Blockchain intelligence and the emerging geopolitics of crypto

Blockchain technology represents a powerful tool for innovation. Cryptocurrencies – the most prominent use case of blockchain technology – enable low-cost, high-speed value transfers, democratise access to financial services, and have even introduced new ways to support charitable causes through transparent, auditable donations.

As with many innovations, however, malign actors have weaponised the same features that make crypto a force for good. From Russian ransomware gangs to North Korean hackers, threat actors exploit the decentralised and pseudonymous nature of digital currencies to generate revenue, launder money, evade sanctions, and conduct other illicit activities.

Many believe blockchain-based transactions lie beyond the reach of governments because they occur outside the verification and surveillance mechanisms of the traditional financial system. The reality, however, is the opposite. National security and law enforcement agencies around the world are harnessing the power of enriched blockchain intelligence to track, trace, and disrupt the flow of illicit funds in ways that were previously unimaginable.

What is blockchain intelligence?

Blockchain intelligence involves linking crypto addresses, made up of randomly generated strings of characters, to real-world entities, with an appropriate level of confidence.

Blockchain intelligence firms combine raw blockchain data with additional information, such as open-source or threat intelligence, to develop high-confidence ‘ground truth’ attribution data linking a particular address to an identifiable entity, such as a crypto exchange or a cybercriminal organisation. Firms then apply data science techniques to achieve additional attribution at scale.

The result is a vast database that security professionals can use to identify patterns of illicit behaviour, link those patterns and behaviours to real-world entities, and develop a comprehensive understanding of those entities’ activities over time.

The emerging threat landscape

As Western security officials regularly remind us, ‘The governments of China, Russia, Iran, [and] North Korea […] are aggressively using advanced cyber capabilities to pursue objectives that run counter to our interests and broadly accepted international norms.’ Despite these nations’ shared goal of destabilising the prevailing international order, each ‘has its own overarching [cyber] threat behaviours and agenda to meet its ruling government’s ambitions on the world stage.’

North Korea: Funding a rogue state through cybercrime

North Korea’s cyber capabilities represent a formidable threat. The comprehensively sanctioned regime has turned in part to cryptocurrency theft to fund its ambitions. Since 2017, Pyongyang-linked hackers have stolen nearly US$3 billion worth of crypto. In 2023 alone, North Korean cyber actors stole digital assets worth approximately US$700 million, representing over a third of all funds stolen in crypto attacks globally.

A specialised hacking unit has specifically targeted the cryptocurrency industry, employing highly sophisticated techniques. The overarching goal is simple: to bolster North Korea’s missile and weapons programmes.

Blockchain intelligence not only illuminates this complex malign activity but also helps disrupt it. For example, our analysis of the June 2023 North Korean attack on users of Atomic Wallet, a non-custodial wallet provider, reveals an astonishing series of twists, turns, mixes, and leaps across multiple blockchains in the aftermath of the hackers’ theft of approximately US$100 million worth of cryptocurrency. After retaining blockchain intelligence firms as part of its incident response, however, Atomic Wallet announced it had frozen US$2 million of the stolen funds – a small percentage, but more than what victims typically recover in a ‘real-world’ theft case. Indeed, thanks to blockchain intelligence, some large-scale DPRK-related cybercrimes have actually yielded significant crypto recoveries.

Russia: A haven for illicit financial activity

Russia’s embrace of cryptocurrencies as a tool for sanctions evasion and illicit finance has placed that nation at the forefront of global cybercrime. Russian-speaking ransomware groups – criminal organisations that operate largely with impunity from within Russia’s borders – have become dominant players. In 2023, these groups accounted for 69% of all crypto proceeds from ransomware attacks, exceeding US$500 million.

The Russia-based exchange Garantex handled 82% of crypto volumes from all sanctioned entities globally in 2023, with funds funnelled into military procurement and other state-sponsored activities. Press reports confirm crypto’s meaningful role in Moscow’s ‘shadow trade’ for weapons parts and other high-tech equipment. Moscow has also begun legitimising certain domestic crypto operations in the face of Western sanctions. Recently, for example, it legalised bitcoin mining – and derived over US$550 million in tax revenues as a result.

By mapping out illicit digital infrastructure, blockchain intelligence has supported operations targeting Russian actors, including global law enforcement authorities’ coordinated takedown of the LockBit ransomware group’s infrastructure in 2024 and a similar action in 2023 against the Hive ransomware group.

China: Fentanyl and espionage

China uses digital assets – as well as blockchain technology generally – to project its influence abroad. Officially, crypto ownership and trading are strongly disfavoured on the mainland (though, unlike crypto-mining, they are not banned, as is sometimes mistakenly believed), consistent with Beijing’s goal of imposing domestic stability. At the same time, the regime has allowed crypto to thrive in Hong Kong as a way of ‘stay[ing] in the game while mitigating the risks.’ It is also expanding cross-border uses of the digital yuan and launching new public blockchain infrastructure to advance the Belt and Road Initiative and its geopolitical aims.

Similar calculations may be at play in the regime’s attitude towards the global fentanyl trade. While fentanyl trafficking and addiction do not appear to be significant problems within China’s borders, Chinese manufacturers play a leading role in the production and international dissemination of fentanyl precursors. One study found that 97% of the over 120 examined Chinese precursor manufacturers permitted payment in crypto, and, in 2023 alone, those entities received over US$26 million in crypto payments. Blockchain intelligence further reveals that, between 2022 and 2023, the amount of cryptocurrency deposited into wallets linked to Chinese precursor manufacturers increased by over 600%. This figure more than doubled in the first four months of 2024 compared to the same period in 2023.

China’s use of cryptocurrency in espionage activities adds another layer of complexity to the digital domain. State-sponsored payments played notable roles in recent, high-profile spying cases in Taiwan and the United States.

These incidents, among others, underscore how nation-states are leveraging digital assets not only to promote financial crimes, but also to jockey for geopolitical advantage. 

Iran: International trade and transnational terror

Iran is another nation that initially pursued a (somewhat muddled) policy aimed at suppressing domestic use of cryptocurrencies but more recently has calibrated its approach in light of evolving global circumstances. Blockchain data reveals a flourishing crypto ecosystem within Iran today, with incoming volume to Iranian exchanges approaching US$3 billion in 2022. Notably, nearly 90% of Iran’s incoming crypto volume was processed by exchanges with know your customer (KYC) requirements, in marked contrast to Russia, a haven for cyber criminality and dirty money, where 95% of all exchanges ‘have little to no KYC or [anti-money laundering] controls.’ Perhaps as a consequence, the ‘proportion of illicit volume received by Iranian exchanges, 0.08%, was slightly less than the global average in 2022.’

This data is consistent with recent efforts by the Central Bank of Iran to normalise blockchain projects and develop a more structured, official approach to digital assets. Notable milestones include the country’s first use of crypto to settle an international trade deal, in August 2022; an announcement in January 2023 with Moscow to jointly issue a gold-backed stablecoin for use in cross-border payments; and the launch in June 2024 of a central bank digital currency.

Like recent moves in Russia and Venezuela, Tehran’s efforts seem focused on operationalising crypto to facilitate international trade, in line with other countries facing US sanctions that have adopted similar strategies to bypass the dollar-dominated global financial system. These states also share other tactics. Like their Russian counterparts, Iran-based ransomware actors target victims based in nations that are Iran’s geopolitical adversaries. In other cases, the Iranian government itself has collaborated with global ransomware organisations to achieve similar ends. Through blockchain intelligence, those efforts can be tracked, analysed, and confronted.

For example, blockchain intelligence was used in mapping out illicit payment networks in the wake of the 7 October 2023 attacks on Israel, when the US, UK, and Australia imposed new sanctions on facilitators of funds transfers – including cryptocurrency transfers – from the Iranian government to terrorist organisations in Gaza. 

The future of blockchain intelligence

Blockchain intelligence offers national security and law enforcement agencies a dimension of visibility into financial transactions that was previously unavailable, not only enhancing their ability to track and disrupt illicit activities, but also providing a deeper understanding – both historically and in real time – of the broader threat landscape.

As threat actors’ tactics continue to evolve, agencies can leverage blockchain intelligence to stay ahead of adversaries and ensure that digital economic ecosystems remain domains where the rule of law can prevail.