How Blockchain Analytics Uncovers State-Sponsored Cybercrimes
Blockchain technology is a powerful tool for innovation. Cryptocurrencies, the most well-known application of blockchain, enable fast and low-cost money transfers, expand access to financial services, and even introduce new ways to support charitable initiatives through transparent and verifiable donations.
As with many new technologies, bad actors have found ways to exploit the same features of cryptocurrencies that make them useful. For example, North Korean hackers use the decentralized and pseudonymous nature of digital currencies to generate revenue, launder money, evade sanctions, and conduct other illegal activities.
Many people believe that blockchain-based transactions are beyond the reach of government oversight, since they occur outside the monitoring and verification systems of traditional financial institutions. In reality, the opposite is true. National security and law enforcement agencies worldwide are using blockchain analytics technologies to track and disrupt illicit financial flows that once seemed impossible to trace.
What Is Blockchain Analytics?
Blockchain analytics involves linking cryptocurrency addresses—random strings of characters—to real-world organizations or individuals with a certain degree of confidence. Blockchain analytics companies combine blockchain data with additional information, such as open-source intelligence or investigative data, to create highly reliable connections between specific addresses and real entities, like crypto exchanges or cybercriminal organizations. Data analysis methods are then used to further attribute information at scale.
The result is a massive database that security professionals can use to identify patterns in criminal activity, link those patterns to real-world entities, and build a comprehensive understanding of their operations over time.
A New Threat Landscape
As Western security agencies regularly warn, “the governments of China, North Korea, and Iran […] aggressively use advanced cyber capabilities to achieve objectives that run counter to our interests and accepted international norms.” While these states share a common goal of destabilizing the global order, each has its own cyber threats and strategic objectives on the world stage.
North Korea: Funding the Regime Through Cybercrime
North Korea’s cyber capabilities pose a serious threat. The heavily sanctioned regime has partially turned to cryptocurrency theft to fund its ambitions. Since 2017, hackers linked to Pyongyang have stolen nearly $3 billion in cryptocurrencies. In 2023 alone, North Korean cyber actors stole about $700 million in digital assets—over a third of all funds stolen in crypto attacks worldwide.
A specialized hacker unit targets the cryptocurrency industry using highly sophisticated methods. The main goal is simple: to support North Korea’s missile and weapons programs.
Blockchain analytics not only uncovers this complex criminal activity but also helps disrupt it. For example, analysis of the June 2023 North Korean attack on users of Atomic Wallet, a non-custodial crypto wallet provider, revealed a convoluted chain of hops, mixing, and transfers across various blockchains after hackers stole about $100 million in cryptocurrency. After blockchain analysts were brought in to investigate, Atomic Wallet announced it had frozen $2 million of the stolen funds—a small portion, but more than is usually recovered in real-world thefts. Thanks to blockchain analytics, some major North Korea-linked cybercrimes have actually resulted in significant crypto recoveries.
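To make the attribution-and-tracing workflow described in the "What Is Blockchain Analytics?" section and the Atomic Wallet case concrete, here is an added example (not code from the original article or from any analytics vendor) that follows stolen funds through intermediate hops and a mixing pool to labelled exchange deposit addresses, the points at which a freeze becomes possible. The ledger, address names and entity labels are constructed for the example; the proportional ("haircut") taint rule is one common tracing convention, not the specific method used in that investigation.

```python
from collections import defaultdict
from fractions import Fraction

# Constructed sample ledger (not real chain data), in chronological order:
# (tx_id, sender, receiver, amount). All addresses are hypothetical names.
TRANSFERS = [
    ("tx1", "victim_hot_wallet", "thief_A", 100),   # the theft itself
    ("tx2", "thief_A", "hop_1", 60),
    ("tx3", "thief_A", "hop_2", 40),
    ("tx4", "hop_1", "mixer_pool", 60),
    ("tx5", "legit_user", "mixer_pool", 40),        # clean funds join the pool
    ("tx6", "mixer_pool", "exchange_X_deposit", 50),
    ("tx7", "mixer_pool", "exchange_Y_deposit", 50),
    ("tx8", "hop_2", "exchange_X_deposit", 40),
]
# Attribution data of the kind an analytics provider maintains (constructed):
# address -> real-world entity that controls it.
LABELS = {
    "mixer_pool": "Mixing service",
    "exchange_X_deposit": "Exchange X",
    "exchange_Y_deposit": "Exchange Y",
}

def trace_taint(transfers, theft_tx, labels):
    """Follow stolen funds hop by hop using proportional ("haircut") taint.
    Each outflow carries the sender's current tainted share, so mixing with
    clean funds dilutes the trace instead of erasing it.
    Returns {entity: cumulative tainted value received at labelled addresses}."""
    balance = defaultdict(Fraction)   # current balance per address
    tainted = defaultdict(Fraction)   # part of that balance traced to the theft
    exposure = defaultdict(Fraction)  # tainted inflow per labelled entity
    seeded = False
    for tx_id, src, dst, amount in transfers:
        if not seeded:                # ignore history before the theft
            if tx_id == theft_tx:     # seed: the theft output is 100% tainted
                balance[dst] += amount
                tainted[dst] += amount
                seeded = True
            continue
        if balance[src] < amount:     # inflows we never observed count as clean
            balance[src] = Fraction(amount)
        moved = amount * tainted[src] / balance[src]
        balance[src] -= amount
        tainted[src] -= moved
        balance[dst] += amount
        tainted[dst] += moved
        if dst in labels:             # a freeze request would go to this entity
            exposure[labels[dst]] += moved
    return dict(exposure)
```

Running `trace_taint(TRANSFERS, "tx1", LABELS)` attributes 70 units of the 100 stolen to Exchange X and 30 to Exchange Y, with the mixing service showing 60 units of transient exposure; the clean 40 units from `legit_user` dilute but do not hide the trace.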
China: Fentanyl and Espionage
China uses digital assets and blockchain technology in general to expand its influence abroad. Officially, cryptocurrency ownership and trading are heavily restricted on the Chinese mainland (though, unlike crypto mining, they are not outright banned, contrary to a common misconception), in line with Beijing’s goal of maintaining domestic stability. At the same time, the government has allowed crypto to develop in Hong Kong to “stay in the game while minimizing risks.” The use of the digital yuan in cross-border transactions is expanding, and new public blockchain infrastructures are being launched to support the country’s geopolitical goals.
A similar approach can be seen in the global fentanyl trade. While fentanyl use and addiction are not major issues within China, Chinese manufacturers play a key role in producing and distributing fentanyl precursors. Research has shown that 97% of over 120 Chinese precursor manufacturers accept cryptocurrency payments, and in 2023 alone, these companies received more than $26 million in crypto payments.
Blockchain analytics reveals that from 2022 to 2023, the volume of crypto sent to wallets linked to Chinese precursor manufacturers increased by 600%. In the first four months of 2024, this figure more than doubled compared to the same period in 2023.
The use of cryptocurrencies in espionage adds another layer of complexity to the digital sphere. State payments played a notable role in recent espionage cases involving Taiwan and the United States. These incidents, among others, highlight how states use digital assets not only for financial crimes but also to gain geopolitical advantages.
Iran: International Trade and Transnational Terrorism
Iran is another country that initially sought to suppress domestic cryptocurrency use but later changed its policy in response to global developments. According to blockchain analytics, the volume of crypto transactions in Iran reached nearly $3 billion in 2022. Notably, about 90% of this volume was processed by exchanges that enforce Know Your Customer (KYC) requirements, in sharp contrast to the lack of such measures in other countries. This may explain why the share of illicit activity linked to Iran is just 0.08%, below the global average.
This data aligns with recent efforts by Iran’s Central Bank to normalize blockchain-based projects and develop a more structured approach to digital assets. Key milestones include using cryptocurrency for an international trade deal in August 2022 and a joint statement with Moscow in January 2023 about issuing a gold-backed stablecoin for international settlements. In June 2024, Iran officially launched its central bank digital currency.
Like other sanctioned countries, Tehran uses cryptocurrencies to circumvent financial restrictions. Similar steps are seen in Venezuela, where crypto is used for trade deals and to bypass the dollar in the global financial system. Additionally, Iranian hackers continue to attack countries in conflict with Iran. In some cases, the government has directly collaborated with international groups to achieve its goals.
An example of blockchain analytics in action was the tracking of payment networks after the attacks on Israel on October 7, 2023. The US, UK, and Australia imposed new sanctions on intermediaries transferring funds—including cryptocurrencies—from the Iranian government to terrorist organizations in Gaza.
The Future of Blockchain Analytics
Blockchain analytics gives national security and law enforcement agencies a new level of transparency into financial transactions. This not only enhances their ability to track and disrupt illegal operations but also deepens their understanding of the current and future threat landscape.
As criminal tactics evolve, government agencies will be able to use blockchain analytics to stay one step ahead of their adversaries and enforce the law in digital economic ecosystems.