AT&T ransom laundered through mixers, gambling services


The $370,000 ransom paid to a hacker involved in the massive theft of data from telecom giant AT&T is currently being laundered through a variety of cryptocurrency mixing platforms and gambling services, according to researchers tracking the funds.

TRM Labs, a blockchain analysis company, has been tracking a ransom payment of 5.72 BTC — about $370,000 — made on May 17. Last week, AT&T revealed that a hacker stole metadata from “nearly all” call logs and texts made by about 109 million AT&T customers over a six-month period in 2022.

The stolen data includes records that identify phone numbers that interacted with AT&T numbers, the number of interactions, the call durations and cell site identification numbers.

At least one of the hackers involved has been apprehended, according to AT&T’s filings with regulators. But reporters from WIRED and Bloomberg spoke to another hacker who claimed to have been paid by AT&T, providing both outlets with a Bitcoin wallet address and a video of themselves deleting the data.

TRM Labs used that address provided to the reporters to track the funds. AT&T has declined to comment on reports of the company paying the ransom.

Chris Janczewski, head of global investigations at TRM Labs, said about $150,000 went to wallets at two different centralized exchanges and a small deposit was made to a gambling service.

“A deposit of less than $10,000 was made at a non-custodial exchange — an exchange platform where users maintain control over their wallets and funds,” Janczewski said. “Most of the remaining funds were sent through swap services — platforms that facilitate the exchange of one cryptocurrency for another without requiring users to deposit funds into the platform.”

TRM Labs did not name the mixing services or gambling platforms used, but law enforcement agencies are in a near-constant game of whack-a-mole with these types of services — issuing dozens of sanctions over the last five years against popular cybercriminal tools like Tornado Cash, Sinbad and its predecessor Blender.io, Helix, ChipMixer, and most recently Samourai Wallet and Bitcoin Fog.

Gambling platforms have also been a go-to for ransomware gangs and hackers looking to obfuscate the source of their funds.

“The use of gambling services, swap services and privacy coins are indicative of money laundering activity. These are common obfuscation techniques presumably being used by the actor to hide the source and destination of the funds,” Janczewski explained.

A United Nations report in January said the expanding Southeast Asian casino industry has become one of the key players facilitating large-scale money laundering by organized crime networks.

Jeremy Douglas, regional representative for Southeast Asia and the Pacific at the United Nations Office on Drugs and Crime, said in the UN report that the acceleration of globalized crime networks centered in the Mekong has “necessitated a revolution in the regional underground banking architecture, resulting in the development of systems and infrastructure capable of moving and laundering massive volumes of state-backed fiat and cryptocurrencies.”

The UN report said in most cases, hackers take their illicit funds and pay into an online gambling platform or an affiliate agent who arranges the transfer of in-game points online through some combination of identifiable or anonymous accounts.

“They are either cashed out or placed in bets, often in collusion with affiliates,” the UN report said. “Once the money in the gambling account is paid out in a desired currency and jurisdiction, it can effectively be given legal status and integrated into the formal financial system and economy.”


Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.
