We may not know the names of those who steal cryptocurrency from online exchanges, but we now know that most of the thefts are down to just two groups – and one of them isn’t even in it for the money alone.

A new report from blockchain investigation company Chainalysis reveals that just two criminal groups are responsible for around 60% of all cryptocurrency stolen from exchanges.

Cryptocurrency exchanges are prime targets for cybercriminals. People trading Bitcoin and other virtual currencies do so using exchanges, and many tend to leave their funds in their accounts on those exchanges rather than withdrawing them to a secure account under their control. This makes it more convenient for them to to make trades quickly without having to keep redepositing funds.

Large amounts of these funds often reside in an exchange’s hot wallet, which is connected to the blockchain and therefore online. It makes exchanges prime targets for online attacks. Chainalysis, which uses forensic techniques to find connections between cryptocurrency addresses, analysed some of those thefts to find out where the funds ended up. They may not know who owns the addresses, but using its forensic techniques it can determine whether the addresses are owned by the same people.

In its Crypto Crime Report, released last week, Chainalysis found that two groups, which it calls Alpha and Beta, were responsible for stealing around $1 billion in funds from exchanges.

Each group had different endgames, the company said. Alpha is quick to route its stolen funds through a large number of addresses – up to 15,000 in some cases – to cover its tracks. On average, the group sold three quarters of its ill-gotten gains via other exchanges within a month.

The Chainalysis report describes Alpha as “a giant, tightly controlled organization partly driven by non-monetary goals.” A spokesperson told Naked Security:

There’s one key indicator that Alpha wasn’t driven entirely by monetary goals: they had an extremely high average number of transfers, and for each transfer they had to pay a fee. And when that number of transfers is in the range of 15,000 for one hack, it adds up.

Alpha’s motive seemed to have been causing chaos and confusion, according to Chainalysis, whereas Beta was all about the money. The latter group would leave coins dormant for up to 18 months before selling them, using fewer transactions to cloak its activities.