Although the funds always came to the exchange via intermediary wallets, Chainalysis found instances in which the wallet receiving ransomware proceeds sent funds directly to the mining pool wallet, which then sent the coins to the exchange. This might mean that both the ransomware- and mining-related wallets belong to the same owner, who is using mining as a way to launder criminal funds, Chainalysis wrote.