Sitting with cyber-detectives following cryptocurrency criminals


Spiky yellow and blue shapes begin to fill a screen that covers an entire wall in a laboratory at Imperial College London. The shapes emerge from empty space as the display pulses and dances. The visualization is hypnotic and confusing, but it makes sense once you realize what you are seeing. I'm watching the Bitcoin blockchain grow in front of me.

An irregular blue circle opens up and William Knottenbelt, a researcher at the college, provides a live commentary. "Here you see someone who takes in Bitcoin and then pays it out to thousands of other people," he says.

"So this could be a mining pool that pays premiums to people who helped find some blocks." He points to a curious cluster of shapes on the screen.

This story is part of our May / June 2018 issue

"Ah, this structure here is interesting," says Knottenbelt. Several blue circles appear, again paying out to multiple accounts, but they are joined by a cross-hatching of yellow lines. It looks as if someone has scribbled on the display with a Sharpie.

What Knottenbelt has just noticed could be the first evidence of a sophisticated criminal at work.

An industry has arisen to help fight back. New forensic tools are allowing authorities to track money through cryptocurrency networks that are proving far less private than their founders had hoped. Just as CCTV turned bank robbers from celebrated outlaws into easily caught thieves, researchers hope their progress can turn anonymous thieves into known convicts and make the world of cryptocurrency safe for the average user.

Opportunities in cryptocrime

If you're not up to speed, cryptocurrencies tick a lot of boxes for a criminal. The only thing that binds you to an account in Bitcoin, Ethereum, NEM or any of a thousand other cryptocurrency systems is an address, usually a random-looking sequence of letters and numbers. You can have as many addresses as you want and, in principle, there is no obvious way to link them or identify their owners. Moreover, the money in these accounts can be transferred without intermediaries and across international borders as easily as sending an e-mail.

"Instead of meeting you in a dark parking lot to deliver a suitcase of money, I can sit with a laptop on a balcony in Monaco," says Jeffrey Robinson, an investigative journalist and author of 30 books on financial crime, including BitCon: The Naked Truth about Bitcoin.

William Knottenbelt, a researcher at Imperial College London, said: "I don't think that banning anything can help anyone."

Thomas Angus, Imperial College London

Smart criminals are embracing the new opportunities. A 2018 study by the blockchain analysis startup Elliptic and the US think tank Center on Sanctions and Illicit Finance found a five-fold increase in the number of large-scale illegal operations running on the Bitcoin blockchain between 2013 and 2016. Analyzing the history of more than 500,000 bitcoins, they identified 102 criminal entities, including dark web markets, Ponzi schemes and ransomware attackers, and showed that many of the coins in their study could be linked to them.

Ninety-five percent of all laundered coins tracked by the study came from just nine dark web markets, including Silk Road, Silk Road 2.0, Agora and AlphaBay. These are notorious online bazaars where a person can buy prohibited goods such as drugs and weapons and pay for services such as prostitution or murder. "On the dark web you can even buy legal advice," says Robinson. "There are lawyers over there willing to take Bitcoin to tell you how to avoid getting caught with Bitcoin."

Other types of organized crime are also emerging. Hackers have adopted Bitcoin as the payment of choice for ransomware attacks. These attacks surged in 2016, with nearly 16% of tainted coins linked to malware outbreaks like Locky. The trend continued in 2017 with WannaCry and NotPetya, which held computer systems hostage in hospitals and companies around the world. In March of this year, Atlanta's municipal government systems were rendered useless by a ransomware attack whose authors demanded about $51,000 in Bitcoin.

Cryptocrime is also spilling into the offline world. The last few months have seen a flurry of real-world robberies in which victims were forced to hand over their account details at knifepoint. "Suddenly, if you have a lot of crypto you're in physical danger," says Knottenbelt of Imperial College.

Yet, since every Bitcoin transaction is recorded in a distributed public ledger, it is possible to keep track of illicit gains. Anyone can download the entire Bitcoin transaction history, which currently weighs in at around 160 gigabytes, and examine it, or use a website such as Block Explorer to browse it in a browser.

This kind of analysis helped to unravel a great robbery. In 2014, Mt. Gox, then the largest Bitcoin exchange in the world, was breached by unknown thieves who stole 850,000 bitcoins, worth more than $450 million.

As Mt. Gox went into bankruptcy, its trustees enlisted a forensic team to find the missing coins. What they found was a mess. "Mt. Gox did not understand how many bitcoins people had and how many bitcoins they actually had until they realized they were gone," says Jonathan Levin, who led the investigation. Levin and his team eventually tracked the funds to an exchange called BTC-e, where the trail went cold.

Although they failed to recover most of the missing coins, "that investigation gave us the idea of developing a tool that other people could use," says Levin. His company Chainalysis, born of this effort, builds tools for bitcoin businesses that want to better understand their customers and for law-enforcement agencies looking for criminals. Other companies, such as BlockSeer and Elliptic, offer similar tools and services.

According to Tom Robinson, cofounder and chief data officer of Elliptic, most of the world's Bitcoin exchanges use the company's software to analyze transactions. They check, for example, whether the transactions can be linked to ransomware wallets, dark markets or thefts. Elliptic has helped provide evidence in several criminal cases, including one involving a man who bought parts for AR-15 automatic rifles on the dark web, and a handful of drug busts.

Since the company was founded five years ago, according to Robinson's estimates, bitcoin transactions worth trillions of dollars have been examined using its software, even though only about $300 billion worth of bitcoin transactions have ever taken place. This is because some transactions are screened several times; Elliptic advises its customers to re-run analyses on older transactions because the information on dubious accounts is continually updated. "You have to keep checking," says Robinson.

Robinson will not name his clients, but a quick search reveals that they include the US Drug Enforcement Administration, the Internal Revenue Service, the FBI and Immigration and Customs Enforcement. Chainalysis works with those and more, including financial regulators like the SEC. Chainalysis also says that Europol and more than half of the police forces in Europe are using its software.

The US Treasury's interest in the blockchain reflects the fact that cryptocrime is not limited to coin theft and black markets. It is also about fraud and tax evasion. "This will be an interesting fiscal year," says Jeffrey Robinson. "It is the first time in the United States that Bitcoin trading is being tracked for tax purposes."

Sarah Meiklejohn and her colleagues developed, in 2013, the techniques on which much of today's cryptocurrency analysis is based.

Andrew Testa

How to track down the untraceable

Much of what these companies do is based on techniques introduced in 2013 by Sarah Meiklejohn, then at the University of California, San Diego, and her colleagues. The basic idea is simple. By looking closely at activity on the blockchain, you can identify addresses that appear to belong to the same Bitcoin wallet and are therefore controlled by the same entity. The process is known as clustering. For example, multiple addresses funding the same transaction probably belong to one person or organization pooling smaller funds into a single larger pot. Another signal is when the change from a Bitcoin transaction is sent back to an address other than the one the funds came from. Over time, the chaos resolves into regular patterns.

Once multiple addresses have been linked to the same owner, you can try to figure out who that owner is. Linking Bitcoin addresses to real-world identities is possible because information tends to leak out. Regulated cryptocurrency exchanges, typically those in the US or Europe, must follow know-your-customer and anti-money-laundering rules, which require people to hand over identification before using their services. Some people are also careless enough to post their supposedly private Bitcoin addresses in online forums. "What people forget is that the blockchain is only half of the equation," says Knottenbelt.

Chainalysis and Elliptic now use machine learning to help cluster addresses. Soon it might even be possible for an AI to monitor the blockchain in real time.

The wall-sized visualization at Imperial College is a step in that direction. The blue and yellow tangle that caught Knottenbelt's attention was a network of tumbled coins, a sequence of transactions deliberately designed to make it difficult to track individual coins. It's like dropping money into a jar, shaking it and then pulling it out again: the amount does not change, but it's hard to say which coin was which. The effect is very similar to what you get by moving money through a bank in a place like the Cayman Islands, where there are strict banking secrecy laws.
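The two clustering signals described above can be turned into a small, runnable analysis. What follows is an added example written for this page, not code from Chainalysis, Elliptic or Meiklejohn's paper: it walks a constructed list of Bitcoin-style transactions (the addresses `A1`, `M1`, `C1`, `S1` and so on are made up) and applies the "multiple inputs share an owner" heuristic and a simple "one fresh output is the change" heuristic, merging addresses with a union-find structure.

```python
from collections import defaultdict

# Constructed sample transactions in chain order (not real blockchain data).
# Each transaction lists the input addresses and the (address, amount) outputs.
SAMPLE_TXS = [
    {"txid": "tx0", "inputs": ["X1"], "outputs": [("S1", 1.0)]},            # S1 seen here first
    {"txid": "tx1", "inputs": ["A1", "A2", "A3"], "outputs": [("M1", 5.0)]},  # three inputs pooled
    {"txid": "tx2", "inputs": ["M1"], "outputs": [("S1", 2.0), ("C1", 2.9)]},  # S1 old, C1 fresh
    {"txid": "tx3", "inputs": ["C1", "A1"], "outputs": [("S2", 3.0)]},       # ties C1 to A1
]


class UnionFind:
    """Minimal disjoint-set structure for merging addresses into clusters."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def cluster_addresses(txs):
    """Return {address: frozenset(addresses believed to share its owner)}."""
    uf = UnionFind()
    seen = set()  # addresses that appeared in any earlier transaction
    for tx in txs:
        inputs = tx["inputs"]
        out_addrs = [addr for addr, _ in tx["outputs"]]
        # Heuristic 1: all inputs of one transaction are signed by the same entity.
        # (This is exactly the link that tumblers and CoinJoin-style mixes try to break.)
        for addr in inputs[1:]:
            uf.union(inputs[0], addr)
        # Heuristic 2: with two or more outputs, if exactly one is a never-seen-before,
        # one-time address that is not also an input, treat it as change back to the payer.
        fresh = [a for a in out_addrs
                 if a not in seen and out_addrs.count(a) == 1 and a not in inputs]
        if len(out_addrs) >= 2 and len(fresh) == 1:
            uf.union(inputs[0], fresh[0])
        seen.update(inputs)
        seen.update(out_addrs)
    groups = defaultdict(set)
    for addr in seen:
        groups[uf.find(addr)].add(addr)
    return {addr: frozenset(groups[uf.find(addr)]) for addr in seen}


def same_owner(clusters, a, b):
    """True if the heuristics place addresses a and b in one cluster."""
    return a in clusters and b in clusters.get(a, frozenset())


if __name__ == "__main__":
    for addr, group in sorted(cluster_addresses(SAMPLE_TXS).items()):
        print(addr, "->", sorted(group))
```

On the sample data, `tx1` merges `A1`, `A2` and `A3`; `tx2` links the fresh output `C1` back to `M1` as change (while `S1`, already seen in `tx0`, is treated as the payee); and `tx3` then joins the two groups into one cluster. Note that both heuristics are exactly that: a transaction whose inputs came from several unrelated people, as in a mixing transaction, would be clustered wrongly, which is why an analyst treats the output as a lead rather than proof.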

Staying a step ahead

However, tumblers are not necessarily a sign of criminal activity. "Some people do it only for privacy reasons," says Knottenbelt. And anyway, there are better ways for criminals to cover their tracks. As Bitcoin's privacy limits become more apparent, people are moving to newer cryptocurrencies, such as Zcash and Monero, which reveal almost nothing about the transactions recorded on their blockchains.

Zcash uses a so-called zero-knowledge proof to verify transactions. This is a mathematical way of confirming that a transaction took place without disclosing any information about who was involved or how much was transferred. Zcash also lets you redeem coins and mint new ones, the equivalent of exchanging your marked banknotes for clean ones.

Monero, meanwhile, is in effect one big tumbler. When you want to transfer coins, your address is mixed in with a group of others so that no one can tell which one was actually spending the money.

Zcash and Monero certainly take privacy to the next level. But this does not mean that they will never give up their secrets. Meiklejohn points out that careless behavior by users, such as posting their private addresses in forums, will again leave clear traces, just as with Bitcoin.

In addition, Monero lets users make transactions without mixing in any decoy coins at all. This removes privacy for that particular transaction, and it also gives researchers a way to untangle, through a process of elimination, any mixes that subsequently include those coins. Malte Möser of Princeton University and colleagues estimate that 62% of Monero's transaction inputs are vulnerable to this analysis. When Zcash and Monero users begin to show signs of leaking, people like Meiklejohn and Möser will be ready.
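The process of elimination just described is a simple fixed-point computation. The following is an added example written for this page, not code from Möser's study or the Monero project: it takes a constructed set of ring inputs (the names `in1`, `o1` and so on are made up), where each input lists the candidate outputs it might be spending. An input with a single candidate (a zero-mixin transaction) reveals its real spend; since an output can only be spent once, that output is struck from every other ring, and the loop repeats until no more rings collapse.

```python
# Constructed ring inputs (not real Monero data): input id -> candidate outputs.
# A ring of size 1 is a zero-mixin input whose real spend is known outright.
SAMPLE_RINGS = {
    "in1": ["o1"],              # zero-mixin: o1 is definitely spent here
    "in2": ["o1", "o2"],        # once o1 is struck out, o2 must be the real spend
    "in3": ["o2", "o3", "o4"],  # collapses only after o2 and o4 are both resolved
    "in4": ["o4"],              # zero-mixin: o4 is spent here
    "in5": ["o5", "o6"],        # nothing touches these decoys: stays ambiguous
}


def deduce_spends(rings):
    """Chain-reaction elimination over ring inputs.

    Returns (resolved, ambiguous): resolved maps input id -> the output it must
    have spent; ambiguous maps the remaining input ids -> the candidates left.
    Raises ValueError if the data is inconsistent (a ring runs out of candidates).
    """
    remaining = {k: set(v) for k, v in rings.items()}
    resolved = {}
    changed = True
    while changed:
        changed = False
        for key_image, cands in remaining.items():
            if key_image in resolved:
                continue
            if not cands:
                raise ValueError(f"{key_image}: every candidate already spent elsewhere")
            if len(cands) == 1:
                (spent,) = cands
                resolved[key_image] = spent
                changed = True
                # The real spend of this input cannot be the real spend of any other.
                for other in remaining:
                    if other != key_image:
                        remaining[other].discard(spent)
    ambiguous = {k: frozenset(v) for k, v in remaining.items() if k not in resolved}
    return resolved, ambiguous


def traceable_fraction(rings):
    """Share of inputs whose real spend the elimination pins down."""
    resolved, _ = deduce_spends(rings)
    return len(resolved) / len(rings) if rings else 0.0


if __name__ == "__main__":
    resolved, ambiguous = deduce_spends(SAMPLE_RINGS)
    print("resolved:", resolved)
    print("still ambiguous:", ambiguous)
    print("traceable fraction:", traceable_fraction(SAMPLE_RINGS))
```

On the sample, two zero-mixin inputs are enough to resolve four of the five rings; only `in5`, whose decoys are never spent anywhere else, keeps its privacy. The 62% figure in the text is the same kind of ratio, computed over the real chain.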

Perhaps the biggest problem for law enforcement, however, is the large number of unregulated exchanges, where criminals can wipe away the traces of their theft by laundering stolen cryptocurrency into other forms of wealth. Many exchanges reject regulation on principle: BTC-e and the conversion service ShapeShift, for example, market themselves on the promise of not asking their users for identification. ShapeShift's founder Erik Voorhees is particularly outspoken about the political implications of regulation.


Ross Anderson, a security and cryptocurrency researcher at the University of Cambridge, UK, argues that these exchanges prosper partly because the laws are ineffective. "The problem with money laundering in general is that nobody wants it to be done well," he says. "If you're a bank in the City, you do not want to know that John Gotti is a client, and therefore the banks would never tolerate a law that says that anyone who banks the mafia will go to jail." If this is how the world works, why should crypto exchanges be any different?

Banks and finance companies are experimenting with cryptocurrency to create smoother payment systems. But the technology also supports a new generation of illicit activity, providing new ways to steal, blackmail, commit fraud and break international sanctions.

Anderson's cynicism about the authorities' willingness to act has led him to a plan to disrupt cryptocrime himself. He is creating what he calls a taintchain: a public list of bitcoins with clear links to criminal activity. "What I'm about to do is publish a list of all the stolen bitcoins and the software needed to generate it, so that everyone can check them on their own," he says. Exchanges would then think twice about handling stolen coins.

Even if regulation were more stringent, however, it is not clear that it would make a difference. "I don't think that banning anything can help anyone," says Knottenbelt. Driving the technology underground, he argues, simply means that transactions will be hidden rather than broadcast openly on the Internet, making it even harder for researchers like Meiklejohn to analyze money flows and find thieves.
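A taint list like the one Anderson describes is built by following stolen coins forward through the transaction graph. The example below is added for this page and is not Anderson's taintchain software, whose exact propagation rule the article does not describe: it uses the simplest rule, a proportional "haircut" in which every output of a transaction inherits the value-weighted average taint of its inputs. The outpoints (`("theft", 0)`, `("t1", 1)`) and addresses are constructed.

```python
from collections import defaultdict

# Constructed starting coins (not real chain data): outpoint -> (address, amount, taint fraction).
# The "theft" outpoint is the coin known to be stolen (taint 1.0); "clean" is unrelated money.
KNOWN_OUTPUTS = {
    ("theft", 0): ("THIEF", 10.0, 1.0),
    ("clean", 0): ("HONEST", 6.0, 0.0),
}

# Constructed transactions in chain order; inputs reference earlier outpoints (txid, index).
SAMPLE_TXS = [
    {"txid": "t1", "inputs": [("theft", 0)], "outputs": [("P", 4.0), ("Q", 6.0)]},
    {"txid": "t2", "inputs": [("t1", 1), ("clean", 0)], "outputs": [("R", 12.0)]},   # stolen + clean merged
    {"txid": "t3", "inputs": [("t2", 0)], "outputs": [("EXCH", 3.0), ("R2", 9.0)]},  # part sent to an exchange
]


def propagate_taint(txs, known):
    """Proportional ("haircut") taint propagation.

    Returns outpoint -> (address, amount, taint), where taint is the fraction of the
    output's value that traces back to the stolen coins. An input that references an
    unknown outpoint raises KeyError, which is the right failure mode for partial data.
    """
    outputs = dict(known)
    for tx in txs:
        spent = [outputs[outpoint] for outpoint in tx["inputs"]]
        total = sum(amount for _, amount, _ in spent)
        tainted = sum(amount * taint for _, amount, taint in spent)
        taint = tainted / total if total else 0.0
        for idx, (addr, amount) in enumerate(tx["outputs"]):
            outputs[(tx["txid"], idx)] = (addr, amount, taint)
    return outputs


def unspent_taint_by_address(txs, known):
    """Stolen-derived value currently sitting at each address (unspent outputs only)."""
    outputs = propagate_taint(txs, known)
    spent = {outpoint for tx in txs for outpoint in tx["inputs"]}
    totals = defaultdict(float)
    for outpoint, (addr, amount, taint) in outputs.items():
        if outpoint not in spent:
            totals[addr] += amount * taint
    return dict(totals)


if __name__ == "__main__":
    for addr, value in sorted(unspent_taint_by_address(SAMPLE_TXS, KNOWN_OUTPUTS).items()):
        print(f"{addr}: {value:.2f} stolen-derived")
```

Because the haircut rule conserves value, the tainted amounts at the unspent outputs add up to the 10.0 originally stolen, which is a useful sanity check on any propagation run. A first-in-first-out rule, which assigns whole coins rather than fractions, gives different (and more legally convenient) answers for the same graph; the page does not say which rule the taintchain uses, so this block should be read as illustrating the idea, not Anderson's implementation.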

Surprisingly, Meiklejohn herself does not care too much about regulation or the lack of it. "Once you've solved the problem of bad exchanges operating outside the typical jurisdictions, you've won," she says. Take BTC-e, an exchange based in Russia that was known to have taken in a lot of criminal money. Many ransomware operators seemed to use BTC-e almost exclusively. It was also the place where the missing Mt. Gox funds were last seen before the trail disappeared.

Imperial College London

But in July 2017 it was shut down. US authorities arrested staff and seized computers at one of the exchange's data centers, and Alexander Vinnik, its suspected operator, was arrested. "They clearly would not have responded to subpoenas," says Meiklejohn. "On the other hand, this is something that law enforcement knows well how to deal with."

Meiklejohn sees her work as distilling cryptocrime into the kind of crime that law enforcement is familiar with. Armed with leads from Elliptic and others, good old-fashioned policing will do what it does best.

The biggest cyber-heist in history

For the moment, however, the cybercriminals are still one step ahead. Even though researchers can now watch cryptocurrency thefts happen on blockchain networks almost in real time, they cannot connect them to the real world fast enough to stop even monumental capers.

The biggest cyber-heist in history happened at 3:00 am Japan time on a January morning this year. Someone, or more likely several someones, took more than half a billion dollars' worth of a digital currency called NEM out of the Tokyo cryptocurrency exchange Coincheck. No one at the exchange raised the alarm until lunchtime, giving the perpetrators an eight-hour head start.

When the news finally reached the vice president of the NEM Foundation, Jeff McDonald, in Tulsa, Oklahoma, he went straight to the blockchain. The funds had been taken from a software wallet connected to the Internet, an insecure storage locker that Coincheck says it was using only because of a failure elsewhere in its system. "It's basically like leaving your ATM card with the PIN number written on it," says Alexandra Tinsman, communications director at the NEM Foundation. All 523 million stolen coins were channeled first through a single account before being split among many others.

To prevent the thieves from converting the loot into fiat currency, the NEM team rushed to tag the stolen coins and alert the exchanges. The day after the hack, the NEM team had identified and published the addresses of 11 accounts where the funds had ended up. Each was tagged with a message that read "coincheck_stolen_funds_do_not_accept_trades: owner_of_this_account_is_hacker." But since they did not know who the account owner was, the NEM team could do little more than try to block the exits.

A waiting game followed. Initially unable to cash out the coins stolen from the NEM network, the thieves moved them around. These movements were all visible on the public blockchain. The NEM team tracked the coins to Canada and then saw some of them return to Japan. But even though NEM never took its eyes off the marked notes, the thieves got away. Eventually they managed to reach an unregulated exchange and cash out at least half of the stolen coins. In March, the NEM team announced that it was ending its hunt.

Stung by the massive theft, Coincheck announced that it would no longer handle Zcash, Monero or Dash, another anonymity-focused currency. It is among the first exchanges to drop those coins.

Coincheck's move is part of a broader effort to bring law and order to this new frontier of money. The US government is toying with the idea of creating a blacklist of cryptocurrency addresses associated with criminal groups, such as terrorists, drug traffickers and sanctions busters. One possibility is that it would become illegal to deal with blacklisted addresses.

The NEM thieves have escaped for now. But future technology may yet catch up with them. As forensic techniques and tools improve, previously overlooked evidence will come to light, like traces of DNA at a year-old crime scene. Every time the authorities close down a Silk Road or a BTC-e, it sends a signal, says Jeffrey Robinson: "They will get the rest of them, one by one."

Douglas Heaven is a freelance writer based in London.
