Cryptocurrency: A Gold Mine for Open-Source IntelligenceExpert Says Virtual Currency Systems Leak Useful Data to Track Criminals
John Bambenek, an Illinois-based intelligence analyst and malware researcher, spent about two years investigating Russian intrusions that plagued the 2016 U.S. presidential election.
That investigation, which Bambenek jokingly dubs a dumpster fire, is ongoing. Bambenek, who runs his own consulting firm and is a vice president at the threat intelligence firm ThreatSTOP, needed a distraction from it. So he turned to bitcoin.
The virtual currency has become the favored means of exchange for cybercriminals and those avoiding the restrictions of traditional banking.
"I'm not saying everyone who uses bitcoin is a criminal, but all criminals are using bitcoin and cryptocurrency," says Bambenek, who gave a presentation on Thursday at the AusCERT computer security conference in Australia's Gold Coast. "So as an intelligence analyst, it's like fishing in a pond with unlimited fish."
Bitcoin, developed by a mysterious developer going by the name Satoshi Nakamoto, is a completely legitimate technology. The virtual currency, which launched in 2009, has triggered a wave of innovation based on blockchain, its public distributed ledger, and spawned 2,000 other virtual currency projects.
"I'm not saying everyone who uses bitcoin is a criminal, but all criminals are using bitcoin and cryptocurrency."
—John Bambenek, ThreatSTOP
Experts have long warned that bitcoin is not as private as it appears. Bambenek says the design of bitcoin, as well as other virtual currencies, can lend a surprising amount of information about the groups using it to transact. In fact, it's sometimes easier to track than if criminals used the traditional banking system.
"The inherent weakness of cryptocurrency isn't the algorithm, blockchain technology or peer-to-peer," Bambenek says. "It's the place where you can turn it into money and vice versa."
Bitcoin, as well as most other virtual currences, is based on public key cryptography.
A sender initiates a transaction by unlocking a bitcoin with a private key and sending it over the network to a recipient's public address, which is a 32-character alphanumeric value. All records of transactions are publicly viewable in the blockchain, a design intended to inspire confidence in a network with no central gatekeeper.
To obfuscate transaction flows, users often split and move bitcoins into new wallet addresses in circuitous ways that can make tracing funds more difficult. But Bambenek says that most users are lazy and don't make efforts to either obscure transaction chains or even store their bitcoins securely.
Most tend to use the same wallet or address for all transactions, "which means I can now attribute their conduct over the entire lifetime of the wallet," Bambenek says.
Also, many bitcoin thefts have occurred against those who haven't encrypted their wallets. On a whim, Bambenek searched Virus Total's online repository of malware and other files for those containing bitcoin wallet addresses. He found a private key for a bitcoin wallet that had been mistakenly uploaded. The wallet was worth US$17 million at the time.
"I could have transacted that," Bambenek says. "I could have left this whole cybersecurity industry behind and just retired some place at a nice resort in the South China Sea."
But exchanges represent the real weak point for virtual currencies, Bambenek says. At least today, cashing out large amounts isn't possible.
Also, the virtual currency industry is seeing an inevitable collision with regulators if it is going to grow beyond enthusiasts and hobbyists. So exchanges are increasingly following know-your-customer procedures that banks use to comply with anti-money laundering regulations.
"The number of places that you can turn that [virtual] money into something else is radically small, which gives us a lot of opportunity to gather intelligence either by legal process or some other means," Bambenek says.
Bambenek began looking into how white supremacists were funding their operations following the violent clashes in Charlottesville, Va., in August 2017.
Pressure had built since early that year when the city indicated it would rename two parks named after Confederate generals and remove a statue of a Civil War general. Demonstrators violently clashed with white supremacists. The riots culminated with the death of a 32-year-old woman run down by a vehicle that intentionally charged at protesters.
" Your garden variety Neo-Nazi is a moron when it comes to technology.They just have no idea how to do things. When Coinbase blocked them, they had no idea where else to go."
—John Bambenek, ThreatSTOP
Bambenek says he wanted to see how much money white supremacists had gathered since groups had encouraged donations through a bitcoin address.
"In essence, a little less than a million dollars," Bambenek says. "They have real wealth."
But by exposing that public address, Bambenek could begin digging through the blockchain and finding wallets used by donors. Wallet addresses are anonymous, but not private. Googling bitcoin addresses frequently lead to the identity of those controlling the addresses, he says.
"There is a difference between anonymity and privacy that most people don't really grasp," Bambenek says. "Even in our community, we gloss over the nuance between the two."
To illuminate the funding of white supremacists, he created a Twitter account called the NeoNazi BTC Tracker. It regularly posts transactions of suspected people within supremacist movements. The tracker had an immediate impact on their funding, Bambenek says.
"When I started publishing this, people were seeing this, and potential donors were saying 'You guys are sitting on almost a million dollars. What do you need a donation for? You've got real money.'" Bambenek says.
Bitcoin exchanges, which are a critical choke point, also took note. Coinbase, one of the largest exchanges in the U.S., clamped down on bitcoins destined for the Daily Stormer, a prominent supremacist website. Surprisingly, some other exchanges also joined in. That created an immediate problem for the Daily Stormer, Bambenek says.
"Your garden variety Neo-Nazi is a moron when it comes to technology," he says. "They just have no idea how to do things. When Coinbase blocked them, they had no idea where else to go. It took some effort."
Pressure On Exchanges
Still, tracking virtual currency will prove to be challenging with the emergence of more privacy-centric coins such as monero, Bambenek says.
There's increasing use of monero. North Korea, for example, consolidated ransoms paid for the WannaCry ransomware into a monero address that Bambenek says he was able to isolate (see Trump Administration: 'North Korea Launched WannaCry').
But in many ways, converting monero to fiat currency isn't easy. There also doesn't appear to be any exchanges that allow for a direct purchase of monero with cash. Often, someone has to buy bitcoin first, convert that to monero and then covert the monero back to bitcoin to get fiat currency, he says.
Monero doesn't show account balances, unlike bitcoin's blockchain. But Bambenek says he's had some luck tracing bitcoin that was traded for monero and then sent along to a monero wallet address. He did that with "Weev," the nickname of Andrew Auernheimer, a hacker and white supremacist who's lent technical support to the Daily Stormer.
But tracing inter-virtual currency transactions may prove to be more challenging as more currencies are used. Bambenek says he is developing a cross-currency database that will make it easier to, for example, determine an ether wallet is also tied to a litecoin wallet or any other so-called alt-coin.
That will help put more immediate pressure on exchanges that have become unwittingly involved in handling funds for human trafficking, ransomware and other criminality that has migrated to virtual currency.
"That [an exchange] is the weak point of the entire infrastructure," Bambenek says. "Bitcoin is in essence useless until I can turn it into something that I really want."