When Bitcoin burst onto the scene in 2009, fans advertised cryptocurrency as a secure, decentralized, and anonymous way to transact outside of the traditional financial system.
Criminals, who often operate in hidden places on the internet, flocked to Bitcoin to do illicit business without revealing their names or locations. The digital currency quickly became as popular with drug dealers and tax evaders as it was with contrarian libertarians.
But this week’s revelation that federal officials had recovered most of the Bitcoin ransom paid in the recent Colonial Pipeline ransomware attack exposed a fundamental misconception about cryptocurrencies: They are not as difficult to track as cybercriminals think.
On Monday, the Justice Department announced that it had tracked and recovered 63.7 of the 75 Bitcoins (about $2.3 million of the $4.3 million) that Colonial Pipeline had paid to the hackers whose ransomware attack shut down the company's IT systems, causing fuel shortages and a spike in gasoline prices. Since then, officials have declined to give further details on exactly how they got the Bitcoin back.
However, for the growing community of cryptocurrency enthusiasts and investors, the fact that federal investigators had followed the ransom through at least 23 different electronic accounts belonging to DarkSide, the hacking collective, before gaining access to one of them showed that law enforcement was maturing along with the industry.
This is because the very properties that make cryptocurrencies attractive to cybercriminals, above all the ability to transfer money instantly without a bank's permission, can be exploited by law enforcement to track and seize criminals' funds at internet speed.
Bitcoin is also traceable. While the digital currency can be created, moved, and stored out of reach of any government or financial institution, every payment is recorded on a permanent, append-only public ledger called a blockchain.
That means all Bitcoin transactions are out in the open. Anyone who connects to the network can download and inspect the entire Bitcoin ledger.
“They’re digital breadcrumbs,” said Kathryn Haun, a former federal prosecutor and investor at venture capital firm Andreessen Horowitz. “There is a trail that law enforcement can follow quite well.”
Ms Haun added that the speed with which the Justice Department seized most of the ransom was "revolutionary" precisely because of the hackers' use of cryptocurrency. By contrast, she said, obtaining bank records often requires months or years of navigating paperwork and red tape, especially when those banks are abroad.
Given the public nature of the ledger, crypto experts said, all law enforcement had to do was figure out how to connect the criminals to a digital wallet, which is what holds the Bitcoin. To do this, the authorities probably focused on what are known as the "public key" and the "private key".
A public key (in practice, the address derived from it) is the string of letters and numbers a Bitcoin holder shares in order to receive payments from others; the matching private key is the secret that authorizes spending from that address, and is therefore what keeps the wallet safe. Tracing a user's transaction history was a matter of working out which public keys they controlled, the authorities said.
Seizing the assets required obtaining the private key, which is harder. It is unclear how federal agents were able to obtain DarkSide's private key.
Justice Department spokesman Marc Raimondi declined to say more about how the FBI came to hold DarkSide's private key. According to court documents, investigators had obtained the private key to one of the hackers' Bitcoin wallets, although the filings did not say how.
The FBI did not appear to rely on any underlying vulnerability in blockchain technology, cryptocurrency experts said. The most likely explanation was good old-fashioned police work.
Federal agents could have obtained DarkSide's private keys by placing a human informant inside DarkSide's network, hacking into the computers where the group's private keys and passwords were stored, or compelling the service that hosted its wallet to hand them over through a search warrant or other means.
“If they can get hold of the keys, it’s seizable,” said Jesse Proudman, founder of Makara, a cryptocurrency investment site. “Simply putting it on a blockchain does not absolve that fact.”
The FBI has partnered with several companies that specialize in tracking cryptocurrency as it moves between digital accounts, according to officials, court documents and the companies themselves. Startups such as TRM Labs, Elliptic, and Chainalysis, which track cryptocurrency payments and flag potential criminal activity, have flourished as law enforcement agencies and banks try to get ahead of financial crime.
Their technology scans blockchains for patterns that suggest illegal activity, such as funds being split and hopped rapidly through many fresh addresses. It is similar to how Google and Microsoft tamed spam by identifying and then blocking the accounts that blasted email links across hundreds of other accounts.
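To make the tracing described above concrete (the public ledger as a trail of "digital breadcrumbs", identification of the addresses a group controls, and the pattern-scanning that firms like Chainalysis sell), here is an added Python example. It is not code from the article or from any of the companies it names. It builds a small, constructed transaction ledger, seeds the ransom transaction as fully tainted, and follows the coins forward using the "haircut" heuristic common in chain analysis: each output of a transaction inherits the tainted fraction of that transaction's inputs as a whole. The addresses, amounts, hop counts and the exchange label are all assumptions made for the example; the simplifying rule that every address is spent only once is also an assumption.

```python
"""Transaction-graph tracing of a ransom payment on a toy ledger.

Added example, not code from the article or from TRM Labs, Elliptic or
Chainalysis. The ledger, addresses, amounts and the exchange label below are
constructed for illustration and are not real Bitcoin data.
"""
from collections import defaultdict

# Constructed sample ledger, in block order (each tx spends earlier outputs).
# Toy assumption: every address is used once, so spending from an address
# moves all of the tainted coins it holds (common one-time-address usage).
LEDGER = [
    {"txid": "tx1", "inputs": [("victim", 75.0)],
     "outputs": [("dark1", 75.0)]},                      # the ransom payment
    {"txid": "tx2", "inputs": [("dark1", 75.0)],
     "outputs": [("dark2", 63.7), ("aff1", 11.3)]},      # split: operator / affiliate cut
    {"txid": "tx3", "inputs": [("dark2", 63.7), ("clean1", 36.3)],
     "outputs": [("mix1", 100.0)]},                      # co-mingled with clean coins
    {"txid": "tx4", "inputs": [("mix1", 100.0)],
     "outputs": [("exch_dep", 50.0), ("dark3", 50.0)]},  # half lands at an exchange
]

# Hypothetical attribution data: addresses an analyst has labelled as deposit
# addresses of a regulated, KYC-collecting exchange (identity can be subpoenaed).
EXCHANGE_ADDRESSES = {"exch_dep": "ExampleExchange (hypothetical)"}


def trace(ledger, ransom_txid, exchange_addresses):
    """Follow the ransom forward with the 'haircut' taint heuristic: every
    output of a transaction inherits the tainted fraction of the transaction's
    inputs taken together. Returns (tainted, hops, flagged):
      tainted  - unspent address -> tainted coins still parked there
      hops     - address -> number of transactions since the ransom tx
      flagged  - (address, label, tainted amount, hops) for deposits that
                 reached a labelled exchange address
    """
    tainted = defaultdict(float)   # tainted coins currently held per address
    hops = {}                      # distance in transactions from the ransom tx
    flagged = []
    seeded = False
    for tx in ledger:
        if tx["txid"] == ransom_txid:
            # Everything the ransom transaction pays out is 100% tainted.
            for addr, amount in tx["outputs"]:
                tainted[addr] += amount
                hops[addr] = 0
            seeded = True
            continue
        if not seeded:
            continue  # transactions before the ransom cannot carry its coins
        total_in = sum(amount for _, amount in tx["inputs"])
        # Spending an address consumes the tainted coins parked at it.
        tainted_in = sum(tainted.pop(addr, 0.0) for addr, _ in tx["inputs"])
        if tainted_in == 0.0:
            continue  # no tainted input, so the outputs stay clean
        fraction = tainted_in / total_in
        hop = 1 + max(hops.get(addr, 0) for addr, _ in tx["inputs"])
        for addr, amount in tx["outputs"]:
            share = amount * fraction
            tainted[addr] += share
            hops[addr] = hop
            if addr in exchange_addresses:
                flagged.append((addr, exchange_addresses[addr], share, hop))
    return dict(tainted), hops, flagged


if __name__ == "__main__":
    held, hops, flagged = trace(LEDGER, "tx1", EXCHANGE_ADDRESSES)
    for addr, label, share, hop in flagged:
        print(f"{share:.2f} tainted BTC reached {addr} ({label}) after {hop} hops")
    print("tainted coins still unspent:", {a: round(v, 2) for a, v in held.items()})
```

Two properties worth checking on any tracer of this kind: taint is conserved (the tainted amounts at the unspent addresses sum back to the 75 BTC ransom, so mixing with clean coins dilutes the trail but does not erase it), and the only place a seizure or subpoena can bite is where tainted coins touch a labelled, identity-linked address such as the exchange deposit; coins that stay in the group's own addresses are traceable but not recoverable without the private key, which is exactly the point the next paragraphs make.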
"Cryptocurrency allows us to use these tools to track funds and financial flows along the blockchain in ways we could never do with cash," said Ari Redbord, head of legal affairs at TRM Labs, a blockchain intelligence company that sells its analytical software to law enforcement and banks. He previously served as a senior adviser on terrorism and financial intelligence at the Treasury Department.
Several longtime crypto enthusiasts said that the recovery of much of the Bitcoin ransom was a victory for the legitimacy of digital currencies. That would help change the image of Bitcoin as the playground of criminals, they said.
“It is being shown to the public little by little, case after case, that Bitcoin is good for law enforcement and bad for crime, the opposite of what many historically believed,” said Hunter Horsley, CEO of Bitwise asset management, a cryptocurrency investment company.
In recent months, cryptocurrencies have become increasingly mainstream. Companies like PayPal and Square have expanded their cryptocurrency services. Coinbase, a start-up that lets people buy and sell cryptocurrencies, went public in April and is now valued at $47 billion. Over the weekend, a Bitcoin conference in Miami drew more than 12,000 attendees, including Twitter CEO Jack Dorsey and former boxer Floyd Mayweather Jr.
As more people use Bitcoin, most access the digital currency in a way that mirrors a traditional bank, through a central intermediary such as a crypto exchange. In the United States, anti-money laundering and know-your-customer laws require such services to verify who their customers are, creating a link between a real identity and an account. Customers must upload a government ID when registering.
Ransomware attacks have put unregulated crypto exchanges under the microscope. Cybercriminals have gravitated to thousands of high-risk exchanges in Eastern Europe that do not abide by these laws.
After the Colonial Pipeline attack, several financial leaders proposed a ban on cryptocurrencies.
"We can live in a world with cryptocurrencies or a world without ransomware, but we can't have both," Lee Reiners, executive director of the Global Financial Markets Center at Duke Law School, wrote in The Wall Street Journal.
Cryptocurrency experts said the hackers could have done more to secure their Bitcoin. Some cryptocurrency holders go to great lengths to keep their private keys away from anything connected to the internet, in what is called a "cold wallet". Some memorize the string of numbers and letters; others write it down on paper, though a paper copy can still be obtained through a search warrant or other police work.
"The only way to get the truly unseizable feature of the asset class is to memorize the keys and not have them written down anywhere," Proudman said.
Raimondi of the Justice Department said the Colonial Pipeline ransom seizure was the latest in a series of efforts by federal prosecutors to recover illicitly obtained cryptocurrency. He said the department has made "many seizures, worth hundreds of millions of dollars, of unhosted cryptocurrency wallets" used for criminal activity.
In January, the Justice Department disrupted another ransomware group, NetWalker, which used ransomware to extort money from municipalities, hospitals, law enforcement agencies, and schools.
As part of that operation, the department seized around $500,000 of NetWalker's cryptocurrency that had been collected from the victims of its ransomware.
"Although these people believe that they operate anonymously in the digital space, we have the ability and tenacity to identify and prosecute these actors to the full extent of the law and confiscate their criminal proceeds," María Chapa López, then the United States attorney for the Middle District of Florida, said when the case was announced.
In February, the Justice Department said it had obtained warrants to seize nearly $2 million in cryptocurrency that North Korean hackers had stolen and deposited into accounts at two different cryptocurrency exchanges.
Last August, the department also unsealed a complaint against North Korean hackers who stole $28.7 million worth of cryptocurrency from a cryptocurrency exchange and then laundered the proceeds through Chinese over-the-counter laundering services. The FBI tracked the funds to 280 cryptocurrency wallets and their owners.
In the end, “cryptocurrencies are actually more transparent than most other forms of value transfer,” said Madeleine Kennedy, a spokeswoman for Chainalysis, the startup that tracks cryptocurrency payments. “Certainly more transparent than cash.”