When hackers unleashed the WannaCry “ransomware” in mid-May, not only did they wreak havoc on European hospitals, telecoms and railways, they also made off with a profit. The malicious software locked up thousands of computers’ files and demanded $300 ransom payments in order to decrypt them. Victims have so far ponied up more than $140,000 in bitcoin, the digital currency whose reputation for anonymity attracts the libertarian-leaning, the privacy-minded—and the criminally inclined.
Contrary to its reputation, however, bitcoin is quite traceable, making such large attacks harder to profit from than people initially thought. Even after the WannaCry hackers attempted earlier this month to launder their money into a more anonymous bitcoin alternative called monero, experts say it will take an extraordinarily meticulous effort to cash out without leaving digital bread crumbs.
The WannaCry attack operated by infecting out-of-date Windows computers, encrypting their files and automatically generating a message directing victims to pay a ransom or permanently lose their data (hence the term ransomware). In the days after the attack, however, many speculated the perpetrators had already shot themselves in the foot. Well-designed ransomware instructs each victim to pay into a fresh bitcoin “address,” which University of Surrey computer scientist Alan Woodward compares with a Swiss bank account number; the address can receive money and anyone with the keys can spend the money, but the address itself contains no identifying information. That allows addresses storing ransoms to hide innocently among the thousands of new addresses created daily. But the WannaCry software had each victim send the spoils to one of just three different addresses—telling the authorities exactly where to look.
This might not pose a problem for the crooks were it not for the fact that all bitcoin transactions are public. At the heart of the system is the “blockchain”—a giant list of every bitcoin transaction that has ever occurred, with new ones submitted and confirmed by participating computers in a decentralized, elegantly orchestrated protocol. Each blockchain entry describes a transfer of money among addresses—for example, “at 12:01 P.M. on August 9, Address A and Address B gave one bitcoin each to Address C.”
Addresses are thus not truly anonymous, but rather function as pseudonyms. If the authorities know ransomers own an address, the blockchain gives them an easy trail to follow to see where the money is flowing. And if law enforcement identifies the owners of any account to which the money is moved or if the ATMs or online cryptocurrency exchanges at which the owners cash out know their identities (as is generally required by law), the game is up for the extortionists.
Mixing and Matching
Less than five years ago—in the early days of bitcoin—criminals felt so assured of the cryptocurrency’s anonymity that they built their business models on it, says Michael Gronager, CEO of bitcoin analysis company Chainalysis. But in 2015 two law enforcement agents who had been investigating the bitcoin-based black market Silk Road were prosecuted for a number of crimes, including fraud and money laundering, in part on the basis of blockchain analysis by Chainalysis and others. The takeaway for criminals was clear: get smart about bitcoin anonymity or get caught.
One option was to launder ill-gotten gains by “mixing” them with other users’ money. Under the simplest mixing method, an anonymity-craving user hands their bitcoins to a third-party address—a “tumbler” or “mixer”—which doles it back out to fresh, unsullied addresses belonging to the same owner. The mixer’s address becomes a dead end in the trail, as the origins of any bitcoins emerging from it are indistinguishable from one another. This method requires entrusting the potentially shady mixer with temporary ownership of the bitcoins. Less trust-dependent services, such as the JoinMarket mixer, act instead as matchmakers among many people looking to transfer bitcoins. By helping these parties merge their smaller transactions into one large transaction with many inputs and outputs, the mixer obscures who is paying whom.
Leaky Privacy Protection
The difficulty of anonymizing transactions got people thinking: Why not make anonymity a core cryptocurrency feature, rather than duct-taping it onto bitcoin? Monero, the digital currency the WannaCry culprits tried to convert their bitcoins into, is an alternative that effectively turns every transaction into a mix. Rather than recording a single sender, each blockchain entry records something akin to “one of the following six addresses sent a coin.” Monero also offers “stealth addresses,” which allow users to dissociate the addresses used in different transactions. After a few transactions have occurred, it becomes very difficult to track where the original money went.
Still, experts say the mouse has not yet escaped the cat. For one thing, ShapeShift, the service the WannaCry hackers used to exchange their bitcoins into monero, blacklisted the dirty bitcoin addresses from transacting on the service before most of the money could be traded. Additionally, ShapeShift publicly records which XMR (the unit of monero) were bought with which bitcoins, so investigators know where to start in the monero network.
Cybersecurity experts will likely discover more ways to de-anonymize downstream monero transactions. Andrew Miller, an assistant professor in computer science at the University of Illinois at Urbana–Champaign, points to a flaw in earlier versions of monero in which addresses with balances of zero would be included in mixes, effectively reducing the number of participants. Although that vulnerability has been fixed, he speculates there may be more like it. And because monero is not highly traded, there will be few legitimate users to give the thieves cover, Gronager adds.* Ultimately,” says Sarah Meiklejohn, an assistant professor of computer science at University College London, “however you move the money…it’s going to be [in the blockchain] forever, so you’re giving law enforcement a lot of time to figure it out.”
Even if monero does sweep away the blockchain trail, the hackers will have countless opportunities to let their masks slip. Meiklejohn, who helped pioneer blockchain de-anonymization techniques, notes it is easy to spot when criminals reconsolidate money that has been split and handled by mixers. She has also managed to link thousands of unknown addresses with known dirty ones based on the fact that they regularly send money together.
In addition to the flow of money, Miller says, the crooks’ network connections can give them away. If they are not exceptionally careful, law enforcement can see which computers are submitting the obfuscating transactions, which may be just the clue the FBI needs to launch a raid. Even the timing of transactions can be enough to reveal hidden connections between accounts. “If [the perpetrators] make even a single mistake, there may be enough information to track them,” Miller says.
Ultimately, cryptocurrencies remain much like our familiar financial system. What really enable financial criminals, Gronager says, are jurisdictions willing to shelter them. But with many exchanges in such places facing either poor reputations or government takedowns, technological solutions will not save most swindlers from persistent investigators. Just as in the physical world, a perfect crime will be a rare beast—and WannaCry is likely no exception.
*Editor’s Note (8/17/17): This sentence was edited after posting. The original incorrectly indicated that stealth addresses are rarely used in monero.