Cryptocurrency’s Criminal Revolution – Hacker Noon

The Unsavory Cast Of Bitcoin’s Biggest Beneficiaries

The “Revolution”

It’s hard to believe that the “crypto revolution” started a decade ago. I can vaguely remember first hearing about Bitcoin in one of my university’s computer labs way back in 2008, shortly after the Bitcoin whitepaper was published under the pseudonym Satoshi Nakamoto. Ten years later blockchain-mania is in full swing as the full stack of Silicon Valley’s innovation infrastructure scrambles to be the next Blockchain for Uber (powered by Deep Learning).

Since Bitcoin’s debut a slew of competing “coins” and “tokens” have entered the marketplace. Although there are only about 180 government backed currencies worldwide, Investopia reports that more than 800 cryptocurrencies have already failed. In the first half of 2018 more than $6 billion was invested in Initial Coin Offerings (ICOs) where speculators and other patrons can purchase an amount of the cryptocurrency being released. ICO’s have become notorious for being a high risk investment, with more than half of all coins becoming defunct within 4 months of the ICO according to Bloomberg.

The last 18 months have been a roller coaster of hype, success, and despair for those aboard the cryptotrain. As with any gold rush there have been some ill-advised casualties as well as some unexpected winners. Take for example Long Island Iced Tea — a tea company that changed its name to Long Blockchain and subsequently saw its stock value rise nearly 300%. Unfortunately for Long Blockchain, this pivot failed and NASDAQ has since delisted the company’s stock.

Another surprise pivot came from the photography company Kodak, who announced an ICO in January. Kodak’s stated goal is to use blockchain technology and their cryptocurrency “KodakCoin” to protect the intellectual property rights of photographers. Like Long Blockchain, Kodak saw its stock price rise in the immediate aftermath of the announcement. Since the January announcement, Kodak has convinced a few professional sports arenas to adopt partnerships related to KodakCoin.

Only time will tell if Kodak’s bet will pay off, but in the meantime regulators are scrambling to deal with the wave of companies trying to get in on the action. In a reaction to moves like Long Blockchain and KodakCoin the SEC has issued a warning that it will be watching the blockchain market more closely due to this type of gamesmanship. Speaking to the Securities Regulation Institute recently, SEC Chairman Jay Clayton said:

I doubt anyone in this audience thinks it would be acceptable for a public company with no meaningful track record in pursuing the commercialization of distributed ledger or blockchain technology to (1) start to dabble in blockchain activities, (2) change its name to something like “Blockchain-R-Us,” and (3) immediately offer securities, without providing adequate disclosure to Main Street investors about those changes and the risks involved. [source]

Then there’s DogeCoin, the cryptocurrency that was created as a joke. Although his intention was to poke fun at the crypto world using the “Doge” meme as a mascot, Jackson Palmer instead created a cryptocurrency that reached $1 billion in market cap earlier this year. Palmer had this to say reaching the $1 billion mark:

I have a lot of faith in the Dogecoin Core development team to keep the software stable and secure, but I think it says a lot about the state of the cryptocurrency space in general that a currency with a dog on it which hasn’t released a software update in over 2 years has a $1B+ market cap. [source]

It looks like a joke, barks like a joke, but went on to be worth $1B+ so the jokes on us.

As new currencies enter and leave the marketplace, speculators and early adopters need tools to buy, trade, and sell their digital money. Marketplaces that facilitate the transfer of cryptocurrencies are popping up almost as fast as the coins themselves. Services such as Coinbase, Coinsquare, and “Blockmarket by Blockchain Foundry” provide the ability to trade cryptocurrencies and also sell your digital “math-backed” currency for a classical currency backed by a government.

Speculators, investors, and engineers have all lost the plot in the crypto craze. The leaders in the crypto space are wandering aimlessly through the technological landscape looking for more proverbial nails to smash with their shiny new crypto-hammers; conveniently forgetting that when you invent the ship, you also invent the shipwreck. In the meantime gangsters, rogue states, speculators, and money launderers have fallen in love with cryptocurrencies just the way they are.

To understand why these groups are flocking to Bitcoin and other cryptocurrencies we must briefly discuss the technology itself.

Intro To Cryptocurrency: It’s Digital Cash

The key innovation in the Bitcoin whitepaper, called the blockchain, solves a problem that is unique to digitized money. When two individuals exchange cash the proof of the exchange is self evident: one person now has physical bills that another person used to have. Due to the physical nature of cash it is impossible to double spend — spending the cash requires it to physically leaves one’s possession.

With digital currency things aren’t so clear. If I have 20 Bitcoins and I “give” them to you, what actually changes as a result of that transaction? The Bitcoins don’t have a physical existence, so they cannot be transferred in the same literal sense that a $20 bill can be transferred. Any digital data can be copied so having a particular file or other collection of data on your hard drive cannot count as proof of ownership.

Historically we have relied on record keeping and trusted entities to engage in online transactions. We trust banks, credit card companies, and other digital commerce services to keep adequate receipts and ensure that money is reliably transferred between the accounts in question. When those entities make mistakes (malicious or accidental) we rely on the laws, the courts, and the kept records to settle any disputes.

Titled A Peer-to-Peer Electronic Cash System, The Bitcoin white paper described a payment system that was not reliant on a trusted entity like a bank, credit card company, or the promise of legal recourse. The Bitcoin blockchain is a record of every transaction ever made using Bitcoin and it is the heart of the cryptocurrency. In order to exchange Bitcoin two parties need to create a record of the transaction (a block) that will be added to the blockchain.

In this way the blockchain acts as a ledger. Ledgers were revolutionary when they were invented, but that is literally ancient history. The blockchain’s innovation is about where the ledger is stored and how it is maintained. Consider processing a single transaction:

The two parties in the transaction are identified only by their “wallet number” (sometimes called an address). A transaction includes a sending wallet number, a receiving wallet number, an amount of Bitcoin to exchange, the date of the transaction, and other information about the transaction. The transaction is sent to a distributed network of computers that are all running the Bitcoin software. These computers each verify the incoming transaction and add their own “seal of approval” to the transaction. Once enough computers in the network have signed the transaction the resulting data (the block) is added to the public ledger (the blockchain).

All of the computers in this distributed network have a copy of the blockchain, and once consensus has been reached about a new transaction, they all update their copy of the blockchain in exactly the same way. This is why the SEC Chairman Jay Clayton referred to the blockchain as “distributed ledger technology”.

Because Bitcoin enters the global supply as a transaction, the blockchain contains an auditable accounting of every Bitcoin ever “made”. This ledger also effectively solves the key problem of digital currency. The blockchain ensures there is always a record of exchange for every Bitcoin that changes hands — this means the blockchain effectively encodes the amount of Bitcoin that belongs to any given wallet at any given time. The $20 bill being in your wallet is the proof that you have $20; the blockchain is the proof that you have 20 Bitcoin.

In return for doing all the computational work to verify transactions by creating blocks, the computers in the network (called miners) are rewarded with Bitcoin. Anyone who wants to can download the software and the blockchain, and begin mining for themselves. Buyer beware though, the electricity required to mine Bitcoin often costs more than the value of the generated Bitcoin (more on this later).

Much more could be said about the technology and how it works, but instead I’d like to focus an age old question: cui bono?

The New Underground Markets

I’m sure that more than one person has Venmo’d their drug dealer at this point, but transferring lots of money long distances has long been a thorn in the side of criminal enterprises. Cash is king in the criminal world because reliance on traditional financial institutions is big risk. Law enforcement loves to follow the money and lots of criminals are caught as a result.

These days cash is losing ground to cryptocurrencies as the currency of choice for illegal enterprises. Bitcoin’s most touted virtue — performing digital monetary transactions without relying on a trusted third party — is an ideal property for people who cannot rely on traditional financial entities like banks to store and transfer their money. The ease with which Bitcoin flows across borders and oceans is a vast improvement over the transportation of large amounts of cash, especially for cash that was illegally obtained.

In a report that shouldn’t surprise anyone, researchers from the University of Technology Sydney found that approximately 25% of Bitcoin users and 41% of Bitcoin transactions were associated with illegal activity; the same report estimates that roughly $72 billion worth of Bitcoin changes hands for illegal goods and services each year. A majority of the illegal transactions are made on dark web marketplaces like the now defunct Silk Road.

Silk Road was — and the marketplaces that have replaced Silk Road are — attracted to Bitcoin (and other cryptocurrencies) because they enable a level of anonymity that is unrivaled by any other online payment mechanism.

When two parties exchange cryptocurrency they are identified by a wallet number. This number is a unique identifier, but one that carries no personally identifiable information. Two parties that wish to exchange funds enter only the sending and receiving wallet numbers and the amount being exchanged to the transaction that ends up in the blockchain. There are no restrictions on how many wallets you can obtain and there is no centralized management system keeping track of who owns which wallets.

Shipping and handling is a separate problem that requires a separate solution for the exchange of non-digital goods. But like Mitch Hedberg once joked, “I love my Fed-Ex guy cause he’s a drug dealer and he doesn’t even know it.”

Proponents of such websites and cryptocurrency apologists often point out that the most popular item for sale on the dark web is cannabis — which is perfectly legal in a growing number of places. Take a right turn onto libertarian lane and it’s easy to argue that, “the government doesn’t have a place regulating what I put in my body anyway!”

Unfortunately, wherever you personally draw the line on the question “what should a human be able to purchase?” someone on the dark web is selling something way past that line.

Credit card numbers, social security numbers, zero-day hacks, compromised username/password combinations, untraceable guns, recipes for C4 explosive, fake passports/driver’s licenses/state identification, child pornography, and — as in the sting that ultimately took down Silk Road’s creator — assassins for hire. All this and more is for sale on these dark web marketplaces.

Say what you will about drug dealers, but even my worst weed hookup didn’t advertise that he could help me murder someone.

Cryptocurrency didn’t invent the underground market so it’s not fair to blame Bitcoin completely for the creation of Silk Road. On the other hand, it’s obvious to anyone watching that cryptocurrency is emerging as a powerful tool much beloved by the criminal underground.

The Center on Sanctions & Illicit Finance published a memo that examined the laundering of Bitcoin associated with illicit activity. The report found that the number of illegal enterprises utilizing Bitcoin grew five-fold between 2013 and 2016 and that roughly 95% of the Bitcoin being laundered between 2013–2016 originated from transactions made on just 9 dark web marketplaces including Agora, AlphaBay, and Silk Road.

The Center on Sanctions & Illicit Finance memo also noted that:

Our data should not be interpreted to assess or estimate the full amount of illicit Bitcoin transactions which may have occurred on the Bitcoin blockchain. The actual volume of illicit Bitcoin transactions is almost surely to be significantly larger than represented in our sample.

Another research group, CipherTrace, reported that the amount of cryptocurrency being laundered between January and July of 2018 is already triple the amount that was laundered in 2017.

Doing this kind of research on Bitcoin transactions is hard. Bitcoin’s use of wallets as the sole identifier of an entity in a transaction makes analysis harder than with traditional financial institutions and instruments. Law enforcement agencies and data analysis firms are adapting, but just as quickly new coins with an increased focus on privacy such as Dash, Monero, and Zcash are entering the market, making this kind of research (and law enforcement) even harder.

In 2016, the last year covered by the Center on Sanctions & Illicit Finance memo, the authors uncovered a notable standout in the sources of illicitly obtained Bitcoin. In 2016 roughly 15% of laundered Bitcoin originated from ransomware attacks, rocketing up from 0.87% in 2015.

A new era of cryptocurrency enabled cybercrime was heralded by the infamous WannaCry worm.

Trustless Payments For Ransomed Data

Ransomware entered the mainstream when the WannaCry worm infected millions of machines worldwide. Broadly speaking, ransomware is a type of cyber attack that infects a machine and then encrypts all of the data on that machine. This encryption makes it impossible for the owner of the machine to access their own data without the decryption key, which the attacker will gladly sell the victim in exchange for an amount of Bitcoin.

The WannaCry ransomware attack in 2016 cost an estimated $4–6 billion worldwide. It’s hard to know exactly how much money the attackers made, but the upward trend in ransomware attacks suggests that such attacks don’t suck at making their perpetrators money. In a microcosm of cryptocurrency facilitated crime, the North Korean cyber squad that executed the WannaCry attack apparently bought the code from a hacker group called the Shadow Brokers who only accept payment in the form of two privacy focused cryptocurrencies, Monero and Zcash. The Shadow Brokers likely stole the exploit from the NSA, but that’s another story.

Those who would ransom your data are attracted to cryptocurrency for the same reasons that operators of illegal marketplaces are. You’ve all seen this scene in a movie or TV drama: a disguised voice on the phone says, “Come to a sketchy location at midnight with $100,000 in cash. Come alone, we are watching you.”

The cash part is really important. If victims write the criminals a check, then some bank has to approve transfer of funds to someone else’s bank account (presumably the criminal’s). Not only will most banks collaborate with law enforcement to catch the crooks, but there is a lot of red-tape surrounding sudden withdrawals of large amounts of cash for exactly this reason.

For the criminal, going somewhere to get the money is a huge risk. What if it’s a sting? What if the victim brings a gun? What if the victim learns enough to identify one of the criminals? What if an onlooker witnesses the transaction? This is all very messy, not to mention walking around with all that cash makes you a target for police and other criminal enterprises alike.

Ransomware and cryptocurrencies fix a lot of these “problems” with classical ransom. With ransomware there are no physical goods to be exchanged since the data being ransomed is never actually taken anywhere. Similarly, using cryptocurrency as the payment mechanism enables attackers to simply leave a Bitcoin wallet number on the computer, along with instructions for the victim to: get their own Bitcoin wallet, buy some Bitcoin, and send it to the attacker. A perfect crime — money changes hands and neither the attacker nor the victim even have to get out of bed.

The lack of physical exchange also means that criminals can target people who they could never meet up with in real life. In this way cryptocurrency allows would-be attackers to expand their pool of potential victims dramatically.

Dark web sellers and ransomware attackers both love something else about cryptocurrency — it’s easier than cash to launder. The ephemeral nature of this new digital cash makes obfuscating its origin easier. The memo from The Center on Sanctions & Illicit Finance identifies cryptocurrency mixers (also called tumblers) as the primary mechanism for “cleaning” dirty Bitcoin.

Tumblers are conceptually quite simple. You send your dirty Bitcoins to a tumbler’s address along with a brand new “clean” address of your own; the tumbler mixes in Bitcoin from lots of different wallets (some clean some dirty) into their own wallet; and finally the tumbler has that wallet pay out to all the “clean” wallets provided by their customers (after extracting a service fee, of course).

By bundling a bunch of coin into a single wallet then distributing those funds to brand new wallets, mixers make it harder to associate the Bitcoin in the “clean” wallet with the original illicit behavior. Mixers can add all sorts of noisy complexity to their services by transferring funds between many different wallets, further obfuscating the source and destination wallets of any individual client. This process is even more effective when used with emerging anonymity and privacy focused cryptocurrencies such as Monero and Zcash.

In addition to new illicit marketplaces and new kinds of ransom, cryptocurrency is also enabling a new kind of theft. Hackers are stealing electricity and computational power from everyday people in order to mine this difficult-to-track and easy-to-launder source of money. A theft most abstract; some electricity and some clock cycles are stolen and turned into money through the miracle of mathematics.

Stealing Time

Different cryptocurrencies have different exact mechanics, but they are all based on the concept of proof-of-work. The specifics of proof-of-work can get confusing, but conceptually it’s straightforward. Computers that contribute their time and effort to the computational work of approving transactions (creating blocks for the blockchain) are rewarded for that work with Bitcoin (or the cryptocurrency in question). The more work you do, the more you get paid.

Generally speaking, mining Bitcoin costs more in electricity than it is worth. Early adopters got better deals in terms of work-to-bitcoin ratio to encourage growth but nowadays Bitcoin enters the supply more gradually. The result is that it is not reliably profitable to mine Bitcoin without specific hardware (and a lot of it). Even then, after you factor in the costs of buying/renting that hardware, mining a cryptocurrency is far from a sure thing.

Industrious hackers have realized, however, that if you don’t pay for the hardware or the electricity yourself mining is a lot more profitable. Attackers who might have otherwise installed keyloggers, or malware like VPNFilter, are instead extracting value more directly by tricking victims’ computers into mining Bitcoin and other cryptocurrencies.

These attacks, called “crypto jacking”, are often easy to execute and in many cases may not be illegal at all. Embedded advertisements, images, and videos on websites can be designed to carry and execute code that mines Bitcoin or other cryptocurrencies. Even reputable websites have been compromised, for example ads carrying crypto jacking payloads were found on YouTube earlier this year.

Advertisements have long been a source of concern for privacy advocates who worry about tracking cookies and other nefarious data collection tactics. Now advertisements can steal your CPU cycles and profit from you automatically. Isn’t the Internet a beautiful place?

Hackers have found ways to hijack all kinds of internet connected devices. From the obvious targets like web-browsers and cloud computing platforms like Amazon Web Services to the more obscure like wifi-connected toasters and fish tanks. As companies scramble to get connected to the “Internet of Things” (IoT), they tend to do so without much regard for security.

The Internet of Things has proven to be fertile ground for hackers, from the massive IoT DDoS attack against DNS back in 2016, to the refrigerators in the popular HBO series Silicon Valley earlier this year, hacking the IoT is mainstream and cryptojackers are on the bandwagon.

Ephemeral Assets With Real Costs

Some of the byproducts of the blockchain — such as Etherium’s 1+ terabyte ledger — are ephemeral and intangible by their nature. Unfortunately, the energy consumption and the byproduct of producing that energy isn’t intangible at all. Bitcoin production worldwide has already exceeded the country of New Zealand in terms of energy consumption and that’s just Bitcoin. As more people and companies get into blockchain energy costs will continue to rise.

In addition to enabling all kinds of new and creative criminal enterprises, cryptocurrencies are having a very direct impact on global energy use and climate change. Despite all this, the investors of Silicon Valley can’t wait to “put a blockchain on it,” regardless of what “it” is. We’ve heard this story before: move fast, break things, and deal with the fallout later.

Meanwhile, scientific organizations are predicting that sea levels will rise between 2–6 feet by 2100 and the CEO of CipherTrace predicts that more than $1.5 billion in cryptocurrency will be stolen this year.

I believe that the Bitcoin whitepaper actually was revolutionary, and that cryptocurrency is probably here to stay. The core ideas of Bitcoin, including the blockchain, have the potential to reshape and disrupt more than just criminal enterprises. Stories like the ones about the Venezuelans who are mining Bitcoin as a hustle to survive in a harsh regime are a reminder that there are legitimate applications for these kinds of “trustless” payments, especially outside of well-developed market democracies.

It is folly, however, to simply ignore the unintended consequences of these technology advances. As it stands, Bitcoin has been most beneficial to two main groups: speculators and criminals. As the global community continues to grapple with the new challenges of how to regulate, police, and innovate responsibly in the digital spaces of the information age it is crucial that we take the time to carefully examine the bigger picture.

The impact of future innovations will depend largely on what research is targeted as well as what kinds of policy governments adopt regarding the nascent technology. In making those decisions, we should carefully consider all the ways this technology can be deployed, not just the ways we hope it will be deployed.

read original article here