Anatomy of a Bitcoin Heist: The Electrum Atom Malware Saga

Nick Bax
Jul 21, 2023

In January 2018, Andrew Schober was tricked into downloading a purported cryptocurrency wallet called “Electrum Atom” (also deployed under the name “Electrum Gold”) which resulted in approximately 16.4 Bitcoins being stolen from him [1]. Electrum Atom turned out to be an early variation of what has been dubbed “clipboard hijacker” malware [2,3]. The malware monitored the copy-paste (or “clipboard”) function of the infected computer until it detected that the user had copied a Bitcoin address. When the malware recognized a Bitcoin address, it modified the Bitcoin address stored in the clipboard to a similar-looking Bitcoin address controlled by the malware operator. By doing this, the malware was able to divert bitcoin from Mr. Schober to an address controlled by the creator of the Electrum Atom malware.

Figure 1. Figure and caption from Schober v. Thompson complaint. [4]

In May 2021, Mr. Schober filed a lawsuit in Colorado against two minors from the UK, Defendants Benedict Thompson and Oliver Read, and their respective parents, alleging that they stole Schober’s bitcoin via the Electrum Atom malware. Both Benedict Thompson and Oliver Read deny any involvement with the incident.

In public court filings, Schober and his legal team have released interesting forensic evidence obtained during the discovery process. This article aims to examine and explain the evidence unearthed by Mr. Schober during his lengthy investigation and provides broader insights into the reality of digital asset recovery through the judicial system. All evidence contained herein is readily auditable by other experienced blockchain analysts.

195,112 Bitcoin addresses are embedded in the malware and controlled by its operator

About 1 month after the malware diverted Schober’s bitcoin (BTC) to the address 1CZioyptarnQ3rdT9np2rwMwXftMX9ATT7, it was transferred to a Bitfinex deposit address: 3CWQ5d2XgCrYuz7F3g4fmhd6VQMv4iPio7.

Figure 2. Screenshot of flow of Mr. Schober’s stolen BTC to Bitfinex from complaint. [4]

Realizing he would need more data in order to identify who had stolen his BTC, Schober enlisted the help of a malware analyst who was able to extract a list of bitcoin addresses embedded within the malware code.

Figure 3. Screenshot of the description of the pre-generated list of bitcoin addresses in the malware code [4].

Tracing the Malware Transactions to the Defendants

Out of the 195,112 addresses embedded in the malware, a total of four, including the one which received Schober’s stolen BTC, were found to have received BTC between November 2017 and January 2018. This proved extremely valuable to the investigation: much like a forensic investigator can link bullets from different crime scenes to the same firearm, this made it possible to link multiple alleged thefts to the Electrum Atom malware and broaden the surface area of the investigation.

Table 1. Addresses embedded in the Electrum Atom malware which received BTC.

Two of the malware-controlled addresses, 1PpV and 1A6K, sent about 0.54 BTC to a different Bitfinex account than the one which received Schober’s stolen BTC. This Bitfinex account had a deposit address beginning with 1Gqt. [Fig. 4]

Figure 4. A transaction graph showing the flow of funds from a non-malware address, 3JjP, to two Electrum Atom malware addresses, 1A6K and 1PpV, and then on to the Bitfinex deposit address 1Gqt.

An FBI document reveals that the username on the 1Gqt Bitfinex account was “JamesandJohn” and the e-mail “annaadmams12@gmail.com”. [Fig. 5] Benedict Thompson acknowledged using this email, though he claims it was also used by others. [Fig. 6] Benedict Thompson has denied using the alias “JamesandJohn”. This is contradicted by the FBI document, which identifies JamesandJohn as an alias used by Benedict Thompson. [Fig. 5] This connection is further corroborated by a comment Benedict Thompson posted on Github, where he disclosed using a computer with the username “JamesandJohn”. [Fig. 7]

Figure 5. Screenshot of FBI file stating that Benedict Thompson was using the username ‘JamesandJohn’ as an aka. This username is connected to the 1Gqt Bitfinex account. [Highlighting added]
Figure 6. Benedict Thompson’s response to a discovery question admitting he used the e-mail address “annaadmams12@gmail.com”. This e-mail address was used to register the 1Gqt Bitfinex account, which received stolen BTC from the Electrum Atom malware. [Table 1, Figs. 4,5]
Figure 7. Screenshot of comment posted on Github where Thompson reveals he is using a computer with the username “JamesandJohn”. [Emphasis added]

In summary, there are multiple connections between Benedict Thompson and the 1Gqt Bitfinex account which received BTC from addresses embedded in the Electrum Atom malware.

The controller of the Bitfinex account which received Schober’s stolen BTC used an IP address which likely shared a subnet used by Thompson

Schober’s stolen BTC was sent to a Bitfinex account with a deposit address beginning in “3CWQ”. The 3CWQ account was registered with the username “thp2pk”. An FBI document shows that on February 25, 2018, thp2pk logged in to the 3CWQ Bitfinex account from Southampton, UK, where the Thompson family lives, using an IP address registered to British Telecom: 86.158.130.34. [Fig. 8]

Figure 8. FBI document stating that the 3CWQ Bitfinex account was logged into with the IP address 86.158.130.34. After Mr. Schober’s stolen BTC was deposited to the account by the malware controller, it was converted to Monero and withdrawn to the 44nUb Monero address. [Highlighting added]

The first three octets of the IP address are identical to those of numerous IP addresses used by Benedict Thompson [Table 2]. A plausible explanation for this is that the device used to log in to the 3CWQ Bitfinex account was on the same subnet as Thompson’s devices.

Table 2. Documents uncovered in discovery revealed that IP addresses used by thp2pk and Benedict Thompson were likely on the same subnet.

Shortly after receiving Mr. Schober’s stolen BTC, the person in control of the 3CWQ Bitfinex address converted the BTC to Monero (XMR) and withdrew it to a Monero address beginning with 44nUb [Fig. 8]. Monero is notoriously difficult to track and Mr. Schober did not have the benefit of access to the 3CWQ account data until months after his lawsuit was filed.

Bitcoin from the Electrum Atom Malware was sent to ShapeShift.io, converted to XMR, then sent back to ShapeShift and converted to Bitcoin

A fourth address embedded in the Electrum Atom malware, 1JrT4DePAThEHarvEiYyRu2x2anhMCsoPr, received 0.10179145 BTC on December 30, 2017. On January 10, 2018, the controller of the malware address sent all of the funds to an “instant exchange” called ShapeShift.io and converted the BTC to Monero (XMR). ShapeShift was well-known for allowing users to swap between different cryptocurrencies without providing an e-mail or other identifying information. [5]

ShapeShift’s API shows that the ~0.1 BTC sent from the 1JrT malware address was converted to ~3.62 XMR, which was sent to a Monero address beginning with 46uK at 19:52:06 UTC (block 1484306) on January 10, 2018:

{"status":"complete",
"address":"3HbANjJRUw8GdK16Xk572qKDarAV4Hy17H",
"withdraw":"46uKqypoMZFFURWJd1H8z5fFwrUHES2PgHUUQ7b4mSQW2LBCg67S3fqdZ4asfaRcHj115TMTepHyxT9zYCRJR9pkAuZnNEY",
"incomingCoin":0.10082679,
"incomingType":"BTC",
"outgoingCoin":"3.62709924",
"outgoingType":"XMR",
"transaction":"5ef113d20b62c8302d97ef0db3678d3c9e802bcbc1880e2a32605734dfb7afd9",
"transactionURL":"https://xmrchain.net/tx/5ef113d20b62c8302d97ef0db3678d3c9e802bcbc1880e2a32605734dfb7afd9"}

Immediately after the ~3.62 XMR received from the BTC → XMR ShapeShift transaction became spendable, 3.6 XMR was sent back to ShapeShift and converted to 0.09606655 BTC, which ShapeShift sent to the vanity Bitcoin address 1BeNEdictBLbmVJ9LXkSwqiyWWf36XKTD1. The 1BeNEdict address is verified as belonging to Benedict Thompson on keybase.io [Fig. 9] and is also linked to Thompson’s Reddit, Github, and Twitter accounts.

Figure 9. Screenshot of Benedict Thompson’s keybase.io account, linking him to the 1BeNEdict vanity bitcoin address.

The temporal correlation is striking: ~0.1 BTC from an address embedded in the Electrum Atom malware was converted to ~3.62 XMR at ShapeShift, and immediately afterwards ~3.6 XMR was sent back to ShapeShift and converted to ~0.096 BTC, which was sent to Benedict Thompson’s bitcoin address.

Furthermore, it is possible to demonstrate that the XMR unspent transaction output (UTXO) spent and sent to ShapeShift was very likely the exact same UTXO received from ShapeShift a half hour earlier via an Eve-Alice-Eve (EAE) attack. I previously described an EAE attack against the North Korean Lazarus Group as they cashed out their proceeds from the WannaCry malware here. Briefly, Monero’s RingCT confidential transactions hide the amount being transacted on the blockchain (but ShapeShift’s API provides us with this information). Monero’s RingCT also hides the exact UTXO being spent, but does provide blockchain analysts with a list of plausible “ring members”, one of which is being spent and the remainder of which are “decoys”. [Fig. 10]

Figure 10. Screenshot of the transaction which sent 3.6 XMR to ShapeShift in exchange for ~0.096 BTC being sent to 1BeNEdict. The transaction is using exactly 1 UTXO as an input. One of the ring members is necessarily the real TXO being spent, and the remaining four are “decoys”. Ostensibly, each ring member has a similar probability of being the real TXO that is used as an input. The ‘timestamp’ column shows the time when the transaction that produced the TXO was confirmed.

Four of the five plausible ring members for the transaction were broadcast over one month earlier, whereas the fifth ring member was broadcast in the BTC → XMR ShapeShift transaction about a half hour earlier. In September 2021, a bug in Monero’s decoy selection algorithm which “caused the algorithm to select marginally fewer decoy outputs roughly 10 to 20 blocks old” was disclosed, which may further increase the probability that the 12-block-old ring member was the UTXO being spent, as opposed to a decoy. [6]
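The EAE reasoning above, applied to a ShapeShift-style status record like the one quoted earlier, as an added worked example (this is illustration code, not the author’s tooling; the ring, the spend height, the transaction ids and the amounts in the record are constructed, and only the block height 1484306 comes from the article):

```python
import json
from dataclasses import dataclass

# Constructed record using the field names of the ShapeShift status JSON
# quoted in the article; ids and amounts are placeholders, not the real ones.
SHIFT_BTC_TO_XMR = json.dumps({
    "status": "complete",
    "withdraw": "4PLACEHOLDER_XMR_ADDRESS",
    "incomingCoin": 0.1008, "incomingType": "BTC",
    "outgoingCoin": "3.627", "outgoingType": "XMR",
    "transaction": "tx_eve_to_alice",  # constructed tx id of Eve -> Alice
})

@dataclass(frozen=True)
class RingMember:
    source_tx: str     # transaction that created this candidate output
    block_height: int  # block in which that transaction was confirmed

def exchange_outputs(record: str) -> dict:
    """Outputs Eve (the exchange) knows she created: tx id -> XMR amount.
    RingCT hides amounts on-chain, but the exchange's own record has them."""
    d = json.loads(record)
    if d.get("status") != "complete" or d.get("outgoingType") != "XMR":
        return {}
    return {d["transaction"]: float(d["outgoingCoin"])}

def eae_analysis(ring, known, spend_height):
    """Annotate each ring member with its age at spend time and whether Eve
    created it. Exactly one member is the real input; the rest are decoys."""
    return [{"tx": m.source_tx,
             "age_blocks": spend_height - m.block_height,
             "known_to_eve": m.source_tx in known,
             "xmr": known.get(m.source_tx)} for m in ring]

def likely_real_input(rows, spent_xmr):
    """EAE heuristic: a member Eve herself created that is also large enough
    to fund the spend is almost certainly the real input. Returns that row,
    or None when there is no single such candidate."""
    hits = [r for r in rows if r["known_to_eve"] and r["xmr"] >= spent_xmr]
    return hits[0] if len(hits) == 1 else None

# Constructed ring: four old decoys plus the output Eve created 12 blocks
# before the spend (1484306 is the article's block; 1484318 is assumed).
RING = [RingMember("decoy_a", 1460000), RingMember("decoy_b", 1455210),
        RingMember("decoy_c", 1449988), RingMember("tx_eve_to_alice", 1484306),
        RingMember("decoy_d", 1462222)]
ROWS = eae_analysis(RING, exchange_outputs(SHIFT_BTC_TO_XMR), 1484318)
```

The age column alone already singles out the youngest member; the exchange’s own record turns that hint into a near-certain identification.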

Schober obtained internal data from ShapeShift related to the XMR to BTC swap. The data shows that in addition to the “withdraw” parameter being set to “1BeNEdict”, the “returnAddress” parameter, a refund address provided by the customer in case of transaction issues, matched the exact same 44nUb Monero address Schober’s stolen assets were transferred to from Bitfinex 1.5 months later. [Fig. 11]

Figure 11. Screenshot of data received from ShapeShift showing the returnAddress for the XMR transaction which sent BTC to the 1BeNEdict BTC address [emphasis added]. After converting Schober’s stolen BTC to XMR at Bitfinex, the person who stole Schober’s BTC withdrew the XMR to the exact same address.

The transaction chain from the 1JrT4 malware address to Thompson’s 1BeNEdict vanity address strongly links him to the Electrum Atom malware. Temporal analysis shows that the stolen BTC was very likely “chain hopped” to Monero and then “U-turned”[7] back to BTC sent to Benedict Thompson’s 1BeNEdict address a half hour later. The Eve-Alice-Eve attack strongly corroborates that the temporal analysis is correct.

The returnAddress parameter on the XMR → BTC ShapeShift transaction which sent ~0.096 BTC directly to Thompson provides a strong link between the person who initiated the ShapeShift transaction and the person who stole Schober’s BTC; the 44nUb Monero address was reused at Bitfinex to withdraw Schober’s stolen property from Bitfinex after the stolen BTC was converted to XMR. [Fig. 12]

Figure 12. Graph of transactions tracing the flow of funds from the Electrum Atom malware address 1JrT…soPr to ShapeShift where it was converted to XMR. The XMR was then sent back to ShapeShift and converted to BTC which was sent to 1BeNEdict. The second ShapeShift transaction used the Monero address 44nU…723i as a refund address in case there were any issues with the swap.

Corroborating Evidence

In addition to the blockchain-based evidence, Mr. Schober found compelling circumstantial evidence showing that the defendant Benedict Thompson not only possessed the knowledge necessary to build clipboard hijacking malware but was actively ideating it. A few weeks before the malware appeared in the wild, Thompson wrote a post to the bitcoin-dev mailing list describing how quickly a computer could maliciously generate visually indistinguishable Bitcoin vanity addresses that mimic an address to which a user intends to send BTC. [Fig. 13]

Figure 13. Screenshot of Thompson’s bitcoin-dev mailing list post describing how a computer could maliciously generate vanity Bitcoin addresses that are visually indistinguishable from the desired Bitcoin address. [Emphasis added]

Not only did Thompson ideate around this — his public Github actually included much of the code needed to build out the Electrum Atom malware. For instance, Thompson’s Github page included a Bitcoin vanity address generator which could be used to generate the 195,112 addresses embedded in the malware and the Electrum client with which the malware was bundled.

The complaint also alleges that another defendant, Oliver Read, was promoting the Electrum Atom malware on Reddit.

Conclusion

This investigation highlights a wide range of cyber investigatory methods. Andrew Schober started with standard open source intelligence (OSINT) techniques. He then enlisted the help of others to analyze the malware and the cryptocurrency addresses contained therein. When Schober encountered information that was held by centralized entities, he relentlessly looked for ways to obtain it, eventually going as far as to serve them with civil subpoenas. In other instances, Schober obtained information pertinent to his investigation directly from the Cyber Division of the FBI.

Despite the fact that potential evidence was being lost due to data retention limits or because it was deleted by the defendants, Schober was able to obtain clear and convincing evidence connecting his stolen BTC to real people.

Four Bitcoin addresses embedded within the malware sent funds to three different destinations. The first destination, the 1Gqt Bitfinex account, used an e-mail and username associated with Benedict Thompson. A second malware address sent BTC to ShapeShift in exchange for the privacy coin Monero (XMR). Temporal analysis, a Monero EAE attack, and internal records from ShapeShift together showed that a transaction sending malware funds to Thompson’s bitcoin address used the 44nUb return address. The third and final destination, the 3CWQ Bitfinex account, received Schober’s stolen bitcoins, which were converted to Monero and withdrawn to the same 44nUb address used at ShapeShift. This Bitfinex user logged in from a Southampton IP address that was likely on the same subnetwork used by Thompson. Ultimately, every bitcoin transaction sent by the Electrum Atom malware operator went to a destination address that was linked to Benedict Thompson. [Fig. 14] The case is ongoing.

Figure 14. A transaction graph showing the connections between BTC addresses embedded in the Electrum Atom malware, the accounts that received BTC from these addresses, and the owner of these accounts.

Nick Bax’s company, Five I’s LLC, provides expert consulting and witness services on a variety of cryptocurrency-related topics including forensics. E-mail: nick at 5is dot tech

References

  1. Krebs, B. Man Robbed of 16 Bitcoin Sues Young Thieves’ Parents. Krebs on Security. (2021). https://krebsonsecurity.com/2021/08/man-robbed-of-16-bitcoin-sues-young-thieves-parents/
  2. Meskauskas, T. How to prevent financial loss caused through Clipboard Hijacker. PCrisk. (2022). https://www.pcrisk.com/removal-guides/15815-clipboard-hijacker-malware
  3. Cimpanu, C. Malware author made $560,000 just from a simple clipboard hijacker. The Record. (2021). https://therecord.media/malware-author-made-560000-just-from-a-simple-clipboard-hijacker
  4. Schober vs Thompson Complaint. 1:21-cv-01382-NYW. (2021). https://storage.courtlistener.com/recap/gov.uscourts.cod.207081/gov.uscourts.cod.207081.1.0.pdf
  5. Scheck, J. How Dirty Money Disappears Into the Black Hole of Cryptocurrency. WSJ. (2018). https://www.wsj.com/articles/how-dirty-money-disappears-into-the-black-hole-of-cryptocurrency-1538149743
  6. Berman, J. Post-Mortem of Decoy Selection Bugs. The Monero Project. (2021). https://www.getmonero.org/2021/09/20/post-mortem-of-decoy-selection-bugs.html
  7. Yousaf, H. et al. Tracing Transactions Across Cryptocurrency Ledgers. In Proceedings of the USENIX Security Symposium. (2019). https://www.usenix.org/system/files/sec19-yousaf_0.pdf

Nick Bax

Princeton ’12 (Chemistry), Stanford ’21 (Structural Biology PhD), Currently analyzing blockchains