Tracing the WannaCry 2.0 Monero Transactions

Contributors: Nicolas A. Bax, PhD and an unnamed contributor.

MAYC/Getty Images

Leaked slides belonging to Chainalysis recently surfaced. They include the claim that Monero transactions related to the WannaCry 2.0 ransomware were traced as they were converted back to the transparent BTC and BCH blockchains. Here, I demonstrate how the WannaCry 2.0 funds were traceable using publicly-available information.

Wannacry 2.0: funds tracked from BTC to XMR and back to BTC and BCH after 3 months.

To my knowledge, this is the first public example of real-world Monero tracing with ringCT transactions. Examples of real-world Monero tracing were previously published in 2017 by Möser, M., et al [1]. However, the paper focused on Monero transactions prior to the introduction of ring confidential transactions (RingCT) — a technological advance which vastly improved Monero transaction privacy by obfuscating the amount of XMR being transacted.[2] This method utilizes an “Eve-Alice-Eve” (EAE) attack which has been well-described [3], and was facilitated in part by a cryptocurrency exchange which leaked data about incoming and outgoing transactions.

Because of its technical subject matter, the target audience for this article is people who are familiar with how other cryptocurrencies such as Bitcoin are traced.

Translated text from the leaked slides mentions tracing WannaCry 2.0 funds from BTC to XMR and back to Bitcoin Cash (BCH).

The WannaCry Malware

In May 2017, the WannaCry 2.0 ransomware infected hundreds of thousands of computers worldwide causing an estimated hundreds of millions to billions of dollars in damage.[4] The ransomware demanded that the owners of infected computers send Bitcoin to one of three Bitcoin addresses in order to decrypt their files. Preliminary reporting by cybersecurity firms attributed the
malware to the North Korean “Lazarus Group”. Throughout this article, I refer to the threat actors who carried out these transactions as “Lazarus”.

Many are familiar with the WannaCry malware, not just because of the scale of the attack, but also because of the story of a British malware researcher, Marcus Hutchins, who was able to stop the attack by registering a sinkhole which functioned as a killswitch. Later on, he was arrested by the FBI and charged in a case that baffled many observers before eventually pleading guilty and being sentenced to time served and one year of supervised release. [5] People who follow cyber crimes also still occasionally debate whether WannaCry 2.0 was released deliberately, or whether it managed to escape during development as worms are apt to do.

Tracing WannaCry’s Bitcoin to Monero

The WannaCry malware first appeared in the wild in May 2017 and extorted about 52 BTC in ransoms in the first 2 and ½ months following its release. On August 3rd, 2017, the BTC began moving through numerous different bitcoin addresses. In September 2017, Neutrino (later acquired by Coinbase) published an article describing how Neutrino used their “P-Flow capabilities” to trace WannaCry’s BTC as it was converted to Monero a month earlier on August 3rd, 2017. [5] This form of cryptocurrency obfuscation is known in the industry as “chain hopping”, whereby someone tries to obfuscate the source or destination of cryptocurrency tokens by converting them to a privacy-focused cryptocurrency (almost always Monero). [6] Some of the BTC→XMR conversion was done via the cryptocurrency exchange ShapeShift, which at the time did not require users to provide an e-mail or any other personal information (although it appears ShapeShift also logged IP address and User-Agent data). [7]

Using the data from Neutrino’s article, as well as ShapeShift’s API, I was able to obtain a list of all of the WannaCry 2.0 BTC deposits and the corresponding outgoing XMR transactions. Repeating the BTC portion of this analysis is “left as an exercise for the reader”.

How to trace the WannaCry 2.0 Monero

Step 1: Flag outputs to trace

At this stage in the analysis, we have a list of Monero transactions which were sent by ShapeShift to the entity that deposited the WannaCry BTC, Lazarus.

Screenshot of part of the wannashift.json file provided on github which shows the amount of XMR sent from ShapeShift as well as the outgoing transaction ID.

Let’s take a closer look at the first outgoing ShapeShift XMR transaction in the xmrchain.info screenshot below. Similar to Bitcoin, Monero uses a UTXO model. Each transaction uses unspent transaction outputs (UTXOs) as inputs and sends outputs. There is no convention on how to refer to the outputs of Monero transactions. I refer to these as ‘TXOs’ when they are used as a noun, and as ‘output’ when used as a verb.

Unlike Bitcoin’s transparent blockchain, where it is trivial to see the public address that is receiving funds, it is impossible to positively identify the receiving address of a Monero transaction using only publicly-available blockchain data. It is, however, possible to glean some useful information. In this case I focus primarily on the integer identifiers of the TXO. As seen in the figure below, we know that the transaction has 3 TXOs: [1823678, 1823679, 1823680]. Just like in most Bitcoin transactions, most XMR transactions send out 2 or more TXOs. One of these TXOs is usually a “change output (TXO)” which goes back to the transaction sender. The other TXO(s) goes to the recipient — Lazarus in this case.*

[Unlike with Bitcoin] it is impossible to positively identify the receiving address of a Monero transaction using only publicly-available blockchain data.

One of the transactions sent from ShapeShift to the Lazarus group after converting stolen BTC to XMR. At this point, we know that the XMR sent to the outputs in the magenta square are controlled by either ShapeShift (change TXOs) or Lazarus.

I collected the TXOs for all of the transactions from ShapeShift (Table 1). Again, the Monero represented by these TXOs is controlled by either ShapeShift or Lazarus.

Outgoing XMR transactions from ShapeShift. At this point, we believe that at least 1 TXO from each transaction in the ‘Outputs’ column went to Lazarus and 1 TXO went to ShapeShift as a change TXO. In most cases, there is a 3rd TXO which could have gone to either Lazarus or ShapeShift (we later learn that it always went Lazarus).

Step 2: Identify transactions which spend flagged TXOs

Unlike Bitcoin transactions, Monero RingCT transactions generate a “ring signature” that hides the real transaction input being spent amongst several false “decoy” inputs, any one of which should plausibly be the “real” TXO being spent. The number of decoys included in a transaction, in addition to the real input, is called the “ring size” and at the time that these transactions were occurring, the sender of a transaction could select the ring size (it was later hard-coded to 11, that is, 10 decoys and 1 real TXO). The figure below shows parts of a screenshot of a transaction on xmrchain.info. It is impossible to spend a TXO without including it in a ring, and one of the ring members in each ring is necessarily controlled by the sender of a transaction. The other ring members are decoys. The screenshot shows the “stealth address” of each TXO — however, these TXOs also have a corresponding integer identifier or “index” (Table 1).

Screenshot of a transaction which is spending a total of 7 inputs. The first two inputs and their rings are shown. Each input has a separate “ring” consisting of 1 TXO being spent, and 4 decoys. One of the ring members is necessarily the real TXO being spent. Ostensibly, each ring member has a similar probability of being the real TXO being used as an input.

The next step in this analysis is to identify transactions which are spending the TXOs that we have flagged as belonging to either ShapeShift or Lazarus. To do this, I made a database of every RingCT TXO in the Monero blockchain and every transaction/ring which includes the TXO as a ring member. A simplified version of this database has the format: TXO,[List of TXIDs].

Then, I simply searched for every transaction which included flagged TXOs as ring members. A sample list of some of these transactions is included below:

Transactions in bold spent 2 or more TXOs flagged from the Lazarus BTC →ShapeShift →XMR transactions. The bolded TXID beginning with ‘9e0476’ is an example of a false positive (see endnotes).

My code identified 4 transactions which included more than 1 flagged TXO in their rings. Three of these transactions occurred around the same time on August 17th — about two weeks after the BTC →ShapeShift →XMR transactions on 8/3/17. This analysis utilizes a variation of the previously-described “output merging heuristic”.[9] These transactions could be ShapeShift consolidating TXOs, they could be Lazarus spending flagged TXOs, or they could be completely unrelated and purely coincidental.† In fact, one of the 4 transactions identified was likely an off-target hit.‡ The three positive hits are shown in table 2. One of the positive hits spent 2 flagged TXOs as well as two inputs that we did not have flagged. The second transaction spent 5 flagged TXOs and two unflagged TXOs. The unknown TXOs may have come from the exchange Changelly, which the Lazarus actors used in addition to ShapeShift. Unlike ShapeShift, Changelly’s API does not make it easy to get the outgoing transactions although it is plausible that law enforcement is in possession of these TXIDs.

3 transactions which spent multiple flagged outputs known to be associated with Lazarus’ ShapeShift transactions, as well as the outputs (TXOs) of these transactions.

The exact statistics used to determine whether a transaction is really spending flagged TXOs or simply an off-target hit are “beyond the scope of this article” and unnecessary in this case. Here is an example “napkin math” on the odds of these transactions being included randomly:

Decoys are selected from a pool of well over 100,000 outputs. The odds of a specific Lazarus output being selected as a decoy is at most 1 in 100,000. We are monitoring 23 outputs to see if they are spent so the odds of one of these outputs being selected is at most 23 in 100,000. Each ring has 5 members, so 5 chances to include a Lazarus output (5*23)/100,000 or 0.00115. The odds
of 7 outputs being selected as a decoy in the same transaction is roughly 0.00115^7 or, which is 2.6 × 10^–21 or 0.00000000000000000026%.

In short, while this is a “probabilistic” analysis, the probability of 7 flagged TXOs randomly being selected as decoys in a transaction with only 7 inputs is astronomically small.

I call the transactions in table 2 “consolidation transactions”, as they consolidated all of the ShapeShift TXOs into what may have been a new wallet. This may also have been an ill-fated attempt at “churning”. The consolidation transactions are notable in that they have more than 2 TXOs; at the time that these transactions occurred, two of the most popular wallets in use, Monero GUI Wallet and Cake Wallet, only generated transactions with exactly 2 TXOs (1 change TXO, and 1 TXO going to the recipient of a transaction, they now allow for up to 15 recipients). Because the consolidation transactions have more than 2 TXOs, they were likely made using the command line wallet “Monero Wallet CLI”, which is not accessible to novice users.

3. We identified some transactions associated with Lazarus, now what?

I am unsure as to why the Lazarus consolidation transactions outputted 4 or 8 TXOs as opposed to the default of 2. This does make tracing the funds considerably easier because we now have 20 TXOs associated with Lazarus — as opposed to just 6 if they had made 3 churn transactions with 2 TXOs each. As in the previous step, I searched the blockchain for transactions which include flagged TXOs from the consolidation transactions.

I looked at transactions spending flagged TXOs and noticed a cluster of transactions which occurred all around the same time on November 2nd, 2017 — about 3 months after the initial BTC→ShapeShift→XMR transactions.

Earlier, I promised the reader an EAE attack — the first “Eve” move was getting the outgoing TXIDs from ShapeShift. Then we identified Lazarus’ (Alice’s) consolidation transactions. Now it is time for the second “Eve” trick:

ShapeShift’s API does not require authentication and allows anybody to query the status of a deposit to ShapeShift simply by providing the unique deposit address created for a ShapeShift user. (See endnote §: ShapeShift has fixed the data leak as a result of this article.) Some readers may now be thinking, “wait a minute, didn’t you say it’s impossible to identify Monero’s stealth deposit addresses using blockchain data?” The answer to that question is “yes”. However, until November 2019, ShapeShift’s API did not use Monero addresses for their API. Instead, they used the now-deprecated 32-byte payment IDs. These payment IDs are transparent and easily obtainable from the blockchain. This means that all XMR deposits to ShapeShift which used a 32-byte payment ID, and their associated withdrawal transaction to a transparent blockchain, were easily obtainable and this information should be considered exposed. §

An example of one such XMR deposit transaction and API request are shown below with the payment ID highlighted. If queried in ShapeShift’s API, it shows that the sender (Lazarus in this example) deposited 60 XMR at ShapeShift and withdrew about 8.55 BCH to the address 13tz3oD75Y4jcGds6rPJawnxHjXduTmpap.

Example of a ShapeShift API query for one of Lazarus’ XMR deposits shows that 60 XMR was deposited and 8.5513396 BCH was withdrawn to 13tz3oD75Y4jcGds6rPJawnxHjXduTmpap. The ‘address’ field (yellow) is actually a payment ID and not the deposit address.

If you click the the ring member being spent on xmrchain.info, it will take you to the consolidation transaction which produced that TXO. Unfortunately, xmrchain.info currently only shows the stealth address associated with a TXO, and not the human-readable integer identifier.

A transaction on the Monero blockchain in which Lazarus sent 60 XMR to ShapeShift in exchange for BCH. The real input (an output of one of the consolidation transactions) is highlighted in red. The payment ID is highlighted in yellow. Clicking the hash of the ring member will take a user to the transaction which outputted the TXO.

In total, I was able to find 9 deposits which spent XMR from the consolidation transactions, sending a total of 536 XMR to ShapeShift in exchange for 78.39291766 BCH to the same address. These 9 transactions are the only 9 received by that BCH address. The XMR transactions also formed a “peeling chain” on the Monero blockchain, where transactions spent some change TXOs from earlier XMR →ShapeShift →BCH transactions. A table showing all of the XMR →ShapeShift →BCH transactions, as well a graph showing all of the transactions described here are provided below.

Table showing all of Lazarus’ XMR→ShapeShift→BCH transactions
A transaction graph showing Lazarus’ Monero transactions. Large dots are transactions. Small dots represent TXOs for the transactions they’re connected to. TXOs are also connected to the transactions which used spent them as inputs. [Top] Blue transactions show all of the XMR outputs received by Lazarus from ShapeShift. Most TXOs went to Lazarus but each transaction had at least 1 TXO that is presumed to be a change TXO. The three consolidation transactions (pink) spent 14 TXOs known to come from ShapeShift. The three consolidation generated 20 TXOs. Many of the TXOs were spent by 3 peeling chains (purple, red, yellow) consisting of 2–4 transactions all of which sent 60 XMR to ShapeShift in exchange for BCH, except for two which sent 58 XMR.

Summary and Conclusions

On August 3rd, 2017, Lazarus converted BTC to 820.79942522 XMR via ShapeShift and an unknown amount of Monero coin (XMR) via Changelly (another no-email instance exchange platform). Lazarus consolidated XMR received from Shapeshift in three transactions on August 17th, 2017, around 06:20 UTC. Then, on Nov. 2, 2017, Lazarus converted 536 XMR to BCH using ShapeShift.io via 9 transactions.

This tracing was carried out using code developed in-house that made Monero Daemon RPC calls, and supplemented with data from xmrchain.info, and ShapeShift’s API.

Several factors made the tracing in this example particularly easy. First, ShapeShift limited the amount of currency that could be converted in a single transaction, meaning Lazarus had to make multiple BTC→ShapeShift→XMR transactions. This produced more flaggable TXOs and made identifying the consolidation transactions easier. Second, Lazarus’ consolidation transactions had more than the default 2 outputs which again created more flaggable TXOs. Third, Lazarus sent all of their XMR to the same BCH address which gives us additional confidence in the assessment that all of the XMR→ShapeShift→BCH transactions are connected and were carried out by Lazarus.

In 2019, Monero deprecated the transparent 32-byte payment IDs which made this analysis possible. Today, Monero uses encrypted payment IDs or subaddresses which cannot be used to identify deposit addresses. Additionally, Monero has forced all transactions to use exactly 10 decoys, which lowers the certainty obtained by these methods when compared to a transaction with just 4 decoys.

Cake Wallet and Monero GUI Wallet both now allow non-technical users to send out multiple TXOs in the same transaction so it is no longer possible to fingerprint Monero Wallet CLI or custom wallet software based on the number of TXOs.

Nevertheless, this example shows that “probabilistic” analysis can lead to very high certainties in Monero tracing. It shows that even state-sponsored actors can be traced if improperly using Monero. While most exchanges do not readily provide information about all of their Monero deposits and withdrawals, this example serves to demonstrate that Monero tracing is sometimes feasible when exchange-level data is leaked, stolen or obtained through legal means.

The information from this leak can also potentially be used alongside other Monero attacks, such as the recently-described flood attack [10], to increase the reliability of EAE attacks.

The tracing information provided here is incomplete and simply serves to demonstrate how such an EAE attack can be carried out.

As of February 2021, the United States DOJ has indicted 3 North Korean hackers for their involvement in the WannaCry attacks. [11]

Endnotes

Another person made authorship-level contributions to this research but is currently unnamed for good reasons. Authorship may be updated in the future.

Some additional data is provided at https://github.com/nickbax/wannacry_monero_tracing. This may be updated in the future.

*ShapeShift is slightly unusual in that it sometimes sent transactions with 3 outputs and other times just 2.

†There are a few other unusual edge cases but I don’t think any of them is the case in this example.

https://xmrchain.info/tx/9e0476aa390a8d91668d28aa27bcf7da721c73a07529f56ae49381af6d940a1e is a transaction with 14 inputs and an absurdly large ring size of 220, meaning there are 3,066 decoys selected, increasing the odds of randomly selecting 2 flagged TXOs as decoys.

§ Some people consider this to be a data breach so I responsibly disclosed it to ShapeShift through their bug bounty program. It was fixed on 9/24/2021 as a result of my disclosure. I estimate that approximately 100,000 XMR deposits and an additional 250,000 XMR withdrawals were affected. The API still leaks a small amount of information about whether a deposit went to ShapeShift, but leaks no information about the amount or outgoing address.

The “meat” of my disclosure was as follows:

Vulnerability: The ShapeShift API documentation states that the “Status of deposit to address” is available at http://shapeshift.io/txstat/[address]

However, in the case of Monero transactions between approximately April 2015 to November 2019, the ShapeShift API does not use the deposit address but instead uses a transparent 32 byte payment ID which can be scraped from the blockchain. I have spoken to numerous Monero users and experts who did not realize that ShapeShift used payment IDs as opposed to stealth addresses* for the API. This means that users believed only they could see the status of their XMR deposits to ShapeShift (because Monero stealth addresses cannot be publicly determined) and may be surprised to see that their transactions can be traced by someone using an EAE attack.

*I erroneously used the term “stealth address” instead of the term “subaddress” in this disclosure.

Acknowledgements

Thank you to my friends and all of the members of the Stanford and Monero communities who assisted me by reviewing this manuscript.

References

  1. Möser, M., et al. An Empirical Analysis of Traceability in the Monero Blockchain. PPET. (2017). https://arxiv.org/pdf/1704.04299/
  2. Ehrenhofer, J., Response to “An Empirical Analysis of Traceability in the Monero Blockchain”, Version 2. Monero Research Labs. (2018). https://www.getmonero.org/2018/03/29/response-to-an-empirical-analysis-of-traceability.html
  3. Ehrenhofer, J., Noether, S. 09: Poisoned Outputs (EAE Attack). Breaking Monero. (2019). https://www.monerooutreach.org/breaking-monero/poisoned-outputs.html
  4. Berr, J. “WannaCry” ransomware attack losses could reach $4 billion. MoneyWatch. (2017). https://www.cbsnews.com/news/wannacry-ransomware-attacks-wannacry-virus-losses/
  5. Greenberg, A. The Confessions of Marcus Hutchins, the Hacker Who Saved the Internet. Wired. (2020). https://www.wired.com/story/confessions-marcus-hutchins-hacker-who-saved-the-internet/
  6. Neutrino Research Team. WannaShift to Monero. (2017). https://www.neutrino.nu/Research_WannaShift_to_Monero.html
  7. Advanced Obfuscation Techniques: Mixing, CoinJoins, Chain Hopping, and Privacy Coins. Chainalysis. (2020). https://go.chainalysis.com/advanced-obfuscation-techniques-webinar-recording.html
  8. https://www.justice.gov/opa/press-release/file/1092091/download (pdf page 114.)
  9. Hinteregger, A. Haselhofer, B., An Empirical Analysis of Monero Cross-Chain Traceability. International Conference on Financial Cryptography and Data Security. (2019). https://arxiv.org/pdf/1812.02808.pdf
  10. Krawiec-Thayer, M.P., et al. Fingerprinting a flood: forensic statistical analysis of the mid-2021 Monero transaction volume anomaly. Medium. (2021). https://mitchellpkt.medium.com/fingerprinting-a-flood-forensic-statistical-analysis-of-the-mid-2021-monero-transaction-volume-a19cbf41ce60
  11. https://www.justice.gov/opa/pr/three-north-korean-military-hackers-indicted-wide-ranging-scheme-commit-cyberattacks-and

Financial Disclosures: Nick Bax holds BTC, XMR and other cryptocurrencies. Nick Bax’s company, Five I’s LLC, provides consulting services on a variety of cryptocurrency-related topics including forensics.

Princeton ’12 (Chemistry), Stanford ’21 (Structural Biology PhD), Currently analyzing blockchains

Princeton ’12 (Chemistry), Stanford ’21 (Structural Biology PhD), Currently analyzing blockchains