Counter Terrorism Use Cases for Cryptocurrency: Tracking Ransomware Payments Through Crypto

Bilic | AI-Driven agents (bilic-io)
7 min read · Apr 9, 2022

Introduction

The arrival of cryptocurrency on the digital payments scene was an instant hit with cybercriminals and underground criminal consortiums because of two properties of the technology. First, transfers settle quickly and without permission: huge sums can move without any special authorization from a centralized authority of the kind the traditional banking system requires. Second, cryptocurrencies offer users pseudonymity: an address is not tied to a name by default.

Because nothing on-chain ties an identity to a wallet, it was long assumed to be almost impossible to link wallets to people. This made it possible for users to receive payments for illegal purposes and funnel dirty money back into circulation after rerouting it through long chains of intermediate wallets and services.

The speed, pseudonymity, and discreet workings of cryptocurrencies made them the payment method of choice for ransomware operators. Chainalysis reported that identifiable cryptocurrency ransomware payments totaled about $350 million in 2020, a rise of more than 300% over 2019. Even that is a conservative estimate. The true amount is likely far higher, because companies in the US are in general only required by law to report cyber and ransomware attacks when customers’ personal information is compromised, so many payments never surface in any dataset.

However, even as criminal syndicates lean on cryptocurrencies to keep their identities under the radar, authorities have become increasingly proficient at monitoring, tracing, and recovering funds moved through crypto. The days when cryptocurrencies were regarded as the perfect clean currency for dirty transactions are coming to an end.

This article examines two prominent ransomware campaigns, how the attackers received cryptocurrency for their activities, and how paid funds were recovered. It closes with the steps Bilic uses to track ransomware payments through crypto.

The Monkey Wrench

Kaseya

The Kaseya attack of 2021 was unusual, for reasons set out below. On 2 July 2021, Kaseya, a vendor of IT management and security software used by managed service providers, announced that its VSA remote-management product had been compromised. Because VSA holds privileged access to clients’ systems and data, the compromise of Kaseya’s software immediately disrupted the operations of its client companies and their own customers.

The attack is recorded as affecting over 1,500 organizations in several countries. REvil, a criminal syndicate, claimed responsibility and demanded a ransom of $70 million for a universal decryptor. Kaseya refused to pay and, working with the FBI and the US Cybersecurity and Infrastructure Security Agency (CISA), later obtained a universal decryptor key with which its systems and those of its clients were released from the attackers’ hold.

The importance of this event is twofold. First, it became a prominent example of an organization refusing to pay in the face of a large-scale ransomware attack; second, it accelerated the development of crypto tracking and forensics infrastructure and the pursuit of ransomware operators by law enforcement and private researchers.

The Colonial Pipeline

In 2021, the crypto world came to terms with the fact that cryptocurrencies, for all their famed anonymity, are neither untraceable nor irrecoverable. The turning point was the FBI’s recovery, announced in June 2021, of most of the ransom Colonial Pipeline had paid in May 2021, achieved in collaboration with private-sector forensic experts and the Department of Justice.

In May 2021, Colonial Pipeline, a US company whose pipeline carries refined fuel to much of the eastern United States, had its IT systems hit by ransomware. The DarkSide ransomware-as-a-service (RaaS) operation was responsible. Fearing that more of its systems were at risk, and wanting to end the attack quickly because the shutdown had already pushed up fuel prices, Colonial Pipeline decided to pay the ransom.

Colonial Pipeline therefore paid about 75 bitcoin, worth roughly $4.4 million at the time, to prevent a prolonged shutdown of critical operations. Because the blockchain is an immutable public ledger that records every transaction for validation by every node on the network, the FBI could start from the ransom payment transaction and follow the coins as they moved from one wallet to another.

In the process, the FBI followed 63.7 BTC, then worth about $2.3 million, to a specific wallet and seized it after obtaining the wallet’s private key. The remaining 11.2 BTC were traced to an address linked to the DarkSide developers, as their share of the ransom for the ransomware service that made the takeover of Colonial Pipeline’s systems possible. Those 11.2 BTC were never recovered.

It remains publicly unknown how the FBI obtained the private key to the wallet that held the recovered coins. It was, however, clear that cooperation with skilled private-sector experts was instrumental in the recovery.

In the words of Maddie Kennedy, senior director of communications at New York-based Chainalysis: “We can’t speak to the Colonial investigation specifically, but we can generally say that the key to tackling ransomware is disrupting the ransomware supply chain, including identifying authors and developers, affiliates, infrastructure services providers, launderers, and cash-out points.”

How we do it at Bilic: Follow The Money (FTM)

Crypto forensics is expanding, no doubt. The potential is huge, because the crypto space has been riddled with criminal elements who continue to dent the prospects of full global acceptance of the technology. At the heart of crypto forensics is data, and the ability to trail suspected transactions clearly from their point of origin to their destination wallets.

Bilic builds on these essentials in its Follow The Money design, which has three components:

· Transaction explorer

· Funds tracker

· Wallet identifier

The Transaction Explorer is the tool for investigating transactions on the blockchain. It gives the FTM system access to the details of each transaction: the amount, the origin and destination addresses, and any intermediate wallet addresses. The transaction explorer phase sorts and sifts transactions to create related clusters.

The funds tracker works on the data the transaction explorer provides. It follows the money trail through the clusters of addresses identified in the first stage and through their connection to the wallet of focus. Its goal is to follow the movement of the money regardless of the rerouting and round-tripping the threat actors employ to hide the trail.

Finally, the third component of Bilic’s Follow The Money design is the wallet identifier, which tries to put humans behind wallet addresses. It uses the data at its disposal to uncover the identities of the threat actors behind the addresses and the movement of funds. This is typically achieved through KYC records attached to exchange-hosted wallets or through other unique identifiers.

In the diagram, the green lines show outflows of funds from the wallet of focus, while the red arrows show inflows into it. From the ratio of inflows to outflows, the system can tell whether the threat actors are hiding their trail by round-tripping the funds or by splitting them into several chunks. Each line carries its own set of information, such as the amount transferred or received, the sender or receiver as the case may be, the time of the transaction, and the transaction fee, and can be clicked to view the details behind it. The green node in the middle is the wallet of focus; the funds received and sent that the transaction explorer surfaces form a cluster of wallet addresses connected to the wallet of focus, which is what the tracker follows.

With the data from the clusters of connected addresses, Bilic’s funds tracker can identify the movement of funds through different exchanges and wallet addresses and follow the money trail from the originating account or accounts to the destination accounts. Finally, the identity of the actors can be uncovered, together with a summary report of the funds they hold in their wallets.
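To make the three stages above concrete, here is a small worked example of a transaction-explorer, funds-tracker and wallet-identifier pass over a constructed UTXO-style transaction set. It is an added illustration, not Bilic’s code and not a description of how the FTM engine works internally. The clustering step uses the common-input-ownership heuristic (addresses spent together as inputs of one transaction are assumed to share an owner); that heuristic is this example’s assumption. The transaction set is made up, loosely shaped like the 75-coin ransom split described above (a ransom address paying an affiliate share and a developer share, with a small round trip back to an earlier address), and the “known address” label stands in for a KYC record held by an exchange.

```python
"""Toy 'Follow The Money' walk over a constructed UTXO-style transaction set.

Added example, not Bilic's code. The three steps mirror the design above:
  1. cluster_addresses  - transaction explorer: group addresses into clusters
  2. trace              - funds tracker: follow outflows hop by hop
  3. KNOWN_ADDRESSES    - wallet identifier: stop at addresses with a known owner
Clustering uses the common-input-ownership heuristic (inputs spent together are
assumed to share an owner); that is this example's assumption, not a statement
about Bilic's engine. Every txid, address and label below is made up.
"""
from collections import defaultdict

# Constructed sample: each tx spends (address, amount) inputs and creates
# (address, amount) outputs; the gap between the two is the fee.
TXS = [
    {"txid": "t1", "inputs": [("victim-a", 40.0), ("victim-b", 35.05)],
     "outputs": [("ransom", 75.0)]},
    {"txid": "t2", "inputs": [("ransom", 75.0)],
     "outputs": [("affiliate-1", 63.7), ("developer", 11.25)]},
    {"txid": "t3", "inputs": [("affiliate-1", 63.7)],
     "outputs": [("affiliate-2", 30.0), ("affiliate-3", 33.65)]},
    {"txid": "t4", "inputs": [("affiliate-2", 30.0), ("affiliate-3", 33.65)],
     "outputs": [("exchange-dep", 60.0), ("affiliate-1", 3.6)]},  # 3.6 round-trips back
    {"txid": "t5", "inputs": [("developer", 11.25)],
     "outputs": [("dev-cold", 11.2)]},
]

# Wallet-identifier data: addresses whose owner is already known, e.g. an exchange
# deposit address with a KYC record behind it. Constructed label.
KNOWN_ADDRESSES = {"exchange-dep": "Exchange X deposit address (KYC on file)"}


def cluster_addresses(txs):
    """Transaction-explorer step: union-find over addresses co-spent as inputs
    of one tx (common-input-ownership heuristic). Returns addr -> frozenset."""
    parent = {}

    def find(a):
        parent.setdefault(a, a)
        while parent[a] != a:
            parent[a] = parent[parent[a]]  # path halving
            a = parent[a]
        return a

    for tx in txs:
        roots = {find(a) for a, _ in tx["inputs"]}
        if roots:
            first = roots.pop()
            for r in roots:
                parent[r] = first
        for a, _ in tx["outputs"]:
            find(a)  # register outputs so addresses that never spend still get a cluster
    members = defaultdict(set)
    for a in parent:
        members[find(a)].add(a)
    return {a: frozenset(members[find(a)]) for a in parent}


def inflow_outflow(txs, clusters, focus):
    """Coins received by vs. sent from the focus address's whole cluster."""
    cluster = clusters[focus]
    inflow = sum(amt for tx in txs for a, amt in tx["outputs"] if a in cluster)
    outflow = sum(amt for tx in txs for a, amt in tx["inputs"] if a in cluster)
    return round(inflow, 8), round(outflow, 8)


def trace(txs, clusters, focus, known, max_hops=8):
    """Funds-tracker step: breadth-first walk of outflows from the focus cluster.
    Stops at identified addresses, flags splits (multi-output spends) and
    round-trips (coins returning to a cluster already on the path), and lists
    where unidentified coins were still sitting when the walk ended."""
    spends_from, received, spent = defaultdict(list), defaultdict(float), defaultdict(float)
    for tx in txs:
        for a, amt in tx["inputs"]:
            spends_from[a].append(tx)
            spent[a] += amt
        for a, amt in tx["outputs"]:
            received[a] += amt
    report = {"identified": {}, "round_trips": [], "splits": [], "unspent": {}}
    visited_clusters, seen_tx, done = {clusters[focus]}, set(), set()
    frontier = [(focus, 0)]
    while frontier:
        addr, hops = frontier.pop(0)
        if addr in done:
            continue
        done.add(addr)
        if addr in known:  # wallet-identifier hit: custody changes hands here, stop following
            report["identified"][addr] = {"label": known[addr],
                                          "amount": round(received[addr], 8), "hops": hops}
            continue
        balance = round(received[addr] - spent[addr], 8)
        if balance > 0:
            report["unspent"][addr] = balance
        if hops == max_hops:
            continue
        for tx in spends_from[addr]:
            if tx["txid"] in seen_tx:
                continue
            seen_tx.add(tx["txid"])
            if len(tx["outputs"]) > 1:
                report["splits"].append(tx["txid"])
            new_clusters = set()
            for out_addr, amt in tx["outputs"]:
                if clusters[out_addr] == clusters[addr]:
                    continue  # change back to the spender's own cluster, not a hop
                if clusters[out_addr] in visited_clusters:
                    report["round_trips"].append((tx["txid"], out_addr, amt))
                else:
                    new_clusters.add(clusters[out_addr])
                    frontier.append((out_addr, hops + 1))
            visited_clusters |= new_clusters
    return report


def follow_the_money(txs, focus, known):
    """Run all three steps and return one report for the wallet of focus."""
    clusters = cluster_addresses(txs)
    inflow, outflow = inflow_outflow(txs, clusters, focus)
    report = trace(txs, clusters, focus, known)
    report.update({"focus_cluster": sorted(clusters[focus]), "inflow": inflow, "outflow": outflow})
    return report


if __name__ == "__main__":
    import json
    print(json.dumps(follow_the_money(TXS, "ransom", KNOWN_ADDRESSES), indent=2))
```

Run against the sample, the walk from the ransom address reports 60 coins landing at the identified exchange deposit address three hops out, the 3.6 coins that round-tripped back to the first affiliate address, the 11.2 coins parked unspent at the developer’s cold address, and three splitting transactions on the way. The inflow and outflow totals for the focus cluster are equal here; a cluster whose inflow stays well above its outflow is holding funds, while a cluster with many small outflows that partially return is the splitting-and-round-tripping pattern the diagram discussion describes. A real tracer would add a change-output heuristic and exchange attribution data; the common-input heuristic alone mis-clusters CoinJoin-style transactions, so its output is a lead, not proof.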

Endnotes

Crypto forensics starts and ends with data. Gathering the right data, sifting and analyzing it, and following it makes it possible to follow crypto money trails to their destination. Bilic’s Follow The Money design makes this the strategic foundation of its forensic process. It is important to note, however, that as crypto forensics grows in infrastructure and results, threat actors also adopt new strategies and designs to evade capture. That notwithstanding, the blockchain’s immutability is a huge advantage, and combined with tooling such as Bilic’s Follow The Money, it leaves criminal syndicates little room to feel safe in the crypto space.

Website: https://www.bilic.io/

Join the Community on Discord: https://discord.gg/Pc6EJCMSWk

Official Twitter: https://twitter.com/spectralhash

Platform Demo: https://ftm.bilic.io/dashboard

Link Tree: https://t.co/roxplzk1Zh

Relevant Links: https://www.chainalysis.com/

https://www.reuters.com/technology/kaseya-ransomware-attack-sets-off-race-hack-service-providers-researchers-2021-08-03/

https://www.nytimes.com/2021/06/09/technology/bitcoin-untraceable-pipeline-ransomware.html

Building AI-Driven agents for finance security and compliance.