Development of a Tracker Solution for Cryptocurrencies — It all happened when I was tracking down an Ethereum thief!

Sentinel Protocol Team
Published in Sentinel Protocol, Jun 5, 2019

Interview with Patrick Kim, CEO, and Founder of Uppsala Security (Sentinel Protocol) by Park, Geun-Mo, Coindesk Korea reporter.

This is an English translation of the original article published in Coindesk Korea, which can be found here: https://www.coindeskkorea.com/tracingstolenetherendsinsolution/

Cisco, Palo Alto Networks, Fortinet, F5 Networks, and Darktrace… the world’s leading network security companies everyone is familiar with. What should I do to work for these firms? The general answer is that you need to study very hard in high school, go to a prestigious university, study hard, learn English, major in computer engineering, get a degree, and acquire related IT certifications.

Well, this is not the case for Patrick. He is a high school graduate who studied on his own. He worked as an architectural engineer at Cisco’s Singapore branch and has since worked at various global security companies, spending a decade as a security expert outside of South Korea. This is the story of Patrick Kim, CEO and Founder of Uppsala Security, who established Sentinel Protocol, a blockchain-based security platform. Before founding Uppsala Security last year, Patrick Kim worked abroad as a security expert for 11 years, starting at Cisco in 2007.

Patrick Kim, CEO of Uppsala Security. Interviewed by Park Geun-Mo

Unlike other articles, this one does not open with a modifier such as “the world’s best security expert”; that is not how Patrick presents himself. “I got my cryptocurrency wallet hacked, and I call myself a security expert! Gosh!” That was when Patrick realized the need for a professional security company in the blockchain field. He dived straight in.

Patrick Kim, whom I met at the Uppsala Security office in Samseong-dong, Gangnam-gu, Seoul on March 13, was compassionate and full of determination. Upon his first look at me, Patrick said: “Let me tell you the goal of Uppsala Security.” And then…!

“SAVE THE WORLD.”

That was what he suggested, which stunned me. What is this? The Avengers? Why?

Patrick Kim said a bit shyly, but with confidence: “I have been working as a security expert for over a decade outside of South Korea. As I was looking into the latest IT tech, I ran into the world of blockchain around November 2012. I mined Bitcoin and Ethereum. I also traded on numerous exchanges. Then it happened. I, a security expert, was hacked! I lost 7,218 ether in May 2016. The hacker went after the little known vulnerability within Ethereum. I informed the Ethereum Foundation, but I was ignored. I was told to disregard it as a minor issue. The birth of Uppsala Security was because I did not want this to happen to others who use blockchain and cryptocurrencies.”

Patrick Kim’s website — Security 7218, focused on analyzing the cause of his hack.

The process was not simple. Patrick Kim created a website called ‘Security 7218’, named after the amount of tokens he lost. Security 7218 found two security vulnerabilities in Ethereum, explained in great detail through articles and even a demonstration video. Still, he got no help from the Ethereum Foundation, nor did he manage to recover his lost ETH.

From then on, he decided to pursue the hackers — resulting in the development of the Crypto Analysis Transaction Visualization (CATV) tool, a cryptocurrency tracker solution that supports ERC20 and ETH. This is an independent technology created by Sentinel Protocol.

“Back then, I used an Ethereum explorer called ‘etherscan’ to track the paths of cryptocurrencies. Nonetheless, the hacker repeatedly split and merged the cryptocurrencies using numerous wallets to keep them from getting tracked. This is what we call ‘mixing with tumblers’. After snatching my ETH, the hacker split and merged the ether more than 1,000 times. Eventually, parts of the stolen ether were confirmed to have been liquidated in a foreign exchange. I sent a protest against it, but of course, I wasn’t compensated.”

Patrick Kim tracking his stolen Ethereum using CATV, by Sentinel Protocol

After leaving Patrick’s wallet, the ETH was ‘mixed and tumbled’ 1,177 times over two years and three months (from May 12, 2016, to August 28, 2018). The stolen ether entered wallets owned by exchanges, namely Poloniex, Bittrex, BTC-e, Quadriga, and ShapeShift. Once deposited there, however, there was absolutely no way to find out whether it was liquidated or hidden somewhere else.

Manually tracking on etherscan was such a toil! Feeling the pain, he focused on developing a tracker solution, and this is how CATV was born. With this system, a single wallet address is all it takes to visualize every link connected to that wallet.
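The split-and-merge tracing that CATV automates can be sketched as a walk over the transfer graph. The Python below is an added example written for this article, not Sentinel Protocol’s code; the transfers, hop addresses and exchange labels are constructed, and the walk follows outgoing transfers from a seed address until the funds reach a labelled exchange wallet.

```python
from collections import deque

# Constructed sample transfers, not real chain data: (tx_id, from, to, amount_eth).
# The path splits at h1, merges again at h4, and finally lands in two exchange wallets.
TRANSFERS = [
    ("tx1", "victim", "h1", 7218.0),
    ("tx2", "h1", "h2", 3000.0),          # split
    ("tx3", "h1", "h3", 4218.0),
    ("tx4", "h2", "h4", 3000.0),          # merge
    ("tx5", "h3", "h4", 4218.0),
    ("tx6", "h4", "exchA_hot", 5000.0),   # first cash-out
    ("tx7", "h4", "h5", 2218.0),
    ("tx8", "h5", "exchB_hot", 2218.0),   # second cash-out
    ("tx9", "other", "exchA_hot", 10.0),  # unrelated inflow; must not be traced
]

# Hypothetical exchange-wallet labels, standing in for the identified
# exchange addresses the article describes.
EXCHANGE_LABELS = {"exchA_hot": "Exchange A", "exchB_hot": "Exchange B"}


def trace(transfers, seed, labels, max_hops=2000):
    """Breadth-first walk of outgoing transfers from `seed`.

    Stops at labelled exchange wallets, where funds leave the traceable
    on-chain graph. Returns the longest hop distance reached, the traversed
    transfers, and the total amount that entered each exchange wallet.
    """
    outgoing = {}
    for tx, src, dst, amount in transfers:
        outgoing.setdefault(src, []).append((tx, dst, amount))

    hops = {seed: 0}            # address -> BFS distance from the seed
    exits = {}                  # exchange wallet -> ETH that arrived there
    edges = []                  # (tx, src, dst, amount) in traversal order
    queue = deque([seed])
    while queue:
        addr = queue.popleft()
        if addr in labels or hops[addr] >= max_hops:
            continue            # do not follow an exchange's own outflows
        for tx, dst, amount in outgoing.get(addr, []):
            edges.append((tx, addr, dst, amount))
            if dst in labels:
                exits[dst] = exits.get(dst, 0.0) + amount
            if dst not in hops:
                hops[dst] = hops[addr] + 1
                queue.append(dst)
    return {"max_hops": max(hops.values()), "edges": edges, "exits": exits,
            "addresses": set(hops)}
```

Address reachability over-approximates: any unrelated funds passing through a visited hop are swept in as well, which is why production tracers add amount- or taint-based heuristics on top of the plain graph walk.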

Patrick soon turned to something else. He explained that the process by which hackers liquidate their loot has recently become more complicated. Regulatory authorities worldwide are demanding stronger personal identification procedures (Know Your Customer) while enforcing anti-money-laundering and anti-coin-laundering laws. However, hackers are still able to bypass these restrictions: more liquidation is taking place at anonymous exchanges such as ShapeShift or at decentralized exchanges (DEX), where trades occur peer-to-peer. As a result, tracking has become more difficult.

Let’s take a closer look.

The security solutions of Sentinel Protocol are divided into four major categories:

· Threat Reputation Database (TRDB)

· UPPward (Network Protection)

· Interactive Cooperation Framework (ICF)

· Crypto Analysis Transaction Visualization (CATV)

Sentinel Protocol’s Threat Reputation Database (TRDB).

Experts Verify Upon Any Report Submission: TRDB

The TRDB is the core function of Sentinel Protocol. It collects and manages all kinds of security threat information, including URLs, domains, IDs, wallet addresses, e-mails, and Twitter accounts. The TRDB basically consists of blacklists and whitelists: access to a blacklisted entry is blocked, and an entry is whitelisted only after it has been verified as safe.

The TRDB is currently being recorded on the EOS blockchain for management. CEO Patrick Kim explained that, since security threat information is necessary for anyone, the optimal platform for management is the EOS blockchain. He added that he was also satisfied because the collected information could not be modified at random, thus making the information more reliable.

“Generally, every major security vendor collects threat information for their own consumption. The collected threat information reflects the vendor’s security level. Hence, the collected threat information is often not shared with other companies. As a company, we strongly feel that security threat information, especially related to cryptocurrencies, should be available to the community so this information provides real security value. In addition, the most important thing in the security domain is data reliability. If any threat information record is forged arbitrarily by anyone, then there is no trust in the entire database as well as the information itself. So, I combined the TRDB with blockchain.”

Sentinel Protocol explains the TRDB mechanism.

Threat information collected by Sentinel Protocol over the past year amounted to 1,316,762 cases. It is clear that threats are increasing by the day. Sentinel Protocol’s TRDB allows anyone and everyone to submit suspicious activity or incidents. A group of about 20 external security experts, called The Sentinels, and about 30 internal security experts verify each submitted report and record the case as threat information. It is an autonomous method of participation, which Patrick described as “crowdsourcing.”

“Once submitted, the case is registered into the TRDB for security experts to verify it. The reward system, which is still in the beta phase, aims to compensate both informers and verifiers. We plan to introduce this during the third quarter of this year.”

Installation of UPPward is available at the Google Chrome and Mozilla Firefox web stores.

UPPward — Network Protection for Individual Users

UPPward, developed by Sentinel Protocol, is a cryptocurrency scam and fraud protection solution for individual users. It is simple to use. The solution can be installed as a browser extension for Chrome and Firefox. When transacting cryptocurrencies using the browser, the wallet address is cross-checked with information archived in the TRDB. If the address is registered as a scam wallet or as a wallet previously involved in suspicious activity, the user receives a warning message. Phishing websites or malicious social accounts on Twitter are also registered as threats.

For example, the TRDB blacklist has over 60 social accounts impersonating Vitalik Buterin. When the user encounters any social or wallet address on the blacklist, UPPward sounds an alarm.

Collected social account information by Sentinel Protocol purporting to be Vitalik Buterin.

Interactive Cooperation Framework (ICF) is for enterprise users. ICF interconnects the TRDB with the CATV using APIs so external users can use these functions for free.

“Information in the TRDB is useful for finance companies, cryptocurrency exchanges, wallet developers, and payment solution developers. By leveraging the TRDB, it is possible to prevent users from transferring their cryptocurrencies to scam addresses or phishing websites from exchange wallets. The same goes for wallet developers and payment solution developers. Finance companies are also becoming interested. Since cryptocurrency exchanges are businesses, they are bound to make transactions with financial institutions. In this process, financial companies should confirm that their trading counterparts are transacting safely to comply with anti-money laundering regulations. The ICF allows all stakeholders to use the TRDB, CATV, and other Sentinel Protocol solutions.”

Crypto Analysis Transaction Visualization (CATV) tool as shown by Sentinel Protocol.

Tada! All coin transfer paths starting with a single wallet address… and the CATV

In his most powerful, self-confident voice, Patrick explained as he demonstrated the solution: “We are the only place with these technological features.” It was absolutely amazing. The CATV lets you see, at a glance, all wallets and transactions connected to a single wallet address.

Image shows the Ethereum raised by PureBit transferred to other exchanges.

Let’s take a look at the PureBit case in the CATV tool. On November 5, 2018, PureBit was at the center of a ‘dine-and-dash’ controversy over the KRW 2.6 billion it had raised to build a mining exchange. PureBit’s Ethereum wallet address used for fundraising was ‘0x7DF1BD58e8Fd49803E43987787adFecB4A0A086C’. Upon entering the address in the CATV tool, all transactions around this wallet address popped up on a graph: a total of 231 transactions. About 615 ETH was moved to Upbit’s wallet in six transfers over a little more than a month (from November 5 to December 9). Transfers to Gate.io and Cashierest also occurred. The 7,070 BTC stolen in the Binance hack on May 5 was also trackable.

CATV tracking 7070 BTC stolen from the crypto exchange, Binance.

“With the CATV, you can see wallet addresses or transactions that were previously difficult to track. Hackers, in particular, have recently been ‘mixing with Tumblers’ — a technique used to wash stolen coins thousands of times to avoid getting tracked by the judicial authorities. Tracking became impossible. But the CATV tracks even those and shows all these transactions graphically. At present, however, only tokens based on Ethereum such as ERC-20 are trackable. We are preparing to support Bitcoin, EOS, Ripple, and Litecoin this year.”

Tracking a wallet address alone is not enough: it is a vain effort if you do not know whom the wallet belongs to. To address this, Sentinel Protocol analyzes the wallet addresses of all domestic and foreign cryptocurrency exchanges. Sentinel Protocol says it has identified more than 1 million wallet addresses belonging to domestic exchanges and more than 18 million belonging to foreign exchanges.

“This is what I did not understand while developing the CATV. Exchanges won’t give any hint as to their wallet information. The hot wallet’s address, as much as it is open to the public, was not granted upon request due to security matters. So, we found each and every one on our own. Later on, of course, we also developed a technique to automatically identify exchange wallets and collect their information.”

Patrick Kim explained that the wallet information collected by the CATV is also recorded on the EOS blockchain. In particular, as with the TRDB, the exchange wallet information is expressed in Structured Threat Information eXpression (STIX), an industry security standard, which makes the collected information easy to use.

Seeing all these mesmerizing solutions, I wondered what Uppsala Security’s profit model was. What do you get for all of this? The look on Patrick’s face clouded a bit.

“I actually have a lot of worries about the revenue model. There are already a couple of other cryptocurrency trackers around. Of course, they don’t have what we have: the easy and graphically comprehensible technologies. There is a tracker company called Chainalysis. But the solution they provide is pricey and difficult to use. Only the giants can use it, not individuals.

I think this kind of solution should be made available for individuals as well. Nobody takes responsibility for hacks, whether it’s blockchain or cryptocurrency. The solutions we provide are free for individuals with no limits. UPPward is an extension for web browsers and available for installation free of charge. Instead, I am thinking B2B will be our main model for profit. Our B2B customers are currency exchanges, wallet developers, financial institutions, and government agencies.”

Industry officials say that the Chainalysis tracker solution, most widely used in and outside Korea, costs about KRW 100 million annually.

With Patrick’s mention of government agencies, one thing came to mind: a request from the Supreme Prosecutors’ Office to cooperate in developing a cryptocurrency address inquiry system, publicly disclosed last March. With Sentinel Protocol’s TRDB and CATV, this could be used immediately without further development.

“I met the FSS staff earlier this year. They told me there is an increasing number of cyber crimes involving cryptocurrencies. The existing tracker systems are inconvenient and do not work properly. So, we showed the CATV tool we developed. They were amazed and asked why a solution like this came out so late. The wallet address inquiry system, as requested by the Supreme Prosecutors’ Office to the Korea Blockchain Association, is similar in function to the CATV we developed. We are ready to cooperate with law enforcers anytime.”

Uppsala Security team members from the Singapore HQ

Uppsala Security, the operator of Sentinel Protocol, gives a strong feeling of security; the organizational structure naturally makes it so. Most of the team members, including CEO Patrick Kim, Head of Operations Narong Chong (Palo Alto Networks, F5 Networks), Head of Business Brian Yang (Dell EMC), Chief Evangelist John Kirch (Darktrace), and Head of Security Nobel Tan (FireEye, F5 Networks), are experts who spent most of their careers at security companies.

“Like me, our team comprises members from global security companies. So, our products and operations are exactly the same as those from existing security companies. It’s why we can keep chanting the slogan, ‘save the world’. We will continue to do our best to develop the best security solutions by bringing the best security experts together. Save the world!”
