Pseudonymity: A curse for criminals, a blessing for law enforcement

Published on August 12, 2018

Over the past 15 months, one argument I've tried to maintain throughout each blog post has been that, for blockchain technology to thrive, major institutions (both public and private) need to develop a comfort level when it comes to supporting the use of the technology. For government entities, that comfort level is obtained through the application of sensible regulation; for corporate entities, security is achieved through the application of safeguards protecting the entity from reputational harm or compliance related risk. When presenting my thoughts regarding blockchain technology to groups around the country, one of the common misconceptions regarding bitcoin is the idea that it’s an anonymous currency; experts within the area of cryptographic currency actually refer to bitcoin as pseudonymous. There have been a number of criminal enterprises since the advent of bitcoin in 2009 that have made the mistake of confusing anonymity and pseudonymity, often with devastating outcomes for their various illegal endeavors. With the tenth anniversary of bitcoin’s creation rapidly approaching, there have been a number of investigative victories that bitcoin evangelists can point to that will help secure the cryptographic currency’s role as the leading contender for widespread universal adoption.

In the case of bitcoin, the units and subunits owned by those transacting in the decentralized digital currency are connected to the owner by an alphanumeric code, or public key. When bitcoin transactions are initiated by these owners, the transactions in question are recorded onto the blockchain permanently and are immutable. If those who transact are successful in shielding their own identity from association with the code or public key, no one can theoretically connect the individual to those transactions. If, on the other hand, a link can be established between the individual and that specific public key, one would be able to trace all of the transactions made with that public key and breach a significant portion of that individual's privacy, which would be of significant concern to that individual if any of the transactions in question were considered to be illegal. An illustration of an obvious mistake made by bitcoin users who wish to maintain their anonymity would be the posting of their public key on their Facebook page to make it easy for friends and family to donate bitcoin to their run to benefit a charity. If at a later time, they decide to use that same public key for a purchase of illegal narcotics from a dark website, authorities would be able to link that individual to the illegal narcotics purchase. That’s one of the more obvious "pitfalls." It’s imperative, as a bad actor, that the public keys associated with your bitcoin are in fact organized, and you haven't inadvertently used a "clean code" for something nefarious. Software products that can identify IP addresses in conjunction with specific public keys are poison to a criminal organization using bitcoin. Because of the pseudonymous nature of bitcoin, bad actors are put into a position of having to dramatically increase their organizational skills and ability to think two steps ahead of law enforcement.

For bad actors, the intersection of legacy technology and blockchain technology increases the complexity of their various operations. The August 23, 2017, edition of the MIT Technology Review highlights how easy it is to reveal the identities behind bitcoin transactions by cross-referencing public keys linked to cryptocurrency transactions and traditional web research tools. This level of exposure has the potential to provide investigators with the bad actor's email address and other personally identifiable information.

On any given day, web tracking is conducted on users of the Internet by e-commerce website administrators and marketing firms with the goal of personalizing marketing materials or to gain insight into consumer behavior. As pointed out by the MIT Technology Review (MIT Technology Review), this marketing information can also be leaked onto various open internet sources, aggregated by law enforcement and providers of blockchain forensic software, and assembled into a deeply personal understanding of a bitcoin user’s activity. As a bad actor carrying out an illegal activity on the web, it’s imperative they protect their machines from cookies that are placed on their computer for the purpose of consumer tracking. They must also be aware if they have intersected with a "browser fingerprinting" exercise that takes relevant information from the user's browser (such as version, operating system, hardware configurations and time zone) to assemble unique characteristics of that user's machine. All of these details must be addressed by the criminal element even before the issues related to bitcoin's pseudonymity are taken into consideration.

The latest indictment filed by the Special Prosecutor Robert Mueller and his team on July 13, 2018, investigating the Trump Administration illustrates the global nature of the alleged criminal activity. The Russian conspirators allegedly used bitcoin to lease a server based in Malaysia, which hosted the website DCLeaks.com and was a source destination for those wishing to read the emails that were illegally obtained from the Hillary Clinton for President campaign. Count Ten (Conspiracy to Launder Money) on page 21 of the indictment alleges that the "Defendants conspired to launder the equivalent of more than $95,000 through a web of transactions structured to capitalize on the perceived anonymity of cryptocurrencies such as bitcoin." The indictment goes on to report that when registering domains and purchasing servers and any other "tools" used to enable the alleged illegal activity, bitcoin was the currency of choice for payment. In addition to being able to track these transactions via blockchain analysis of previously circulated bitcoin and allocated for the alleged illegal activity, investigators were also able to identify the internal "mining" operation for the use of freshly generated bitcoin as well. The fact that they have the ability not only to observe the identities utilizing previously issued units of currency, but also to discern those units created by "mining rigs" in possession of the Russian conspirators is an extreme level of detail that would never be available had the Russian conspirators not used bitcoin.

When it comes to publicity surrounding dark web marketplaces, Silk Road seems to get the majority of media attention. I believe that this is not only due to its business model as a marketplace for drugs, criminal services, and child pornography, but also because Silk Road was the first instance of bitcoin used on such a global scale by a number of very dangerous criminal elements. In July 2013, there were approximately 957,079 Silk Road user accounts. The website was taken down by law enforcement in October 2013, and the primary operator is serving a life sentence in federal prison. Federal authorities were able to make a number of successful cases against users and administrators of the illegal enterprise, but truly, one of the more interesting incidents of criminal elements not taking enough precaution when it came to committing a crime involving bitcoin occurred after Silk Road was dismantled.

In her 2017 TEDx talk, former Assistant US Attorney and cryptocurrency/FinTech expert Kathryn Haun (TEDx Kathryn Haun) tells the story of a senior DEA investigator turned criminal making the same mistake highlighted in the latest Mueller indictment. While US federal law enforcement was in the process of dismantling Silk Road in 2013, it was discovered that 21,000 units of bitcoin from Silk Road vendor accounts that were to be confiscated had disappeared. In August of 2018, trading at a per unit value of $6,460, the amount missing would be equal to approximately $135,660,000. The DEA Agent in question, who went by the nom de guerre Nob, began liquidating what investigators considered to be very large amounts of bitcoin each month and deposited the fiat currency into his personal bank accounts. Investigators were able to trace Nob's bitcoin back to the Silk Road and discovered they were in reality the product of Nob's extortion plot of Silk Road administrators. Investigators were able to discern from an analysis of the blockchain that Nob's pattern of bitcoin activity did not in fact match the pattern of activity linked to the missing 21,000 bitcoin. Further analysis linked the 21,000 missing bitcoin to the bank account of a shell company owned by a US Secret Service Agent also associated with the Silk Road investigation. Both federal agents pleaded guilty and are serving lengthy sentences in federal prison.

Without the advent of bitcoin, dark websites like Silk Road would not have experienced their (somewhat) brief success as a business, albeit an illegal business. The highly regulated financial institutions providing fiat-backed credit card products do not make service providers such as Visa and Mastercard viable options for those prone to selling outlawed goods and services over the web. The decentralized global currency bitcoin, on the other hand, is the perfect tool for the criminal, with the one significant liability being the currency's pseudonymity. In 2017, Europol released their annual Serious and Organized Crime Threat Assessment (SOCTA), which addressed crime in the new technological age (Europol SOCTA). The report refers to the role of bitcoin in ransomware and illegal arms sales and emphasizes that the advantage, at least to law enforcement, is the ability to track payments on the blockchain of cryptographic currencies. The report also points out that the rise in dark websites providing what is referred to as Crime-as-a-Service (CaaS), would not have taken place had cryptographic currencies not been the currency of choice by the service provider administrators. An example of CaaS would be ransomware kits that can be purchased with bitcoin on these sites for immediate use by the consumer wishing to launch a ransomware attack.

As pointed out by Kathryn Haun, in addition to observing transactional detail on the blockchain, those investigating incidents involving criminal activity can also see macro-level patterns of transactional activity. Similar to the way browser fingerprinting identifies unique component parts that make up a single computer, tools provided by blockchain forensic software provider Chainalysis have the ability to identify patterns of activity that go beyond transactional blockchain "fingerprints," but can also build cases against bad actors who choose to use various "mixing services" and privacy coins. These options are designed to assist criminals in "solving" their pseudonymity "problem" by adding an additional layer of "security," protecting the bad actors from the prying eyes of law enforcement. In addition to the advent of software that has the ability to reveal the users of these services, there are also two other factors working against bad actors who utilize mixing services and privacy coins in an attempt to obfuscate their trail of bad deeds. As pointed out by Jonathan Levin, co-founder and COO of Chainalysis, on a recent Laura Shin Unchained podcast (Unchained Chainalysis), sooner or later the bad actors will attempt to convert their illicit proceeds to fiat currency (off-ramping), at which time blockchain analysis software can complement "traditional" compliance monitoring software during the bad actor's attempt to convert their holdings from cryptographic form into more widely used (less traceable) sovereign forms of currency. Both Chainalysis and competing firm Elliptic are maintaining lists of cryptographic currency wallet addresses displaying signs of suspicious activity. 
This method of highlighting suspicious wallet addresses was made "official" in the eyes of regulators when the US Department of the Treasury's Office of Foreign Assets Control (OFAC) announced in early 2018 that lists of concerning cryptographic currency wallet addresses could be added to its list of Specially Designated Nationals (SDN) highlighting those, in the view of the US Government, who are affiliated with sanctioned nations, terrorist organizations, and trafficking enterprises. Once concerning activity is displayed by addresses considered to be illegal in nature, suspicious blockchain activity has the potential to be monitored in real-time.
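The linkage described earlier (one publicly posted address exposing a user's whole transaction history) and the watchlist screening at the off-ramp described above can be sketched together. This is an added example, not code from the original post or from Chainalysis or Elliptic; the ledger, addresses, identity label and function names are constructed, and the ledger assumes one sender and one receiver per transaction rather than bitcoin's real multi-input, multi-output format.

```python
from collections import deque

# Constructed ledger: (txid, sender, receiver, BTC). All values are made up.
LEDGER = [
    ("tx1", "addr_donor", "addr_alice_charity", 0.05),
    ("tx2", "addr_alice_charity", "addr_market_escrow", 0.30),
    ("tx3", "addr_market_escrow", "addr_hop1", 0.29),
    ("tx4", "addr_hop1", "addr_exch_dep_17", 0.28),
    ("tx5", "addr_bob", "addr_exch_dep_42", 1.00),
]
# Off-chain address-to-identity link, e.g. an address posted on a public profile.
KNOWN_IDENTITIES = {"addr_alice_charity": "alice"}
WATCHLIST = {"addr_market_escrow"}  # constructed list of flagged addresses

def history_for(address, ledger=LEDGER):
    """Every txid the address sent or received: public once the address is linked."""
    return [tx[0] for tx in ledger if address in (tx[1], tx[2])]

def exposed_identities(ledger=LEDGER, watchlist=WATCHLIST, ids=KNOWN_IDENTITIES):
    """Identities whose known address transacted directly with a flagged address."""
    hits = {}
    for txid, src, dst, _ in ledger:
        for mine, other in ((src, dst), (dst, src)):
            if mine in ids and other in watchlist:
                hits.setdefault(ids[mine], []).append(txid)
    return hits

def trace_forward(start, ledger=LEDGER, max_hops=5):
    """Breadth-first walk following funds out of start; returns {address: hops}."""
    seen, queue = {start: 0}, deque([start])
    while queue:
        cur = queue.popleft()
        if seen[cur] >= max_hops:
            continue
        for _, src, dst, _ in ledger:
            if src == cur and dst not in seen:
                seen[dst] = seen[cur] + 1
                queue.append(dst)
    return seen

def screen_deposit(deposit_addr, ledger=LEDGER, watchlist=WATCHLIST):
    """Off-ramp check: which flagged addresses sit upstream of this deposit?"""
    hits = {}
    for flagged in sorted(watchlist):
        hops = trace_forward(flagged, ledger).get(deposit_addr)
        if hops is not None:
            hits[flagged] = hops
    return hits
```

Reusing the "clean" charity address for the escrow payment is what ties the identity to the flagged address; the intermediate hop does not hide the exchange deposit from a forward trace.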

In a study sponsored by the Center on Sanctions & Illicit Finance and Elliptic (Bitcoin Laundering Report), the authors Yaya Fanusie (Director, Foundation for Defense of Democracies' Center on Sanctions and Illicit Finance) and Tom Robinson (Chief Data Officer and Co-Founder of Elliptic) discovered that in their sampling of bitcoin transactions between 2013 and 2016, the majority of illicit bitcoin transactions ended up in exchanges based in Europe, where they were converted into fiat. According to the report the reason for this is based on weak cryptographic currency controls within Europe. At the other end of the spectrum is China, which, according to the study, has rather extreme controls in place restricting the movement of fiat currency out of the country, which is a deterrent to bad actors considering converting their cryptographic currency into fiat within China. The authors point to the relatively early and thoughtful application of cryptographic currency conventions by regulators within the US as the reason that suspicious conversion activity taking place within the US was less common than that taking place within Europe.

According to public statements made by the US Department of Justice earlier this year, the FBI had 130 cryptocurrency-related open cases involving human trafficking, drugs, kidnapping, and ransomware (FBI Public Comments). Criminal elements will always find certain advantages to the use of bitcoin and other cryptographic currencies to carry out their criminal activities, so I would imagine this number of open cases will continue to grow. However, the merging of best practices on the part of cryptocurrency forensic service providers and "traditional" forensic service providers will ensure that law enforcement has the tools they need to root out criminal syndicates, thus paving the way for legitimate cryptographic currency adoption to continue worldwide.