The last week of September started with the news that the official Bitcoin domain (bitcoin[.]org) had been invaded by cybercriminals, who put up the infamous “we are giving back to the community” scam. At the end of the same week, on Friday (10/01), more than 6,000 investors registered on the cryptocurrency exchange platform Coinbase had their assets stolen by cybercriminals who exploited a vulnerability in the SMS authentication system on the exchange’s platform.
The “we’re giving back to the community” scam is not new to anyone, and in this case it was not even a big one: the criminals managed to steal only U$19,000 (BRL 101,000), which is not a relevant amount when compared, for example, with Poly Network, the biggest cryptocurrency theft in the history of technology. It is also less relevant than Coinbase’s story, which left a very important question unanswered: if cybercriminals found a vulnerability in the SMS authentication system but still needed login and password information to access user accounts, how did they compromise more than 6,000 customers? Where did these credentials come from?
Decentralized finance companies (DeFis) and crypto-asset and cryptocurrency brokers, although they have a disruptive, innovative and technological aura, are just like traditional companies, and so they are subject to cybercrime. However, there is a fact about cryptocurrencies that we cannot ignore: most are completely anonymous, which makes them even more interesting for cybercriminals, both those whose objective is to steal cryptocurrencies and those interested in laundering illegal money obtained through digital extortion.
In certain cases of cryptocurrency theft, the companies responsible are able to recover the money and restore their investors’ balances. But if cryptocurrencies are anonymous, how can DeFis get the funds back into their wallets?
It is important to remember that cryptocurrencies, although anonymous, are fully traceable. The idea that criminals use cryptocurrencies because they are anonymous and untraceable is wrong. With the exception of a few that were designed to be untraceable as well (such as Monero, for example), most of them are completely traceable.
To better understand this concept of traceability of cryptocurrencies, we can analyze the case of the invasion of the official Bitcoin website. In this case, cybercriminals took control of the site and added an alert with the following text: “The Bitcoin Foundation is giving back to the community! We want to support our users who have helped us over the years. Send bitcoin to this address [1NgoFwgsfZ19RrCUhTmmuLpmdek45nRd5N], and we will send you double the amount in return. […] Any amount sent to this address will be doubled and returned to the sender.”
On the Blockchain[.]com website we can see the assets stored in any cryptocurrency wallet; all we need is its address, which in this case is “1NgoFwgsfZ19RrCUhTmmuLpmdek45nRd5N”. Searching for this code in the search bar in the header of the Blockchain page shows which transactions involved that particular wallet.
When opening the Bitcoin (BTC) wallet at this address, the first thing we see is a “summary” of the transactions: “This address has already transacted 10 times in the Bitcoin blockchain. It received a total of 0.40571238 BTC (US$19,624.05) and sent a total of 0.40571238 BTC (US$19,624.05). The current value of this address is 0.00000000 BTC (US$0.00).” From this we can conclude that the wallet indicated in the malicious alert inserted on the Bitcoin website by cybercriminals received about U$ 19 thousand, and since its current balance is zero, its owner has already moved all of that money out.
Further down the page we can see the “Transactions” section, where the left column lists the inputs and the right column lists the outputs. In the last item of this list we see an input of 0.29891466 Bitcoin (somewhere around U$19 thousand) that was split into 45 outputs to different wallets. That is, cybercriminals transfer money to several different wallets to make the investigation process more difficult. But it only makes it more difficult, as there is no way to make a Bitcoin transaction that does not leave a public trail.
As Daniel Conquieri, COO of BitcoinTrade, explained in an interview with The Hack in November of last year, Bitcoin in particular is extremely traceable. In addition, cryptocurrency brokers keep lists of wallets, identifying which ones belong to the same owner and blocking transactions from wallets discovered to hold illegal money.
“There are platforms that do what we call blacklist or whitelist, which are wallets that are somehow identified as wallets that traded stolen bitcoins or were the target of scams. These wallets are blocked and the world’s leading bitcoin exchange agencies do not allow you to receive money from stolen wallets […] A user can open a private wallet and start moving around secretly. However, when he goes to trade in a large international brokerage, these portfolios will relate and the broker will identify that that deposit came from another portfolio, from the same owner…. In fact, the market has been evolving in this issue of traceability,” said Conquieri.
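The explorer summary and the fan-out of one input into many outputs described above, together with the exchange-side blocking of flagged wallets that Conquieri describes, as an added Python example that is not from the article or from any explorer or exchange: it builds a small constructed ledger (the scam address is the one from the alert; every transaction and every other address is made up), computes the explorer-style summary, follows the funds hop by hop, and checks whether a deposit address sits downstream of a flagged wallet.

```python
from collections import deque

# Constructed, simplified ledger (not real chain data). Each transaction lists the
# (address, satoshis) pairs it spends from and pays to. Real Bitcoin spends UTXOs
# rather than address balances and pays fees; both are ignored here for clarity.
SCAM_ADDR = "1NgoFwgsfZ19RrCUhTmmuLpmdek45nRd5N"  # address from the fake alert
LEDGER = [
    {"txid": "t1", "inputs": [("victimA", 10_000_000)], "outputs": [(SCAM_ADDR, 10_000_000)]},
    {"txid": "t2", "inputs": [("victimB", 20_000_000)], "outputs": [(SCAM_ADDR, 20_000_000)]},
    # the sweep: one input fanned out to several fresh wallets (the article saw 45)
    {"txid": "t3", "inputs": [(SCAM_ADDR, 30_000_000)],
     "outputs": [("hop1a", 12_000_000), ("hop1b", 10_000_000), ("hop1c", 8_000_000)]},
    {"txid": "t4", "inputs": [("hop1a", 12_000_000)], "outputs": [("hop2a", 12_000_000)]},
    {"txid": "t5", "inputs": [("hop2a", 12_000_000)], "outputs": [("exchange_deposit", 12_000_000)]},
    {"txid": "t6", "inputs": [("honest", 5_000_000)], "outputs": [("clean_deposit", 5_000_000)]},
]

def summarize(ledger, addr):
    """Explorer-style summary: tx count, total received, total sent, balance (satoshis)."""
    received = sum(v for tx in ledger for a, v in tx["outputs"] if a == addr)
    sent = sum(v for tx in ledger for a, v in tx["inputs"] if a == addr)
    count = sum(1 for tx in ledger
                if any(a == addr for a, _ in tx["inputs"] + tx["outputs"]))
    return {"txs": count, "received": received, "sent": sent, "balance": received - sent}

def downstream(ledger, start, max_hops=None):
    """BFS over the spend graph: every address that received funds which passed
    through `start`, mapped to the hop count at which it was first reached."""
    reached, queue = {start: 0}, deque([start])
    while queue:
        addr = queue.popleft()
        if max_hops is not None and reached[addr] >= max_hops:
            continue
        for tx in ledger:
            if any(a == addr for a, _ in tx["inputs"]):
                for out_addr, _ in tx["outputs"]:
                    if out_addr not in reached:
                        reached[out_addr] = reached[addr] + 1
                        queue.append(out_addr)
    return reached

def deposit_is_tainted(ledger, deposit_addr, flagged):
    """Exchange-side check: is this deposit address downstream of any blacklisted wallet?"""
    return any(deposit_addr in downstream(ledger, f) for f in flagged)

if __name__ == "__main__":
    print(summarize(LEDGER, SCAM_ADDR))                   # balance 0, like the real wallet
    print(downstream(LEDGER, SCAM_ADDR))                  # every wallet the funds reached
    print(deposit_is_tainted(LEDGER, "exchange_deposit", {SCAM_ADDR}))
```

Splitting the funds across many wallets enlarges the graph that `downstream` walks but never breaks it, which is the point the article makes about the 45-output transaction.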
Since January 2009, when Bitcoin was launched (along with the whole cryptocurrency movement), the police, together with the entities that manage this system, have been mapping and analyzing the cryptocurrency wallets involved in cybercrimes and their proceeds. As a result, forensic investigators are becoming increasingly adept at mapping criminal activity on the blockchain to uncover the trails that lead to the perpetrators of a crime.
Based on this strategy, the FBI (together, of course, with other forensic investigation technologies of its own) managed to identify where part of the U$ 5 million paid by Colonial Pipeline to DarkSide ransomware operators went, and with that recovered U$ 2.3 million.
However, although the blockchain is quite transparent, as we can see in the example of the Bitcoin website, in some cases tracking a high number of transactions may require specialized professionals and software, in addition to computational processing power.
One company that performs forensic investigations into cryptocurrency theft is Bitquery, which is based in New York, USA, but its raw computing work takes place in Finland, where, according to The Washington Post, the servers simultaneously process around 300 terabytes of data extracted from the blockchain in real time.
The newspaper explains that there are even more advanced forensic tools, which can reveal the owner’s IP address and even whether the wallet address has been published on the dark web, which helps in identifying cybercriminals.
These tools, which require enough processing power to handle 300 terabytes simultaneously, can be quite costly. But for a company that pays $40 million in ransom to cybercriminals (as was the case with CNA Financial), maybe it’s not that expensive.