Fiber optic cables, core Ethernet and copper cables feed switches inside a communications room in an office in London on May 21, 2018 (Jason Alden / Bloomberg)
Paolo Ardoino was at the forefront of one of the biggest cryptocurrency heists of all time.
He was inundated with calls and messages in August warning him of a breach at Poly Network, a platform where users exchange tokens between popular cryptocurrencies, like Ethereum, Binance, and Dogecoin. Hackers had stolen $610 million in crypto belonging to tens of thousands of people. About $33 million of the funds were quickly converted to Tether, a “stablecoin” whose value tracks the US dollar.
Ardoino, CTO of Tether, took note. Typically, when savvy cybercriminals make off with cryptocurrency, they transfer the assets between online wallets through transactions that are difficult to trace. And poof, the money is lost.
Ardoino stepped in and, a few minutes later, froze the assets.
“We were really lucky,” he said. “A few minutes after we issued the freeze transaction, we saw the hacker attempting to withdraw his Tether. If we had waited five more minutes, all of the Tether would have been gone.” Two weeks later, Tether returned the money to its rightful owners. And after the Poly Network threats, the online bandit gave up the rest.
The seizure punches a hole in the long-held belief that cryptocurrency is impossible to trace. Cryptocurrency is computer code that allows people to send and receive funds, recording transactions on a public ledger known as a blockchain rather than keeping the account holder’s personal information. Because of that lack of user data, cryptocurrencies like bitcoin have been regarded as a haven for criminal activity. Fueled by anonymity, the shadow industry allows hackers, tax evaders and other malicious actors to launder money in secret, outside the traditional banking system.
Online crooks made $2.6 billion in 2020, according to a Chainalysis report. That year, ransomware attacks more than quadrupled.
But forensic investigators are becoming increasingly savvy at carefully mapping activity on blockchains and determining who is behind specific accounts. This has sparked a “new cottage industry of data providers” who are able to track cryptocurrency accounts reported for illicit activity, said Zachary Goldman, lawyer specializing in new payment technologies at WilmerHale. “It has never really been available before.”
By following the money, agents have recovered stolen crypto funds in a handful of high-profile cases. In June, the Federal Bureau of Investigation seized the $2.3 million Colonial Pipeline bitcoin ransom paid to hackers who infiltrated the company’s computer network. Investigators used the blockchain to track the flow of the ransom payment in order to locate the perpetrators. In 2020, the KuCoin crypto exchange recovered almost all of the $281 million stolen by suspected North Korean hackers and refunded the funds to customers.
“Following the money remains one of the most basic, yet powerful, tools we have,” Deputy Attorney General Lisa Monaco said in a Justice Department press release announcing the seizure of the Colonial Pipeline funds. According to an affidavit, authorities obtained the account holder’s private key, but they did not specify how they obtained it, which, according to outside experts, may be intended to keep hackers from learning their methods.
The FBI and Colonial Pipeline declined to comment on how they accessed the account. Others in the industry have theories.
There are thousands of cryptocurrencies with thousands of blockchains, each containing a public record of every transaction made in that currency. But blockchains expose little public user data, and the ledgers themselves, distributed across a network of servers, are so large that downloading and analyzing them requires specialized skills and terabytes of computer storage. This allows criminals to hide behind cryptic account numbers and conceal their assets by moving them quickly or spreading them across a wide range of wallets.
Blockchain watchdogs have had success using software to extract transactional data from the blockchain, analyze it for suspicious activity, such as accounts linked to illicit dark web behavior, and help law enforcement agencies locate the funds.
Usually it starts with an account number.
Whether it is a ransom payment or a theft of funds, every crypto transaction – illicit or not – is tied to at least one public crypto address, similar to a public bank account number. This number, a unique string of more than 25 characters, can lead officers to a wealth of information about the person behind it. It can reveal other transactions made by the person and identify the exchanges or wallets used by the account holder. If these exchanges or wallets are managed by a third-party company, the assets are considered “centralized” and subject to seizure, according to experts.
Decentralized assets, however, are not overseen or maintained by a central authority. They are maintained by code. As such, they cannot be frozen.
When transferring cryptocurrency, criminals sometimes inadvertently turn decentralized assets such as bitcoin into other digital tokens controlled or backed by a company. If the cryptocurrency is “swapped” into a coin operated by a single entity, then “the company can actually freeze that currency, burn those tokens, or exercise significant control over it,” said Adam Lowe, director of innovation at CompoSecure, a cryptocurrency holding company.
Since blockchains list the transaction history for each coin, rather than owner information, investigators use sophisticated software to analyze where currencies are flowing.
Bitquery, a blockchain search engine company, produces software that underpins analytics tools used by law firms, government agencies, and data analytics companies.
The computational work takes place in a warehouse in New York City, where servers processing up to 300 terabytes of data at a time scan the blockchain around the clock. “We extract the data from the blockchain, transform it in a useful way and put it in our databases where customers can access it,” said Gaurav Agrawal, Head of Growth at Bitquery.
The software starts by finding all the transactions associated with a reported crypto address and generates graphs to show how the digital currency has flowed in and out of the account. It tries to identify patterns that could point to other payment services the hacker is using.
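The tracing step described above, reduced to its core, is a graph walk: start from a reported address, follow outgoing transfers hop by hop, total what flowed where, and stop when the trail reaches a labelled service. The example below is added here and is not Bitquery’s or any vendor’s code; the ledger entries, the address names and the attribution labels (`LABELS`) are all constructed for illustration. It also marks which endpoints are centralized services (where, per the article, a subpoena or freeze is possible) versus a mixer (where the trail goes cold), and it handles the cycle that appears when funds are sent back to the starting address.

```python
from collections import defaultdict, deque

# Constructed sample ledger (not real chain data). Each entry is one transfer.
TRANSFERS = [
    {"tx": "t1", "src": "addr_flagged", "dst": "addr_a", "amount": 60.0},
    {"tx": "t2", "src": "addr_flagged", "dst": "addr_b", "amount": 40.0},
    {"tx": "t3", "src": "addr_a", "dst": "addr_c", "amount": 35.0},
    {"tx": "t4", "src": "addr_a", "dst": "addr_mixer", "amount": 25.0},
    {"tx": "t5", "src": "addr_c", "dst": "addr_exchange_deposit", "amount": 35.0},
    {"tx": "t6", "src": "addr_b", "dst": "addr_flagged", "amount": 5.0},   # funds cycle back
    {"tx": "t7", "src": "addr_unrelated", "dst": "addr_exchange_deposit", "amount": 10.0},
]

# Constructed attribution labels: address -> (kind, hypothetical service name).
# This is the kind of data an analytics provider maintains; none of it is real.
LABELS = {
    "addr_exchange_deposit": ("exchange", "ExampleExchange (hypothetical)"),
    "addr_mixer": ("mixer", "ExampleMixer (hypothetical)"),
}


def build_graph(transfers):
    """Index transfers by sending address so we can walk outgoing edges."""
    out = defaultdict(list)
    for t in transfers:
        out[t["src"]].append(t)
    return out


def trace_forward(transfers, start, labels=LABELS, max_hops=5):
    """Breadth-first walk downstream from `start`.

    Returns (reached, paths): `reached` maps every address visited to the hop
    count at which it was first seen; `paths` maps each labelled address that
    was reached to the list of tx ids that led there.  Revisits are skipped,
    so cycles (e.g. t6 returning funds to the start) cannot loop forever."""
    graph = build_graph(transfers)
    reached = {start: 0}
    paths = {}
    queue = deque([(start, [])])
    while queue:
        addr, path = queue.popleft()
        if addr in labels and addr not in paths:
            paths[addr] = path
        if reached[addr] >= max_hops:
            continue
        for t in graph.get(addr, []):
            nxt = t["dst"]
            if nxt in reached:
                continue
            reached[nxt] = reached[addr] + 1
            queue.append((nxt, path + [t["tx"]]))
    return reached, paths


def flow_summary(transfers, reached):
    """Total inflow/outflow per address, counting only transfers whose both
    ends lie inside the traced subgraph (so unrelated deposits such as t7 are
    not attributed to the case)."""
    summary = {a: {"in": 0.0, "out": 0.0} for a in reached}
    for t in transfers:
        if t["src"] in reached and t["dst"] in reached:
            summary[t["src"]]["out"] += t["amount"]
            summary[t["dst"]]["in"] += t["amount"]
    return summary


def seizure_points(paths, labels=LABELS):
    """Labelled endpoints run by a single company: centralized, so a freeze
    or subpoena is possible there.  Mixers are reported separately."""
    exchanges = [(a, labels[a][1]) for a in paths if labels[a][0] == "exchange"]
    mixers = [(a, labels[a][1]) for a in paths if labels[a][0] == "mixer"]
    return exchanges, mixers


if __name__ == "__main__":
    reached, paths = trace_forward(TRANSFERS, "addr_flagged")
    summary = flow_summary(TRANSFERS, reached)
    exchanges, mixers = seizure_points(paths)
    for addr, hop in sorted(reached.items(), key=lambda kv: kv[1]):
        print(f"hop {hop}: {addr} in={summary[addr]['in']} out={summary[addr]['out']}")
    print("reached centralized services:", exchanges, "via", [paths[a] for a, _ in exchanges])
    print("trail lost at mixers:", mixers, "via", [paths[a] for a, _ in mixers])
```

On the constructed ledger, 35 units reach the hypothetical exchange deposit address in three hops (t1, t3, t5) and 25 units disappear into the mixer after two (t1, t4); the unrelated 10-unit deposit never enters the case graph. In practice the same walk runs over millions of real transfers and the labels come from a curated attribution database, but the logic, and its limits when the path hits a mixer, are the same.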
The most advanced forensic tools can tell investigators whether an account number has been active on the dark web or on a gambling site. They could reveal an IP address, which can reveal an exact home address, said Steve McNew, senior managing director of FTI Consulting, a company specializing in cryptocurrency investigations.
Cryptocurrency exchanges, wallets, and custodians require users to provide personally identifiable information when they register. If subpoenaed, these companies may reveal the account holder’s information.
But there are limits to what the authorities can glean.
Several tactics can throw investigators off the trail. People who wish to escape scrutiny can route their crypto through “mixers,” services that combine their coins with other users’ transactions, making them more difficult to trace. Hackers can also store their cryptocurrency keys in “cold” wallets that never connect to the internet and are therefore more secure. They transfer the digital tokens to an online wallet at an address linked to their office, or save account information and private keys on a device similar to a USB drive.
If you keep your crypto in a physical wallet, “the security is pretty bulletproof,” said David Sacco, a resident practitioner at New Haven University in the departments of finance and economics.
Despite a host of innovations in tracking technology, cryptocurrency still remains extremely difficult to follow. Most cybercriminals get away with it, McNew said.
“If the criminals store the keys in a cloud provider, or with a third-party data custodian, accessing those keys would be one way to apprehend the asset in question,” said Nic Carter, partner at Castle Island Ventures, a blockchain-focused venture capital fund.
Storing information online makes it more likely to be accessible, because authorities can subpoena the wallet operator to obtain specific information about the account holder. When authorities can’t access an account, they wait for the cybercriminal to try to withdraw money or move the crypto somewhere in the United States before they pounce.
“This is how we catch people most often,” McNew said. “As they move it from a private wallet to an exchange, hoping to cash it into their bank account, we subpoena the exchange, find out who owns the bank account, and catch them that way.”