Digital Laundry An analysis of online currencies, and their use in cybercrime
Bitcoin was developed in 2009 and is based on the work of Satoshi Nakamoto (a pseudonym for a person or group) as a peer‐to‐peer currency system implemented in open‐source C++ code. Its inventor describes it as a purely peer‐to‐peer version of electronic cash that allows online payments to be sent directly from one party to another without going through a financial institution.
Bitcoin can be accessed from anywhere in the world, with no sign‐up requirements or fees to pay, and anybody can join and participate. Because of its peer architecture there is no central organization and no list of approved Bitcoin payment processors. To start with Bitcoin, the customer has to download and install client software, or use an online wallet service. In either case, Bitcoins are stored in digital wallets and can be sent to anyone else who has a Bitcoin address. These addresses are used to provide anonymity, and transactions take place between addresses. We see an example of these addresses in Figure 5, which shows the public parts of the asymmetric key pairs from which these addresses are derived. Generating one address per transaction is highly advisable.
Figure 5. Bitcoin transactions done by address.
Bitcoin wallets are not necessarily encrypted. Transactions are public. The levels of anonymity afforded to transactions are not absolute, but they are stronger than traditional electronic payment systems and discretion is guaranteed by pseudonymous ownership. To receive or to send coins, people need just a receiving or a sending address.
Bitcoin is slowly becoming a synonym for virtual currencies, even though earlier examples in this report show that other platforms have had varying degrees of success. Nonetheless, Bitcoin is currently banking on a very successful future, not only in publicity but also in value. On February 28, 1BTC cost US$33. By April 10 the value had skyrocketed to US$266, stabilizing at around US$100 in July. The value as of September 4 was US$144.
Figure 6. Bitcoin mining explained.
Since the release of the Bitcoin generator, many more miners have appeared. Recent tools can mine Bitcoins on remote computers via Web Workers (background scripts) in HTML5. Although there is no evidence that this trend will continue, the implications are significant. Not all miners are malicious. Dedicated hardware allows users to install their own mining software or join a pool of miners. However, there are miners that use nefarious distribution methods without the consent of users. These methods use specific malware or a dedicated botnet. The initial peak of such botnets and malware occurred in the third quarter of 2011 and corresponded to the first boom in Bitcoin rates. Once cybercriminals recognized the monetary opportunity in Bitcoin, it became a key focus of their activity.
Attacking a Bitcoin exchange
In June 2011, Mt.Gox.com, the main Bitcoin exchange site, was hacked. A series of fraudulent transactions plunged the Bitcoin economy into chaos for a full week (see Figure 7). The Bitcoin rate crashed from US$17.50 to almost valueless. Other exchanges were able to continue business, but the overall value of a Bitcoin was less than US$1.
Figure 7. The June 2011 attack on Bitcoin exchange Mt. Gox.
This attack was not isolated; multiple targeted attacks have plagued Bitcoin. Recent analysis by McAfee Labs into a Bitcoin botnet19 found samples of bots communicating with Bitcoin mining services. These bots were commanded by a control server; once installed, each bot registered with an online mining service using credentials provided by the attacker, so that the mined Bitcoins were credited to the attacker (see Figure 8). In June 2011 a half‐million dollars’ worth of Bitcoins were stolen from a Bitcoin user with the pseudonym Allivain. Someone hacked into his computer and transferred the Bitcoins to the attacker’s wallet. Because transactions are irreversible, Allivain will probably never get his Bitcoins back.
Figure 8. Inside the Bitcoin botnet.
Botnets are available for sale. In the example in Figure 9, the attacker can purchase an array of functionality for only a few dollars, with further settings for controlling Bitcoin mining, as well as a dashboard providing the attacker an overview of infected systems (see Figure 10).
Figure 9. Command list for a Bitcoin botnet.
Figure 10. Dashboard for Bitcoin Statistics
Other examples of recent attacks against Bitcoin are included in a McAfee Labs blog by coauthor Francois Paget20 as well as in the McAfee Threats Report: Second Quarter 2013.21
Recent research into Bitcoin has raised significant concerns about its privacy implications. A new academic study22 by researchers from the University of California, San Diego and George Mason University detailed the challenges of staying anonymous because of Bitcoin’s “blockchain,” a public ledger that records every transaction; the study argues that this makes all transactions completely transparent. Because of such concerns about the public nature of the blockchain, additional platforms have been developed to increase the level of anonymity for users.
The main challenger to Bitcoin appears to be Litecoin, a potential alternative for cybercriminals should attacks, policy changes, or further investigations into Bitcoin deter cybercriminals from using that service. However, Litecoin is not immune to malware, with samples (for example, MSIL/PSW.LiteCoin.A) already targeting the currency.
We’ve discussed the use of virtual currencies for money laundering and the attacks against such platforms. Another key element is where cybercriminals can use virtual currencies to acquire illegal products and services. We covered some of this in our report Cybercrime Exposed, but that paper focused on easily accessible tools and services that facilitate cybercrime.
One former example was the Silk Road, which was created in February 2011 as a Bitcoin‐based online bazaar selling products across a number of categories.
Figure 11. The Silk Road may be gone, but another site already offers similar products and services, paid by Bitcoins.
On October 1 the FBI seized the Silk Road site and arrested an individual for engaging in a “massive money‐laundering operation and of trying to arrange a murder‐for‐hire.”23 As we saw previously with the demise of e‐gold and Liberty Reserve, however, new services quickly come online to meet criminal demand for products or services. Silk Road is no different. In Figure 11, we can see an alternate service that can offer Silk Road customers the products they desire. Silk Road and its alternatives are by no means unique. In Figure 12, we see the introduction of another type of service that relies on the perceived anonymity that virtual currencies afford, namely the Hitman Network. This service offers potential customers access to three “contract killers,” who will kill a target in exchange for virtual currency. The only qualification appears to be the refusal to target those under age 16 and high‐profile politicians.
There is no indication that the Hitman Network actually fulfills its promises, and verifying this would likely come at some personal risk. We include it to demonstrate that confidence in the privacy of virtual currencies has enabled the sale of some frightening services.
Figure 12. If we can believe it, the Hitman Network offers assassinations paid in Bitcoins.
The service in Figure 13 appears to offer do‐it‐yourself tools that match the service offered by the Hitman Network. Again, payment is by virtual currency.
Figure 13. Guns for Bitcoins.
Richard Weber, head of the US Internal Revenue Service’s criminal investigation division, has made the stark assessment that if Al Capone were alive today he would use these services to hide his money.24 There is no question that virtual currencies have been used by criminals to conceal and transfer their ill‐gotten gains with the click of a button.
Attempts to close down such services have historically resulted in criminals simply moving their businesses elsewhere, with the migration to and from Liberty Reserve serving as an example. Despite such an attractive proposition for criminals, global law enforcement is collaborating in its efforts both internationally and with the private sector to identify, seize, and arrest those individuals operating such platforms.
Virtual currencies will not go away. Despite the apparent challenges posed by DDoS attacks, the use of these exchanges for money laundering, and the facilitation of cybercrime, opportunities also abound for legitimate uses. Ignoring this market opportunity is likely to cost potential legitimate investors significant revenue, but failure to address the potential risks may cost a lot more.
About the Authors
Raj Samani is vice president and CTO, EMEA, McAfee. He is an active member of the information security industry through his involvement with numerous initiatives to improve the awareness and application of security in business and society. Samani has worked across numerous public sector organizations in many cybersecurity and research‐orientated working groups across Europe. He is the author of the recently released Syngress book Applied Cyber Security and the Smart
Grid. Samani is currently the Cloud Security Alliance’s strategic advisor for EMEA and is also on the advisory council for the Infosecurity Europe show, Infosecurity Magazine, an expert on both searchsecurity.co.uk and the Infosec portal, and regular columnist for Computer Weekly. You can follow Raj Samani on Twitter at http://twitter.com/Raj_Samani.
François Paget is a senior researcher and one of the founding members of McAfee Labs. He has identified and analyzed new threats, and has created countersteps to detect and eliminate them. Today, Paget conducts a variety of forecast studies and performs technological monitoring for McAfee and its clients. He focuses particularly on the various aspects of organized cybercrime and the malicious use of the Internet for geopolitical purposes. Paget is active in various partnership actions with French and international authorities involved in fighting cybercrime. You can follow François Paget on Twitter at http://twitter.com/FPaget and read his blog posts at http://blogs.mcafee.com/author/Francois‐Paget
Matthew Hart is a software developer within the cloud computing team at McAfee Labs in Aylesbury, United Kingdom. He has more than 30 years’ experience within the industry and takes a keen and active interest in using technology to make cyberspace a safer place.
About McAfee Labs
McAfee Labs is the global research team of McAfee. With the only research organization devoted to all threat vectors—malware, web, email, network, and vulnerabilities—McAfee Labs gathers intelligence from its millions of sensors and its cloud‐based service McAfee Global Threat Intelligence. The McAfee Labs team of 500 multidisciplinary researchers in 30 countries follows the complete range of threats in real time, identifying application vulnerabilities, analyzing and correlating risks, and enabling instant remediation to protect enterprises and the public. http://www.mcafee.com/labs
McAfee, a wholly owned subsidiary of Intel Corporation (NASDAQ:INTC), is the world’s largest dedicated security technology company. McAfee delivers proactive and proven solutions and services that help secure systems, networks, and mobile devices around the world, allowing users to safely connect to the Internet, browse, and shop the web more securely. Backed by its unrivalled global threat intelligence, McAfee creates innovative products that empower home users, businesses, the public sector, and service providers by enabling them to prove compliance with regulations, protect data, prevent disruptions, identify vulnerabilities, and continuously monitor and improve their security. McAfee is relentlessly focused on constantly finding new ways to keep our customers safe. http://www.mcafee.com