Tracking Stolen Cryptocurrencies
Good article about the current state of cryptocurrency forensics.
Clive Robinson • September 27, 2021 8:07 AM
@ Bruce, ALL,
It’s not that surprising that there is traceability, thus forensics. Due to fundamental crypto-currency requirements, it’s effectively “built in”.
So the “obfuscate arms race” applies. The result as always will be that people will “move on” to other technologies as they become available, and the game starts again.
The thing is, the advantage is not with the libertarians, but the governments.
The detection and tracing methods are going to improve, as are prevention methods. As China is indicating the whip hand is under the control of the “guard labour” and their masters. Likewise the US idea of “whitelisting” or more importantly “black listing” crypto-coins as they see as not meeting their approval.
But at the end of the day all crypto-currencies so far have the seeds of their own destruction built in.
So the question arises as to if these issues can be designed out, such that governments do not have the upper hand?
I guess we will have to wait and see but I’m not hopeful.
SpaceLifeForm • September 27, 2021 2:46 PM
@ Jesse Thompson
I would not conclude that Monero is truly safe because of DNS traffic analysis.
I can see a use case for a cryptocurrency that has a limit for transaction size, say $100.
If someone was to try to launder big money thru a blockchain with a transaction limit, then the traffic would stand out.
I think that would be acceptable to regulators that are concentrating on large money laundering operations.
Clive Robinson • September 27, 2021 5:19 PM
@ Jesse Thompson,
Re – Monero and others.
Monero already has a checkered past, and is still effectively in “development”.
One of the “health warnings” all crypto algorithms should come with but usually don’t, is “time based side channels” in “practical implementations” leaking information to anyone who cares to look for it, sometimes at considerable distances (think of jitter on network packets still visible several routers down the line).
Whilst the Ring Signatures may be “mathematically secure” you really should be asking “Are they practically secure?”. The answer is most likely “not at all”.
As I’ve indicated in the past, we have good reason to believe the NSA “backdoored” the NIST AES competition by hoodwinking NIST thus “finessing” the rules. The result was very fast but very insecure code was available to all to download without restriction. Even though a proof of concept attack against the AES implementation via cache based time side channels was found in short order, it did not change things. Because by then “the code” that contained the side channel was in lots and lots of code libraries etc. If you know how to look you will find that there are still many AES using applications out there with time based side channels that can be exploited across a communications connection…
It’s why I advise the use of two computers at any user “end point”.
One is connected to the communications network and does no cryptography or handling of confidential information in plain text or other cipher text form (some File/disk encryption is shall we say not what it could be). I used to suggest the use of CD/DVD ROM based linux distributions that require no hard drive. However the use of “Flash ROM for Everything” in PC’s and the like this century kind of negates that advice, and the problem is getting worse with time (it’s why I use older microcontroller family based communications nodes I’ve designed and built myself).
The second computer is NEVER EVER connected to any communications and these days it’s advisable due to Flash ROM devices getting everywhere not to “share” any hardware between the computers lest the trick I came up with to attack “voting machines” is used not just via the likes of USB devices, but even power supplies you plug into the mains supply… It is on this computer you do your confidential / private work and encryption / decryption.
Whilst “air gapping” is the minimum you should consider if your privacy / finances are important, full on “energy gapping” would be prudent if you are using crypto-currency above a thousand dollars or so.
If you can, investigate and use “smart cards” or other external crypto devices to do certain “crypto functions” off of the second computer (think HSM). That way if the second computer is “physically accessed” you have some degree of protection as long as the crypto device is kept separately.
I won’t go into how to safely cross air or energy gaps, it’ll take up too much space. I’ve mentioned a few ways in sufficient detail on this blog in the past so looking it up is there as an option. But whatever method you use, remember the most important feature is “the ease of secure destruction”. Whilst a piece of paper may not hold much data even in digital form, it does burn to unusable ashes in less than ten seconds, faster if you “strip shred” it first to get a good volume of air in it.
Clive Robinson • September 27, 2021 6:09 PM
I forgot to add to my above,
“DO NOT TRUST commercial FDE or other crypto apps / libraries”.
There is just way too much of it that really is not secure in practical systems (even Microsoft with CVE-2020-0601 and CVE-2021-31199 that’s two serious crypto security faults in less than 18 months).
There are times when “secure paper and pencil codes and ciphers” start to look quite attractive for certain types of traffic. However practical implementations need careful thought in design and use.
 Some people say “Quantum Cryptography”(Q-crypto) via “Quantum Key Distribution”(QKD) is the way to go. But at the end of the day it uses the principle of the “One Time Pad” to transfer symmetric, or asymmetric “Key Material”(KeyMat) but with lesser “Key Management”(KeyMan) issues. So the actual data communications is still via AES or similar using a “session key” sent by QKD. There is no reason in principle why you can not do a similar thing with an ordinary pencil and paper One Time Pad…
 One design mistake often seen is putting “checksums” in the wrong places as they can leak information. Similar mistakes can happen with some types of compression algorithms.
 One of the big problems with all forms of crypto, is that in reality you are using it to “move a problem” not “solve a problem”. You see this easily with OTP’s, yes you get secure communications when you need it… but only if you use them correctly, which requires good operator OpSec. However you actually shift the security issue on to the moving and now storing the KeyMat securely, and that requires often complex KeyMan issues and much more exacting OpSec (something QKD supposedly solves but actually just moves issues).
Bill • September 27, 2021 10:05 PM
I agree to a point. I was indicted by the Secret Service and Homeland Security (same umbrella). They even had NASA involved on our case to use their super computers. They could NOT access several of my laptops with FDE. They even tried to make it part of my plea. They had the laptops for about 4 years before sentencing in 2014 and never were able to access. This was a no budget, major cybercrime case that went all the way to the White House. The case was the result of Obama’s new Cybercrime Task Force and had a blank check for investigation costs and prosecution. I had Norton FDE on those computers. I believe the builds were in the 6’s. However, I would agree that today, I would not trust them. I used to use SecurStar and look who ran that! A criminal. I only chose Norton at the time because it was Phil Zimmermann’s original PGP and I didn’t believe they had built in any backdoors. Turns out, I was right.
Z.Lozinski • September 28, 2021 4:23 AM
Some people say “Quantum Cryptography”(Q-crypto) via “Quantum Key Distribution”(QKD) is the way to go.
QKD is theoretically secure, in a similar way as a one time pad. The challenge as ever with high grade security is in the implementation. With OTP you have the problem of key distribution, where the key material has the same volume as the data you want to transmit. There are also implementation errors with OTP, see VENONA (1940s) and Gordon Corera’s recent book (2000s). With QKD you are dependent on the integrity of the nodes that generate and detect the entangled photons. In particular that there are no side channels, though to be fair you should treat the QKD node as a BLACKER device with the associated risk profile. If you need QKD repeaters due to distance limitation in dark fibre that is the other obvious weak point.
Clive Robinson • September 28, 2021 7:07 AM
@ Bill, ALL,
I only chose Norton at the time because it was Phil Zimmermann’s original PGP and I didn’t believe they had built in any backdoors.
As you note, that was then… It probably would not run on OSs and hardware of now.
Which brings us to a point @Nick P and myself used to have a minor disagreement on which you can see if you look back on the blog.
I favoured hardware pre 1995 and he thought 2005 was the cut off point. Turns out “meltdown” and similar was visible in 2005 CPU’s. I suspect but can not say that even 486 CPU’s had security faults due to “specmanship” so that takes us back to the early 1990’s.
Which raises the question of other hardware faults in practical implementation,
@ Z.Lozinski, ALL,
The challenge as ever with high grade security is in the implementation.
Leaving aside for the moment the “high grade security” argument, I’ve yet to see a consumer, or commercial grade OS or bit of hardware I would consider sufficiently secure for ordinary privacy. It’s why so many crooks make large amounts of money…
In fact I would argue, that the situation is getting worse on an almost daily basis.
As our host @Bruce has been known to point out a security system is in effect a chain of links, that is only as strong as the weakest of the links.
I am known to point out the issues with “user end points” that are just one part of the overall security chain.
It’s all fine and dandy having the strongest encryption system known for the “communications link” but…
1, What real use is that if the OS Comms stack, allows an attacker to get almost effortless access to the User Interface where everything is in “plaintext”.
2, Likewise if the encryption software creates multiple time based side channels that can be seen on the comms network several nodes away.
3, Also if the hardware creates multiple time based side channels…
Which brings us onto Quantum Key Distribution (QKD) it’s had a long history from before 1984 to today it has been plagued with side channels. The first was noted by one of QKD’s inventors, he used an “optical light bench” to build an experimental version and the electronically controlled polarizers made so much noise he could tell what state they were in just standing there.
Over the years I amongst others have pointed out that there were various tricks you could do to tell the state of the polarizers, one obvious one is monitor the power usage of the QKD device either directly or due to the EMC issues. But as most QKD devices did not have frequency specific filters, it was possible to use a coherent light source of an entirely different frequency and inject it into the QKD optical channel and see what got reflected off of the polarizers thus know how they were set. Then there was the issue that the early photon sources actually emitted multiple photons… Oh and lots of other stuff as time went on. But its major issue is path loss that limits the range of use significantly.
So QKD was actually of very limited use even on point to point links…
As most people who have paid attention to ICTsec over the past half decade or so now know, “link security” is not what is wanted. What is wanted is “end to end security”. That way you as the first party and the second party you are communicating with do not have to trust any channels or nodes beyond your control and subject to third parties eavesdropping or subversion etc.
QKD can only give end to end security over very short fixed lengths as such it’s fairly useless for most communications networks, that require switching between multiple network nodes.
It’s the same reason “monorail” trains never took off in the 1960’s nobody could work out how to make the switches…
Whilst things are improving with repeaters and switches, they all currently have “security issues”. Whilst they can be solved for Nation State actors who can throw the resources, legislation, and enforcement at the problem, the same is not true for anyone else, especially where a Nation State regards everyone else as the “enemy” thus has a “collect it all” policy and who can also “throw the resources, legislation, and enforcement at the problem” of ensuring it…
But realistically the massive cost of designing and operating secure nodes is commercially prohibitive and this will keep QKD sidelined from all but a few niche areas.
Will this change? Probably not a lot, the communications channel security rests on one law of physics and the communications channel range limitation on another law of physics. There is actually not much room in between to play with.
But even when you only use two end points, the engineering is such that stopping all side channels in them is not possible. So there is the distinct probability of information leakage.
 However I do have an 8088 machine I still use with MS-DOS 3, it only has old fashioned ROM technology in it and no fancy Flash ROM.
 The “high grade security” argument, should be one of semantics, but unfortunately prosecutors use it as a method of arguing that a person is somehow a criminal because they have something to hide, rather than just have an acceptable level of “privacy” which is a primary requirement for the society we currently have.
Winter • September 28, 2021 9:01 AM
I think the WSJ article is rather uninformed, e.g.,
Whether it’s a ransom payment or stolen funds, all crypto transactions — illicit or not — are linked to at least one public crypto address, similar to a public bank account number.
And then they treat the crypto address as a personal account number. Also the treatment of the cold-wallets is rather puzzling and gives completely the wrong impression. But these addresses can be generated per transaction. Criminals who still use fixed addresses are low hanging fruit for LEOs. Following the money into and out of an “account” is nonsense.
What is done is that money is followed from address to address. The analysts try to find the point where cryptocurrencies are converted into fiat money and/or products. That is, when it enters an exchange. In case of illicit money, the addresses that are used to transfer the money are blacklisted and any bitcoins flowing out of them are tainted and followed. Exchanges will simply refuse to handle the tainted bitcoins flowing out of these blacklisted addresses. It can become impossible to cash out these coins. It is rather easy to add mixers into these tainted tracks making anything that comes out of a mixer useless.
As has been argued time and again, what Bitcoin tries to do has nothing to do with “anonymity”. Bitcoin solves only two related problems:
1) How to reach consensus without trust
2) How to prevent double spending of money
This it does very well. Only an attacker that can outrun all other miners combined can corrupt (rewrite) the ledger. Which is a well known, quantifiable risk.
Zcash and Monero try to give full transaction anonymity. They seem to be quite good at it, but the costs in resources are still high. I am not qualified to judge the quality of the anonymity.
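The address-to-address tracing described in the comment above, as an added example that is not part of the original thread: taint is propagated from a blacklisted address through a small ledger to a watched exchange deposit address. It goes slightly beyond the comment by comparing two propagation policies from the taint-analysis literature, "poison" (any tainted input taints every output, as the comment describes) and "haircut" (taint is split in proportion to value); every transaction id, address and amount is constructed for illustration.

```python
from collections import namedtuple

# Constructed sample ledger: every txid, address and amount is made up.
# inputs: [(txid, output_index)]; outputs: [(address, value)]
Tx = namedtuple("Tx", "txid inputs outputs")

LEDGER = [
    Tx("t0", [], [("victim", 10.0)]),
    Tx("t1", [], [("bystander", 10.0)]),
    Tx("t2", [("t0", 0)], [("thief_a", 10.0)]),               # the theft
    Tx("t3", [("t2", 0)], [("thief_b", 6.0), ("thief_c", 4.0)]),
    # Mixer-like transaction: stolen and unrelated coins are combined.
    Tx("t4", [("t3", 0), ("t1", 0)], [("mix_1", 8.0), ("mix_2", 8.0)]),
    Tx("t5", [("t4", 0)], [("exchange_deposit", 8.0)]),
    Tx("t6", [("t3", 1)], [("exchange_deposit", 4.0)]),
]
BLACKLIST = {"thief_a"}          # address reported as receiving the stolen coins
WATCHED = {"exchange_deposit"}   # hypothetical exchange deposit address


def trace(ledger, blacklist, policy="poison"):
    """Return {(txid, index): (address, value, tainted_value)} for every output.

    The ledger must be in chain order (outputs appear before they are spent).
    """
    if policy not in ("poison", "haircut"):
        raise ValueError(f"unknown policy: {policy}")
    outs = {}
    for tx in ledger:
        spent = [outs[ref] for ref in tx.inputs]
        in_value = sum(v for _, v, _ in spent)
        in_taint = sum(t for _, _, t in spent)
        if policy == "poison":
            frac = 1.0 if in_taint > 0 else 0.0      # one tainted input taints all
        else:
            frac = in_taint / in_value if in_value else 0.0
        for i, (addr, value) in enumerate(tx.outputs):
            share = 1.0 if addr in blacklist else frac
            outs[(tx.txid, i)] = (addr, value, value * share)
    return outs


def flagged_deposits(ledger, blacklist, watched, policy="poison"):
    """List (txid, value, tainted_value) for tainted outputs paying a watched address."""
    outs = trace(ledger, blacklist, policy)
    return [(txid, value, tainted)
            for (txid, _), (addr, value, tainted) in outs.items()
            if addr in watched and tainted > 0]


def unspent_taint(ledger, blacklist, policy="poison"):
    """Total tainted value sitting in outputs that no later transaction spends."""
    outs = trace(ledger, blacklist, policy)
    spent = {ref for tx in ledger for ref in tx.inputs}
    return sum(t for ref, (_, _, t) in outs.items() if ref not in spent)


if __name__ == "__main__":
    for policy in ("poison", "haircut"):
        print(policy, flagged_deposits(LEDGER, BLACKLIST, WATCHED, policy),
              unspent_taint(LEDGER, BLACKLIST, policy))
```

Under the poison policy the mixer-like transaction turns 10 stolen coins into 20 tainted ones, which is the effect on mixer outputs the comment points to; the haircut policy keeps the tainted total at 10.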
Clive Robinson • September 28, 2021 10:05 AM
@ Winter, ALL,
I am not qualified to judge the quality of the anonymity.
I don’t think anybody is really, as it’s a fairly fast moving game. So what was anonymous last week, may well not be this week etc.
There is a physical forensics principle thought up by Dr Edmond Locard around a century ago.
Called the “Exchange” or “Contact” Principle, put simply it argues that when two objects come into contact they leave trace evidence of each other on the other object.
Whilst information has no physical form and is thus not affected by forces, the use of information for,
Requires it to currently “interact” with the physical world, which can only be done presently by impressing information onto either energy or matter, which are constrained by forces and other laws of nature.
Thus the question arises “Does Dr Locard’s principle apply?” to which the answer at some level is almost certainly yes. But the secondary question of “Is it currently of practical use or not?” arises. History tends to suggest if there is sufficient need technology will at some point become available. So most likely the subject of anonymity is going to change.
But since Dr Locard came up with his principle things have changed. Back then the notion of meta-evidence had not received much consideration. Since the realisation of “traffic analysis” and similar during WWII meta-data has had a good toe hold on the intelligence arena. Forensics in effect is associated with intelligence, thus we should now consider “information” as a form of “object” and ask what traces follow information in communication and processing of it.
I suspect we will see quite a bit of effort go into developing methods. Not because of “crimes” –though that will be the excuse– but because of the desire to “tax” and raise revenue to “buy influence”.
Which for me is probably the best reason to avoid crypto-currencies there is, and speculators really should take that into account when making their “bets”.
 Locard’s Principle and information forensics, has been discussed in at least one academic setting,
Winter • September 29, 2021 3:08 AM
“Which for me is probably the best reason to avoid crypto-currencies there is, and speculators really should take that into account when making their “bets”.”
One reason to invest heavily in cryptocurrencies, beside the obvious Crime&Money Laundering, Tax Evasion, and Evading Capital Export restrictions, is a hedge against a collapse of the USA dollar.
The really big capital hoards expect an end to fossil fuels soon (over 50% of all viable fossil fuel reserves, 90% of coal, have to remain underground), combined with a pandemic size large investment in sustainable energy and carbon capture, and an increase in taxation to fund this and repaying the pandemic stimulus packages. What these all predict is an end to the US dollar as a global reserve currency and mainly, and with an end to oil, an end to a lot of the global power of the USA.
All in all, Big Capital expects a crash of the US dollar, and the Euro. Bitcoin is then seen as one way to hedge against that. Real estate is another (see soaring prices).
 “Most fossil-fuel reserves must remain untapped to hit 1.5 °C warming goal” https://www.nature.com/articles/d41586-021-02444-3
 This hedge against a dollar crash depends on there being strong demand for bitcoin from “stable” currencies, e.g., the Chinese yuan. With the Chinese rooting out bitcoin, that might cut off this escape route.
Winter • September 29, 2021 3:52 AM
There is a lot published on the coming crash of the US$:
Earlier this year:
Not that I feel qualified to have an opinion on this. I remember the same prediction passing by several times since 2000. However, some ridiculously rich people do seem to factor this eventuality in.
Clive Robinson • September 29, 2021 7:28 AM
One reason to invest heavily in cryptocurrencies, beside the obvious Crime&Money Laundering, Tax Evasion… …is a hedge against a collapse of the USA dollar.
Whilst I’ve said the USD is “over subscribed” and only held out of the toilet because it’s used as the world’s trading currency since before the first Gulf War, others say otherwise, and to a certain extent they have been right so far.
However even though I think USD is a basket case and the US will head down the crapper faster than toilet tissue in one of those vacuum toilets on aircraft when the flush happens, I would not “invest heavily” in crypto currencies to hedge against the USD getting flushed.
A sensible investor looking to hedge against a USD flush, would “spread wide” not “go deep”.
Which suggests one of two things,
1, The money is from speculators not hedgers.
2, If it is from hedgers then it is just a small fraction of their spread.
When you look at the amount of chump cash going into crypto currencies and think option 2, then you can not help but wonder, how much value is really being taken out of USD and put in other investments as a hedge…
It would in effect be at the very least equivalent to all the criminal enterprise value in the entire US and its dependencies. Think for a moment just how big that “black economy” actually is. If you took all the value of the big Silicon Valley Corps you would not even be close. Which begs the question,
“Where is it all coming from?”
It’s not what you might call “personal wealth”.
 I view them in the same way people finally viewed black tulip bulbs. A “hot potato game, that’s easy to get into, but near impossible to get out of”. Worse those crypto currencies that are “pegging” tend to do it with the USD so their value will go down the crapper just as fast as USD or whatever else they are pegged to.
Karl Zander • September 29, 2021 10:49 AM
Great comments. Thanks.
My acronym for Satoshi is N omega Sa