The Global Hunt for the Crime Lords of Crypto – Naked Security



Hear Andy’s thoughtful commentary on cybercrime, law enforcement, anonymity, privacy, and whether we really need a “war against cryptography” – codes and ciphers that the government can easily crack if it thinks there’s an emergency – to cement our collective online security.

[MUSICAL MODEM]

PAUL DUCKLIN. Hello, everybody.

Welcome to this very, very special episode of the Naked Security podcast, where we have the most amazing guest: Mr. Andy Greenberg, from New York City.

Andy is the author of a book I can very seriously recommend, with the fascinating title Tracers in the Dark: The Global Hunt for the Crime Lords of Cryptocurrency.

So, Andy, let’s start off…

..what made you write this book in the first place?

It seems fascinatingly complicated!


ANDY GREENBERG.  Yes, well, thank you, Paul.

I guess [LAUGHS]… I’m not sure if that’s a compliment?


DUCK.  Oh, it is, it is!


ANDY.  Thank you.

So, I’ve covered this world of hackers, and cybersecurity, and encryption for about 15 years now.

And around, let’s see – I guess 2010 – I started working on a book, a different book, that was about the cypherpunk movement in the 1990s…

…and the ways that it gave rise to the modern internet, but also to things like WikiLeaks, and other forms of encryption, anonymity tools, and ultimately what we now call the dark web, I suppose.

And I’ve always been fascinated with the ways, on this beat, that anonymity can play this fascinating, dramatic role – and allow people to become someone else, or to reveal to you in secret who they really are.

And as I dug into this cypherpunk world, around 2010 and 2011, I came across this thing that seemed to be a new phenomenon in that world of online anonymity – which was Bitcoin.

I wrote, I think, the first print magazine piece about Bitcoin for Forbes magazine in 2011.

I interviewed one of the first Bitcoin developers, Gavin Andresen, for that piece.

And Gavin and many others at the time were describing Bitcoin as a kind-of anonymous digital cash for the internet.

You could actually use this new invention, Bitcoin, to put unmarked bills in a briefcase, basically, and send it across the internet to anyone in the world.

And, being the sort of reporter I am, I’m interested in the subversive and sometimes criminal, sometimes politically motivated… I don’t know, the underhanded and dark corners of the internet.

I just saw how this would enable a new world of… yes, people seeking financial privacy, but also money laundering, and drug dealing online, and all of this that would come to pass in the next few years.

But what I didn’t foresee is that, ten years later or so, it would be by then obvious that Bitcoin is actually the *opposite* of anonymous.

I mean, that’s the big surprise, and the big reveal.

For me, it was a sort of slow-motion epiphany to realise that cryptocurrency was actually *extremely* traceable.

It was the opposite of this “anonymous cash for the internet” that many people once thought it was.

And the result, I think, was that it served as a sort of trap for many people seeking financial privacy… and criminals, over that decade.

And as I realised the extent of this… I fully realised it in 2020 or so.

I started, at the same time, to see that this one company, Chainalysis, a blockchain-analysis Bitcoin cryptocurrency tracing firm, was being named in one US Department of Justice announcement after another in all of these major busts.

And so I started talking to Chainalysis, and then to their customers and law enforcement, and slowly realised that there had been this one small group of detectives that had figured this out a lot sooner than me.

They had started actually tracing Bitcoins years earlier, and had used this extremely powerful investigative technique to go on this spree of one big cybercriminal bust after another…

…using cryptocurrency as this surprise trap that had been laid for so many people on the dark web, and in the cybercriminal world as a whole.


DUCK.  Now, I suppose we shouldn’t really be surprised at that, should we, as you explain in the book?

Because the whole idea, at least of the Bitcoin blockchain, is that it’s, by design, totally and completely public and irrevocable.

That’s how it can work as a ledger that’s equivalent to something that would usually be held privately and individually by your bank.

It doesn’t even have your name on it, but it has a magic identifier that, once tied to you, can’t really be cut loose…

…if there’s other evidence to say, “Yes, long-hexadecimal-string-of-stuff is Andy Greenberg, and here’s why.”

Now try denying it!

So, I think you’re right.

This idea that it’s *possible* to trade anonymously with Bitcoin – I think was taken by very many people to mean that it’s essentially anonymous and ever-untraceable.

But the world is not like that, is it?


ANDY.  I sometimes look back on my 2011 self, and in that piece for Forbes, I *did* write that Bitcoin was potentially untraceable.

And I kind of scold myself, “How could you be such an idiot?”

The whole idea of Bitcoin is that there’s a blockchain that records every transaction.

But then I remind myself that even Satoshi Nakamoto, the mysterious creator of Bitcoin (whoever he, she or they are), in their first email to a cryptography mailing list introducing the idea of Bitcoin…

…listed among its features that participants can be anonymous.

That was a feature of Bitcoin as Satoshi described it.

So I think there’s always been this idea that Bitcoin, if it’s not anonymous, at least is pseudonymous, that you can hide behind the pseudonym of your Bitcoin address, and that if you can’t identify somebody’s address, you can’t identify their transactions.

I guess all of us should have known… I should have known, and maybe even Satoshi should have known, that, given this huge corpus of data, there would be patterns in it that allow people to identify clusters of addresses that all belong to one person or service.

Or to follow the money from one address to another to find interesting giveaways in this huge collection of data.

The biggest giveaway of all is when you cash in or cash out at a cryptocurrency exchange that has Know-Your-Customer [KYC] requirements, as almost all of them do now.

They have your identity, so if somebody can just subpoena that exchange, then they have your actual driver’s licence in hand.

And any illusion of anonymity just completely backfires.

So that’s the story, I think, of how Bitcoin’s anonymity turned out to be the opposite.


DUCK.  Andy, do you think, perhaps, though, that there’s nothing wrong with Satoshi Nakamoto saying, “You *can* be anonymous when you use Bitcoin?”

I think what’s wrong is that a lot of people assume that because technology *can* let you do something that’s fascinating for your privacy, therefore, *however you use it*, it always will.

And the original idea of Bitcoin didn’t include exchanges, did it?

And so there wouldn’t be any exchanges that would take a copy of your driving licence if Bitcoin were used in its original kind of cypherpunk way, as far as I can see…


ANDY.  Well, I certainly don’t blame Satoshi for not predicting the whole cryptocurrency economy, including the ways that exchanges would interface with the traditional finance world.

It’s all extremely advanced economics; Bitcoin was good enough as it is.

But I do think that it’s more than just, “You *can* be anonymous with Bitcoin if you’re careful, but most people are not careful.”

It turns out, I think, that the chance, no matter how smart you are, of using Bitcoin anonymously is vanishingly small.

Also, there is the property of blockchain *that it’s forever*.

So, if you use the sort of smartest ideas of the day to try to avoid any of these patterns that reveal your transactions on the blockchain, but then someone years later figures out a new trick to identify transactions…

…then you’re still screwed.

They can go back in time, and use their new ideas to foil your cutting-edge anonymity tricks from years earlier.


DUCK.  Absolutely.

With a bank fraud you can imagine you *might* get lucky, couldn’t you?

That just when you’re about to be investigated, years later, you find the bank’s had a data security disaster, and they’ve lost all their backups and, oh, they can’t recover the data…

With the blockchain, that ain’t never going to happen! [LAUGHS]

Because everybody’s got a copy, and that’s a requirement for the system to work as it does.

So, once locked in, always locked in: it can never be lost.


ANDY.  That’s the thing!

To be anonymous with cryptocurrency, you really have to be perfect – perfect forever.

And to catch someone who’s trying to be anonymous with cryptocurrency slipping up, you just have to be smart, and persistent, and work on it for years, which is what, first, Chainalysis…

…actually, first was academic researchers like Sarah Meiklejohn at the University of California at San Diego, who, as I document in the book, came up with a lot of these techniques.

But then Chainalysis, this startup that’s now almost a nine-billion-dollar unicorn, selling polished cryptocurrency tracing tools to law enforcement agencies.

And now, all of these law enforcement agencies that have trained Bitcoin tracers – their savvy, their know-how in doing this, is just growing by leaps and bounds.

And I think it’s almost just a better rule to say, “No, you cannot be anonymous with cryptocurrency,” that it’s fully transparent.

That’s a safer way to operate, almost.

To be fair, Satoshi Nakamoto said participants *can* be anonymous… but it turns out that the one participant who has *remained* anonymous is Satoshi Nakamoto.

And that’s, partly, because very few people have that other-worldly restraint that Satoshi had to amass 1,000,000 Bitcoins and then never spend them or move them.

If you do that… yes, I think you can perhaps be anonymous.

But if you ever want to use your cryptocurrency, or to put it in a liquid form where you can spend it, then I think you’re toast.


DUCK.  Yes, because there are some amazing things that have happened, one of which you allude to because it was in the works just at the end of the book…

…[LAUGHS] what I call the Crocodile Lady and her husband: Heather Morgan and Ilya Liechtenstein.

Self-styled “Crocodile of Wall Street” arrested with husband over Bitcoin megaheist

They’re alleged to have somehow obtained a whole load of cryptocoins from a cryptocurrency bank robbery against Bitfinex.

In their cases, they obtained stolen cryptocurrencies in huge quantities, so that they would quite literally have been billionaires *if they could have cashed it out*.

But when bust, they still had the vast majority of that stuff sitting around.

So it seems that, in a lot of cryptocurrency crimes, your eyes can be a lot bigger than your stomach.

You might live the high life a little bit… the Crocodile Lady and her husband, it does seem they were living quite a flash lifestyle.

But when they were bust, what was the amount?

It was more than $3 billions’ worth of Bitcoins that they had, but couldn’t cash out.


ANDY.  The Department of Justice said that they seized $3.6 billion from them.

That was the biggest seizure not just of cryptocurrency in history, but of money in the history of the Department of Justice.

In fact, as I document in the book… actually, one of these happened after the book, but the IRS criminal investigators, who are the main subjects of this book, have now pulled off the first, second, and third-biggest seizures of money in American criminal justice history, by following cryptocurrency and seizing Bitcoins.

Your point is totally right, which is that cryptocurrency is easy to steal, it turns out… that’s, I think, one of its big drawbacks for the businesses, like exchanges, that have to hold sometimes billions of dollars in a sort of digital safe.

But then if you do steal it, if you pull off one of these big heists – and two of the three of the cases that we’re discussing are actually people who stole money from the Silk Road dark web drug market…


DUCK.  Yes [LAUGHS]… when you steal from a criminal, it’s still a crime, eh?


ANDY.  [LAUGHS] Yes, sadly – for these crooks, anyway.


DUCK.  One of the most intriguing bits for me in the book was somebody that you identify as “Individual X”, only because that’s the way they were identified by the court.

This person had stolen 70,000 Bitcoins, and was busted, and basically gave them back… sort-of in return for getting let off.

They didn’t get prosecuted, they didn’t go to jail, they didn’t – I imagine – even get a criminal record.

And they were never named.


ANDY.  That’s right.


DUCK.  So that looks like an almost unreadable thriller, doesn’t it?

If we look forward a few years, now that Bitcoin’s… what, in the last year, it’s gone down to about a third of its value; Ether is down to about a third; Monero is about half.

Do you think that that gambit of saying, “I’ll give the money back, let me off” would have worked if the prices were reversed, and what they were handing back was now worth a fraction of what it was when it was stolen?

Or do you think that Individual X was lucky because what they had to hand back was actually worth much more than when they stole it?


ANDY.  I think it’s the latter.

Individual X stole that money while the Silk Road was still online…


DUCK.  Wow!

So that would have been when BTC was, what, hundreds [of dollars] then?


ANDY.  Yes, probably, or hundreds at most – Silk Road went offline in 2013, when Bitcoin had just broken through $1000, if I remember.

This person (I don’t want to say “guy” – who knows who Individual X is?) sat on these 70,000 Bitcoins for seven years, in the end…

…probably, exactly as you said, just terrified to move them or cash them out for fear of being caught.


DUCK.  Yes, can you imagine?

“Hey, I’m a millionaire!”

“Hey, I’m a *billionaire*!”

“Oh, golly, but where am I going to get my rent money?”

[LAUGHS] Shouldn’t laugh….


ANDY.  As you say – like the hand caught in the cookie jar!

The hand just gets bigger and bigger until it’s all-consuming, and you can’t move it, you can’t get it out.

In fact, even without trying to get it out, IRS criminal investigators found it through other means, including the seizure of the BTC-e exchange, which was a kind-of money-laundering, criminal Bitcoin exchange.


DUCK.  That was a rogue exchange that basically did as little as is humanly possible along the Know Your Customer front?

“Ask no questions, tell no lies,” that sort of thing?

Is that right?


ANDY.  Yes, exactly.

That was another surprise for many users who believed that, “Maybe I can use BTC-e a little bit and not get caught, because that doesn’t have Know Your Customer, that doesn’t co-operate with law enforcement.”

But, still, when that exchange was busted and its servers seized, that provided more clues to the IRS.

That helped, in fact, to identify who Individual X was… I don’t know who they are, but the government does.

And to knock on his or her door and say, “Hey, hand over a billion dollars or you’re going to jail,” and that’s exactly what happened.

Now, poor James Zhong is a very similar case.

Silk Road drugs market hacker pleads guilty, faces 20 years inside

He seems to have taken 50,000 Bitcoins from the Silk Road, probably around the same time, and then held onto them for even longer.

And then, a year after Individual X, Zhong got a knock on his door…

Similarly, they had traced the money, even though he had just left it sitting on a USB drive in a popcorn tin beneath the floorboards of his closet.

In his case, he didn’t manage to make a deal somehow, and he’s being criminally charged.


DUCK.  *And* he has given the money back, obviously?

[WRY LAUGH] Aaaargh!


ANDY.  He was a Bitcoin billionaire, and now is facing criminal charges… and never got to even spend his loot.

The Bitfinex case, I don’t know… I have less sympathy for them because they actually were trying to launder a large theft from a legitimate business.

And they did, I think, launder some of it.

They tried several different clever techniques.

They put the money through…. I mean, this is all alleged, I should say; they’re still innocent until proven guilty, this couple in New York.

But they tried to put the money through the AlphaBay dark web market as a sort of laundering technique, thinking that would be a black box that law enforcement wouldn’t be able to see through.

But then AlphaBay was busted and seized.

That’s perhaps the biggest story I tell in the book, the most thrilling cloak-and-dagger story: how they tracked down the kingpin of AlphaBay in Bangkok and arrested him.


DUCK.  Yes… spoiler alert, that’s where the helicopter gunships come in!


ANDY.  [LAUGHS] Yes!

Yes, and much more!

I mean, that story is one of the craziest that I’ll probably tell in my career…

But then, also, this New York money-laundering couple tried to put some of the money through Monero, a cryptocurrency that’s marketed as a privacy coin, a potentially truly untraceable cryptocurrency.

And yet, in the IRS documents where they describe how they caught this couple in New York, they show how they continued to follow the money, even after it’s exchanged for Monero.

So that was a sign to me that perhaps even Monero – this newer, “untraceable” cryptocurrency – is a bit traceable too, to some degree.

And perhaps this trap persists… that even coins that are designed to outstrip Bitcoin in terms of their anonymity are not all they’re cracked up to be.

Although I should say that Monero people hate it when I even say this out loud, and I don’t know how that worked…

…all I can say is that it seems very possible that Monero tracing was used in that case.


DUCK.  Well, there could be some operational security blunders that the Crocodile Lady and her husband made as well, that sort of tied it all together.

So, Andy, I’d like to ask you, if I may…

Thinking of cryptocurrency tokens like Monero, which as you say, is meant to be more privacy focused than Bitcoin because it inherently, if you like, joins transactions together.

And then there’s also Zcash, designed by cryptography experts specifically using technology known in the jargon as zero-knowledge proofs, which is at least supposed to work so that neither side can tell who the other is, yet it’s still impossible to double-spend…

With all eyes on these much more privacy-focused tokens, where do you think the future is going?

Not just for law enforcement, but where do you think it might drag our legislators?

There’s certainly been a fascination for decades, among sometimes very influential parliamentarians, to say, “You know what, this encryption thing, it’s actually a really, really bad idea!”

“We need backdoors; we need to be able to break it; somebody has to ‘think of the children’; et cetera, et cetera.”


ANDY.  Well, it’s fascinating to talk about crypto backdoors and the legal debate over encryption that even law enforcement can’t crack.

I think that, in some ways, the story of this book shows that that’s often not necessary.

I mean, the criminals in this book were using traditional encryption – they were using Tor and the dark web, and none of that was cracked to bust them.

Instead, investigators followed the money and *that* turned out to be the backdoor.

It’s a fascinating parable, and example of how, very often, there’s a side-channel in criminal operations, this “other leak” of information that, without cracking the main communications, provides a way in…

…and doesn’t necessitate any sort of backdoor in Tor, or the dark web, or Signal, or hard disk encryption, or whatever.

In fact, speaking of ‘thinking of the children’, one of the last major stories that I dig deeply into in the book is the bust of the Welcome To Video marketplace for child sexual abuse videos that accepted cryptocurrency.

And as a result, the IRS investigators at the centre of the book were able to track down and arrest 337 people around the world who used that market.

It was the biggest bust of what we call child sexual abuse materials, by some measures, in history…

…all based on cryptocurrency tracing.


DUCK.  And they didn’t have to do anything that you would really consider privacy-violating, did they?

They quite literally followed the money, in a trail of evidence that was public by design.

And in conjunction, admittedly, with warrants and subpoenas from places where the money popped out, and where internet connections were made, they were able to identify the people involved…

…and largely to avoid trampling on tens of millions of people who had absolutely no connection with the case whatsoever.


ANDY.  Yes!

I think that it’s an example of a way to do… it’s, in some ways, mass surveillance – but mass surveillance in a way that still doesn’t require weakening anyone’s security.

I guess that cryptocurrency users, and people who believe in the power of cryptocurrency for enabling activists, and dissidents, and journalists, and money transmissions to countries like Ukraine, that need injections of money for survival…

They would argue that, nonetheless, we need to fix cryptocurrency to make it as untraceable as we once thought it could be.

And that’s where we get into the new, I’d say *a* new, crypto-war over cryptocurrency.

We’re just starting to see the beginning of that with tools like Monero and Zcash, as you said.

I do think that there will probably still be surprises about the ways that Monero can be traced.

I’ve seen a leaked Chainalysis document where they told Italian law enforcement… it’s a presentation in Italian to the Italian police from Chainalysis, where they say that they can trace Monero, in the majority of cases, to find a usable lead.

I don’t know how they do that, but it does seem like it’s probabilistic more than definitive.

Now I don’t think a lot of people understand – that’s often enough for law enforcement to get a subpoena, to start subpoenaing cryptocurrency exchanges, just based on a probabilistic guess.

They can just check every possibility, if there are few enough of them.


DUCK.  Andy, I’m conscious of time, so I’d like to finish up now by just asking you one final question, and that’s…

In ten years’ time, do you see yourself being in a position where you’ll be able to write a book like this one, but where the “unravelling” parts are even more fascinating, complicated, thrilling, and amazing?


ANDY.  I tried, with this book, *not* to make too many predictions.

And, in fact, the book starts with this “mea culpa” that ten years ago I believed exactly the wrong thing about Bitcoin.

So nobody should listen to any ten-year prediction that I have!

[LAUGHTER]

But the best prediction to make, that *has* to be true, is that this cat-and-mouse game will still be going on in ten years.

People will still be using cryptocurrency thinking that they’ve outsmarted the tracers…

…and the tracers will still be coming up with new tricks to prove them wrong.

The stories, as you say, will, I think, be much more convoluted because they’ll be dealing with these cryptocurrencies like Monero, that build in huge mix-networks, and Zcash, which have zero-knowledge proofs.

But it does seem that there will always be a way – and maybe not even cryptocurrency, but in another side channel… as I was saying, there will be a new one that unravels the whole thing.

But there’s no question that this cat-and-mouse game will go on.


DUCK.  And I’m sure there’ll be another Tigran Gambaryan sometime in the future for you to interview?


ANDY.  Well, I do think the game of anonymity…

…it does favour the Tigran Gambaryans of the world.

They, as I said, just have to be persistent and smart.

But the mice in this cat-and-mouse game have to be perfect.

And nobody is perfect.


DUCK.  Absolutely.


ANDY.  So, if I do have to make a prediction…

…then I’d just place my bet on the cats, on the Tigran Gambaryans of the world.


DUCK.  [LAUGHS] Andy, thank you so much.

Before we go, why don’t you tell our listeners where they can get your book?


ANDY.  Yes, thanks, Paul!

The book is called “Tracers in the Dark: The Global Hunt for the Crime Lords of Cryptocurrency.”

[ISBN 978-0-385-54809-0]

And it’s available in all the normal places books are sold.

But if you go to https://andygreenberg.net/, then you can just find links to a bunch of places.


DUCK.  Andy, thank you so much for your time.

It was as fascinating talking to you and listening to you as it was reading your book.

I recommend it to anybody who wants a galloping read that’s nevertheless detailed and insightful about how law enforcement works…

…and, importantly, why criminal convictions for cybercrimes often only happen years after the crime occurred.

The devil really is in the details.


ANDY.  Thank you, Paul.

It’s been a super-fun conversation.

I’m just glad you enjoyed the book!


DUCK.  Excellent!

Thanks to everybody who listened.

And, as always: Until next time, stay secure!

[MUSICAL MODEM]

