How bitcoin helped uncover the Russian election hackers
Bitcoin is the best double agent any law enforcement agency could ask for.
Bitcoin was the currency of choice for the Russian hackers involved in 2016 US election tampering, says the Department of Justice indictment (PDF).
Depending on how you look at it, it either helped them get as far as they did or proved to be their undoing.
"The Defendants conspired to launder the equivalent of more than $95,000 through a web of transactions structured to capitalise on the perceived anonymity of cryptocurrencies such as bitcoin," the indictment reads. "Although the Conspirators caused transactions to be conducted in a variety of currencies, including U.S. dollars, they principally used bitcoin when purchasing servers, registering domains, and otherwise making payments in furtherance of hacking activity."
Unlike the other payment methods, bitcoin naturally kept an impeccable and perfectly traceable record of all the transactions, so with just a couple of slip-ups on their part, the bitcoin ledger ended up providing a wealth of information for investigators.
An evidence-gathering machine
By tracking the bitcoin payments, investigators were able to more easily build a picture of the different moving pieces, get a sense for how many different individuals were involved, uncover aliases and find threads to pick at.
For example, bitcoin payments proved the link between the "Guccifer 2.0" persona and the DCLeaks website as well as many of the other parties involved.
The brief background here is that the Democratic National Convention announced that it had been hacked by Russian government actors. According to the indictment, they got in through "spearphishing" emails, which are essentially personalised phishing attacks designed to get one specific person to open a suspicious email attachment. In response, the Russian group started pushing the narrative that an individual from Romania, "Guccifer 2.0," was a lone whistleblower acting on his own.
The bitcoin ledger was one of the pieces of evidence that disproved this. The hackers used the same bitcoin wallet to buy a VPN, to lease a server in Malaysia that hosted DCLeaks, to pay a Romanian company to register the website and to log into the Guccifer Twitter account through that VPN.
The same VPN was also used to register the malicious domains that were used to send the spearphishing emails, while bitcoin was also used to pay for them.
"Conspirators used the same pool of bitcoin funds to purchase a virtual private network (VPN) account and to lease a server in Malaysia. In or around June 2016, the Conspirators used the Malaysian server to host the dcleaks.com website. On or about July 6, 2016, the Conspirators used the VPN to log into the @Guccifer_2 Twitter account. The Conspirators opened that VPN account from the same server that was also used to register malicious domains for the hacking of the DCCC and DNC networks."
Connecting the conspirators
Bitcoin also helped the investigators to uncover the emails and accounts used by other conspirators and to get a sense of the scale of the operation and a clear look at exactly where all the money was going.
"The Conspirators used several dedicated email accounts to track basic bitcoin transaction information and to facilitate bitcoin payments to vendors," the indictment reads. "For example, on or about February 1, 2016, the gfadel47 account received the instruction to '[p]lease send exactly 0.026043 bitcoin to' a certain thirty-four character bitcoin address. Shortly thereafter, a transaction matching those exact instructions was added to the Blockchain."
Not only can those two bitcoin wallets and emails be tied together, but they can then both be tracked onwards. Just as usefully, the bitcoin transaction history can never be deleted or modified. No matter how long it takes, the investigators can follow an unbroken trail and see exactly where the money goes.
As soon as the trail bounces into the "real world" in the form of a transaction that can be attached to a person's identity, such as on an exchange that follows AML/KYC procedures or at a shop that can be contacted, the trail might be followed back as needed.
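The two tracing steps described above, linking addresses that spend from the same pool of funds and then following the money onwards until it reaches an identified vendor, as an added toy illustration that is not part of the article or the indictment. The ledger, address names, vendor labels and amounts are all constructed for the example; the one real figure is the 0.026043 BTC quoted above.

```python
# Added example: two basic techniques used when following a public ledger.
# The ledger below is constructed; addresses and amounts are invented.
from collections import defaultdict, deque

# Each tx lists the addresses it spends from and the addresses it pays (in BTC).
LEDGER = [
    {"txid": "t1", "inputs": ["p2p_seller"], "outputs": {"A1": 0.5, "A2": 0.3}},
    {"txid": "t2", "inputs": ["A1", "A2"],   "outputs": {"VPN_VENDOR": 0.1, "A3": 0.69}},
    {"txid": "t3", "inputs": ["A3"],         "outputs": {"HOSTING_MY": 0.2, "A4": 0.48}},
    {"txid": "t4", "inputs": ["A4"],         "outputs": {"REGISTRAR_RO": 0.026043, "A5": 0.45}},
    {"txid": "t5", "inputs": ["unrelated"],  "outputs": {"SHOP": 0.01}},
]

# Labels an analyst attaches from off-chain evidence (vendor records, KYC data).
KNOWN = {"VPN_VENDOR": "VPN account", "HOSTING_MY": "server lease (Malaysia)",
         "REGISTRAR_RO": "domain registrar (Romania)", "SHOP": "unrelated shop"}

def cluster_common_inputs(ledger):
    """Common-input-ownership heuristic: addresses spent together in one tx are
    assumed to belong to one wallet. Union-find over every tx's input set.
    (Mixing services and CoinJoin-style transactions deliberately break this.)"""
    parent = {}
    def find(a):
        parent.setdefault(a, a)
        while parent[a] != a:
            parent[a] = parent[parent[a]]
            a = parent[a]
        return a
    for tx in ledger:
        first = find(tx["inputs"][0])
        for addr in tx["inputs"][1:]:
            parent[find(addr)] = first
    groups = defaultdict(set)
    for addr in list(parent):
        groups[find(addr)].add(addr)
    return list(groups.values())

def trace_forward(ledger, start, known):
    """Follow outputs hop by hop from `start`, stopping at identified addresses.
    Returns {address: (label, btc_amount, txid)} for each endpoint reached."""
    spends = defaultdict(list)
    for tx in ledger:
        for addr in tx["inputs"]:
            spends[addr].append(tx)
    seen, queue, hits = {start}, deque([start]), {}
    while queue:
        for tx in spends[queue.popleft()]:
            for out, amt in tx["outputs"].items():
                if out in known:
                    hits[out] = (known[out], amt, tx["txid"])
                elif out not in seen:
                    seen.add(out)
                    queue.append(out)
    return hits
```

Starting from A1 alone, the forward trace reaches the VPN, hosting and registrar payments but never the unrelated shop, which is the kind of picture the indictment describes building from the ledger.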
It's also worth noting that the conspirators did take steps to cover their tracks and obscure the source of their funds, but this didn't help them with the fundamental lack of anonymity on the bitcoin ledger.
"The Conspirators acquired bitcoin through a variety of means designed to obscure the origin of the funds. This included purchasing bitcoin through peer-to-peer exchanges, moving funds through other digital currencies, and using pre-paid cards," the indictment says. "They also enlisted the assistance of one or more third-party exchangers who facilitated layered transactions through digital currency exchange platforms providing heightened anonymity."
Did bitcoin help them at all?
"The use of bitcoin allowed the Conspirators to avoid direct relationships with traditional financial institutions, allowing them to evade greater scrutiny of their identities and sources of funds," the indictment says.
And that's probably about it. The Kremlin has explicitly said that it wants to use cryptocurrency as an economic weapon to undermine the dominance of the US dollar, but these particular hackers ended up getting negative mileage out of it.
On the whole, it's reasonable to say that bitcoin seems to have helped the investigation a great deal because in the absence of bitcoin, the hackers certainly wouldn't have just shrugged and used bank transfers under their real names.
Rather, they'd have resorted to one of the many anonymous, expensive and inconvenient ways of sending funds, such as buying a gift card with cash and emailing the numbers on the card to someone else so they can spend it online or sending cash (or prepaid cards, etc) to PO boxes. They could have also just opened a bank account under a false name and sent the funds by bank transfer along with the other countless billions of dollars of dirty money that passes through banks each year, or they could have used a cryptocurrency that is actually anonymous.
Amid the probably inevitable future talk of how the Russian hackers used bitcoin, it's worth remembering that bitcoin ended up being the best double agent anyone could ask for. It lured the hackers into a false sense of security and gained their trust, all while keeping a meticulous record of their transactions, including the senders and receivers as well as the exact times, dates and amounts of each transaction. It doesn't get any better than that.
Disclosure: At the time of writing, the author holds ETH, IOTA, ICX, VET, XLM, BTC and NANO.