Showing posts with label ransomware. Show all posts

Monday, March 28, 2022

Why does crypto work for Russian ransomware, but it wasn't useful for the Ottawa truckers?

[This is a repost of my recent article for CoinDesk exploring why bitcoin has been demonstrably useful for certain illegal activities, like ransomware, but fails when it comes to others, like the Ottawa trucker convoy. Spoiler: bitcoin's usefulness for engaging in non-permitted transactions very much depends on the onramping and offramping processes, and whether these threshold points are tightly controlled or not.]

The Ramps Killing Bitcoin's Dissident Thesis

Crypto is marketed by its fans as an unstoppable dissident technology and feared by governments for its subversiveness. But the many shortcomings of a recent bitcoin fundraiser to support an illegal Ottawa, Ontario, trucker convoy (more on that later) suggest that crypto isn't as unstoppable or subversive as it is often made out to be.

But if Ottawa contradicts the standard crypto narrative, we also have an example that confirms it. Waves of successful Russian ransomware attacks relying on the Bitcoin network to extract ransom payments suggest that crypto is an incredibly effective technology for evading rules.

So which is it: unstoppable or not? The short answer: It depends on the off-ramps and on-ramps. Let's explore why crypto was a dud in Canada, but is highly successful for Russian ransomware operators.

What crypto brings to the table is the ability for two people to make a digital peer-to-peer transfer that cannot be preempted by a third party. But a peer-to-peer crypto transfer is only the middle step in a three-step circuit that begins with on-ramping into crypto and ends with off-ramping out of crypto. If either the on-ramping or the off-ramping processes are closed or guarded, much of crypto's fabled ability to circumvent restrictions is neutered.

The Ottawa trucker convoy bitcoin fundraiser is a good example of the off-ramping process being leveraged by law enforcement to defang crypto. I described the convoy’s financing last month for CoinDesk. Over the last few weeks various Canadian parliamentary committees and court rulings have shed more light on the fate of the convoy’s finances.

By early February, the convoy of truckers blockading downtown Ottawa had transitioned from legal protest to illegal mischief. Sending donations through centralized fiat-based crowdfunding sites became impossible. The convoy’s main fundraising campaign, hosted on GoFundMe, was shut down on Feb. 4. A pivot by convoy organizers to rival crowdfunding platform GiveSendGo [which is powered by Stripe] was rendered useless by an Ontario court's restraint order a few days later.

That left a bitcoin fundraiser by the name of HonkHonk Hodl as the only way to connect with the rogue blockaders.

The on-ramping stage of the convoy’s bitcoin fundraiser proceeded unimpeded. Any American who wanted to donate to the illegal blockade could freely swap U.S. dollars for bitcoin via an exchange such as Coinbase. Once the cryptocurrency was acquired, no force on earth could stop that bitcoin from being transferred from an American’s personal wallet across the border to the Canadian organizers' bitcoin address.

The bitcoin fundraiser eventually raised $1.1 million in bitcoin. It was at the final stage, off-ramping back into Canadian dollars, that things fell apart.

From the outset, the identities of the people in control of the convoy’s bitcoin wallets had been broadcast across social media. Once the convoy was deemed illegal mischief, these public-facing organizers and their wallet addresses became easy targets of police investigations, freezing orders, injunctions and class-action suits, all of which prevented them from off-ramping out of donated bitcoins into spendable fiat.

The strategy of publicizing the identities of the organizers might seem like a mistake, but it wasn’t. A fundraiser can't gain any momentum if the people collecting the money aren't identified. Anonymous organizers could very well be scammers, and the whiff of fraud would doom fundraising.

Nicholas St. Louis, the lead organizer of the bitcoin fundraiser and a suspect in a criminal investigation, was forced to give up seed phrases for his fundraising wallets to the Royal Canadian Mounted Police, which is Canada’s version of the FBI. Parallel to that, a separate civil court injunction on behalf of an Ottawa class-action suit named hundreds of bitcoin addresses associated with the fundraiser. To comply with the order, St. Louis eventually forfeited $250,000 in undistributed bitcoins to a court-appointed escrow agent. That sum will potentially be used to compensate Ottawa citizens damaged by the convoy's actions.

Just hours before the court injunction fell, St. Louis managed to distribute two-thirds of the donated bitcoins to around 100 truckers. To prove they were honestly distributed, St. Louis recorded himself giving envelopes to each trucker and published the recordings on social media. That made it a cinch for the RCMP, litigators and aggrieved Ottawa citizens to determine the identities of the truckers who received the donations.

The transparency of bitcoin’s blockchain means that all of the distributed bitcoin has been flagged by law enforcement as well as being listed in the court’s freezing order. Anti-money laundering officers at exchanges are on guard, and any effort on the part of the 100 truckers to off-ramp their cryptocurrencies into spendable currency by selling marked bitcoin on an exchange will result in forfeiture. Worse, the truckers could run into potential legal trouble if they try, because ignoring the court’s freezing order is punishable by fine or imprisonment.

Truckers brave enough to risk contravening the court order might try to evade exchange blacklists by directly buying goods and services with bitcoin. (They would have to use retailers that don’t rely on compliant crypto payments processors like BitPay.) Given that bitcoin is so rarely accepted in trade, this is tantamount to barter, and bartering is inconvenient.

So the truckers have been left holding a bunch of mostly useless, even dangerous, injuncted crypto. As for the remaining undistributed donations, they have all been confiscated by the courts. What a mess.

If bitcoin failed the truckers, let's see why it has worked so well for ransomware operators. Ransomware is malicious software that takes control of a computer by encrypting files or threatening to publicly expose data. The ransomware operator, typically located in Russia, releases that control only after receiving a ransom payment, usually bitcoin. In one of the more notorious incidents, JBS USA, the world’s largest meat supplier, paid an $11 million bitcoin ransom to free its computers.

The ransom payment on-ramping process is completely fluid. That is, it is 100% legal for the U.S. victim of a ransomware attack – usually a corporation such as JBS, a school board or a government agency – to buy bitcoin on an exchange like Coinbase in order to pay the ransom. In fact, a new industry known as ransomware payments facilitation has emerged to service this need.

Whereas a wire payment to a Russian bank account might be frozen or clawed back, a bitcoin payment made to a Russian ransomware operator's wallet can't be. That's tremendously useful to ransomware operators.

Most importantly, Russian officials have made little attempt to inhibit the off-ramping process. As long as ransomware gangs don’t attack Russian companies, their ability to operate on Russian soil has been tolerated as has their access to Russian off-ramps. For instance, nested exchanges with Russian links such as Suex and Chatex have been used by Ryuk and Conti ransomware operators to convert bitcoin ransoms into useful currency.

And that's why ransomware has been so successful. The combination of 1) unimpeded U.S. on-ramping, 2) a US-to-Russia bitcoin bridge and 3) unimpeded Russian off-ramping creates an unstoppable monetary circuit. By contrast, the closure of the off-ramping process in Canada crippled the convoy's bitcoin fundraising circuit.

(Incidentally, this is why one of the quickest ways to end the ransomware threat is to shut off the on-ramps: Make it illegal for U.S. entities to pay crypto ransoms. It also illustrates why Russians can’t rely on crypto to evade sanctions: the big off-ramps like Binance and Bitfinex can be controlled by U.S. sanctions policy.)

Governments, whether they be democracies or dictatorships, are often fearful of crypto's censorship-resistance, leading to calls for bans. The lesson from the Ottawa trucker convoy and Russian ransomware gangs is that as long as the on-ramping and off-ramping processes are regulated, these fears are overblown.

As for advocates of bitcoin’s capacity to help dissidents, if the trucker convoy proves anything, it’s that these advocates have their work cut out for them.

Friday, June 11, 2021

Why do ransomware gangs like bitcoin? It's the censorship resistance

A new type of crime has recently emerged: big-ticket repeatable ransomware. Bitcoin is the chosen payments method for ransomware gangs. But these gangs don't use bitcoin because it is anonymous. They've chosen it because it is censorship-resistant.

Here's a quick illustration of how ransomware works. A university's servers are encrypted by a ransomware operator. Common victims also include corporations, hospitals, or police departments. Only a payment of, say, $1.14 million in bitcoins will release them (see below). The gang may up the ante by threatening to auction off the institution's data if a ransom isn't paid.

Ransomware isn't new. What is new and unique about the recent spate of ransom attacks is that they are:
  • big-ticket
  • factory-scale

That is, the average size of these attacks registers around $170,000, according to Sophos. Prior bouts of ransomware involved much smaller amounts. Secondly, these aren't isolated one-off attacks. They are manufactured at industry-scale with gangs like Ryuk or REvil carrying out dozens of attacks each day.

What makes bitcoin such a great tool for carrying out big-ticket repeatable attacks?

It's not the anonymity. A lot of people think that bitcoin is anonymous, but it's actually pseudonymous. All bitcoin transfers can be seen on the blockchain, Bitcoin's public ledger. This is inconvenient for ransomware gangs because a ransom can be tracked from the original victim to its final destination. While it's possible to use a tool called a mixer to obfuscate one's bitcoin transactions, most ransomware gangs don't bother. Nor do gangs use cryptocurrencies that provide native anonymity, like Monero.

All of this points to the fact that anonymity is not really important to Ryuk, REvil, and other ransomware operators.

So what is it about Bitcoin that is attractive to these gangs? The feature they are after is something called censorship resistance. That is, Bitcoin allows value to be electronically transferred across vast distances without being halted or frozen. A ransomware gang can extort $1.14 million from a victim in a country like the U.S. with strong law enforcement and repatriate it to a country with weak law enforcement like Russia, and then sell it for hard cash, all without having to worry about a bank or the FBI freezing their funds somewhere in between.

Bitcoin isn't the only censorship resistant payment network.

You wouldn't think it, but gift cards like iTunes and Google Play cards are (semi) censorship-resistant payments networks, and it is for this reason that they've become popular with criminals. Scammers in call centres located in India frighten their U.S. victims with the fake threat of being apprehended by IRS agents, then tell the victim to send a $500 gift card number by text in order to be exonerated. The gang will either resell the card number for cash or spend the balances in an app that they control. Gift card issuers don't have effective measures to freeze balances, so the bad guys can more or less use gift card networks with impunity.

So why are today's ransomware gangs using bitcoin instead of gift cards to extort money from the likes of the University of California San Francisco?

At the outset of this post I specified that one of the unique features of modern ransomware is that it is big ticket. A gang that wants to extort a victim for $1.14 million can't do so using gift cards. The maximum gift card size is $500. University of California San Francisco would have to buy 2,500 cards and send the attacker all the card numbers. And then the gang would have to launder all those cards. It's just too inconvenient.

No, some other payment rail is necessary to do big ticket ransoms. Bitcoin is perfect for this: there is no limit on transfer size.

What about carrying out big ticket ransom attacks via wire transfers? A wire transfer is an electronic payment from one bank account to another, often overseas.

Wire transfers are ideal for big ticket payments, but they aren't censorship resistant. Banks require identification and can freeze suspicious transfers. Our ransomware gang might be able to work around this by setting up a network of money mules and accounts using fake ID in a foreign jurisdiction with weak law enforcement. They could then order a victim such as the University of California San Francisco to wire $1.14 million to the gang's foreign bank account. If the ransom successfully arrives without being frozen, the gang quickly withdraws the funds as cash before an injunction arrives.

But remember, the second key feature of modern day ransomware is that these gangs are carrying out multiple attacks each day. Setting up fake accounts at various foreign banks in order to receive wire transfers requires a lot of effort. Once one account has been used, it is compromised forever. By contrast, using the Bitcoin network over and over is a cinch.

In short, wire transfers don't scale. Only Bitcoin allows for the mass production of ransom payments.

So now we know why ransomware gangs like to use Bitcoin. It's not the anonymity. Rather, Bitcoin opens up the field to big-ticket repeatable censorship-resistant payments.

The next question we may want to ask ourselves is this: should we try and modify the Bitcoin payment network to stop these attacks?

We have a long history of making changes to payments systems that have become popular with criminals. When electronic gold issuer E-Gold became a tool for carders, it had to introduce a customer identification program. Western Union became a haven for “wire money to get me out of jail!” scams. It was fined and introduced much stricter know-your-customer rules. In the early 2010s Green Dot's MoneyPak became a popular network for FBI scams. Green Dot shut MoneyPak down for a year and rebuilt it from scratch to make it much harder for scammers to penetrate.

Bitcoin can't be modified, though. It is censorship-resistant. Which means we need other responses.

One possibility is to ban cryptocurrency. But as I wrote in a recent article for the Sound Money Project, I'm not a big fan of that solution. It seems like overkill. Rather, I suggested putting an embargo on the ransom payments themselves in order to cut off ransomware gangs' revenue. (I also fleshed out this idea in an article for Coindesk in 2020.)

Here's another option. The U.S. government could make it difficult for ransomware operators by dusting off Section 311 of the USA Patriot Act. Let me explain how this would work.

A big chunk of the ransom payments that gangs like REvil collect are routed to cryptocurrency exchanges in jurisdictions with minimal anti-money laundering controls. The bitcoins then get converted into cash. Without these liquid offshore exchanges, it would be difficult for ransomware operators to launder their funds into spendable cash.

According to cryptocurrency analysis firm Chainalysis, one large Russian cryptocurrency exchange took in nearly 44% of all ransomware funds sent to exchanges in 2019. (Chainalysis refused to name names.) More recently, I stumbled on the following anecdote. It shows how a certain Russian exchange (perhaps the same one that Chainalysis mentions?) converts incoming bitcoin ransoms directly to U.S. dollar banknotes.

Now, without rogue exchanges such as the one above it would be difficult for ransomware operators to engage in business. But these exchanges are usually located outside of U.S. jurisdiction, so there seems to be little that the U.S. can do about it.

This is where Section 311 comes in.

Section 311 allows the Financial Crimes Enforcement Network (FinCEN), an arm of the U.S. Treasury, to designate any foreign-based financial institution (like our Russian cryptocurrency exchange) as a primary money laundering concern. Once so designated, it becomes illegal for any U.S. financial institution to interact with the listed entity.

For those readers with long memories, Section 311 was used to shut down Liberty Reserve, a Costa Rican-based electronic money issuer that became popular with criminals involved in identity fraud and credit card theft. Below is a list of entities that have been designated under Section 311.

Entities designated by FinCEN under Section 311 of the Patriot Act

What really provides Section 311 with the extra oomph for reaching rogue exchanges is that it allows FinCEN to require that U.S. financial institutions stop doing business with any other entity that provides banking services to the designated entity. Think of this strategy as "the friend of my enemy is my enemy." Any Russian bank that offers an account to the offending Russian cryptocurrency exchange could be cut off from the U.S. banking system, too. Because the U.S. market is such an important market, most Russian banks will stop doing business with the exchange just to stay friendly with the U.S.

So Section 311 would cripple ransomware-friendly exchanges by severing them from the financial system. And without these rogue exchanges, it becomes much trickier to be a ransomware gang.

To sum up, Bitcoin is censorship-resistant. That's why ransomware gangs like it. This very same feature also prevents democratic societies from modifying the Bitcoin protocol to exclude ransomware gangs. Bitcoin may be censorship resistant, but the venues where it is traded are not. Section 311 and other tools that allow for leverage over these venues remain one of the best ways to attack bitcoin-based ransomware.

Sunday, October 4, 2020

The ECB's digital euro: anonymous or not?


The European Central Bank (ECB) recently published a report that explores the idea of introducing a digital euro for use by the general public. This project is known as a central bank digital currency, or CBDC, and many other countries are exploring the same idea. John Kiff has a useful database here showing how far these projects have progressed.

Will the ECB's new euros-for-all be relatively open and anonymous like cash? Or will they require ID and permission like a bank account?

In short, the report says that anonymity may have to be "ruled out." It says that regulations do not allow anonymity in electronic payments, and the ECB must comply with regulations. I quote the passage below:
"While [anonymity] is currently the case for banknotes and coins, regulations do not allow anonymity in electronic payments and the digital euro must in principle comply with such regulations (Requirement 10)."
But I'm pretty sure the report is wrong on this. EU regulations do allow for anonymity in electronic payments. The Fifth EU Anti-Money Laundering Directive (AML5) exempts issuers of e-money/prepaid cards from collecting customer information as long as fixed monetary thresholds aren't exceeded. Yes, these exemptions are very small:

Source: Paytechlaw

So if the ECB believes that it must comply with existing regulation for electronic payments then surely a digital euro falls under e-money law, and thus it can have some anonymity. (Jerry Brito has pushed back on the first assumption, asking why a CBDC can't just occupy the same legal framework that has already been created for banknotes.)

By the way, the U.S. and Canada also provide such exemptions. That's why people can walk into a pharmacy and get a $200 Vanilla prepaid debit card without showing any ID and, say, buy food online for delivery. Or to make an anonymous donation.

Putting aside for the moment the ECB's views about payment anonymity, an interesting question is why democracies allow for small amounts of payments anonymity in the first place.

On Twitter, we talk a lot about the civil liberties case for anonymity, i.e., the right to stay anonymous. But that's not why regulatory exemptions to all-pervasive know-your-customer obligations exist. They exist because of political appeals to financial inclusion. Disadvantaged people often lack ID. To ensure that these people aren't locked out of the digital payment system, electronic money & prepaid card issuers are allowed to avoid collecting information when the amounts held are small.

So let's bring the conversation back to the ECB's report on a digital euro. Yes, the report did wrongly state that it can't legally provide anonymity. And yes, we can chide the ECB from a civil liberties perspective for not wanting to activate a feature for which it has the legal right.

But given my earlier point about financial inclusion, a better critique is this:

The EU has chosen to build an anonymity exemption into payments law in order to ensure that all Europeans, including those without ID, can make digital payments. Why is the ECB choosing to avoid exploiting this exemption? In the very same report, after all, the ECB states that the decline in cash could "exacerbate financial exclusion for the 'unbanked' and for vulnerable groups in society, forcing the central bank to intervene." Isn't the ECB contradicting itself by saying that it wants to help the vulnerable while simultaneously refusing to activate a feature—anonymity—that might help reach this demographic?

Central banks such as the ECB are sailing into dicey political territory by choosing to pursue a new retail payment product. Who are they trying to serve, and why? More controversially, who are they choosing not to serve? Anonymity (or its lack) will be one of the most contentious design elements of a potential digital euro. Let's hope the ECB does a better job discussing this particular issue in the future. In this recent attempt it could be construed as ducking behind non-existent laws rather than directly engaging with a tricky topic.

By the way, I understand why the ECB might not want to provide anonymity. The exemptions that AML5 permits are tiny. Is it even worth it for the ECB to exploit them? And let's face it, anonymity can attract bad actors. Due to their relative anonymity, iTunes and Steam gift cards are being repurposed by IRS and Social Security scammers as a safe way to extort payments from their victims. And ransomware operators have converged on bitcoin as a safe way to extort ransoms.

Balanced against the dangers of anonymity are people's very legitimate concerns about civil liberties and financial inclusion. It's a tough issue. I don't envy the ECB.

Monday, May 11, 2020

Why Fedcoin

Six years ago I wrote a blog post about Fedcoin. Fedcoin is a type of central bank digital currency, or CBDC. (I called it Fedcoin at the time, but it could be any central bank that issues it, not just the Federal Reserve.)

So why Fedcoin?

The rough idea was that it might make sense for the Federal Reserve to create a digital version of the banknotes it issues. To do so it would use a blockchain, much like the blockchains that power Ethereum or Bitcoin. Anonymous users all over the world could download Fedcoin software and run it on their computers. In the same way that anyone can use a U.S. banknote (or bitcoin), anyone could get some Fedcoins and spend them.

Why a blockchain?

Public blockchains have many well-known problems. Because they are decentralized, they rely on work-intensive methods to process transactions. This reduces the throughput they can achieve. Transactions start to lag and the system becomes unusable.

To avoid these capacity issues, people generally advocate an alternative approach to CBDC. If a central bank is going to issue digital money that regular folks can hold, best to do so by providing a basic bank account. Sort of like PayPal, except run by the Fed. It would be faster and more efficient.

Fedcoin has some benefits that Fed PayPal doesn't, though.

Like I said earlier, Fedcoin would replicate many of the features of a banknote. The banknote system already operates in a decentralized manner. This means that it is fairly robust. If the Fed is hit by a computer virus and has to close down for two weeks, the banknote system will continue to function just fine. That's because we banknote users—individuals, businesses, banks—operate large parts of the cash system, independently of the Fed.

Fedcoin would be similarly decentralized, thanks to its blockchain. And so hopefully it would still function when disasters, hacks, and invasions knock the Fed out of action. At least, more so than a PayPal account hosted on Fed servers.

More controversially, if the U.S. is going to create a digital currency, should it be an anonymous one?

PayPal-like accounts at the Fed aren't anonymous. I mean, the Fed could allow people to sign up anonymously. Sort of like how egold, the anonymous PayPal that operated in the 2000s, allowed pseudonymous usage. But account holders would never really know what the Fed was doing behind the scenes. Might it be tracing everyone's account activity such that it could build an accurate portrait of each user?

No, if it wants to provide anonymous payments, then the Fed probably needs to give people a means of verifying that its technology is actually doing the job.

With Fedcoin, everyone could download and run the software, poke and prod it, audit it etc. This would allow the public to confirm that no one was operating behind the curtains. What you see is what you get. Sort of like how a $100 banknote is obviously anonymous. Just pull it apart. No surveillance technology. Just cotton, ink, and a security ribbon. I doubt the Fed could provide that sort of transparency with a Fed version of PayPal.

A fully anonymous digital dollar would have some good properties. It would protect us from surveillance by governments and corporations. In a recent article for Coin Center, Matthew Green and Peter Van Valkenburgh explore how this might work.

But anonymity is no panacea.

An anonymous Fedcoin would be the perfect medium for fraudsters and extortionists. Granny extortion schemes are a big business right now. (Head over to Kitboga to see how they work). These boiler-room operations, many of which are run from India, rely on awkward payments methods like Western Union or Walmart gift cards to get granny's money.

But imagine how easy things would be for an extortionist if they could get granny to convert her $100,000 portfolio of savings bonds into sleek & anonymous Fedcoins, and then send them instantly to India.

Or take ransomware. Criminals plant a virus on a corporation's servers and then demand a ransom to free their files. Ransomware operators—most of whom operate from Russia—rely entirely on bitcoin for payment, which is illiquid, volatile, and traceable. But imagine if the criminal could get paid in anonymous digital dollars. That would make the ransom process much easier.

So as you can see, anonymity is messy. It helps good people to avoid harm. But it helps bad people evade good rules.

One way to tidy up this mess might be an anonymity tax. (In my last paper for R3, I explored this idea. And in a previous blog post, I talked about an anonymity tax on banknotes). Briefly, the Fedcoin system would be designed so that anyone can get as much anonymous money as they want, and use it however they like. But they'd have to pay for this privilege. One technique for setting a tax is to charge an hourly fee, or a negative interest rate, on anonymous balances. Another option, which I get from Ilan Benshalom, is to implement a withdrawal fee, say 5%, on anonymous Fedcoins.

By taxing anonymity, the tax revenues from Fedcoin usage might be used by the government to offset the negative effects of payments anonymity. For instance, it could be used to bolster the budgets of fraud departments at the FBI, or to compensate victims of ransomware.

But even this remedy is messy.

An anonymity tax puts regular people and criminals into the same bucket. That hardly seems fair. And it subtly ostracizes licit users of anonymous Fedcoin. We want anonymous payments to be a regular good, not something icky or tainted.

That's where I'll leave it. Sorry, no neatly wrapped and bowed conclusion. With anonymity, there are never clean options. Just kludges. Hopefully some are less kludgy than others.

Monday, January 27, 2020

What happens when a 96 bitcoin ransom payment ends up on Bitfinex?

"Hello, to get your data back you have to pay for the decryption tool, the price is $1,200,000... You have to make the payment in Bitcoins."

This is a snippet from a recent court case concerning ransomware that just crossed my desk. Companies that fall victim to ransom attacks fear the publicity it might attract, so the details of these attacks are usually swept under the table. But in this case, the ransom payer—a British insurer that traced the bitcoins to Bitfinex, a major bitcoin exchange—has appealed to the UK High Court for an injunction, thus providing us with a vivid peek into the inner workings of an actual attack.

Ransomware is a big issue these days. A hacker maliciously installs software on a victim's computers, encrypts various files, and then asks for a bitcoin ransom to fix the problem.

It's the bitcoin leg of this transaction that has made these attacks economical. Prior to bitcoin, running an illicit business based on ransom payments was fraught. Bank accounts leave a paper trail. Cash, though anonymous, can't be transferred remotely. And gift cards are limited to small amounts. With bitcoin, hackers finally gained access to a form of electronic cash that allowed them to not only make remote ransom demands, but large ones too.

A steady parade of ransomware has since emerged. While early types of ransomware like WannaCry, CryptoLocker, and Locky targeted personal computers for small amounts of money, the most recent strains—Maze, Sodinokibi, Nemty, and others—attack governments and enterprises for million dollar amounts. The Nunavut government, a territory in Northern Canada, was a recent victim:

One thing I've never really understood is why ransomware can be so widespread given that all bitcoin transactions are written to the public blockchain. I mean, can't a bitcoin ransom payment be easily tracked to its final destination, say a bitcoin exchange, and frozen?

The court case in question, AA v Persons Unknown & Others, Re Bitcoin, provides some insights into just that. Although the judge heard the case back on December 13, 2019, the text of the injunction was only released a few days ago.

It makes for entertaining reading. Here's a short timeline:
  • In autumn 2019, a Canadian company was hacked. The hacker installed BitPaymer, a strain of ransomware, which encrypted the company's files.
  • The hacker demanded $1.2 million in bitcoins.
  • Luckily, the Canadian company had cyber crime attack insurance with a British insurer.
  • The British insurance company hired an "Incident Response Company" to pay the ransom.
  • The response company negotiated the ransom down to $905,000.
  • The bitcoins were acquired and sent to the hacker on October 10, 2019. According to the injunction, the purchase of the 109.25 coins was conducted by "an agent of the Insurer, who was referred to as JJ."
  • Having received the ransom, the hacker provided the fix. The files were successfully decrypted.
  • The insurance company wanted its money back, so in December it hired a blockchain analytics company, Chainalysis, to trace the ransom payment.
  • Chainalysis tracked 96 of the bitcoins to an address linked to Bitfinex, a major bitcoin exchange.
  • The insurer then went to the British High Court to force Bitfinex to reveal the identity of "PERSONS UNKNOWN WHO OWN/CONTROL SPECIFIED BITCOIN" and to freeze the 96 bitcoins.

So were the 96 bitcoins returned to the insurer?

For now, we don't know the final outcome. The document only brings us up to December 13, 2019, when the judge gave Bitfinex till December 19 to provide the names of “persons unknown”, the owner of the 96 bitcoins. To prevent "persons unknown" from getting wind of the proceedings and fleeing with their coins, the hearing was held in private and the text of the case suppressed. The document having been made public, we can assume that some sort of resolution was arrived at.

It's interesting to speculate what this resolution might have been. Bitcoin is still a relatively new, and thus largely undefined, phenomenon. As bitcoin cases slowly trickle into the court system, the decisions made by judges will be important in determining the eventual legal status of cryptocurrencies.

It could be that "persons unknown" is the same individual who perpetrated the initial ransom attack, and they just haven't sold the 96 bitcoins yet. In which case the conclusion is simple: the guilty party will be prosecuted and Bitfinex will return the bitcoins.

But it is more interesting (and more likely) that "persons unknown" is a third party (say an over-the-counter broker) who bought the bitcoins from the hacker, deposited them at Bitfinex, and hasn't sold them yet.

This third party could be entirely innocent about the origin of the coins. They might try to say to the judge: "hey—we didn't know the 96 bitcoins we bought were linked to ransom payments. We shouldn't have to give them back."

But that's not how property law works. Even if you accidentally come into possession of stolen property—and surely ransomed bitcoins qualify as stolen—then a judge can still force you to give them back to the rightful owner. This would be bad news for the innocent broker. Being obliged to cough up 96 bitcoins could easily bankrupt it.

"Persons unknown" might respond to the injunction by pleading that the 96 bitcoins are a form of money, like banknotes, and so they needn't be returned. Banknotes, coins, and other highly-liquid paper instruments have a very special legal status. If you unknowingly accept some banknotes from someone who just obtained them illegally (say via ransom or theft), the law can't compel you to give those banknotes back to the original victim. Money, as the great British jurist Lord Mansfield once declared, isn't like regular property: it "can not be recovered after it has passed into currency."

This special legal status (which I’ve written about before) was granted to banknotes centuries ago in order to ensure that these early forms of money remained highly liquid. If every merchant had to verify that the notes they were about to receive weren't stolen, the wheels of trade would have ground to a halt. Whether a modern judge would be willing to extend this sanctuary to cryptocurrency, and thus allow “persons unknown” to keep the 96 coins, remains to be seen. But I’m skeptical.


Another possibility is that the person (or company) that innocently accepted the 96 ransomed bitcoins and deposited them on Bitfinex has already sold them. If so, which party does the British insurance company have to pursue? Some entity (or group of entities) must now be in possession of the 96 bitcoins, right? Can’t the insurer just go after the next person down the chain?

I don't know the specifics about how an exchange like Bitfinex holds bitcoins for clients, but it may be very difficult to pinpoint who actually has title to those specific 96 bitcoins. When bitcoins are deposited at an exchange, they are sent to the exchange's hot wallet along with all other incoming bitcoin deposits. So the ransomed bitcoins would have been commingled with a bunch of clean bitcoins.

When the person who originally deposited the 96 bitcoins on Bitfinex put in an order to sell on the exchange's order book, the unsuspecting buyers (all of them Bitfinex customers) would now have a claim on various bitcoins held in Bitfinex's hot wallet. Are the bitcoins on which they have a claim necessarily the ransomed ones, and thus subject to the injunction? Or do the buyers just have a general claim on any random bitcoin held on their behalf by Bitfinex? If so, would that mean that Bitfinex itself is on the hook for paying the insurer 96 bitcoins?

Anyways, you can see how this all gets complicated very fast. A lot is riding on how thoroughly the history of unspent bitcoin outputs can be traced.

Given bitcoin traceability and the ease of getting an injunction, one can imagine that it might make sense for insurers, bitcoin exchanges, and over-the-counter traders to build some sort of private "ransom registry". The moment that an insurer pays a ransom to a hacker, that insurer simultaneously announces the offending address to the registry. A verified OTC trading desk can now protect itself from potential bankruptcy by always checking the registry to make sure that any bitcoins offered to it are "good" bitcoins. Exchanges too would likewise cross-check incoming bitcoin deposits against the registry.
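To make concrete both the commingling problem raised above (once ransomed coins hit a hot wallet, which later withdrawals are "the" ransomed ones?) and the proposed ransom registry, here is an added toy example; it is not code from the original post, from Chainalysis or from Bitfinex. It applies a simple proportional ("haircut") taint rule over a constructed UTXO graph whose amounts mirror the case (109.25 BTC paid, 96 BTC reaching an exchange), with a hypothetical registry of insurer-flagged addresses that an exchange or OTC desk could screen incoming deposits against.

```python
from dataclasses import dataclass

@dataclass
class Tx:
    txid: str
    inputs: list    # [(txid, vout), ...] references to earlier outputs
    outputs: list   # [(address, amount_btc), ...]

def trace_taint(txs, registry):
    """Map every (txid, vout) to the BTC of it that traces back to a
    registry address. Haircut rule: each output inherits tainted value in
    proportion to its share of the spending transaction's input value.
    Outputs paid directly to a registry address are fully tainted."""
    value, taint = {}, {}
    for tx in txs:                       # txs must be listed in spend order
        in_val = sum(value[ref] for ref in tx.inputs)
        in_taint = sum(taint[ref] for ref in tx.inputs)
        ratio = in_taint / in_val if in_val else 0.0
        for vout, (addr, amt) in enumerate(tx.outputs):
            value[(tx.txid, vout)] = amt
            taint[(tx.txid, vout)] = amt if addr in registry else amt * ratio
    return taint

def screen_deposit(txs, registry, txid, vout):
    """Exchange-side registry check on one incoming output.
    Returns (tainted_btc, tainted_fraction) so a desk can decide to hold it."""
    taint = trace_taint(txs, registry)
    amt = next(t for t in txs if t.txid == txid).outputs[vout][1]
    return round(taint[(txid, vout)], 8), round(taint[(txid, vout)] / amt, 4)

# Constructed chain loosely following the post's timeline; txids and
# addresses are placeholders, not real on-chain identifiers.
RANSOM_REGISTRY = {"ransom_addr"}   # hypothetical: posted by the insurer after paying
CHAIN = [
    Tx("t1", [], [("ransom_addr", 109.25)]),                      # JJ pays the ransom
    Tx("t2", [("t1", 0)], [("otc_broker", 96.0), ("hacker_change", 13.25)]),
    Tx("t3", [], [("broker_clean", 4.0)]),                        # broker's own clean coins
    Tx("t4", [("t2", 0), ("t3", 0)], [("exchange_hot", 100.0)]),  # deposit commingles 96 + 4
    Tx("t5", [], [("exchange_hot", 100.0)]),                      # unrelated clean deposit
    Tx("t6", [("t4", 0), ("t5", 0)], [("customer_out", 50.0), ("exchange_hot", 150.0)]),
]

if __name__ == "__main__":
    # The broker's deposit is 96% ransom-tainted; a later 50 BTC withdrawal
    # from the commingled hot wallet carries only 24 BTC of taint under the
    # haircut rule, which is why "whose 96 coins?" has no clean on-chain answer.
    print(screen_deposit(CHAIN, RANSOM_REGISTRY, "t4", 0))   # (96.0, 0.96)
    print(screen_deposit(CHAIN, RANSOM_REGISTRY, "t6", 0))   # (24.0, 0.48)
```

Other taint rules (first-in-first-out, or "poison", where any tainted input taints every output in full) give different answers on the same graph, which is the legal ambiguity the post describes.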

This would be good news for potential ransom victims. With the exits for ransom payments being choked off, these sorts of exploits would become less feasible. Extortionists may simply stop trying to run their schemes.

You could also imagine hackers coming up with strategies for dissuading victims from posting transactions to the ransom registry. "If you announce the ransom payment to the registry, we'll leak your files to the public," or something along those lines.

Or maybe extortionists will simply start to use bitcoin mixers more. Mixers are services that allow people to commingle their bitcoins in order to preserve anonymity. Astonishingly, most ransom payments don't currently go through mixing services. According to Chainalysis, the company that was hired by the British insurer, around half of the addresses to which ransom is paid redirect the bitcoins to an exchange.

But even if hackers did use mixers, bitcoin exchanges may be reluctant to accept incoming deposits. Binance, for instance, recently refused to make a payout to Wasabi, a wallet that automatically mixes bitcoins. Should exchanges like Bitfinex all refuse to accept bitcoins that have been mixed, that chokes off the ability to extort people using bitcoin as ransom.

For now, we don't know how the defendants responded to the injunction. But in any case, it makes for interesting speculation.