Cryptocurrencies: abuses and forensics
Conventional financial systems: they rely on external entities (centralizxedf authorities) to process transactions. Nowadays it's a point of failure: Example being Russia being cut off from SWIFT system.
Definition
Cryptocurrency on the other end is a completely decentralized way of managing transactions, it eliminates the need of a trusted authority.
Formal definition: it is an information technology breakthrough that defines and implements a secure and decentralized payment system. It is also a tool for the storage, verification, and auditing of information, including digital representations of values (e.g. NFTs).
The bitcoin protocol for example defines an overlay network over Internet that mine bitcoins, each node manage a group of addresses that holds coins, each address is a hashed image of an underlying private-public pair of cryptographic keys and act as a pseudonym of the coin’s holder.
The nodes view of this common state is formed by a blockchain, a shared, append-only, trustable, ledger of all coins transactions.
Notes:
We're studying this because their usage is widespread among criminals, for various reasons. The most important reasons are that crypto transations are non refundable and have a higher degree of anonimity with respect to traditional banking systems.
Asymmetric keys used to access the ledger are generated by users (recall: no CA because we're in a decentralized context). Those keys are pseudonyms, because they are associated to users but this association is not public.
We'll focus specifically on Bitcoins.
Wallets
Software/hardware technology which are used to store cryptocurrencies. More specifically they are used to:
Manage and store the public and private key for each of your bitcoin addresses.
Create and sign transactions
Track the balance
BTC Address
The bitcoin public address is an alphanumeric string from 26 to 35 characters. It works like the IBAN for a bank account. It is also your public key, you can give it anyone to receive payments and you can use it to access your transaction’s history.
Example of BTC address: 3D2oetdNuZUqQHPJmYcMdDhYoQkyNVsFk9.
Transaction lifecycle
A transaction contains the hash of previous transaction of that account, hashed with the receiver public key and signed with sender public key. Lifecycle:
To send coins to the network, you'll sign the transaction with your private key and decide how to split your BTC amount among some other users of the network, and also how much BTC give as fee to the miner which will validate the block containing your transaction.
Then it's sent to a node for validation by other network nodes (insertion in a block). The node checks if you have enough coins to perform the transaction and check the signature using your public key.
A block is inserted into the blockchain through the mining process: the nodes compete with each other to find a hash that matches certain criteria (e.g. first N bits equal to 0 ). This mechanism of “competition” is needed to prevent tampering with the transaction history.
This means that blocks are basically linked lists of transactions.
More on block consolidation (Proof of Work)
A block is composed by:
List of transactions
Hash of the previous block
Time of creation
Problem solution
Miners create blocks by putting together transactions and by changing block content to make it have a specific hash. This is done via bruteforcing. Once the hash is found, the miner who did it is rewarded with a fixes number of BTCs. Then the protocol keeps asking for hashes with increasing problem complexity. If simultaneous solutions are found, the chain is forked.
Transactions to be included in blocks are chosen basing on the amount of fee provided. This means that the lower your transaction fee, the longer for the transaction to be completed. Note also that a transaction is confirmed when it belongs to a block at least 6/7 blocks away from the end of the chain. The longer the path, the more computation was expended building it.
There are mainly two features that have contributed to the wide popularity of this consensus protocol:
It is hard to find a solution for the mathematical problem
It is easy to verify the correctness of that solution
The ‘hard mathematical problem’ can be written in an abstract way like below:
Given data A, find a number x such as that the hash of x appended to A results is a number less than B.
Crypto role in criminal activities
Pseudo-anonimity
Bitcoins are often used by cybercriminals to perform illegal transactions because the number of identities that one can have is arbitrarily large. This means that transactions to oneself are unidentifiable, even if transaction history is completely public and tracked. However:
If a transaction has multiple inputs, very likely that the inputs are all owned by the same entity. By analyzing the key we can associate group of keys together.
More advanced analysis can be performed to extract more information from the blockchain. There's a modular framework, BitIodine, which parses the blockchain, clusters addresses that are likely to belong to a same user or group of users, classifies such users and labels them, and finally visualizes complex information extracted from the Bitcoin network.
For example it can be used to scrape data regarding the founder of Silk Road transaction network. From fc14_submission_11.pdf (ifca.ai):
Sign up to silk road (We actually didn’t, we are using details posted publicly by a user)
Deposit a small amount
Take Note of the deposit address (In our instance,
1Q6nyjSQ79AAw67xAGHgXxXHRj9erLLqhD)Track the flow
Problem: coins are mixed by Silk Road (a typical protection mechanism) in this case with more than 25000 others.
Example of crypto usage
In the previous chapter we talked about ransomware. Ransomwares ask for ransom in cryptocurrencies for the reasons we specifies before. After someone sends some money via BTC to have his data back, it cannot be reverted. Can we track the payments? They can be clustered and tracked:
From the graph we can see that basically cryptocurrency transactions are directly proportional to ransom payments.
To recap, cryptocurrencies have the following properties:
Unstoppable
Non reversible
Not really anonymous
Not hidden
There are other cryptocurrecies with stronger sets of protection, for example Monero. Wannacry authors made victims pay in Bitcoins, and then converted the money to Monero.
Last updated