Blockchain security

Bitcoin May Turn from Cybercriminals’ Biggest Asset into Their Biggest Liability

Dimitar Kostadinov
July 20, 2016 by
Dimitar Kostadinov

Why is Bitcoin the cybercriminals' most favorite payment method?

Adam Kujawa is the head researcher at the antivirus company Malwarebytes, and he estimates that ransomware nowadays amounts to 70% of all malware downloaded from web pages on the Internet. One look at the cybersecurity headlines from the beginning of the year is enough to name 2016 'The Year of the Ransomware.'

Learn Blockchain Security

Learn Blockchain Security

Build your blockchain security skills with five courses covering blockchain structure, blockchain attacks, smart contract security and more.

Throughout the last couple of years, there has been a great variety of ransomware strains, and each of them managed to bring something new to the table. Whether one would choose to call it a process of evolution or mutation, the result is always a new ransomware strain which is more difficult to be removed from the infected machine.

Bitcoin is a digital currency promoted as the new online alternative to gold, an improved way to execute international transfers, and the force that will drive the e-commerce to new heights all rolled into one. During the dawn of ransomware, popular payment methods were wire transfers, prepaid cards, or mobile/SMS transactions. The criminals cannot rely on the utilities that go hand in hand with traditional payment methods, such as technical support, so in the Bitcoin technology they see a method that works for them. Gradually Bitcoin has surpassed other ransom payment techniques in popularity. Most of the ransomware strains even exclude any other payment options (or just make it the cheapest option).

It is all about Bitcoins today. Nowadays almost every type of ransomware demands varying ransom sums to be delivered to the cyber criminals in the form of Bitcoins in exchange for a decryption tool with which the victim can regain access to his/her encrypted files. Therefore, what the entire spectrum of ransomware malware has in common is the method of payment through which the victim delivers the ransom into hands of those who have criminogenic needs to fulfill.

Bitcoin is so closely tied to ransomware (or other cyber crimes such as DDoS attacks and cyber extortion) that a new study reveals how companies are stockpiling Bitcoin so that they can pay up as quickly as possible should their data is held ransom by this type of malware. Nevertheless, as Tom Simonite from technologyreview says: "Acknowledging that you are ready to pay—and perhaps don't have a good backup system—could attract the attacks this policy is designed to handle."

Bitcoin has become a very popular currency associated with the Dark Web – the underground equivalent of the Internet — and the popular drug market known as the Silk Road, which came into existence in 2011. As of now, the conversion rate is around $677. Despite that the word "Bitcoin" may take on a negative connotation for the fact that it is mixed up all the time with various cyber crimes, it has been used by many legitimate online retailers, venture capitalist, and even the British government. Moreover, according to Eugene Kaspersky, the founder of the famous security vendor Kaspersky Lab, Bitcoin holds the potential to be a global currency one day.

Bitcoin is convenient because it is a reliable, swift, and verifiable technology not controlled by any government or institution. Consequently, what made Bitcoins the preferred payment method for criminals is the ease of transactions (See how a Bitcoin transaction works) and the certain degree of anonymity. Or at least what is perceived as anonymity.

Are Bitcoin transactions traceable?

In the article "Could bitcoin hold the key to stopping ransomware?," the researcher at the cyber security firm Sentinel One, Caleb Fenton, deduces: "You can actually follow the money." An investigator could trace back the Bitcoin transaction thread to physical Bitcoin exchange locations, apprehend the suspects, or at least catch them on surveillance footage, the moment they convert the virtual currency into cash. That is what Peter Van Valkenburgh, the director of research at Coin Center, also shares in "Could bitcoin hold the key to stopping ransomware?" He further adds on that matter: "Anonymity is not the tool that makes bitcoin palatable to criminals. It's just very fast, it's reversible, and it's a lower cost to use than other payment systems, like mailing pre-paid credit cards."

It has been proven that combining information obtained from a blockchain, i.e. a decentralized, public ledger that records all Bitcoin transactions, with the intelligence derived with the help of some tracking methods could reveal the identity of the people involved in Bitcoin transactions, even if Bitcoin users seemingly preserve their anonymity through the usage of screen names. In this regard, Bitcoin transactions are pseudonymous at best in case investigators decide to put in some extra effort.


Steve Jurvetson

It may come as a surprise to many people, but prepaid cards and vouchers possess a higher standard of non-disclosure since they are designed to provide money exchanges on a cross-border or national level without any references whatsoever to the parties involved. On the other hand, with Bitcoin transfers, there is a high probability of a third party intercepting the IP and username of the person who proceeds to change the virtual money into national currency. Blockchain transactions are traceable and can expose the individuals behind them. In all actuality, the ostensible anonymization (you can call it pseudonymization as well) led to the detention and incarceration of a lot of negligent cybercriminals.

Obfuscation Techniques

Bitcoin "laundry services" do exist: Bitcoinlaundry, Bitmix, and Bitlaundry are several examples. Once you pass your money through such a service, it is much harder and almost impossible for law enforcement personnel to establish their origin.

Additionally, there are Bitcoin anonymity tools, for example, Dark Wallet or Bitcoin Fog, whose goal is to cover up the digital trail a Bitcoin transaction leaves behind.

Dread Pirate Roberts is the pseudonymous administrator of the Silk Road, and he boasted the website privacy features before the Forbs' journalist Andy Greenberg: "We employ an internal tumbler for when vendors withdraw their payments and a more general mix of all deposits and withdrawals. This makes it impossible to link your deposits and withdrawals and makes it really hard even to tell that your withdrawals came from Silk Road."

While the Bitcoin researcher Sarah Meiklejohn may hold a tool that can partially blow away the smokescreen (read the part before the Conclusion), the Silk Road can still offer superficial protections to its visitors. Besides, not everything on the site is illegal – your mere presence there is not per se a crime.

It is a curious thing to know, but conventional money laundering schemes, such as transfers to offshore accounts, may actually work better for cyberspace-driven scams than what Bitcoin has to offer these days (simply because this technology is relatively new and has not withstood the test of time yet).

Maybe the main question that stands out from the rest is: Is it possible to attribute Bitcoin transactions to a particular person?

"They are traceable unless they are expressly designed not to be so. This is the case with certain Bitcoin obfuscation techniques, or with a cryptocurrency like Dash's Darksend," is the short answer by Derick Smith, Architect at Protocol in Blockchain Solutions.

To look it from another perspective, the principle of transparency on which Bitcoin is based can serve as a clue for digital forensic experts in their attempts to identify and locate the ransomware criminals.
"You're putting your transactions on an immutable ledger that will never disappear. You can't eliminate that feature of the blockchain – you're potentially exposing your entire criminal conspiracy to an audit," said Van Valkenburgh.

The Bitcoin blockchain has been adopted by banks and organizations in other industries, but a fact like this does not render the whole distributed system completely tamper-proof. Security experts already pointed out several vulnerabilities in the blockchain, which make the system susceptible to malware that stores harmful code or commands. By way of illustration, describes the process like that: "…the blockchain enables the hackers to discharge the decryption key without human intervention. Once the victim has made the payment, each computer affected is marked with a unique ID, and once the payment is done, the decryption key is sent out automatically."

According to the financial expert Paul Glass (See his article "How secure is blockchain?"), Interpol has elaborated a concept of special software which can first turn into malware and then subvert the blockchains by introducing data unrelated to the transactions. Furthermore, scholars from the University of Newcastle presented at the beginning of 2015 the concept of Blockchain-based botnets.

Real-world Evidence of Beating the Blockchain

Although the blockchain contains transactions recorded only as addresses, without actually being linked to anyone's identity, the events from the past couple of years provide us with enough examples to consider that a transaction can be traced back to a particular person.

Caleb Fenton investigated a ransomware variant called CryptXXX. His efforts resulted in the discovery of considerable amounts of data, Bitcoin addresses and amounts paid, among other things. Presumably, all of the relevant information was not readily available. The security expert has been able to link the payments to blockchain screen names, but not to the names of specific people because users frequently change addresses for each transaction. In all fairness, technical savvy criminals could have maximized the anonymity level of their Bitcoin laundering the funds via Altcoin (similarly to the conventional money laundering) and other alternative cryptocurrency variants.

Kaspersky Labs, for instance, has successfully tracked down several suspected cyber crooks behind Bitcoin ransomware attacks. Their security researchers followed the Bitcoin transaction trail which springs from the blockchain. Apparently, the technique 'Follow the Money' has yielded great results in the pre-Internet era, and it will continue to do so now. The only major difference is that instead of following banknotes or electronic networks, investigators follow cryptographic hashes recorded on the ledger.

Successful cases of law enforcement applying the methods for revealing the true identity of cyber criminals who utilize the Bitcoin technology do exist. Perhaps the most famous one is connected to the arrest of the Silk Road's founder Ross Ulbricht. A former federal agent Ilhwan Yum has been able to trace 3,760 bitcoin transactions from Silk Road servers to Ross Ulbricht's personal laptop by following these transactions described in the blockchain, which had left a visible digital trail from the marketplace to his personal wallet.

"Bitcoin is insanely traceable," reaffirms Nicholas Weaver, a researcher at UC Berkeley's International Computer Science Institute. "The Silk Road bitcoins are well known, not just the ones seized but the entire cloud of Bitcoins. Add in the known purchases from law enforcement, and it becomes downright trivial to create the "history cluster" that is Silk Road."

Each wallet has a persistent identity and amount of funds associated with that identity. Under normal circumstances, the identity behind a particular wallet is anonymous so long as there are not enough personal identifiers to tie it to its owner; then his financial activities become publicly available at once. On top of that, access to Silk Road's server logs will likely provide plenty pieces of evidence to connect an individual's dirty transactions to his personal Bitcoin wallet, as in the Ulbricht case.

The idea behind the blockchain is to record payments made across the Bitcoins's decentralized system – essentially; it comes down to mapping out who has what amount of coins and when – to tackle counterfeiting and fraud.
Scientists from UCSD and George Mason University have discovered how a little spying in the blockchain may reveal who the actual owner of the Bitcoin addresses of interest is. As it is explained in their paper, they utilize "clustering" methods which spot signs of how the coins are normally aggregated or distributed to single out relevant addresses based on several transactions only.

In a test conducted under the patronage of Forbes, Sarah Meiklejohn, the leader of that group of scientists was able to append every transaction the publisher had made to the addresses associated with their account on one of the most popular Bitcoin wallet services. Those Bitcoin addresses were handed over to her by Forbes, but, theoretically speaking, any law enforcement agency can acquire this information if it sends Coinbase a subpoena.

To Ride on the Coattails of Ransomware Hysteria

While there is a tremendous number of experts that try to provide a solution to the ransomware scourge, there will always be someone who will try to play the carpe diem card (a Latin phrase for "seize the day" or "seize the moment"). While the fact that this occurrence has its own Latin phrase is indicative enough to show that we are talking about something that has been happening before and will very certainly continue to happen in future, it does not always signify something negative. Yet a negative event such as the massive surge in ransomware attacks paves the avenue for other persons, not necessarily outright outlaws, to take advantage of cornered victims. For instance, Patrick Wardle, the former National Security Agency computer expert, creates a free ransomware alert system dubbed RansomWhere? , on the other hand, other firms are offering to deliver you from ransomware evil for some $1500-5000 per infected computer unit (at the same time the ransom demand is usually $300-500…so it sounds like a daylight robbery, isn't it?), according to a 2015 article entitled "WHICH IS WORSE? Bitcoin RansomWare or Removal Services Profiting From It? " by dinbits. Strictly speaking, the latter service falls in the legal gray area (overcharging is not illegal, yet promising to "decrypt" AES 256-bit encrypted files and instead of doing so just purchase the decryption key behind the victim's back is something different), but it is a good example of how some cunning foxes will always be there to ride on the Bitcoin ransomware criminals' coat-tails and make matters worse for the victim.


David Balaban states in his article "Bitcoin Roots of Ransomware" that "Bitcoin is merely a technological innovation and know-how, like the Internet and email. No one blames the Internet for cyber-crimes any longer, however without Bitcoin ransomware would not spread so quickly." Due to how mainstream media regards Bitcoin as a catalyst of cybercrime, and more specifically of ransomware, people are inclined to see Bitcoin technology in a negative light. This is a factor which affected adoption rates of the most famous digital currency. Nevertheless, the Bitcoin popularity can undergo a 180-degree turn as soon as there are tools to track down criminal Bitcoin transactions effectively and map out their command and control infrastructure.

The follow-the-money tactic through a close-up examination of Bitcoin blockchain ushered in lately a new market niche for firms specializing in Bitcoin intelligence. With trailblazers like the British blockchain companies Elliptic and Chainanalysis, both of which that raised $5 million and $1.6, respectively, this security sector related to the most widely adopted virtual currency has already drawn investors' attention and will undoubtedly continue to attract significant investments from the venture capital world.

Fenton is optimistic about the role of bitcoin technology in future investigations:

"What I think we're going to start seeing is more and more technology that allows you to trace bitcoin transactions. Once they figure out where the command-and-control servers are, they can do a lot of information gathering tactics to figure out what [internet protocol address] were used, what the domains were, and who registered them."

For several years the cyber criminals on the Silk Road managed to hide their nefarious activities successfully under the cover of this brand new at the time technology. Due to escrow wallets and Bitcoin tumblers, everything for the criminals went smooth as silk for a while, and they remained off the radar of law enforcement agencies. In effect, these times exactly helped Bitcoin to establish itself and gain many die-hard users.

The tide is turning now. Many people deem the Bitcoin-ransomware relationship to be similar to mutualism, i.e., "a symbiotic relationship in which both organisms benefit." It seems, however, that Bitcoin may become the weakest organism in the criminal self-sustaining ecosystem. Bitcoin is not as anonymous as cyber crooks have been thinking, and they are about to learn that lesson the hard way.

Reference List (2016). Bitdefender Labs Unveils Bitcoin Ransomware Solution. Available at (17/07/2016) (2016). New Technology May Make Bitcoin Ransomware Obsolete. Available at

Balaban, D. (2016). Bitcoin Roots of Ransomware. Available at (17/07/2016) (2016). Ransomware Plague: Blame It All on Unauthorized Access Rather Than Bitcoin Cryptocurrency. Available at (17/07/2016)

Brandom, R. (2015). In the Silk Road trial, Bitcoin is a cop's best friend. Available at (17/07/2016)

Constantin, L. (2016). Ransomware authors use the bitcoin blockchain to deliver encryption keys. Available at (17/07/2016)

Constantin, L. (2016). Many ransomware victims plead with attackers. Available at (17/07/2016)

Detsch, J. (2016). Could bitcoin hold the key to stopping ransomware? Available at (17/07/2016)

Detsch, J. (2016). As ransomware rises, cybersecurity researchers fight back. Available at (17/07/2016)

dinbits (2015). WHICH IS WORSE? Bitcoin RansomWare or Removal Services Profiting From It? Available at (17/07/2016)

Greenberg, A. (2015). Prosecutors Trace $13.4M in Bitcoins From the Silk Road to Ulbricht's Laptop. Available at (17/07/2016)

Greenberg, A. (2016). Follow The Bitcoins: How We Got Busted Buying Drugs On Silk Road's Black Market. Available at (17/07/2016)

Marinos, K. (2015). Are Bitcoin Transactions Traceable? Available at (17/07/2016)

samchan. Science 10 Biology Definitions. Available at (17/07/2016)

Simonite, T. (2016). Companies Are Stockpiling Bitcoin to Pay Off Cybercriminals. Available at (17/07/2016)

"Fig. 1 Anatomy of a Ransomware Attack" is based on a diagram created by that can be found here. In "Fig. 1 Anatomy of a Ransomware Attack" are used:

Bitcoin ATM Plate.jpg by Mrnett1974

Learn Blockchain Security

Learn Blockchain Security

Build your blockchain security skills with five courses covering blockchain structure, blockchain attacks, smart contract security and more.

Monitor padlock.svg by Lunarbunny

Dimitar Kostadinov
Dimitar Kostadinov

Dimitar Kostadinov applied for a 6-year Master’s program in Bulgarian and European Law at the University of Ruse, and was enrolled in 2002 following high school. He obtained a Master degree in 2009. From 2008-2012, Dimitar held a job as data entry & research for the American company Law Seminars International and its Bulgarian-Slovenian business partner DATA LAB. In 2011, he was admitted Law and Politics of International Security to Vrije Universiteit Amsterdam, the Netherlands, graduating in August of 2012. Dimitar also holds an LL.M. diploma in Intellectual Property Rights & ICT Law from KU Leuven (Brussels, Belgium). Besides legal studies, he is particularly interested in Internet of Things, Big Data, privacy & data protection, electronic contracts, electronic business, electronic media, telecoms, and cybercrime. Dimitar attended the 6th Annual Internet of Things European summit organized by Forum Europe in Brussels.