Common mistakes made in ransomware investigations

Thanksgiving may be a holiday for most people in the United States, but it is no day off for hackers. On Monday, U.S. officials warned businesses and government agencies to be extra vigilant against attacks over the November 25 holiday. Invariably, some ransomware attacks succeed, and according to Ulisse Dell’Orto, Managing Director, Asia-Pacific, at cryptocurrency research firm Chainalysis, common mistakes are made when investigating this type of cybercrime.

CC: How difficult are ransomware attacks to investigate?

Ulisse Dell’Orto: The inherent transparency of blockchains makes it easier for law enforcement to investigate cryptocurrency than to conduct financial investigations involving fiat money. Blockchains act as a permanent, publicly accessible record of almost all cryptocurrency transactions, allowing investigators to track the movement of funds between cryptocurrency addresses, something that is simply not possible with fiat currency.

However, cryptocurrency addresses are pseudonymous. Investigators need reliable data attributing these addresses to services and organizations in order to learn anything from blockchain transaction records.

Think of the blockchain as a map that shows you where cryptocurrency is moving, and attribution data as the labels that allow investigators to understand who controls the funds as they move to a given address. On its own, the blockchain is a map on which none of the countries are labeled. Failure to understand this can lead investigators to false conclusions, wasting time and resources tracking down inaccurate leads.

CC: What role do coin mixers play in cryptocurrency investigations?

UDO: Failure to identify coin mixers is a major mistake made by ransomware investigators. Coin mixers work by “shuffling” all users’ coins into a central pool, then returning their value, minus a nominal fee, to the users, making them untraceable. Unsurprisingly, mixers are frequently used by criminals to hide their tracks, and although they have come under increasing scrutiny from law enforcement groups, these services continue to proliferate.

CC: Are funds traceable after being sent through a coin mixer?

UDO: Just because a coin mixer was used doesn’t mean investigators can’t continue to track funds, but they must use a blockchain analytics tool that has labeled the addresses in question as belonging to a mixer.

Take the example of the Colonial Pipeline attack, carried out by the hacking group DarkSide. In this case, US investigators were able to recover a substantial amount of the ransom paid using the type of technology just described.

Shortly after the attack, the administrator transferred funds to an intermediary wallet labeled “DarkSide Dormant Funds”. The funds were then transferred to a second intermediary wallet, labeled “DarkSide Consolidation”, and about an hour later to a mixer whose name remains withheld while the investigation is ongoing.

If investigators attempted to analyze this transaction using a public block explorer, or a blockchain analysis tool that had not cataloged the receiving address as part of a mixer, they wouldn’t be able to tell what was going on. Instead, they would see the funds moving quickly through several different addresses, in a pattern resembling a peel chain.

Ulisse Dell’Orto, Asia Pacific Managing Director at cryptocurrency research firm Chainalysis – Photo: Chainalysis

CC: What is a peel chain?

UDO: A peel chain is a transaction pattern commonly seen in blockchain analysis, in which funds appear to pass through multiple intermediary addresses. In reality, these intermediary addresses are part of a single wallet and are created automatically to receive the change left over from certain transactions.

In the case of an unidentified coin mixer, the intermediary addresses are part of the mixer itself rather than of a wallet, and the new addresses are not created to receive change. Instead, the mixer distributes funds to new addresses that it also hosts, from which they can be forwarded to end users.

CC: Are peel chains only used by criminals?

UDO: The peel-chain-like patterns resulting from the use of unidentified mixers have contributed to the belief that peel chains themselves are a technique criminals use to launder cryptocurrency. While cybercriminals can take advantage of peel chains to hide their illicit earnings, these are actually natural patterns resulting from the way cryptocurrency wallets are designed to collect change from transactions.

Failure to understand the natural appearance of peel chains can result in law enforcement teams wasting time and resources on false leads.

CC: Why do cybercriminals use exchanges?

UDO: Criminals often move cryptocurrency through intermediary wallets to throw off investigators. These transactions are relatively easy to track with most blockchain analysis tools, as investigators can rely on the blockchain to show them which new address received the funds after each transaction.

Investigations become trickier when funds reach a service such as an exchange, because it is impossible to trace where the funds go once they arrive at a deposit address hosted by a service. Without attribution data, the blockchain alone is no longer a reliable source of truth.

When a person sends cryptocurrency to their deposit address at a service, the cryptocurrency doesn’t just sit there. Instead, the service moves it internally, pools it, and mixes it with other users’ funds as needed. Only the exchange itself knows which deposits and withdrawals are associated with which customers, and this information is kept in the exchange’s order books, which are not visible on the blockchain.

Of course, blockchains don’t know that a service’s internal fund movements are not ordinary transactions; they are recorded on the ledger like any other transaction. Therefore, it makes no sense to continue tracking funds once they have been deposited with a service, as the owner of the deposit address is usually not the one moving them after that point.

Again, this can cause investigators to waste time and resources following the wrong leads.

CC: What are nested services and merchant services?

UDO: Nested services are cryptocurrency businesses that operate using addresses hosted by larger exchanges in order to tap those exchanges’ liquidity and trading pairs. Customers of merchant service providers operate in a similar fashion.

Merchant service providers allow mainstream businesses to accept cryptocurrency as payment for products and services, much like payment processors in the fiat world. Businesses using merchant service providers are analogous to nested services in that they receive cryptocurrency at addresses hosted by another business.

This means investigators can draw the wrong conclusions if they trace funds to an address that is not properly labeled as belonging to a nested service or a merchant service provider.

CC: When have merchant services misled cybercrime investigators?

UDO: In June 2021, certain media outlets reported that addresses associated with the Ever101 ransomware strain had sent funds to an address owned by RubRatings, an adult website that accepts cryptocurrency payments. This finding was wrong. In fact, Ever101 had sent funds to a deposit address hosted by a merchant service provider of which RubRatings was also a client.

Investigators were misled because they used a blockchain analysis tool that mislabeled all of the addresses in the merchant service provider’s wallets as belonging to RubRatings, without realizing that RubRatings was just one of many customers receiving funds at addresses hosted by the merchant service provider.

This error led to false reporting and could have caused law enforcement to mistakenly subpoena RubRatings rather than the merchant service provider, which could have provided more account information for the address in question.

Tracking funds from ransomware attacks is no simple task, but greater awareness of the issues just discussed will mean investigators’ resources are used more efficiently.
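The tracing logic described in the answers above on peel chains, mixers, service deposit addresses and merchant service providers, as an added example that is not code from the original article or from Chainalysis. The transactions, address strings, entity names and attribution table are constructed for illustration, and "largest output is the change" is a deliberately simple heuristic standing in for the wallet-specific change detection a real analytics tool would use. Run with the attribution table, tracing stops at the mixer after three hops and records two peeled-off payments as leads against the hosting services; run with an empty table, the same five transactions read as an ordinary peel chain that simply goes quiet at an unattributed address.

```python
"""Toy fund tracer for a peel chain that ends at a service-hosted address.

Added example, not Chainalysis code. The transactions and the attribution
table below are constructed for illustration; the address strings, entity
names and categories are invented.
"""
from dataclasses import dataclass

# Categories whose deposit addresses end on-chain tracing: once funds arrive,
# the next movement is the service's own bookkeeping, not the subject's.
SERVICE_CATEGORIES = {"exchange", "mixer", "merchant_service"}

# Constructed attribution data: address -> (entity, category). A merchant
# service provider's deposit address is labeled with the provider, not with
# whichever customer happens to be paid through it.
ATTRIBUTION = {
    "ex1deposit": ("ExchangeA", "exchange"),
    "msp1": ("MerchantPay", "merchant_service"),
    "mix1": ("MixerX", "mixer"),
    "mix2": ("MixerX", "mixer"),
    "mix3": ("MixerX", "mixer"),
}


@dataclass
class Tx:
    txid: str
    inputs: list      # addresses spent by this transaction
    outputs: dict     # address -> amount


# Constructed history: a 10-coin ransom wallet W0 peels off small payments
# while the change moves to a fresh address each time; the remainder is then
# sent to a mixer, which shuffles it through its own addresses.
SAMPLE_TXS = [
    Tx("tx1", ["W0"], {"W1": 9.5, "ex1deposit": 0.5}),
    Tx("tx2", ["W1"], {"W2": 9.0, "msp1": 0.5}),
    Tx("tx3", ["W2"], {"mix1": 9.0}),
    Tx("tx4", ["mix1"], {"mix2": 6.0, "mix3": 3.0}),   # mixer-internal moves
    Tx("tx5", ["mix2"], {"U9": 5.99}),                  # mixer pays a user out
]


def trace(start_addr, txs, attribution, max_hops=20):
    """Follow funds from start_addr one spend at a time.

    Heuristic: the largest output of each spend is treated as the change that
    continues the chain; every other output is a peeled-off payment and is
    recorded as a lead if it lands at a labeled service. Tracing stops when
    the continuation itself reaches a service-hosted address.
    """
    spend_index = {}
    for tx in txs:
        for addr in tx.inputs:
            spend_index[addr] = tx

    result = {"hops": [], "leads": [], "stop_reason": None, "stop_entity": None}
    cur = start_addr
    for _ in range(max_hops):
        tx = spend_index.get(cur)
        if tx is None:
            result["stop_reason"] = "unspent"   # funds still sit at cur
            break
        ranked = sorted(tx.outputs.items(), key=lambda kv: kv[1], reverse=True)
        (nxt, amount), peeled = ranked[0], ranked[1:]
        for addr, peeled_amount in peeled:
            entity, category = attribution.get(addr, ("unattributed", None))
            if category in SERVICE_CATEGORIES:
                result["leads"].append((tx.txid, addr, peeled_amount, entity))
        result["hops"].append((tx.txid, nxt, amount))
        entity, category = attribution.get(nxt, ("unattributed", None))
        if category in SERVICE_CATEGORIES:
            result["stop_reason"] = f"service:{category}"
            result["stop_entity"] = entity
            break
        cur = nxt
    else:
        result["stop_reason"] = "max_hops"
    return result


def next_step(result):
    """What an investigator should do with the tracer's stopping point."""
    reason = result["stop_reason"]
    if reason and reason.startswith("service:"):
        return (f"stop on-chain tracing; request account records from "
                f"{result['stop_entity']} for the final deposit address")
    if reason == "unspent":
        return "funds have not moved; monitor the final address"
    return "hop limit reached; review the chain manually"


if __name__ == "__main__":
    labeled = trace("W0", SAMPLE_TXS, ATTRIBUTION)
    unlabeled = trace("W0", SAMPLE_TXS, {})
    print("with attribution:", len(labeled["hops"]), "hops,",
          labeled["stop_reason"], labeled["stop_entity"])
    print("  leads:", labeled["leads"])
    print("  next step:", next_step(labeled))
    print("without attribution:", len(unlabeled["hops"]), "hops,",
          unlabeled["stop_reason"])
```

The two leads are reported against ExchangeA and MerchantPay, the entities that actually host the deposit addresses and can answer a records request; labeling the MerchantPay address with one of its customers instead would reproduce the RubRatings mistake described above.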

Read more: FBI, CISA issue warning on cyberattacks during the holidays

Capital Com is an execution-only service provider. The material provided on this website is for informational purposes only and should not be construed as investment advice. Any opinion that may be provided on this page does not constitute a recommendation of Capital Com or its agents. We make no representations or warranties about the accuracy or completeness of the information provided on this page. If you rely on the information on this page, you do so entirely at your own risk.

About Joaquin Robertson
