We discuss the generalities of Cryptocurrency and go into the tactics, techniques, and procedures for conducting Cryptocurrency investigations. We also discuss some case studies and what proper outcomes look like for making it more expensive for the adversaries to conduct their operations in this generally unregulated world.
Here are the 3 Topics We Cover in This Episode:
1) Generalities, Functionalities, and Value of Bitcoin and Cryptocurrency:
In its simplest form, Cryptocurrency is digital coins or money (Bitcoin and Ethereum being the most popular). It is not run or governed by a central authority, but by a mathematical algorithm that verifies the transactions, controls the supply of a given coin, and runs on the blockchain.
Blockchain, as it pertains to Cryptocurrency, is a ledger that verifies what has been sent and received from an account. It is pseudonymous, not anonymous; the perception of anonymity is why criminals have been leveraging it so aggressively.
When Bitcoin is transacted, the amounts sent and received are recorded on the Bitcoin ledger (Blockchain) and associated with a Cryptocurrency wallet address. Criminals think they can hide their identities because no formally validated identity through a central authority is required.
Since Cryptocurrency is not controlled by a central government, no one can modify the supply of a particular cryptocurrency. It derives value in the same way the US dollar used to derive value from gold: scarcity. The argument for Bitcoin's value is similar to that for gold, a commodity that shares characteristics with the Cryptocurrency. Bitcoin's supply is capped at 21 million coins, and its value is a function of this scarcity.
2) Conducting Cryptocurrency Investigations – Decreasing Return on Investment to Criminals:
When criminals first started using Cryptocurrency in 2012, it was because they thought they could hide their identity. At the time, law enforcement did not have tools to unmask actors and attribute actions to persons. That has changed.
Clients engage in two kinds of investigations: reactive and proactive. Reactive investigations begin after scams have already been perpetrated against the client's brand. Proactive investigations are when security teams engage with actors to uncover the scam before a significant amount of loss occurs.
Legal and technical methods can be deployed to "burn down the infrastructure" and decrease the return on investment for online criminals. Oftentimes an outcome is to contact the centralized bank or Cryptocurrency exchange (e.g., Coinbase) that the criminals use to "cash out" their proceeds, report the fraud, and disrupt the activity, thus increasing the costs to the criminals.
3) Provenance and Repudiation To Understand Truth, Accuracy, and Completeness:
As with any online crime investigation, investigative techniques identify stylometric attributes of the criminal infrastructure that reveal the provenance of the data the malicious actor produced. The end result gives authorities the ability to repudiate the scheme in the future.
Often what we look for are lapses in operational security by the threat actors, which include but are not limited to the following:
- An actor registered a domain and failed to enable private registration before correcting their mistake.
- An actor forgot to use their VPN or proxy to connect to their C2 infrastructure and revealed their source IP range.
- An actor reused certificates on different infrastructure or failed to properly encrypt their C2 traffic.
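Two of the lapses in the list above lend themselves to a small worked example. The Python below is added here and is not code from the episode or its speakers: it groups observed hosts by the TLS certificate fingerprint they presented, expanding transitively so that a certificate reused across infrastructure links hosts that share no other attribute, and it scans a server login log for successful sessions whose source address falls outside the expected VPN or proxy ranges. The hostnames, IPs, fingerprints, log lines and ranges are all constructed for the example.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed observations of hosts and the certificate each presented
# (hypothetical hostnames, IPs and fingerprints, not real indicators).
CERT_OBSERVATIONS = [
    {"host": "login-update.example",  "ip": "203.0.113.10", "cert_sha256": "aaaa1111"},
    {"host": "secure-verify.example", "ip": "203.0.113.11", "cert_sha256": "aaaa1111"},
    {"host": "wallet-sync.example",   "ip": "198.51.100.7", "cert_sha256": "bbbb2222"},
    # Same host later seen on new IP with a second cert: bridges two groups.
    {"host": "secure-verify.example", "ip": "198.51.100.7", "cert_sha256": "bbbb2222"},
    {"host": "news.example",          "ip": "192.0.2.50",   "cert_sha256": "cccc3333"},
]


def pivot_by_cert(observations):
    """Group hostnames by the certificate fingerprint they presented."""
    by_cert = defaultdict(set)
    for obs in observations:
        by_cert[obs["cert_sha256"]].add(obs["host"])
    return dict(by_cert)


def related_infrastructure(observations, seed_host):
    """Expand from one host through shared certificates, transitively:
    hosts sharing a cert with the seed, then hosts sharing a cert with
    those, and so on. Returns the set of related hosts (seed excluded)."""
    by_cert = pivot_by_cert(observations)
    host_certs = defaultdict(set)
    for obs in observations:
        host_certs[obs["host"]].add(obs["cert_sha256"])

    related, frontier = {seed_host}, [seed_host]
    while frontier:
        host = frontier.pop()
        for fp in host_certs[host]:
            for other in by_cert[fp]:
                if other not in related:
                    related.add(other)
                    frontier.append(other)
    related.discard(seed_host)
    return related


# Constructed admin-panel access log of a server under review (hypothetical).
LOGIN_LOG = """\
2024-03-01T10:12:03Z login ok user=admin src=10.8.0.14
2024-03-01T22:41:19Z login ok user=admin src=10.8.0.22
2024-03-02T03:05:44Z login ok user=admin src=203.0.113.77
2024-03-02T09:17:01Z login fail user=root src=10.8.0.14
"""

# Ranges the operator is expected to tunnel through (constructed).
EXPECTED_SOURCE_RANGES = [ipaddress.ip_network("10.8.0.0/24")]

LOG_RE = re.compile(
    r"^(?P<ts>\S+) login (?P<result>ok|fail) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def logins_outside_ranges(log_text, ranges):
    """Return (timestamp, source_ip) for successful logins whose source is
    outside the expected tunnel ranges: the 'forgot the VPN' lapse.
    Failed attempts and unparseable lines are ignored."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["result"] != "ok":
            continue
        src = ipaddress.ip_address(m["src"])
        if not any(src in net for net in ranges):
            hits.append((m["ts"], str(src)))
    return hits


if __name__ == "__main__":
    print(sorted(related_infrastructure(CERT_OBSERVATIONS, "login-update.example")))
    print(logins_outside_ranges(LOGIN_LOG, EXPECTED_SOURCE_RANGES))
```

The certificate pivot links three hosts that never shared an IP, because one of them carried the same certificate across a move; the log scan surfaces the single session that arrived from a routable address rather than the tunnel, which is the kind of source-range exposure described above.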
Going a step further, we pivot from technical analysis to open source intelligence (OSINT) to add valuable context to the nature of the threat an organization faces. By exposing network infrastructure and drawing associations using threat information and other technology-enabled OSINT connections, we can determine the motivation and sophistication of the threat. We assess characteristics such as:
- Content, stylometric attributes, and similarities between criminal persona accounts and true-name accounts.
- Re-use of content in a spearphish that is similar to content existing elsewhere, such as blog or social media posts.
- Re-use of usernames or email addresses to register a malicious domain or subscribe to a third-party file server or virtual private server.
- Photographs that provide traceable location details such as landmarks or geographical attributes.
- Screenshots, files, or photos used by the actor that leave vital forensic clues revealing real identity or location.
- Details ascertained through direct engagement with the threat actor.