Modern field guide to security and privacy

Could bitcoin hold the key to stopping ransomware?

Bitcoin isn’t as anonymous as many once believed, and now researchers are using the cryptocurrency’s delivery mechanism to compile dossiers on suspected hackers.

Benoit Tessier/Reuters
A Bitcoin logo is pictured on a door at La Maison du Bitcoin in Paris.

When a police officer in Durham, N.H., opened an innocuous looking email last spring, the small New England department became victims of a totally new kind of crime – one that it had no idea how to solve.

Criminal hackers had seized the department’s entire network of 28 computers, locking police out of the system that keeps arrest records, outstanding warrants, and incident reports for 24 hours. The culprit: ransomware, a form of malicious software that encrypts a victim's computer files until they pay a fee via the virtual currency bitcoin.

Fortunately, Durham Police Chief Dave Kurz and his team had a backup server in place, allowing information technology teams to quickly restore access to the locked files. That’s not always the case, as ransomware victims risk losing their files for good if they don’t meet hackers’ demands.

“We would have had to explore paying a ransom,” Chief Kurz says. “It would have been a nightmare.”

To date, ransomware attackers have operated largely without fear of being caught, thanks to their use of encryption and the decentralized cryptocurrency bitcoin, which enables users to mask their identity during transactions.

Now, with attacks on the rise (the cybersecurity firm Kaspersky has tracked 718,536 ransomware incidents since the Durham hack), security researchers are tracking down suspected ransomware hackers by borrowing an old technique from law enforcement: watching where the money flows. It's an investigative tactic so new that police in Durham wouldn't have been able to use it to track down the people who hacked them.

But now, says Caleb Fenton, a researcher at the cybersecurity firm Sentinel One, “You can actually follow the money.” 

All bitcoin transactions are stored on a public ledger called the blockchain, where anyone can view transactions between bitcoin users. Though blockchain users preserve their anonymity by transacting under screen names rather than real names, the public websites where payments are logged can serve as clues for investigators trying to track down ransomware criminals.

In fact, Mr. Fenton used the blockchain to gather a tremendous amount of data, including bitcoin addresses and amounts paid, as part of his own investigation into a new ransomware variant dubbed CryptXXX. That strain can also infect backup files, and hackers have already used it to extort $50,000 in bitcoin payouts from nearly 70 organizations in the past month. Fenton says he was able to determine the number of victims by tracking the payments on the blockchain.

Fenton says he’s found a new bitcoin wallet, used to store and access the currency, associated with CryptXXX. Since the CryptXXX-related bitcoin address first popped up in the beginning of June, Fenton says it's likely a new address dedicated to the campaign.

“What I think we’re going to start seeing is more and more technology that allows you to trace bitcoin transactions,” he said. “Once they figure out where the command-and-control servers are, they can do a lot of information gathering tactics to figure out what [internet protocol addresses] were used, what the domains were, and who registered them.”

Fenton has only been able to tie the payments to blockchain screen names, not specific people, since users often use a different address for each transaction. What's more, sophisticated criminals can better anonymize their bitcoin by laundering the funds through altcoins, cryptocurrencies that are variants of bitcoin.

Still, blockchain is the type of tool that experts hope will eventually lead to more arrests. Investigators could track the extortion payments to physical bitcoin exchange locations, where users convert the virtual currency to cash, and apprehend suspects, or catch them on surveillance footage, suggests Peter Van Valkenburgh, director of research at Coin Center, a Washington think tank focused on bitcoin and blockchain technology.
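The two investigative steps described above, counting victims from payments into a known ransom address and following the funds forward until they reach an exchange where they can be cashed out, can be shown on a tiny constructed ledger. The following is an added example written for this page; it is not Sentinel One's or Fenton's tooling, and the ledger, addresses (`ransom1`, `victimA_1`, `exchange_deposit`, ...) and the exchange label set are all made up. It also goes one step past the article by applying the common-input-ownership heuristic (inputs spent together in one transaction are assumed to belong to one entity), which addresses the caveat that a single victim may pay from several different addresses:

```python
"""Toy blockchain tracing over a constructed ledger (example code, not real data).

Each transaction is a dict with a txid, the input addresses whose coins are
spent, and a list of (output address, amount in BTC). Fees are ignored.
"""
from collections import deque
from typing import Any, Dict, List, Set, Tuple

Tx = Dict[str, Any]

# Constructed sample ledger. Three victims pay "ransom1"; victim C pays twice,
# from overlapping sets of addresses; the attacker then moves the funds through
# one hop into an exchange deposit address.
LEDGER: List[Tx] = [
    {"txid": "t1", "inputs": ["victimA_1"], "outputs": [("ransom1", 1.2), ("victimA_change", 0.3)]},
    {"txid": "t2", "inputs": ["victimB_1", "victimB_2"], "outputs": [("ransom1", 1.2)]},
    {"txid": "t3", "inputs": ["victimC_1", "victimC_2"], "outputs": [("ransom1", 0.6), ("victimC_change", 0.1)]},
    {"txid": "t4", "inputs": ["victimC_2", "victimC_3"], "outputs": [("ransom1", 0.6)]},
    {"txid": "t5", "inputs": ["ransom1"], "outputs": [("attacker_hop", 3.5), ("ransom1", 0.1)]},
    {"txid": "t6", "inputs": ["attacker_hop"], "outputs": [("exchange_deposit", 3.5)]},
]

# Constructed label set: addresses an analyst has attributed to an exchange's
# deposit wallet. In practice such labels come from the exchange or from
# earlier investigations; they are an assumption here.
KNOWN_EXCHANGE_ADDRESSES: Set[str] = {"exchange_deposit"}


def payments_to(ledger: List[Tx], address: str) -> List[Tuple[str, float, List[str]]]:
    """Every transaction paying `address`: (txid, amount received, paying addresses).
    Transactions that spend from `address` itself are skipped (self-change)."""
    hits = []
    for tx in ledger:
        amount = sum(v for addr, v in tx["outputs"] if addr == address)
        if amount > 0 and address not in tx["inputs"]:
            hits.append((tx["txid"], amount, list(tx["inputs"])))
    return hits


def cluster_inputs(ledger: List[Tx]) -> Dict[str, str]:
    """Common-input-ownership heuristic via union-find: all inputs of one
    transaction are merged into one cluster, transitively across transactions.
    Returns a map from address to its cluster representative."""
    parent: Dict[str, str] = {}

    def find(a: str) -> str:
        parent.setdefault(a, a)
        while parent[a] != a:
            parent[a] = parent[parent[a]]  # path halving
            a = parent[a]
        return a

    for tx in ledger:
        ins = tx["inputs"]
        for a in ins:
            find(a)
        for other in ins[1:]:
            parent[find(ins[0])] = find(other)
    return {addr: find(addr) for addr in list(parent)}


def count_payers(ledger: List[Tx], address: str) -> Tuple[int, int]:
    """(distinct paying addresses, distinct payer clusters) for `address`.
    The naive address count overstates victims; the cluster count is closer."""
    cluster_of = cluster_inputs(ledger)
    addrs = {a for _, _, ins in payments_to(ledger, address) for a in ins}
    clusters = {cluster_of.get(a, a) for a in addrs}
    return len(addrs), len(clusters)


def trace_outflows(ledger: List[Tx], start: str, max_hops: int = 5):
    """Breadth-first walk forward from `start`: every address that receives coins
    spent from it (with hop count), plus the subset that is a labelled exchange
    address, i.e. a point where the funds could be converted to cash."""
    reached: Dict[str, int] = {}
    queue = deque([(start, 0)])
    while queue:
        addr, hops = queue.popleft()
        if hops >= max_hops:
            continue
        for tx in ledger:
            if addr not in tx["inputs"]:
                continue
            for out_addr, _ in tx["outputs"]:
                if out_addr in (addr, start) or out_addr in reached:
                    continue  # ignore change back to the spender and revisits
                reached[out_addr] = hops + 1
                queue.append((out_addr, hops + 1))
    cashout = {a: h for a, h in reached.items() if a in KNOWN_EXCHANGE_ADDRESSES}
    return reached, cashout


if __name__ == "__main__":
    hits = payments_to(LEDGER, "ransom1")
    print(f"{len(hits)} ransom payments, {sum(a for _, a, _ in hits):.2f} BTC total")
    n_addr, n_clusters = count_payers(LEDGER, "ransom1")
    print(f"{n_addr} paying addresses collapse to about {n_clusters} victims")
    reached, cashout = trace_outflows(LEDGER, "ransom1")
    print("funds reach:", reached, "| cash-out points:", cashout)
```

On this ledger the naive count gives six paying addresses but only three clusters, and the forward walk reaches the labelled exchange address after two hops, which is the kind of lead the Coin Center suggestion above relies on. The heuristic is only a heuristic: mixing services and cross-currency laundering, mentioned in the article, deliberately break the common-input assumption, so cluster counts should be reported as estimates.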

“Old fashioned police work is always going to be the main method of investigation,” said Mr. Van Valkenburgh. “Anonymity is not the tool that makes bitcoin palatable to criminals. It’s just very fast, it’s reversible, and it’s a lower cost to use than other payment systems, like mailing pre-paid credit cards.”

Bitcoin has become the most popular currency used to fund transactions on the Dark Web, the hidden criminal underbelly of the internet, since the popular online drug market known as the Silk Road emerged in 2011. Today, though conversion rates vary, bitcoins can sell for more than $600 each. The virtual currency remains in use by other drug markets, legitimate online retailers, and venture capitalists, and is being explored for use by the British government.

US government investigators are on the case, too. The Department of Justice briefly disrupted the ransomware scheme known as CryptoLocker, and identified the suspects who allegedly stole more than $100 million as part of the scheme. That single ransomware variant may have infected as many as 260,000 computers around the world, according to Richard Downing, US acting deputy assistant attorney general.

“Despite these many challenges, law enforcement is actively working to disrupt and defeat ransomware schemes,” Mr. Downing said at a Senate Judiciary Committee hearing in May. “The FBI currently has over 30 active investigations into different ransomware variants.” The FBI did not respond to requests for comment on this story.

Government investigators also leveraged bitcoin payments as part of the Silk Road investigation. After agents apprehended Silk Road founder Ross Ulbricht, they accessed his computer to find sizable transactions to two unknown sources. Authorities say both of those trails led to corrupt federal agents who, along with investigating the Silk Road, also appeared to be taking bitcoin for themselves.

“The mere existence of these corrupt government agents was determined to be true by the blockchain,” said Coin Center's Van Valkenburgh.

Success like that has led to a small marketplace of bitcoin intelligence firms cropping up all over the world, attracting a significant influx of cash from the venture capital world. British blockchain firm Elliptic has already raised $5 million for services to monitor the platform for criminal investigations. And the firm Chainalysis has raised $1.6 million and will assist Europol in investigations.

“You’re putting your transactions on an immutable ledger that will never disappear," says Van Valkenburgh. "You can’t eliminate that feature of the blockchain – you’re potentially exposing your entire criminal conspiracy to an audit."
