In mid-January 2023, the Bitzlato trading platform was shut down by law enforcement agencies. Six people were arrested and assets worth over 16 million euros were seized. The result of an investigation opened since September 2022 by the Paris prosecutor’s office. A surprise? Not really.
Cybercriminals have no shortage of inventiveness to cover their tracks. They are also trying to move away from Bitcoin, in favor of other cryptocurrencies, with more or less success. Particularly as investigators are increasingly adept at tracking financial movements in bitcoin. And the examples that illustrate it multiply. But how do we do it, in practice?
The MagIT editorial team made itself, in 2021, to follow the activity of the Avaddon and Conti groups, relying on tools accessible to all, in addition to those of Crystal Blockchain, starting with its explorer, free to use with some limitations .
Transactions recorded in the Bitcoin blockchain can be viewed by anyone. They are public and that is one of the key features of this blockchainwith its traceability.
In practice, there is no shortage of tools and services for this. But most are very limited: They allow you to see what has been received on a Bitcoin payment address and what is left, or even the details of a transaction.
This data is very insufficient to track financial flows and truly monitor the activity of cybercriminals. Other tools, graphs, allow you to go further. One of those of learnmebitcoin for example, it allows you to search for connection points between Bitcoin addresses. Problem: Some spots may just be trading platforms. Not enough to draw any conclusions about the activity of cybercriminals. However, a very large number of transactions allow you to identify them and leave them aside.
Some addresses of considerable interest could therefore emerge, as they reappear frequently, but without displaying thousands of transactions on the counter. Long before the leaks involving the Conti group, we were able to identify the address assigned 1AXiwETqqQoA52Jk5CmJkbAPuW8nR7VUYz, by the famous Conti Leaks, aft. ClearSky Security and Whitestream also spotted it, along with another address: 1NuPogvydJWfTGVp41Rgghqw8MNMjTh3.
Some addresses are notable for being used for consolidation purposes: portions of ransom payments paid as a result of cyber-attacks regularly end up there, whether intended for a trustee or a franchise operator. Once these addresses have been identified, the exercise is to try to go back in time to identify the transactions that contributed to the feed into the address and which most likely resulted in ransom payments.
Since the patterns of revenue distribution between franchise operators and trustees are more or less known, old payments can be identified. Furthermore, it is possible to estimate whether an address is used by a franchisee or a franchisee.
More effective tools
In the last couple of years there has been a major development, in addition to the Conti Leaks : Awareness of ransom bitcoin payment addresses has improved significantly.
The Ransomwhe.re initiative of Jack Cable, now Senior Technical Advisor of the US Cybersecurity and Infrastructure Security Agency (CISA), has collected and made available, in open source, more than 7 500 addresses that have been used for ransom payments. CISA itself has made them public, for example for the group Karakurt in June 2022.
This knowledge makes it possible to allocate addresses or even group them in bitcoin financial flow analysis tools. Already at the beginning of 2021 Chainalysis had thus revealed links between Maze and Suncrypt, suggesting the existence of an affiliate who worked for the two franchises. Another emerging link between Egregor and DoppelPaymer.
This knowledge is added to another: that of the addresses belonging to the wallets managed by the exchange platforms. Because of course cybercriminals do not fail to use such platforms. For example, in late May 2022, a member of the Conti galaxy transferred over 75 btc to RenVM’s bitcoin reserve.
Enough to allow the seizure, at least in part, of paid ransoms, such as for Colonial Pipeline, in particular, or the adoption of sanctions against exchange platforms that refuse to cooperate with the authorities, such as Suex, in September 2021. Many actions involved in the fight against cybercrime.