red 
Earlier this month, the US Department of Justice (DOJ) indictment of Russian hackers described how twelve Russian intelligence operatives allegedly used a series of cyberattacks to interfere in the 2016 US presidential election.
A DOJ investigation found that the attacks were facilitated by infrastructure purchased with cryptocurrency. Perhaps it should come as no surprise that hackers have chosen to use cryptocurrencies as a means of concealing their identity. This serves as a significant fact, but it is even more noticeable that the attempt to make their activity invisible has failed.
The indictment claims that operatives, officers of the GRU (Russian military intelligence agency), hacked the email accounts of employees and volunteers of Hillary Clinton’s presidential campaign, as well as the computer systems of the Democratic Congressional Campaign Committee and the Democratic Party. National Committee. Tens of thousands of documents were allegedly stolen by these hacks and then released using fictitious online personas, including “DCleaks” and “Guccifer 2.0”.
Bitcoin was the primary means of payment for infrastructure used in hacking activities, including website domain registrations, servers and VPN services. The indictment explains that the cryptocurrency was used to conceal ties to Russia and the Russian government, “by avoiding direct relationships with traditional financial institutions, allowing them to avoid greater scrutiny of their identity and source of funds.”
The operatives took measures to further disguise the source of these bitcoins and prevent them from being traced back to an account and tied to an individual. This included using peer-to-peer exchanges, transferring to and from other cryptocurrencies and using prepaid cards. The DOJ also alleges that the operatives mined their own bitcoins, providing them with funds without a previous transaction history on the blockchain that could be used to trace their origins.
Fighting bad actors with Bitcoin Blockchain Analysis
Despite the measures taken by GRU officers, an analysis of the bitcoin blockchain allowed investigators to link the online persons used to leak the stolen data back to the police officers themselves:
- Analysis of the bitcoin blockchain revealed that the same pool of bitcoins used to register the dcleaks.com domain was also used by the GRU to purchase other domains used in the GRU’s phishing operations.
- Funds from the same bitcoin address were used to purchase a VPN service that was used to log into the @Guccifer_2 Twitter account, and to rent a Malaysian server that hosted the dcleaks.com website.
The indictment does not mention any specific bitcoin addresses or transaction IDs associated with this activity, but describes a transaction made by one of the operatives:
By searching the bitcoin blockchain for transfers of exactly this value, we can identify the specific transaction this corresponds to, made on February 1, 2016:
Using Forensic software from Ellipticwe can determine the source of the funds used in this transaction. Elliptic identified the funds as coming from a European-based exchange that allows the exchange of US dollars, euros and Russian rubles for cryptocurrencies, including bitcoin.
Cryptocurrency forensics foiled again
The DOJ indictment is not the first documented use of cryptocurrency to pay for infrastructure used by Russian intelligence-linked hacking groups. Late 2017 Elliptic worked with the BBC investigate the use of Bitcoin by the cyber espionage group “Fancy Bear”, which is registered that he is connected to the GRU, which is connected to the same attack on the Democratic National Committee that is alleged in the DOJ indictment.
The DNC hack, as well as others targeting the German Parliament 2014, attendees Farnborough Air Showand numerous Apple device users, were connected to or committed from computers rented from “Crookservers”, a server distributor based in the UK and Pakistan.
Over the course of three years, Fancy Bear rented numerous servers from Crookservers, remaining anonymous by using fake identities, VPNs, and bitcoin payments.
Elliptic analyzed these bitcoin transactions and was able to trace them back to a central wallet, apparently controlled by Fancy Bear. Bitcoins in this wallet are further traced to a number of sources including:
- BTC-e, a cryptocurrency exchange that was shut down by the US Department of Justice in July 2017. It allowed trading between the US dollar, Russian ruble, euro and various cryptocurrencies. Russian citizen Alexander Vinnik was arrested in Greece for his alleged role in running BTC;
- An online exchange, believed to be based in Slovakia, that allows the exchange of cryptocurrencies and other digital currencies such as Webmoney and Perfect Money;
- The same European cryptocurrency exchange identified above as the source of funds for payments made by “gfadel47,” as detailed in the DOJ indictment.
It is clear that cryptocurrencies are emerging as a key tool to support espionage and cyber-attacks carried out by nation-states. North Korea has been linked to the Wannacry ransomware that caused widespread disruption around the world in May 2017, and cryptocurrency payments have been touted as a means by intelligence agencies to agents of the fund abroad.
The same properties of cryptocurrencies that make them attractive to criminals, such as resistance to censorship, pseudonymity, and the ease with which they can be transferred across borders, also make them valuable tools for any nation-state actors seeking to finance covert operations.
However, the Justice Department’s indictment makes clear that analysis of blockchain transactions can be used to trace the flow of funds, link actors together, and potentially identify them. While crypto may seem attractive for engaging in illicit activities, software like Elliptic Forensics exists to help law enforcement and regulators track the flow of funds and potentially identify who is behind such acts.
