Hear Andy’s thoughtful commentary on cybercrime, law enforcement, anonymity, privacy, and whether we really need a “war on cryptography” – codes and ciphers that the government can easily crack if it thinks there’s an emergency – to cement our collective online security.
PAUL DUCKLIN. Hey, everybody.
Welcome to this very, very special episode of the Naked Security podcast, where we have the most amazing guest: Mr. Andy Greenberg, from New York City.
Andy is the author of a book I can very greatly recommend, with the fascinating title Tracers in the Dark: The Global Hunt for the Crime Lords of Cryptocurrency.
So, Andy, let’s start off…
…what made you write this book in the first place?
It seems fascinatingly complicated!
ANDY GREENBERG. Yes, well, thank you, Paul.
I guess [LAUGHS]… I’m not sure if that’s a compliment?
DUCK. Oh, it is, it is!
ANDY. Thanks.
So, I’ve covered this world of hackers, and cybersecurity, and encryption for about 15 years now.
And around, let’s see – I guess 2010 – I started working on a book, a different book, that was about the cypherpunk movement in the 1990s…
…and the ways that it gave rise to the modern internet, but also to things like WikiLeaks, and other kinds of encryption, anonymity tools, and ultimately what we now call the dark web, I suppose.
And I’ve always been fascinated with the ways, on this beat, that anonymity can play this fascinating, dramatic role – and allow people to become someone else, or to reveal to you in secret who they really are.
And as I dug into this cypherpunk world, around 2010 and 2011, I came across this thing that seemed to be a new phenomenon in that world of online anonymity – which was Bitcoin.
I wrote, I think, the first print magazine piece about Bitcoin for Forbes magazine in 2011.
I interviewed one of the first Bitcoin developers, Gavin Andresen, for that piece.
And Gavin and many others at the time were describing Bitcoin as a kind-of anonymous digital cash for the internet.
You could actually use this new invention, Bitcoin, to put unmarked bills in a briefcase, basically, and send it across the internet to anyone in the world.
And, being the kind of reporter I am, I’m interested in the subversive and sometimes criminal, sometimes politically motivated… I don’t know, the underhanded and dark corners of the internet.
I just saw how this would enable a new world of… yes, people seeking financial privacy, but also money laundering, and drug dealing online, and all of this that would come to pass in the next few years.
But what I didn’t foresee is that, ten years later or so, it would be by then apparent that Bitcoin is actually the *opposite* of anonymous.
I mean, that’s the big surprise, and the big reveal.
For me, it was a kind of slow-motion epiphany to realise that cryptocurrency was actually *extremely* traceable.
It was the opposite of this “anonymous cash for the internet” that many people once thought it was.
And the result, I think, was that it served as a kind of trap for many people seeking financial privacy… and criminals, over that decade.
And as I realised the extent of this… I fully realised it in 2020 or so.
I began, at the same time, to see that this one company, Chainalysis, a blockchain-analysis Bitcoin cryptocurrency tracing firm, was being named in one US Department of Justice announcement after another in all of these major busts.
And so I started talking to Chainalysis, and then to their customers and law enforcement, and slowly realised that there had been this one small group of detectives that had figured this out much earlier than me.
They had started actually tracing Bitcoins years earlier, and had used this incredibly powerful investigative technique to go on this spree of one massive cybercriminal bust after another…
…using cryptocurrency as this surprise trap that had been laid for so many people on the dark web, and in the cybercriminal world as a whole.
DUCK. Now, I suppose we shouldn’t really be surprised at that, should we, as you explain in the book?
Because the whole idea, at least of the Bitcoin blockchain, is that it is, by design, entirely and completely public and irrevocable.
That’s how it can work as a ledger that’s equivalent to something that would normally be held privately and individually by your bank.
It doesn’t actually have your name on it, but it has a magic identifier that, once tied to you, can’t really be cut loose…
…if there’s other evidence to say, “Yes, long-hexadecimal-string-of-stuff is Andy Greenberg, and here’s why.”
Now try denying it!
So, I think you’re right.
This idea that it’s *possible* to trade anonymously with Bitcoin – I think was taken by very many people to mean that it’s essentially anonymous and ever-untraceable.
But the world is not like that, is it?
ANDY. I sometimes look back on my 2011 self, and in that piece for Forbes, I *did* write that Bitcoin was potentially untraceable.
And I kind of scold myself, “How could you be such an idiot?”
The whole idea of Bitcoin is that there’s a blockchain that records every transaction.
But then I remind myself that even Satoshi Nakamoto, the mysterious creator of Bitcoin (whoever he, she or they are), in their first email to a cryptography mailing list introducing the idea of Bitcoin…
…listed among its features that participants can be anonymous.
That was a feature of Bitcoin as Satoshi described it.
So I think there’s always been this idea that Bitcoin, if it’s not anonymous, at least is pseudonymous, that you can hide behind the pseudonym of your Bitcoin address, and that if you can’t identify anyone’s address, you can’t identify their transactions.
I guess we all should have known… I should have known, and maybe even Satoshi should have known, that, given this massive corpus of data, there would be patterns in it that allow people to identify clusters of addresses that all belong to one person or service.
Or to follow the money from one address to another to find interesting giveaways in this massive collection of data.
The biggest giveaway of all is when you cash in or cash out at a cryptocurrency exchange that has Know-Your-Customer [KYC] requirements, as almost all of them do now.
They have your identity, so if anybody can just subpoena that exchange, then they have your actual driver’s licence in hand.
And any illusion of anonymity just completely backfires.
So that’s the story, I think, of how Bitcoin’s anonymity turned out to be the opposite.
DUCK. Andy, do you think, perhaps, though, that there’s nothing wrong with Satoshi Nakamoto saying, “You *can* be anonymous when you use Bitcoin?”
I think what’s wrong is that a lot of people assume that because technology *can* let you do something that’s desirable for your privacy, therefore, *however you use it*, it always will.
And the original idea of Bitcoin didn’t include exchanges, did it?
And so there wouldn’t be any exchanges that would take a copy of your driving licence if Bitcoin were used in its original kind of cypherpunk way, as far as I can see…
ANDY. Well, I certainly don’t blame Satoshi for not predicting the entire cryptocurrency economy, including the ways that exchanges would interface with the traditional finance world.
It’s all incredibly complex economics; Bitcoin was brilliant enough as it is.
But I do think that it’s more than just, “You *can* be anonymous with Bitcoin if you’re careful, but most people are not careful.”
It turns out, I think, that the likelihood, no matter how smart you are, of using Bitcoin anonymously is vanishingly small.
Also, there is the property of blockchain *that it’s forever*.
So, if you use the kind of smartest ideas of the day to try to avoid any of these patterns that reveal your transactions on the blockchain, but then someone years later figures out a new trick to identify transactions…
…then you’re still screwed.
They can go back in time, and use their new ideas to foil your cutting-edge anonymity tricks from years earlier.
DUCK. Absolutely.
With a bank fraud you can imagine you *might* get lucky, couldn’t you?
That just when you’re about to be investigated, years later, you find the bank’s had a data security disaster, and they’ve lost all their backups and, oh, they can’t recover the data…
With the blockchain, that ain’t never going to happen! [LAUGHS]
Because everybody’s got a copy, and that’s a requirement for the system to work as it does.
So, once locked in, always locked in: it can never be lost.
ANDY. That’s the thing!
To be anonymous with cryptocurrency, you really have to be perfect – perfect all the time.
And to catch someone who’s trying to be anonymous with cryptocurrency slipping up, you just have to be smart, and persistent, and work on it for years, which is what, first, Chainalysis…
…actually, first was academic researchers like Sarah Meiklejohn at the University of California at San Diego, who, as I document in the book, came up with a lot of these techniques.
But then Chainalysis, this startup that’s now almost a nine-billion-dollar unicorn, selling polished cryptocurrency tracing tools to law enforcement agencies.
And now, all of these law enforcement agencies that have skilled Bitcoin tracers – their savvy, their know-how in doing this, is just growing by leaps and bounds.
And I think it’s almost just a better rule to say, “No, you cannot be anonymous with cryptocurrency,” that it’s totally transparent.
That’s a safer way to operate, almost.
To be fair, Satoshi Nakamoto said participants *can* be anonymous… but it turns out that the only participant who has *remained* anonymous is Satoshi Nakamoto.
And that’s, in part, because very few people have that other-worldly restraint that Satoshi had, to amass a million Bitcoins and then never spend them or move them.
If you do that… yes, I think you can perhaps be anonymous.
But if you ever want to use your cryptocurrency, or to put it in a liquid form where you can spend it, then I think you’re toast.
DUCK. Yes, because there are some amazing things that have happened, one of which you allude to because it was in the works just at the end of the book…
…[LAUGHS] what I call the Crocodile Lady and her husband: Heather Morgan and Ilya Lichtenstein.
Self-styled “Crocodile of Wall Street” arrested with husband over Bitcoin megaheist
They’re alleged to have somehow acquired a whole load of cryptocoins from a cryptocurrency bank robbery against Bitfinex.
In their case, they acquired stolen cryptocurrencies in vast quantities, so that they would quite literally have been billionaires *if they could have cashed it out*.
But when bust, they still had the vast majority of that stuff sitting around.
So it seems that, in a lot of cryptocurrency crimes, your eyes can be a lot bigger than your stomach.
You may live the high life a little bit… the Crocodile Lady and her husband, it does seem they were living quite a flash lifestyle.
But when they were bust, what was the amount?
It was more than $3 billions’ worth of Bitcoins that they had, but couldn’t cash out.
ANDY. The Department of Justice said that they seized $3.6 billion from them.
That was the biggest seizure not just of cryptocurrency in history, but of money in the history of the Department of Justice.
In fact, as I document in the book… actually, one of these happened after the book, but the IRS criminal investigators, who are the main subjects of this book, have now pulled off the first, second, and third-biggest seizures of money in American criminal justice history, by following cryptocurrency and seizing Bitcoins.
Your point is absolutely right, which is that cryptocurrency is easy to steal, it turns out… that’s, I think, one of its big drawbacks for the businesses, like exchanges, that have to hold sometimes billions of dollars in a kind of digital safe.
But then once you do steal it, once you pull off one of these massive heists – and two of the three of the cases that we’re discussing are actually people who stole money from the Silk Road dark web drug market…
DUCK. Yes [LAUGHS]… when you steal from a crook, it’s still a crime, eh?
ANDY. [LAUGHS] Yes, unfortunately – for those crooks, anyway.
DUCK. One of the most intriguing bits for me in the book was somebody that you identify as “Individual X”, only because that’s the way they were identified by the court.
This individual had stolen 70,000 Bitcoins, and was busted, and basically gave them back… sort-of in return for getting let off.
They didn’t get prosecuted, they didn’t go to jail, they didn’t – I imagine – even get a criminal record.
And they were never named.
ANDY. That’s right.
DUCK. So that seems like an almost unreadable thriller, doesn’t it?
If we look forward a few years, now that Bitcoin’s… what, in the last year, it’s gone down to about a third of its value; Ether is down to about a third; Monero is about half.
Do you think that that gambit of saying, “I’ll give the money back, let me off” would have worked if the prices were reversed, and what they were handing back was now worth a fraction of what it was when it was stolen?
Or do you think that Individual X was lucky because what they had to hand back was actually worth far more than when they stole it?
ANDY. I think it’s the latter.
Individual X stole that money while the Silk Road was still online…
DUCK. Wow!
So that would have been when BTC was, what, hundreds [of dollars] then?
ANDY. Yes, probably, or thousands at most – Silk Road went offline in 2013, when Bitcoin had just broken through $1000, if I remember.
This person (I don’t want to say “man” – who knows who Individual X is?) sat on those 70,000 Bitcoins for seven years, ultimately…
…probably, exactly as you said, just terrified to move them or cash them out for fear of being caught.
DUCK. Yes, can you imagine?
“Hey, I’m a millionaire!”
“Hey, I’m a *billionaire*!”
“Oh, golly, but where am I going to get my rent money?”
[LAUGHS] Shouldn’t laugh….
ANDY. As you say – like the hand caught in the cookie jar!
The hand just gets bigger and bigger until it’s all-consuming, and you cannot move it, you can’t get it out.
In fact, even without trying to get it out, IRS criminal investigators found it through other means, including the seizure of the BTC-e exchange, which was a kind-of money-laundering, criminal Bitcoin exchange.
DUCK. That was a rogue exchange that basically did as little as is humanly possible along the Know Your Customer front?
“Ask no questions, tell no lies,” that kind of thing?
Is that right?
ANDY. Yes, exactly.
That was another surprise for many users who believed that, “Maybe I can use BTC-e a little bit and not get caught, because that doesn’t have Know Your Customer, that doesn’t co-operate with law enforcement.”
But, still, when that exchange was busted and its servers seized, that provided more clues to the IRS.
That helped, in fact, to identify who Individual X was… I don’t know who they are, but the government does.
And to knock on his or her door and say, “Hey, hand over a billion dollars or you’re going to jail,” and that’s exactly what happened.
Now, poor James Zhong is a very similar case.
Silk Road drugs market hacker pleads guilty, faces 20 years inside
He seems to have taken 50,000 Bitcoins from the Silk Road, probably around the same time, and then held onto them for even longer.
And then, a year after Individual X, Zhong got a knock on his door…
Similarly, they had traced the money, though he had just left it sitting on a USB drive in a popcorn tin under the floorboards of his closet.
In his case, he didn’t manage to make a deal somehow, and he’s being criminally charged.
DUCK. *And* he has given the money back, obviously?
[WRY LAUGH] Aaaargh!
ANDY. He was a Bitcoin billionaire, and now is facing criminal charges… and never got to even spend his loot.
The Bitfinex case, I don’t know… I have less sympathy for them because they actually were trying to launder a massive theft from a legitimate business.
And they did, I think, launder some of it.
They tried several different clever techniques.
They put the money through…. I mean, this is all alleged, I should say; they’re still innocent until proven guilty, this couple in New York.
But they tried to put the money through the AlphaBay dark web market as a kind of laundering technique, thinking that would be a black box that law enforcement wouldn’t be able to see through.
But then AlphaBay was busted and seized.
That’s perhaps the biggest story I tell in the book, the most exciting cloak-and-dagger story: how they tracked down the kingpin of AlphaBay in Bangkok and arrested him.
DUCK. Yes… spoiler alert, that’s where the helicopter gunships come in!
ANDY. [LAUGHS] Yes!
Yes, and much more!
I mean, that story is one of the craziest that I’ll probably tell in my career…
But then, also, this New York money-laundering couple tried to put some of the money through Monero, a cryptocurrency that’s advertised as a privacy coin, a potentially truly untraceable cryptocurrency.
And yet, in the IRS documents where they describe how they caught this couple in New York, they show how they continued to follow the money, even after it’s exchanged for Monero.
So that was a sign to me that perhaps even Monero – this newer, “untraceable” cryptocurrency – is a bit traceable too, to some degree.
And perhaps this trap persists… that even coins that are designed to outstrip Bitcoin in terms of their anonymity are not all they’re cracked up to be.
Although I should say that Monero people hate it when I even say this out loud, and I don’t know how that worked…
…all I can say is that it looks very possible that Monero tracing was used in that case.
DUCK. Well, there could be some operational security blunders that the Crocodile Lady and her husband made as well, that kind of tied it all together.
So, Andy, I’d like to ask you, if I may…
Thinking of cryptocurrency tokens like Monero, which as you say, is meant to be more privacy focused than Bitcoin because it inherently, if you like, joins transactions together.
And then there’s also Zcash, designed by cryptography experts specifically using technology known in the jargon as zero-knowledge proofs, which is at least supposed to work so that neither side can tell who the other is, yet it’s still impossible to double-spend…
With all eyes on these much more privacy-focused tokens, where do you think the future is going?
Not just for law enforcement, but where do you think it might drag our legislators?
There’s certainly been a fascination for decades, among sometimes very influential parliamentarians, to say, “You know what, this encryption thing, it’s actually a really, really bad idea!”
“We need backdoors; we need to be able to break it; somebody has to ‘think of the children’; et cetera, et cetera.”
ANDY. Well, it’s interesting to talk about crypto backdoors and the legal debate over encryption that even law enforcement can’t crack.
I think that, in some ways, the story of this book shows that that’s often not necessary.
I mean, the criminals in this book were using traditional encryption – they were using Tor and the dark web, and none of that was cracked to bust them.
Instead, investigators followed the money and *that* turned out to be the backdoor.
It’s an interesting parable, and a good example of how, very often, there’s a side-channel in criminal operations, this “other leak” of information that, without cracking the main communications, offers a way in…
…and doesn’t necessitate any kind of backdoor in Tor, or the dark web, or Signal, or hard disk encryption, or whatever.
In fact, speaking of ‘thinking of the children’, one of the last major stories that I dig deeply into in the book is the bust of the Welcome To Video market for child sexual abuse videos that accepted cryptocurrency.
And as a result, the IRS investigators at the centre of the book were able to track down and arrest 337 people around the world who used that market.
It was the biggest bust of what we call child sexual abuse materials, by some measures, in history…
…all based on cryptocurrency tracing.
DUCK. And they didn’t have to do anything that you would really consider privacy-violating, did they?
They quite literally followed the money, in a trail of evidence that was public by design.
And in conjunction, admittedly, with warrants and subpoenas from places where the money popped out, and where internet connections were made, they were able to identify the people involved…
…and largely to avoid trampling on millions of people who had absolutely no connection with the case whatsoever.
ANDY. Yes!
I think that it’s an example of a way to do… it is, in some ways, mass surveillance – but mass surveillance in a way that nonetheless doesn’t require weakening anybody’s security.
I guess that cryptocurrency users, and people who believe in the power of cryptocurrency for enabling activists, and dissidents, and journalists, and money transmissions to countries like Ukraine, that need injections of money for survival…
They would argue that, nonetheless, we need to fix cryptocurrency to make it as untraceable as we once thought it would be.
And that’s where we get into the new, I would say *a* new, crypto-war over cryptocurrency.
We’re just starting to see the beginning of that with tools like Monero and Zcash, as you said.
I do think that there will probably still be surprises about the ways that Monero can be traced.
I’ve seen a leaked Chainalysis document where they told Italian law enforcement… it’s a presentation in Italian to the Italian police from Chainalysis, where they say that they can trace Monero, in the majority of cases, to find a usable lead.
I don’t know how they do that, but it does seem like it’s probabilistic more than definitive.
Now I don’t think a lot of people understand – that’s often enough for law enforcement to get a subpoena, to start subpoenaing cryptocurrency exchanges, just based on a probabilistic guess.
They can just check every possibility, if there are just few enough of them.
DUCK. Andy, I’m conscious of time, so I’d like to finish up now by just asking you one final question, and that is…
In ten years’ time, do you see yourself being in a position where you’ll be able to write a book like this one, but where the “unravelling” parts are even more fascinating, complicated, exciting, and amazing?
ANDY. I tried, with this book, *not* to make too many predictions.
And, in fact, the book begins with this “mea culpa” that ten years ago I believed exactly the wrong thing about Bitcoin.
So nobody should listen to any ten-year prediction that I have!
[LAUGHTER]
But the easiest prediction to make, that *has* to be true, is that this cat-and-mouse game will still be going on in ten years.
People will still be using cryptocurrency thinking that they’ve outsmarted the tracers…
…and the tracers will still be coming up with new tricks to prove them wrong.
The stories, as you say, will, I think, be much more convoluted because they’ll be dealing with these cryptocurrencies like Monero, that build in vast mix-networks, and Zcash, which has zero-knowledge proofs.
But it does seem that there’ll always be some way – and maybe not even cryptocurrency, but in some other side channel… as I was saying, there will be a new one that unravels the whole thing.
But there’s no question that this cat-and-mouse game will go on.
DUCK. And I’m sure there’ll be another Tigran Gambaryan sometime in the future for you to interview?
ANDY. Well, I do think the game of anonymity…
…it does favour the Tigran Gambaryans of the world.
They, as I said, just have to be persistent and smart.
But the mice in this cat-and-mouse game have to be perfect.
And no one is perfect.
DUCK. Absolutely.
ANDY. So, if I do have to make a prediction…
…then I would just place my bet on the cats, on the Tigran Gambaryans of the world.
DUCK. [LAUGHS] Andy, thank you so much.
Before we go, why don’t you tell our listeners where they can get your book?
ANDY. Yes, thank you, Paul!
The book is called “Tracers in the Dark: The Global Hunt for the Crime Lords of Cryptocurrency.”
[ISBN 978-0-385-54809-0]
And it’s available at all the normal places books are sold.
But if you go to https://andygreenberg.net/, then you can just find links to a bunch of places.
DUCK. Andy, thank you so much for your time.
It was as fascinating talking to you and listening to you as it was reading your book.
I recommend it to anybody who wants a galloping read that’s nonetheless detailed and insightful about how law enforcement works…
…and, importantly, why criminal convictions for cybercrimes sometimes only happen years after the crime took place.
The devil really is in the details.
ANDY. Thanks, Paul.
It’s been a super-fun conversation.
I’m just glad you enjoyed the book!
DUCK. Excellent!
Thanks to everybody who listened.
And, as always: Until next time, stay secure!
[MUSICAL MODEM]