It won't be easy for WannaCry hackers to get their cash
Congrats. You’ve just pulled off a global ransomware attack.
Now comes the hard part: Accessing your money.
WannaCry ransomware is believed to have infected more than 200,000 systems in over 150 countries since it was first reported on May 12, encrypting computers and demanding Bitcoin payments from unlucky victims in the process.
Although the attack has mostly stopped spreading, the ransom continues to pile up in three Bitcoin addresses presumably controlled by those responsible. But with the eyes of the world’s law enforcement locked on those very addresses, will the perpetrators ever see a millibit of their ill-gotten gains?
Bitcoin crashed into public view with the 2013 downfall of the dark web marketplace the Silk Road. The cryptocurrency isn’t explicitly tied to a person’s real-world name, which made it well suited for the type of illegal online transactions that made the Silk Road famous.
However, that doesn’t mean Bitcoin transactions can’t be tracked.
Transactions are public and recorded in the blockchain by design. In the case of WannaCry ransom payments, there’s even a Twitter bot set up to monitor both the balance of the three Bitcoin addresses in question and whether anything is withdrawn or transferred out.
Which brings us back to the person or persons responsible for the latest attack. How can they turn their Bitcoin into cash, be that euro, dollar, or renminbi, without being identified and apprehended in the process?
According to one expert, Adam Gibson, the answer is not likely to please anyone seeking justice.
“Assuming the criminals are sophisticated, they have quite a range of options, though I suppose none are without risk,” Gibson, who is one of the main contributors to the Bitcoin anonymizing service JoinMarket, explained.
That the options are risky will likely not slow down the culprits behind what is being described as the largest ransomware attack ever. It will, however, force those responsible to go to unusual lengths to obscure the source of their ransomed Bitcoin, or risk losing their freedom along with their BTC.
Let’s assume the attacker wants his or her hard-earned cryptocurrency, but doesn’t want to give away identifying information while converting it into cash. Hiding the source of the funds would be a good start, but how do you launder Bitcoin?
There are quite a few ways, it turns out, though all offer varying degrees of reliability. People looking for some anonymity in their Bitcoin, not just criminals, can use services known as mixers or tumblers. These let people essentially throw their BTC into a virtual pot and get fresh BTC out (minus a service fee).
Another option would be to use a service like ShapeShift to exchange tumbled BTC for a more privacy-focused cryptocurrency like Monero. ShapeShift allows account-free exchanges between digital currencies, and converting tumbled BTC to Monero, then Monero back to BTC, and then tumbling that again would make the gains from WannaCry exceptionally hard to track.
The problem with all of this is that the Bitcoin addresses used by the WannaCry attackers have a huge target painted on them by law enforcement, and tumbling services or exchanges like ShapeShift may decline the transactions as a result.
In that case, the attackers would be right back where they started, staring at BTC just out of their reach.
But all is not lost. The aforementioned JoinMarket, which is a decentralized method of making joint payments (called “CoinJoin”) and thus confusing third parties as to the source of Bitcoin, has no centralized authority that would decline a potentially blacklisted address like the ones used by the WannaCry attackers.
Gibson confirmed that JoinMarket is one of numerous possible ways an individual could theoretically hide the source of BTC, even pointing to a recent case where it appears someone moved almost $800,000 worth of stolen Bitcoin through JoinMarket.
“I suspect, though for sure don’t know, that this mixing effort was successful in allowing them to move and trade the coins elsewhere,” he explained.
As to the legality of these services? Basically, it’s a gray area.
“[It’s] difficult to even begin to work it out,” Gibson noted. “[Any] bitcoin transaction with more than one input and more than one output could be a coinjoin, so it’s kinda hard to see exactly how it would be determined what kind of transaction is ‘illegal.’”
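The public-ledger monitoring described earlier (the bot watching the three ransom addresses) and the CoinJoin shape Gibson describes can both be illustrated with a small offline watcher. This is an added example, not the article's or JoinMarket's code; the ledger, addresses and txids are constructed placeholders, and the "several equal-sized outputs" rule is an assumed heuristic for JoinMarket-style joins, not a definitive test.

```python
from collections import defaultdict

# Constructed, simplified ledger: each transaction lists its inputs and
# outputs as (address, amount in BTC). Addresses and txids are placeholders.
LEDGER = [
    {"txid": "tx1", "inputs": [("victimA", 0.18)],
     "outputs": [("ransom1", 0.17), ("victimA", 0.01)]},      # ransom payment
    {"txid": "tx2", "inputs": [("victimB", 0.30)],
     "outputs": [("ransom2", 0.29)]},                           # ransom payment
    {"txid": "tx3", "inputs": [("ransom1", 0.17), ("mixerX", 0.20), ("mixerY", 0.25)],
     "outputs": [("out1", 0.10), ("out2", 0.10), ("out3", 0.10),
                 ("chg1", 0.07), ("chg2", 0.14)]},              # joint spend
]
WATCHED = {"ransom1", "ransom2", "ransom3"}   # placeholder ransom addresses


def balances(ledger, watched):
    """Current balance of each watched address, summed from the public ledger."""
    bal = defaultdict(float)
    for tx in ledger:
        for addr, amt in tx["inputs"]:
            if addr in watched:
                bal[addr] -= amt
        for addr, amt in tx["outputs"]:
            if addr in watched:
                bal[addr] += amt
    return {addr: round(bal[addr], 8) for addr in watched}


def looks_like_coinjoin(tx, min_equal=3):
    """Article's observation: >1 input and >1 output could be a CoinJoin.
    Assumed extra heuristic: JoinMarket-style joins show several equal outputs."""
    if len(tx["inputs"]) < 2 or len(tx["outputs"]) < 2:
        return False
    counts = defaultdict(int)
    for _, amt in tx["outputs"]:
        counts[round(amt, 8)] += 1
    return max(counts.values()) >= min_equal


def outgoing_alerts(ledger, watched):
    """Report every transaction that spends from a watched address, and whether
    that spend is shaped like a CoinJoin (the signal an analyst would escalate)."""
    alerts = []
    for tx in ledger:
        spent = [(a, amt) for a, amt in tx["inputs"] if a in watched]
        if spent:
            alerts.append({"txid": tx["txid"], "spent": spent,
                           "coinjoin_like": looks_like_coinjoin(tx)})
    return alerts
```

Run against a real node or block explorer export, the same two functions give the balance the Twitter bot reports and an alert the moment ransom coins move into a join.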
Cash is king
But what if you just want to take the money and run? The idea of quickly turning the ransomed Bitcoin into dollar bills and then disappearing certainly has some appeal, and there are ways to sell tainted BTC for cash.
Doing it anonymously, on the other hand, is tricky.
While companies like CoinSource offer what they refer to as a Bitcoin ATM Network, allowing people to buy or sell BTC at 109 machines around the U.S., there are limits in place that mean selling large amounts of criminally tainted Bitcoin through these machines would not be the smartest idea.
In the case of WannaCry, even if the attackers were in the U.S. and near these machines they would run into problems. A CoinSource spokesperson confirmed that their ATMs have a daily limit of $3,000, and that any transaction over $800 requires an ID.
What’s more, CoinSource reports to the United States Financial Crimes Enforcement Network and the United States Office of Foreign Assets Control, two organizations you’re looking to steer clear of if you’re behind WannaCry.
One way around these roadblocks would be to sell the Bitcoin via a local peer-to-peer exchange like LocalBitcoins. LocalBitcoins operates in 248 countries and lets you set your own terms for transactions, including requiring cash, and meet in person to conduct them.
This would be a straightforward way to exchange the ransomed BTC for cash, but you’d still need to break the total into smaller amounts to avoid detection and find enough people looking to quickly score cryptocurrency.
Oh, and it would help if those people were not undercover cops.
There is another option.
The amount of ransom sitting in those three Bitcoin addresses is actually not that much when you consider the scale of the attack. That’s because despite WannaCry’s success in spreading, thanks in part to the leaked NSA exploit EternalBlue, only a fraction of victims have paid up. We know this because, again, Bitcoin transactions are public.
At the time of this writing, the combined addresses show a total of just around 41 BTC in ransom payments. That equals approximately $72,000. And while that amount will certainly increase, it may not go up all that much.
Word appears to have gotten out that the attackers are not providing decryption keys, even in cases where people have paid. And without those keys, victims aren’t going to regain access to their data.
A lot of reports that people have paid the ransom and not gotten decryption keys. The system looks manual, which is unlikely to scale.
For victims, the calculus of deciding whether or not to pay changes dramatically when they can be reasonably sure that they won’t be given the decryption keys either way. Why pay if your data is lost regardless of what you do?
DO NOT PAY the ransom for WCRY, a manual human operator must activate decryption from the Tor C2. See screenshots, I’ve attempted to hack it… pic.twitter.com/xzbK8eqw3Q
— Hacker Fantastic (@hackerfantastic) May 14, 2017
And so with law enforcement agencies from around the world on the hunt for the perpetrator, whoever released WannaCry may simply decide to cut their losses and walk away, leaving the ransom untouched and inaccessible in the process.
In the end, though, why go to all this trouble just to leave the money sitting on the proverbial table?
Especially if you can get away with it.
Gibson believes that it’s technically feasible for the attackers to escape with their loot in tow. Whether or not they actually pull that off, however, all comes down to their level of sophistication.
“[What] I’ve seen (I’ve only followed the story a bit) is anything but sophisticated, with only three receiving addresses, which seems amateurish to say the least,” wrote Gibson. “Alternatively, it’s a deliberate attempt to *look* amateurish, who knows :)”
And that’s the thing about ransomware and cryptocurrency: it’s almost impossible to know who’s doing what until someone slips up. And you better believe the actors behind WannaCry are doing their best to make sure that never happens.