Hear Andy’s considerate commentary on cybercrime, legislation enforcement, anonymity, privateness, and whether or not we actually want a “warfare in opposition to cryptography” – codes and ciphers that the federal government can simply crack if it thinks there’s an emergency – to cement our collective on-line safety.
PAUL DUCKLIN. Hey, all people.
Welcome to this very, very particular episode of the Bare Safety podcast, the place now we have essentially the most wonderful visitor: Mr. Andy Greenberg, from New York Metropolis.
Andy is the creator of a e-book I can very enormously advocate, with the fascinating title Tracers within the Darkish: The International Hunt for the Crime Lords of Cryptocurrency.
So, Andy, let’s begin off…
..what made you write this e-book within the first place?
It appears fascinatingly sophisticated!
ANDY.GREENBERG. Sure, effectively, thanks, Paul.
I assume [LAUGHS]… I’m unsure if that’s a praise?
DUCK. Oh, it’s, it’s!
ANDY. Thanks.
So, I’ve coated this world of hackers, and cybersecurity, and encryption for about 15 years now.
And round, let’s see – I assume 2010 – I began engaged on a e-book, a unique e-book, that was in regards to the cypherpunk motion within the Nineties…
…and the ways in which it gave rise to the trendy web, but in addition to issues like WikiLeaks, and different kinds of encryption, anonymity instruments, and finally what we now name the darkish internet, I suppose.
And I’ve at all times been fascinated with the methods, on this beat, that anonymity can play this fascinating, dramatic function – and permit individuals to grow to be another person, or to divulge to you in secret to who they really are.
And as I dug into this cypherpunk world, round 2010 and 2011, I came across this factor that appeared to be a brand new phenomenon in that world of on-line anonymity – which was Bitcoin.
I wrote, I feel, the primary print journal piece about Bitcoin for Forbes journal in 2011.
I interviewed one of many first Bitcoin builders, Gavin Andresen, for that piece.
And Gavin and lots of others on the time have been describing Bitcoin as a kind-of nameless digital money for the web.
You would really use this new invention, Bitcoin, to place unmarked payments in a briefcase, mainly, and ship it throughout the web to anybody on this planet.
And, being the form of reporter I’m, I’m within the subversive and typically legal, typically politically motivated… I don’t know, the underhanded and darkish corners of the web.
I simply noticed how this is able to allow a brand new world of… sure, individuals looking for monetary privateness, but in addition cash laundering, and drug dealing on-line, and all of this that may come to move within the subsequent few years.
However what I didn’t foresee is that, ten years later or so, it will be by then obvious that Bitcoin is definitely the *reverse* of nameless.
I imply, that’s the large shock, and the massive reveal.
For me, it was a form of slow-motion epiphany to understand that cryptocurrency was really *extraordinarily* traceable.
It was the other of this “nameless money for the web” that many individuals as soon as thought it was.
And the outcome, I feel, was that it served as a form of entice for many individuals looking for monetary privateness… and criminals, over that decade.
And as I realised the extent of this… I absolutely realised it in 2020 or so.
I started, on the identical time, to see that this one firm, Chainalysis, a blockchain-analysis Bitcoin cryptocurrency tracing agency, was being venked in a single US Division of Justice announcement after one other in all of those main busts.
And so I began speaking to Chainalysis, after which to their clients and legislation enforcement, and slowly realised that there had been this one small group of detectives that had figured this out a lot sooner than me.
They’d began really tracing Bitcoins years earlier, and had used this extremely highly effective investigative approach to go on this spree of 1 large cybercriminal bust after one other…
…utilizing cryptocurrency as this shock entice that had been laid for thus many individuals on the darkish internet, and within the cybercriminal world as a complete.
DUCK. Now, I suppose we shouldn’t actually be shocked at that, ought to we, as you clarify within the e-book?
As a result of the entire thought, not less than of the Bitcoin blockchain, is that it’s, by design, totally and totally public and irrevocable.
That’s the way it can work as a ledger that’s equal to one thing that may usually be held privately and individually by your financial institution.
It doesn’t even have your identify on it, nevertheless it has a magic identifier that, as soon as tied to you, can’t actually be reduce unfastened…
…if there’s different proof to say, “Sure, long-hexadecimal-string-of-stuff is Andy Greenberg, and right here’s why.”
Now strive denying it!
So, I feel you’re proper.
This concept that it’s *potential* to commerce anonymously with Bitcoin – I feel was taken by very many individuals to imply that it’s basically nameless and ever-untraceable.
However the world isn’t like that, is it?
ANDY. I typically look again on my 2011 self, and in that piece for Forbes, I *did* write that Bitcoin was doubtlessly untraceable.
And I type of scold myself, “How might you be such an fool?”
The entire thought of Bitcoin is that there’s a blockchain that data each transaction.
However then I remind myself that even Satoshi Nakamoto, the mysterious creator of Bitcoin (whoever he, she or they’re), of their first e mail to a cryptography mailing record introducing the thought of Bitcoin…
…listed amongst its options that individuals could be nameless.
That was a characteristic of Bitcoin as Satoshi described it.
So I feel there’s at all times been this concept that Bitcoin, if it’s not nameless, not less than is pseudonymous, that you could cover behind the pseudonym of your Bitcoin deal with, and that when you can’t determine any individual’s deal with, you may’t determine their transactions.
I assume all of us ought to have identified… I ought to have identified, and possibly even Satoshi ought to have identified, that, given this large corpus of knowledge, there could be patterns in it that enable individuals to determine clusters of addresses that each one belong to 1 particular person or service.
Or to observe the cash from one deal with to a different to seek out attention-grabbing giveaways on this large assortment of knowledge.
The largest giveaway of all is if you money in or money out at a cryptocurrency trade that has Know-Your-Buyer [KYC] necessities, as nearly all of them do now.
They’ve your id, so if any individual can simply subpoena that trade, then they’ve your precise driver’s licence in hand.
And any phantasm of anonymity simply fully backfires.
So that’s the story, I feel, of how Bitcoin’s anonymity turned out to be the other.
DUCK. Andy, do you suppose, maybe, although, that there’s nothing mistaken with Satoshi Nakamoto saying, “You *can* be nameless if you use Bitcoin?”
I feel what’s mistaken is that a lot of individuals assume that as a result of expertise *can* allow you to do one thing that’s fascinating on your privateness, due to this fact, *nevertheless you employ it*, it at all times will.
And the unique thought of Bitcoin didn’t embody exchanges, did it?
And so there wouldn’t be any exchanges that may take a replica of your driving licence if Bitcoin have been utilized in its authentic type of cypherpunk manner, so far as I can see…
ANDY. Effectively, I definitely don’t blame Satoshi for not predicting all the cryptocurrency economic system, together with the ways in which exchanges would interface with the standard finance world.
It’s all extremely complicated economics; Bitcoin was sensible sufficient as it’s.
However I do suppose that it’s extra than simply, “You *can* be nameless with Bitcoin when you’re cautious, however most individuals are usually not cautious.”
It seems, I feel, that the chance, irrespective of how sensible you’re, of utilizing Bitcoin anonymously is vanishingly small.
Additionally, there’s the property of blockchain *that it’s perpetually*.
So, when you use the form of smartest concepts of the day to attempt to keep away from any of those patterns that reveal your transactions on the blockchain, however then somebody years later figures out a brand new trick to determine transactions…
…you then’re nonetheless screwed.
They will return in time, and use their new concepts to foil your cutting-edge anonymity methods from years earlier.
DUCK. Completely.
With a financial institution fraud you may think about you *might* get fortunate, couldn’t you?
That simply if you’re about to be investigated, years later, you discover the financial institution’s had an information safety catastrophe, they usually’ve misplaced all their backups and, oh, they’ll’t get better the information…
With the blockchain, that ain’t by no means going to occur! [LAUGHS]
As a result of all people’s bought a replica, and that’s a requirement for the system to work because it does.
So, as soon as locked in, at all times locked in: it could actually by no means be misplaced.
ANDY. That’s the factor!
To be nameless with cryptocurrency, you really should be excellent – excellent all the time.
And to catch somebody who’s attempting to be nameless with cryptocurrency slipping up, you simply should be sensible, and chronic, and work on it for years, which is what, first, Chainalysis…
…really, first was tutorial researchers like Sarah Meiklejohn on the College of California at San Diego, who, as I doc the e-book, got here up with loads of these methods.
However then Chainalysis, this startup that’s now nearly a nine-billion-dollar unicorn, promoting polished cryptocurrency tracing instruments to legislation enforcement businesses.
And now, all of those legislation enforcement businesses which have skilled Bitcoin tracers – their savvy, their know-how in doing this, is simply rising by leaps and bounds.
And I feel it’s nearly only a higher rule to say, “No, you can’t be nameless with cryptocurrency,” that it’s absolutely clear.
That’s a safer method to function, nearly.
To be honest, Satoshi Nakamoto stated individuals *can* be nameless… nevertheless it seems that the one participant who has *remained* nameless is Satoshi Nakamoto.
And that’s, partially, as a result of only a few individuals have that other-worldly restraint that Satoshi needed to amass one million Bitcoins after which by no means spend them or transfer them.
When you do this… sure, I feel you may maybe be nameless.
However when you ever wish to use your cryptocurrency, or to place it in a liquid kind the place you may spend it, then I feel you’re toast.
DUCK. Sure, as a result of there are some wonderful issues which have occurred, one in every of which you allude to as a result of it was within the works simply on the finish of the e-book…
…[LAUGHS] what I name the Crocodile Girl and her husband: Heather Morgan and Ilya Liechtenstein.
Self-styled “Crocodile of Wall Road” arrested with husband over Bitcoin megaheist
They’re alleged to have someway acquired a complete load of cryptocoins from a cryptocurrency financial institution theft in opposition to Bitfinex.
Of their instances, they acquired stolen cryptocurrencies in huge portions, in order that they might fairly actually have been billionaires *if they might have cashed it out*.
However when bust, they nonetheless had the overwhelming majority of that stuff sitting round.
So plainly, in loads of cryptocurrency crimes, your eyes is usually a lot larger than your abdomen.
Chances are you’ll stay the excessive life a bit of bit… the Crocodile Girl and her husband, it does appear they have been residing fairly a flash life-style.
However after they have been bust, what was the quantity?
It was greater than $3 billions’ price of Bitcoins that that they had, however couldn’t money out.
ANDY. The Division of Justice stated that they seized $3.6 billion from them.
That was the largest seizure not simply of cryptocurrency in historical past, however of cash within the historical past of the Division of Justice.
In truth, as I doc within the e-book… really, one in every of these occurred after the e-book, however the IRS legal investigators, who’re the primary topics of this e-book, have now pulled off the primary, second, and third-biggest seizures of cash in American legal justice historical past, by following cryptocurrency and seizing Bitcoins.
Your level is totally proper, which is that cryptocurrency is straightforward to steal, it seems… that’s, I feel, one in every of its large drawbacks for the companies, like exchanges, which have to carry typically billions of {dollars} in a form of digital secure.
However then when you do steal it, when you pull off one in every of these large heists – and two of the three of the instances that we’re discussing are literally individuals who stole cash from the Silk Highway darkish internet drug market…
DUCK. Sure [LAUGHS]… if you steal from a criminal, it’s nonetheless a criminal offense, eh?
ANDY. [LAUGHS] Sure, sadly – for these crooks, anyway.
DUCK. One of the crucial intriguing bits for me within the e-book was any individual that you just determine as “Particular person X”, solely as a result of that’s the best way they have been recognized by the court docket.
This particular person had stolen 70,000 Bitcoins, and was busted, and mainly gave them again… sort-of in return for getting let off.
They didn’t get prosecuted, they didn’t go to jail, they didn’t – I think about – even get a legal report.
They usually have been by no means named.
ANDY. That’s proper.
DUCK. In order that looks as if an nearly unreadable thriller, doesn’t it?
If we glance ahead a number of years, now that Bitcoin’s… what, within the final 12 months, it’s gone right down to a few third of its worth; Ether is right down to a few third; Monero is about half.
Do you suppose that that gambit of claiming, “I’ll give the cash again, let me off” would have labored if the costs have been reversed, and what they have been handing again was now price a fraction of what it was when it was stolen?
Or do you suppose that Particular person X was fortunate as a result of what they needed to hand again was really price far more than after they stole it?
ANDY. I feel it’s the latter.
Particular person X stole that cash whereas the Silk Highway was nonetheless on-line…
DUCK. Wow!
So that may have been when BTC was, what, lots of [of dollars] then?
ANDY. Sure, in all probability, or hundreds at most – Silk street went offline in 2013, when Bitcoin had simply damaged by way of $1000, if I bear in mind.
This particular person (I don’t wish to say “man” – who is aware of who Particular person X is?) sat on these 70,000 Bitcoins for seven years, finally…
…in all probability, precisely as you stated, simply terrified to maneuver them or money them out for worry of being caught.
DUCK. Sure, are you able to think about?
“Hey, I’m a millionaire!”
“Hey, I’m a *billionaire*!”
“Oh, golly, however the place am I going to get my lease cash?”
[LAUGHS] Shouldn’t snort….
ANDY. As you say – just like the hand caught within the cookie jar!
The hand simply will get larger and greater till it’s all-consuming, and you can not transfer it, you may’t get it out.
In truth, even with out attempting to get it out, IRS legal investigators discovered it by way of different means, together with the seizure of the BTC-e trade, which was a kind-of money-laundering, legal Bitcoin trade.
DUCK. That was a rogue trade that mainly did as little as is humanly potential alongside the Know Your Buyer entrance?
“Ask no questions, inform no lies,” that form of factor?
Is that proper?
ANDY. Sure, precisely.
That was one other shock for a lot of customers who believed that, “Possibly I can use BTC-e a bit of bit and never get caught, as a result of that doesn’t have Know Your Buyer, that doesn’t co-operate with legislation enforcement.”
However, nonetheless, when that trade was busted and its servers seized, that offered extra clues to the IRS.
That helped, in actual fact, to determine who Particular person X was… I don’t know who they’re, however the authorities does.
And to knock on his or her door and say, “Hey, hand over a billion {dollars} otherwise you’re going to jail,” and that’s precisely what occurred.
Now, poor James Zhong is a really comparable case.
Silk Highway medication market hacker pleads responsible, faces 20 years inside
He appears to have taken 50,000 Bitcoins from the Silk Highway, in all probability across the identical time, after which held onto them for even longer.
After which, a 12 months after Particular person X, Zhong bought a knock on his door…
Equally, that they had traced the cash, though he had simply left it sitting on a USB drive in a popcorn tin underneath the floorboards of his closet.
In his case, he didn’t handle to make a deal someway, and he’s being criminally charged.
DUCK. *And* he has given the cash again, clearly?
[WRY LAUGH] Aaaargh!
ANDY. He was a Bitcoin billionaire, and now could be dealing with legal expenses… and by no means bought to even spend his loot.
The Bitfinex case, I don’t know… I’ve much less sympathy for them as a result of they really have been attempting to launder a large theft from a legit enterprise.
They usually did, I feel, launder a few of it.
They tried a number of completely different intelligent methods.
They put the cash by way of…. I imply, that is all alleged, I ought to say; they’re nonetheless harmless till confirmed responsible, this couple in New York.
However they tried to place the cash by way of the AlphaBay darkish internet market as a form of laundering approach, pondering that may be a black field that legislation enforcement wouldn’t be capable of see by way of.
However then AlphaBay was busted and seized.
That’s maybe the largest story I inform within the e-book, essentially the most thrilling cloak-and-dagger story: how they tracked down the kingpin of AlphaBay in Bangkok and arrested him.
DUCK. Sure… spoiler alert, that’s the place the helicopter gunships are available in!
ANDY. lLAUGHS] Sure!
Sure, and far more!
I imply, that story is likely one of the craziest that I’ll in all probability inform in my profession…
However then, additionally, this New York money-laundering couple tried to place a few of the cash by way of Monero, a cryptocurrency that’s marketed as a privateness coin, a doubtlessly really untraceable cryptocurrency.
And but, within the IRS paperwork the place they describe how they caught this couple in New York, they present how they continued to observe the cash, even after it’s exchanged for Monero.
In order that was an indication to me that even perhaps Monero – this newer, “untraceable” cryptocurrency – is a bit traceable too, to a point.
And maybe this entice persists… that even cash which might be designed to outstrip Bitcoin when it comes to their anonymity are usually not all they’re cracked as much as be.
Though I ought to say that Monero individuals hate it after I even say this out loud, and I don’t know the way that labored…
…all I can say is that it seems to be very potential that Monero tracing was utilized in that case.
DUCK. Effectively, there may very well be some operational safety blunders that the Crocodile Girl and her husband made as effectively, that form of tied all of it collectively.
So, Andy, I’d prefer to ask you, if I’ll…
Pondering of cryptocurrency tokens like Monero, which as you say, is supposed to be extra privateness centered than Bitcoin as a result of it inherently, when you like, joins transactions collectively.
After which there’s additionally Zcash, designed by cryptography specialists particularly utilizing expertise identified within the jargon as zero-knowledge proofs, which is not less than alleged to work in order that neither facet can inform who the opposite is, but it’s nonetheless unimaginable to double-spend…
With all eyes on these far more privacy-focused tokens, the place do you suppose the long run goes?
Not only for legislation enforcement, however the place do you suppose it’d drag our legislators?
There’s definitely been a fascination for many years, amongst typically very influential parliamentarians, to say, “You understand what, this encryption factor, it’s really a extremely, actually dangerous thought!”
“We want backdoors; we want to have the ability to break it; any individual has to ‘consider the kids’; et cetera, et cetera.”
ANDY. Effectively, it’s attention-grabbing to speak about crypto backdoors and the authorized debate over encryption that even legislation enforcement can’t crack.
I feel that, in some methods, the story of this e-book reveals that that’s usually not obligatory.
I imply, the criminals on this e-book have been utilizing conventional encryption – they have been utilizing Tor and the darkish internet, and none of that was cracked to bust them.
As an alternative, investigators adopted the cash and *that* turned out to be the backdoor.
It’s an attention-grabbing parable, and a great instance of how, fairly often, there’s a side-channel in legal operations, this “different leak” of data that, with out cracking the primary communications, affords a manner in…
…and doesn’t necessitate any form of backdoor in Tor, or the darkish internet, or Sign, or arduous disk encryption, or no matter.
In truth, talking of ‘pondering of the kids’, one of many final main tales that I dig deeply into within the e-book is the bust of the Welcome To Video marketplace for little one sexual abuse movies that accepted cryptocurrency.
And consequently, the IRS investigators on the centre of the e-book have been in a position to observe down and arrest 337 individuals around the globe who used that market.
It was the largest bust of what we name little one sexual abuse supplies, by some measures, in historical past…
…all primarily based on cryptocurrency tracing.
DUCK. They usually didn’t have to do something that you’d actually contemplate privacy-violating, did they?
They fairly actually adopted the cash, in a path of proof that was public by design.
And in conjunction, admittedly, with warrants and subpoenas from locations the place the cash popped out, and the place web connections have been made, they have been in a position to determine the individuals concerned…
…and largely to keep away from trampling on tens of millions of people that had completely no reference to the case in any respect.
ANDY. Sure!
I feel that it’s an instance of a method to do… it’s, in some methods, mass surveillance – however mass surveillance in a manner that nonetheless doesn’t require weakening anyone’s safety.
I assume that cryptocurrency customers, and individuals who imagine within the energy of cryptocurrency for enabling activists, and dissidents, and journalists, and cash transmissions to international locations like Ukraine, that want injections of cash for survival…
They might argue that, nonetheless, we have to repair cryptocurrency to make it as untraceable as we as soon as thought it may be.
And that’s the place we get into the brand new, I’d say *a* new, crypto-war over cryptocurrency.
We’re simply beginning to see the start of that with instruments like Monero and Zcash, as you stated.
I do suppose that there’ll in all probability nonetheless be surprises in regards to the ways in which Monero could be traced.
I’ve seen a leaked Chainalysis doc the place they informed Italian legislation enforcement… it’s a presentation in Italian to the Italian police from Chainalysis, the place they are saying that they’ll hint Monero, within the majority of instances, to discover a usable lead.
I don’t know the way they do this, nevertheless it does seem to be it’s probabilistic greater than definitive.
Now I don’t suppose lots of people perceive – that’s usually sufficient for legislation enforcement to get a subpoena, to start out subpoenaing cryptocurrency exchanges, simply primarily based on a probabilistic guess.
They will simply verify each chance, if there are a number of sufficient of them.
DUCK. Andy, I’m aware of time, so I’d like to complete up now by simply asking you one remaining query, and that’s…
In ten years’ time, do you see your self being ready the place you’ll be capable of write a e-book like this one, however the place the “unravelling” elements are much more fascinating, sophisticated, thrilling, and wonderful?
ANDY. I attempted, with this e-book, *not* to make too many predictions.
And, in actual fact, the e-book begins with this “mea culpa” that ten years in the past I believed precisely the mistaken factor about Bitcoin.
So no one ought to take heed to any ten-year prediction that I’ve!
[LAUGHTER]
However the easiest prediction to make, that *has* to be true, is that this cat-and-mouse recreation will nonetheless be happening in ten years.
Folks will nonetheless be utilizing cryptocurrency pondering that they’ve outsmarted the tracers…
…and the tracers will nonetheless be developing with new methods to show them mistaken.
The tales, as you say, will, I feel, be far more convoluted as a result of they’ll be coping with these cryptocurrencies like Monero, that construct in huge mix-networks, and Zcash, which have zero-knowledge proofs.
Nevertheless it does appear that there’ll at all times be a way – and possibly not even cryptocurrency, however in another facet channel… as I used to be saying, there will probably be a brand new one which unravels the entire thing.
However there’s no query that this cat-and-mouse recreation will go on.
DUCK. And I’m positive there’ll be one other Tigran Gambaryan someday sooner or later so that you can interview?
ANDY. Effectively, I do suppose the sport of anonymity…
…it does favour the Tigran Gambaryans of the world.
They, as I stated, simply should be persistent and sensible.
However the mice on this cat-and-mouse recreation should be excellent.
And nobody is ideal.
DUCK. Completely.
ANDY. So, if I do should make a prediction…
…then I’d simply place my guess on the cats, on the Tigran Gambaryans of the world.
DUCK. [LAUGHS] Andy, thanks a lot.
Earlier than we go, why don’t you inform our listeners the place they’ll get your e-book?
ANDY. Sure, thanks, Paul!
The e-book is known as “Tracers within the Darkish: The International Hunt for the Crime Lords of Cryptocurrency.”
[ISBN 978-0-385-54809-0]
And it’s out there in any respect the traditional locations books are bought.
However when you go to https://andygreenberg.internet/, then you may simply discover hyperlinks to a bunch of locations.
DUCK. Andy, thanks a lot on your time.
It was as fascinating speaking to you and listening to you because it was studying your e-book.
I like to recommend it to anyone who needs a galloping learn that’s however detailed and insightful about how legislation enforcement works…
…and, importantly, why legal convictions for cybercrimes usually solely occur years after the crime occurred.
The satan actually is within the particulars.
ANDY. Thanks, Paul.
It’s been a super-fun dialog.
I’m simply glad you loved the e-book!
DUCK. Glorious!
Because of all people who listened.
And, as at all times: Till subsequent time, keep safe!
[MUSICAL MODEM]