Monitorable and traceable – The insecurity of Bitcoin

Ransomware criminals may refrain from Bitcoin payments in the future and switch to more anonymous alternative digital currencies.

Prof. Dr. Hartmut Pohl, softScheck GmbH Sankt Augustin / Cologne

The ransom of 75 Bitcoin paid by Colonial Pipeline Company in Bitcoin as part of the recent ransomware scandal in early May has since been partially recovered (63.7 Bitcoin) by the FBI. The wallets used were tracked by the FBI and the Bitcoins seized. However, due to the decline in the value of Bitcoin, only about 60 percent of the amount paid remains in dollars. The 15% difference to the 75 Bitcoins comes from the cut the hacker group „DarkSide“ collected as the attackers used their ransomware.

The case is not without a certain “comedy”, because the decryption software (and keys) provided by the criminals worked too slowly, so that Colonial then resorted to its own backups after all.

Overall, however, the results are encouraging: The increased criminal and intelligence investigations and counterattacks against cyber criminals announced by U.S. President Biden – somewhat in a roundabout way – are beginning to have an impact. Biden primarily targeted cyber criminals disguised as companies in Russia, some of whom have more than 1,000 employees.

Since everyone has access to the distributed blockchain, in which all transactions are logged, it is easy to track the money flow. It is just not apparent who the real owner of the wallet is. To seize the money from the corresponding wallet, a corresponding private key is needed. The FBI got hold of this key and was able to gain access to the wallet.

Generally, the security of a wallet stands and falls with the security of the private key. For this reason, most wallets store the private key in a password-encrypted file. But even in this case, it may be possible for attackers to get access to the private key, for example through a security vulnerability in the wallet software or via a keylogger.

What has been published, however, are four methods of identifiying unpublished security vulnerabilities, that can be exploited with attacks. These methods are also used by the intelligence services. The effort is a fraction of the ransomware cost. Some of the relevant methods are:

  • Evaluation of the safety level of the design
  • Source Code Analysis (Static Source Code Analysis)
  • Classic Penetration Testing as well as
  • Dynamic Code Analysis (Fuzzing)

Encryption software, which experience has shown to contain equally exploitable security vulnerabilities, are also examined in this way.