Last year a few noteworthy things happened in terms of cryptocurrencies. The IRS won their case against Coinbase, and over 14,000 people who traded over $20,000 USD in 2015 now have to face the IRS. Exchanges in Asia started forcing KYC (Know Your Customer) requirements on customers, as did most of the rest of the world. Bitfinex decided to block all U.S. customers in November of 2017 due to regulatory issues and uncertainty. What this means is that Bitcoin and other cryptocurrencies are becoming harder to trade anonymously and without paying taxes. This is what comes with the legitimacy that regulation, lawful trade and taxation bring. I am not saying there isn’t much debate still regarding the legality, legitimacy or utility of cryptocurrencies; I’m saying 2017 saw a significant change in how they are viewed. Today, the SEC in the U.S. has been discussing forcing cryptocurrency exchanges to register with the SEC, and there is no definitive answer as to what this is going to mean or whether it is going to happen.
Current views on whether an asset is a security tend to follow the “Howey Test,” which comes from a 1946 U.S. Supreme Court case. The ruling says a security involves the investment of money in a common enterprise, in which the investor expects profits primarily from others’ efforts. Many speculate that Bitcoin in itself is not an enterprise; however, Initial Coin Offerings or ICOs may fall into that category. With many organizations adopting blockchain technologies today, we may begin to see ICOs needing to register with the SEC under the Howey Test. What this could mean is that tokens or “alt coins” may begin to see heavier regulation than just following KYC and AML (Anti Money Laundering).
What we’ve seen in the past from ransom campaigns is that buying cryptocurrencies has gotten more and more difficult. If I were to ask you to procure 3-5 Bitcoin within 24 hours, could you do it? What steps would you have to take? Depending on where you are, you might NOT be able to simply wire the funds for 3-5 Bitcoin and have it within 24 hours. Because of KYC and AML, you may find that purchasing 3-5 BTC could take you between 5 and 8 days. In the U.S., Coinbase has limits for new users. Coinbase today will allow instant purchases of up to $25,000 per week for customers who have been fully verified and have linked bank accounts (and have purchase habits that justify the limit). New customers may not purchase on day one. Here in India, some organizations have basic verification limits of 2 Crore Rupees per day, or 10 Crore Rupees per month in Bitcoin buying. Bitcoin is 5 Crore Rupees right now. So, if you think of these limits, and the verification processes, you may NOT be able to purchase enough Bitcoin to pay a ransom.
So, with that, you may have to ask: When Uber lost 57 million passengers’ data and silently paid, did Uber pay $100,000 in Bitcoin? The answer could be that they would have had to stockpile Bitcoin in the event that they needed to pay the ransom. Research studies have been published stating that 33% of organizations are stockpiling Bitcoin to pay ransoms. Two years ago, Radware’s Emergency Response Team Report found 7% of organizations were stockpiling cryptocurrencies to pay for ransoms.
One of the difficulties that WannaCry had last year was customer service. Relative to the size and magnitude of the WannaCry infection, it was considered a large failure for the hackers in terms of monetization, because of the difficulty of buying cryptocurrencies. This could also be a large factor in the increase of companies buying and stockpiling cryptocurrencies to pay ransoms.
A month after WannaCry, the same vulnerability was exploited in Linux-based computers running unpatched Samba services. This new exploit based on WannaCry was called Eternal Miner. It was designed NOT to encrypt the hard drive and send a ransom note. Instead, it just made the machines mine a more anonymous cryptocurrency known as Monero. This simplified the process of monetization and eliminated the need to do customer support in teaching the victims how to buy cryptocurrency and send it to the criminals. Since then, we have seen over 500,000 unpatched Windows computers joined to the Smominru botnet, which has earned the hackers over $3.6 million USD. So the same vulnerability that fumbled out $170,000 yields $3.6 million when the tactic changes to cut out the end user.
Bitcoin’s underpinning blockchain technology was initially designed to record transactions on the public ledger. The digital ledger also stores addresses of the sender and receiver of a payment with the exact time. Investigators have developed databases and tactics to use this data to tackle criminal activities.
Monero, created in 2014, encrypts addresses and produces fake addresses to shroud the sender. Additionally, the cryptocurrency can conceal the amount of the transaction. Hence, it provides a safe haven for wrongdoers and regular privacy-minded users alike.
Because of this difference, the hacking and Darknet communities have switched to favoring Monero. This change is definitely going to make tracking criminals much harder in the near future. Law enforcement worldwide will now have to focus more on money laundering. This may be part of the reason why regulators are looking to track crypto-exchange activities, as getting records of trade activity is going to be one of the ways to identify criminals. The next couple of years are going to be interesting as we watch these changes in regulation weave into investment platforms and assist law enforcement. The rollercoasters of the markets will probably continue as we see these scenarios play out.
As Director of Security Solutions, David Hobbs is responsible for developing, managing, and increasing the company’s security practice in APAC. Before joining Radware, David was at one of the leading Breach Investigation Firms in the US. David has worked in the Security and Engineering arena for over 20 years and during this time has helped various government agencies and world governments in various cyber security issues across all sectors.