In last month’s blog we talked about the basics of Bitcoin, and how its simultaneous transparency and anonymity make it a unique opportunity for investigators.
This month we’re continuing the cryptocurrency theme, taking a deeper look at Bitcoin itself, but firstly we are looking at the diverse world of alternative cryptocurrencies…
Please note, if you have little to no knowledge of cryptocurrency, we advise you to read last month’s blog before attempting this one!
Bitcoin is not the only cryptocurrency.
Yes, it is the most widely used (it’s the one most featured in the media due to incidents such as high-profile ransomware cases, or its sudden sharp increase in value) and the market cap (dollar-value of the Bitcoin total) is higher than the alternatives… but there are hundreds of others out there! Some of the more well-known altcoins include Litecoin, Ether(eum), Monero, and Ripple.
As we discussed last month, cryptocurrency is based on Blockchain technology, usually with a distributed public ledger to keep track of transactions.
Blockchain itself is a very powerful technology, and it has many applications beyond cryptocurrency. Often, a blockchain’s tokens (of which bitcoins are an example) are just an essential ‘by-product’, which hold real-world value according to two things: 1) the actual usefulness of the blockchain in question, and 2) the perceived future value of that use.
What does that mean in ‘real-terms’?
To try and make sense of all of this, imagine that someone has invented a machine which does something super useful. How about a machine that accurately predicts the exact weather conditions for your precise location? Then imagine the machine can only work (predicting the weather) by circulating special tokens around a network of other identical machines.
The tokens aren’t created to be used as currency, but because they have a real-world use they assume a real-world value. If the public now considered the weather-predicting machine to have a bright future, the chances are that they would want to buy more of these tokens.
This makes the demand exceed the supply, and the market value rises accordingly – something which has been seen with Bitcoin in the past months.
Ethereum is also built on a blockchain, and its stated purpose is to provide a platform for smart contracts… so, like the weather machine, it was not explicitly created to be a currency.
This means that because of Ethereum’s wide range of applications and other desirable features, it needed tokens (Ether) to power it, therefore making Ether hold value.
The current value (at time of writing) of one Ether is £243.
Okay… so, how are tokens actually created?
To answer this, we’ll go back to Bitcoin. Last month we covered how bitcoins are sent from one address to another, but we didn’t get into the details of where they come from in the first place. This is called mining.
These problems are defined by the Bitcoin protocol, and require enormous computing power. Indeed, while it is possible for anybody to set up their machine to work mining Bitcoin, the overwhelming majority of mining is done by pools of high-powered, purpose-built supercomputers.
When a miner comes up with the correct solution to a problem, they place the next block on the blockchain.
This block will contain details of lots of transactions which have taken place since the previous block was mined, as well as a ‘hash’ of the rest of the chain up to that point. This means that any given block contains a way to check if any of the previous blocks have been altered at any time, and serves to validate the chain as a whole.
The details of the new block are sent around the whole Bitcoin network, where it is validated and added to the chain, or ledger.
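The hash link and the mining ‘problem’ described above, shown as an added illustration that is not code from the original post or from Bitcoin itself. The JSON block layout, the 12-bit difficulty and the sample transactions are assumptions of this example; it shows that rewriting an old block, even with the mining work redone, is caught at the next block.

```python
import hashlib
import json

DIFFICULTY_BITS = 12   # toy setting; the real network's difficulty is far higher
GENESIS_PREV = "0" * 64

def block_hash(block):
    """SHA-256 of the block's fields in a canonical JSON encoding."""
    return hashlib.sha256(json.dumps(block, sort_keys=True).encode()).hexdigest()

def meets_target(digest):
    """The 'problem': the hash, read as a number, must fall below a target."""
    return int(digest, 16) < (1 << (256 - DIFFICULTY_BITS))

def mine(prev_hash, transactions):
    """Try nonces until the block's hash meets the target."""
    block = {"prev": prev_hash, "txs": transactions, "nonce": 0}
    while not meets_target(block_hash(block)):
        block["nonce"] += 1
    return block

def build_chain(batches):
    """Mine one block per batch, each committing to its predecessor's hash."""
    chain, prev = [], GENESIS_PREV
    for txs in batches:
        chain.append(mine(prev, txs))
        prev = block_hash(chain[-1])
    return chain

def first_invalid(chain):
    """Index of the first block that fails validation, or None if all pass."""
    prev = GENESIS_PREV
    for i, block in enumerate(chain):
        if block["prev"] != prev or not meets_target(block_hash(block)):
            return i
        prev = block_hash(block)
    return None

# Constructed transactions, for illustration only.
SAMPLE = [["alice pays bob 1.0"], ["bob pays carol 0.4"], ["carol pays dave 0.1"]]

if __name__ == "__main__":
    chain = build_chain(SAMPLE)
    print("untouched chain:", first_invalid(chain))
    chain[0] = mine(GENESIS_PREV, ["alice pays mallory 1.0"])  # re-mined rewrite
    print("block 0 rewritten, first invalid block:", first_invalid(chain))
```

Because block 1 stores the hash of the original block 0, a rewritten block 0 can only be made to fit by re-mining every block after it as well.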
Miners are compensated for their computing efforts in the form of newly-created bitcoins.
For each block that is mined, the successful miner receives 12.5 bitcoins. Every bitcoin in existence was mined in this exact way.
With a single bitcoin currently valued at £3465, this is incredibly lucrative!
There are a couple of features of the mining process that make bitcoin work:
Computer power vs. difficulty of problems
The difficulty of the problem is scaled according to the amount of computing power used to work on it. This means that the frequency with which blocks are mined can be kept reasonably steady. With Bitcoin, one block is mined approximately every ten minutes. If advances in technology suddenly make it much quicker to solve the problems, then the difficulty is increased accordingly, so there can never be a huge increase in the frequency with which blocks are mined.
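How that scaling pulls block spacing back to ten minutes, as an added example (not from the original post). The 2016-block adjustment period and the four-fold limit per adjustment are Bitcoin's rules; the model in which average block time equals difficulty divided by hash rate, and the hash-rate figures, are simplifying assumptions of this example.

```python
from fractions import Fraction

TARGET_MINUTES = 10      # block spacing stated in the text
RETARGET_BLOCKS = 2016   # Bitcoin adjusts difficulty once per 2016 blocks
MAX_STEP = 4             # one adjustment is limited to 4x in either direction


def retarget(difficulty, actual_minutes):
    """Scale difficulty by expected/actual time for the last period, clamped."""
    expected = TARGET_MINUTES * RETARGET_BLOCKS
    factor = Fraction(expected) / actual_minutes
    factor = max(Fraction(1, MAX_STEP), min(Fraction(MAX_STEP), factor))
    return difficulty * factor


def simulate(hashrates, difficulty=Fraction(10)):
    """Average minutes per block in each period, given hash rate per period.

    Toy model (assumption): block time = difficulty / hash rate, in arbitrary
    units chosen so that difficulty 10 at hash rate 1 gives ten minutes.
    """
    spacing = []
    for rate in hashrates:
        minutes_per_block = difficulty / rate
        spacing.append(minutes_per_block)
        difficulty = retarget(difficulty, minutes_per_block * RETARGET_BLOCKS)
    return spacing


if __name__ == "__main__":
    # Hash rate doubles: one fast period, then back to ten minutes.
    print([float(m) for m in simulate([1, 2, 2, 2])])
    # Hash rate jumps tenfold: the 4x limit means recovery takes two periods.
    print([float(m) for m in simulate([1, 10, 10, 10])])
```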
The rate of reward is halved every four years. In 2020, the reward for mining a block will reduce from 12.5BTC to 6.25BTC, and so on. There will never be more than 21 million bitcoins mined, and that total will be effectively achieved around the year 2140. This feature is what gives bitcoin its scarce nature.
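The halving schedule carried through to the end, as an added example rather than code from the original post. The 50 BTC starting reward, the 210,000-block halving interval and the whole-satoshi rounding are Bitcoin's rules; the end-of-era years are estimates that assume exactly ten minutes per block from January 2009.

```python
from datetime import date, timedelta

SATOSHI = 100_000_000            # smallest unit: 1 BTC = 100,000,000 satoshis
INITIAL_SUBSIDY = 50 * SATOSHI   # reward for the first blocks in 2009
HALVING_INTERVAL = 210_000       # blocks per era, about four years at 10 minutes
BLOCK_MINUTES = 10
GENESIS = date(2009, 1, 3)


def subsidy(height):
    """New coins (in satoshis) created by the block at this height."""
    return INITIAL_SUBSIDY >> (height // HALVING_INTERVAL)


def eras():
    """Yield (era, reward, cumulative supply, estimated end year) per era."""
    supply = 0
    for era in range(64):
        reward = subsidy(era * HALVING_INTERVAL)
        if reward == 0:
            break
        supply += reward * HALVING_INTERVAL
        minutes = BLOCK_MINUTES * HALVING_INTERVAL * (era + 1)
        yield era, reward, supply, (GENESIS + timedelta(minutes=minutes)).year


if __name__ == "__main__":
    for era, reward, supply, year in eras():
        print(f"era {era:2d}: {reward / SATOSHI:.8f} BTC per block, "
              f"{supply / SATOSHI:,.4f} BTC issued by ~{year}")
```

Because each reward is rounded down to a whole number of satoshis, the final total stops slightly short of 21 million.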
Finally, as the Bitcoin blockchain shows the history of every amount of bitcoin, it is possible to trace any transaction to the original block where the bitcoins were mined.
Can I actually find something useful from the Blockchain?
Yes. With some manual analysis of the blockchain, it is possible to trace transactions and identify some of the entities to which bitcoins have been sent.
Our CRYPTOCURRENCY INVESTIGATOR training will give you a deeper understanding of how this works, but as a brief example let’s look at a recent high-profile ransomware case, and see if we can interactively ‘follow the money’…
Examining the blockchain of NotPetya
In June this year, a strain of ransomware dubbed NotPetya spread around the world. It mostly affected Russian and Ukrainian networks, but also had an enormous impact on some giant firms including Merck and Maersk, among others.
The ransomware demanded payment of $300 worth of bitcoin be paid to an address called: 1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX.
Immediately, we can examine this address on the blockchain – click here and open in a new tab to examine…
- On the site, look carefully at the number in the top-right portion of the screen… at the time of writing, the address had engaged in a total of 65 transactions, and had received a total of 4.13 bitcoins. The ‘Final Balance’ shows that there are currently 0.099 bitcoins still in the address.
- If we scroll down on the site, we can see every transaction in the address’s history – all of those with a green arrow denote an incoming payment.
- Scroll down again, this time far enough to see transactions up to 28 June 2017, where you will see that most payments are for approximately 0.12 bitcoins, which were at the time roughly $300 worth.
These are almost certainly instances of victims paying the ransom, as demanded. Unfortunately, there are also many smaller payments and analysis of these suggests that they are ‘topup’ payments, from the same victims, possibly as a result of confusion around exchange rates.
What is interesting about the NotPetya address isn’t the incoming payments, however; it is the outgoing ones.
- Scrolling to 28 June, you will see three outgoing transactions.
- The last of these was, at the time, for the entire amount remaining in the wallet. It was the offender moving the coins elsewhere, possibly to be ‘tumbled’ or sold on. The first two transactions are actually more interesting…
- Both are for just over 0.011 bitcoins – at the time, around £20. The recipient address was 1DP6EvcA8E3n8mBzHZ3n3Fy8m3r7SMqdqG. If we look at this address – click here – we see that it has received many, many transactions for approximately the same amount.
Using some common sense, this would suggest that the address is one that is publicly listed for people to send bitcoin to, for a purchase that costs a standard £20. With this in mind, a little Googling shows us that this address was one advertised by pastebin.com – a popular text paste repository – as an address to be used for donations, in order to upgrade to Pastebin Pro.
Looking even further into this, we can see that the process for upgrading in this way is to send an email to Pastebin, then, once payment has been made, the account will be upgraded.
- Did this happen?
- Did the NotPetya suspect email Pastebin for an account upgrade?
- Was it an anonymous donation?
We can’t say at this stage; however, the point is that by digging a little into the transactions on the blockchain, we have now established a line of enquiry.
The second of these £20 transactions similarly takes us to another online text paste repository, and so is another line of enquiry.
This example is only a very brief insight into what is possible by examining the blockchain. It is never going to be as simple as linking a bitcoin address directly to a person, but by layering our findings with other sources of data such as open source intelligence… the possibilities are certainly there and are not to be ignored by investigators in today’s world.
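The manual triage walked through above, sketched as an added example that is not part of the original post. The ledger is constructed, not real blockchain data; the placeholder names, the single-sender-per-payment model, the 15% ransom band and the clustering thresholds are all assumptions of this example.

```python
from statistics import median

RANSOM_SAT = 12_000_000   # ~0.12 BTC, the ransom size quoted in the text
BAND = 0.15               # hypothetical tolerance for exchange-rate drift

# Constructed ledger, NOT real blockchain data: (sender, recipient, satoshis).
LEDGER = [
    ("victim_a", "ransom_addr", 12_000_000),
    ("victim_b", "ransom_addr", 11_500_000),
    ("victim_b", "ransom_addr", 800_000),      # follow-up from an earlier payer
    ("stranger", "ransom_addr", 50_000),
    ("ransom_addr", "service_x", 1_100_000),
    ("ransom_addr", "service_y", 1_120_000),
    ("ransom_addr", "unknown_1", 22_000_000),  # sweep of the remaining balance
    ("user_1", "service_x", 1_090_000),
    ("user_2", "service_x", 1_110_000),
    ("user_3", "service_x", 1_100_000),
]

def near(amount, centre, band):
    return abs(amount - centre) <= band * centre

def label_incoming(ledger, addr):
    """Tag each payment into addr as 'ransom', 'top-up' or 'other'."""
    paid = [(s, amt) for s, r, amt in ledger if r == addr]
    full_payers = {s for s, amt in paid if near(amt, RANSOM_SAT, BAND)}
    out = []
    for s, amt in paid:
        if near(amt, RANSOM_SAT, BAND):
            tag = "ransom"
        else:
            tag = "top-up" if amt < RANSOM_SAT and s in full_payers else "other"
        out.append((s, amt, tag))
    return out

def fixed_price_recipients(ledger, addr, min_count=3, spread=0.05):
    """Addresses paid by addr whose receipts all cluster round one amount."""
    flagged = {}
    for dest in sorted({r for s, r, _ in ledger if s == addr}):
        amounts = [amt for _, r, amt in ledger if r == dest]
        mid = median(amounts)
        if len(amounts) >= min_count and all(near(a, mid, spread) for a in amounts):
            flagged[dest] = mid
    return flagged

if __name__ == "__main__":
    for row in label_incoming(LEDGER, "ransom_addr"):
        print(row)
    print(fixed_price_recipients(LEDGER, "ransom_addr"))
```

A flagged recipient is only a lead: it marks an address that looks publicly listed at a standard price, which is then checked against open sources as described above.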
Make sure YOU are prepared…
With cryptocurrency becoming a growing area that we cannot ignore, it is imperative that investigators have the knowledge to deal with incidents effectively.
We at Blue Lights Digital are therefore proud to launch our revolutionary CRYPTOCURRENCY INVESTIGATOR training – the only course of its kind in the UK!
Our expert trainers give a rounded understanding of how cryptocurrency is used, both legally and illegally, using hands-on interactive teaching, making sure that you get the best outcomes possible.