Charting transactions from an alleged theft
Some readers may remember that some time ago I wrote a post about Bitcoin, an interesting online payment experiment in the shape of a cryptographic currency. My conclusion was that the currency was probably illegal in the U.S. and Europe, and left it at that. At the time Bitcoin’s star was on the rise, there was a lot of hype surrounding the currency, lots of press, and even some minor interest from regulators and policy-makers. The intervening months however have not been kind to Bitcoin, with several scandals ranging from large thefts of coins from unencrypted purses, the major exchange being hacked, the second largest exchange losing a large chunk of its coins, and one of the major online purses simply disappearing into the ether (or more likely, those involved are now enjoying some cocktails by the Caribbean). Similarly, the talk of trojans, market manipulation and outright fraud seems to continue to plague the currency, with the latest scandal being that one of the most public figures in the BTC community may very well be involved in fraudulent practices.
All throughout these problems, the community has seemed to have held faith. There is a core of believers that fervently think that Bitcoin is the future. These range from hard-core libertarians to techno-geeks, with a few day traders and speculators still trying to profit from the large swings in value experienced since June. A big aspect of the faith held by the technically-minded people in the crypto-currency is precisely its security features, Bitcoin has been touted as a very secure and anonymous method of transferring value from one computer to the other. The currency works by allocating a public cryptographic key to arbitrary units of value held in a proprietary non-proprietary client. Because they are public, the keys can be inspected by everyone, but a private key is needed to make the transaction. These units of value are held in “wallets”, small .dat files hosted in the computer. This setup serves two purposes, as long as the keys are secure, only the wallet’s owner will be able to transfer the bitcoins to make a payment. Similarly, the keys make the transactions anonymous.
Or so most people thought. As with many things online, the theory is often defeated by a combination of greed, laziness, ignorance, and simple intermediary failure. Bitcoin’s cryptography is very strong, so a hacking attack would not be able to break the security. But a hacker doesn’t need to defeat the SHA-256 cryptographic hash in order to remove bitcoins from the wallet, a simple $5 dollar wrench would suffice. Practice has been bearing this out, the Bitcoin client does not encrypt the wallet.dat file itself, which leaves the currency vulnerable. Similarly, hackers have been targeting the exchanges, the places where people pay in real money to buy bitcoins. And finally, all of the encryption in the world won’t protect you against fraudsters and scam artists.
So we were left with anonymity as the biggest selling point for Bitcoin. This was made evident after a Wired article informed college students everywhere of the existence of Silk Road, a site where they could buy drugs using bitcoins. Bitcoin’s value exploded, usage shot up, and mining rigs went up, driving the price of top-end GPUs through the roof. The idea is that because the currency is encrypted, there is no manner to trace any given transaction to individual users. But there is a new paper from Fergal Reid and Martin Harrigan of University College Dublin that claims that Bitcoin’s much-touted anonymity is seriously flawed. They used network analysis to trace transactions down a chain of distribution, and discovered that by treating transactions as a links in a network, and sender and recipients were vertices, they could get a very good idea of who was doing what. Moreover, they claim that this information can be easily cross-referenced with information in public spaces and intermediaries, so anonymity would be seriously compromised. They explain:
“There is no user directory for the Bitcoin system. However, we can attempt to build a partial user directory associating Bitcoin users (and their known public-keys) with off-network information. If we can make sufficient associations and combine them with the network structures above, a potentially serious threat to anonymity emerges. Many organizations and services such as on-line stores that accept Bitcoinis, exchanges, laundry services and mixers have access to identifying information regarding their users, e.g. e-mail addresses, shipping addresses, credit card and bank account details, IP addresses, etc. If any of this information was publicly available, or accessible by, say, law enforcement agencies, then the identities of users involved in related transactions may also be at risk.”
As a case study, they used a highly-publicised theft of 25,000 BTCs (with a value at the time of theft of approximately $500,000 USD). They were able to follow the involved transactions using their network tools, and charted these with high level of accuracy. Then the authors conclude that:
“Using an appropriate network representation, it is possible to map many users to public-keys. This is performed using a passive analysis only. Active analyses, where an interested party can potentially deploy marked Bitcoins and collaborating users can discover even more information. We also believe that large centralized services such as the exchanges and wallet Using an appropriate network representation, it is possible to map many users to public-keys. This is performed using a passive analysis only. Active analyses, where an interested party can potentially deploy marked Bitcoins and collaborating users can discover even more information. We also believe that large centralized services such as the exchanges and wallet.”
This is extremely interesting, because it is something that I envisaged when writing my forthcoming book on network theory. One of the chapters deals specifically with cybercrime, where I believe that network tools like social network analysis could have a large impact. Examples such as the above are precisely the type of uses that law enforcement could emply to tackle high-tech online crime.
One thing about Bitcoin is true. Maybe some libertarians are finally finding out why we have strong regulation of financial markets.