When hackers hold their victims’ data for ransom, as happened in the WannaCry and NotPetya ransomware attacks that spread across the globe in mid-2017, a key to the criminals’ success is getting away with the money. That often means they use cryptocurrencies like bitcoin to collect payment, hoping to remain hidden behind a digital mask.
At the Initiative for Cryptocurrencies and Contracts, we have explored the ways cryptocurrency systems protect users’ anonymity. Anonymity in cryptocurrencies is fueling crime by enabling criminals to evade identification by law enforcement. We believe that this problem will get worse as cryptocurrencies evolve stronger privacy protections and become more flexibly programmable. We also believe there’s no simple solution.
Masking criminal identities
All cryptocurrency systems work in roughly the same way. Groups of computers receive transaction information directly from users who want to send each other money. The computers order and permanently record these transactions in a public ledger so that anyone can read them. The public ledger also makes it possible to keep track of how much currency individual users own. Developers tweak the code in different cryptocurrency systems to add additional features, like fast transaction processing or improved anonymity.
The first major cryptocurrency system, bitcoin, allows users to conceal their real names. But users’ transaction amounts and bitcoin account numbers (known as “addresses”) are visible to anyone – even people who don’t use bitcoin but know how to read the transaction ledger. This approach offers more privacy than credit cards and bank accounts, even against powerful entities like governments who might try to trace money obtained by criminals. Bitcoin’s privacy both attracts users – law-abiding and otherwise – and raises law enforcement agencies’ suspicions.
It is true that bitcoin and other cryptocurrencies create opportunities for tax evasion, ransomware and illicit marketplaces selling everything from narcotics to illegal arms. Some concerns, though, like the potential uses for terrorists, are probably overblown.
When crimes happen that involve bitcoin, law enforcement and security experts can exploit the system’s privacy defects. They study illicit activity by analyzing chains of transactions. Sometimes they can trace criminals to systems where their true identities can be discovered.
If this isn’t possible, they can often still obtain clues about criminals’ behavior. For example, analysis of the bitcoin transaction patterns of WannaCry quickly showed that victims would not automatically receive decryption keys for their ransom payments. To identify a payer, bitcoin requires that the payer send payment to a unique address. This address acts like a kind of transaction serial number. WannaCry victims were all told to pay into just three bitcoin addresses. Because payments were commingled in this way, investigators realized that the WannaCry perpetrators could not figure out which victims actually paid the ransom.
Systems with stronger privacy have arisen to shield users – and criminals – from such scrutiny. One type, called “mixes,” such as CoinShuffle++ and TumbleBit, bundle transactions together, allowing bitcoin users to launder their money and achieve stronger anonymity. Distinct new cryptocurrencies have arisen that offer very strong privacy using powerful built-in mixes. These include Monero, Zcash and MimbleWimble.
Their success has been limited so far. Technical problems are one reason, but mainly their technical complexity and limited software support makes them hard for people to use. Ransomware usually requests payment in bitcoin. It is simply easier for victims to buy bitcoins than more exotic cryptocurrencies that better conceal ransomware creators’ identities. Ransomware creators hope to get the best of both worlds – enabling easy payment for victims in bitcoins, but then converting ransom payments to currencies like Monero to obtain strong privacy. Someday, once privacy-hardened cryptocurrencies are easier to use, though, ransomware creators and other criminals will be able to bypass this two-step process.
Criminal smart contracts
Cryptocurrencies are not limited to simple money transfers. Newer systems like Ethereum also include in the public ledger not just a record of which account sent money to whom, but small computer programs called “smart contracts.” Once entered into the ledger, these programs remain forever executable. They can store and send money in arbitrarily complex ways. Any user – or another smart contract – can trigger execution of a smart contract simply by sending it a transaction.
When autonomous smart contracts are combined with anonymous cryptocurrency, they provide opportunities to handle money in complicated ways that hackers can exploit. Twice, money has been stolen from Ethereum contracts in heists that each involved more money than the largest bank robbery in the United States. The identities of the thieves remain unknown.
In the future, “criminal smart contracts” may emerge. These might be programmed to make automatic payments when specific secrets are stolen, when particular websites are hacked and defaced, or even for physical crimes ranging from vandalism to terrorism. A person who wanted a particular crime to be committed could post a smart contract reward to be paid out to the criminal who actually does the deed. Someone seeking to claim the reward would, before committing the crime, add an encoded message to the smart contract containing specific details only the criminal would know beforehand – such as a unique phrase or long string of numbers to be posted on a hacked website.
When the crime is committed, the person who did the deed would decode the added message, revealing the details that had been specified in advance. The smart contract could then check the actual details of the crime and, if they matched, pay out the reward. The anonymity of the underlying cryptocurrency would hide the criminal’s identity.
Today, smart contracts cannot easily obtain trustworthy data from the internet about crimes like vandalism in a form that computer programs can easily understand. So criminal smart contracts have not yet come about. But advances in crime driven by smart contracts will eventually emerge, aided by continuing improvements in anonymity technologies.
The hard quest for balance
Anonymity isn’t all bad, of course. On the contrary, it’s a key ingredient of privacy-preserving systems, and necessary to prevent overreach and abuses by governments. Cryptocurrency cannot thrive without privacy protections. What’s hard is finding a socially responsible blend of privacy and accountability.
Today, law enforcement authorities can exploit privacy weaknesses in systems like bitcoin to identify certain cryptocurrency as belonging to criminals and thus as “tainted.” They try to catch criminals when, for example, they convert tainted currency into ordinary currency like U.S. dollars or euros. This strategy will no longer work when stronger privacy technologies conceal tainted cryptocurrency.
Scientists have for decades sought to design systems that balance law enforcement needs with individual privacy in digital currency. Most of these systems provide what is called “conditional anonymity,” allowing authorities to learn user identities selectively through a technical process that can involve courts or other overseers. Appealing as it sounds, this approach is unworkable. If one authority, say the U.S. federal court system, has the ability to strip users of anonymity, then all authorities will want it. Privacy will then be meaningless.
Crime-fighting tools require empowerment of authorities. Cryptocurrencies are innately anti-authority technologies. How this tension is resolved will determine the future of the world’s monetary systems. There is no simple answer.