There’s a scene that recurs in heist films: invariably, a gang of bank robbers demands a large sum in “small, unmarked bills.”

It’s a smart stipulation (whether or not it’s common in real bank robberies). “Unmarked” means the serial numbers have not been recorded by the police. The bills’ numbers should also be random, rather than consecutive, making it harder to determine whether they are “dirty.” The point is to prevent law enforcement from later identifying—and blacklisting—the ill-gotten loot.

This brings us to last week’s Twitter breach: the Bitcoin nabbed by the hackers is very much “marked.”

In case you missed it, last week a group of hackers compromised prominent Twitter accounts and used them to trick onlookers into sending them Bitcoin. By stealing access to an internal Twitter “admin” tool, the hackers were able to take control of—and issue scam-tweets from—prized accounts, including those of cryptocurrency companies, like Coinbase and Binance, and celebs, such as Kim Kardashian, Joe Biden, and Jeff Bezos.

The hackers’ scam netted 13.14338599 Bitcoins, or roughly $120,000, per an analysis by Chainalysis, a cryptocurrency-tracing firm. But there’s a problem: Bitcoin is, as mentioned, inherently marked money. Every single Bitcoin is logged on a global blockchain ledger, open to inspection by all. Whenever a Bitcoin moves, everyone can follow it.

In the immediate aftermath of the attack, I noted that it would be downright crazy for the fraudsters to attempt to cash out. Law enforcement’s gaze is fixed on all Bitcoin wallets involved. Then again, the hackers were crazy enough to commit the crime in the first place, so maybe they will, indeed, make a run for the finish line.

In fact, since the big hack, the ill-gotten Bitcoin has already moved a number of times. The majority of the funds, originally residing in three wallets, now sit in 24 wallets. (Smaller sums have been split across an even greater number of wallets.) About 3 Bitcoins have been transferred to “mixers,” including Wasabi and ChipMixer, online services for obscuring and concealing cryptocurrency movements.

Dave Jevans, CEO of CipherTrace, another cryptocurrency-tracking firm, says that the hackers are attempting “to obfuscate the flow of funds” through a process known as “peeling.” This involves sending fractions of the loot, little by little, into mixers and exchanges that multiply the complexity of the transaction chains and make them harder to follow. (Jevans says he suspects the hackers may be trying, in some cases, merely “to troll” investigators.)

[Figure: The movement of Bitcoin following last week’s Twitter hack. Courtesy of CipherTrace.]

Such antics might be difficult for a human to track, but they’re no match for computers. Maddie Kennedy, a Chainalysis spokesperson, notes that the money launderers’ “main tactic”—using mixers—“is often possible to trace.” She adds, “With many eyes on the stolen money, any counterparties to the perpetrators will face close scrutiny.”
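As an added illustration (not part of the original article, and not any tracing firm's method), the Python example below follows flagged funds forward through a constructed ledger that includes a peel chain, tallying how much comes to rest at mixers, exchanges, and unspent wallets. The addresses, amounts, service labels, the one-spend-per-address ledger model, and the proportional split are all assumptions of the example.

```python
from collections import defaultdict, deque

SATS = 100_000_000  # satoshis per bitcoin; integers avoid float rounding

# Constructed ledger, not real chain data: address -> outputs of the one
# transaction that spends its whole balance. Fees are ignored.
LEDGER = {
    "src1": [("mixer1", SATS // 2), ("hop1", 9 * SATS // 2)],  # peel 0.5, pass 4.5
    "hop1": [("exch1", SATS // 2), ("hop2", 4 * SATS)],        # peel 0.5, pass 4.0
    "hop2": [("mixer1", 1 * SATS), ("hop3", 3 * SATS)],        # peel 1.0, pass 3.0
    "src2": [("w1", 1 * SATS), ("w2", 1 * SATS)],              # plain split
}
# Hypothetical attribution labels an analyst would hold for service addresses.
LABELS = {"mixer1": "mixer", "exch1": "exchange"}
FLAGGED = {"src1": 5 * SATS, "src2": 2 * SATS}  # wallets that received scam funds


def trace(flagged, ledger, labels, max_hops=50):
    """Follow flagged funds forward; return {category: {address: sats}}."""
    resting = defaultdict(lambda: defaultdict(int))
    queue = deque((addr, sats, 0) for addr, sats in flagged.items())
    while queue:
        addr, sats, hops = queue.popleft()
        if addr in labels:            # reached a known service: stop and record it
            resting[labels[addr]][addr] += sats
        elif addr not in ledger:      # never spent: funds are sitting here
            resting["unspent"][addr] += sats
        elif hops >= max_hops:        # guard against loops in malformed data
            resting["untraced"][addr] += sats
        else:
            outputs = ledger[addr]
            total = sum(value for _, value in outputs)
            for dest, value in outputs:
                # Pass on the flagged share of each output (proportional split).
                queue.append((dest, sats * value // total, hops + 1))
    return {cat: dict(addrs) for cat, addrs in resting.items()}


def totals(resting):
    """Sum satoshis per category, e.g. how much reached mixers."""
    return {cat: sum(addrs.values()) for cat, addrs in resting.items()}


if __name__ == "__main__":
    for category, sats in sorted(totals(trace(FLAGGED, LEDGER, LABELS)).items()):
        print(f"{category:9s} {sats / SATS:.8f} BTC")
```

However many hops the peel chain adds, every flagged satoshi is accounted for at an endpoint, and the labeled service addresses mark where the trail passes to an operator who may hold records.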

Tom Robinson, the chief scientist and cofounder of Elliptic, another Bitcoin-tracing firm, says the hackers will have to use unregulated, foreign exchanges that collect minimal data on users to maintain anonymity. From there, they could convert the Bitcoin, using so-called “coin swap” services, into harder-to-trace cryptocurrencies, like privacy-preserving Zcash or Monero.

“It’s very difficult to mask all your activity when you’re using a system that’s as transparent as Bitcoin,” Robinson said. “It’s likely the hackers will be able to cash out in some way, [but] the question is whether they will be able to do so in a way that cannot be traced back to them.”

What’s bound to ensue is a hi-tech version of an ancient artifice: the shell game. Under the noses of the Feds, the money launderers will test their ability to claim the spoils, shuffling the Bitcoin through mixers and swappers in a complicated dance of digital cups. Time will tell whether the hackers’ legerdemain is skillful enough to elude justice.

But most of us already know how these movies tend to end.

Robert Hackett



