[Cryptography] Bitcoin theft and the future of cryptocurrencies

grarpamp grarpamp at gmail.com
Mon Dec 25 16:45:47 PST 2017


> https://www.reddit.com/r/DarkNetMarkets/comments/5cb74u/blockchain_analysis_and_antimoney_laundering/
>
> (Unfortunately the original text of the above post has been deleted. I've
> been looking for an archived copy but haven't found one yet. Suffice to say,
> it showed that as of 2016 law enforcement already had off-the-shelf software
> capable of deanonymizing coinjoin'd transactions.)

Nothing really new here that wasn't understood by
blockchain tech community in early days...

==========
https://www.reddit.com/r/DarkNetMarkets/comments/5cb74u/blockchain_analysis_and_antimoney_laundering/
Blockchain Analysis and Anti-Money Laundering (X-post from /r/DarknetmarketsOz)
submitted 20161110T233518 by Realitybytes_
http://archive.is/zLPcs

As promised many months ago, I have attended my first CP session on
AML/CTF for cryptocurrency and I am now in a position to discuss at a
high level what the current state of play is.
While AML issues have not been touched on in this course yet
(strategies and counter strategies will be discussed in session 2), I
felt some of these issues are too important to wait for a better write
up post this time and the overall method they are using to undertake
AML analysis is now exceptionally clear.
I note some of the technology demonstrated to us in these sessions is
very new (been in use for less than 90 days) and from what we are
being shown, it's powerful enough that some significant steps may need
to be taken in the future to avoid being tagged, I will address this
after outlining what is being demonstrated to us.
────────
The current state of play
Not much surprise to many of you who are concerned with significant
opsec, however banks have been indiscriminately flagging every
transaction related to bitcoin purchases and sales for quite some
time, I even raised this in my previous post on AML/CTF.
When I raised this previously, I assumed it was just regular AML/CFT
controls, however I was wrong, this information has been used in a
project I was not privy to, and this data from the banks I have
worked with (in Australia) has been consolidated with many banks
within the 5 eyes and provided to a data science corporate (Palantir)
to conduct large scale inference matching alongside the distributed
ledger.
From what was demonstrated, this software basically matches up all
transactions that show funds being flowed into the block chain (via
banks, credit cards and KYC/verified websites) and matches this
information up to begin building out a map of who wallets relate to.
The software is currently being developed to undertake profile
matching (albeit this is only in a preliminary stage) so if you have
sent funds to the same wallet from a different wallet, it will link
them to the owner again (this is still inherently inaccurate).
────────
What this means for buyers
The systems in place seem heavily predicated around buyers not vendors
which I found surprising, with the early reports showing that in as
few as 2 transactions matched between the block chain distributed
ledger and bank accounts de-anonymising wallets which is undertaken
using information relating to a weight price of bitcoin (with
tolerances) and the tracking of the specific value of bitcoins being
sent, due to the finite nature of bitcoin transactions flowing from
bank accounts to wallets this is already being tracked in real time.
From our conversations (and inherent alarm of this in the audience,
leading to the conclusion there are plenty of my peers buying from
markets) as far as we have ascertained, this data is not yet being
used for any purpose aside from mass de-anonymising users, which leads
my peers and me to believe that the movement of funds alone cannot be
used for raising charges, this does raise other concerns at an
administrative level, as it is likely this data could be shared
between government bodies to authorise a "probable cause" warrant on
mail and houses.
I can also confirm that this software was used in the most recent
police sting in New Zealand, adding weight to the conclusion that
judges are comfortable signing warrants on this information.
If you have always undertaken cash purchases of LBC, avoided KYC
requirements and never cashed out bitcoins, you are likely still
anonymous.
────────
What this means for vendors
As detailed above, as the software undertakes bank and transaction
matching to wallets as long as they have never directly cashed out
money from a wallet to their bank, they should still be safe.
This section will likely be expanded on post session two when we
address AML concerns.
────────
Tumblers are useless
Against my better judgement, I’m going with this click bait heading,
but the premise is correct.
Due to the software running real time analysis on the ledger, simply
avoiding taint and breaking up coins is now entirely ineffective, as
it matches the full bitcoin amount to be received over a period of
time, as the software is built around a neural net of sorts (talking
out of school here, I’m not a programmer) it appears to self-correct
in real time as a more "likely" or "accurate" owner conclusion is
reached.
────────
Frequently asked questions
These are the questions asked in the audience and their response (not
mine; I have no opinion either way).
How quickly can it de-anonymise a user? If the user has sent coins
from a KYC verified organisation, the wallets sent through will be
de-anonymised in real time, otherwise it will assign a unique primary
key to the wallet once it has been identified as unique and it will
flag all wallets believed to be owned by this user.
Who is this data currently being shared with? The information is
available to all major international anti-crime organisations; however
at this time the analysis has been undertaken for Australia, New
Zealand, America, Canada and the United Kingdom.
How will this impact other cryptocurrencies? The overall process is
determined to be identical, if there is a block chain to be analysed
and a trade of cash to these coins it is anticipated we will continue
to de-anonymise wallets.
How will this be used to combat the drug trade? The software will
inherently flag dealer wallets in the same process it flags
purchasers; however as the overall end result between buyers and
sellers is the opposite this information will be used to assist law
enforcement to identify volume of sales based on turnover.
Are we legally allowed to utilise this information? As
cryptocurrencies are determined to be an asset not a currency, the
existing laws allow this to be monitored similar to that of any
asset.
What about monero? We believe due to the low adoption rate, difficulty
in obtaining coins and converting into cash that monero adoption will
continue to be low, similar to that of any alternative cryptocurrency.
────────
What measures should now become the default
Under no circumstance should you be purchasing bitcoins from any KYC
verified organisation, and banks should be avoided.
Purchasing in cash is now the default.
Wallets should be changed regularly, on a "per transaction"
basis if possible.
Everyone should send bitcoins in rounded amounts from 0.25 to 1.0,
this would destroy the entire matching algorithm, if we all just send
coins in amounts of 1.0 it would be impossible to ascertain users if
we avoided KYC.
All bitcoin movements should be undertaken via a non-domestic VPN or TOR
────────
Apologies if this article seems like a doom and gloom speech, I am
actually surprised as to how well developed this process is.
I got to play with the software for a few minutes and I was surprised
to see it knew I purchased bitcoins and what my wallet was (fortunately
for me, there was no solid line to a market).
If you have any questions, please let me know, I will do another
follow up post my session two, however this is booked in for February,
so in the meantime stay safe and stay anonymous.

==========
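
The amount-and-time matching described in the post above (a bank-side purchase converted at a reference price, with a tolerance, then looked for on the ledger, with a link made after as few as 2 matches) can be sketched as follows. This is an added example, not part of the original post and not the vendor's software; every record, price, threshold and name in it is a constructed assumption.

```python
from collections import Counter
from datetime import datetime, timedelta

# All records below are constructed for illustration; none are real.
BANK_PURCHASES = [  # (customer, fiat paid to a KYC exchange, time)
    ("customer-A", 500.00, datetime(2016, 11, 1, 10, 0)),
    ("customer-A", 1240.00, datetime(2016, 11, 3, 15, 30)),
    ("customer-B", 500.00, datetime(2016, 11, 1, 10, 20)),
]
CHAIN_OUTPUTS = [  # (receiving address, BTC value, time seen on the ledger)
    ("addr-1", 0.6940, datetime(2016, 11, 1, 10, 40)),
    ("addr-2", 0.6955, datetime(2016, 11, 1, 11, 5)),
    ("addr-1", 1.7100, datetime(2016, 11, 3, 16, 10)),
    ("addr-3", 0.2500, datetime(2016, 11, 3, 16, 0)),
]
# Assumed daily reference price (fiat per BTC), standing in for the
# "price of bitcoin (with tolerances)" mentioned in the post.
PRICE = {datetime(2016, 11, 1).date(): 720.0,
         datetime(2016, 11, 3).date(): 725.0}


def candidates(fiat, when, tol=0.01, window=timedelta(hours=2)):
    """Addresses that received roughly fiat/price BTC shortly after `when`."""
    expected = fiat / PRICE[when.date()]
    return {addr for addr, value, seen in CHAIN_OUTPUTS
            if timedelta(0) <= seen - when <= window
            and abs(value - expected) / expected <= tol}


def link_wallets(min_hits=2):
    """Link a customer to an address only when it is the single address
    matched by at least `min_hits` of that customer's purchases."""
    hits = {}
    for customer, fiat, when in BANK_PURCHASES:
        hits.setdefault(customer, Counter()).update(candidates(fiat, when))
    linked = {}
    for customer, counter in hits.items():
        strong = [addr for addr, n in counter.items() if n >= min_hits]
        linked[customer] = strong[0] if len(strong) == 1 else None
    return linked


if __name__ == "__main__":
    for customer, addr in link_wallets().items():
        print(customer, "->", addr or "ambiguous, no link made")
```

A single purchase leaves two candidate addresses in this sample; the second purchase is what singles one out, while the customer with only one purchase stays unlinked.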

