Bitcoin is sometimes described as the “currency of criminals,” and we all see stories about how criminals use bitcoin to move money and extract ransoms. But did you know that law enforcement also uses the blockchain—bitcoin’s distributed, immutable, permanent record of transactions—to investigate cybercrime? Come learn more about how bitcoin’s underlying technology helps fight cybercrime.
(Source: RSA Conference USA 2017)
Fighting Cybercrime Using the Blockchain
1. #RSAC
SESSION ID: LAW-F02
MODERATOR:
PANELISTS:
Kathryn Haun
Stanford University, Assistant United States Attorney, Northern District of California*
* In her personal capacity
Alan Cohn
Co-Chair, Blockchain and Digital Currency Practice, Steptoe & Johnson LLP and Counsel, Blockchain Alliance
@fifteencharlie
Jonathan Levin
Co-Founder and CRO
Chainalysis, Inc.
@jony_levin, @chainalysis
6. #RSAC
Ransom Sum
Your files have been encrypted and you are required to pay a 3 BTC to
following Bitcoin address : 12z5dAHP7GJjZsYvHHVsmwjqQLREwHZqix
7. #RSAC
FBI Guidance
While the FBI does not support paying a ransom, it recognizes executives, when faced with inoperability issues, will evaluate all options to protect their shareholders, employees, and customers.
When reporting ransomware to a local field office, please give:
Date of Infection
Ransomware Variant (identified on the ransom page or by the encrypted file extension)
Victim Company Information (industry type, business size, etc.)
How the Infection Occurred (link in e-mail, browsing the Internet, etc.)
Requested Ransom Amount
Actor’s Bitcoin Wallet Address (may be listed on the ransom page)
Ransom Amount Paid (if any)
Overall Losses Associated with a Ransomware Infection (including the ransom amount)
Victim Impact Statement
How do I contact the FBI?
Visit nomoreransom.org
10. #RSAC
Ransom on the blockchain
https://blockchain.info/address/12z5dAHP7GJjZsYvHHVsmwjqQLREwHZqix
11. #RSAC
Analyzing the Ransomware behavior
[Diagram. Nodes: My wallet (e.g. CoinBase); Another victim’s wallet; Ransom wallet (may be unique), shown twice; Sweeper; Deposit Wallet. Grouping label: Same cluster. Edge labels: Full payment; Partial payment. Legend: Victims, Ransomware, Exchange.]
Each exchange deposit wallet corresponds to one ransomware operation.
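An added example, not code from the presentation or from Chainalysis: a Python illustration of the grouping this slide states, where ransom wallets whose funds reach the same exchange deposit wallet are attributed to one operation. The transfers, the placeholder address names and the ransom wallet to sweeper to deposit wallet flow are constructed assumptions; the 3 BTC demand is the figure from the ransom note slide, and a real ledger uses multi-input transactions rather than simple sender/receiver pairs.

```python
from collections import defaultdict

# Constructed sample ledger: (from_address, to_address, amount_btc).
# All names are placeholders, not real Bitcoin addresses.
TRANSFERS = [
    ("victim_wallet_1", "ransom_A", 3.0),        # full payment
    ("victim_wallet_2", "ransom_B", 1.5),        # partial payment
    ("victim_wallet_3", "ransom_C", 3.0),        # full payment
    ("ransom_A", "sweeper_1", 3.0),
    ("ransom_B", "sweeper_1", 1.5),
    ("sweeper_1", "exchange_deposit_X", 4.5),
    ("ransom_C", "sweeper_2", 3.0),
    ("sweeper_2", "exchange_deposit_Y", 3.0),
]
EXCHANGE_DEPOSITS = {"exchange_deposit_X", "exchange_deposit_Y"}
RANSOM_WALLETS = {"ransom_A", "ransom_B", "ransom_C"}
RANSOM_DEMAND_BTC = 3.0  # amount demanded in the ransom note slide

def reachable_deposits(graph, start, deposits):
    """Follow funds forward from start; return the deposit wallets reached."""
    seen, stack, found = {start}, [start], set()
    while stack:
        node = stack.pop()
        if node in deposits:
            found.add(node)
            continue  # stop at the exchange: funds are pooled past this point
        for nxt in graph.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return found

def cluster_by_deposit(transfers, ransom_wallets, deposits):
    """Group ransom wallets by the exchange deposit wallet their funds reach."""
    graph = defaultdict(set)
    for src, dst, _amount in transfers:
        graph[src].add(dst)
    clusters = defaultdict(set)
    for wallet in ransom_wallets:
        for deposit in reachable_deposits(graph, wallet, deposits):
            clusters[deposit].add(wallet)
    return {dep: sorted(wallets) for dep, wallets in clusters.items()}

def payment_status(transfers, ransom_wallets, demand):
    """Label each ransom wallet 'full' or 'partial' by total BTC received."""
    received = defaultdict(float)
    for _src, dst, amount in transfers:
        if dst in ransom_wallets:
            received[dst] += amount
    return {w: "full" if received[w] >= demand else "partial" for w in ransom_wallets}
```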
25. #RSAC
OSINT Gathering
DarkNetSoftware | Alphabay User Profile
NO DELIVERY IS GUARANTEED ON A SPECIFIC DATE
After some downtime of Alphabay, we have added our listings of our same products
ABRAXAS – DarkNetSoftware1
DREAM MARKET – DarknetSofrtware12
REAL DEAL – DarkNetSoftware
ATTENTION New BTC address
1D4h7KYG3F7XjiNbvT1y1YGzVziiKXqS3M
1GZbTevmN1qob8sHFY57ohh2ksam3R7opR
29. #RSAC
Apply What You Have Learned Today
After today’s session, you should understand:
How law enforcement conducts cybercrime investigations using the blockchain
What resources exist to assist law enforcement and private companies with blockchain analytics
Should you become the victim of a ransomware attack or other cybercrime involving digital currencies, you should be able to:
Effectively engage with law enforcement and prosecutors with respect to investigating and prosecuting the crime
Take steps to make it easier to investigate and prosecute the crime
30. #RSAC
Contact
Alan Cohn – acohn@steptoe.com
Jonathan Levin – jonathan@chainalysis.com
Kathryn Haun – kathryn.haun@usdoj.gov