
Post-Bitcoin Cryptocurrencies, Off-Chain Transaction Channels, and Cryptocurrency Analytics Techniques

A tutorial.

Published in: Internet

  1. 1. TUTORIAL Post-Bitcoin Cryptocurrencies, Off-Chain Transaction Channels, and Cryptocurrency Analytics Techniques Austrian Financial Market Authority (FMA) 2018-05-25 Dr. Bernhard Haslhofer Senior Scientist, Center for Digital Safety & Security
  2. 2. BACKGROUND | CRYPTOCURRENCY RESEARCH. Timeline (2014, 2017, 2020): BITCRIME, EU H2020 TITANIUM, GRAPHSENSE. Topics: Legal, Societal, Ethical Aspects; Tool and Service Ecosystem; Darknet Marketplaces; Cross-ledger Analytics; Mixing-Service Detection; Information Sharing; Post-Bitcoin Cryptocurrencies; Blockchain-based Electronic Markets. Pictured title slide: BITCOIN: Introduction, Technical Aspects, and Ongoing Developments. Bernhard Haslhofer, AIT; Aljosha Judmayer, SBA Research. Austrian Financial Market Authority (FMA), 2015-04-30.
  3. 3. “A decentralized currency without central authorities and trusted third parties” BITCOIN | PROMISES AND EXPECTATIONS 3
  4. 4. BITCOIN | REALITY: “De-facto centralization and concentration among a small number of intermediaries at various levels of the Bitcoin system” [Böhme et al. 2015] • Intermediaries: Currency Exchanges; Digital Wallet Providers; Mixing / Tumbler Services; Mining Pools; (Darknet) Market Places • < 200 exchanges, Top 5 w. 50% market share [e.g., coinhills.com] • “Top 4 Bitcoin miners have more than 53% of the average mining power. 61% of the weekly power was shared by only three Ethereum miners” [Gencer et al, 2018].
  5. 5. BITCOIN | REALITY 5
  6. 6. “Anonymous payments, no pre-assumed identities” BITCOIN | PROMISES AND EXPECTATIONS 6
  7. 7. BITCOIN | REALITY: “The use of pseudonymous addresses in Bitcoin does not provide any meaningful level of anonymity” [Kappos et al. 2018] • De-anonymization Techniques • P2P Network Analytics [e.g., Biryukov et al., 2014] • Blockchain Network Analytics: Clustering Heuristics: Multiple-Input Heuristics [Nakamoto, 2008]; Change Heuristics [Meiklejohn, 2013]; Temporal Behaviour [Ortega, 2013]; …
  8. 8. “Instant global transactions with minimal fees” BITCOIN | PROMISES AND EXPECTATIONS 8
  9. 9. BITCOIN | REALITY: “Achieving VISA-like capacity on the Bitcoin network is not possible today” [Poon and Dryja 2016] • Avg. transactions / sec: Bitcoin 3.5, VISA 2,000 • Peak volume (txs/sec): Bitcoin 7, VISA 47,000 • 47,000 x avg. Bitcoin tx size (300 bytes) x 10 min = 8GB … to be synchronized among peers every 10 min
  10. 10. BITCOIN | EXPECTATIONS VS. REALITY • Expectations: Decentralization; Anonymous Payments; Instant global transactions; Low transaction fees • Reality: De-facto centralization; Waste of energy resources; No meaningful level of anonymity; Scalability problems; Relatively high transaction fees • → New consensus protocols (e.g., Proof of Stake); Privacy-enhancing Cryptocurrencies (e.g., Monero, Zcash); Off-Chain Transaction Channels (e.g., Lightning Network)
  11. 11. • Cryptocurrency Recap • Privacy-enhancing Cryptocurrencies • Off-Chain Payment Channels • Cryptocurrency Analytics • Q & A MY PLAN FOR TODAY 11
  12. 12. BITCOIN | EXAMPLE TRANSACTION 12
  13. 13. ASYMMETRIC CRYPTOGRAPHY: Asymmetric Encryption; Digital Signature. Source: https://de.wikipedia.org/wiki/Asymmetrisches_Kryptosystem
  14. 14. New Transaction Input Output BITCOIN | EXAMPLE TRANSACTION 14 Previous Transaction Input Output archive.org’s Wallet Bernhard’s Wallet Next Transaction Input Output archive.org’s Bitcoin Address
  15. 15. TRANSACTION PROCESSING Broadcast Transaction Blockchain 15 Bitcoin P2P Network
  16. 16. TRANSACTION PROCESSING Collect pending Transactions Blockchain 16 Bitcoin Miners Bitcoin P2P Network
  17. 17. TRANSACTION PROCESSING Find & Broadcast Block Bitcoin P2P Network Bitcoin Miners Blockchain 17
  18. 18. TRANSACTION PROCESSING Synchronize Blocks Blockchain 18 Bitcoin P2P Network
  19. 19. BITCOIN | ANATOMY OF A TRANSACTION: txid: a6b06e..., blockhash: 0000ba7.. • List of inputs (each a reference to an unspent output of a previous transaction, UTXO): txid: 7f252a …., vout: 1, scriptSig: Signature • List of outputs (Bitcoin addresses): value: 0.00460479, n: 0, addresses: [1Archive…]; value: 0.00566296, n: 1, addresses: [1MuSWq…]
  20. 20. BITCOIN | INSPECT EXAMPLE TRANSACTION 20
  21. 21. • Cryptocurrency Recap • Privacy-enhancing Cryptocurrencies • Off-Chain Payment Channels • Cryptocurrency Analytics • Q & A MY PLAN FOR TODAY 21
  22. 22. PRIVACY ENHANCING CRYPTOCURRENCIES 22 Monero ZCash Dash Stealth addresses Ring signatures Ring CTs Shielded transactions Private Send
  23. 23. • One of the first and the most widely adopted CryptoNote currency • “An open source technology and concepts for the cryptocurrencies of the future” • Untraceable payments • Unlinkable transactions • Egalitarian proof of work • … • https://cryptonote.org/coins MONERO 23
  24. 24. MONERO | EXAMPLE TRANSACTION 24
  25. 25. • Stealth addresses: outside observers do not know which addresses certain transaction outputs are assigned to • Ring signatures: hide spent output among seemingly plausible ones • Ring confidential transactions (Ring CTs): hide transaction amount MONERO | SECURITY FEATURES 25 Transaction X value: ? address: ? Transaction Y Transaction Z ???
  26. 26. MONERO | KEYS • Private spend key: for signing transactions and spending funds • Private view key: view all transactions related to the account (can be shared to see balance) • Public spend key: part of Monero account address • Public view key: part of Monero account address • Monero Account, Monero Address: 44AFFq5kSiGBoZ4NMDwYtN18obc8AemS33DB LWs3H7otXft3XjrpDtQGv7SqSsaBYBb98uNbr2V BBEt7f2wfn3RVGQBEP3
  27. 27. 27 MONERO | KEY RELATIONSHIPS Monero Address 44AFFq5kSiGBoZ4NMDwYtN18obc8AemS33DB LWs3H7otXft3XjrpDtQGv7SqSsaBYBb98uNbr2V BBEt7f2wfn3RVGQBEP3 Private spend key Private view key hash Public spend key Public view key slid otherwise jeers lurk swung tawny zodiac tusks twang cajun swagger peaches tawny Mnemonic seed
  28. 28. MONERO | STEALTH ADDRESS 28 New Transaction Input Output Bob’s Account Alice’s Account Bob’s Monero Address ( + ) One-time public key Stealth address ( + + random)
  29. 29. MONERO | VIEW OUTPUT(S) 29 New Transaction Input Output Bob’s Account Alice’s Account Private view key Public spend key ( + )
  30. 30. One-time private spend key ( + ) MONERO | SPEND OUTPUT(S) 30 New Transaction Input Output Bob’s Account Alice’s Account
  31. 31. MONERO | RING SIGNATURES • A type of signature that can be performed by any member of a group • Each user has private / public key pairs • Signature is created from a number of public keys • Message signed with ring signature is endorsed by someone in a particular group of people • Not possible to compute which of the group members’ keys was used to produce the signature
  32. 32. 32 MONERO | RING SIGNATURES New Transaction Input Output Prev. Transaction 1 Input Output Prev. Transaction 2 Input Output Prev. Transaction 3 Input Output Bob’s Account Public Spend Keys Signer’s Private Spend Key Ring signature
  33. 33. MONERO | INSPECT EXAMPLE TRANSACTION 33
  34. 34. ZCASH 34 • Bitcoin fork with optional anonymity • Two transaction types • Transparent transactions (as in Bitcoin) • Shielded transactions (encrypted) • Shielded transactions hide the sender, recipient, and the value on the blockchain • Backed by highly regarded research
  35. 35. ZCASH | TRANSACTION TYPES • t-to-t: visible quantities of ZEC move between visible t addresses • t-to-z: a visible amount of ZEC moves from a visible t address to a hidden z address within the shielded pool • z-to-z: a hidden quantity of ZEC moves between hidden z-addresses • z-to-t: a hidden quantity of ZEC moves from a hidden z address out of the shielded pool to a visible t address • Diagram labels: t-to-t, t-to-z, z-to-z, z-to-t, shielded pool • “Figure 1: A simple diagram illustrating the different types of Zcash transactions. All transaction types are depicted and described with respect to a single input and output, but can be generalized to handle multiple inputs and outputs. In a t-to-t transaction, visible quantities of ZEC move between visible t-addresses (tIn, tOut ≠ ∅). In a t-to-z transaction, a visible amount of ZEC moves from a visible t-address into the shielded pool, at which point it belongs to a hidden z-address (tOut = ∅). In a z-to-z transaction, a hidden quantity of ZEC moves be-” [Kappos et al. 2018]
  36. 36. ZCASH | ANATOMY OF A TRANSACTION 36 https://blog.z.cash/anatomy-of-zcash/
  37. 37. ZCASH | SHIELDED TRANSACTION 37
  38. 38. ZCASH | TRANSPARENT TRANSACTION 38
  39. 39. • Cryptocurrency Recap • Privacy-enhancing Cryptocurrencies • Off-Chain Payment Channels • Cryptocurrency Analytics • Q & A MY PLAN FOR TODAY 39
  40. 40. PAYMENT CHANNELS | MOTIVATION 40 Blockchain Blocksize: 1 MB ca. 1500 - 2000 transactions ca 10 min Maximum throughput: ca. 7 tx / sec Major design issue: All transactions are stored on the blockchain and replicated among peers.
  41. 41. • Move massive bulk of transactions off-chain • Users • carry out transactions off-chain between each other • rely on blockchain • for settlement • to resolve dispute in case of disagreement PAYMENT CHANNELS | BASIC IDEA 41 Blockchain Off-chain transactions Settlement Resolve dispute
  42. 42. PAYMENT CHANNELS | PHASES 42 Inspired by R. Böhme “Prinzip von Off-Chain Zahlungskanälen” Blockchain Time Funding Tx Input Output Input Phase 1 “Open Payment Channel” Settlement Tx Input Output Phase 3 “Close Payment Channel” Output Phase 2 “Off-Chain Transactions”
  43. 43. • A specific payment protocol operating on top of a blockchain (Bitcoin) • Status • testing phase since January 2018 • 1st mainnet release: March 2018 • Implementation: https://github.com/lightningnetwork/lnd • Some (unreliable) statistics • ~ 2000 nodes • ~ 6000 channels PAYMENT CHANNELS | LIGHTNING NETWORK 43
  44. 44. • Cryptocurrency Recap • Privacy-enhancing Cryptocurrencies • Off-Chain Payment Channels • Cryptocurrency Analytics • Q & A MY PLAN FOR TODAY 44
  45. 45. CRYPTOCURRENCIES | BIRD’S EYE VIEW Real-world actors: Currency Exchanges, Wallet Providers, Mixers, (Darknet) Marketplaces, etc.
  46. 46. CRYPTOCURRENCY ANALYTICS | GOALS: Investigate and develop scalable quantitative methods, tools and services that contribute to a better understanding of the structure and dynamics of cryptocurrency ecosystems. Macroscopic Analysis; Microscopic Analysis
  47. 47. CRYPTOCURRENCY ANALYTICS | APPROACH • Enrichment process: Blockchain, Address Graph, Address Cluster, Tags • Statistics (as of Sept. 2017): Transactions: 249,408,683; Addresses: 296,862,290; Clusters: 30,645,426 • Address graph: nodes (= addresses): 296,862,290; edges (= aggregated transactions): 1,567,227,841 • All data points are pre-computed and stored in a de-normalized form
  48. 48. CRYPTOCURRENCY ANALYTICS | TOOL 48
  49. 49. STAKEHOLDERS 49 Science Public Authorities FinTech
  50. 50. EXAMPLE 1 Macroscopic Analysis | Ransomware Payments 50
  51. 51. • Ransomware has become dominant cybercrime threat • Over 500 families • Ransom payments almost exclusively in Bitcoin • More comprehensive, evidence-based picture still missing ANALYTICS EXAMPLE | RANSOMWARE 51
  52. 52. ANALYTICS EXAMPLE | RANSOMWARE. Excerpt shown on the slide:

      | #  | Family              | Addresses | BTC       | USD       |
      |----|---------------------|-----------|-----------|-----------|
      | 1  | Locky               | 6,827     | 15,399.01 | 7,834,737 |
      | 2  | CryptXXX            | 1,304     | 3,339.68  | 1,878,696 |
      | 3  | DMALockerv3         | 147       | 1,505.78  | 1,500,630 |
      | 4  | SamSam              | 41        | 632.01    | 599,687   |
      | 5  | CryptoLocker        | 944       | 1,511.71  | 519,991   |
      | 6  | GlobeImposter       | 1         | 96.94     | 116,014   |
      | 7  | WannaCry            | 6         | 55.34     | 102,703   |
      | 8  | CryptoTorLocker2015 | 94        | 246.32    | 67,221    |
      | 9  | APT                 | 2         | 36.07     | 31,971    |
      | 10 | NoobCrypt           | 17        | 54.34     | 25,080    |
      | 11 | Globe               | 49        | 33.03     | 24,319    |
      | 12 | Globev3             | 18        | 14.34     | 16,008    |
      | 13 | EDA2                | 23        | 7.1       | 15,111    |
      | 14 | NotPetya            | 1         | 4.39      | 11,458    |
      | 15 | Razy                | 1         | 10.75     | 8,073     |

      Table 4: Received payments per ransom family (Top 15).

      10 key addresses, with a few number of transactions and no tags, received money from both the TowerWeb and Cryptohitman addresses. Intuitively, we can assume that these two families might be related to the same real-world actors who may run two families of ransomware simultaneously or may launder money on behalf of the two different groups.

      [Figure 3: Mean payment per family with standard mean errors. Axis in USD, $0 to $7,500; families: APT, CryptXXX, CryptoLocker, CryptoTorLocker2015, DMALockerv3, EDA2, Globe, GlobeImposter, Globev3, Locky, NoobCrypt, NotPetya, Razy, SamSam, WannaCry.]
  53. 53. ANALYTICS EXAMPLE | RANSOMWARE. Excerpt shown on the slide:

      [Figure 4: Longitudinal payment trend per family. Panels: WannaCry, SamSam, Locky; date axis (MM/YYYY), payment axis in USD.]

      […] flows of ransomware payments and identify destinations, such as Bitcoin exchanges or gambling services, when contextually related information (tags) was available. Our method is reproducible and could be repeated for additional families with an updated seed dataset. Plus, computation of address clusters over the most recent state of the Bitcoin blockchain, along with more identification of clusters belonging to specific groups, could greatly increase the knowledge on the different end routes of ransomware monetary flows.

      However, we are well aware that our approach has a number of limitations. First, our methodology relies on a set of seed addresses manually collected and the effectiveness of the multiple-input heuristics for uncovering previously unknown addresses linked to this family. Thus, it misses other ransomware families as well as other addresses that might belong to the same family, but cannot be linked to the same cluster. Still, the more addresses from various families become available, the more accurate the picture of the overall market for ransom payments will become. We address this limitation by constraining our analysis to lower bound direct financial impacts, to ensure we are not claiming to assess the total impacts of a ransomware family or of the entire market for ransom payments. Second, our approach is limited by the extent and quality of the attribution data (tags) available. Without this information, clusters remain anonymous and inferences about their real-world nature are impossible. Nevertheless, we believe that such data will increasingly […]
  54. 54. ANALYTICS EXAMPLE | RANSOMWARE. First page of the paper shown on the slide:

      Ransomware Payments in the Bitcoin Ecosystem

      Masarah Paquet-Clouston, GoSecure Research, Montreal, Canada, mcpc@gosecure.ca
      Bernhard Haslhofer, Austrian Institute of Technology, Vienna, Austria, bernhard.haslhofer@ait.ac.at
      Benoit Dupont, Université de Montréal, Montreal, Canada, benoit.dupont@umontreal.ca

      ABSTRACT
      Ransomware can prevent a user from accessing a device and its files until a ransom is paid to the attacker, most frequently in Bitcoin. With over 500 known ransomware families, it has become one of the dominant cybercrime threats for law enforcement, security professionals and the public. However, a more comprehensive, evidence-based picture on the global direct financial impact of ransomware attacks is still missing. In this paper, we present a data-driven method for identifying and gathering information on Bitcoin transactions related to illicit activity based on footprints left on the public Bitcoin blockchain. We implement this method on-top-of the GraphSense open-source platform and apply it to empirically analyze transactions related to 35 ransomware families. We estimate the lower bound direct financial impact of each ransomware family and find that, from 2013 to mid-2017, the market for ransomware payments has a minimum worth of USD 12,768,536 (22,967.54 BTC). We also find that the market is highly skewed with only a few number of players responsible for the majority of the payments. Based on these research findings, policy-makers and law enforcement agencies can use the statistics provided to understand the size of the illicit market and make informed decisions on how best to address the threat.

      KEYWORDS

      […] the time of writing, there are 505¹ known ransomware families detected and almost all of them demand payments in Bitcoin [27], which is the most prominent cryptocurrency.

      Yet, global and reliable statistics on the impact of cybercrime in general, and ransomware in particular, are missing, causing a large misunderstanding regarding the severity of the threat and the extent to which it fuels a large illicit business. Most of the statistics available on cybercrime and ransomware are produced by private corporations (cf. [29, 38, 39]) that do not disclose their underlying methodologies and have incentives to over- or under-report them since they sell cybersecurity products and services that are supposed to protect their users against such threats [23]. Also, both cybercrime and ransomware attacks take place in many regions of the world and reporting the prevalence of the threat on a global level is difficult, especially when it involves a blend of fairly sophisticated technologies that may not be familiar to a large number of law enforcement organizations [23, 37]. This is unfortunate because the lack of reliable statistics prevents policy-makers and practitioners from understanding the true scope of the problem, the size of the illicit market it fuels and prevents them from being able to make informed decisions on how best to address it, as well as to determine what levels of resources is needed to control it.

      But ransomware offers a unique opportunity to quantify at least the direct financial impact of such threat: ransomware payments are transferred in Bitcoin, which is a peer-to-peer cryptocurrency […]

      Preprint available at: https://arxiv.org/abs/1804.04080
  55. 55. • Cryptocurrency Recap • Privacy-enhancing Cryptocurrencies • Off-Chain Payment Channels • Cryptocurrency Analytics • Q & A MY PLAN FOR TODAY 55
  56. 56. THANK YOU! 56 bernhard.haslhofer@ait.ac.at
  57. 57. REFERENCES
      • [Nakamoto, 2008]: Bitcoin: A peer-to-peer electronic cash system
      • [Reid and Harrigan, 2012]: An Analysis of Anonymity in the Bitcoin System
      • [Meiklejohn, 2013]: A fistful of bitcoins: characterizing payments among men with no names
      • [Ortega, 2013]: The bitcoin transaction graph—anonymity
      • [Biryukov et al., 2014]: Deanonymisation of clients in Bitcoin P2P network
      • [Fleder et al., 2015]: Bitcoin Transaction Graph Analysis
      • [Böhme et al., 2015]: Bitcoin: Economics, Technology, and Governance
      • [Haslhofer et al., 2016]: O Bitcoin Where Art Thou? Insight into Large-Scale Transaction Graphs.
      • [Gencer et al., 2018]: Decentralization in Bitcoin and Ethereum Networks
      • [Kappos et al., 2018]: An Empirical Analysis of Anonymity in Zcash
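
Added example (not from the slides and not GraphSense code): a minimal sketch of the multiple-input clustering heuristic named on slide 7 and of the seed-address expansion and lower-bound payment estimate described in the paper excerpt on slides 53 and 54. All transactions, addresses and the family tag are constructed, and the function names are hypothetical.

```python
from collections import defaultdict

# Constructed sample data, not real blockchain records; values in satoshi.
TXS = [
    {"inputs": ["victimA"], "outputs": [("r1", 50_000_000), ("victimA_chg", 9_000_000)]},
    {"inputs": ["victimB"], "outputs": [("r2", 70_000_000)]},
    {"inputs": ["victimD"], "outputs": [("r2", 30_000_000)]},
    {"inputs": ["victimC"], "outputs": [("r3", 100_000_000)]},
    {"inputs": ["r1", "r2"], "outputs": [("exchange1", 119_000_000)]},
    {"inputs": ["r2", "r3"], "outputs": [("exchange1", 129_000_000)]},
    {"inputs": ["u1", "u2"], "outputs": [("u3", 5_000_000)]},
]
SEEDS = {"r1": "ExampleFamily"}  # hypothetical seed address and family tag


class UnionFind:
    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        self.parent[self.find(a)] = self.find(b)


def cluster_addresses(txs):
    """Multiple-input heuristic: all input addresses of one transaction are
    assumed to be controlled by one entity, so they are merged into a cluster."""
    uf = UnionFind()
    for tx in txs:
        for addr in tx["inputs"] + [a for a, _ in tx["outputs"]]:
            uf.find(addr)  # register every address, even unclustered ones
        for other in tx["inputs"][1:]:
            uf.union(tx["inputs"][0], other)
    clusters = defaultdict(set)
    for addr in list(uf.parent):
        clusters[uf.find(addr)].add(addr)
    return list(clusters.values())


def expand_seeds(clusters, seeds):
    """Propagate each seed's family tag to every address in the seed's cluster."""
    expanded = defaultdict(set)
    for cluster in clusters:
        for addr in seeds.keys() & cluster:
            expanded[seeds[addr]] |= cluster
    return dict(expanded)


def lower_bound_received(txs, addresses):
    """Sum outputs paid into the cluster from outside it; transactions spent
    from cluster addresses are skipped so internal moves are not counted."""
    total = 0
    for tx in txs:
        if any(a in addresses for a in tx["inputs"]):
            continue
        total += sum(v for addr, v in tx["outputs"] if addr in addresses)
    return total


if __name__ == "__main__":
    tagged = expand_seeds(cluster_addresses(TXS), SEEDS)
    for family, addrs in tagged.items():
        print(family, sorted(addrs), lower_bound_received(TXS, addrs) / 1e8, "BTC")
```

The single seed `r1` pulls in `r2` and `r3` because `r2` is co-spent with each of them; addresses that never appear together as inputs stay outside the cluster, which is why the result is only a lower bound.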
