#RSAC
SESSION ID: LAW-F02

Fighting Cybercrime Using the Blockchain

Kathryn Haun
Stanford University, Assistant United States Attorney, Northern District of California*
* In her personal capacity

Alan Cohn
Co-Chair, Blockchain and Digital Currency Practice, Steptoe & Johnson LLP and Counsel, Blockchain Alliance
@fifteencharlie

Jonathan Levin
Co-Founder and CRO, Chainalysis, Inc.
@jony_levin, @chainalysis

Fighting cybercrime using the blockchain
Two short stories

Act 1: The Ransom

Introducing some characters
Alan Cohn: “The Strategy Guy”
Kathryn Haun: “The Investigator”
Jonathan Levin: “The Analyst”
???????: “The Villain”

Emergence of Ransomware

Ransom Sum
Your files have been encrypted and you are required to pay a 3 BTC to following Bitcoin address : 12z5dAHP7GJjZsYvHHVsmwjqQLREwHZqix

FBI Guidance
While the FBI does not support paying a ransom, it recognizes executives, when faced with inoperability issues, will evaluate all options to protect their shareholders, employees, and customers.
When reporting ransomware to a local field office, please give:
- Date of Infection
- Ransomware Variant (identified on the ransom page or by the encrypted file extension)
- Victim Company Information (industry type, business size, etc.)
- How the Infection Occurred (link in e-mail, browsing the Internet, etc.)
- Requested Ransom Amount
- Actor’s Bitcoin Wallet Address (may be listed on the ransom page)
- Ransom Amount Paid (if any)
- Overall Losses Associated with a Ransomware Infection (including the ransom amount)
- Victim Impact Statement
How do I contact the FBI?
Visit nomoreransom.org

Locky Infection

Teslacrypt Infection

Ransom on the blockchain
https://blockchain.info/address/12z5dAHP7GJjZsYvHHVsmwjqQLREwHZqix

Analyzing the Ransomware behavior
[Diagram. Node labels: My wallet (e.g. CoinBase); Another victim’s wallet; Ransom wallet (may be unique), shown twice; Sweeper Deposit Wallet. Edge labels: Full payment; Partial payment. Grouping label: Same cluster. Legend: Victims, Ransomware, Exchange.]
Each exchange deposit wallet corresponds to one ransomware operation.
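
Added example, not from the original slides: a Python sketch of the grouping the diagram describes, tracing each ransom wallet forward to the exchange deposit wallet it cashes out at and grouping the wallets that share one. All wallet labels and transfers are constructed; the sweeper is assumed to be an intermediate hop, the deposit wallets are assumed to be already attributed to an exchange, and the 3 BTC demand from the ransom note separates full from partial payments.

```python
from collections import defaultdict

SAT = 100_000_000  # satoshis per BTC

# Constructed sample transfers (sender, receiver, satoshis); every label is made up.
TRANSFERS = [
    ("victim-A", "ransom-1", 3 * SAT),
    ("victim-B", "ransom-2", 3 * SAT // 2),
    ("victim-C", "ransom-3", 3 * SAT),
    ("ransom-1", "sweeper-X", 3 * SAT),
    ("ransom-2", "sweeper-X", 3 * SAT // 2),
    ("sweeper-X", "deposit-EX1", 9 * SAT // 2),
    ("ransom-3", "deposit-EX2", 3 * SAT),
]
RANSOM_WALLETS = {"ransom-1", "ransom-2", "ransom-3"}
# Assumption: these deposit wallets were already attributed to an exchange.
EXCHANGE_DEPOSITS = {"deposit-EX1", "deposit-EX2"}


def trace_to_deposits(start, transfers, deposits):
    """Follow outgoing transfers from `start`; return the exchange deposits reached."""
    out = defaultdict(set)
    for src, dst, _ in transfers:
        out[src].add(dst)
    seen, stack, hits = {start}, [start], set()
    while stack:
        for nxt in out[stack.pop()]:
            if nxt in deposits:
                hits.add(nxt)          # stop here: funds entered the exchange
            elif nxt not in seen:      # visited set guards against cycles
                seen.add(nxt)
                stack.append(nxt)
    return hits


def group_by_operation(ransom_wallets, transfers, deposits):
    """Map each exchange deposit wallet to the ransom wallets that cash out there."""
    ops = defaultdict(list)
    for wallet in sorted(ransom_wallets):
        for dep in trace_to_deposits(wallet, transfers, deposits):
            ops[dep].append(wallet)
    return dict(ops)


def payment_status(ransom_wallets, transfers, demanded):
    """Label each ransom wallet 'full', 'partial' or 'unpaid' against the demand."""
    got = defaultdict(int)
    for _, dst, sats in transfers:
        got[dst] += sats
    return {w: "full" if got[w] >= demanded else "partial" if got[w] else "unpaid"
            for w in ransom_wallets}
```

Each key returned by `group_by_operation` is one candidate operation and one exchange account to name in a legal request; `payment_status` shows which victims paid the full demand.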

Analyzing the Ransomware behavior

We are not the only victim

Geographic distribution of victims

Following the money

Subpoena to exchange
Main Street Bitcoin Exchange

Subpoena Response
John Locky
939-876-9874
jlocky@google.com
IBAN NUMBER: 2139-12312394
BANK: BIG BANK

Private-Public Partnerships

Act 2: The Vendor

Malware shopping

Controlled buy requires BTC

Top up my Alphabay account

Revenue estimates

Encrypted communications

OSINT Gathering
DarkNetSoftware | Alphabay User Profile
NO DELIVERY IS GUARANTEED ON A SPECIFIC DATE
After some downtime of Alphabay, we have added our listings of our same products
ABRAXAS – DarkNetSoftware1
DREAM MARKET – DarknetSofrtware12
REAL DEAL – DarkNetSoftware
ATTENTION New BTC address
1D4h7KYG3F7XjiNbvT1y1YGzVziiKXqS3M
1GZbTevmN1qob8sHFY57ohh2ksam3R7opR

Tracking the Bitcoin

Physical search warrant

Epilogue

Apply What You Have Learned Today
After today’s session, you should understand:
- How law enforcement conducts cybercrime investigations using the blockchain
- What resources exist to assist law enforcement and private companies with blockchain analytics
Should you become the victim of a ransomware attack or other cybercrime involving digital currencies, you should be able to:
- Effectively engage with law enforcement and prosecutors with respect to investigating and prosecuting the crime
- Take steps to make it easier to investigate and prosecute the crime

Contact
Alan Cohn – acohn@steptoe.com
Jonathan Levin – jonathan@chainalysis.com
Kathryn Haun – kathryn.haun@usdoj.gov
