WannaCrypt Hackers May Have A Hard Time Claiming That Ransom Without Getting Caught

As organizations around the world continue to clean up from this weekend’s record-breaking malware outbreak, ransom payments continue to trickle in to bitcoin accounts set up by those behind the massive hack.

But even as victims transfer digital currency to the WannaCrypt extortionists in the hopes of recovering their scrambled files, it’s not at all clear that the hackers will ever be able to spend that virtual cash without getting caught.

Some security experts have suggested similarities between the ransomware code and previous attacks linked to North Korea might mean the isolated and impoverished country–previously accused in an $81 million digital robbery of the Bangladesh central bank, the notorious 2014 Sony Pictures hack, and even bitcoin thefts from South Korea computers–is behind the malware outbreak. Either way, after the hack took down systems at hospitals, police stations, and factories around the world, it’s inevitable that investigators around the world will be watching for any attempts to claim the ransom payments.

Bitcoin is seen as more anonymous than other digital payment tools like credit cards, since it’s effectively built around numbered accounts rather than names and addresses, making it a popular choice for illicit online transactions like ransom demands and drug sales. But the entire currency is built around a permanent, public log tracking how virtual coins have been transmitted from numbered account to numbered account, which experts say could make it difficult for the WannaCrypt creators to trade their digital coins for traditional cash without leaving a trail behind them for prosecutors to find.

“All these transactions are recorded in a public ledger, so everyone can follow each and every transaction that is going on,” says Marco Krohn, cofounder and CFO of bitcoin startup Genesis Mining. “It makes it relatively hard for people to launder money.”

Bitcoin analytics company Elliptic Enterprises has been tracking in real time exactly how much ransom has been sent to three virtual addresses associated with the ransomware. As of Tuesday morning, it’s just shy of $70,000 worth of the digital currency, according to the company. (Elliptic, with offices in London and Washington, D.C., didn’t immediately reply to requests for comment).

The company is one of several startups that’s sprung up to help bitcoin businesses, such as the exchanges that swap the cryptographic currency for traditional alternatives like dollars and euros, track the flow of the virtual funds, and steer clear of coins tied to shady operations. After all, despite bitcoin’s freewheeling reputation, exchanges doing business in many countries, including the United States, are typically licensed and regulated similarly to more traditional money-transmitting businesses like Western Union or MoneyGram.

“The tools that are out there, and the companies that are trying to do everything above board, tend to be pretty sophisticated when it comes to tracking illicitly received bitcoin and those movements,” says Daniel Romero, vice president of operations at San Francisco-based Coinbase, the largest bitcoin exchange in the U.S.

Romero declined to go into too much detail about the exchange’s security protocols, but he says that company policies and U.S. financial “know your customer” rules require Coinbase to verify customer identities before they can trade through the platform. And, he says, the company has safeguards in place to “verify public blockchain addresses that we know are associated with illegal activity” and prevent Coinbase from being used for criminal purposes.

“We have zero tolerance for this type of activity, and we’re doing everything in our power to make sure it doesn’t happen on our platform,” he says.

Even exchanges in jurisdictions with less stringent regulations might be reluctant to handle coins prominently linked to shady dealings, like a notorious ransomware attack, since bitcoin experts will quickly be able to link the exchanges with the unsavory practices.

“It becomes more a branding thing than anything else,” he says. “Whether or not you’re trying to do anything wrong, you’re going to be complicit and people are going to associate your exchange with the dirty money, so to speak.”

Still, the bitcoin economy has long included so-called mixing services, which advertise they can blend together bitcoins from several sources, breaking digital trails between observable transactions–in this case, ransom payments–and subsequent dealings. But criminals using those still have to trust that the service operators will really safeguard their anonymity. If they’re either intentionally or accidentally generating records that could later be obtained by law enforcement, transactions could still be traced.

“Any time one of these criminals uses an intermediary, there’s a chance that they leak some information about them,” says Jonathan Levin, cofounder of Chainalysis, a bitcoin anti-money laundering platform that says it’s checked the integrity of more than $15 billion in blockchain transactions.

Levin says Chainalysis customers, such as exchanges, can also use the fact that transactions passed through mixing services as a sign they might need a closer look.

“You would be able to identify mixing behavior in Chainalysis and then you would then assess whether you want to process those transactions or not, given the other information you know about that customer,” he says.

Still, Levin says, if the total ransom payment remains low, it’s possible that the ransom recipients will be able to cash out much of their earnings through private sales, potentially selling a few thousand dollars worth of bitcoin at a time to buyers who, for the right discount, won’t ask too many questions. That could naturally be more of an attractive option if the ransomware creators were relying on the hack to pay off debts, or simply to pay their monthly bills, he says.

“It actually really depends on the financial situation of the authors,” he says.

But part of the reason the total amount collected remains fairly low is the apparent lack of sophistication of the operation, says Levin. The authors only included a handful of bitcoin addresses–essentially, account numbers–to receive ransom payments, rather than create a unique address per extortion target as other scammers often do. That makes it easy to track payments to the scammers, since the addresses are hardcoded in the malware. But it likely makes it hard for them to match ransom payments with individual victims, something that Levin says could make some victims, such as companies with savvy security advisors, less likely to pay, out of skepticism they’ll actually get their files decrypted.

That may ironically make the ransom easier to liquidate, by making it small enough to sell to individual buyers, though the creators may be less than happy about the prospect of attracting the attention of the world’s law enforcement agencies for a share of just $70,000.

“It’s not that difficult to find people who are willing to meet you in the street with cash for the amount of money they’ve currently made,” Levin says. “If it goes a lot higher, it becomes a lot harder to cash out.”