Mastercard's CipherTrace Used 'Honeypots' to Gather Crypto Wallet Intel

Time: 2022-01-28

On March 3, 2020, just before lunchtime in Washington, D.C., Stephen Ryan sent someone at the U.S. Treasury department a thank-you note with a curious detail.

The chief operating officer and co-founder of cryptocurrency sleuthing firm CipherTrace, Ryan was one of 16 executives who attended an industry summit the day before with then-Treasury Secretary Steven Mnuchin. Along with his gratitude for the meeting, Ryan attached a slide deck that laid out CipherTrace’s strategy for demystifying crypto wallets. Among those methods: “honey pots.”

This article is part of CoinDesk’s Privacy Week series.

Ryan’s note was part of a 250-page trove of Mnuchin's emails obtained by CoinDesk through a Freedom of Information Act (FOIA) request. Portions of his slide deck closely resemble CipherTrace’s public promotional materials. Those, too, have referenced “honeypots,” or the similar “crypto money pots,” since at least 2018.

What did CipherTrace mean by these terms? The cybersecurity community uses the phrase “honey pot” to describe a decoy target that collects intelligence on unsuspecting attackers. In other words, a trap.

Slide from CipherTrace presentation to Treasury, March 3, 2020.

CipherTrace, which payments giant Mastercard purchased last autumn for an undisclosed price, is part of a cottage industry that monitors the $14 billion-a-year crossroads of cryptocurrency and crime. Sifting through millions of daily transactions recorded on blockchains, or public ledgers, firms such as Chainalysis, TRM Labs and Elliptic search for red flags and illicit movements, labeling suspect addresses as they go.

The companies cast their services as essential to normalizing crypto and stamping out crime. Detractors lambast these tracing firms as on-chain narcs, even though they are primarily working with public information.

CipherTrace wouldn’t be the first company in this niche to set snares in hopes of capturing information that can’t be found on-chain. Chainalysis, the leading crypto tracing vendor, has for years owned a wallet explorer site that captures visitors’ IP addresses and links them to the blockchain addresses they looked up. The company acknowledged this practice only in October, a month after CoinDesk published an article drawing attention to it.

More than half a dozen cryptocurrency industry veterans told CoinDesk they had no idea what CipherTrace meant by “honeypots.” In a statement provided to CoinDesk, the Los Gatos, Calif.-based company gave the basic computer security definition without explaining what it meant in the context of blockchain analysis.


Screengrab of CipherTrace website, Jan. 27, 2021

“A ‘crypto money pot’ or ‘honeypot’ is a security term referring to a mechanism that creates a virtual trap to lure would-be-attackers,” CipherTrace said, adding that the documents mentioning these tactics are old. “CipherTrace does not use ‘crypto money pots’ anymore,” it said (although the company’s website touted both money and honey pots as of Thursday).

CoinDesk asked CipherTrace: “Does your firm collect IP address data for the purposes of linking them to wallet addresses?”

A CipherTrace representative responded: “As a privacy-focused company, CipherTrace does not map IP data to private individuals.”

She did not answer CoinDesk’s question of whether CipherTrace maps IPs to wallets. CoinDesk asked a second time if CipherTrace maps IP addresses to wallet addresses. CipherTrace did not respond.

Such caginess “is a frequent issue in the privacy space, when we talk about network identifiers like IP addresses,” said Sean O’Brien, a cybersecurity researcher. “Companies try to distance themselves from what you would traditionally call personally identifiable information by saying IP addresses are something else. In fact, they're incredibly useful for identifying households, businesses and individuals.”

For example, “if you need to investigate a Bitcoin transaction related to a suspected cybercrime, IP addresses are exactly the kind of information you’d be looking for,” O’Brien said. “The earliest cases involving law enforcement and the internet hinge on IP addresses as evidence, for good reason. And, they’re just as useful to harass and stalk people as they are to prosecute them.”

Following the money
Tracing companies have long been a major if under-recognized force in crypto’s institutional march. Fighting back against the perception that bitcoin is primarily a criminal finance tool, they parse the data to pinpoint the meager share that actually is.

Chainalysis recently estimated that 0.15% of crypto transactions in 2021 were illicit – by far the smallest percentage on record. (“Illicit” wallets amassed a record-high $14 billion last year, a seemingly paradoxical stat that Chainalysis attributed to crypto’s booming growth.)

CipherTrace says its mission is to “grow the cryptocurrency economy by making it trusted by governments, safe for mass adoption and protecting financial institutions from crypto laundering risks.”

Taken from the presentation shared with the Treasury Department, that description would likely be shared by every competing firm. It gets at the heart of detractors' concerns. Privacy maximalists believe Bitcoin’s radically transparent but pseudonymous nature ought to flow independent of the state, and they see these companies’ work as a betrayal of that ideal.

“It's kind of an invasion of privacy of users, the same way that you might complain about centralized web analytics companies that are collecting IP addresses and putting cookies on people's computers and tracking them from site to site,” said John Light, a longtime crypto educator, writer, podcaster and event organizer.

On-chain analytics is, at its core, an attribution race.

In cybersecurity circles, attribution means identifying the perpetrators of a hack. In the crypto context, it refers specifically to blockchain sleuths’ practice of linking pseudonymous wallet addresses to identifiable actors. These actors could be licensed crypto exchanges or custodians, ransomware attackers, darknet marketplaces or sanctioned individuals or entities.

For example: Anyone with an internet connection can see that, say, wallet abc123 transferred 0.5 BTC to zxy987; this information is rather useless on its own. But a tracer database might document that the U.S. Office of Foreign Assets Control has identified zxy987 as belonging to a sanctioned African warlord. Or it could show that abc123’s bitcoin was stolen from an exchange.

That’s valuable information for exchanges that want to cut out illicit activity, for users who want to keep their coins clean, for governments who want to follow the money. It comes together through rigorous attribution.

With potentially millions of dollars in investigatory contracts up for grabs, these companies have an acute need to mine novel attribution data. CipherTrace, for example, has scored 20 contracts with federal agencies, worth up to $3.5 million, since 2018, the most recent being an expert witness job, according to public records.


CipherTrace contract data

In an industry that rewards builders of nuanced, detailed attribution datasets – and a field where criminals are hungry for intelligence to help them escape notice – guarding the attribution secret sauce is paramount, two longtime practitioners said.

Nevertheless, in his email to the Treasury Department, Ryan offered a taste “of how cryptocurrency attribution is achieved.” Honeypots were listed as one of the “active” strategies in the slide deck.

Chainalysis: Blockchain attribution ace

CipherTrace’s biggest competitor began operating its own novel technique three years before.

Founded in 2014 and valued in June at $4.2 billion, Chainalysis is the tracing industry’s big kahuna. It has racked up tens of millions of dollars in federal contracts selling software that visualizes on-chain activity. While anyone with an internet connection can self-sift through public blockchain records, you’d need a little help to make sense of what you find down the rabbit hole.

But the tracer’s true business ace is its attribution dataset, three industry insiders said. No other company has amassed a trove of wallet data as detailed as Chainalysis’, the sources said.

That’s partly because no other tracer has as massive a business footprint. Chainalysis provides tracing software to 500 “virtual asset service providers,” or VASP, as regulators call them. It's a mutually beneficial relationship. The businesses get powerful crypto compliance tools, and Chainalysis adds their wallet addresses to its global database. It does not, however, ask clients for data on their customers.

“We can’t speak for all other vendors. It’s possible other vendors may ask for more information. But Chainalysis is concerned only with service-level transaction data,” the company explained in a 2019 blog post. In other words, it identifies only businesses that it knows control wallets, not people.

But that wasn’t the whole story, and Chainalysis’ customers, and public information about wallets, were not the firm’s only sources of intel.

In an undated slideshow for Italian police that was leaked in September, a Chainalysis sales team described how the company’s vast network of Bitcoin and Electrum wallet nodes captures valuable user data, such as IP addresses, from connecting wallets. This helped investigators follow meaningful criminal leads, the presentation said.


By Danny Nelson
