Sandia helps federal law enforcement develop a cryptocurrency forensics tool
As Bitcoin, the most widespread cryptocurrency in use, becomes an increasingly accepted medium of exchange across the global economy, criminals have turned to the digital currency for their transactions, making it harder for law enforcement to keep track of users.
To assist law enforcement, Sandia researchers have created a set of requirements for an analysis tool that can be used to overcome the challenges brought by Bitcoin.
Andrew Cox (8116), who is leading the work for Sandia, says the law enforcement community has identified the need for new approaches and tools to aid in a variety of investigation scenarios, including complex money-laundering schemes, cyber thefts, and straightforward transactions of illegal goods. Law enforcement’s most immediate need is to reduce the time and resources necessary to trace illicit commerce.
Advantages, but a dark side, too
“Our job was to understand how Bitcoin works,” says Andrew. “Bitcoin is a new semi-anonymous currency that holds the potential to change the way all sorts of transactions work in a way that might really benefit the economy. Some of the potential benefits include making monetary transactions much more efficient, and thereby driving down the costs of doing business, making transaction histories more transparent, which could help both financial markets and financial regulation, and — depending on who you ask — reducing the risks associated with inflation and reliance on centralized monetary institutions. All that being said, it has been clear that criminals have been pioneers in using Bitcoin. They use it for drugs, for guns, child pornography, and all sorts of terrible stuff.”
Sandia’s work, conducted for the Department of Homeland Security (DHS) Science and Technology (S&T) directorate, could ultimately be delivered to other federal law enforcement agencies. DHS S&T asked Sandia to set up a graphical user interface, or front end, on the research environment so agents can test the algorithms Sandia is using in actual investigations.
“This will allow us to adjust what we’re doing to make sure we’re being of maximal use to them,” says Andrew.
The Sandia team includes Mark Boyd (8962), Lynne Burks (8116), Maggie Todd (8116), Kiran Lakkaraju (1463), Jovana Helms, Patricia Cordeiro (5635), and Ethan Chan (8954).
Keeping up with spawning innovations
Challenges faced by law enforcement include the significant time and resources needed to pinpoint users, especially since traditional means of establishing identity are not always possible. Since Bitcoin will likely spawn innovations that will enable new forms of both legitimate and illicit commerce, authorities have few battle-tested legal, policy, and technical tools to counter those illicit uses.
“The basic obstacle was trying to truly understand all of the various patterns associated with Bitcoin transactions,” Sandia researcher Andrew Cox says. “We can use past investigations as examples of patterns that will enable us to find other configurations.”
There is not a “silver bullet” algorithm to effectively de-anonymize Bitcoin, says Andrew, explaining that to do so would involve cross-referencing anonymous data with other, traditional sources of investigative data to identify suspects.
“To be successful, the reality is it’s going to take different types of algorithms and additional types of investigative techniques including good old-fashioned police work,” he says. “They’re all going to have to be combined.”
A prime example of law enforcement trying to overcome a Bitcoin challenge, Andrew says, was an online market called Silk Road that was used to sell drugs. The market was successful for several years before law enforcement was eventually able to shut it down. The success of Silk Road also demonstrated the effectiveness of The Onion Router (Tor) in maintaining the anonymity of online criminals. By using Tor, the site’s operators supported up to $1.2 billion in drug sales from more than 950,000 registered users.
“Even with the shutdown of the most famous example,” Andrew says, “the problem didn’t really abate. It just sort of slowed down but then has picked up pace again.”
Whatever its legitimate benefits, as the acceptance of Bitcoin spreads, its use as a means of conducting illicit commerce is likely to increase as well. Criminal enterprises have used Bitcoin at least in part because of the perceived ease with which transactions can be anonymized. Although anonymization of Bitcoin transactions is far from fool-proof, it has proved to be a non-trivial barrier to authorities slowing the growth of electronic illicit commerce.
“In many ways,” says Andrew, “figuring out how to effectively combat illicit Bitcoin commerce and reduce its perception as a tool of criminals can encourage more people and companies to adopt Bitcoin for legitimate purposes.”
Setting up the requirements
Sandia conducted a systems analysis of illicit e-commerce focusing on Bitcoin. The team set up a research environment to experiment with other algorithms that can de-anonymize illicit Bitcoin users. The research includes a mix of traditional and novel investigative techniques, along with existing financial regulation and innovative policy and process tools.
Once de-anonymization occurs, law enforcement can link the Bitcoin addresses to a specific alias and they will know all of the Bitcoin addresses they need to deal with.
“When you exchange Bitcoin, you don’t have information such as an e-mail address,” Andrew says. “Instead, it’s a completely random set of numbers and an anonymous Bitcoin address. Bitcoin users can use one or many Bitcoin addresses. This allows criminals to evade obvious patterns of transactions.”
The researchers were able to use some published methods to determine when different Bitcoin addresses are being used by the same users. They are now in the process of generating their own methods by characterizing transactions of Bitcoin users and applying machine learning methods to uncover patterns of interest.
“It doesn’t mean that we get their actual name because there aren’t any names associated with Bitcoin,” Andrew says. “But it will show that some transactions are controlled by the same user.”
Sandia will continue to work on the algorithmic research and focus on developing a graphical user interface so law enforcement officers can easily interact and make queries against Sandia’s research environment and what Bitcoin calls the “blockchain.”
“Our clients are happy about the requirements we’ve developed and the research we’ve done on what types of tools and capabilities are needed,” Andrew says. “The bottom line is, the work is about spending time with law enforcement officers and making sure that we put their needs first.”
What’s a Bitcoin
Created in 2009 by Satoshi Nakamoto, Bitcoin is a digital currency based on cryptographic mathematics. The underlying software is a decentralized operation that includes a network of users that verifies the validity of transactions, rather than a bank.
Bitcoin is highly anonymous and it is difficult to know who is sending and receiving funds. The main risks of using Bitcoin — difficulties in liquidating funds and currency volatility — could be offset by the ease of transport and anonymization.
Once the Bitcoin application is downloaded to a user’s computer, spending the currency is as easy as sending an email.
“Bitcoin transactions refer to their precedent transactions,” says Sandia researcher Andrew Cox. “Unlike cash, which doesn’t have memory of where you got that dollar that you paid for your coffee or your tea, with Bitcoin that’s not the case. Bitcoin actually refers back to previous transactions.”
“If you have received 10 Bitcoins,” Andrew says, “then Bitcoin refers backwards in time to all of the previous transactions that allowed you to ultimately receive that 10 Bitcoin. If you know the identity of those people who sent you those Bitcoin and whatever those previous transactions are, you know who that person is interacting with.”
He says the transactions have a key or a hash that says “for this transaction, refer back to these other transactions.”
“We know that the money came from this transaction,” he says. “This transaction in turn has a hash or a key that says all my money came from these three transactions. And so forth all the way back to the beginning.”
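As an added illustration (not Sandia's code and not part of the original article), the Python sketch below follows the input references described above back to the originating transactions on a small constructed ledger. It also groups addresses that are spent together in one transaction, which is the widely published common-input-ownership heuristic, used here as an assumption because the article does not name the methods the researchers applied. The ledger, transaction ids and addresses are all made up.

```python
from collections import deque

# Constructed sample ledger (not real blockchain data). Each transaction lists
# its inputs as (previous txid, output index) and its outputs as (address, amount).
TXS = {
    "t1": {"inputs": [], "outputs": [("addrA", 5)]},   # origin, no predecessors
    "t2": {"inputs": [], "outputs": [("addrB", 3)]},
    "t3": {"inputs": [], "outputs": [("addrC", 4)]},
    "t4": {"inputs": [("t1", 0), ("t2", 0)], "outputs": [("addrD", 8)]},
    "t5": {"inputs": [("t4", 0), ("t3", 0)], "outputs": [("addrE", 10), ("addrF", 2)]},
    "t6": {"inputs": [("t5", 1)], "outputs": [("addrG", 2)]},
}

def input_addresses(txs, txid):
    """Addresses that funded txid, resolved through the outputs its inputs reference."""
    return [txs[prev]["outputs"][idx][0] for prev, idx in txs[txid]["inputs"]]

def trace_back(txs, txid):
    """Return every ancestor transaction reachable by following input references."""
    seen, queue = set(), deque([txid])
    while queue:
        for prev, _ in txs[queue.popleft()]["inputs"]:
            if prev not in seen:
                seen.add(prev)
                queue.append(prev)
    return seen

def cluster_addresses(txs):
    """Group addresses co-spent in one transaction (common-input-ownership heuristic)."""
    parent = {}
    def find(a):
        parent.setdefault(a, a)
        while parent[a] != a:
            parent[a] = parent[parent[a]]  # path halving keeps lookups short
            a = parent[a]
        return a
    for txid in txs:
        addrs = input_addresses(txs, txid)
        for a in addrs:
            find(a)                        # register single-input addresses too
        for other in addrs[1:]:
            parent[find(other)] = find(addrs[0])
    clusters = {}
    for a in parent:
        clusters.setdefault(find(a), set()).add(a)
    return [c for c in clusters.values() if len(c) > 1]

if __name__ == "__main__":
    print("ancestors of t5:", sorted(trace_back(TXS, "t5")))
    print("co-spent address clusters:", cluster_addresses(TXS))
```

The clusters link addresses to one another, not to a name; as the article notes, tying a cluster to a person still requires cross-referencing other investigative data.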