In March 2009, representatives of crime agencies including MI6 and the FBI, as well as Her Majesty’s Revenue and Customs, gathered for a closed session at a conference in a central-London hotel. The topic: the potential use of virtual currencies by organised criminals and terrorists.
“At the time, everyone was getting very exercised about Second Life,” recalls Dr Simon Moores, a former technology ambassador for the UK government, who convened the session as chair of the international e-Crime Congress. The online virtual world, launched in 2003, allowed users to buy virtual goods in virtual Linden Dollars, named after Linden Lab, the company behind the game.
“Bad guys were using this currency to buy virtual Picassos for $500,000 as a way of laundering the money,” Moores adds. Later that day, he wrote in his notes: “I’m still trying to digest the fantastic scale of the criminal opportunities and the money that can be made and laundered outside the control of law-enforcement agencies and Governments.”
Almost a decade later – an age in digital evolution – those same agencies are absorbing the impact of a rather different and wider ranging breach of cybersecurity, and the potentially vast implications for the current criminal currency of choice: bitcoin, which quietly landed online just weeks before the London conference.
Victims of the WannaCry ransomware attack, which started on Friday, received a simple message on their computer screens: if you want to see your computer files again, pay us $300 (£230) inside the next 72 hours and we’ll unlock them for you, no questions asked. The ransomware had spread automatically between computers with out-of-date security patches, affecting hundreds of thousands of users at dozens of organisations including the NHS, as well as railways in Australia and a car plant in France.
Analysis Who is to blame for exposing the NHS to cyber-attacks?
Could the government or intelligence agencies have done more to protect the health service from cybercriminals?
In the earliest days of ransomware attacks, which often gain initial entry to a system via an innocuous-looking email containing a link that, when clicked, offers a hacker access to a network, payment methods were limited. “The odd hacker here or there could deliver a message to send money via Western Union or to a bank account, but that transfer was always traceable once the authorities were involved,” says Dr Kevin Curran, professor of cybersecurity at Ulster University. Perhaps the first ransomware attack came in 1989, when the Aids trojan horse virus threatened to encrypt files unless a ransom of $189 was sent to a PO Box address in Panama.
Then came Bitcoin, a virtual or cryptocurrency invented by Satoshi Nakamoto, the alias for an anonymous programmer or collective, and launched in 2009. It offers two major advantages for cybercriminals: by operating as a decentralised currency, in which people pay each other without a middleman (like a bank or credit card company), it provides a lot of anonymity. Bitcoins, which are now worth more than £1,300 each (there are smaller denominations, naturally) can be held in virtual wallets identified only by a number. According to a recent Cambridge University study published last month, as many as six million people around the world have such a wallet, spending bitcoins on goods such as theatre tickets and beer from a growing number of retailers now accepting the currency, as well as illicit goods including drugs and weapons on the virtual black market.
Using the currency is also increasingly easy to do, and that also applies to cybercriminals seeking to launch ransomware attacks. “If you have the skills to get an iTunes account you can probably download a ransomware toolkit, an automated bit of software, and start distributing it,” says David Prince, a cybersecurity specialist and a director at Baringa Partners, a London-based tech consultancy. “You can then go on the darknet and ‘wash’ your bitcoins and convert them back into cash.”
The developers of these tools make money themselves by including a means for taking a cut of any criminal proceeds gained by the user. That’s automated, too, and the sophistication and accessibility of the software means attacks can be launched at scale. Ransom demands are made affordable, with instructions for how to create a virtual wallet and buy the sufficient bitcoins to pay the money in return for a code that will unlock the data on a computer or network. The ransomware industry is so rife that, according to research by cybersecurity firm Malwarebytes last summer, 40% of companies surveyed had been targeted worldwide, and 54% in Britain.
Increasingly, analysts say, targeted companies are choosing to cough up and move on. While he declines to name names, Moores says big banks are stockpiling bitcoin as ransom reserves. Prince has found the same across other industries, but warns companies to hesitate, lest organised gangs add them to a known list of payers, increasing the likelihood of further attacks. “There’s also nothing stopping them from adding a backdoor,” he says, by which he means a way for the attacker to copy or pass on the data they promise supposedly to release on payment of the ransom.
The potential for bitcoin to enable ever bigger cybercrime is hard to assess, but there are extortion attempts taking place that make WannaCry look like child’s play (notably, by this morning, monitoring of the anonymous accounts used to collect the ransom payments in Friday’s attack showed a total haul of only $50,000). “For some companies, sometimes ransomware demands aren’t even worth the time it takes to call IT to try to find out if there’s a backup,” says Moty Cristal, a professional negotiator at Nest Negotiation Strategies in Tel Aviv.
When the stakes are higher, bitcoin sums demanded in extortion cases can amount to millions of dollars. That’s when big corporations and governments call in Cristal, a former Lt Col in the Israeli Defence Force. He learned his trade in hostage situations. He says he helped secure the release in 2002 of Franciscan monks being held by suspected Palestinian militants inside a West Bank church. “In extortion scenarios, they threaten to leak data to competitors or steal identities,” he says from Moscow, where he is on business (he won’t elaborate). “Then the owner of that data is willing to pay a lot of money.” Cristal says last year he negotiated with the hackers of a major financial company, getting them to drop their ransom demand by half. “That was one of my best results,” he says. While the “emotional turbulence” in cyber-ransom scenarios is lower, he says the job is pretty much the same. “Basically, people are people are people,” he adds.
Where the ends are illicit, the means almost always involve bitcoins. Andres Baravalle, a computer scientist at the University of East London, studies retail on the darkweb, the sort of parallel internet where websites sit on heavily encrypted networks where identities can be easily hidden. Online marketplaces such as AlphaBay are booming and, when they are accessed, can be as user friendly as eBay or Amazon. Drugs and guns can be bought as well as black-market goods and even stolen Uber accounts or forged train tickets. Last year, AlphaBay began accepting Monero, an alternative cryptocurrency, launched in 2014, that offers yet more security. Another emerging rival is Ethereum, a more sophisticated system seen by many as bitcoin’s successor.
But right now, bitcoin dominates. But even Baravalle is keen to point out that not everything about the currency is dark, nor was it intended for criminal use. “Most of the use is actually in the clean economy – or clean enough,” he says. And while the currency’s popular association, not least this week, is with crime, the potential and momentum it has to transform industries is, its proponents argue, enough to combat the bad PR.
“Every financial-services firm and beyond are recognising the potential of the underlying tech and are spending a lot of money to use it,” says Paul Gordon, founder of Coinscrum, a cryptocurrency networking event in London, and the founder and former chair of the UK Digital Currency Association. He points out that some studies suggest as little as 1% of bitcoin transactions take place on the darkweb. “I also think attitudes are changing,” he adds. “Two or three years ago, with an attack like this, the finger would be pointed at bitcoin, but I sense that’s not happening after this attack.”
Moores says part of the currency’s power is in its use as a speculative instrument for trading – a digital gold – but also as a way for companies to make payments more cheaply and perform other functions. IBM and the Danish shipping giant Maersk announced last month a new strategy to use blockchain, the digital database that records bitcoin transactions, to help manage and track worldwide shipping transactions.
For consumers, Gordon envisages bitcoin being used as the financial machinery behind popular services. Already, people wishing to send money abroad may use Abra, which uses bitcoin to make a traditionally expensive process faster and cheaper. “Users don’t touch the bitcoin directly,” he says. “Think of it as a raw tech with layers on top. People won’t know they’re using it, but they’ll know that the cost and speed of transactions will make what we use today look very out of date.”
But Gordon accepts that credibility issues are limiting bitcoin’s legitimate spread. Tax collectors don’t love its anonymity, apart from anything. “There’s a lot of work going on to build identification systems to run in parallel and when they come together with bitcoin it could make it more efficient but also more trusted and transparent than it is now,” Gordon says. He calls this the “holy grail”, when the cryptocurrency revolution really gathers steam. Even in the meantime, Gordon attributes the steep recent rise in the value of bitcoin to a growing trust in its potential – in spite of its popularity among criminals.
Despite the initial alarm he observed in 2009, Moore is similarly optimistic about the power of Bitcoin to change lives, and believes its momentum is irresistible. “You and I are probably unrepresentative of so many people in the world who may not have access to bank accounts and credit cards,” he says. “There will always be millions of people who need ways to transact outside the immediate control of large institutions.” Closer to home, he says his own daughter, who has just started working for a cybersecurity company, is ineligible for a credit card. “For her generation, bitcoin is something attractive.” His only regret about bitcoin is that he didn’t buy any in 2009. Six hundred dollars bought even as late as 2011, when the bitcoin achieved parity with the US dollar, would today be worth a million dollars.