Recent developments in the Colonial Pipeline hack have demonstrated both the volatility of Bitcoin and, to a degree, the ability to chase those funds when you have enough resources to do so. It has been reported that U.S. law enforcement was able to trace and seize a substantial part of the ransom that was transferred to DarkSide, through the breach of a cryptowallet. Reported figures for the final amount vary, partly because of the nature of the recovery and partly because of the change in the value of Bitcoin since the initial payment.
This has generated some issues for cybercriminals who have historically been reliant on the cryptocurrency, driving them to adopt alternative forms of cryptocurrency. It may have also piqued victims’ interest regarding the possibility of tracing and retrieving the substantial amounts they have paid to a threat actor group to recover their systems and to ensure deletion of data.
From a UK perspective, we have also seen the success of a proprietary injunction to seize Bitcoin following the payment of a ransom in AA v Persons Unknown. In that case, a Canadian insurance company brought an application in private, and in part without notice, in relation to nearly $1m that it had paid in Bitcoin as a ransom following a ransomware incident. This followed a painstaking process to identify the Bitcoin as it moved through wallets and exchanges, eventually coming to rest at the cryptoasset exchange Bitfinex.
These recent developments have created challenges for both Insurers and cybercriminals, and specifically a greater focus on alternative forms of cryptocurrency which allow criminals to obfuscate their activities.
Bitcoin transactions are recorded on a public ledger, visible to any user and offering little real anonymity; the real challenge is associating a particular wallet with an individual. Bitcoin has been the preferred cryptocurrency for cybercriminals for many years. For every transaction on the Bitcoin blockchain, the origin, destination, wallet and amount can all be reviewed.
This degree of public visibility allows specialists to trace Bitcoin payments as they move, up to the point where they are transferred out into an alternative currency, or the funds are split and mixed so many times that they become impossible to trace. More recently, however, that tracing has become less of a challenge.
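The tracing described above, in the form of an added example that is not part of the original article: a forward "follow the money" pass over a constructed, simplified ledger (not real chain data), attributing the ransom proportionally through each hop until it reaches a labelled exchange deposit address or is diluted by a mixing transaction with clean inputs. The transaction ids, addresses and exchange labels are all constructed for illustration.

```python
from collections import defaultdict

# Constructed sample ledger in chain order (not real blockchain data).
# Each input is (address, value spent); each output is (address, value received).
LEDGER = [
    {"id": "tx1", "inputs": [("ransom_addr", 100.0)],
     "outputs": [("hop1", 60.0), ("hop2", 40.0)]},
    {"id": "tx2", "inputs": [("hop1", 60.0)],
     "outputs": [("exch_dep_A", 59.9)]},                      # 0.1 lost to miner fee
    {"id": "tx3", "inputs": [("hop2", 40.0), ("clean_x", 50.0), ("clean_y", 50.0)],
     "outputs": [("mix_out1", 50.0), ("mix_out2", 50.0), ("mix_out3", 40.0)]},  # mixing step
    {"id": "tx4", "inputs": [("mix_out1", 50.0)],
     "outputs": [("exch_dep_B", 50.0)]},
]
# Constructed attribution labels, of the kind an analyst maintains for known deposit addresses.
LABELS = {"exch_dep_A": "Exchange A", "exch_dep_B": "Exchange B"}


def trace_taint(ledger, labels, source, amount):
    """Follow `amount` paid to `source` forward through the ledger.

    Uses proportional ("haircut") attribution: when a transaction mixes
    tainted and clean inputs, every output carries the same tainted
    fraction as the inputs as a whole. Returns {address: (label, tainted_btc)}
    for every address still holding tainted value at the end of the ledger.
    """
    taint = defaultdict(float)
    taint[source] = amount
    for tx in ledger:  # chain order, so each input's taint is final when it is spent
        total_in = sum(v for _, v in tx["inputs"])
        tainted_in = sum(min(taint[a], v) for a, v in tx["inputs"])
        if tainted_in == 0:
            continue  # nothing we are following is spent here
        fraction = tainted_in / total_in
        for a, _ in tx["inputs"]:
            taint[a] = 0.0            # value has moved on from these addresses
        for a, v in tx["outputs"]:
            taint[a] += v * fraction  # fee disappears pro rata with the rest
    return {a: (labels.get(a, "unattributed"), round(t, 4))
            for a, t in taint.items() if t > 0}


if __name__ == "__main__":
    for addr, (label, btc) in trace_taint(LEDGER, LABELS, "ransom_addr", 100.0).items():
        print(f"{addr:12s} {label:14s} {btc:8.4f} BTC tainted")
```

Of the 100 BTC paid, 59.9 reach Exchange A intact, about 14.3 reach Exchange B, and the remainder sits in unattributed mixer outputs where the tainted share has already been diluted to under 30%.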
Due to the perceived risks of using Bitcoin, our own experience has seen threat actor groups such as REvil move towards an alternative currency, Monero. The privacy features built into Monero obfuscate all details of a transaction, including origin, destination and amount, which makes it far harder to trace.
As a consequence, threat actors are now charging a premium for the ‘risk’ associated with payment in Bitcoin and its traceability, often offering discounts of close to 20% for payment in Monero instead. The practical implications of this move have the potential to substantially affect the Insured given: (i) the regulatory concerns with Monero, whose illiquidity makes it harder to obtain; and (ii) the anonymity of Monero, which impairs the ability to apply the relevant sanctions checks before funds are transferred to a threat actor.
In order to pay any form of ransom, the victim and/or their Insurers need to be satisfied that they are not paying a sanctioned entity or an associated Bitcoin wallet. The issue with Monero is that it is much harder to know who is being paid, which makes Insureds and Insurers more fearful of non-compliance with the sanctions regimes. The due diligence that can be performed will be limited.
However, this is not the first time we have seen a switch to Monero. Readers may recall that the WannaCry Bitcoin was converted to Monero in 2017, and Sodinokibi (associated with REvil) was reported last year to be moving exclusively to Monero. The recent developments show the cyber race that we are in: one step forward for victims in Bitcoin recovery, and one step towards an untraceable altcoin for the threat actors. The excitement around AA v Persons Unknown and the Colonial Pipeline may be short lived for ordinary cyber victims, as they do not have the resources to recover Bitcoin, a process which is both costly and not without risk. If there is an uptick in the proactive recovery of Bitcoin, we may see more organisations move further into the darkness of cryptocurrency.