April 18, 2024

Hear Andy’s considerate commentary on cybercrime, legislation enforcement, anonymity, privateness, and whether or not we actually want a “battle in opposition to cryptography” – codes and ciphers that the federal government can simply crack if it thinks there’s an emergency – to cement our collective on-line safety.


PAUL DUCKLIN. Good day, all people.

Welcome to this very, very particular episode of the Bare Safety podcast, the place we’ve essentially the most superb visitor: Mr. Andy Greenberg, from New York Metropolis.

Andy is the creator of a ebook I can very enormously advocate, with the fascinating title Tracers in the Dark: The Global Hunt for the Crime Lords of Cryptocurrency.

So, Andy, let’s begin off…

..what made you write this ebook within the first place?

It appears fascinatingly difficult!

ANDY.GREENBERG.  Sure, properly, thanks, Paul.

I assume [LAUGHS]… I’m undecided if that’s a praise?

DUCK.  Oh, it’s, it’s!

ANDY.  Thanks.

So, I’ve lined this world of hackers, and cybersecurity, and encryption for about 15 years now.

And round, let’s see – I assume 2010 – I began engaged on a ebook, a distinct ebook, that was concerning the cypherpunk motion within the Nineteen Nineties…

…and the ways in which it gave rise to the trendy web, but in addition to issues like WikiLeaks, and different kinds of encryption, anonymity instruments, and in the end what we now name the darkish internet, I suppose.

And I’ve at all times been fascinated with the methods, on this beat, that anonymity can play this fascinating, dramatic function – and permit individuals to change into another person, or to disclose to you in secret to who they really are.

And as I dug into this cypherpunk world, round 2010 and 2011, I came across this factor that appeared to be a brand new phenomenon in that world of on-line anonymity – which was Bitcoin.

I wrote, I feel, the primary print journal piece about Bitcoin for Forbes journal in 2011.

I interviewed one of many first Bitcoin builders, Gavin Andresen, for that piece.

And Gavin and plenty of others on the time have been describing Bitcoin as a kind-of nameless digital money for the web.

You can really use this new invention, Bitcoin, to place unmarked payments in a briefcase, principally, and ship it throughout the web to anybody on the earth.

And, being the form of reporter I’m, I’m within the subversive and typically prison, typically politically motivated… I don’t know, the underhanded and darkish corners of the web.

I simply noticed how this might allow a brand new world of… sure, individuals in search of monetary privateness, but in addition cash laundering, and drug dealing on-line, and all of this that will come to go within the subsequent few years.

However what I didn’t foresee is that, ten years later or so, it could be by then obvious that Bitcoin is definitely the *reverse* of nameless.

I imply, that’s the large shock, and the large reveal.

For me, it was a form of slow-motion epiphany to grasp that cryptocurrency was really *extraordinarily* traceable.

It was the other of this “nameless money for the web” that many individuals as soon as thought it was.

And the consequence, I feel, was that it served as a form of lure for many individuals in search of monetary privateness… and criminals, over that decade.

And as I realised the extent of this… I absolutely realised it in 2020 or so.

I started, on the similar time, to see that this one firm, Chainalysis, a blockchain-analysis Bitcoin cryptocurrency tracing agency, was being venked in a single US Division of Justice announcement after one other in all of those main busts.

And so I began speaking to Chainalysis, after which to their prospects and legislation enforcement, and slowly realised that there had been this one small group of detectives that had figured this out a lot sooner than me.

They’d began really tracing Bitcoins years earlier, and had used this extremely highly effective investigative method to go on this spree of 1 large cybercriminal bust after one other…

…utilizing cryptocurrency as this shock lure that had been laid for therefore many individuals on the darkish internet, and within the cybercriminal world as a complete.

DUCK.  Now, I suppose we shouldn’t actually be shocked at that, ought to we, as you clarify within the ebook?

As a result of the entire concept, not less than of the Bitcoin blockchain, is that it’s, by design, totally and completely public and irrevocable.

That’s the way it can work as a ledger that’s equal to one thing that will usually be held privately and individually by your financial institution.

It doesn’t even have your identify on it, however it has a magic identifier that, as soon as tied to you, can’t actually be lower free…

…if there’s different proof to say, “Sure, long-hexadecimal-string-of-stuff is Andy Greenberg, and right here’s why.”

Now attempt denying it!

So, I feel you’re proper.

This concept that it’s *doable* to commerce anonymously with Bitcoin – I feel was taken by very many individuals to imply that it’s essentially nameless and ever-untraceable.

However the world is just not like that, is it?

ANDY.  I typically look again on my 2011 self, and in that piece for Forbes, I *did* write that Bitcoin was doubtlessly untraceable.

And I kind of scold myself, “How might you be such an fool?”

The entire concept of Bitcoin is that there’s a blockchain that information each transaction.

However then I remind myself that even Satoshi Nakamoto, the mysterious creator of Bitcoin (whoever he, she or they’re), of their first e mail to a cryptography mailing record introducing the thought of Bitcoin…

…listed amongst its options that individuals may be nameless.

That was a function of Bitcoin as Satoshi described it.

So I feel there’s at all times been this concept that Bitcoin, if it’s not nameless, not less than is pseudonymous, you can cover behind the pseudonym of your Bitcoin deal with, and that when you can’t work out someone’s deal with, you may’t work out their transactions.

I assume all of us ought to have recognized… I ought to have recognized, and perhaps even Satoshi ought to have recognized, that, given this large corpus of knowledge, there could be patterns in it that enable individuals to establish clusters of addresses that each one belong to at least one individual or service.

Or to observe the cash from one deal with to a different to seek out attention-grabbing giveaways on this large assortment of knowledge.

The largest giveaway of all is whenever you money in or money out at a cryptocurrency change that has Know-Your-Buyer [KYC] necessities, as virtually all of them do now.

They’ve your identification, so if someone can simply subpoena that change, then they’ve your precise driver’s licence in hand.

And any phantasm of anonymity simply utterly backfires.

So that’s the story, I feel, of how Bitcoin’s anonymity turned out to be the other.

DUCK.  Andy, do you assume, maybe, although, that there’s nothing improper with Satoshi Nakamoto saying, “You *can* be nameless whenever you use Bitcoin?”

I feel what’s improper is that plenty of individuals assume that as a result of expertise *can* allow you to do one thing that’s fascinating on your privateness, subsequently, *nonetheless you utilize it*, it at all times will.

And the unique concept of Bitcoin didn’t embrace exchanges, did it?

And so there wouldn’t be any exchanges that will take a replica of your driving licence if Bitcoin have been utilized in its unique kind of cypherpunk approach, so far as I can see…

ANDY.  Effectively, I actually don’t blame Satoshi for not predicting all the cryptocurrency financial system, together with the ways in which exchanges would interface with the standard finance world.

It’s all extremely complicated economics; Bitcoin was good sufficient as it’s.

However I do assume that it’s extra than simply, “You *can* be nameless with Bitcoin when you’re cautious, however most individuals are usually not cautious.”

It seems, I feel, that the likelihood, regardless of how sensible you might be, of utilizing Bitcoin anonymously is vanishingly small.

Additionally, there may be the property of blockchain *that it’s eternally*.

So, when you use the form of smartest concepts of the day to attempt to keep away from any of those patterns that reveal your transactions on the blockchain, however then somebody years later figures out a brand new trick to establish transactions…

…then you definately’re nonetheless screwed.

They will return in time, and use their new concepts to foil your cutting-edge anonymity tips from years earlier.

DUCK.  Completely.

With a financial institution fraud you may think about you *might* get fortunate, couldn’t you?

That simply whenever you’re about to be investigated, years later, you discover the financial institution’s had a knowledge safety catastrophe, and so they’ve misplaced all their backups and, oh, they’ll’t get well the information…

With the blockchain, that ain’t by no means going to occur! [LAUGHS]

As a result of all people’s obtained a replica, and that’s a requirement for the system to work because it does.

So, as soon as locked in, at all times locked in: it will probably by no means be misplaced.

ANDY.  That’s the factor!

To be nameless with cryptocurrency, you actually must be excellent – excellent all the time.

And to catch somebody who’s attempting to be nameless with cryptocurrency slipping up, you simply must be sensible, and chronic, and work on it for years, which is what, first, Chainalysis…

…really, first was tutorial researchers like Sarah Meiklejohn on the College of California at San Diego, who, as I doc the ebook, got here up with a variety of these methods.

However then Chainalysis, this startup that’s now virtually a nine-billion-dollar unicorn, promoting polished cryptocurrency tracing instruments to legislation enforcement companies.

And now, all of those legislation enforcement companies which have skilled Bitcoin tracers – their savvy, their know-how in doing this, is simply rising by leaps and bounds.

And I feel it’s virtually only a higher rule to say, “No, you can’t be nameless with cryptocurrency,” that it’s absolutely clear.

That’s a safer strategy to function, virtually.

To be honest, Satoshi Nakamoto stated individuals *can* be nameless… however it seems that the one participant who has *remained* nameless is Satoshi Nakamoto.

And that’s, partly, as a result of only a few individuals have that other-worldly restraint that Satoshi needed to amass one million Bitcoins after which by no means spend them or transfer them.

For those who do this… sure, I feel you may maybe be nameless.

However when you ever wish to use your cryptocurrency, or to place it in a liquid type the place you may spend it, then I feel you’re toast.

DUCK.  Sure, as a result of there are some superb issues which have occurred, considered one of which you allude to as a result of it was within the works simply on the finish of the ebook…

…[LAUGHS] what I name the Crocodile Woman and her husband: Heather Morgan and Ilya Liechtenstein.

Self-styled “Crocodile of Wall Road” arrested with husband over Bitcoin megaheist

They’re alleged to have one way or the other obtained a complete load of cryptocoins from a cryptocurrency financial institution theft in opposition to Bitfinex.

Of their circumstances, they obtained stolen cryptocurrencies in huge portions, in order that they might fairly actually have been billionaires *if they might have cashed it out*.

However when bust, they nonetheless had the overwhelming majority of that stuff sitting round.

So evidently, in a variety of cryptocurrency crimes, your eyes could be a lot larger than your abdomen.

It’s possible you’ll dwell the excessive life slightly bit… the Crocodile Woman and her husband, it does appear they have been residing fairly a flash life-style.

However after they have been bust, what was the quantity?

It was greater than $3 billions’ value of Bitcoins that they’d, however couldn’t money out.

ANDY.  The Division of Justice stated that they seized $3.6 billion from them.

That was the largest seizure not simply of cryptocurrency in historical past, however of cash within the historical past of the Division of Justice.

In truth, as I doc within the ebook… really, considered one of these occurred after the ebook, however the IRS prison investigators, who’re the primary topics of this ebook, have now pulled off the primary, second, and third-biggest seizures of cash in American prison justice historical past, by following cryptocurrency and seizing Bitcoins.

Your level is completely proper, which is that cryptocurrency is simple to steal, it seems… that’s, I feel, considered one of its large drawbacks for the companies, like exchanges, which have to carry typically billions of {dollars} in a form of digital protected.

However then when you do steal it, when you pull off considered one of these large heists – and two of the three of the circumstances that we’re discussing are literally individuals who stole cash from the Silk Street darkish internet drug market…

DUCK.  Sure [LAUGHS]… whenever you steal from a criminal, it’s nonetheless against the law, eh?

ANDY.  [LAUGHS] Sure, sadly – for these crooks, anyway.

DUCK.  Probably the most intriguing bits for me within the ebook was someone that you just establish as “Particular person X”, solely as a result of that’s the way in which they have been recognized by the courtroom.

This particular person had stolen 70,000 Bitcoins, and was busted, and principally gave them again… sort-of in return for getting let off.

They didn’t get prosecuted, they didn’t go to jail, they didn’t – I think about – even get a prison report.

And so they have been by no means named.

ANDY.  That’s proper.

DUCK.  In order that looks as if an virtually unreadable thriller, doesn’t it?

If we glance ahead just a few years, now that Bitcoin’s… what, within the final 12 months, it’s gone all the way down to a few third of its worth; Ether is all the way down to a few third; Monero is about half.

Do you assume that that gambit of claiming, “I’ll give the cash again, let me off” would have labored if the costs have been reversed, and what they have been handing again was now value a fraction of what it was when it was stolen?

Or do you assume that Particular person X was fortunate as a result of what they needed to hand again was really value way more than after they stole it?

ANDY.  I feel it’s the latter.

Particular person X stole that cash whereas the Silk Street was nonetheless on-line…

DUCK.  Wow!

So that will have been when BTC was, what, a whole lot [of dollars] then?

ANDY.  Sure, most likely, or hundreds at most – Silk street went offline in 2013, when Bitcoin had simply damaged via $1000, if I bear in mind.

This individual (I don’t wish to say “man” – who is aware of who Particular person X is?) sat on these 70,000 Bitcoins for seven years, in the end…

…most likely, precisely as you stated, simply terrified to maneuver them or money them out for concern of being caught.

DUCK.  Sure, are you able to think about?

“Hey, I’m a millionaire!”

“Hey, I’m a *billionaire*!”

“Oh, golly, however the place am I going to get my lease cash?”

[LAUGHS] Shouldn’t chuckle….

ANDY.  As you say – just like the hand caught within the cookie jar!

The hand simply will get larger and larger till it’s all-consuming, and you can not transfer it, you may’t get it out.

In truth, even with out attempting to get it out, IRS prison investigators discovered it via different means, together with the seizure of the BTC-e change, which was a kind-of money-laundering, prison Bitcoin change.

DUCK.  That was a rogue change that principally did as little as is humanly doable alongside the Know Your Buyer entrance?

“Ask no questions, inform no lies,” that form of factor?

Is that proper?

ANDY.  Sure, precisely.

That was one other shock for a lot of customers who believed that, “Possibly I can use BTC-e slightly bit and never get caught, as a result of that doesn’t have Know Your Buyer, that doesn’t co-operate with legislation enforcement.”

However, nonetheless, when that change was busted and its servers seized, that supplied extra clues to the IRS.

That helped, in reality, to determine who Particular person X was… I don’t know who they’re, however the authorities does.

And to knock on his or her door and say, “Hey, hand over a billion {dollars} otherwise you’re going to jail,” and that’s precisely what occurred.

Now, poor James Zhong is a really related case.

Silk Street medication market hacker pleads responsible, faces 20 years inside

He appears to have taken 50,000 Bitcoins from the Silk Street, most likely across the similar time, after which held onto them for even longer.

After which, a 12 months after Particular person X, Zhong obtained a knock on his door…

Equally, they’d traced the cash, though he had simply left it sitting on a USB drive in a popcorn tin beneath the floorboards of his closet.

In his case, he didn’t handle to make a deal one way or the other, and he’s being criminally charged.

DUCK.  *And* he has given the cash again, clearly?

[WRY LAUGH] Aaaargh!

ANDY.  He was a Bitcoin billionaire, and now could be going through prison expenses… and by no means obtained to even spend his loot.

The Bitfinex case, I don’t know… I’ve much less sympathy for them as a result of they really have been attempting to launder an enormous theft from a reputable enterprise.

And so they did, I feel, launder a few of it.

They tried a number of completely different intelligent methods.

They put the cash via…. I imply, that is all alleged, I ought to say; they’re nonetheless harmless till confirmed responsible, this couple in New York.

However they tried to place the cash via the AlphaBay darkish internet market as a form of laundering method, considering that will be a black field that legislation enforcement wouldn’t be capable to see via.

However then AlphaBay was busted and seized.

That’s maybe the largest story I inform within the ebook, essentially the most thrilling cloak-and-dagger story: how they tracked down the kingpin of AlphaBay in Bangkok and arrested him.

DUCK.  Sure… spoiler alert, that’s the place the helicopter gunships are available in!


Sure, and way more!

I imply, that story is without doubt one of the craziest that I’ll most likely inform in my profession…

However then, additionally, this New York money-laundering couple tried to place among the cash via Monero, a cryptocurrency that’s marketed as a privateness coin, a doubtlessly actually untraceable cryptocurrency.

And but, within the IRS paperwork the place they describe how they caught this couple in New York, they present how they continued to observe the cash, even after it’s exchanged for Monero.

In order that was an indication to me that maybe even Monero – this newer, “untraceable” cryptocurrency – is a bit traceable too, to some extent.

And maybe this lure persists… that even cash which might be designed to outstrip Bitcoin by way of their anonymity are usually not all they’re cracked as much as be.

Though I ought to say that Monero individuals hate it after I even say this out loud, and I don’t understand how that labored…

…all I can say is that it appears very doable that Monero tracing was utilized in that case.

DUCK.  Effectively, there may very well be some operational safety blunders that the Crocodile Woman and her husband made as properly, that form of tied all of it collectively.

So, Andy, I’d prefer to ask you, if I could…

Considering of cryptocurrency tokens like Monero, which as you say, is supposed to be extra privateness centered than Bitcoin as a result of it inherently, when you like, joins transactions collectively.

After which there’s additionally Zcash, designed by cryptography consultants particularly utilizing expertise recognized within the jargon as zero-knowledge proofs, which is not less than alleged to work in order that neither aspect can inform who the opposite is, but it’s nonetheless unimaginable to double-spend…

With all eyes on these way more privacy-focused tokens, the place do you assume the long run goes?

Not only for legislation enforcement, however the place do you assume it would drag our legislators?

There’s actually been a fascination for many years, amongst typically very influential parliamentarians, to say, “You already know what, this encryption factor, it’s really a very, actually dangerous concept!”

“We need backdoors; we want to have the ability to break it; someone has to ‘consider the kids’; et cetera, et cetera.”

ANDY.  Effectively, it’s attention-grabbing to speak about crypto backdoors and the authorized debate over encryption that even legislation enforcement can’t crack.

I feel that, in some methods, the story of this ebook reveals that that’s usually not crucial.

I imply, the criminals on this ebook have been utilizing conventional encryption – they have been utilizing Tor and the darkish internet, and none of that was cracked to bust them.

As a substitute, investigators adopted the cash and *that* turned out to be the backdoor.

It’s an attention-grabbing parable, and an excellent instance of how, fairly often, there’s a side-channel in prison operations, this “different leak” of knowledge that, with out cracking the primary communications, provides a approach in…

…and doesn’t necessitate any form of backdoor in Tor, or the darkish internet, or Sign, or exhausting disk encryption, or no matter.

In truth, talking of ‘considering of the kids’, one of many final main tales that I dig deeply into within the ebook is the bust of the Welcome To Video marketplace for youngster sexual abuse movies that accepted cryptocurrency.

And because of this, the IRS investigators on the centre of the ebook have been in a position to monitor down and arrest 337 individuals world wide who used that market.

It was the largest bust of what we name youngster sexual abuse supplies, by some measures, in historical past…

…all based mostly on cryptocurrency tracing.

DUCK.  And so they didn’t must do something that you’d actually contemplate privacy-violating, did they?

They fairly actually adopted the cash, in a path of proof that was public by design.

And in conjunction, admittedly, with warrants and subpoenas from locations the place the cash popped out, and the place web connections have been made, they have been in a position to establish the individuals concerned…

…and largely to keep away from trampling on thousands and thousands of people that had completely no reference to the case in any respect.

ANDY.  Sure!

I feel that it’s an instance of a strategy to do… it’s, in some methods, mass surveillance – however mass surveillance in a approach that nonetheless doesn’t require weakening anyone’s safety.

I assume that cryptocurrency customers, and individuals who consider within the energy of cryptocurrency for enabling activists, and dissidents, and journalists, and cash transmissions to nations like Ukraine, that want injections of cash for survival…

They might argue that, nonetheless, we have to repair cryptocurrency to make it as untraceable as we as soon as thought it may be.

And that’s the place we get into the brand new, I’d say *a* new, crypto-war over cryptocurrency.

We’re simply beginning to see the start of that with instruments like Monero and Zcash, as you stated.

I do assume that there’ll most likely nonetheless be surprises concerning the ways in which Monero may be traced.

I’ve seen a leaked Chainalysis doc the place they informed Italian legislation enforcement… it’s a presentation in Italian to the Italian police from Chainalysis, the place they are saying that they’ll hint Monero, within the majority of circumstances, to discover a usable lead.

I don’t understand how they do this, however it does appear to be it’s probabilistic greater than definitive.

Now I don’t assume lots of people perceive – that’s usually sufficient for legislation enforcement to get a subpoena, to begin subpoenaing cryptocurrency exchanges, simply based mostly on a probabilistic guess.

They will simply verify each risk, if there are just a few sufficient of them.

DUCK.  Andy, I’m acutely aware of time, so I’d like to complete up now by simply asking you one ultimate query, and that’s…

In ten years’ time, do you see your self being able the place you’ll be capable to write a ebook like this one, however the place the “unravelling” elements are much more fascinating, difficult, thrilling, and superb?

ANDY.  I attempted, with this ebook, *not* to make too many predictions.

And, in reality, the ebook begins with this “mea culpa” that ten years in the past I believed precisely the improper factor about Bitcoin.

So no one ought to take heed to any ten-year prediction that I’ve!


However the easiest prediction to make, that *has* to be true, is that this cat-and-mouse sport will nonetheless be occurring in ten years.

Individuals will nonetheless be utilizing cryptocurrency considering that they’ve outsmarted the tracers…

…and the tracers will nonetheless be developing with new tips to show them improper.

The tales, as you say, will, I feel, be way more convoluted as a result of they’ll be coping with these cryptocurrencies like Monero, that construct in huge mix-networks, and Zcash, which have zero-knowledge proofs.

However it does appear that there’ll at all times be a way – and perhaps not even cryptocurrency, however in another aspect channel… as I used to be saying, there can be a brand new one which unravels the entire thing.

However there’s no query that this cat-and-mouse sport will go on.

DUCK.  And I’m certain there’ll be one other Tigran Gambaryan someday sooner or later so that you can interview?

ANDY.  Effectively, I do assume the sport of anonymity…

…it does favour the Tigran Gambaryans of the world.

They, as I stated, simply must be persistent and sensible.

However the mice on this cat-and-mouse sport must be excellent.

And nobody is ideal.

DUCK.  Completely.

ANDY.  So, if I do must make a prediction…

…then I’d simply place my wager on the cats, on the Tigran Gambaryans of the world.

DUCK.  [LAUGHS] Andy, thanks a lot.

Earlier than we go, why don’t you inform our listeners the place they’ll get your ebook?

ANDY.  Sure, thanks, Paul!

The ebook known as “Tracers within the Darkish: The World Hunt for the Crime Lords of Cryptocurrency.”

[ISBN 978-0-385-54809-0]

And it’s obtainable in any respect the traditional locations books are offered.

However when you go to https://andygreenberg.net/, then you may simply discover hyperlinks to a bunch of locations.

DUCK.  Andy, thanks a lot on your time.

It was as fascinating speaking to you and listening to you because it was studying your ebook.

I like to recommend it to anyone who desires a galloping learn that’s nonetheless detailed and insightful about how legislation enforcement works…

…and, importantly, why prison convictions for cybercrimes usually solely occur years after the crime occurred.

The satan actually is within the particulars.

ANDY.  Thanks, Paul.

It’s been a super-fun dialog.

I’m simply glad you loved the ebook!

DUCK.  Glorious!

Due to all people who listened.

And, as at all times: Till subsequent time, keep safe!