
Good morning, BSides CT 2020. Good morning, how are you guys doing today? Our first talk for the red track today is by Chris Anti. I think you guys are really going to like this talk. He's going to talk about cryptocurrency, blockchain, and ransomware, and at the end of his talk he's going to bring it all together for you and make it all make sense, and you'll see where everything just meets up on these three different technologies. So let me bring Chris in now.

Can you guys see me and hear me? I can hear you, Chris. Thanks. Awesome, all right, take it away.

Okay, well, big thanks to the BSides Connecticut team for giving me the opportunity to speak. I think a positive of having these virtual conferences, especially during the global pandemic, is that people from other geographic areas are able to participate in conferences like this. I'm not located near the Connecticut or New England area, so I think it's really cool that I have this opportunity, so thank you for that. Let me share my screen.
Okay, give me one second, guys. So what I'm going to be talking about today is cryptocurrency and the evolving threat of ransomware. Thank you guys again for joining pretty early on a Saturday, but I think this topic is pretty interesting, so hopefully it'll keep you guys awake and involved and just interested in general. Just as a general disclaimer, the stuff I'll talk about in this presentation was research done of my own individual accord and on my own time. It's not representative of MITRE's views on the technologies or some of the different concepts that I'm talking about here, so I just wanted to lay that out there.
Quick intro about myself. I work for the MITRE Corporation as a cybersecurity engineer. If you're not familiar with MITRE, we are a not-for-profit that works in the public interest. That means working with the federal government, working with state and local governments, but also putting out public solutions for the general community to use, whether it be in infosec or information security, healthcare, or aerospace; we cover a bunch of different technology domains. My focus at MITRE is working on cyber threat intelligence, and some of you might be familiar with the ATT&CK framework. I believe there was also a workshop on this yesterday, if you guys had the chance to attend it; unfortunately I wasn't able to. If you're not familiar, ATT&CK stands for the Adversarial Tactics, Techniques, and Common Knowledge framework. It's basically a knowledge base of adversarial tactics and techniques that have been used in the wild by legitimate threat actors, whether nation states or cyber criminals, and it's really about building upon threat intelligence gathered from reporting and incorporating that into your own security posture, whether through red teaming, security operations, or defensive operations. There are a bunch of different use cases, and I could talk about ATT&CK for a while, but that's a little bit about my current position.

Some of my interests: like I mentioned, cyber threat intelligence; adversary emulation, which is combining red teaming plus threat intelligence from legitimate reporting on adversaries' techniques and putting that all together; industrial control systems and the Internet of Things; blockchain, hence why I'm talking about this specific topic; and cloud. Some of my previous roles include working as a technology consultant at IBM, where I worked with a lot of these new emerging technologies. That's actually how I got my start in blockchain, cloud, and DevSecOps, and I think the evolving nature of technology, and how it manages to become vastly different on a yearly basis, is really exciting; I think this is definitely the field to be in. Before my position at IBM, I worked as the program director of cybersecurity for the National Student Leadership Conference. This was a leadership conference for high school students, where I would teach both technical cyber skills and leadership skills, to get them excited about becoming eventual leaders in the field if this is something they did want to pursue down the line. I'm also pursuing a master's in applied intelligence, just to supplement and build upon my overall interest and passion around cyber threat intelligence and understanding adversary intent: the cultural context behind why certain cyber criminals, nation states, and hacktivists go about the actions that they participate in.

In my free time I love to play piano. You can see a picture here of my collection, and it shows a variety of different fandoms, or different media forms, I'm a fan of: Baby Yoda, Pikachu, and so on and so forth. The picture on the left is a picture of me attempting to birdwatch. Unfortunately I don't think in this specific picture I was able to see any actual birds, but it's something I've also picked up during quarantine, which is a pretty nice social-distancing activity. It's really relaxing to just get out there and enjoy the simple things in life, like birds. And then I'll tell this to everyone normally as my first icebreaker, but I'm heavily anti-pineapple on pizza. Feel free to discuss that with me after this presentation on Discord or shoot me a tweet; I'll share my contact info and we can have a discussion about that. Just know that I'm big anti-pineapple on pizza.

So I don't have an outline slide, but I'll talk about the general topics that will be covered in this presentation. First off, I'll start by talking about the general technology behind blockchain, how it operates, and some attacks on the blockchain; the history of ransomware, dating back to the early '90s and making its way to the present day,
and how some of the techniques for deploying ransomware, and just the way ransomware operates, have evolved throughout the past two decades or so. Then I'll compare different cryptocurrencies like Bitcoin and Monero, which is a privacy coin, a cryptocurrency that is focused on and has security and privacy built into it, and I'll explain the differences between those. Then towards the end I'll try to bring it all together and relate it back to our current situation and the stuff you should generally be wary about.

Another quick disclaimer: this presentation is not going to be me pitching any specific cryptocurrency. I'm solely going to be talking about the technologies and how cryptocurrencies are used by malicious actors, from a pretty high level. I won't dive too deep into any one specific topic, but hopefully you'll carry something away from this presentation and be able to give a quick elevator pitch if someone were to ask you, "Can you give me a quick primer on what blockchain is? I always hear about it on the news," or "How do I invest in cryptocurrency?" You won't learn how to invest in cryptocurrency, but you'll have a better understanding of what it is, why it's important, and why the general world is starting to really keep their eyes on it. It's been pretty popular, I'd say, for the past five years or so, but it's continuing to grow in popularity, and the technology has a lot of implications and useful use cases that, if used correctly, can definitely be beneficial to society in general. So, quick disclaimer there: no stonks.

So what is blockchain? A really simple way to think of it is that it's essentially a digital record, or a ledger. Ledger is the term that the blockchain security community likes to use, but it's essentially a digital record of transactions. I'm hesitant to call it a database, but it's essentially a record of all these different transactions, and what differentiates it from a traditional database are these key characteristics here.

The first one is immutability. Every time a transaction is added to a blockchain network, it can never be changed. That ensures integrity and just ensures that people operating on the blockchain don't do things they're not supposed to. Obviously there are caveats to this that I'll cover in a little bit, but generally blockchains are immutable.

Decentralization: the idea of a blockchain network is that people operate blockchain nodes, and that can just be a server that they're running in their house, a device running a specific blockchain node. If that specific node goes down, the blockchain network will continue to persist, ensuring that there's no single point of failure, rather than a centralized database sitting behind some bank payment system, where if a malicious actor takes down that database, that's a huge data breach and it would be very hard for that specific organization to recover because it was centralized in one location. So fault tolerance is really key to the concept of a blockchain network and it being distributed. Anyone can host a blockchain network, depending on the specific blockchain of course, but that falls in with the previous point about blockchain being decentralized.

Transparency: this is really important. With most blockchains, especially Bitcoin and other popular cryptocurrencies like Litecoin and Ethereum, you can go to a specific website, which we'll do later on in this presentation, and look at all the historical transactions and data that have occurred on the blockchain network. In the case of Bitcoin you can go back as far as 2009, download all the historical data, do a quick analysis of how transactions have changed, and examine the characteristics of the different transactions that have happened throughout the years.

And arguably the most important point is that blockchain is intended to be secure by using really complex cryptographic protocols. Again, there are caveats to this. I think a problem with a lot of non-technical users, or really people who don't understand blockchain, is that they assume blockchain is the end-all be-all solution to a back end, or that once they implement quote-unquote blockchain into their enterprise or their network or some application in some way, it will solve all their problems and they won't have to worry about it. Obviously, as security professionals, we know that's not the case. Honestly, in my opinion there's no perfect system (I'm not sure if other people have differing opinions), but considering the evolving technological landscape, there will never be a perfectly secure system, because of human error and, again, the evolving technological landscape.

So those are the key characteristics of a blockchain, and here's just a quick infographic of how it works. A user requests a transaction. That transaction is represented in a block. That block is then broadcast to the nodes that are hosting the blockchain network, so all the different servers and devices that are hosting that specific blockchain network. Those nodes then validate that transaction, and once that validation happens, the block is added to the chain, thus making a blockchain, and the transaction is confirmed and executed. So hopefully all of you now know just generally how a blockchain works and how transactions are added, and what I
just talked about is pretty much the same across all types of blockchains. There are nuances between different cryptocurrencies and different use cases, but in general that's how they operate.

Speaking of use cases, besides cryptocurrency there are some pretty significant use cases in the works right now in academia, research, and even industry that are trying to implement blockchain. The first one is digital identity: being able to prove who you are and making sure your identity isn't compromised in some way. Blockchain is a technology that could potentially help in bridging that gap between identification and making sure no more personal information is leaked out than necessary. Supply chain is another good use case: making sure all the parts, maybe the hardware components of a computer that you're trying to build, or any kind of hardware components along the supply chain, get to the place they need to and aren't tampered with or stolen. So supply chain is a very useful use case for blockchain right now. Health IT is similar to digital identity in a way: making sure that your health IT networks are secure, but also making sure that your personal health information doesn't get into the hands of people who shouldn't be seeing it on a health IT network. And then finances, of course, which brings us to cryptocurrency.

You might recognize some of the cryptocurrencies here. Let me see if I can do a laser pointer. Yeah, I can, awesome. This one right here is Bitcoin; you probably all recognize it in some capacity, you've seen it on the news or heard it talked about. This is Monero; this is the logo for Monero, the privacy coin I mentioned at the beginning of the talk. This is Ripple, Litecoin, Ethereum, and then Dogecoin, so you've probably seen this meme dog pretty often. These are some of the most popular cryptocurrencies. I'm not sure if this infographic is the one from May or if I updated it, but just know that generally these are the top 10 most popular cryptocurrencies at any time, and Bitcoin and Ethereum will essentially always be at the top.

Let's actually talk about some of the differences between cryptocurrencies like Bitcoin and Ethereum. With Bitcoin, a thing to keep in mind is that Bitcoin is really just an application of a blockchain network, and the purpose of Bitcoin is to serve as a digital currency platform, whereas something like Ethereum is built off blockchain, but Ethereum itself is an application platform. It's a competing platform that has cryptocurrency functionality. Ethereum's cryptocurrency is actually called ether, but the Ethereum platform allows robust applications to be built on the Ethereum blockchain, and one of the most important features of Ethereum is something called smart contracts, which allow users on the Ethereum network to execute certain business rules for their application. That's a really high-level way of putting it, but the way it's implemented allows users to add additional complex features that will only execute or modify transactions when a certain condition is met, and this is something that isn't offered in Bitcoin.

The consensus algorithm is how a bitcoin or an ether is collected. You might have heard of Bitcoin mining; that is essentially trying to solve really complex mathematical, cryptographic problems to be able to earn bitcoin, and at the point where it is now, Bitcoin mining is quite difficult. There are dedicated mining cities in China, you might have heard of this in the news, that are running 24/7 just trying to mine bitcoin. As it's grown throughout the years since its conception in 2009, it's become increasingly difficult to mine Bitcoin and Ethereum. Ethereum right now also works on the same consensus algorithm, but they're moving towards what's called proof of stake. A proof-of-stake protocol means that the more presence, or the more stake, for lack of a better term, that you have in the Ethereum network, the more mining power you'll have. So what does that mean? That means if you operate an Ethereum node, that gives you that much more ability to successfully mine Ethereum. This is still incredibly difficult, but it gives a little incentive for users in the community to help contribute back to cryptocurrency and blockchain in general, because it is so community driven, and blockchain really is dependent on its users from all around the world and all over the community. And just a quick thing: Bitcoin has a max supply of 21 million, so once 21 million bitcoin have been mined there will be no more bitcoin, whereas for Ethereum, or I should say ether, the cryptocurrency, there's no fixed supply.

So there are some specific cryptocurrency attacks, and they can be bundled into about three buckets. I want to say there are more categories than this, but in general these are some of the more popular and documented cryptocurrency attacks that have happened throughout the years. The first bucket is attempting to directly attack the blockchain network, and the first option here is called a Sybil attack.
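The block-by-block process described above (request, block, broadcast, validate, append) and the two properties the network-level attacks in this section rest on, hash-chained immutability and the longest-chain rule that lets whoever controls most of the hash power rewrite recent blocks, as an added toy implementation in Python. This is example code written for this page, not the speaker's code and not a real Bitcoin client: the difficulty target, the addresses ("alice", "merchant") and the transactions are made up, and chain selection is simplified to "longest valid chain" (Bitcoin compares accumulated work, which equals length only at constant difficulty).

```python
"""Toy proof-of-work blockchain (added example, not code from the talk).

Shows hash chaining, mining, validation, and the longest-valid-chain rule.
The difficulty, the addresses and the transactions are all made up.
"""
from __future__ import annotations

import copy
import hashlib
import json
from dataclasses import dataclass

DIFFICULTY = 3  # leading hex zeros required; tiny so a block mines in milliseconds


@dataclass
class Block:
    index: int
    prev_hash: str      # hash of the previous block: this link is the "chain"
    txs: list[dict]     # constructed {"from", "to", "amount"} records
    nonce: int = 0

    def hash(self) -> str:
        # Canonical JSON so identical content always yields the same hash.
        payload = json.dumps(
            {"index": self.index, "prev": self.prev_hash, "txs": self.txs, "nonce": self.nonce},
            sort_keys=True,
        ).encode()
        return hashlib.sha256(payload).hexdigest()

    def meets_target(self) -> bool:
        return self.hash().startswith("0" * DIFFICULTY)


def mine(block: Block) -> Block:
    """Proof of work: brute-force the nonce until the block hash is under the target."""
    while not block.meets_target():
        block.nonce += 1
    return block


def genesis() -> list[Block]:
    return [mine(Block(0, "0" * 64, [{"from": "coinbase", "to": "alice", "amount": 50}]))]


def append_block(chain: list[Block], txs: list[dict]) -> list[Block]:
    """Build the next block on the chain tip (broadcast and peer validation elided)."""
    prev = chain[-1]
    chain.append(mine(Block(prev.index + 1, prev.hash(), txs)))
    return chain


def validate(chain: list[Block]) -> bool:
    """A node's check: every block meets the PoW target and commits to its predecessor."""
    for i, block in enumerate(chain):
        if block.index != i or not block.meets_target():
            return False
        if i > 0 and block.prev_hash != chain[i - 1].hash():
            return False
    return True


def select_chain(*candidates: list[Block]) -> list[Block]:
    """Simplified Nakamoto consensus: among valid chains, the longest wins.
    (Bitcoin compares accumulated work; at constant difficulty that is length.)"""
    valid = [c for c in candidates if validate(c)]
    return max(valid, key=len)


def demo() -> bool:
    honest = genesis()
    append_block(honest, [{"from": "alice", "to": "merchant", "amount": 10}])
    append_block(honest, [{"from": "merchant", "to": "supplier", "amount": 4}])
    assert validate(honest)

    # Immutability: editing an old block changes its hash, so block 2's prev_hash no longer matches.
    tampered = copy.deepcopy(honest)
    tampered[1].txs[0]["amount"] = 1000
    assert not validate(tampered)
    # Re-mining block 1 restores its own PoW but cannot repair the dangling link from block 2.
    mine(tampered[1])
    assert not validate(tampered)

    # Majority-hashrate fork: the attacker builds a longer chain from genesis that omits
    # the payment to the merchant (double spend). It breaks no rule, so it is selected.
    attacker = [honest[0]]
    append_block(attacker, [{"from": "alice", "to": "alice_second_wallet", "amount": 10}])
    append_block(attacker, [])
    append_block(attacker, [])
    return select_chain(honest, attacker) is attacker


if __name__ == "__main__":
    print("attacker's longer chain accepted:", demo())
```

Running demo() shows the two sides of the coin: editing an old block breaks every later prev_hash link, even after the edited block is re-mined, while an attacker who can simply out-mine the honest chain never has to break any cryptography, because the fork is valid by every rule and merely omits the merchant's payment.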
The way a Sybil attack works is that it targets the entire blockchain network, but it's one individual or group operating under the guise of multiple blockchain or cryptocurrency addresses. From an outside perspective it may look like the addresses operating on the blockchain network belong to different individuals, but really it's one collective group or one individual who's trying to gain influence on that blockchain network. So that's a Sybil attack.

51% attack: this is similar to, and builds upon, the proof-of-stake protocol. This means that if you control 51% of the mining power on a blockchain network, theoretically you can influence the blockchain network to function in ways that it wasn't necessarily intended to. This would allow you to change historical transactions, modify transactions, and double spend. The concept of double spending is essentially buying cryptocurrency and doubling your money in a way that is not meant to be within the balance of the blockchain network. This is only doable on smaller or newer blockchain networks, and again this is theoretical, but a 51% attack is not feasible on a Bitcoin or Ethereum network, or Litecoin, one of the more popular blockchain networks.

A smart-contract-based attack is the next attack that is a direct attack on the blockchain network, and the most popular example of this was the Decentralized Autonomous Organization (DAO) attack. This was actually a vulnerability in the ether cryptocurrency, where the smart contract was susceptible to being exploited through its withdrawal feature: before that final confirmation from all the blockchain nodes operating on the Ethereum network, the malicious actor was able to pull out funds. I think it was something like a hundred million dollars' worth, in USD, of Ethereum that they were able to exploit out of the DAO attack, so pretty big stuff. That covers blockchain attacks.

The second bucket is cryptojacking. This is essentially turning devices in a network into tools that'll help you mine a specific cryptocurrency, so this involves maliciously taking over someone's desktop, laptop, or phone and adding them into a malicious mining network. Cryptojacking is quite popular as well.

And then ransomware. We're going to dive a little deeper into this, but ransomware in its simplicity is malware that will encrypt and lock your files until a certain financial amount is paid to the malicious actor that deployed the ransomware onto your account.

So let's talk about a brief history of ransomware and how it's evolved throughout the years. This screenshot is from 1991, and I want to bet that some of you probably didn't know that ransomware was around this early, or I guess the concept of
holding a ransom and deploying malware onto someone's device for a certain amount of money. This specific piece of ransomware is referred to as the AIDS or PC Cyborg ransomware. It was coined AIDS because this was mailed to, I believe, an AIDS research distribution mailing list, and PC Cyborg because that was the fake organization that the malicious actors would make these victims pay out the payment to. You can see the note here: full amount of $189 or $378. The way this would work was, once it made its way onto the victim's machine (and normally, like I mentioned, this was through a mailing list, so a typical spear-phishing or phishing attachment that would be clicked on by the victim), it would encrypt the C drive. This was Windows-operated malware; it would encrypt the C drive after 90 boots, and it would replace the batch script with the Trojan horse that would then load this message after 90 boots. So this is one of the first really popular instances of ransomware, but people kind of just dusted it off and went about their business, not really worrying about computer security or the idea of ransomware around this time.

Let's jump ahead quite a few years. I think this operating system is XP, I could be wrong, or 2003, but this ransomware is called Archiveus, and again it would operate very similarly to how normal ransomware works. It would load itself onto the victim machine, and you'd be prompted with a message to make a certain financial payment to a certain address, or a certain malicious actor. Keep in mind this could be in cash, this could be a check or money order, this could be in gift cards; at this time there were a variety of different methods and options that malicious actors would ask their victims to pay out their ransoms with. Again, this would encrypt the user's files, and you would be given the password after making the payment. Luckily, in 2006 the password to Archiveus was cracked, so if you're one of the unlucky souls to somehow get hit by Archiveus, or for some reason you're running Windows XP or Windows 2003 in a VM and you get hit by Archiveus, the password is easily googleable, or searchable (I don't know if googleable is a word), but you could easily search it up, paste it in, and you're free to go. But I hope you guys aren't running XP or 2003, unless you're trying to test your buffer overflows or something like that.

Moving on. Some of you might have come across this in your daily lives or your experiences throughout the years, but this is referred to as police ransomware. This ransomware would make its way to a victim's machine and operate under the guise of scaring you into thinking that the operator of the ransomware is from a legitimate federal agency. It's not specific to the US; this could happen across the globe in any specific country, and they could use the scare tactic of the federal government spying on you to coerce you into making a payment. They throw in all these different legal terms, 17 U.S. Code § 512, to make it seem very official and that the government is legitimately tracking what you're doing. "Collected technical data" is some of the information that they'll present back to you, like your IP address, your internet service provider, the operating system that you're using, and some of the things that you might be doing, even if you're not engaging in these things. Again, scare tactics to coerce you into making a payment. Keep in mind the federal government will never ask you to make payments like this, especially out of the blue and with scare tactics like this. In the infosec community we all basically know this at this point, but to help out our relatives and maybe those who aren't as keen on proper cyber hygiene and security practices, just be sure to brief them and let them know that if they come across something like this, not to fall for the tricks and the fancy emblems. You could literally just look up the NSA logo on Google, paste it on your image, and somehow it's officially NSA official. And then they throw the SWAT team in there too. Don't fall for this. I'm sure all of us are keenly aware of this, but again, proper cybersecurity and proper infrastructure in cyberspace really require all of us to share the wealth and share the information.

So this was police ransomware, and this specific version of police ransomware was called Reveton. A side thing to note: I think around July 2013 this was one that was pretty popular; the OS X version would use JavaScript iframes, and every time you closed a certain pop-up window another one would pop up. So it was really annoying when you got hit by Reveton, and you would be forced to run a hard reset on your computer, and when you opened it back up the ransomware would still be
there, and you'd fall back into the endless clicking war with the Reveton ransomware. So that must have been fun to deal with for whoever had to deal with this unfortunate situation. That's around 2013.

We're jumping a little ahead, to about modern times: CryptoLocker and WannaCry. You might have also seen these names in the news. CryptoLocker was the first ransomware that decided to switch its demands to bitcoin. This was around the September 2013 to May 2014 timeline, and there was a large international effort to take down the botnet that helped propagate CryptoLocker among all these different machines that were affected by it. Luckily, all the different private keys to unlock the CryptoLocker-affected machines were stored on the malicious actors' command-and-control server, so the international operation carried out by, I believe, Europol, the US Department of Justice, Interpol, all these different organizations collaborating together, was able to retrieve these private keys so those affected by CryptoLocker could unlock their computers once again.

Then jumping about three years to WannaCry, May 2017. This was huge. WannaCry affected a ton of out-of-band Windows devices that weren't properly patched, and the group that was behind WannaCry, the Shadow Brokers, utilized the NSA exploit EternalBlue. EternalBlue is an exploit targeted at SMB, the Server Message Block protocol, and this exploit worked on a ton of outdated Windows machines across the world. This obviously got Microsoft's attention, so Microsoft released out-of-band security updates for a lot of these machines, but at that time these machines were already affected by EternalBlue, so it was hard to recover from some of the damage that the Shadow Brokers had already done. This was attributed back to North Korea at some point. I also have August 2018 listed here as a date, because that was the most recent variant of WannaCry, which hit Taiwanese semiconductor manufacturing companies. And again, these are new demands, because they started to request bitcoin rather than your traditional check, cash, gift card, or money order, and cryptocurrency was growing in popularity at this time.

Taking a look at our timeline now, we're around 2018, and this is an infographic from IBM Security showing that during 2018 ransomware actually started to decline and cryptojacking, like I mentioned earlier in the presentation, started to increase in popularity, quite a lot actually; it increased pretty steadily throughout 2018. But despite ransomware's decline in 2018, I'm sure many of you are aware that ransomware has not gone away by any
means. If anything, it has blown up, especially in the past month or so. So, some of the new-age ransomware that will be covered. The first one is Ryuk, and some of you might have heard of Ryuk in the news, because it actually has been in the news pretty recently. There was a huge story around the TrickBot botnet, which would help propagate the Ryuk ransomware, and there were separate takedowns by both the Microsoft threat hunting team and US Cyber Command that worked to take down both TrickBot and Ryuk. Ryuk is in its own separate field as well, because it's also been largely targeting health IT networks. The most recent example I can think of was the takedown of the United Health Systems health IT networks, and it was very detrimental. This specific news headline, I believe, was from a couple of years ago, but this was when Ryuk was starting to get popular. The way it started to evolve is that ransomware traditionally would target individuals, but now it's starting to target actual critical infrastructure, like oil and gas facilities and hospitals, like I mentioned, and to target specific infrastructure like Active Directory. Active Directory is used in, I believe, 95% of enterprise IT networks around the world nowadays. So the version of ransomware nowadays is beginning to target more of these low-hanging fruit that are really beneficial and essential for individuals and normal businesses to go about their daily operations.

PureLocker is an interesting case, because the way this ransomware works is that it uses the programming language PureBasic, which is a fork of the BASIC programming language, one of the first really popular programming languages that some of you might have experience with. It's built off PureBasic, and that made it really difficult for AV and threat intel companies to detect at first, because PureBasic is so underutilized. It was pretty unusual that they would pick this specific technology, but it seemed to work in the malicious actors' favor at the time, so I thought that was worth noting.

And then there's Sodinokibi, or the easier way to say that is REvil. REvil and Ryuk fall into a family of ransomware that most of you, I'm sure, are familiar with: what's called ransomware as a service. The way ransomware as a service works is that it functions very similarly to a regular business model. These ads for RaaS are scattered all across the dark web, and once you come across an ad that's advertising RaaS, or just any general ransomware as a service, they're meant to be very easily deployed. You hire the specific threat actor, you tell them the target that you want them to send ransomware to, and it's very low effort on your end. These ransomware kits are scalable based on the package that you want to give the specific cyber criminal or threat actor that is willing to propagate and release this ransomware onto whoever you want to send it to. Don't go around doing that, but that's the mindset of malicious actors. These are some of the screenshots that you'll find for RaaS scattered across the dark web. Like I mentioned, they really will try to sell it with a market pitch, telling you that it's fully customizable, you'll get 50% off the decryption price, and it will tell you the different features that are offered with the different versions of ransomware as a service scattered across the dark web. An important thing to note about these ransomware families is that they really heavily emphasize the use of cryptocurrency. Bitcoin is really popular, but REvil specifically, going back a few
this specific ransomware suite started to recently make the switch to monero and again like i mentioned manero it's a privacy coin um but just keep down the back of your minds and that is definitely an important point that i will touch upon in a little bit so let's talk about the traceability and trackability of a bitcoin so like i mentioned blockchain in general is quite transparent and you can go on a um you know a website like blockchain.info and look at historical transactions that have happened throughout the longevity of the cryptocurrencies network in this case it's bitcoin and bitcoin is uh one of the most transparent there are definitely security features and different techniques that you can use to to limit
your traceability on the blockchain network, but in general you're able to pull out some pretty juicy information if you decide to start an investigation on maybe a Bitcoin address or a transaction that might look a little malicious to you, or a little suspicious, but you need a little more info, so you would come to a website like blockchain.info and start your investigation. So this is my pseudo demo; these are just screenshots. Clicking on this transaction hash right here will bring us to a summary of the transaction, so this Bitcoin address is sending about half a bitcoin, or 0.44 bitcoin, to this Bitcoin address, and blockchain.info and all these different blockchain tracing websites will give you the ability to look at the metadata and information of this specific Bitcoin address. Clicking on the 39vavs address, it'll tell us that two transactions took place: it received 0.44 bitcoin, but it also sent 0.44 bitcoin out of this address. So that's some of the information that you could pull out from a blockchain explorer from the get-go, but what if we wanted to learn a little more information about this specific Bitcoin address? We could go to bitcoinwhoswho.com and plug in this address to see if we can gain any more information on the specific Bitcoin address, whether it's been involved in some fraudulent scam, whether it's been spotted on the dark web. That's really the key feature of Bitcoin Who's Who: providing users the ability to manually update and generate reports of specific Bitcoin addresses that might seem malicious, or that they've had some bad interaction with, and Bitcoin Who's Who will flag that Bitcoin address as a scam or potentially malicious. So if we click on search here (I'm going to act like I'm clicking on the search button), this will give us more information than we were able to pull out from just the general transaction history searching website for this specific Bitcoin address. It tells us that it belongs to this wallet name. A cryptocurrency wallet is essentially where you store your cryptocurrency and send out cryptocurrency transactions, and normally individuals or groups that operate wallets will have multiple Bitcoin addresses associated with the wallet. Then there's wallet searching software out there as well; you could look up "blockchain wallet" or "bitcoin wallet searcher" on your favorite search engine and plug this wallet name into there as well. It'll tell you the current balance of this Bitcoin address, again how much it's received (I guess it doesn't show how much it's sent out, but it shows you how much it's received), the transactions that were sent out, how many transactions have happened
in general, the dates of the first and last transactions. A lot of good information for an OSINT investigator (open source intelligence), or really anyone just trying to probe around on the blockchain and collect more information. So that's Bitcoin Who's Who, kind of a theoretical way to do an investigation. If we were to do a specific use case: you guys might remember from a few months ago, former President Barack Obama generously gave people the option of sending a thousand dollars to this Bitcoin address, and because he's so gracious as a president, he was willing to double your payment back to you. So people sent this over, crossing their fingers and really just hoping that they would get back double the amount of their money. Lo and behold, this was a typical scam, the double-spending scam that some of you might be familiar with on video game platforms like RuneScape; this is a scam that's happened all throughout the video game industry. But with this specific incident it wasn't just Barack Obama's Twitter account that was compromised: Elon Musk's, and I believe Coinbase too, a variety of different high-profile Twitter accounts were compromised, but they all had this specific Bitcoin address. So for those who were interested, or just have a general interest in looking into cryptocurrencies, providing this Bitcoin address had these different Bitcoin investigators and cryptocurrency researchers foaming at the mouth; this is good information to start your investigation off of. So if we follow the same methods that we tried before, we'll plug this Bitcoin address into blockchain.info, and we see again the number of transactions that have happened. A lot of people fell for this Bitcoin scam, unfortunately; it received over 12 bitcoin, and if you do the conversions, I think bitcoin is about $15,000 USD right now, so this equals... I don't want to do that math in my head right now, but I think at the time 12.8 bitcoin equaled out to about 150,000 US dollars. A key thing to note as an investigator is that it also sent out the total amount that it received in bitcoin, so that tells us that the money is not persisting in this wallet. You'll see a final balance here, but that's really just the leftover cryptocurrency transaction fees that occur from transaction to transaction, so this is just arbitrary money at this point, but seeing this is really important. So as an investigator, or as an infosec professional, if we want to go deeper down the rabbit hole, we could see that this Bitcoin address, the Twitter Bitcoin address, sent it out to
these addresses, and we could follow down that money trail manually, and if we want to be organized we could use some kind of mind mapping software to keep track of Bitcoin addresses that seem interesting or seem like they can provide a little more information. But it's very easy to go down this intermingled web of different Bitcoin addresses, and the format of a Bitcoin address will confuse you if you decide to go down the specific rabbit hole of just manually clicking through the different transactions. There are commercial tools out there that will help you do this; obviously they're commercial, so you would have to pay for them, but there are different scripts on GitHub and different open source tools that'll also help automate and better organize your investigation, or just your general research if you want to look into a Bitcoin address. So what we can do from here is actually plug this Bitcoin address into Bitcoin Who's Who again, and if you notice, plugging in that Bitcoin address, the bc1 Twitter address, will redirect us to this Bitcoin address. This is obviously different, but a cool feature of Bitcoin Who's Who is that, because of its scam reporting functionality, it will help cross-correlate some of the information across these reports, and at some point they were able to associate this Bitcoin address with the original bc1 Twitter Bitcoin address. We're getting a lot of juicy information here: 57 transactions for this address. 57 is pretty high for a Bitcoin address in general; 400 for that Twitter Bitcoin address was very significant, but 57 is still worth noting. Now that we know that this address is associated with that original Twitter Bitcoin scam address (I'm saying "Bitcoin address" a lot), we could look at the other fields that Bitcoin Who's Who can give us and use these as pivot points for different research points that we could further go to. From here we can see that the first transaction actually happened on May 3rd, 2020, but the Twitter Bitcoin scam happened around this time frame, July 16, 2020. So this gives us a timeline of the malicious actors or the cyber criminals that were operating with this specific Bitcoin address; maybe at the time they weren't even specifically involved or planning on hacking Twitter, but this gives us a timeline of different transactions we can look into and start to fingerprint who this individual might be. Probably the most important part here is that it actually gives us IP addresses for the last transaction. I don't have a slide here for it, but if you plug this IP address, or both IP addresses actually, into some IP geolocator (I forget which one it is, but one of them), it redirects to the United Kingdom, and if you look up what happened, or the aftermath of the Twitter Bitcoin scam, it's actually found that of the Twitter Bitcoin scammers, there were three of them: one of them was operating in Florida, he was a 17 year old, and then the other two were, I believe, 20 or 21 year olds, but one of the older individuals was actually located in the United Kingdom as well. So a resource like Bitcoin Who's Who is really useful in identifying some of the key information like that. Again, it doesn't always give you information like the IP address, or when the first transaction or last transaction happened, or I should say it's not always useful: it might just be in the same day, or someone might use a Bitcoin address as an individual throwaway address and never use it again, but again there's a lot of information that we could use off of here for our research purposes, or for looking into the Bitcoin money trail. So actually, if we try to directly paste the Twitter Bitcoin address into Bitcoin Who's Who, unfortunately Bitcoin Who's Who doesn't process this specific format of Bitcoin address; I believe it's functionality that they're working to implement, but luckily, because of that cross-correlation from the past slide, we were able to get the information we needed to at least continue on with our research. So that generally covers, at a very high level, collecting open source intelligence on Bitcoin and how easy it is to gain really significant information and collect information that could be vital to either your research, your investigation, or just your general Bitcoin and cryptocurrency interests. I kept talking about Monero in the past, but let's actually dive a little deeper into it. If we were to attempt the same sort of methodology with Monero, TL;DR, you're not going to get the
same results. Again, Monero is a privacy coin; it has privacy features and security features built into its core, making it that much more difficult for investigators and researchers to trace and collect information on. So, pseudo demo again: if we click on, I believe it's this block hash, regardless, clicking on the address or the hash that's offered on moneroblocks.info (it's a similar blockchain searching website, like blockchain.info for Bitcoin), it'll give us transactions that really don't tell us that much information. It actually doesn't give us the output total. If we click on this transaction hash, again it really doesn't give us that much information, at least compared to Bitcoin, and there's not much we can really pull out of here. Again, this is because Monero has features that are built into its core to help ensure its confidentiality. There are two key features implemented right now, and then there's one that's actively being worked on. The first one is what's called stealth addresses. Every transaction, from an outside perspective, so if you go onto moneroblocks.info and you look at the transaction history, all those addresses are different; they're one-time addresses for the transactions, and the only ones who will know the legitimate addresses going from a receiver to a sender are the users participating in that transaction. So think of this as the end-to-end encrypted version of a transaction on a blockchain network, and Monero does this really well because of their stealth address functionality. Another key feature is what's called ring confidential transactions, or RingCT. These are built off the ring signature cryptographic protocol. I'm not a cryptography expert by any means, but in the use case of Monero this means that, from an outside perspective too, we saw that all the transactions were confidential, but if you were able to maybe get your hands on an amount, or some kind of cleartext amount for the funds being transacted between an address and another address, those funds will not be accurate, because there are randomized funds that are thrown into every transaction meant to obfuscate the actual transaction happening between the different individuals. And then Kovri: this is an active development feature that's incorporating a technology similar to Tor, so onion routing, and again this is just to ensure its security and privacy, which is so essential to the Monero network.

I'm running out of time, so I'm going to have to burst through these next few slides a little quickly. This is another use case, and it really shows the difficulty of tracking a Monero address. The US Department of the Treasury operates what's called the Office of Foreign Assets Control's Specially Designated Nationals and Blocked Persons List. That's a mouthful, but essentially they sanction certain individuals, both in normal fiat currency, so this is US dollars, and also cryptocurrencies, and you'll notice here that they've marked a Monero address, at least what they assume to be a Monero address, right here. But if we were to go to the same Monero blocks website, we'll actually see that this is a payment ID, not an address associated to an individual; these are arbitrary outside identifiers given to a transaction by the specific exchange that the individuals are operating on, or wherever they're sending Monero from, so sanctioning the payment ID essentially does nothing. This is really just to show how difficult it is to track Monero and point it back to a certain individual, and honestly, applause to the Monero team and Monero research team for putting that much effort into ensuring the security and privacy of individuals operating with Monero. But again, obviously there's a gray area, with cyber criminals now switching over to Monero and increasing their lack of traceability, I would say, making it that much more difficult for law enforcement to track them down, and they continue to operate with their illicit activities.

So this is my conclusion slide: why does this all matter in the time frame of COVID-19? We've been in
quarantine for about eight or nine months now, almost the entire year, working remotely, and not everyone has this luxury, but for the infosec world this is something that we have been blessed with. Working remotely definitely makes us more susceptible; we're on our devices constantly, and I think the human aspect definitely falls into this, because we're so used to being around our devices and our work laptops so often that we can kind of get complacent in terms of keeping up with our cyber hygiene. So this is more of just a reminder to be resilient and make sure you're practicing safe cyber practices. Discovery of insecure software: this was definitely key in the beginning of COVID-19. You might remember the Zoom vulnerabilities that were going around; TikTok, huge talks around security vulnerabilities there, just the general nature of the platform and who it's being operated by. Cyber crime has risen exponentially during COVID-19, especially in the past month. And then, just in general, digital currency in my view is definitely going to become one of the standards of the financial industry, whether it is decentralized or centralized. Certain governments around the world have started to implement a digital currency, but it is being operated by the government, so it's not necessarily blockchain based, it's not decentralized, but in general digital currency, virtual currency, will definitely become one of the norms as we go through these years. These are some of the resources that I recommend: there's a book dedicated to investigating cryptocurrencies, there's a podcast and video series dedicated to Monero and some of the vulnerabilities, and then just generally hunting cyber criminals. This is something I like to do in my free time, just doing open source investigations and participating in the Trace Labs missing persons capture the flag competitions; really cool stuff if you are not aware of that. But that being said, that brings me to the end of my presentation. Are there any questions? Here's my contact info: there's my email, my Twitter, feel free to follow me, and then my LinkedIn too, feel free to connect with me. But does anyone have any questions? Let me take a look.

"Does blockchain have a use case in voting and reducing voter fraud?" Yes, great question. Obviously from the beginning, blockchain, as an inherently secure platform, was proposed as a solution to ensuring electoral integrity and security, and honestly I don't know all the specific reasons, but in general blockchain is not only difficult to implement into an electoral system or voting system, but it becomes very muddled when it comes to being able to identify voters and ensuring that proper identifications and guardrails are in place to ensure that voter counts are not tampered with and are counted. I know that's kind of a non-answer, but blockchain is not the solution to election security. Shout out to the Cybersecurity and Infrastructure Security Agency team for providing the most secure election in American history; I think that is a big feat in itself, and they didn't have to use blockchain, so I think that's worth noting. But down the line, I think if they're able to find a more robust solution to implementing blockchain, I think it definitely could work. I think just some of the functionality and features of privacy incorporated into blockchain are a little difficult to deconflict when it comes to being able to identify voters and confirm that voters are legitimately registered with a certain system.

Other questions? "Actually there are still many": yes, that is very crazy. Point of sale systems, I'm sure you guys know, are big targets, so yeah, they're definitely susceptible to vulnerabilities, or like the archives ransomware, or even zero days that have been patched on modern day machines, but POS systems, like you mentioned, are pretty outdated. Manufacturing has plenty too.
Thanks Chris, shout out to another Chris. Yeah, so it doesn't look like there are any other questions. Chris, thank you very much, that was a very interesting talk. I really liked how you brought everything back at the end of your talk and made it all make sense for us; that was great. Yeah, thanks for giving me the opportunity to talk, had a good time. Yeah, you're welcome, and there is a channel in our Discord on the red team track for your talk, so maybe if you want to jump in there, you might have a couple of questions in there as well. Okay, sure. Thank you. Thank you, Chris.
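Editor's note, appended after the transcript. The Bitcoin tracing walk-through in the talk (per-address received versus sent, an address whose whole inflow was swept out again, following the outgoing spends of the Twitter scam address hop by hop instead of clicking through an explorer, and the bc1 address format the lookup site could not yet process) can be reproduced offline on a hand-built ledger. The code below is an added example and is not the speaker's code or any tool or website he mentioned. The transactions, addresses and txids are constructed placeholders, amounts are integer satoshis so balances are exact, and the victims' own prior funding is not modelled, so only the seed address and the addresses downstream of it are meaningful.

```python
"""Follow-the-money over a constructed Bitcoin-style transaction set.

Editor-added example, not the speaker's code. The ledger is constructed by hand
(placeholder addresses, hypothetical txids), not real chain data. Amounts are
integer satoshis. Address prefixes: "1" (P2PKH), "3" (P2SH), "bc1" (bech32).
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

SAT = 100_000_000  # satoshis per bitcoin


@dataclass
class Tx:
    txid: str
    block_time: str                  # ISO date, used for first/last seen
    inputs: List[Tuple[str, int]]    # (address, satoshis) being spent
    outputs: List[Tuple[str, int]]   # (address, satoshis) being paid

    @property
    def fee(self) -> int:            # miner fee = inputs - outputs
        return sum(a for _, a in self.inputs) - sum(a for _, a in self.outputs)


@dataclass
class AddressSummary:
    received: int = 0
    sent: int = 0
    txids: Set[str] = field(default_factory=set)
    first_seen: Optional[str] = None
    last_seen: Optional[str] = None

    @property
    def balance(self) -> int:
        return self.received - self.sent

    @property
    def is_pass_through(self) -> bool:
        # Everything that came in went out again: nothing persists here.
        return self.received > 0 and self.balance == 0


# Constructed ledger. Victims' funding inputs are not traced back, so their
# summaries go negative; only the seed and its downstream hops are meaningful.
SAMPLE_TXS = [
    Tx("tx01", "2020-07-15", [("1Victim1", SAT + 10_000)], [("bc1qScamSeed", SAT)]),
    Tx("tx02", "2020-07-15", [("1Victim2", SAT // 2 + 10_000)], [("bc1qScamSeed", SAT // 2)]),
    Tx("tx03", "2020-07-16", [("1Victim3", SAT // 4 + 10_000)], [("bc1qScamSeed", SAT // 4)]),
    # The seed sweeps its whole balance onward in one spend (10_000 sat fee).
    Tx("tx04", "2020-07-16", [("bc1qScamSeed", 175_000_000)],
       [("3Hop1", 100_000_000), ("3Hop2", 74_990_000)]),
    Tx("tx05", "2020-07-17", [("3Hop1", 100_000_000)], [("1ExchangeDeposit", 99_990_000)]),
    Tx("tx06", "2020-07-18", [("3Hop2", 74_990_000)],
       [("3Hop3", 30_000_000), ("3Hop2Change", 44_980_000)]),
    # Unrelated traffic that a trail from the seed must never pick up.
    Tx("tx07", "2020-07-18", [("1Unrelated", 5_000_000)], [("1Someone", 4_990_000)]),
]


def _touch(s: AddressSummary, tx: Tx) -> None:
    s.txids.add(tx.txid)
    s.first_seen = s.first_seen or tx.block_time
    s.last_seen = tx.block_time


def summarize(txs: List[Tx]) -> Dict[str, AddressSummary]:
    """Per-address received/sent/balance and first/last seen, as an explorer shows."""
    out: Dict[str, AddressSummary] = defaultdict(AddressSummary)
    for tx in sorted(txs, key=lambda t: t.block_time):
        for addr, amount in tx.inputs:
            out[addr].sent += amount
            _touch(out[addr], tx)
        for addr, amount in tx.outputs:
            out[addr].received += amount
            _touch(out[addr], tx)
    return dict(out)


def follow_money(txs: List[Tx], seed: str, max_hops: int) -> Dict[int, Set[str]]:
    """Breadth-first walk of outgoing spends from `seed`, up to `max_hops` hops.

    Returns {hop: addresses first reached at that hop}; hop 0 is the seed. An
    address is added only when funded by a spend from an address already on the
    trail, so unrelated traffic never appears.
    """
    spends_from: Dict[str, List[Tx]] = defaultdict(list)
    for tx in txs:
        for addr, _ in tx.inputs:
            spends_from[addr].append(tx)
    reached: Dict[int, Set[str]] = {0: {seed}}
    queue, seen = deque([(seed, 0)]), {seed}
    while queue:
        addr, hop = queue.popleft()
        if hop >= max_hops:
            continue
        for tx in spends_from[addr]:
            for dst, _ in tx.outputs:
                if dst not in seen:
                    seen.add(dst)
                    reached.setdefault(hop + 1, set()).add(dst)
                    queue.append((dst, hop + 1))
    return reached


def address_family(addr: str) -> str:
    """Prefix-only classification (no checksum validation). bech32 "bc1" is the
    format the talk's lookup site could not yet process."""
    if addr.startswith("bc1"):
        return "bech32"
    return {"1": "p2pkh", "3": "p2sh"}.get(addr[:1], "unknown")


if __name__ == "__main__":
    seed = "bc1qScamSeed"
    s = summarize(SAMPLE_TXS)[seed]
    print(f"{seed} ({address_family(seed)}): received {s.received / SAT} BTC, "
          f"sent {s.sent / SAT} BTC, balance {s.balance} sat, "
          f"pass-through={s.is_pass_through}, seen {s.first_seen}..{s.last_seen}")
    for hop, addrs in sorted(follow_money(SAMPLE_TXS, seed, max_hops=2).items()):
        print(f"hop {hop}: {sorted(addrs)}")
```

Against real data the same two functions would be fed transactions pulled from an explorer API; the walk stops at `max_hops` on purpose, because, as the talk says, the web of addresses grows fast and change outputs (3Hop2Change here) are indistinguishable from onward payments without extra heuristics.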