A bitcoin how-to for hapless hackers
First, we'd better explain bitcoin. It's a crypto-what?
Bitcoin is what's called a cryptocurrency. There are pictures of bitcoin, but they don't physically exist. You couldn't bite on one to test its value, as you might if you were a cartoon cowboy. The coins are "mined" using computers, and yet they don't get spat out like the winnings at a casino. They are data, strings of code. The "crypto" in cryptocurrency refers to the use of cryptography to secure a currency and protect the privacy of those who use it. If you're in law enforcement, protecting privacy is good and bad - bad when it concerns criminals like ransomware hackers. After all, you'd want to bring them to book, but you can't if you don't know their identities. Fortunately, cryptocurrencies, as with most technologies, are imperfect.
Cryptography is often used to keep secrets. But when it comes to bitcoin, it's more about transparency, making every transaction traceable. It's one reason why governments love cryptocurrencies. They would like to adopt some of the underlying technology in everyday financial operations. But governments also loathe cryptocurrencies. While the transactions are traceable, the people making the transactions might not be - they may hide behind fake names or use sophisticated digital clearing houses to wash dodgy earnings.
Cryptocurrencies are an "underground" technology thought to be largely used by nefarious characters either holding unsuspecting people to ransom or dealing drugs. Oh, and no one's paying tax on that, so that's a big no-no, too.
Forget tax for a minute. I can use cryptocurrencies to buy stuff?
Yes, some things you might "need" and other things you'd do better without. As with "real" physical cash - those grotty banknotes and coins we love to lose down the cracks of sofas - a cryptocurrency is a form of payment. It's used digitally - on the internet - for buying anything from drugs to guns and porn on the darknet, or what famously became the most expensive pizza ever (it cost 10,000 bitcoins in 2010, worth $7 million, or 6.3 million euros, three years later).
The darknet, or deep web as it's also known, is not only frequented by criminals. It's also used by investigative journalists and activists, for instance, who need to communicate anonymously. And they might buy stuff, too.
But it's only on the internet?
Well, you can export your bitcoin for "hard cash" in the real world, the same as with a PayPal account. But why bother exporting bitcoin when pubs and cafes in Berlin will accept it as legal tender via a smartphone? On the other hand, if you were a ransomware hacker and you'd made a killing, you definitely would want to export your wad. To paraphrase Damian Lewis' character in the TV show "Billions," how else could you rub it in people's faces?
The problem is exporting your cryptocurrency leaves you more traceable than you might like, especially if you are dealing in criminal activities. Your cash will have to go somewhere - a bank account or credit card - and even if you've stolen a batch of credit card numbers, you'll want to spend it somehow. And that won't go unnoticed. Ransom-hackers beware!
So is bitcoin an über-currency, like euros and dollars?
Not quite. There are at least 100 different cryptocurrencies, including newcomers Ethereum, Zcash and TCC (The Champ Coin). Bitcoin just happens to be one of the better known ones. Perhaps that's to do with the mystery surrounding its inventor, Satoshi Nakamoto. People still ask whether Nakamoto ever existed. The name is a pseudonym, so much is clear, but who is behind it? Is it a man or a woman, an individual, or a group of people, whose make-up constantly evolves? Occasionally, pretenders like Australian Craig Wright pop up, claiming the title, but the issue has never been settled, and it probably doesn't even matter.
The fact is that bitcoin - while far from mainstream - has been relatively influential and credited with a general drive towards a "cashless society." That's in part due to its use of "blockchain" technology.
Sorry, what? Blockchain?
Blockchain refers to a handful of technologies in one. For instance, a blockchain might use a "hash chain" to create a "tamper evident" log, as researcher Andrew Miller told DW in a 2016 interview. That means that whenever a piece of information in the chain is altered, there's a log of that. A lot of cryptocurrencies do that.
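To make the "tamper evident" idea concrete, here is an added example (not from the article or from Miller) of a minimal hash-chained log in Python. The entry layout, names and sample transactions are constructed for illustration, and it is a simplification, not bitcoin's actual block format.

```python
import hashlib
import json

GENESIS = "0" * 64  # constructed starting value for the first link


def entry_hash(prev_hash: str, payload: dict) -> str:
    """Hash an entry together with the hash of the entry before it."""
    body = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()


def append(log: list, payload: dict) -> None:
    """Add a payload to the log, linking it to the current last entry."""
    prev_hash = log[-1]["hash"] if log else GENESIS
    log.append({"prev": prev_hash, "payload": payload,
                "hash": entry_hash(prev_hash, payload)})


def first_bad_entry(log: list, trusted_head: str):
    """Return the index of the first entry that fails verification,
    len(log) if the chain is self-consistent but its head differs from the
    trusted copy (truncation or wholesale rewrite), or None if all is well."""
    prev_hash = GENESIS
    for i, entry in enumerate(log):
        if entry["prev"] != prev_hash:
            return i
        if entry_hash(prev_hash, entry["payload"]) != entry["hash"]:
            return i
        prev_hash = entry["hash"]
    return None if prev_hash == trusted_head else len(log)


def build_sample_log() -> list:
    """Constructed sample ledger entries (not real transactions)."""
    log = []
    for payer, payee, amount in [("alice", "bob", 5), ("bob", "carol", 2),
                                 ("carol", "dave", 1)]:
        append(log, {"from": payer, "to": payee, "amount": amount})
    return log


if __name__ == "__main__":
    log = build_sample_log()
    head = log[-1]["hash"]                 # kept where an editor cannot reach it
    print(first_bad_entry(log, head))      # None
    log[1]["payload"]["amount"] = 200      # edit one entry in place
    print(first_bad_entry(log, head))      # 1
```

The check only has teeth if the latest hash is held somewhere the person editing the log cannot change; a decentralized ledger achieves that by having many independent parties keep a copy.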
Bitcoin, however, was the first to introduce a decentralized, public ledger. The bitcoin ledger is anonymous, up to a point.
"It's pseudonymous," said Miller. "You don't have to register with your real name, but your transactions are generally linkable […] unless you take special measures to 'mix' your transactions."
Hey, I'm a ransomware hacker. Tell me more about these special measures!
Well, it's not that we'd like to encourage any criminal activity. But say you had some "tainted" bitcoins. You could use a clearing house or bitcoin mixing service, like CoinMixer. As they write on their website: "[It] severs the links between your old address and a new address by sending coins from you to other people and coins from them to you. It also randomizes transaction amounts and adds time delays to the transactions. Generally there is no link between the original transactions and the final address of the coins."
But, surely, crime ain't as easy as that?
Nope. If there's honor among - or about - thieves, and you're using technology for your heist, then make sure you know what you're doing, especially on bitcoin. Put another way: If you say you'll hand over the goods when people pay, make sure you know how. Don't do like the WannaCry attackers.
Matthew Hickey, a cyber security expert and director of Hacker House in London, says the code behind the WannaCry attack suggests "an amateurish behavior."
The attackers seem "unable to handle an attack of this scale," Hickey told DW.
There are two main elements in a ransomware attack. There's the ransomware, which is the actual payload, the thing that does the dirty work, and a worm, which is the "delivery vehicle." And it's possible, says Hickey, the two elements of WannaCry were written by two different authors who had different motivations. "This attack may not have been financially motivated," he said.
But that is having a second impact on anyone who decides to pay the ransom of $300. First you're hit and your computer is blocked. All your files are encrypted, rendering them useless to you. So you pay to have your files decrypted and set free. The problem is the attackers have no way of automatically knowing who has paid. They could have assigned each payer a unique bitcoin address, rather than what they have done, which is to ask for payments to go to one of only four bitcoin addresses. All payments are lumped randomly together.
"They could have tracked payments to unique infections," said Hickey, "but instead a human - one of the attackers - has to manually press a button and send the decryption key, which would be overwhelming."
And that seems like a lot of hard work for a spot of easy money.