Ransomware: how do we track the profits of cybercriminals?
Cybercriminals are mostly paid ransoms in Bitcoin. The transparency of the blockchain makes it possible to follow transactions and financial movements after payment. This monitoring is essential in the fight against cybercrime and money laundering.
By Valéry Rieß-Marchive, Editor-in-Chief
Published on: Jan 25, 2023
In mid-January 2023, the activity of the Bitzlato exchange platform was interrupted by law enforcement. Six people were arrested and more than 16 million euros in assets were seized in the process, the result of an investigation opened in September 2022 by the Paris prosecutor's office. A surprise? Not really.

Cybercriminals are not lacking in inventiveness when it comes to covering their tracks. They are also looking to move away from Bitcoin in favor of other cryptocurrencies, with more or less success, in particular because investigators are increasingly experienced at monitoring financial movements in bitcoin. And the examples illustrating this keep multiplying. But how is it done in practice?

Transparent transactions
The editorial staff of LeMagIT did it itself, in 2021, to follow the activity of the Avaddon and Conti groups, relying on tools accessible to everyone as well as on those of Crystal Blockchain, starting with its explorer, which is free to use with some limitations.

Figure: Crystal Blockchain tools allowed us to trace financial flows to probable ransom payments (source: Crystal Blockchain).
Transactions recorded in the Bitcoin blockchain can be viewed by anyone. They are public, and this traceability is one of the key characteristics of this blockchain.

In practice, there is no shortage of tools and services for this. But most are severely limited: they let you see what has been received at a Bitcoin address and what has left it, or at most the details of a single transaction.

Figure: history of activity associated with a Bitcoin address (source: OTX.ME).
This data falls far short of what is needed to track financial flows and truly monitor the activity of cybercriminals. Other tools, graph-based ones, go further. One of those offered by Learnmeabitcoin, for example, lets you look for connection points between Bitcoin addresses. Problem: some of those points may be nothing more than trading platforms, which is not enough to draw the slightest conclusion about the activity of cybercriminals. However, their very large number of transactions makes it possible to identify them and set them aside.

Some addresses of significant interest may therefore emerge, because they reappear frequently but without displaying thousands of transactions on the counter. Long before the leaks that affected the Conti group, we were able to identify the address 1AXiwETqqQoA52Jk5CmJkbAPuW8nR7VUYz, attributed, since the famous Conti Leaks, to Stern. ClearSky Security and Whitestream had also spotted it, along with another address: 1NhNuPogvydJWfTGVp41Rgghqw8MNMjTh3.

Figure: search for connections between Bitcoin addresses (source: Learn Me A Bitcoin).
Some addresses stand out as being used for consolidation purposes: portions of ransoms paid following cyberattacks regularly end up there, whether they are intended for a trustee or for a franchise operator. Once these addresses have been identified, the exercise consists of going back in time to identify the transactions that fed the address and are likely to have corresponded to ransom payments.

Since the patterns by which earnings are distributed between franchise operators and trustees are known more or less precisely, old payments can then be identified. It is also possible to estimate whether an address is used by a franchise operator or by an affiliate.
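The triage described above, as an added illustration that is not code from LeMagIT or from any of the tools named: index a ledger, set aside exchange-scale addresses by transaction count, keep addresses that are fed repeatedly, and walk back from transactions whose outputs match a known operator/affiliate split. The ledger, every address and the 30/70 split ratio are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample ledger: (txid, inputs, outputs), amounts in BTC.
# All addresses are placeholders. "exch_hot" mimics an exchange wallet,
# "op" a suspected operator consolidation address, "aff*" affiliates.
TXS = [
    ("t1", {"victim1": 10.0}, {"split1": 10.0}),
    ("t2", {"split1": 10.0}, {"op": 3.0, "aff1": 7.0}),    # 30/70 split
    ("t3", {"victim2": 20.0}, {"split2": 20.0}),
    ("t4", {"split2": 20.0}, {"op": 6.0, "aff2": 14.0}),   # 30/70 split
    ("t5", {"victim3": 5.0}, {"shop": 5.0}),
    ("t6", {"shop": 5.0}, {"merchant": 4.0, "op": 1.0}),   # 80/20: not the pattern
] + [(f"e{i}", {f"user{i}": 1.0}, {"exch_hot": 1.0}) for i in range(300)]

OPERATOR_SHARE = 0.30  # assumed operator share; a real case uses the known ratio

def index_ledger(txs):
    """Return (transaction count per address, incoming transactions per address)."""
    count, incoming = defaultdict(int), defaultdict(list)
    for txid, ins, outs in txs:
        for addr in list(ins) + list(outs):
            count[addr] += 1
        for addr in outs:
            incoming[addr].append((txid, ins, outs))
    return count, incoming

def likely_exchanges(count, threshold=100):
    """Addresses with a very large transaction count are most likely exchanges."""
    return {a for a, n in count.items() if n >= threshold}

def consolidation_candidates(incoming, exchanges, min_in=2):
    """Addresses fed repeatedly, but without exchange-scale volume."""
    return {a for a, txs in incoming.items() if len(txs) >= min_in and a not in exchanges}

def matches_split(outs, share=OPERATOR_SHARE, tol=0.02):
    """True if one output equals the known operator share of the total sent."""
    total = sum(outs.values())
    return total > 0 and any(abs(v / total - share) <= tol for v in outs.values())

def probable_ransom_payments(addr, incoming):
    """Walk one hop back from each split-pattern tx feeding addr to its source."""
    found = []
    for _txid, ins, outs in incoming[addr]:
        if not matches_split(outs):
            continue
        for split_addr in ins:
            for src_txid, src_ins, src_outs in incoming[split_addr]:
                found.append((src_txid, sorted(src_ins), src_outs[split_addr]))
    return sorted(found)
```

Running `probable_ransom_payments("op", index_ledger(TXS)[1])` on this ledger returns the two 10 and 20 BTC payments and ignores the 80/20 transaction, which is the kind of candidate list an analyst then confirms against known payment addresses.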

More effective tools
A major development has occurred in the past two years, besides the Conti Leaks: knowledge of bitcoin ransom payment addresses has improved significantly.

The Ransomwhe.re initiative of Jack Cable, now Senior Technical Advisor to the US Cybersecurity and Infrastructure Security Agency (CISA), has collected and made available, in open source, more than 7,500 addresses that were used for ransom payments. CISA itself has made some public, for example for the Karakurt group in June 2022.

Figure: analysis of the financial flows linked to a bitcoin address (source: Breadcrumbs).
This knowledge makes it possible, in bitcoin flow-analysis tools, to attribute addresses or even to cluster them. As early as the beginning of 2021, Chainalysis had thus brought out connections between Maze and SunCrypt, suggesting the existence of an affiliate working for both franchises, and another link emerging between Egregor and DoppelPaymer.

This knowledge is added to another: that of addresses belonging to wallets managed by exchange platforms. Because, obviously, cybercriminals do not fail to use such platforms. For example, at the end of May 2022, a member of the Conti galaxy transferred over 75 BTC to RenVM's bitcoin reserve.

That is enough to allow seizures, at least partial ones, of paid ransoms, as in the Colonial Pipeline case in particular, or the imposition of sanctions against exchange platforms that refuse to cooperate with the authorities, such as Suex in September 2021. So many actions that contribute to the fight against cybercrime.