Tag Archives: hacker

Decentralized Cryptographic Information Black Market

Abstract:
This article highlights a new business that has appeared in the cybercrime underworld: a decentralized and anonymous black market in which one can sell any confidential and valuable information. What is promoted as a platform for whistleblowers is in fact a place where one could sell stolen credit card data, 0-day exploits and software vulnerabilities, child porn, stolen databases, and so on and so forth. We describe the mechanisms of this platform for cybercriminals, explain its fallacy, and argue for the need to protect real ‘moral heroes’ – individuals protecting our human rights and pushing back against corruption and state powers.

Keywords:
whistleblower, cybercrime, bitcoin, cryptographic, black-market, information marketplace.

Buy and Sell data leaks anonymously

I have recently discovered Darkleaks, a decentralized and anonymous black-market in which you can sell any confidential and valuable information.

The service is advertised all over the internet with a sales pitch like this:
Do you want to be a whistleblower – or do you want to make a few bucks out of data leaks? Have you ever dreamed of distributing an encrypted data leak to the world, let people bid on this dark secret, and earn money anonymously through bitcoin?

The project’s developers promote it as:

the best tool to trade any kind of media, information, video, data and documents that have value.
> Hollywood movie
> Trade secrets
> Government secrets
> Proprietary source code
> Industrial designs like medicine or defense
> Zero day exploits
> Stolen databases
> Proof of tax evasion
> Military intelligence
> Celebrity sex pictures
> Corruption

How does it work?

When the leaker selects a document, it is broken up into segments. Each of the segments is hashed, and a Bitcoin address is generated using the hash as the secret key. From this public key, a new key is generated to encrypt the segments. The encrypted segments are released for public download with the list of Bitcoin addresses.

To prove the authenticity of the document, the system uses a trustless provably fair mechanism. When announcing the leak, the leaker chooses a date and number of the chunks to be released. Based on the Bitcoin block hash at that time, some provably fair random numbers are chosen to select segments to be unlocked. This allows the community to verify the veracity of the file and decide whether they want to pay for the remaining encrypted segments.

The buyers then send Bitcoins to these addresses. When the leaker decides to claim the Bitcoins from the private key, due to how Bitcoin is designed he must release the public key which allows the buyers to decrypt the document.

Because the leaker cannot pre-choose which segments are released, the buyers can verify the addresses are correct, and the segments can be decrypted. This makes for an authenticable and trustless mechanism for selling information on the decentralized black market.
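As an added illustration (not code from the Darkleaks project or from this article), the following Python model shows the observer-side check described above: segments are committed to before the block exists, the block hash picks which ones must be unlocked, and anyone can recompute both. Assumptions: SHA-256 with domain tags stands in for Bitcoin's key and address derivation, the counter-based index selection is one possible construction, and all function names and sample data are hypothetical.

```python
import hashlib

def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def split_segments(document: bytes, size: int) -> list:
    """Break the document into fixed-size segments (the last may be shorter)."""
    return [document[i:i + size] for i in range(0, len(document), size)]

def commitment(segment: bytes) -> str:
    """Model of the per-segment chain: hash -> secret key -> public key -> address.
    ASSUMPTION: SHA-256 with domain tags stands in for the elliptic-curve and
    address-encoding steps of real Bitcoin; only the one-way property matters."""
    secret = h(segment)
    public = h(b"public|" + secret)
    return h(b"address|" + public).hex()[:40]

def select_indices(block_hash_hex: str, total: int, count: int) -> list:
    """Derive `count` distinct segment indices from a block hash.
    ASSUMPTION: counter-mode hashing is one possible construction, not Darkleaks' own."""
    seed = bytes.fromhex(block_hash_hex)
    chosen, counter = [], 0
    while len(chosen) < min(count, total):
        idx = int.from_bytes(h(seed + counter.to_bytes(4, "big")), "big") % total
        if idx not in chosen:
            chosen.append(idx)
        counter += 1
    return chosen

def verify_unlocked(published: list, block_hash_hex: str, count: int, revealed: dict) -> bool:
    """Observer-side check: the revealed segments are exactly those the block hash
    selects, and each reproduces the address published before the block existed."""
    expected = select_indices(block_hash_hex, len(published), count)
    if sorted(revealed) != sorted(expected):
        return False
    return all(commitment(seg) == published[i] for i, seg in revealed.items())

# Constructed sample data: a fake document and a made-up block hash.
DOCUMENT = b"constructed sample document, not real data. " * 8
SEGMENTS = split_segments(DOCUMENT, 32)
PUBLISHED = [commitment(s) for s in SEGMENTS]
BLOCK_HASH = "00" * 8 + "ab" * 24

if __name__ == "__main__":
    picks = select_indices(BLOCK_HASH, len(SEGMENTS), 3)
    honest = {i: SEGMENTS[i] for i in picks}
    print(picks, verify_unlocked(PUBLISHED, BLOCK_HASH, 3, honest))
```

The check establishes only that the unlocked segments match the earlier commitments and were not hand-picked; it says nothing about whether the content is genuine or about the segments that remain encrypted.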

We need to protect ‘moral heroes’… not another cybercriminal underground marketplace

Of course, we need individuals to protect our human rights and push back against corruption and state powers – and we need to protect these individuals.
After the whistle, most leakers of government secrets have their lives changed. Sentencing in media leak cases has historically been relatively light from 1973 to 2005, with only 24 months of prison time for the three whistleblowers prosecuted. Yet, ACLU observed that Obama has “secured 526 months of prison time for national security leakers,” with the vast majority given to Chelsea Manning, who was sentenced to 35 years.
Edward Snowden, the former NSA employee who released classified documents on U.S. monitoring plans, is now in Russia, with his destiny at stake. The Justice Department declared in mid-2013 that it won’t seek the death penalty in prosecuting him, but he is still charged with thievery and espionage.

However, in the case of Darkleaks, I fear that this platform will also be an area where one could sell stolen credit card data, 0-day exploits and software vulnerabilities, child porn, stolen databases, and so on and so forth. Indeed, there is a huge market for personal data, from US SSNs to email addresses through credit card data (Acquisti, Taylor, & Wagman, 2014). This black market will soon be overcrowded with scammers – no crystal ball is required to predict that it will become a future playground for cybercriminals…

Could we compare the Darkleaks market model with software vulnerability markets?
On this very topic, I really liked Kannan & Telang’s (2005) research on software vulnerability disclosure markets. The authors demonstrate that an active unregulated market-based mechanism for vulnerabilities almost always underperforms a passive infomediary-type mechanism.
To sum up, a movement toward a market-based mechanism might not lead to a better social outcome…

The issue of anonymity remains. Whistleblower Protection Acts are a false hope. According to Martin (2003), they are just an appearance of protection: remarkably inefficient, flawed and unhelpful.
How to protect ‘moral heroes’ (Malin, 1982)?

Syta, Michael and Ford (2014) might have the solution – their convincing research pitch is as follows:

“In privacy-sensitive communications, one user sometimes needs to prove to be a member of some explicit, well-defined group, without revealing his individual identity.

Consider for example a whistleblower who wishes to leak evidence of corporate or government wrongdoing to a journalist, via an anonymous electronic “drop box”.

The journalist needs to validate the source’s trustworthiness, but the whistleblower is reluctant to reveal his identity for fear their communications might be compromised, or that the journalist will be coerced into testifying against the source.

The whistleblower thus wishes to authenticate anonymously as a member of some authoritative circle who plausibly has knowledge of and access to the leaked information, such as a corporate board member or executive, or a government official of a given rank.

Even if the whistleblower convinces the journalist of his authority, the journalist may also require corroboration: e.g., confirmation by one or more other members of this authoritative circle that the leaked information is genuine. Other members of this authoritative circle may be just as reluctant to communicate with the journalist, however. If a potential corroborator also demands anonymity, how can the journalist (or the public) know that the corroborator is indeed a second independent source, and not just the original source wearing a second guise?

In general, if the journalist knows k pseudonymous group members, how can he know that these pseudonyms proportionally represent k real, distinct group members, and are not just k Sybil identities?

Finally, the whistleblower is concerned that once the leak becomes public, he may be placed under suspicion and any of his computing devices may be confiscated or compromised along with his private keys.

Even if his keys are compromised, the whistleblower needs his anonymity forward protected, against both the journalist and any third-parties who might have observed their communications. Further, the whistleblower wishes to be able to deny having even participated in any sensitive communication, including the fact of having authenticated at all (even anonymously) to the journalist.”

The Syta, Michael and Ford (2014) protocol satisfies the above requirements (anonymity, proportionality, forward anonymity, and deniability). Their research paper might be interesting reading for journalists and wannabe moral heroes waiting to uncover corruption and wrongdoing.

References:

Acquisti, A., Taylor, C., & Wagman, L. (2014). The economics of privacy. Journal of Economic Literature.

Kannan, K., & Telang, R. (2005). Market for software vulnerabilities? Think again. Management Science, 51(5), 726-740.

Malin, M. H. (1982). Protecting the Whistleblower from Retaliatory Discharge. U. Mich. J.L. Reform, 16, 277.

Martin, B. (2003). Illusions of whistleblower protection. UTS L. Rev., 5, 119.

Syta, E., Michael, B. P. D. I. W., & Ford, F. B. (2014). Deniable Anonymous Group Authentication. Retrieved from cpsc.yale.edu

***

A fraud with bitcoins? Mycoin scandal has nothing to do with Bitcoin

Abstract:
Bitcoin is again drawing scrutiny: in February 2015, media from all over the world ran headlines about “a tremendous fraud with bitcoins”. In the wake of this scandal, Hong Kong’s central bank warned customers against acquiring virtual currencies. However, we argue that the Mycoin scandal has nothing to do with Bitcoin. It is just a bitcoin-based scam that could have been done with any other crypto, digital or physical currency.

Keywords:
Bitcoin, Mycoin, Ponzi scheme, scam, Hong Kong, currency exchange.

 

***

Last summer, local Chinese investors took a trip to Hong Kong for a bitcoin event financed by Mycoin, the Hong Kong company that suddenly closed shop, taking an estimated $390 million along with it.

Today, Mycoin’s business office is vacant, a managing director has supposedly transferred the firm’s financial assets to a British Virgin Islands account before leaving, and more and more people say that in spite of promoting itself as a hub for currency exchange, Mycoin in fact had no bitcoin at all.

Bitcoin is again drawing scrutiny, and in the wake of this scandal, Hong Kong’s central bank warned customers against acquiring virtual currencies.

However, this has nothing to do with Bitcoin at all: MyCoin was basically running a Ponzi scheme based on Bitcoins.

This generates negative publicity for this cryptocurrency and contributes to its poor reputation: nearly anonymous (Reid & Harrigan, 2013), risky and insecure (Moore and Christin, 2013; Eyal and Sirer, 2014).

In 2012, the bitcoin trading platform Mt.Gox froze records of users who possessed bitcoins that could be directly related to theft and fraud (Moser, Bohme, & Breuker, 2013). In spite of this, scamming people with bitcoin hasn’t ceased at all: it has even turned out to be a remarkably lucrative business for cybercriminals (Richet, 2013; Tropina, 2014).

In their empirical study of Bitcoin-based scams, Vasek and Moore (2015) identify 192 scams and classify them into four groups: Ponzi schemes, mining scams, scam wallets and fraudulent exchanges. In 21% of the cases, they found the associated Bitcoin addresses, which enables them to track money into and out of the scams. They find that at least $11 million has been contributed to the scams from 13 000 distinct victims. Indeed, the most successful scams depend on large contributions from a very small number of victims…

References:

Eyal, I., & Sirer, E. G. (2014). Majority is not enough: Bitcoin mining is vulnerable. In Financial Cryptography and Data Security (pp. 436-454). Springer Berlin Heidelberg.

Moore, T., & Christin, N. (2013). Beware the middleman: Empirical analysis of bitcoin-exchange risk. In Financial Cryptography and Data Security (pp. 25-33). Springer Berlin Heidelberg.

Moser, M., Bohme, R., & Breuker, D. (2013, September). An inquiry into money laundering tools in the Bitcoin ecosystem. In eCrime Researchers Summit (eCRS), 2013 (pp. 1-14). IEEE.

Reid, F., & Harrigan, M. (2013). An analysis of anonymity in the bitcoin system (pp. 197-223). Springer New York.

Richet, J. L. (2013). Laundering Money Online: a review of cybercriminals methods. arXiv preprint arXiv:1310.2368.

Tropina, T. (2014, June). Fighting money laundering in the age of online banking, virtual currencies and internet gambling. In ERA Forum (Vol. 15, No. 1, pp. 69-84). Springer Berlin Heidelberg.

Vasek, M., & Moore, T. (2015). There’s No Free Lunch, Even Using Bitcoin: Tracking the Popularity and Profits of Virtual Currency Scams. Financial Cryptography and Data Security 2015 Conference.

***


Laundering Money Online: an Overview

Abstract:
This chapter introduces my research on cybercriminals’ money-laundering methods (Richet, 2013). It is the first of a series of chapters dedicated to current trends in online money laundering. We all know the oldest ‘physical’ placement methods of money launderers: cash smuggling, casinos and other gambling venues, insurance policies, hawalas / fe chi’en or the black market peso exchange, shell corporations, and so on and so forth. But there is also a number of online money laundering schemes currently being used by criminal enterprises to pass illegally received funds through legitimate accounts, and new ones are popping up all the time. Some of the most widespread schemes will be detailed in this series of chapters.

Keywords:
Cybercrime, online gaming, money laundering, micro laundering, black markets.

***
Introduction

Money laundering is a critical step in the cyber crime process which is experiencing some changes as hackers and their criminal colleagues continually alter and optimize payment mechanisms. Conducting quantitative research on underground laundering activity poses an inherent challenge: Bad guys and their banks don’t share information on criminal pursuits. However, by analyzing forums, we have identified two growth areas in money laundering:

• Online gaming—Online role playing games provide an easy way for criminals to launder money. This frequently involves the opening of numerous different accounts on various online games to move money.

• Micro laundering—Cyber criminals are increasingly looking at micro laundering via sites like PayPal or, interestingly, using job advertising sites, to avoid detection. Moreover, as online and mobile micro-payment are interconnected with traditional payment services, funds can now be moved to or from a variety of payment methods, increasing the difficulty to apprehend money launderers. Micro laundering makes it possible to launder a large amount of money in small amounts through thousands of electronic transactions. One growing scenario: using virtual credit cards as an alternative to prepaid mobile cards; they could be funded with a scammed bank account – with instant transaction – and used as a foundation of a PayPal account that would be laundered through a micro-laundering scheme.

Laundering Money Online: a review of cybercriminals’ methods

Millions of transactions take place over the internet each day, and criminal organizations are taking advantage of this fact to launder illegally acquired funds through covert, anonymous online transactions. The more robust and complex the various online marketplaces become, the more untraceable methods criminals find to pass ‘dirty’ money into online accounts and pull ‘clean’ money out of others. The anonymous nature of the internet and the ever-evolving technologies available allow numerous opportunities for online money laundering operations to take place. Many of these methods involve using a ruse to pull unsuspecting participants into money laundering schemes, often with serious financial and legal consequences for victims. The best way for law-abiding citizens to avoid becoming complicit in such illegal activities is to stay informed about the methods criminals are using to pull them in.

We all know the oldest ‘physical’ placement methods of money launderers: cash smuggling, casinos and other gambling venues, insurance policies (launderers purchase them and then redeem them at a discount, paying fees and penalties but receiving a clean check from the insurance company), hawalas / fe chi’en or the black market peso exchange (informal value transfer system), shell corporations, and so on and so forth. But there is also a number of online money laundering schemes currently being used by criminal enterprises to pass illegally received funds through legitimate accounts, and new ones are popping up all the time. Some of the most widespread schemes are detailed in this article.

Methodology

Ostensibly, conducting quantitative research on underground laundering activity poses an inherent challenge: Bad guys and their banks don’t share information on criminal pursuits. Our approach utilizes an online ethnography, observing large online hacker forums and communities and researching topics related to money laundering on their databases. We used a large variety of keywords, from those linked with payment solutions to those associated with black markets. After a first review, we filtered our data and discarded irrelevant forum threads. We then analyzed the content of these threads and synthesized our findings into categories that will be explained in following blog posts.

References:

Richet, J.L. (2012). “How to Become a Black Hat Hacker? An Exploratory Study of Barriers to Entry Into Cybercrime.” 17th AIM Symposium.

Richet, J. L. (2013). Laundering Money Online: a review of cybercriminals methods. arXiv preprint arXiv:1310.2368.

***
