The World Is Watching: Can WannaCry's Creators Cash Out Their Bitcoin Ransom?
Bitcoins amassed by those behind the huge malware attack are being watched by the authorities. Can they retrieve the funds and not get caught?
The hackers behind the infamous WannaCry ransomware have had a lucrative week. So far, they have racked up almost $80,000 in bitcoins. But their next step may be more difficult – they still have to figure out how to move that money, without giving themselves away to authorities.
The well-publicized cyber-attack, which began in Asia, has locked up hundreds of thousands of computers in more than 150 countries. Once a computer gets infected, a tab pops up demanding a $300 payment in bitcoin to unfreeze the data.
Shockingly, despite no clear evidence that anyone who pays the ransom actually receives the promised decryption keys to unlock their encrypted files, some people have been putting up the funds, sending their bitcoin off to one of the hacker's three bitcoin wallet addresses.
But now, with the world's cybercrime teams watching those bitcoin addresses, the question is: Will the hackers be able to launder that money and spend it? Or, is the money tainted, traceable, and therefore worthless to the thieves?
Follow the coins
Originally bitcoin was touted as an anonymous payment vehicle. But over the years it has become clear that bitcoin is pseudonymous rather than truly anonymous.
Bitcoin addresses, payments and transactions are all visible on the blockchain. And by analyzing transaction patterns, it is possible to trace money and find the actual parties behind the public keys – strings of numbers bitcoin uses to identify its participants.
As WannaCry is the most widespread bitcoin ransomware attack in history, the criminals behind it have garnered a lot of attention. So, if they want to actually spend their funds, they will have to find a clever way to remove all links from the original bitcoin addresses.
As of right now, though, the bitcoins are still sitting untouched, and the trail is cold.
Hiding their tracks
So what are the options for the bad actor(s) behind the ransomware attack?
Laundering bitcoin is a little different from laundering fiat money, but is just a matter of applying the right tools, according to Emin Gün Sirer, a professor at Cornell University. According to him, technologies already exist for shedding so called ‘tainted’ bitcoins – they just require a little technical know-how.
One of the simplest processes is ‘chain hopping', where bitcoins are converted into other digital currencies, usually at offshore exchanges. “Following the trail gets quite difficult as the coins cross jurisdictions and change shape,” Sirer told CoinDesk.
Another technique known as ‘tumbling’ would allow the hackers to pool their ill-begotten bitcoins with other people's coins.
In a bitcoin tumbling service, coins from different sources are mixed together and then re-disbursed. Conceivably, the hackers could repeatedly mix their coins until the coins were diluted enough to throw law officials off their path.
But Ethan Heilman, the Boston University researcher behind TumbleBit, a proposed bitcoin tumbler, indicated that mixing bitcoin is risky business, especially when dealing with larger sums of money. As he pointed out, one of the problems the hackers may run into is finding a large enough number of bitcoins to adequately mix with.
"Even if they mix the coins such that they will be hard to follow, if the WannaCry hackers make a mistake and join the coins back together, those coins could become vulnerable to clustering and other blockchain analysis techniques," he said.
Further, it is unclear how effective most mixers actually are, Heilman added.
Notably, the fact that the hackers used only three bitcoin addresses to collect their money suggests they don't know much about bitcoin privacy. Had they used a unique bitcoin address for each computer WannaCry infected, the money would have been a lot more difficult to trace.
In a LinkedIn post, Neil Walsh, the UN’s head of global cybercrime, pointed to that and other shortcomings in the ransomware to suggest the hackers are likely in over their heads.
However, as Sirer pointed out, hacking is a rich, stratified ecosystem, and the people who put together the exploit may now be looking for an expert at laundering coins. Or, they may simply be biding their time before attempting to retrieve the funds.
Hacker image via Shutterstock
The leader in news and information on cryptocurrency, digital assets and the future of money, CoinDesk is a media outlet that strives for the highest journalistic standards and abides by a strict set of editorial policies. CoinDesk is an independent operating subsidiary of Digital Currency Group, which invests in cryptocurrencies and blockchain startups. As part of their compensation, certain CoinDesk employees, including editorial employees, may receive exposure to DCG equity in the form of stock appreciation rights, which vest over a multi-year period. CoinDesk journalists are not allowed to purchase stock outright in DCG.
Learn more about Consensus 2023, CoinDesk’s longest-running and most influential event that brings together all sides of crypto, blockchain and Web3. Head to consensus.coindesk.com to register and buy your pass now.