Charles Finfrock has a self-proclaimed passion for cryptocurrency. In pursuit of what he refers to as his hobby, Finfrock became a Certified Bitcoin Professional (CBP) and a Certified Anti-Money Laundering Specialist (CAMS) which led to the founding of his company, Crypto Charles, LLC. During his recent presentation for the American Cyber League and the Cyber Bytes Foundation, Finfrock gave an overview of cryptocurrency, the threats it poses, and the specific lessons that can be learned from the Russian DNC Hacks in 2016.
Do you speak crypto?
Finfrock described cryptocurrency terminology in a bit of a tongue-in-cheek fashion: “One of my favorite things about this is it takes all the high falutin terms from international finance, mixes it in with all the high falutin terms from computer science, and then it takes a third leg from Klingon and words that people just made up.” He went on to say that it’s rare to find someone who speaks fluent crypto because “as soon as you think you do, there’s a made up word in there, or we repurpose a word, or we use the same word to mean two different things.”
Finfrock defined cryptocurrency as an encrypted digital currency that runs on blockchain technology using P2P or peer-to-peer verification. It’s also known as digital currency or virtual currency, which is what the government likes to call it.
“You hear it called a lot of stuff,” he said. “And it’s not real from the perspective of – it’s not physical. You can’t hold a bitcoin in your hand. But it’s real in terms of – you can trade it for goods and services.”
Finfrock acknowledged that the value of crypto can be confusing and it fluctuates. But the fact that it does have value is clearly reflected in the reality that people negotiate goods and services for it.
Bitcoin with a small “b” is “the daddy” of cryptocurrency, first invented in 2009 by Satoshi Nakamoto, whose identity remains unknown. Amongst 2000+ other currencies, bitcoin still has the largest market cap and is the most widely known. According to Finfrock, “it’s a flawed currency, but it’s generally what the Russians use, although according to the public indictment, they may have used a combination” of different types of cryptocurrencies, especially in their DNC attack.
While bitcoin with the little b represents the currency, Bitcoin with a big “B” is the blockchain. Finfrock compared this cutting-edge method of tracing crypto to the ancient banking practice found on clay tablets 5000 years ago in Mesopotamia. “It’s literally a ledger – a way to keep track of things,” Finfrock said.
Wallet is an example of a word that has been repurposed for crypto, and it can mean a variety of things. For example, a wallet can be a program on a phone or what’s called a “hardware wallet” which looks like a USB. A wallet is essentially what you keep your keys on to access your money.
A tumbler/mixer is a tool that can be used to make transactions more difficult to trace. “It’s a way money is laundered,” Finfrock said. “People say there’s also a legitimate reason for it, but I’m still not sure why that would be.” With a tumbler, it’s “same in; same out”. The form of cryptocurrency that you mix is same form you’ll receive back.
A shifter is something that takes one currency type and exchanges it for another (for example, changing ZCash money to LiteCoin). What that does forensically is it jumps off the chain, making it difficult to track.
“Develop blockchain forensic tools, please, for America,” Finfrock pleaded with the cyber experts in attendance.
Get the Bitcoin.
In terms of how “normal people” purchase Bitcoin, they usually do it through exchanges, which employee “KYC/AML.” or know your customer/anti-money laundering measures. Purchasing is done through exchanges or P2P or peer-to-peer purchases.
When it comes to mining, securing, and solving the transaction, it’s all about doing the math. “There are only ever going to be 21 million bitcoin. There are 100 million Satoshis in each bitcoin. That’s 100 million pieces of a bitcoin. So every 10 minutes, a new block is created. If you win the block, you get what’s called a ‘block reward’ and you get the bitcoin,” Finfrock explained.
According to the public indictment, one of the ways that the Russians, for example, have figuratively created money out of thin air is to utilize their nation-state resources with the highest speed computers to generate the coins which are then used to fund infrastructure for their hacking. This is called virgin coin because, as Finfrock explains, “It’s created mathematically, dumps in your wallet, it hasn’t been anywhere else, and you don’t have to launder it. The wallet you associate with that mining rig, maybe you put your name with it, maybe you don’t.”
Ransomware is another method of obtaining coin by using either faux or real threats to take over a computer. “From the perspective of needing currency to do illegal activity,” Finfrock said, “you can send out the notes and have the money come in.”
Lastly, cryptojacking is another way to generate cryptocurrency without actually having to pay for anything. When the Russians, for example, set up giant bot armies to target computers when they are not in use, all the resources on the computers were taken over and utilized. The result is getting all the benefits of mining without needing to pay for the computer or the energy to do so.
Use the Bitcoin.
Other than the exchange purchases and P2Ps, there is no money in it. When you quantify how much money the Russians actually paid for all of the hacks, it’s not much. According to the indictment, “The Defendants conspired to launder the equivalent of more than $95,000 through a web of transactions structured to capitalize on the perceived anonymity of cryptocurrencies such as bitcoin.” They did this through peer-to-peer exchanges and mining to generate the coin. Then, they laundered it through the use of multiple wallets, mixers/tumblers, and the shifters called Shapeshift and Changelly.
What the FBI was able to track back: According to the public indictment, the Russians used the cryptocurrency to purchase the web domain DCLeaks.com, accountsqooqle.com and account-gooogle.com, as well as the VPNs used for spear phishing and logging into the Guccifer_2 twitter account that they used to leak information. They also purchased servers in Malaysia which were used to host the dcleaks.com website and leased a server to administer malware implanted on the DNC network and hack the DNC cloud network.
Follow the Bitcoin.
“I’ve got some good news and some other news for you,” Finfrock said. Bitcoin is pseudo-anonymous, meaning it can be traced, but you don’t always know who it belongs to. It avoids the use of regulated financial systems and it’s not physical so, in Finfrock’s words, “we can’t block it, freeze it, or seize it.” It’s also difficult to sanction it even after it’s found. With the ability to instantaneously move money anywhere at any time, criminals have a significant first-mover advantage. “They’ve developed the tactics, but the good guys are still building knowledge, still building the capabilities, and investigating cases,” Finfrock explained.
The reality is, it’s not actually anonymous. So, if it’s done improperly, a permanent record exists that does make it traceable. Another downside to crypto is that there are also limited goods and services that can be purchased with it.
Where do we go from here?
“Americans are the hardest to explain bitcoin to. Our money works. Our banks work,” Finfrock said. “But when you go to other countries, this all makes a lot of sense. And it’s not a fad. It’s not going anywhere.”
Finfrock believes that one of the most important next steps is to embrace crypto and get educated on it. He said we also need to develop clear regulation in terms of how is it characterized by the U.S. Government, property, commodity, security, and/or currency.
Part of the problem, according to Finfrock, is that “as a U.S. Government, we’ve not yet decided what we’re actually going to call it.” Crypto holds many definitions, depending on who you’re talking to. The Securities and Exchange Commission (SEC) view crypto from the perspective of a security. The Commodity Futures Trading Commission (CFTC) considers it a commodity. The Financial Crimes Enforcement Network (FINCEN) views it as a potential monetary instrument. And the Internal Revenue Service (IRS) defines crypto as property that can be taxed on its short-term and long-term capital gains.
How the U.S. defines crypto will ultimately impact how crypto moves forward. In the effort to not move quickly and to avoid bad regulation, Finfrock said that “ what’s happened is we’ve begun to retard the process of adoption because of the delay of getting clear regulation on it.”
For cyberwarriors who develop technology that will be useful for National Security, Finfrock said it’s all about “attribution, attribution, attribution”. Training and developing the blockchain attribution tools and blockchain explorers is vital. In April of last year, the International Standards Organization (ISO) met in Tokyo to establish international standards for the blockchain. It was at this meeting that Grigory Marshalko, FSB officer and head of Russian delegation, said coldly, “The internet belonged to America. The blockchain will belong to the Russians.”
Finfrock closed by imploring cyber experts, “We need the forensic tools to be able to track it and trace it. This technology is ahead of us and it’s real—you can buy goods and services with it, so it’s as real as any other currency we have.”
For more information on Charles Finfrock’s presentation or to register for American Cyber League Center of Excellence’s monthly Cyber Bytes networking event, please visit americancyberleague.org/networking-events.