Intro
Scott Helme: Hey, everyone, you're joining me, Scott Helme. I'm here at GOTO Copenhagen, and you are joining me on this episode of GOTO Unscripted with Andy Greenberg. Do you wanna give a quick intro?
Andy Greenberg: Sure. I'm a senior writer for "WIRED" magazine and I write about hackers and cyber security and surveillance and I guess most recently I'm the author of this book, "Tracers in the Dark" that's about...well, the subtitle is "The Global Hunt for the Crime Lords of Cryptocurrency," and it's about the ways that people once believed that cryptocurrency was untraceable, the kind of perfect internet crime coin as some people thought, including me when I first wrote about it in 2011, I have to admit. And then how over the decade that followed, I don't know, we kind of were all, or at least I and many cyber criminals, many criminals of all kinds, were quite surprised that it turned out to be the opposite, extremely traceable and how this one small group of detectives used cryptocurrency tracing to take down one massive cybercriminal operation after another over half a decade or so. Yeah, but please tell me about you, Scott, and what you work on as well.
Scott Helme: I'm mostly independent. I work in the cyber security space, typically on kind of like application website security. All of the little projects that I started have kind of grown into companies, including the one that I'm branded with, and they're all focused on how to help people improve their cybersecurity on their websites. So to avoid, you know, nowadays data breaches are a common thing. But we've also seen like digital skimming attacks where attackers will find ways to steal card data out of the page or going back, you know, even a few years before that, and hopefully, we can touch on this later, you can mine cryptocurrencies on a website. So when you visit a website, your machine is enslaved to mining cryptocurrencies. And we refer to that as cryptojacking.
Are Cryptocurrencies Anonymous?
Scott Helme: Going back into kind of 2014 through to 2018, that was quite a popular trend. So I'm interested in asking you actually about the anonymousness of these cryptocurrencies. Because I think if I was to, you know, speak to people, certainly over the years, everyone kind of does think that cryptocurrency is anonymous, right? It's almost like a default belief, isn't it?
Andy Greenberg: It's interesting for you. I thought you might say the opposite because so many people in our world think, "Andy, how could you be so dumb as to ever have thought that Bitcoin was anonymous?"
Scott Helme: Within the tech bubble?
Andy Greenberg: Right, exactly.
Scott Helme: Like, for sure.
Andy Greenberg: Within this bubble that we live in. Yeah. You know, like Bitcoin was...initially, even Satoshi Nakamoto wrote in this initial email to a cryptography mailing list that participants can be anonymous. And a lot of people took that very seriously.
Scott Helme: Can be.
Andy Greenberg: Can be, exactly. It turns out the only person who's managed that is Satoshi, pretty much.
Scott Helme: He's the original person.
Andy Greenberg: Because everybody else, like, eventually cashes out their coins or, you know, uses them and they don't leave a billion bitcoins, a billion dollars anyway, untouched as he or she or they have. So it has turned out that the larger, I think, community of even, like, people seeking privacy with cryptocurrency, there was a whole kind of cypherpunk movement that thought this was the kind of holy grail of secret money for the internet. And I think they were all quite surprised when around 2013 or so, the first big paper came out that showed, no, you can start to find patterns in this blockchain thing that is a record of every single Bitcoin transaction. So now we look back like a decade later, and it seems almost ridiculous. How could you even think that this cryptocurrency underpinned by a blockchain that lists every transaction could have any anonymity properties, but, you know, they are just transactions between addresses, these pseudonyms.
So if it's not anonymous, it's at least pseudonymous. It just turns out that it's easier than we thought to find kinds of threads through those pseudonyms and clusters of lots of different addresses that belong to single pseudonyms. Then they often kind of pierce the veil between someone's pseudonyms, their addresses, and their real identity. And that turned out to be incredibly powerful for law enforcement. The story of my book is really about how these detectives use this as a kind of, you know, incredibly powerful tool to take down dark web drug markets, to trace stolen coins, like the Mt. Gox heist. That was cracked with cryptocurrency tracing. Let me say that again, that was cracked with cryptocurrency tracing. And it was, you know, 650,000 Bitcoins, which almost is like a mind-boggling sum today.
Recommended talk: Shaping Language in Cybersecurity For People • Ceri Jones • GOTO 2023
Scott Helme: What was that worth back then? I was gonna say, because that's quite a different sum from then until now, right?
Andy Greenberg: Well, yeah, it was half a billion dollars then, and at the time it was discovered anyway, it turns out it had been stolen years earlier and sold for like pennies on the dollar, of course. But then, yeah, it's still...those people who thought that they had money in Mt. Gox, they lost half a billion dollars that they believed that they had in 2014. And it's funny to kind of see history repeating itself with FTX today, which not only has gone bankrupt but has lost half a billion dollars to hackers. I'm not sure people have, like, paid attention to this story within the meltdown of FTX, but thieves stole on the day of their bankruptcy, another half billion dollars of their money. So yeah, but you have also like...it's interesting that…
Cryptojacking
Andy Greenberg: One thing that I don't cover at all in the book is cryptojacking. And it sounds like you have done a major kind of investigation on this. Please, yeah, tell the story.
Scott Helme: It's a really kind of bizarre story in that I didn't set out to be involved in it. And it all kind of came around by accident. But I'll give, like, the brief backstory and then I actually have a few questions that I wanna ask you about this story based on what you've just said already. So my focus, as I mentioned earlier, is kind of on securing websites and, you know, how organizations can protect essentially their customers data, because most websites are people putting their data in. And then if there's some kind of breach, it's always like my data. So we've seen loads of attacks over the years where attackers will wanna steal my username and password or, you know, all of my identity information to then apply for loans or credit cards in my name and do your traditional identity theft.
And then it became really popular kind of in the 2014 era, this thing called cryptojacking. And what the attackers realized was it's like, well, look, if we can get our malicious code into somebody's website, and normally customers would go there and will steal their username and password or their name and address. They're like, well, we're running code in the customer's browser. And like, if we're running code, we can mine cryptocurrency because that's all that's required, right? Like, you just have a crypto miner. And one of the most popular ones back then was from an organization called Coinhive. They had a legitimate pitch for their product, which was you go to a website, and they subject you to adverts because they need to make revenue and adverts sometimes impact performance and they impact privacy. So what you could do is you could load the Coinhive mining library and when visitors come to your website, you would borrow some of their device power to mine a little bit of cryptocurrency as a substitute for advertisements. So that was their kind of legitimate, you know, pitch if you will. And unfortunately, that's not often what happened because what people realized was if I can set up, you know, Coinhive, but then install it on your website maliciously, all of your visitors will mine the cryptocurrency, but then they'll send it to me instead of you. And this is what became known as cryptojacking, this hijacking of people's devices to try and mine currency and steal it.
Andy Greenberg: And did Coinhive take a commission on this? What was their business model?
Scott Helme: So I don't know the...I never used Coinhive officially and I was kind of a little bit against it from the outset.
Andy Greenberg: It's a bit of a sketchy idea.
Scott Helme: I struggled with my comfort with the idea. And I'm sure that there's probably a way that you could have conveyed that and done it appropriately, but I'm not sure.
Andy Greenberg: I think most people when they visit a website don't expect their, like, GPU to start, you know, heating up.
Scott Helme: Exactly this. So I always kind of struggled with that component of it. And Coinhive specifically is one of the players who were also a bit of a flash in the pan because I think they shot to fame too fast, and became used for cryptojacking very, very quickly.
Andy Greenberg: Of course, you know.
Scott Helme: That brought all the wrong kind of attention in really large quantities. But these, you know, organizations, groups, I mean, heck, maybe they were individuals that did this, realized, you know if we can get the mining library onto somebody's website, onto a big enough website, then they have lots of traffic, we make lots of...and it was Monero that they were mining...we make lots of money. So they realized, you know if we breach and attack an individual site, we get all of that site's visitors. So if we breach this individual site, we get all of the visitors to that site. But then I guess they also realized if we breach a dependency and that dependency is used by hundreds of sites or thousands of sites, then we breach the one dependency and then a thousand websites load it, we've now breached a thousand sites and we've got the visitors.
And this particular one was a text-to-speech plugin. So it's a little JavaScript-like widget that you put on your page and if you have a visually impaired visitor, it will read components of the page. They compromised this company's servers and injected their malicious code into the dependency, and unfortunately, because it was text-to-speech and it was very much around accessibility, government websites have very high accessibility requirements. So we found over 5,000 government sites that were loading this text-to-speech...
Andy Greenberg: So this is a kind of like supply chain cryptojacking case pretty much.
Scott Helme: Exactly that. So it's like the two things together. You've got a super traditional supply chain attack, and then the fact that they were going after cryptocurrency.
Andy Greenberg: But it's sort of like a supply chain web attack too, which is like such an interesting...I don't know. It's like a, just a wonderful, like, terrible series of events.
Scott Helme: And this is the thing, right? It's a wonderful, terrible series of events. I like that.
Andy Greenberg: Well, my thought about cryptojacking...yeah, I mean, it's like, well, I guess the scary thing is they had access to thousands of websites. What could they have done if they weren't just interested in mining something narrow, right?
Scott Helme: And this got loads of media attention, especially in the UK, because I was notified about this issue from a friend of mine. He's like, you know, "I've gone to this website and it's running slow. And then like later on my antivirus popped up this thing," And he's like, "Could you take a look?" And that's actually how I started the investigation process totally by accident on a Sunday morning. And eventually, of course, in the following days, we realized the scale of the attack, and then different governments started getting involved in the remediation. And inevitably, you know, I spoke to the press, and we did a really big story with the BBC. And one of the questions the journalists at the time said was, you know, like, "Okay, so they've mined this Monero, we're still trying to figure out how much, and maybe you can help me with that in a moment, but," they were like, "what could they have done?" And at this point, it's like, well, I don't know, like, if you can think of it, then we can do it. Like, once you can just inject arbitrary code into the page, I was like, you think of it, and I will do it.
Andy Greenberg: Well, the one that...I don't know, maybe the most disruptive thing would have been ransomware, right? I mean, I almost...like, I look at, that's the thing, like, crypto mining is a nasty business, I mean, cryptojacking, rather. Mining, you know, I won't talk about the effects or whatever. But I do sometimes think like, well, that was a nice, like, peaceful era before it became more profitable just to hold these sites hostage instead, right? Like, it's, if you if I'm gonna choose between, like, having everybody visits my site, spin up their GPUs and, you know, and, like, get annoyed.
Scott Helme: Give me 4 cents in Monero.
Andy Greenberg: Right. Versus taking my website and server hostage and demanding, I don't know, whatever it is, hundreds of thousands of dollars.
Scott Helme: Well, the even bigger scale thing here would be the visitors to those sites, you know, because, you know, we only managed to find around 5,000 government sites that were impacted by this. But then I guess, like, the even larger scale thing was like, what if they then turn that around and targeted the visitors to those sites? Because how many people go to, you know, government sites on a day-to-day basis? They must be a lot.
Andy Greenberg: Well, it's kind of a difficult attack to find this one plugin, is that what it is?
Scott Helme: Yeah.
Andy Greenberg: A plugin that then gives you thousands of sites, which gives you millions of visitors, right?
Scott Helme: And it has to be millions, right? It's got to be. I have in the blog post in the talk that I'm giving tomorrow, I cover the investigation into this. I've got samples of all of the largest government sites from different countries and it's like, you know, the UK, the U.S., Australia, New Zealand, you know, like, really populous countries. So then they must have had lots of visitors, you know, to their website. So we're very lucky that all they chose to do was mine some cryptocurrency, I guess because it's a very short-lived attack. It doesn't have any lasting impact. You go to the website for five minutes, you know, your computer's busy for five minutes, but then when you leave, really all trace is gone.
From Cryptojacking to Ransomware
Scott Helme: Whereas if they decided to download some malware onto my device or, you know, try and ransomware my device, and then just charge me like, you know, even $10 multiplied by the millions of people that would have impacted, that would have been significant.
Recommended talk: Lessons From Billions of Breached Records • Troy Hunt • GOTO 2022
Andy Greenberg: It is stealthy as well. Like when ransomware groups have done, you know, large-scale worms or WannaCry or something, then they make way too much noise. You know, it often doesn't even serve them that well. They end up with, like, FBI-wanted posters with their names on them.
Scott Helme: I wonder if that's kind of what happened to some of the people involved in, like, cryptojacking because it was such a flash in the pan. I always wonder, you know, they kind of achieved the notoriety, but then didn't have, you know, the plateau of success for some time. It seemed to be like a flash in the pan and then gone. I wonder if they...
Andy Greenberg: I think it seems like some of them may be moved on to ransomware, which is a more, probably a more profitable, much more malicious in a way, sort of business I do. You know, I am sometimes working on, like, stories about more of like the low-level teen hacker community. And I have recently heard a story about one guy who made enormous amounts of money through cryptojacking and was never identified, never charged. I think he was probably even a minor at the time. So, like, not a minor with an O, like, he was under the age of 18. So, I think that some people probably just got away with it too, because it is a relatively subtle, you know, profit model compared to ransomware or something like that.
Scott Helme: All of these attacks go back to, isn't it? Ultimately, they're here to make money, whoever these people are. Like, I've not seen any scenarios where there is an alternative objective other than how do we make some money, you know? So it's like, well, what can we do? And I guess the idea with the crypto-jacking thing was, you know, this was found like we believe based on...obviously it's very difficult to look back after the fact, but we believe based on all of the evidence that it wasn't there for that long. But I guess, as you say, with it being, like, so subtle and, you know, essentially kind of undetectable to most normal people, you know, if they were there for days or weeks or months, I presume was probably their objective. You know, if you're getting millions of people to mine you a few cents here and there in Monero every day, then, you know, that starts to sound attractive.
Andy Greenberg: But I guess you weren't able to, like, put together, like, an estimate of their profits. I guess the Monero is designed to prevent that, right?
Scott Helme: Yeah. So this is one of the things that I did wanna loop back to you on actually. So cryptocurrencies, you know, I understand the basic operation, and that's as far as my knowledge goes. And so obviously within the miner, we could see the address and throughout the entire attack where the money was being sent was consistent. So any of those, you know, would you call it a transaction when you mine it and then send it to the Monero wallet, they would have all gone to, like, this one consistent address. But that's not my area of expertise, so I never tried to look into where the money go. Or even if you could look, where did the money go?
Andy Greenberg: Well, certainly, if it had been Bitcoin, you could very easily. And if it was all going to one address, you could just see how much money had accumulated at that address. It's all sitting right there on the blockchain, you know. But I think, of course, like, the whole idea of them using Monero probably was to prevent that because Monero tangles up its blockchain and all kinds of clever ways that I think obscures the amounts of transactions. It creates like...
Scott Helme: Kind of transparent.
Andy Greenberg: It includes a kind of mixed network. I don't even know all of the features of Monero today. It combines...it has kept adding them, in fact, over time. I'm not sure where things stood in 2017. At one point, Monero was more traceable than it is now. Some, like, serious vulnerabilities were found in it, but they were fixed. They might have even been fixed by the time of this, you know, campaign. But it's still super interesting to me to kind of, like, try to figure out how, I mean, because I've written an old book about cryptocurrency tracers, you know, I have seen a leaked Chainalysis being, like, you know, the $9 billion crypto tracing startup. I've seen a leaked document that they presented to the Italian police, it was in Italian, in which they claimed that they could trace Monero and in 65% of cases, they could get a usable lead and then in another 15%, they could find the sender, but not the recipient. But you know, nobody knows how they do that. It is almost certainly probabilistic rather than, you know, deterministic.
With Bitcoin, you can easily just, you know, find out whose addresses they are, find, you know, a cluster, and then just start, you know, adding up the values of the coins of those addresses. I think with Monero is far harder, but it does seem like there have been breakthroughs in Monero tracing in recent years, although Monero people do not like me talking about that and to get quite mad when I point this out. But there was a...in 2022, this case came to light. There was this $4.5 billion theft from the Bitfinex exchange, which you might remember.
Scott Helme: I remember the headlines.
Andy Greenberg: The story broke, like, just as I was finishing the book, I kind of just mentioned it in the epilogue, but it's a crazy story in part because, like, the woman in this money laundering couple in New York, they're not just money launderers, they've now pled guilty to the theft itself, too, but they were charged initially with money laundering. But the woman in this, you know, husband-wife couple had posted these, like, incredibly embarrassing rap videos to YouTube. Do you remember this?
Scott Helme: Oh, no.
Andy Greenberg: Anyway, she called herself the crocodile of Wall Street. You should maybe not check these out, I don't know. But, at one point, they did some, like, clever things to try to cover their tracks, including taking a big tranche of the money and exchanging it for Monero. You can see this in the IRS criminal investigations document that was published with their indictments. And yet you can see that, like, after its exchange for Monero, the IRS just continues to draw the chart, like, the money goes here and here, like, so that seems to be kind of a giveaway that IRS can somehow trace Monero. We know that they have a relationship with Chainalysis that they use Chainalysis, they have in some of the biggest cases in simply, like, the history of cybercrime. They use Chainalysis to bust, for instance, the first, second, and third biggest...to make the biggest seizures of not just cryptocurrency, but of money of any kind in law enforcement history in those years. So it seems very likely that the IRS has access to this Chainalysis secret Monero tracing capability. But it's still kind of frustrating that for people like you and me, we can't access that or figure out, or see anything in the Monero blockchain. It's only the kind of people who can afford those five-figure chain analysis licenses, I guess, who can do that.
Scott Helme: And is it down to, like, what we call the OpSec, the operational security of the person using the currency in terms of, like, how anonymous you are? Like, I assume there are things that you can do to improve your anonymity.
Andy Greenberg: I'm sure that you could, like, layer something else on top of Monero so that when you cash it out and at an exchange, even if the exchange has your know your customer identity, you know, exchanges have to collect identifying information on their users. So the idea is that you use a coin or a laundry system so that, like, once you cash it out, you're not connected to whatever criminal thing you did with the money because your identity is at the exchange. But I imagine the people who use Monero think that it's safe to just cash it out directly at an exchange because it is itself a kind of money, you know, I don't want to say it's a money laundering system, but it is a coin that, like, is designed to mix up everybody's coins together and make them harder to trace so that you could safely cash out your coins without any sort of connection to a criminal event. It just seems like there is nonetheless some way to trace those coins.
And that is kind of like the whole story of cryptocurrency to me, is it, like, sets this trap? People once believed that Bitcoin was anonymous and therefore it kind of like seduced all of these people seeking privacy and cybercriminals of all kinds for a decade, pulling in, like, all sorts of nasty businesses from drug dealing to child sexual abuse materials networks. And then all of it was exposed by the fact that the blockchain records every single transaction and is quite transparent. So it seems like in some ways the same thing may be happening, I don't know, to some degree with Monero too. We'll just have to see what cases come out of it. I remember seeing, like, when I wrote about the use of Monero in that Bitfinex theft case and the fact that it seemed to me that the IRS had traced it, some Monero people, you know, on Twitter got very mad at me. And then others responded, "Well, we'll just see who gets arrested," and that's how we'll find out how true this is. So I don't know, personally, I would not want to use a privacy tool where the way I find out if it works or not is if I'm arrested. That seems like that's where Monero's, you know, kind of, capabilities are at today.
Blockchains are Forever
Scott Helme: It'd be interesting to see if...because I'm sure I'll have the address somewhere in my notes and to my recollection, I don't think I published it, but it would be really interesting to see if there's any way to look back at that. Even now, I assume nothing would change over time. We either can or cannot.
Andy Greenberg: Right. I mean, blockchains are forever. That's like part of the problem with using them for a crime is that when somebody develops a new capability years later, they can go back in time and excavate evidence from that blockchain, and the criminal cannot go back and erase it. It's out there forever. So that's true of Monero too, I'm pretty sure. So it will be interesting. Maybe, like, you know, I can put you in touch with some Chainalysis people who might be willing to do this.
Scott Helme: That would be interesting because we've never...from the original breach, obviously through to the remediation steps and then the long-term solutions that were implemented as well, I've never seen anything come back to the headlines, I've never heard of any even kind of criminal investigation that might have looked at who was responsible for this. And there was this one Monero address sat there on the page about this whole breach and it was on all of the government sites.
Andy Greenberg: That's fascinating. It would be fascinating to just know how much they made with this, but then also to identify who was behind it would be, you know, kind of a criminal coup.
Scott Helme: That's the one that I'm curious about because we had a lot of discussions around that at the time and given the nature of the attack and how the attack was done and then also once they had this capability to do anything that they wanted and they chose to mine Monero, it was either, you know, the two guesses were somebody quite sophisticated that just wanted to remain undetected for a long time or perhaps even a miner as you said earlier, someone that just stumbled across this and thought, oh, this would be cool. It was really hard to pin exactly which angle it was coming from. But if it had been someone truly with, like, malicious intentions, there are a thousand other things that they would have done.
Recommended talk: Demystifying Blockchain: Infrastructures, Smart Contracts & Apps • Olivier Rikken • GOTO 2023
Andy Greenberg: Although the use of the plugins against so many sites, does like seem somewhat pro to me, I don't know. For all of these ransomware cases too, cryptocurrency tracing usually is capable of identifying who pulled off these terrible crimes with kind of amazing exactitude. As you can see Chainalysis anyway seems able to see every layer of these organizations based on their cryptocurrency transactions. But the problem is they're in Russia and what do you do with that information? You can help to, I don't know, indict these guys in absentia or sanction them in some cases, but if they're kind of beyond the political border, then it doesn't really matter if you can identify them. It would still be fascinating. And I kind of imagine that your person in this Coinhive thing as well is most likely not in a Western country or an extradition country, but it'd be really interesting to see who did it if you could do that tracing to pull it off.
Scott Helme: I'll dig out the address because it will be in all of the...because, like, throughout the event, we were recording the payloads to see if there was any involvement in the attack.
Andy Greenberg: And then the question will be like, would Chainalysis or somebody else want to show that they have a Monero tracing capability? There might have to be some parallel construction involved for anybody to give us an answer.
Scott Helme: Anything useful on that? But it would be fascinating. The kind of the weird thing as well, obviously Coinhive fell off the map a little bit because obviously speculation from the outside, but, you know, maybe they were a bit of a flash in the pan because they brought a lot of attention and this whole kind of cryptojacking thing, I guess, was ultimately really damaging for their proposed brand and product. And we did see, like, other minor variants of that, but now the attackers have just moved on to things that are even more profitable. I assume they weren't making huge amounts of money mining Monero in a browser. It can't have been enormous amounts. I bet the play was long-term, you know, a few cents multiplied by a million a day or something.
Andy Greenberg: Right, right. I just wonder if, like, the curve of, like, processing power necessary to mine any significant amount of cryptocurrency has moved to the point where cryptojacking doesn't work anymore. Is that the deal?
Scott Helme: There's also that. I think that might have been one of the big reasons for Monero as well because it's much more friendly to be mined in that environment, which is CPU-based mining. And back then you couldn't do GPU-based mining in a browser like that. So I think that was possibly...again, speculation, but I think that was possibly one of the reasons they went for Monero because it was more friendly to the circumstances that they found themselves in. So yeah, I think nowadays you're probably absolutely right. It would be irrelevant. You know, the amount of money that you could yield with that, it just wouldn't be worth the risk.
The Cyber Crime Organizations
Andy Greenberg: This may be part of why we've seen all these criminals switch to ransomware instead, which is sadly like a much more disruptive thing for society and schools and hospitals and governments.
Scott Helme: It has been fascinating to watch it evolve, there's this criminal empire, how we want to refer to it, whatever, these people, or do we call them organizations, people? You know, it's...
Andy Greenberg: I think that they're organizations. I mean, they have org charts and bosses and office hours, it seems like. Yeah, I don't cover ransomware too closely. My colleagues at "WIRED" do and have broken some great stories based on the leaks of internal communications of groups like Conti and Trickbot. And they complain about their, like, kind of working conditions and just, like, talk about what they're gonna do on the weekend. It seems like just, you know, in an extremely, like, kind of organized and boring work-life way. Yeah, they're really...I think they're, like, practically corporations.
Scott Helme: Well, if you get ransomware now, you can just jump on and speak to support, can't you, you know, to help you decrypt your files after you paid the ransom. I was quite surprised to see that. I forget which group it was, but yeah, basically life support. It's like, okay, you paid the ransom, you need some help decrypting all your stuff, you know, jump on with a support agent. It's like, wow, yeah, this feels, like you say, more like a criminal empire than, you know, some small group of people or something like that. Now we're far beyond that, aren't we?
Andy Greenberg: It really just doesn't seem to kind of be an end in sight. I mean, it's been depressing for me having, like, written a book about this incredible power of cryptocurrency tracing to see that it, you know, really cannot solve this problem. You know, I think that even Chainalysis is very clear about that. You can use it to try to find the kind of off-ramps to where these criminals are trying to cash out to liquidate their profits. And those exchanges are being sanctioned and shut down. But speaking of mining, there's, like...we've even seen, like, some of these criminals now feeding their coins into services where you can rent mining rigs and then mine clean coins. They mine clean coins with the dirty coins as a means of laundering. There always seems to be one more laundering trick that's available in this kind of cat-and-mouse game that enables this ransomware epidemic to continue.
Scott Helme: And they must have the amount of, you know, resources, money, essentially, at their disposal now. I remember a talk recently by a chap called Mikko Hypponen.
Andy Greenberg: Of course.
Recommended talk: Listening In: Cyber Security in an Insecure Age • Susan Landau • GOTO 2017
Scott Helme: It literally just sprang into my mind then. And I'm sure that they were looking and saying like basically, you know, how far away are we from, like, a billion-dollar criminal enterprise? And he kind of did some analysis and he was like, if the attackers and the groups that pulled off these heists did nothing and then just held the currency for this many years, they already have a billion dollars just because of the phenomenal growth in the value of Bitcoin since some of these earlier attacks.We're not talking, you know, criminal organizations with millions of dollars or tens or hundreds of millions, he's like, you know, we could have a criminal organization out there with a billion dollars at its disposal.
Andy Greenberg: I guess that's a crazy thought, but I, you know, as I said, like, the IRS pulled off these three cases, one of which was two people in New York City who had stolen, I think it was 120,000 bitcoins at the time that they stole them. By the time that the money was taken back by IRS, or about like 80% of it was, it was $4.5 billion. So that is a two-person operation that was a separate criminal unicorn, you know, several times over. You know, the second and third biggest cases that the IRS pulled off, I mean, the second and third biggest seizures of money in law enforcement history, one... both of them were hackers who had stolen money from the Silk Road, the dark web drug markets early on.
Scott Helme: That's a big story when that got busted, I remember that.
Andy Greenberg: There were two, in fact, of these hackers who, before the Silk Road was taken down, had found perhaps the same vulnerability in the site where you could, I think it was maybe as simple as just, like, entering negative values, you could, like, increase your balance and pull, you know, bitcoins out of the site.
Scott Helme: So, like, buy a negative quantity of an item and essentially get a refund.
Andy Greenberg: I think so. Or maybe as a vendor...I don't remember what the actual vulnerability was. I'm not sure it's ever been fully made public, but each of them amassed tens of thousands of bitcoins this way. And I think they were both smart enough to know that if they tried to cash out these giant sums, they were more likely to be identified. So both of them sat on these coins for years and years until each of them had billions of dollars worth of bitcoins at the exchange rate at the time in 2020 and 2021 when they were caught. I mean, IRS criminal investigations traced their coins, even though they didn't spend them. These poor guys, you know, they sat on these coins for years and years...
Scott Helme: And you're never making interest on Bitcoin, aren't you?
Andy Greenberg: Exactly. One of them, like, had, I think, 70,000 coins in a popcorn tin under the floorboards of his closet, you know. And that's billions of dollars. I think he did maybe cash out, like, just enough of it to kind of live large.
Scott Helme: He didn't buy a green Lamborghini and get himself caught that way, did he?
Andy Greenberg: I think there are photos of him, you know, in saunas or, like, hot tubs on yachts and things. But this poor guy, he then has his whole stash seized and he's now facing prison as well for hacking the Silk Road itself, a criminal site. It's just a bizarre story. But those guys, each of them were essentially like one-man billion-dollar cybercriminal operations. I mean, the world of crypto is just numbers that are so bizarre that, yeah, it doesn't surprise me at all that Mikko did that math and found...I mean, I'm sure ransomware groups, some of them, if they held on to like a few tens of thousands of the bitcoins that they were making early on, are billion-dollar operations.
Scott Helme: It's just so much money...
Andy Greenberg: It is.
Scott Helme ...for an organization like that to have at their disposal. It makes them unstoppable.
Andy Greenberg: It makes them...they could bribe anyone.
Scott Helme: Anything, yeah, anyone.
Andy Greenberg: It's very scary.
Longterm Prospects for Bitcoin
Scott Helme: Do you think that...because I've seen a lot of kind of speculation around the long-term prospects for cryptocurrency as a whole? And I used to play around with mining, like, back in the early days when it was viable to mine on a GPU. I've always been a gamer. I had to play around with my GPU and, you know, back in the days when bitcoins were 5 cents, you know, less than a dollar. And now, and I don't know the present-day value, but I saw a peak of like $34,000 U.S. per bitcoin. Was that...
Andy Greenberg: Oh, it was much bigger than that at the peak.
Scott Helme: So we've gone higher?
Andy Greenberg: It was like $75,000. Now it's at $25,000 or so. I don't hold any Bitcoin. I'm not, like, interested in speculating, but I did. I don't know. I track it in part just so that I can like, I don't know, keep up with what...you know, do the math to talk about like, so this many bitcoins were seized, which is worth this much. When I first wrote about Bitcoin in 2011, it was worth a dollar. And I tried to buy about 40 bitcoins for $40 at the time. And I put in this, like, transaction on Mt. Gox, the only exchange that existed back then and it didn't go through because, like, Mt. Gox was so buggy and terrible. And I just gave up and I try not to think too often about, like, you know, I guess what I'm doing right now, but it'd be like a million dollars today, right, 40 bitcoins. Wait, is that right? Forty...I know, we'll do the math later, but it's a lot of money. And I yeah, I regret my lack of persistence in just doing that, like, simple transaction.
Scott Helme: I always see kind of the famous tale of buying a pizza for 10,000 bitcoins and I think...
Andy Greenberg: Right. But you were there, you're saying when you were mining them, and they were worth cents.
Scott Helme: I have like distinct memories of, like, 5 cents and 8 cents apiece and...
Andy Greenberg: And what did you do with those coins?
Scott Helme: S I used to hold Bitcoin. So, and I hate talking about this, and I don't talk about it, but I sold out when they hit $100. Because, you know, it was like...
Andy Greenberg: I would have done the same. You probably thought that you were brilliant. I mean, you were, like, you made a huge return on your investment.
Scott Helme: And then you look and think...you know, you never look back, right? Never look back. Never, like, sit there and do the kind of, you know, 20/20 hindsight thing. But yeah, I was like, this is crazy, this is wild, you know, these things, or some of them, you know, we're getting up to, like, the single dollar value per coin. But yeah, I was pretty much out of everything at like $100 a Bitcoin. And then I've only dabbled and played since then. There was another coin that got released called Sheba, think it was called.
Andy Greenberg: Oh? Not Dogecoin. But another Sheba-related coin.
Scott Helme: I was like, I'll buy like $100 and sell it 3 days later for, like, $400 or something. It was just like a bit of fun at that time, because I was still kind of...
Andy Greenberg: Sheba coin is actually worth like $75,000 today. Did you know that?
Scott Helme: Wow. No.
Andy Greenberg: I'm just joking.
Scott Helme: I was about to start crying. But is it here for the long term now? Like, is cryptocurrency now...you know, has it got over its kind of crazy fluctuation period and we now have like a bit of, you know, like, long-term stability there?
Andy Greenberg: I've never, like, been interested in, like, whether Bitcoin is going up or down. Although everybody's interest in my writing about it is, like, completely directly correlated to the price of Bitcoin sometimes, I noticed.
Scott Helme: But that's just because the criminals want the valuable thing, right?
Andy Greenberg: I think that for them, they don't care terribly much whether the cryptocurrency is going up or down in value, they just probably wanna cash it out pretty quickly. For them, it is this, if not the untraceability, it's the uncensorability of cryptocurrency that it's very difficult to...in some cases, you know, it is untraceability they're seeking, whether or not that is makes any sense at all. Very often, it doesn't, you know, they have this illusion of its untraceability still. But I think in many other cases, it's just like the same thing that makes Bitcoin helpful for like sending remittances. You can send money to Ukraine very easily with crypto which makes it easy.
Scott Helme: Versus the traditional banking system, it has to be much more flexible, surely.
Andy Greenberg: Right. When the Ukraine war broke out, we saw like, I don't know, hundreds of millions of dollars sent to Ukraine with crypto. And at the same time, donations were being, like, frozen and seized in people's PayPal accounts. So it did show its purpose there, in some ways. But that is also I think often why criminals like it too because when the ransom is sent, can't be recovered, you know, even if you can trace it to its destination. So I think that they don't...you know, for them, it's just like a means of transaction. It's one of the very few people who use crypto for that purpose. Most other people I think are still buying it as, like, a store value, right?
The Daily Value of Bitcoin/ The Daily Traded Value
Scott Helme: If we analyze given, like, the public ledger nature of Bitcoin, you know, is there that transaction volume there that suggests day-to-day consumer use? Or, you know, like, is there a...?
Andy Greenberg: I'm not sure I...you know, crypto boosters like to say that it's there. But I mean, when was the last time you saw anybody spend crypto on anything?
Scott Helme: Well, so this was the thought that was going through my mind then, you know, is we were promised, you know, Bitcoin payment cards and ATMs and everything else.
Andy Greenberg: That didn't work out. Neither has the anonymous money thing, you know, it's not digital cash in either of those respects. It might be digital gold.
Scott Helme: And aren't the transaction fees now mega-significant? Again, I don't follow the kind of day-to-day.
Andy Greenberg: It seems like they are, yeah, it seems like it is...
Scott Helme: It sounds very expensive to pay.
Andy Greenberg: People talk about it as like, you know, perhaps it's a layer one and you do these, like, different kinds of transactions on top of that that are lower transaction fees, but it doesn't...certainly it's not like what I remember, like, going into a cafe in Berlin and, like, you can buy a beer with Bitcoin, that's not happening as far as I can tell, anywhere.
Scott Helme: I do a good bit of travel, you know, we're sat here right now in, like, Copenhagen, I get around, certainly around Europe a lot. And I have to say, and usually in capital cities, which is probably the best chance of seeing a Bitcoin ATM or a bar that accepts Bitcoin for a beer, and I can't say I've ever noticed it or seen it, you know?
Andy Greenberg: It's now at $25,000. Like, I think most of the media would say that that's low, which is shocking, probably to you and me. I've seen it at a dollar, you've seen it at 8 cents or whatever. And to us, that's like, oh, you know, that's so many orders of magnitude larger than I ever thought it could be. You know, that, as a reality check, it's like, wow, it's been incredibly successful. But then everybody covering, like, the FTX trial, or Sam Bankman Fried's trial, which is just starting this week, they see us as being in a kind of like, you know, FTX-inflicted crypto winter where Bitcoin lost two-thirds of its value, but two-thirds of $75,000. Whereas, you know, the numbers, I think to people have been around, like, since, you know, you and I started looking at crypto, it's still, you know, just shocking. And it doesn't feel like winter if you start at 8 cents and end at $25,000.
Scott Helme: I think I'm gonna have to go and dig some photos and things out now because I've never really, you know, paid too much thought back to those days and I like to try and forget about the fact that I sold it all.
Andy Greenberg: Are you sure that you didn't...? Like, I would just be almost scared that I left a wallet out there.
Scott Helme: How many times I've been through my hard drives? Yeah, I was just literally thinking the same thought pattern as you then. It's like the amount of times that I've dug out like my old wallets and I'm like, I'm just going to double-check I didn't leave three bitcoins...
Andy Greenberg: Exactly, right.
Scott Helme: ...you know, in some forsaken corner. But I remember back in the day, as well, when you could make, like, cool Bitcoin addresses with your name at the beginning. So like my Bitcoin address is, like, 1scott, and then all of the usual, because you could...there was like a little tool that would make a Bitcoin address for you with your name or some other string in it. But yeah, that was a long time ago. And I remember the rig I was mining on was super, you know, basic. It had a, like, RTX 10 series card in it back in whatever they were called back then. God, it must have been like the late 2000s, I'm sure. I have a feeling in my mind, it was like pre-2010.
Andy Greenberg: 2009, I guess.
Scott Helme: So maybe a little after. I don't know when...because there was a period when it was just worth nothing, you know, for a good time there before it even got into like the tens of cents in the dollar. So it was early on. And I should have stuck in it.
Andy Greenberg: I've interviewed Hal Finney, who was the second-ever user of Bitcoin after Satoshi, you know. And he was dying of Lou Gehrig's, of ALS at the time. He was fully paralyzed, and could only respond to me with, like, eye movements, his eyebrows even. He could not even use his, like, eye movement-based keyboard very easily at that time. But I interviewed his family too. The poor family, like, they sold, like, most of their coins pretty early, but then they also...He was mining so early, I mean, ridiculously early, like, before anyone but almost like him and a few other people, and Satoshi knew what Bitcoin was. His wife was like, "Why is the computer making so much noise? Can we just turn this thing off? Are you just doing this as an open-source project? Just turn it off." You know, and just imagine the value, like the wealth that they generated and then, like, you know, stops generating. But I don't know, that's probably everyone's story in the early days of Bitcoin. You can't...like, his poor son was, like, quite, you know, kind of caught up in this feeling of, like, what could have been and, you know, how much money they could have had. But Hal Finney was an incredible guy, and he left an amazing legacy just by being there so early on and writing a lot of the early code of Bitcoin wallets and things too. So, yeah, sorry, we've gone a long way from...
Scott Helme: Yeah, I know. But it was interesting. You know, I'm kind of fascinated by the story almost, but I think we're probably pushing close to time there. So we should look to start wrapping up. You're gonna be speaking soon.
Scott Helme: I've read many of your stories online over the years, obviously, the cybersecurity world that we overlap a lot. So awesome to meet you in person.
Andy Greenberg: The next time you like to come across a crazy thing happening on a Sunday, call me instead of the BBC, all right?
Scott Helme: You got it.
Andy Greenberg: Thanks.
CONTENT
Machine Learning For Web3: Realizing The Potential and The Challenge of Censorship Resistance
Building a Blockchain in Erlang
Why you don't see Blockchain in your Everyday Life... yet
