FBI Fears Bitcoin’s Popularity with Criminals

A 3-D model of a bitcoin – not an actual bitcoin, which is purely digital. Photo: Trader Tim/Flickr

The FBI sees the anonymous Bitcoin payment network as an alarming haven for money laundering and other criminal activity — including as a tool for hackers to rip off fellow Bitcoin users.

That’s according to a new FBI internal report that leaked to the internet this week, which expresses concern about the difficulty of tracking the identity of anonymous Bitcoin users, while also unintentionally providing tips for Bitcoin users to remain more anonymous.

The report, titled “Bitcoin Virtual Currency: Unique Features Present Distinct Challenges for Deterring Illicit Activity” (.pdf), was published April 24 and is marked For Official Use Only (not actually classified), but was leaked to the internet on Wednesday.

In the document, the FBI notes that because Bitcoin combines cryptography and a peer-to-peer architecture to avoid a central authority, contrary to how digital currencies such as eGold and WebMoney operated, law enforcement agencies have more difficulty identifying suspicious users and obtaining transaction records.

Though the Bureau expresses confidence that authorities can still snag some suspects who use third-party Bitcoin services that require customers to submit valid identification or banking information in order to convert their bitcoins into real-world currencies, it notes that using offshore services that don’t require valid IDs can thwart tracking by law enforcement.

Bitcoin is an online currency that allows buyers and sellers to exchange money anonymously. To “cash out,” the recipient has to convert the digital cash into U.S. dollars, British pounds or another established currency. Bitcoin is used as a legitimate form of payment by numerous online retailers selling traditional consumer goods, such as clothing and music. But it’s also used by underground sites, such as Silk Road, for the sale of illegal narcotics.

To generate bitcoins, users have to download and install a free Bitcoin software client to their computers. The software generates Bitcoin addresses or accounts — a unique 36-character string of numbers and letters — to receive Bitcoin payments. The currency is stored on the user’s computer in a virtual “wallet.” Users can create as many addresses or accounts as they want.

To send bitcoins, the sender enters the recipient’s address as well as the number of bitcoins she wants to transfer to the address. The sender’s computer digitally signs the transaction and sends the information to the peer-to-peer Bitcoin network, which validates the transaction in a matter of minutes and releases the coins for the receiver to spend or convert.

The conversion value fluctuates with supply and demand and the trust in the currency. As of last month, there were more than 8.8 million bitcoins in circulation, according to Bitcoin, with a value of about $4 to $5 per bitcoin. The FBI estimates in its report that the Bitcoin economy was worth between $35 million and $44 million.

It’s easy to see the attraction for criminals.

“If Bitcoin stabilizes and grows in popularity, it will become an increasingly useful tool for various illegal activities beyond the cyber realm,” the FBI writes in the report. “For instance, child pornography and Internet gambling are illegal activities already taking place on the Internet which require simple payment transfers. Bitcoin might logically attract money launderers, human traffickers, terrorists, and other criminals who avoid traditional financial systems by using the Internet to conduct global monetary transfers.”

Bitcoin transactions are published online, but the only information that identifies a Bitcoin user is a Bitcoin address, making the transaction anonymous. Or at least somewhat anonymous. As the FBI points out in its report, the anonymity depends on the actions of the user.

Since the IP address of the user is published online with bitcoin transactions, a user who doesn’t use a proxy to anonymize his or her IP address is at risk of being identified by authorities who are able to trace the address to a physical location or specific user.

And a report published by researchers in Ireland last year showed how, by analyzing publicly available Bitcoin information, such as transaction records and user postings of public-private keys, and combining that with less public information that might be available to law enforcement agencies, such as bank account information or shipping addresses, the real identity of users might be ascertained.

But the FBI helpfully lists several ways that Bitcoin users can protect their anonymity.

  • Create and use a new Bitcoin address for each incoming payment.
  • Route all Bitcoin traffic through an anonymizer.
  • Combine the balance of old Bitcoin addresses into a new address to make new payments.
  • Use a specialized money-laundering service.
  • Use a third-party eWallet service to consolidate addresses. Some third-party services offer the option of creating an eWallet that allows users to consolidate many bitcoin addresses and store and easily access their bitcoins from any device.
  • Individuals can create Bitcoin clients to seamlessly increase anonymity (such as allowing users to choose which Bitcoin addresses to make payments from), making it easier for non-technically savvy users to anonymize their Bitcoin transactions.

But the bigger risk for crooks and others who use bitcoin might not come from law enforcement identifying them, but from hackers who are out to rob their virtual Bitcoin wallets dry.

There have been several cases of hackers using malware to steal the currency in the virtual wallet stored on a user’s machine.

Last year, computer security researchers discovered malware called “Infostealer.Coinbit” that was designed specifically to steal bitcoins from virtual Bitcoin wallets and transfer them to a server in Poland.

One Bitcoin user complained in a Bitcoin forum that 25,000 bitcoins had been stolen from an unencrypted Bitcoin wallet on his computer. Since the exchange rate for bitcoins at the time was about $20 per bitcoin, the value of his loss at the time was about $500,000. A popular web hosting company called Linode was also infiltrated by an attacker looking to pilfer bitcoins.

And there have also been cases of hackers attempting to use “botnets” to generate bitcoins on compromised machines.

According to the FBI, quoting an anonymous “reliable source,” last May someone compromised a cluster of machines at an unidentified Midwestern university in an attempt to manufacture bitcoins. The report doesn’t provide any additional details about the incident.

Illinois Barred From Enforcing Police Eavesdropping Law

Citing First Amendment issues, a federal appeals court is barring Illinois from enforcing a law prohibiting the audio-recording of police officers.

The decision Tuesday by the 7th U.S. Circuit Court of Appeals comes two weeks ahead of a NATO summit in Chicago that is likely to draw throngs of protesters May 20-21.

The American Civil Liberties Union challenged the 1961 eavesdropping law that makes it a felony to audio-record a conversation unless everybody in that conversation consents. Violators faced a maximum 15-year prison term if a police officer is recorded.

“The Illinois eavesdropping statute restricts far more speech than necessary to protect legitimate privacy interests,” the Chicago-based appeals court wrote (.pdf).

The ACLU brought the case in 2010, arguing its staff had a First Amendment right to record police officers on the job. The case wasn’t merely theoretical — among those who have been prosecuted for recording conversations with police is Chicago artist Christopher Drew, who recorded an expected encounter with police over selling art in a public park without a permit. He then got hit with a felony eavesdropping charge.

“In order to make the rights of free expression and petition effective, individuals and organizations must be able to freely gather and record information about the conduct of government and their agents — especially the police,” Harvey Grossman, the ACLU’s legal director in Illinois, said in a statement. “The advent and widespread accessibility of new technologies make the recording and dissemination of pictures and sound inexpensive, efficient and easy to accomplish.”

A state Senate bill that allows police recording without consent is awaiting a House vote.

Search Results Protected by First Amendment, Google-Funded Analysis Says

Google and other search engines have a First Amendment right to sort or even censor search rankings as they like, according to a legal analysis Google commissioned from a law professor.

Search engine companies are no different from traditional news media outlets such as The New York Times, CNN or the Drudge Report and therefore merit the same constitutional protections, according to UCLA law professor Eugene Volokh in a recent report.

“[S]earch engines select and sort the results in a way that is aimed at giving users what the search engine companies see as the most helpful and useful information…. In this respect, each search engine’s editorial judgment is much like many other familiar editorial judgments,” Volokh writes.

In the report, titled “First Amendment Protection for Search Engine Results,” the libertarian-leaning Volokh, who runs the popular Volokh Conspiracy group blog, argues that search engine results that Google and others produce are a form of opinion. Therefore they have the right to choose what goes into that opinion – whether this means excluding certain links entirely or ranking them in a manner that the search engine deems is most relevant to users.

What this means in practice is that Google should be protected from claims others have made that the search engine giant is abusing its power by excluding certain links altogether or ranking results in a way that can harm the business of others.

Google has been fighting off accusations that it rigs its search results. In 2003 an Oklahoma advertiser accused Google of burying a link to the company in search results, but a judge rejected the case, citing First Amendment protections. In 2007, a California company accused Google of violating its own First Amendment rights because it also was banished to a low ranking in search results. Reader review site Yelp has also accused Google of abusing its power by preferring its own content over Yelp’s.

The timing of the report is likely not coincidental. Google is currently the target of a federal investigation over charges of unfair competition. Google is likely to make the argument that even if it is found to be a monopoly, its choices in regard to search rankings and display are protected First Amendment activities.

Google has always walked a fine line on the issue. The company maintains that it does not have the ability to manipulate individual results, while at the same time it regularly punishes sites that it thinks use underhanded tactics to game search results or that sell paid links by reducing or even banishing them from search results.

At a congressional hearing last year, Nextag Chief Executive Jeff Katz testified that Google’s search results for products favor its own sites over those of competitors.

Yelp chief executive and co-founder Jeremy Stoppelman echoed the criticism when he told lawmakers that Google prefers “to send consumers to the most profitable sites on the Web: their own.”

Save the Date: ISTR 17 Twitter Chat

Join Symantec security experts on Twitter (using the #ISTR hashtag) on Tuesday, May 15, at 10 a.m. PT / 1 p.m. ET to chat about the key trends highlighted in Symantec’s recently released Internet Security Threat Report, Volume 17.

This year’s report, which covers the major threat trends observed by Symantec in 2011, highlights several troubling developments. For example:

  • Symantec blocked more than 5.5 billion malicious attacks in 2011, an increase of 81 percent over the previous year.
  • The number of unique malware variants increased to 403 million and the number of Web attacks blocked per day increased by 36 percent.
  • Targeted attacks are growing, with the number of daily targeted attacks increasing from 77 per day to 82 per day by the end of 2011. The targets of these attacks are also becoming more diverse, with SMBs being targeted in addition to large enterprises.

The news isn’t all bad, however, with several positive trends also being called out; though these trends do demonstrate there are two sides to every coin. For instance:

  • Spam levels have fallen by 13 percent, though this is likely a result of attackers turning more of their attention to social networks as attack vectors.
  • Overall, new vulnerabilities discovered in 2011 decreased by 20 percent. However, new mobile device-related vulnerabilities discovered during the year increased by 93 percent.

The report is based on data from the Global Intelligence Network, which Symantec's analysts use to identify, analyze, and provide commentary on emerging trends in attacks, malicious code activity, phishing, and spam.

So, mark your calendars now:

Symantec ISTR Twitter Chat

Date: Tuesday, May 15, 2012
Time: Starts at 10 a.m. PT / 1 p.m. ET
Length: 1 hour
Where: On Twitter.com; follow the hashtag #ISTR

Expert participants:

  • Paul Wood, Senior Intelligence Analyst, Symantec (@paulowoody)
  • Kevin Haley, Director of Product Management, Security Technology and Response, Symantec (@KPHaley)