bredren · 5 years ago
It was a mistake to attack the business side of the oil company, because it created what could be sold as reasonable doubt to shut down the pipeline.

As a result, the ransom had the optics of an attack on infrastructure. As evidenced by the coverage of Americans desperately filling up containers.

This created the impetus for the US to treat this as an incident far and above the ambient ransomware activities leading up to this.

It also gave the US an opportunity to show how effective it could be when it had the political cover to do so.

TrackerFF · 5 years ago
I got downvoted for saying that maybe it's time to treat serious ransomware attacks (infrastructure, security, health, etc.) as terrorism - as in the sense that they're a threat to the national security. But this kinda shows the response I was referring to.

A lot of people like to think of ransomware attacks as the ultimate stress test as far as security goes, and thus a good thing - but let's not get too blinded by our professions (most probably in tech), these kinds of attacks can have serious consequences: Imagine if some foreign state agency (masquerading as hackers) launches a multiheaded attack on, say, utility plants - in the middle of the winter. The victims/targets will pay whatever is necessary.

With that said, I understand that many people will recoil at such things - we saw what the Patriot Act did, and how easy it is to overstep and abuse such laws, in the name of "national security". But it is a serious problem, in the same way actual piracy thrived in the Gulf of Aden, as soon as the shipping companies started paying.

schoen · 5 years ago
Maybe people didn't like your use of the term "terrorism" for national security threats?

A common understanding is that terrorism is intended to frighten people or make them feel unsafe, while various official definitions of terrorism include the idea that it's intended to coercively achieve some particular political goal.

If attackers just intend to get money, they're probably well-described as extortionists (or in some cases, as you said, akin to pirates). If they just intend to damage a particular society without demanding anything from it or getting it to change its behavior, they might be saboteurs.

Attacks with these motives or that pretend to have these motives could still be considered national security threats (and taken very seriously), but maybe shouldn't be described specifically as terrorism.

ChuckMcM · 5 years ago
FWIW in June of 2011 the Pentagon issued a report that defined how 'cyber attacks' can be classified as an act of war, part of the Defense Department review of threats against the US. However, they have to be plausibly tied to a state actor such as Russia or North Korea (to give two examples). The net result was that the Pentagon considers military response (both kinetic and cyber) as legal and sanctioned ways to respond to cyber attacks.

Generally though, the Justice Department defines terrorism to be "the unlawful use of force and violence against persons or property to intimidate or coerce a government, the civilian population, or any segment thereof, in furtherance of political or social objectives".

These ransomware attacks fall in the middle. They are 'deniable' by state actors as just crooks who happen to be within their borders. They certainly don't push any social objective other than to enrich the criminals. So that leaves them under the jurisdiction of law enforcement.

I have read anecdotal evidence that there are the equivalent to "Letters of Marque"[1] for Russian criminals who attack enemies of the Kremlin. They wouldn't completely qualify as the Russians aren't actually in a declared state of war (this works fine for North Korea) but conceptually if you accept that criminals are gonna crim, then pointing them at people you don't like at least keeps the damage outside of your area of concern.

In this particular case, the fairly rapid takedown of these guys gives me pause. One wonders if the FBI and Interpol had Colonial pay with Bitcoin that they then traced to the destination wallets, and then worked backward from there to the server infrastructure. That would be an interesting capability if it exists.

[1] https://en.wikipedia.org/wiki/Letter_of_marque

Arubis · 5 years ago
I'd like to lean towards keeping terrorism defined essentially by intent--namely, the intent to use asymmetrical, threateningly or actually destructive, and emotionally activating ("terrorizing") means to manipulate a body politic or society towards a desired change.

If serious ransomware attacks are being conducted by state actors with the sole intent of causing damage, and we want to use powerful terminologies to describe them, "acts of war" seems a reasonable start.

Yes, this is semantics--but some of my concern here is that just freely tossing around "terrorism" gives cover for organizations not to be diligent in at least attempting to secure their networks and digital assets.

bityard · 5 years ago
You could treat ransomware attacks with the same seriousness as terrorism since the practical effects are similar, but the key point of terrorism is that it is politically motivated. So a terrorist group could launch a ransomware attack, but not all ransomware campaigns are terrorism.

The meanings of words are important; rational discussion is impossible when people shift commonly-accepted meanings and definitions to suit their agenda. It's an extremely common strategy in politics. And the word "terrorism" already received more than its fair share of this treatment quite thoroughly in the decade following 9/11.

arcticbull · 5 years ago
IMO terrorism is a "waffle word" that doesn't really have any meaning anymore. Originally a use of violence and intimidation against civilians in pursuit of political ideology, it's come to mean "people we don't like, who aren't state actors and don't fit conventional organized crime narratives."

I don't think it's necessary to staple the term to the action in order to take it seriously. It should, however, be taken seriously as the national security threat it is. For instance, climate change is a national security issue but oil executives, while distasteful, aren't terrorists.

I agree that many folks in the tech community (and especially here, though I don't know if they're overrepresented here) treat technology as platonic. That's not going to cut it moving forward. Technology that enables bad things in the world should be curtailed even if it's "neat."

citizenkeen · 5 years ago
"Intentional threats to national security" are not ipso facto terrorist acts, but they should be addressed with the same level of severity.
babypuncher · 5 years ago
That reasoning is really dumb. It's like saying school shootings are the ultimate stress test on a local police department. They sure are, but nobody in their right mind should ever argue that getting real world experience with one is ever a good thing.
jcranmer · 5 years ago
> I got downvoted for saying that maybe it's time to treat serious ransomware attacks (infrastructure, security, health, etc.) as terrorism - as in the sense that they're a threat to the national security.

A precise definition of terrorism tends to be difficult to pin down (mostly due to the difficulty of considering what is a legitimate asymmetrical warfare tactic by a nascent liberation movement versus an illegitimate terrorist act). But a general rule of thumb is that terrorism is a) violence b) directed at civilian populations c) to effect policy.

However, there are threats to national security that are not terrorist in nature; gang warfare in Mexico and Central America would be an example of such a threat.

thaumasiotes · 5 years ago
> I got downvoted for saying that maybe it's time to treat serious ransomware attacks (infrastructure, security, health, etc.) as terrorism - as in the sense that they're a threat to the national security.

Well... yes? That isn't a sense of the word "terrorism".

hinkley · 5 years ago
As far as I'm concerned, ransomware attacks essentially fall into the same classification as highwaymen, bandits, and pirates. We tend to take those pretty seriously. Or at least, we did once they've robbed the wrong people.

Sounds like the ransomware people finally robbed the wrong people.

EamonnMR · 5 years ago
No imagination required; this cyberattack on infrastructure masqueraded as ransomware: https://en.wikipedia.org/wiki/Petya_(malware)
IncRnd · 5 years ago
> I got downvoted for saying that maybe it's time to treat serious ransomware attacks (infrastructure, security, health, etc.) as terrorism - as in the sense that they're a threat to the national security. But this kinda shows the response I was referring to.

Terrorism has a legal definition, and something affecting national security is not the determining factor in calling something terrorism.

"Terrorism includes the unlawful use of force and violence against persons or property to intimidate or coerce a government, the civilian population, or any segment thereof, in furtherance of political or social objectives." [1]

[1] https://www.law.cornell.edu/cfr/text/28/0.85

turtletontine · 5 years ago
I'd say ransomware is much closer to "piracy" than terrorism, but totally agree that this incident shows there's not much distance between this and cyber terrorism. (Even if it's just criminals accidentally throwing themselves into the spotlight.)

For say a nation engaging in cyber war, this could be flipped around: attacking basic infrastructure but disguising it as smaller groups of criminals trying to make a buck. Not sure how effective the disguise would be, but it could obviously do some serious damage.

da39a3ee · 5 years ago
The definition of terrorism isn't a "threat to national security". For example, your country could do something evil and wrong, grievously and unjustifiably violating the interests of an entity with a military, and be deservedly subject to military action, constituting a threat to national security. That wouldn't be "terrorism", it would just be "military action".
joe_the_user · 5 years ago
Treating more and more attacks "as terrorism" has its limits. The US may have awesome offensive cyber attack abilities but stopping widespread ransomware requires systematic security, not threatening the bad guys, since there will always be more bad guys.
concordDance · 5 years ago
> I got downvoted for saying that maybe it's time to treat serious ransomware attacks (infrastructure, security, health, etc.) as terrorism - as in the sense that they're a threat to the national security

Um. Terrorism is basically never a threat to national security.

Ericson2314 · 5 years ago
"terrorism" is an inconsistent categorization of things that we should just stop using.
podgaj · 5 years ago
Serious side effects, yes. I am homeless and live in my van in North Carolina and am having to ration my gasoline waiting for the idiots to stop hoarding.

These people thought they were sticking it to the man but they were actually sticking it to people like me.

vkou · 5 years ago
Terrorism is a non-state use of violence for political aims.

Ransomware is non-state, not violent, and is done for economic, not political aims.

this_user · 5 years ago
The fact that their coins were apparently easily stolen also debunks another favourite talking point of the crypto people that it secures your money from government access. Clearly, ways and means have been developed to do just that if necessary.
21eleven · 5 years ago
Or one of the members of the criminal gang ran off with all the cryptocurrency and then made a public post claiming some form of law enforcement seized the crypto.
matheusmoreira · 5 years ago
> debunks another favourite talking point of the crypto people that it secures your money from government access

In order to seize someone's cryptocurrency, the government has to literally seize the private keys used to sign transactions. This could be as easy as seizing computers containing the key but it could also be as hard as torturing people until they reveal their seed phrase.

They can't simply order the banks to freeze people's assets. They have to physically go there and try to seize them. This puts a limit on the scope of their operations. It's just like surveillance: encryption makes dragnet espionage harder but it's still perfectly possible for a target to be attacked directly.

spyder · 5 years ago
I don't see anywhere that the coins were stolen by the government. It could have been done by an insider from the group who had access to the wallet and 1. transferred it to himself, or 2. the damage and attention was too much for one of them and some ethics kicked in and he ratted out the group to the government and gave them his access, or 3. the group got scared from the attention, stopped their operation and is lying about the seizure, because at this point we don't even know if anything was seized at all; that info comes from the criminals, which is hard to trust, and wasn't confirmed by official reports yet.
dstroot · 5 years ago
This is the most puzzling part of the story. These guys were evidently pretty skilled. I can see their servers being seized but I am struggling to figure out how they lost their currency. Did the Kremlin put a gun to their head and say “unlock the wallet”? This seems especially fishy.
doggosphere · 5 years ago
There are billions of dollars of value in BTC sitting in wallets as an open bounty for anyone who can hack private keys.

So which of the following is most likely:

- the government has a tool that can break private key encryption and used it to confiscate a hacker group's funds

OR

- whoever controls the group's wallet transferred it out and is on the run

RandallBrown · 5 years ago
If you store your coins on a hard drive there's nothing the government can do to get them right? They would need your private key and your hard drive?
JumpCrisscross · 5 years ago
> another favourite talking point of the crypto people that it secures your money from government access

Credibly threatening repeated 51% attacks against Bitcoin is well within any G7 member’s budget.

usrusr · 5 years ago
That's the point that got me thinking about the likelihood of a very different real story that might be going on. What if some individual or subgroup just ran away with the hoard? Some subcontractors/mid-level data henchmen could have tried to press compensation by threatening to release victim keys, and then a combination of disbelief, unwillingness to accept having gotten fooled by a peer and dreams of spy story grandeur conjuring up a fantasy about state involvement that they eventually believe themselves. Or at least like better than the alternative.

I don't consider that the most likely scenario, but something in the willingness to declare defeat got me into "what if" mode.

soheil · 5 years ago
Or it didn't happen and this is just a story being told.
shadowgovt · 5 years ago
As the old xkcd comic notes, no amount of mathematically-proven security protects your encrypted data if the private keys can be beaten out of you with a lead pipe (or, the cleaner version of that, "If you can be incentivized to hand them over given the alternative of jail time that lasts until you divulge your computer's password to the authorities").
lancemurdock · 5 years ago
so which is it then?

"BTC is bad cause it can be used by drug dealers to launder money"

"BTC is not even secure from government access"

Surely someone will point out both can be true but the point is the anti-btc folks seem to be talking out both sides of the mouth

ur-whale · 5 years ago
No.

It just demonstrates that they're incompetent.

neither_color · 5 years ago
The more cynical part of me thinks the key is not which side of the company was attacked, rather the fact that it was an OIL company. The US has basically an unlimited budget and resources to go after organizations that mess with its oil supply.
geofft · 5 years ago
I think the question is, how come an attack on a hospital does not have the optics of an attack on infrastructure?

(It almost seems oil does not require infrastructure - you can, theoretically, prep for an oil infrastructure outage by storing it in containers, same as you do with water and food. But you can't really prep for a medical infrastructure outage. Is it just that, as a result, there were no photos of people hoarding medical care and so there was less political will?)

meepmorp · 5 years ago
> I think the question is, how come an attack on a hospital does not have the optics of an attack on infrastructure?

An attack on a hospital affects someone if they work there or are using that hospital. A pipeline attack affects people who drive cars places and need gas. The latter group is much larger than the former.

blululu · 5 years ago
Oil is flowing constantly and continuously into every corner of the country. The storage capacity is negligible and the need is critical. Unlike a single hospital there is very little room to shift excess capacity relative to usage and the knock-on effects are potentially catastrophic (we lose power to every hospital in 500 miles and nobody can run the generator).
throwaway316943 · 5 years ago
Destroying logistic infrastructure is how you defeat a country. Petroleum is critical to the functioning of modern economies; if you cut that off things go badly. They really kicked the hornets' nest on this one.
aerostable_slug · 5 years ago
I think the point people are missing is that hospitals don't just stop providing services when they are hit by ransomware, at least not in my admittedly limited experience. There's a ton of paper involved even today and life could move on with ballpoint pens and forms.

The game was changed when Colonial closed the valves and services were impacted.

nonameiguess · 5 years ago
Hospitals themselves aren't really "infrastructure." All hospitals can operate independently from each other, so holding one for ransom only affects the one. If you can actually shut down a pipeline, you affect everywhere it ships to.

Hospitals obviously do rely on infrastructure, so you'd see much more panic if someone could disrupt a national supply of blood plasma or insulin or something.

jp57 · 5 years ago
In addition to the other comments, there's a difference in scale here. Shutting down _a_ hospital would be like shutting down, say, several dozen gas stations in one part of a city. That would not have a lot of national visibility either. If they simultaneously shut down every hospital between Texas and New Jersey, it would have national optics.
Denvercoder9 · 5 years ago
Oil does require infrastructure. What you put in your car is several steps removed from what is pumped out of the ground.
myth_buster · 5 years ago
Critical infrastructure as the government defines it:

https://www.cisa.gov/critical-infrastructure-sectors

villasv · 5 years ago
I agree with you that an attack on a hospital is an attack on infrastructure, though I disagree with your arguments regarding oil infrastructure.

The difference in response is a matter of impact scale. Usually, the infrastructure of a small group of hospitals is at stake. This time an entire state is hoarding gasoline. Both are infrastructure but the latter is causing nationwide effects.

manigandham · 5 years ago
A single hospital is not major infrastructure. We can operate medical services out of tents if necessary.

Oil pipelines that serve everything from energy to transportation to manufacturing are far more integral to keeping all aspects of society running for magnitudes more people.

munificent · 5 years ago
Implicit in your question is the idea that the reason there was a stronger response here was because of optics—because a large mass of US citizens demanded it.

I think a more likely answer is that optics had little to do with it. Attack a hospital and you've got angry hospital administrators mad at you. Attack an oil pipeline and you've got billionaire oil executives and shareholders who have much of the US government in their pocket mad at you.

You really don't want to anger people who can buy US elections.

rurban · 5 years ago
Because when you attack oil it will be considered as an act of war and they will counter with their war powers. Which they did. No civilian police action against Sergey followed, but military style seizures, bitmix closure and Bitcoin retrieval. This was not the FBI, but their criminal higher ups. Military style, with no civilian oversight.

Which is somewhat disturbing, because first the industry is still considered more important than civil services (city councils, hospitals). And second they will still continue using Windows services in their backbones. I have nothing against using Windows as frontends, but in the backbone of a critical company it's criminal negligence. Easy to hack, no backups, untrained admins with no idea about security. Wasting billions on theatre, and on non-working servers, groupware and email.

manigandham · 5 years ago
It was an attack on infrastructure. Motives don't matter. This is no different than physically breaking the pipeline and saying you were just testing the material strength, it's the same outcome and will have similar consequences.
tantalor · 5 years ago
> business side of the oil company

What are the sides of any company other than "business"?

JohnTHaller · 5 years ago
I think parent may mean infrastructure side. If it had just attacked the office side of things, it would be the usual 'company infected with ransomware' story without affecting the public.
skwog · 5 years ago
Business side manages financial transactions. Sales, accounts receivable, accounts payable...

Operations side performs whatever services the business side has committed to.

refurb · 5 years ago
Yup. This falls under the idea of “optics”. Often HN tends to dismiss it in favor of logic: “well, the problem is actually quite small”. What matters is the perception of the problem.

Just like with The Silk Road. Once it became large enough and Ross started to taunt the authorities to find him, the police had no choice. Its continuing existence chipped away at the legitimacy of the authorities; they had to shut it down just to maintain appearances.

Just like this ransomware. Keep it small, it’s not worth going after. Start screwing with the economy and the govt goes from 0 to 10 very quickly.

rini17 · 5 years ago
It was a mistake to attack overtly. I believe $5 million can be easily drained covertly and inconspicuously from megacorporations.

I'm pretty sure it's actually happening we just don't hear about it.

asperous · 5 years ago
There’s a huge network of financial controls to prevent and detect this sort of thing, it’s one of the foundations of the fields of accounting. Often there are departments looking for fraud regularly.

I suspect small or medium organizations rather than megacorps would be easier targets if they haven’t invested money in accounting controls.

spoonjim · 5 years ago
I don’t think the criminals wanted it overt. They weren’t expecting the pipeline to be shut down which is what made everything public.
vasco · 5 years ago
It didn't work in Office Space.
867-5309 · 5 years ago
>Servers were seized (country not named)

>gave the US an opportunity to show how effective it could be

unless you know something we don't, that's quite a conclusion to jump to

walshemj · 5 years ago
Ripping off the average middle America Jack and Hortense is one thing - start impinging on CNI and you're playing big boy and girl games.
omgwtfbbq · 5 years ago
>It also gave the US an opportunity to show how effective it could be when it had the political cover to do so.

Not sure what you mean, what did the US do exactly?

twobitshifter · 5 years ago
These guys retweeted the story. They didn’t claim responsibility but it’s a tacit acknowledgment of their involvement. https://en.m.wikipedia.org/wiki/780th_Military_Intelligence_...

https://mobile.twitter.com/TheRecord_Media/status/1393192862...

normac2 · 5 years ago
> This created the impetus for the US to treat this as an incident far and above the ambient ransomware activities leading up to this.

And why would you say this is desirable to the US? Just general "governments take advantage of crises to gain power" reasons?

gzer0 · 5 years ago
What? This makes no sense.

The hacker group attacked resources considered "critical infrastructure"; this was closer to an act of war than any other cyber attack has come. The US Cyber Command responded swiftly.

> "governments take advantage of crises to gain power"

Please, elaborate? I fail to see how the US Govt is taking advantage of this crisis for more power.

adrr · 5 years ago
Russia allows their FSB operatives to moonlight on the side. Darkside hackers could be government operatives and an attack on critical infrastructure is an act of war. It is the same as bombing the pipeline if infrastructure is disabled. I am sure the cyber insurance provider won’t pay and will say it was an act of war by a foreign government. It's always a grey area.
Godel_unicode · 5 years ago
Do you have any extraordinary evidence for these extraordinary claims?
Joker_vD · 5 years ago
Remember when Emotet was believed to be connected to Russia? Until January of this year, when it turned out it was actually Ukrainian.
g_p · 5 years ago
> The REvil representative said its program was introducing new restrictions on the kinds of organizations that affiliates could hold for ransom, and that henceforth it would be forbidden to attack those in the “social sector” (defined as healthcare and educational institutions) and organizations in the “gov-sector” (state) of any country. Affiliates also will be required to get approval before infecting victims.

Statements like this seem to point to ransomware activities being far more coordinated and "business-like" than they often get credit for.

I do wonder if ransomware is (in a strange way) a(n illegal) free-market response to what is perceived to be an under-valuation of tech skills - aggrieved people who can carry out attacks and gain access to deploy ransomware are likely to be able to earn more through this route, even factoring in their "risk of being caught".

If a market correction occurs (ransomware becomes a real fear, organisations rapidly start to value security skills more and pay "megabucks" for the skills and hire them at-scale), the risk/reward of being caught starts to mean access brokers reduce in number, and the compensation reaches a free market equilibrium (accounting for the "getting caught" risk of criminal activity).

A lot of the time I still see people trying to hire entry-level people into live/ operational security roles, without the experience they'd need. I wonder if this is partly due to a desire to cut costs, rather than accept the need to pay rock-star compensation?

WrtCdEvrydy · 5 years ago
> seem to point to ransomware activities being far more coordinated and "business-like" than they often get credit for.

This is a business that actually provides better support than a regular business.

From conversations with friends in the Infragard side of this, and the agencies that collaborate, they have 24/7 English support available before and after payment, as well as decryption remote support if you can't get your files decrypted... there are also instances of refunds if they can't decrypt your files due to technical issues.

Unlike regular businesses, support is a sales channel since it's the way to ensure you get paid so a lot of resources go to support activities in these "organizations".

munificent · 5 years ago
> This is a business that actually provides better support than a regular business.

The thing I find fascinating from a sociology perspective about ransomware is that they have to. To be a successful ransomware company, you have to simultaneously be:

1. Completely immoral enough to attack companies, hold their data ransom and potentially put them out of business and reveal the private details of thousands of people.

2. Create enough trust in the company you attacked that they believe you will give the data back once you pay them.

It is crazy that they are psychologically savvy enough to simultaneously attain those directly conflicting goals.

mason55 · 5 years ago
Yeah apparently in addition to their white label ransomware software, if you licensed their software you could also have DarkSide handle negotiations for you. 10%-25% of the ransom and in exchange you get people who have real experience handling the negotiations and have the infra in place already to remain anonymous while supporting 24/7 English language service.
technion · 5 years ago
I can tell you that on the same day I opened a support case with both a ransomware operator and Microsoft premier support. One of those vendors took my money and went dark. Guess which one?
gimmeThaBeet · 5 years ago
> there are also instances of refunds if they can't decrypt your files due to technical issues.

I would like to hear more about this, that sounds kind of hilarious. "Ah, apologies, we'll get that back to you within 3 business days. Have a nice day, I hope you had backups"

dannyw · 5 years ago
Yeah. If you're dealing with a ransomware org with a reputation, you can pretty much be assured you're getting your files back minutes after paying, or a refund and apology.
jabroni_salad · 5 years ago
Maybe with Darkside, but they account for a very small amount of activity. Back in the Gandcrab days, anyone with a credit card could fire up their own tenancy, and they mostly sucked at it. They would lose the decryption keys or send non-functional decryptors. They were not interested in talking and just thought the RaaS platform would be a passive income for them.

I mostly don't do ransomware housecalls anymore, but my teammates tell me the situation has mostly not improved.

manigandham · 5 years ago
That's not support. You're not a customer. They're not providing any value. This isn't some glorified version of business, it's just organized crime.

They're available for their interests, not yours. They're actively robbing you and will be highly available to keep things moving efficiently, the same way physical bank robbers used to make sure staff were comfortable enough to open the safe and provide cover.

yebyen · 5 years ago
When I heard that this pipeline company started advertising a job opening for CyberSecurity Advisor in the last few days, and heard today the ransom of about $5 million was paid, my first reaction was to say "I bet the salary for that position is a lot less than $5 million, and I bet the budget for that department will be less, too..."
g_p · 5 years ago
I think you're spot-on here - the ransom is seen as a "cost of doing business", and until recently security was seen as "a problem that happens to other people".

Sadly my experience is that organisations like this will take their $5m ransom (or other remediation cost), assume it's a one-off, then divide it by their number of ransom-free years, and proclaim it was better value for money than hiring 2 or 3 senior security gurus on $300k /yr with 60 vacation days, and letting them bring in a team to deliver meaningful security.

Beyond taking security out of the hands of bean-counters though, I'm not sure how you address this. Pursuing organisations that pay ransoms and prosecuting senior CEO/CFO-type executives for conspiracy to commit money laundering (and pushing for criminal convictions) could discourage paying ransoms. If it's left to businesses as something they can write down as a "cost", I don't see it getting better - there has to be a risk to the liberty of the CEO/CFO before they'll take security seriously in my experience. 90 days in federal prison would certainly sharpen their focus in future.

grumple · 5 years ago
The cost of shutting down this pipeline for a week is a lot more than 5 million. At 3 million barrels per day going through it, in 6 days that's 18 million barrels. At $65/barrel that's 195 million worth of oil that didn't transit and it probably has huge knock-on effects throughout the affected regions (things that didn't ship, trips not taken, etc).
rebuilder · 5 years ago
Well, if it's more expensive to prevent the attack than to pay the ransom, what's the point? ;)

mgfist · 5 years ago
TBH I was shocked $5 million was all it cost.
johncessna · 5 years ago
> “We are apolitical, we do not participate in geopolitics, do not need to tie us with a defined government and look for other our motives [sic],” reads an update to the DarkSide Leaks blog. “Our goal is to make money, and not creating problems for society. From today we introduce moderation and check each company that our partners want to encrypt to avoid social consequences in the future.”[1]

[1] https://krebsonsecurity.com/2021/05/a-closer-look-at-the-dar...

Yeah, just dirtbags making money.

at-fates-hands · 5 years ago
Sounds like they're about to get rolled up by law enforcement as well. As someone who's had the full force of a three letter agency come down on me, this is not something you want to deal with on any level. I was lucky. I was young and dumb and got a slap on the wrist.

Times have changed and when govt agencies see this as an attack on critical infrastructure, you're looking at some serious jail time. I would say it's only a matter of time until they're tracked down. When you're being hunted like that, the govt works 24/7 and never stops. People on the run don't have that luxury.

Miner49er · 5 years ago
This is better than most rich businessmen, actually. Many don't care if they create problems for society, if it means more money for them.
JackFr · 5 years ago
> I do wonder if ransomware is (in a strange way) a(n illegal) free-market response to what is perceived to be an under-valuation of tech skills - aggrieved people who can carry out attacks and gain access to deploy ransomware are likely to be able to earn more through this route, even factoring in their "risk of being caught".

Sure. In the same way that mugging people is a response to undervaluing “beating the crap out of people and taking their money” skills.

at-fates-hands · 5 years ago
It's been said before:

"When the system fails you, you create your own system."

Which relates to what you're saying. When clever, intelligent people are ostracized and marginalized, they then use those skills to get illegally what society has prevented them from getting legally.

At some point, the idea of getting caught doesn't even register anymore.

arrosenberg · 5 years ago
> Statements like this seem to point to ransomware activities being far more coordinated and "business-like" than they often get credit for.

It's just digital Privateering - Francis Drake with a laptop.

> If a market correction occurs...

The English solved it by expanding their Navy and enlisting those who would otherwise pirate. Seems like as good a solution as any here.

goodlinks · 5 years ago
I thought privateers were state sponsored (I thought that was the distinction from piracy?). Which sort of makes the comparison to ransomware potentially more apt/thought provoking?

In any case, disparity of opportunity is what breaks trust and therefore collaboration. The world needs to universally operate in the ballpark of fairness or we are all at risk in the long term. (This comment is also influenced by the under valued tech resources thought).

Edit (sorry, some more thought while fixing typos): When the disparity of opportunity is at state level there are privateers and wars, when at a personal level there are muggings and burglaries etc.

*this is all probably stupidly obvious.. but as it's against uncontrolled capitalism or classist segregation we don't seem to want to say it too much maybe?

throwawayboise · 5 years ago
> ransomware activities being far more coordinated and "business-like" than they often get credit for.

This is the "organized" in organized crime. It's not lone bored teenagers doing this stuff.

nyghtly · 5 years ago
I think you're on to something in the context of globalization. There are many incredibly talented tech workers globally who can't get paid what they're worth because they lack access to employment with the wealthiest employers (because of strict border policies and the lack of visa sponsorship). If they had the freedom to migrate, then they might choose to seek employment in another country with a supply shortage, rather than enter the black market.
cjblomqvist · 5 years ago
That's not really reasonable - what about replacing hacking with murder? It's illegal for a reason - and not because it's too costly to do.
johncessna · 5 years ago
I was thinking replacing hacker with scammer. After all, Scammers scamming old folks are just showing a gap in online education and regulations.

Ransomware gangs aren't the vigilante heroes/embodiment of the undervalued IT security worker. They're a group of people looking to make a quick buck and don't give a damn about the harm they cause or who they cause it to.

dannyw · 5 years ago
Money can always be replaced. Lives can't be.

Most ransomware hackers are not amoral enough to go around murdering people or calling hits. Some are, but most ain't.

nemothekid · 5 years ago
>I do wonder if ransomware is (in a strange way) a(n illegal) free-market response to what is perceived to be an under-valuation of tech skills - aggrieved people who can carry out attacks and gain access to deploy ransomware are likely to be able to earn more through this route, even factoring in their "risk of being caught".

Almost all crime syndicates work this way. There is a balancing point where the crime you do does enough damage to make you money, but not so much money that the government dedicates elites to come knocking on your door. What DarkSide did was veer too far in the wrong direction.

djrogers · 5 years ago
> Statements like this seem to point to ransomware activities being far more coordinated and "business-like" than they often get credit for.

They only don’t get credit for that in mainstream media. In the Cyber Security world, Ransomware as a Service (and various other malware-aaS) groups have been discussed as well organized, customer-focused entities for quite some time.

I swear this is the first time it seems the world is hearing about RaaS, which feels weird since it’s a pretty dominant model today.

omoikane · 5 years ago
> business-like

Reminds me of this negotiation: https://www.reuters.com/article/us-cyber-cwt-ransom/payment-...

Previously discussed here: https://news.ycombinator.com/item?id=24032779

newsclues · 5 years ago
Cybercrime is the market response to under utilized/paid tech workers.
klyrs · 5 years ago
> “There’s too much publicity,” the XSS administrator explained. “Ransomware has gathered a critical mass of nonsense, bullshit, hype, and fuss around it. The word ‘ransomware’ has been put on a par with a number of unpleasant phenomena, such as geopolitical tensions, extortion, and government-backed hacks. This word has become dangerous and toxic.”

I am... flabbergasted. What? Ransomware has always been a brand of extortion; it's right there in the name. Extortion has become dangerous and toxic? You have got to be kidding me. I wonder what's next for these folks. A life of simple, honest, pleasant and non-toxic crime?

eganist · 5 years ago
I'm interpreting the statement to mean that ransomware very rapidly lost its reputation as a nuisance-crime this week.

Misplaced ransomware runs a far more substantial risk of triggering enforcement action now. Or at least that's the perception I'm deriving from the quote.

klyrs · 5 years ago
Others seem to suspect that this is a ploy. It does kinda fit the melodrama on display...

Otoh, as a kid I was into small-time mischief (pilfering candy from teacher's desk kinda stuff). I had a good sense of what would go unnoticed, but I was a bit too trusting of my friends. They'd go overboard, get caught, and I'd take the blame. So, I can sympathise with this a bit

Without external proof, I wouldn't hazard a guess as to which it is

jmkni · 5 years ago
I actually laughed out loud reading this. These guys are giving ransomware a bad name, ahahaha, what?!
knolan · 5 years ago
I read it as more of a “they’ve ruined it for the rest of us” whinge.
aazaa · 5 years ago
> The crime gang announced it was closing up shop after its servers were seized and someone drained the cryptocurrency from an account the group uses to pay affiliates.

If so, this is either:

1. one heckuva Mickey Mouse operation

2. a smokescreen

The statement never mentions Bitcoin, but let's assume that this is the "cryptocurrency" being referred to.

That Bitcoin private keys were being stored on a "server" strains credulity. There's very little reason to do so, and every reason not to.

Payments can be received and orders fulfilled by a server - without private keys. Multiple addresses can be watched in read-only mode.

The only reason for a server to hold private keys is if that server is capable of making automated payments, and that capability is a crucial part of the operation.

Bitcoin's history is littered with the corpses of people who messed up the management of their own cryptographic keys. Any reasonably competent operator would know about them and would never, under any circumstances hold private keys on a server.

Which leaves Option 2. Smokescreen. Make it look like all the loot was lost, try to throw investigators off the trail.

If so, it's a lame attempt.

One other possibility comes to mind. The ransom itself was the smokescreen.

The amount of the ransom was nothing for a company the size of Colonial. And it's about 1/10 of the annual salary of some developers. Why risk the prospect of life in prison for such a small payoff?

The reason is, of course, to make this operation look like something it's not. A Mickey Mouse band of idiots who can't manage their own private keys or servers. Lots of reasons to do this, starting with the notion that the attackers are trying to conceal their identities. And maybe that this was a test operation. Throw in the trinkets of ransom to make it look believable to the public.
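The watch-only split aazaa describes above, as an added example that is not part of the thread: the internet-facing server holds only an extended public key and derives a fresh receiving address per invoice, while the matching private keys are derived on an offline machine. Both sides use BIP32 non-hardened derivation, so the server never touches private material. The secp256k1 arithmetic is written inline for illustration (a real deployment would use a vetted library); the seed is constructed, and the "address" is a stand-in hash of the public key rather than a real Bitcoin address.

```python
"""Watch-only server / offline signer split (added example, not from the thread).

Server side: (K_master, chain code) only, derives receiving addresses.
Signer side: (k_master, chain code), derives private keys only when spending.
secp256k1 implemented inline for illustration; seed is constructed test data.
"""
import hashlib
import hmac

# secp256k1 domain parameters (standard constants)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
HARDENED = 0x80000000


def ec_add(a, b):
    """Affine point addition; None is the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    if a[0] == b[0]:
        if (a[1] + b[1]) % P == 0:
            return None                                   # a + (-a)
        lam = 3 * a[0] * a[0] * pow(2 * a[1], -1, P) % P  # doubling (curve a = 0)
    else:
        lam = (b[1] - a[1]) * pow(b[0] - a[0], -1, P) % P
    x = (lam * lam - a[0] - b[0]) % P
    return (x, (lam * (a[0] - x) - a[1]) % P)


def ec_mul(k, point=G):
    """Double-and-add scalar multiplication (not constant-time; illustration only)."""
    result, addend = None, point
    while k:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result


def ser_p(point):
    """33-byte compressed SEC1 encoding, as BIP32 feeds into the HMAC."""
    return bytes([2 + (point[1] & 1)]) + point[0].to_bytes(32, "big")


def master_from_seed(seed):
    """BIP32 master key: HMAC-SHA512 keyed with 'Bitcoin seed'."""
    i = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    k = int.from_bytes(i[:32], "big")
    if not 0 < k < N:
        raise ValueError("invalid master key, pick another seed")
    return k, i[32:]                                      # (k_master, chain code)


def ckd_priv(k_par, c_par, index):
    """CKDpriv for a non-hardened index: what the offline signer runs."""
    if index >= HARDENED:
        raise ValueError("hardened children cannot be matched by a watch-only server")
    data = ser_p(ec_mul(k_par)) + index.to_bytes(4, "big")
    i = hmac.new(c_par, data, hashlib.sha512).digest()
    il = int.from_bytes(i[:32], "big")
    child = (il + k_par) % N
    if il >= N or child == 0:
        raise ValueError("invalid child, skip this index")  # BIP32 edge case
    return child, i[32:]


def ckd_pub(K_par, c_par, index):
    """CKDpub: the same child computed from the public key only; what the server runs."""
    if index >= HARDENED:
        raise ValueError("hardened derivation needs the private key")
    data = ser_p(K_par) + index.to_bytes(4, "big")
    i = hmac.new(c_par, data, hashlib.sha512).digest()
    il = int.from_bytes(i[:32], "big")
    child = ec_add(ec_mul(il), K_par)
    if il >= N or child is None:
        raise ValueError("invalid child, skip this index")
    return child, i[32:]


def address_id(point):
    """Stand-in for an address: hash of the compressed pubkey (not a real Bitcoin address)."""
    return hashlib.sha256(ser_p(point)).hexdigest()[:40]


def server_address(K_master, chain, invoice):
    """Web server: receiving address for an invoice with no private key in reach."""
    K_child, _ = ckd_pub(K_master, chain, invoice)
    return address_id(K_child)


def signer_address(k_master, chain, invoice):
    """Offline signer: derives the private key; used here only to prove the match."""
    k_child, _ = ckd_priv(k_master, chain, invoice)
    return address_id(ec_mul(k_child))


if __name__ == "__main__":
    k, c = master_from_seed(b"constructed demo seed, not a real wallet")
    K = ec_mul(k)
    for inv in (0, 1, 7):
        print(inv, server_address(K, c, inv), server_address(K, c, inv) == signer_address(k, c, inv))
```

The point of the split is in the last two functions: `server_address` runs with `K` and the chain code only, so a compromise of the server reveals which addresses belong to the operation (which is why the chain code should also be protected) but yields nothing that can move the coins. Hardened indices are rejected on purpose, since a watch-only server cannot follow them.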

KZZ · 5 years ago
$5 million is 1/10 the annual salary of some developers?
CobsterLock · 5 years ago
I could see 10 developers costing that much

vmception · 5 years ago
Ironically, it plays off of ignorance in either option.

The DOJ could bolster credibility of itself to the ignorant by saying “thats right criminals you cant hide” even if the DOJ never got anything.

ASalazarMX · 5 years ago
Once I had the fortune of seeing the three cups and a ball scam live, on the street. One guy does the trick, another encourages the victim, and a third one watches the crowd disguised as a random onlooker. If something makes the onlooker nervous, he will signal the others and they will grab their things and disappear in less seconds than your hand has fingers.

This sudden quit seems similar, especially with the withdrawal of funds to an "unknown address", as if they closed shop and disappeared.

mathgenius · 5 years ago
How does the scam work? You got me curious...
damontal · 5 years ago
Ball gets placed under one of three cups. Cups get mixed around and people guess where the ball is for money. The ball isn’t under any of them though. The scammer palmed it.
ggggtez · 5 years ago
Aka "three card monte". People get tricked because they don't realize it's a team of people, not just one.

And if you notice the trick? Well, they out number you. You probably won't win in a fight either.

SavantIdiot · 5 years ago
Why should I believe this? They can shut down their servers, move their crypto to different wallets, and pop up again in a few weeks, right?
specialp · 5 years ago
They know that they can and will be found, and are running scared. In general ransomware works because it takes a lot of resources to find the criminals behind it. And generally there's not enough resources to do this. But once it hits a level where it creates a widespread national problem, it becomes more of an act of war. Then you get people involved that aren't just law enforcement and have tools that aren't available to law enforcement with large budgets.
ttul · 5 years ago
Not to mention diplomatic channels to apply pressure on local governments that may have previously lacked the impetus to do anything about these groups.
snypher · 5 years ago
Running scared though? I see this as the dash from 2nd plate to 3rd. If you're going to ditch your servers and wash your coins you might as well make it seem like you were compromised. I don't think there's any fear here as they surely must have anticipated the consequences.
jl2718 · 5 years ago
I don’t understand how ransomware works at all. The address is known well in advance, so a miner knows they might face sanction of their own coins for including it in their block. Not worth it.
timdellinger · 5 years ago
It's plausible that this is all a scheme to evade capture. Disband the current organization, (get rid of a few people who you've wanted to jettison anyway), and then set up shop afresh elsewhere. It sends the message to whoever's looking for you that the whole thing has been burned to the ground and there's nothing to raid or seize or shut down.
bluGill · 5 years ago
Possible, but there is too much a chance that the cops already know who you are and just need to gather evidence in a form they can take to court. By shutting down they ensure that no more evidence is gathered. By starting a new organization they can't be sure that they aren't still being watched.
sfotm · 5 years ago
I’m skeptical as well. They know they built up a little too much notoriety and want to exit the game, is my guess. A core set of people can live pretty comfortably off of the ransom here, though they’ll have a hard time laundering it.
stickfigure · 5 years ago
Agreed, except why bother pop up again? They just got a big fat payment of $5m. Plenty to split with a small team. It's a good time to cash out and disappear.
SavantIdiot · 5 years ago
Seriously! It's FIVE MILLION. That's "I don't ever have to work again" money. What is wrong with people! Probably they want Mercedes, and Rolexes, and Mont Blanc pens and all that showy consumer garbage.
bluetwo · 5 years ago
Depends if the DOJ issues arrest warrants for the members in a couple weeks.
SavantIdiot · 5 years ago
Since they aren't in the US, it is probably more of a proactive step by the DOJ to build a case for sanctions. Assuming they know what country the perps are from, which doesn't seem all that clear.
jtchang · 5 years ago
Just like the mob there are some targets that just aren't worth it because they bring too much heat. They are learning this is bad for business all around so they are stepping back and encouraging others to do the same.
mywittyname · 5 years ago
One thing that impressed me about this situation was the speed at which this was dealt with. A few hours after the attack, an executive order was signed reducing regulations around truck transport of fuel. But the next day, service was being restored. And by the end of the week, the attackers were disbanded and their assets seized.

There's a pretty clear message here that the US isn't fucking around.

wang_li · 5 years ago
If I'd just collected enough ransom to retire and never work again, I'd also put out a press release announcing I was out of business and someone seized all my shit and etc.
ggggtez · 5 years ago
This is it. Governments have cyber abilities that far outstrip individual organizations. And when cyber fails, there are still other diplomatic and less diplomatic tools.

I wouldn't be surprised if the US Government here reached out to foreign governments for assistance in dismantling their infrastructure (it almost certainly was not on US soil).

An individual hospital probably couldn't garner that kind of backing, but oil pipelines? The US would probably be willing to use military strikes to keep the oil flowing. A small country would be very willing to help out to maintain good will.

bluGill · 5 years ago
Small countries routinely help out for cases like this. I expect the US has reached out to whatever ones were involved long ago - it is just that until now things were still in the evidence gathering stage. While the police are sometimes willing to make an example of the wrong guy - that is the exception - most of the time they try to be right which means long investigations over many attacks.
jtchang · 5 years ago
Exactly. Also not sure why everyone says Bitcoin is anonymous. It's as anonymous as how deep someone is willing to spend to uncover your address. If we are talking multiple nation states who are interested in tracking you down you are pretty much screwed.

kossTKR · 5 years ago
Can crypto actually be non-traceable? I remember currencies like Monero or ZCash advertising privacy from the last crypto craze.

I mean if you have 100M in some account, can you actually run it through "private" currencies to remove traces? BTC, ETH etc. all seem super traceable, even more so than in regular banking.

Also how are criminals getting their money out with no one noticing, does Panama/Malta etc. have Kraken/Bittrex equivalents with no questions asked?

ikeboy · 5 years ago
Yes, up to a limit.

It's super trivial to withdraw, say, 1M. You can use https://tornado.cash/ to mix 100 ETH, there's currently around 10k such deposits, so you could do that 2-3 times to move 1M in ETH to an address that can't be tied to your previous addresses.

It's possible but no longer trivial to withdraw 10M. You could use the above method over a period of time, and some other methods.

It becomes much more difficult at much higher values. You could probably get 100M out disguised as trading profits or something. If I spent a few days thinking about it I could probably figure out ways to mix that much money on ETH, filter through DeFi apps, etc. Seems doable.

You could also just work with large exchanges that don't care. I don't know which ones are like that now, probably fewer than years ago.

intotheabyss · 5 years ago
You don't need to. You can send the ETH to tornado.cash. Their anonymity set is such that 100 million would take a long time, but on the order of months to withdraw. Tornado.cash has millions in total locked value in different ETH denominated pools.
vmception · 5 years ago
You don't do it that way. Just drop it in Tornado.cash and a few days later withdraw to a virgin crypto address. The virgin crypto address just pumps a token that you bought in another clean address with clean money prior.

You sell the token in the clean address at a massive profit and cash out under your real name and ID and even pay taxes.

Go look at any highly pumped token on Uniswap/Sushiswap/Pancakeswap and you’ll find plenty of addresses that either bought or added to the liquidity pool using funds that begin with Tornado.cash, there is no way to distinguish the nature of the transaction from simple observation. All blockchain technology is heading to parity with the privacy afforded by traditional banking, without the financial intermediary to question anything for the state.

intotheabyss · 5 years ago
You could even send ETH to the Secret Network and perform token swaps and then send it back to a clean address.
danlugo92 · 5 years ago
One (of many) ways: Monero -> bitcoin -> localbitcoins with stolen identity.

Each localbitcoins account can trade up to $200k a year without any kind of in-person verification.

Also a lot of exchanges let you cash out via western union so... you could theoretically send yourself say 10k or 20k a month with that, there's no need to just withdraw it all at once.

Kranar · 5 years ago
There is no way to exchange Monero for Bitcoin or vice-versa without the risk of being tracked. LocalBitcoins has been doing KYC/AML since 2018.
intricatedetail · 5 years ago
But if you get BTC through a mixer chances are they are tainted and you get yourself in trouble when withdrawing.
bruiseralmighty · 5 years ago
Crypto currency itself can be completely anonymous, but the difficulty is in the on-ramp and off-ramps to and from state fiat money.

For example, I want to buy ZCash that is untraceable to me. I need to exchange ownership of a hardware wallet (like a physical USB device) for a pre-determined amount of state fiat, let's say USD in this case. In order to facilitate this I need to find a trusted seller, arrange a meeting, verify the actual value of the physical wallet, and make the exchange. There are non-physical means of making it harder to trace state fiat back to you, but not impossible. The state has simply had too much influence over these places of transaction for too long for anybody to be truly un-findable given a long enough period of time.

Assuming I can find someone willing to on-ramp me like this I will need to take steps to ensure that our communications are encrypted and untraceable. This means not only do I need a decentralized encrypted messaging service, I also need to conduct this communication in a way that does not give away my geographical location and is not vulnerable to security logs (say by checking the cafe's video feed from the time I was messaging my seller). Then I need to go to the meet, exchange the physical wallet for cash, and verify the amount in it is accurate (and also preferably not stolen). I need to do this without revealing my identity to my seller and avoiding security logs once again. This is all now possible whereas before Satoshi it was impossible, but it is still difficult.

Alternatively, I could just sell some kind of digital asset in exchange for ZCash to begin with. Now I do not have to worry about an on-ramp. If I control my distribution server then I can erase or encrypt my sales logs in order to prevent any estimation of my total sales for the year.

Off-ramping is much harder. I either need to become a seller of a physical wallet which has all the same problems that plagued me before, or I need to live in an economy where off-ramping is not required. This would be a physical location where all transactions are conducted in secure, anonymized crypto-currency transactions. Similar to my earlier problem, this is now possible but extremely difficult. An individual or a group of individuals is going to have to bootstrap an entire local economy.

Being localized is also an issue since there is nothing preventing the USG from simply rolling in the tanks to break up this localized tax haven.

paulpauper · 5 years ago
It can be harder to trace, but the bigger problem is trying to turn it into cash, which is hard to do anonymously regardless of the currency used (BTC, XMR, etc). The FBI, Secret Service, are mostly focused on the conversion of crypto to cash, not the intermediary steps.
mwvr · 5 years ago
doesn't work if the fiat converted to is in another jurisdiction
chowda · 5 years ago
These groups will often use bitcoin tumblers/mixers to anonymize their btc. This is a solid explanation https://www.deepwebsiteslinks.com/wp-content/uploads/2017/10...
chrisBob · 5 years ago
Is there a technical reason that makes use of a tumbler legally safe? My concern would be that putting in a clean bitcoin would result in me getting a fraction of a stolen bitcoin and I would be receiving stolen property. The fact that they are fully traceable means that it would be easy for someone innocent to be caught up in something like that.
Taek · 5 years ago
Yeah Zcash provides good privacy for the most part, as long as you use it correctly. Once you cash out, it's a typical money laundering problem. How do you get money into circulation without raising suspicions of where it came from?

Plenty of solutions. Mules using exchanges, buying NFTs from yourself, "lucky" investment picks in low liquidity alts, etc

andrepd · 5 years ago
As far as I understand it, Monero (XMR) is private and untraceable.
TwelveNights · 5 years ago
One way I've seen discussed on HN is by sending varying amounts to N different accounts, where some are owned by you / affiliates and others are not. In a sense, paying for obfuscation of which accounts are actually owned by you.
briffle · 5 years ago
Until one of those people buys a Tesla with bitcoin (yeah, I know they just stopped doing that) from a wallet that can be traced to that payment, and then it's just the authorities following up the chain.

People like to seem like all these cryptos are totally anonymous, but every transaction ends up in some sort of public blockchain. So unless you have air-tight OPSEC and people that will never talk, no matter what kind of jail time they are facing, it's always going to be traceable with enough interest.
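One way to do the chain-following briffle describes above, as an added example that is not part of the thread: a breadth-first walk forward from a known ransom address over a constructed toy ledger until the coins land on an address with an outside attribution (an exchange deposit, a merchant), plus the common-input-ownership heuristic that groups every address spent together in one transaction under one owner. The transaction ids, addresses, amounts and labels are all made up; a real investigation runs this over chain data and exchange records, and CoinJoin-style transactions are built specifically to break the co-spend heuristic.

```python
"""Forward tracing on a public ledger (added example, not from the thread).

Walks the transaction graph from a known ransom address until funds reach an
address an investigator can attribute, and clusters addresses co-spent in one
transaction (common-input heuristic). Ledger, ids, amounts and labels are
constructed test data.
"""
from collections import deque

# Constructed ledger: txid -> inputs (addresses spent) and outputs (address, BTC).
LEDGER = {
    "tx1": {"in": ["victim_a"], "out": [("ransom1", 75.0)]},
    "tx2": {"in": ["ransom1"], "out": [("hop1", 40.0), ("hop2", 34.9)]},      # split
    "tx3": {"in": ["hop1", "other_x"], "out": [("hop3", 45.0)]},             # co-spend
    "tx4": {"in": ["hop3"], "out": [("exch_dep_42", 30.0), ("hop4", 14.9)]},  # cash-out attempt
    "tx5": {"in": ["hop2"], "out": [("hop5", 34.8)]},
    "tx6": {"in": ["shop_cust"], "out": [("merchant_1", 0.5)]},              # unrelated
}

# Attribution an investigator brings from outside the chain (constructed).
KNOWN = {"exch_dep_42": "exchange deposit address, KYC on file",
         "merchant_1": "car dealer"}


def spends_index(ledger):
    """address -> txids that spend an output held by that address."""
    index = {}
    for txid, tx in ledger.items():
        for addr in tx["in"]:
            index.setdefault(addr, []).append(txid)
    return index


def trace_forward(ledger, start, known, max_hops=10):
    """BFS from `start` along spends.

    Returns (hits, cluster): hits maps each attributable address reached to
    (txid path, amount received); cluster is every address co-spent with
    tainted coins, which the common-input heuristic assigns to the same owner.
    """
    index = spends_index(ledger)
    hits, cluster, seen = {}, {start}, {start}
    queue = deque([(start, 0, [])])
    while queue:
        addr, hops, path = queue.popleft()
        if hops >= max_hops:
            continue
        for txid in index.get(addr, []):
            cluster.update(ledger[txid]["in"])          # heuristic: inputs share an owner
            for out_addr, amount in ledger[txid]["out"]:
                if out_addr in known and out_addr not in hits:
                    hits[out_addr] = (path + [txid], amount)
                if out_addr not in seen:
                    seen.add(out_addr)
                    queue.append((out_addr, hops + 1, path + [txid]))
    return hits, cluster


def report(ledger, start, known, max_hops=10):
    """Human-readable lines for the investigator."""
    hits, cluster = trace_forward(ledger, start, known, max_hops)
    lines = [f"{a}: {known[a]} via {' -> '.join(p)} ({amt} BTC)"
             for a, (p, amt) in hits.items()]
    lines.append("cluster: " + ", ".join(sorted(cluster)))
    return lines


if __name__ == "__main__":
    print("\n".join(report(LEDGER, "ransom1", KNOWN)))
```

The `max_hops` bound matters in practice: the graph fans out quickly once coins pass through an exchange hot wallet, so analysts stop at the first attributable address and subpoena from there rather than following change outputs forever. The cluster output is what turns one hit into a list of other addresses worth checking, and it is exactly the inference that mixers and CoinJoin try to poison.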

generalizations · 5 years ago
I think it's still just pseudo-anonymity, even for monero. Which means, practically, that I don't think it would have done more for these guys than just delay the seizure.
tryptophan · 5 years ago
Nope. Monero is actually private and untraceable.
ur-whale · 5 years ago
>I think it's still just pseudo-anonymity

Nope.

Monero, ZCash, and mimblewimble-based cryptos (grin, beam) are certainly not pseudo-anonymous, and tracking is darn near impossible if the users don't do anything stupid.

intotheabyss · 5 years ago
ETH can be sent through tornado.cash or through zkDAI. Both of these use zero knowledge proofs to break the link in the chain.
hanklazard · 5 years ago
yes, with zksnark-based tech (zcash, zk.money, etc)