Post-Bitcoin Cryptocurrencies, Off-Chain Transaction Channels, and Cryptocurrency Analytics Techniques
1. TUTORIAL
Post-Bitcoin Cryptocurrencies, Off-Chain Transaction Channels,
and Cryptocurrency Analytics Techniques
Austrian Financial Market Authority (FMA)
2018-05-25
Dr. Bernhard Haslhofer
Senior Scientist, Center for Digital Safety & Security
2. BACKGROUND | CRYPTOCURRENCY RESEARCH
[Figure: timeline with the labels 2014, 2017, 2020, BITCRIME, EU H2020 TITANIUM and GRAPHSENSE]
Research topics:
• Legal, Societal, Ethical Aspects
• Tool and Service Ecosystem
• Darknet Marketplaces
• Cross-ledger Analytics
• Mixing-Service Detection
• Information Sharing
• Post-Bitcoin Cryptocurrencies
• Blockchain-based Electronic Markets
Earlier tutorial: BITCOIN: Introduction, Technical Aspects, and Ongoing Developments
Bernhard Haslhofer, AIT
Aljosha Judmayer, SBA Research
Austrian Financial Market Authority (FMA)
2015-04-30
3. BITCOIN | PROMISES AND EXPECTATIONS
“A decentralized currency without central authorities and trusted third parties”
4. BITCOIN | REALITY
“De-facto centralization and concentration among a small number of intermediaries at various levels of the Bitcoin system” [Böhme et al. 2015]
Intermediaries:
• Currency Exchanges
• Digital Wallet Providers
• Mixing / Tumbler Services
• Mining Pools
• (Darknet) Market Places
Currency exchanges: < 200 exchanges, top 5 with 50% market share [e.g., coinhills.com]
Mining pools: “Top 4 Bitcoin miners have more than 53% of the average mining power. 61% of the weekly power was shared by only three Ethereum miners” [Gencer et al., 2018]
7. BITCOIN | REALITY
“The use of pseudonymous addresses in Bitcoin does not provide any meaningful level of anonymity” [Kappos et al. 2018]
De-anonymization Techniques:
• P2P Network Analytics [e.g., Biryukov et al., 2014]
• Blockchain Network Analytics, Clustering Heuristics:
  • Multiple-Input Heuristics [Nakamoto, 2008]
  • Change Heuristics [Meiklejohn, 2013]
  • Temporal Behaviour [Ortega, 2013]
  • …
9. BITCOIN | REALITY
“Achieving VISA-like capacity on the Bitcoin network is not possible today” [Poon and Dryja 2016]
                          Bitcoin   VISA
Avg. transactions / sec   3.5       2,000
Peak volume (txs/sec)     7         47,000
47,000 x avg. Bitcoin tx size (300 bytes) x 10 min = 8GB
… to be synchronized among peers every 10 min
10. BITCOIN | EXPECTATIONS VS. REALITY
Expectations:
• Decentralization
• Anonymous Payments
• Instant global transactions
• Low transaction fees
Reality:
• De-facto centralization
• Waste of energy resources
• No meaningful level of anonymity
• Scalability problems
• Relatively high transaction fees
New developments shown on the slide:
• New consensus protocols (e.g., Proof of Stake)
• Privacy-enhancing Cryptocurrencies (e.g., Monero, Zcash)
• Off-Chain Transaction Channels (e.g., Lightning Network)
11. MY PLAN FOR TODAY
• Cryptocurrency Recap
• Privacy-enhancing Cryptocurrencies
• Off-Chain Payment Channels
• Cryptocurrency Analytics
• Q & A
23. MONERO
• One of the first and the most widely adopted CryptoNote currency
• “An open source technology and concepts for the cryptocurrencies of the future”
  • Untraceable payments
  • Unlinkable transactions
  • Egalitarian proof of work
  • …
• https://cryptonote.org/coins
25. MONERO | SECURITY FEATURES
• Stealth addresses: outside observers do not know which addresses certain transaction outputs are assigned to
• Ring signatures: hide spent output among seemingly plausible ones
• Ring confidential transactions (Ring CTs): hide transaction amount
[Figure: Transaction X with "value: ?" and "address: ?", linked to Transaction Y and Transaction Z by "???"]
26. MONERO | KEYS
Monero Account:
• Private spend key: for signing transactions and spending funds
• Private view key: view all transactions related to the account (can be shared to see balance)
• Public spend key: part of Monero account address
• Public view key: part of Monero account address
Monero Address:
44AFFq5kSiGBoZ4NMDwYtN18obc8AemS33DBLWs3H7otXft3XjrpDtQGv7SqSsaBYBb98uNbr2VBBEt7f2wfn3RVGQBEP3
31. MONERO | RING SIGNATURES
• A type of signature that can be performed by any member of a group
• Each user has private / public key pairs
• Signature is created from a number of public keys
• Message signed with ring signature is endorsed by someone in a particular group of people
• Not possible to compute which of the group members’ keys was used to produce the signature
32. MONERO | RING SIGNATURES
[Figure: a New Transaction (Input, Output) together with Prev. Transaction 1, Prev. Transaction 2 and Prev. Transaction 3 (each Input, Output); labels: Public Spend Keys, Signer’s Private Spend Key, Ring signature, Bob’s Account]
34. ZCASH
• Bitcoin fork with optional anonymity
• Two transaction types
  • Transparent transactions (as in Bitcoin)
  • Shielded transactions (encrypted)
• Shielded transactions hide the sender, recipient, and the value on the blockchain
• Backed by highly regarded research
35. ZCASH | TRANSACTION TYPES
• t-to-t: visible quantities of ZEC move between visible t addresses
• t-to-z: a visible amount of ZEC moves from a visible t address to a hidden z address within the shielded pool
• z-to-z: a hidden quantity of ZEC moves between hidden z-addresses
• z-to-t: a hidden quantity of ZEC moves from a hidden z address out of the shielded pool to a visible t address
[Diagram labels: t-to-t, t-to-z, z-to-z, z-to-t, shielded pool]
Figure 1: A simple diagram illustrating the different types of Zcash transactions. All transaction types are depicted and described with respect to a single input and output, but can be generalized to handle multiple inputs and outputs. In a t-to-t transaction, visible quantities of ZEC move between visible t-addresses (tIn, tOut ≠ ∅). In a t-to-z transaction, a visible amount of ZEC moves from a visible t-address into the shielded pool, at which point it belongs to a hidden z-address (tOut = ∅). In a z-to-z transaction, a hidden quantity of ZEC moves be-
[Kappos et al. 2018]
36. ZCASH | ANATOMY OF A TRANSACTION
https://blog.z.cash/anatomy-of-zcash/
39. MY PLAN FOR TODAY
• Cryptocurrency Recap
• Privacy-enhancing Cryptocurrencies
• Off-Chain Payment Channels
• Cryptocurrency Analytics
• Q & A
40. PAYMENT CHANNELS | MOTIVATION
Blockchain:
• Blocksize: 1 MB
• ca. 1500 - 2000 transactions
• ca. 10 min
• Maximum throughput: ca. 7 tx / sec
Major design issue:
All transactions are stored on the blockchain and replicated among peers.
41. PAYMENT CHANNELS | BASIC IDEA
• Move massive bulk of transactions off-chain
• Users
  • carry out transactions off-chain between each other
  • rely on blockchain
    • for settlement
    • to resolve dispute in case of disagreement
[Figure: off-chain transactions between users; the blockchain is used for "Settlement" and "Resolve dispute"]
42. PAYMENT CHANNELS | PHASES
[Figure: blockchain and time axis showing three phases]
• Phase 1 “Open Payment Channel”: Funding Tx (Input, Output)
• Phase 2 “Off-Chain Transactions”
• Phase 3 “Close Payment Channel”: Settlement Tx (Input, Output)
Inspired by R. Böhme “Prinzip von Off-Chain Zahlungskanälen”
43. PAYMENT CHANNELS | LIGHTNING NETWORK
• A specific payment protocol operating on top of a blockchain (Bitcoin)
• Status
  • testing phase since January 2018
  • 1st mainnet release: March 2018
• Implementation: https://github.com/lightningnetwork/lnd
• Some (unreliable) statistics
  • ~ 2000 nodes
  • ~ 6000 channels
44. MY PLAN FOR TODAY
• Cryptocurrency Recap
• Privacy-enhancing Cryptocurrencies
• Off-Chain Payment Channels
• Cryptocurrency Analytics
• Q & A
46. CRYPTOCURRENCY ANALYTICS | GOALS
Investigate and develop scalable quantitative methods, tools and services that contribute to a better understanding of the structure and dynamics of cryptocurrency ecosystems.
[Figure labels: Macroscopic Analysis, Microscopic Analysis]
47. CRYPTOCURRENCY ANALYTICS | APPROACH
[Figure: enrichment process leading from the Blockchain to the Address Graph, Address Clusters and Tags]
Statistics (as of Sept. 2017)
Transactions: 249,408,683
Addresses: 296,862,290
Clusters: 30,645,426
Address graph
- nodes (= addresses): 296,862,290
- edges (= aggregated transactions): 1,567,227,841
All data points are pre-computed and stored in a de-normalized form
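The enrichment steps on this slide (blockchain, address clusters, tags), combined with the seed-address method used in the ransomware analysis on the following slides, as an added example that is not GraphSense code. The transactions, tag, seed address and function names are constructed for illustration; clustering uses the multiple-input heuristic named on slide 7.

```python
from collections import defaultdict

# Constructed sample data (not real blockchain data). Each transaction has
# input addresses and outputs given as (address, BTC value).
TXS = [
    {"in": ["A1", "A2"], "out": [("S1", 1.0)]},
    {"in": ["A2", "A3"], "out": [("S2", 0.5), ("A1", 0.2)]},
    {"in": ["B1"], "out": [("R1", 2.0)]},
    {"in": ["C1"], "out": [("R2", 0.7), ("C2", 0.1)]},
    {"in": ["R1", "R2"], "out": [("X1", 2.6)]},
]
TAGS = {"X1": "exchange"}   # constructed attribution tag
SEED = {"R1"}               # constructed seed address for one family

def cluster_addresses(txs):
    """Multiple-input heuristic: inputs of one transaction share an owner."""
    parent = {}

    def find(a):
        parent.setdefault(a, a)
        while parent[a] != a:
            parent[a] = parent[parent[a]]   # path halving
            a = parent[a]
        return a

    for tx in txs:
        for addr, _ in tx["out"]:
            find(addr)                      # register output-only addresses
        root = find(tx["in"][0])
        for addr in tx["in"][1:]:
            parent[find(addr)] = root       # union co-spent inputs
    clusters = defaultdict(set)
    for addr in parent:
        clusters[find(addr)].add(addr)
    return list(clusters.values())

def expand_seed(txs, seed):
    """All addresses in any cluster that contains a seed address."""
    return set().union(*(c for c in cluster_addresses(txs) if c & seed))

def trace(txs, seed, tags):
    """Lower-bound BTC received by the seed clusters, and tagged destinations."""
    own = expand_seed(txs, seed)
    received = sum(v for tx in txs if not own & set(tx["in"])
                   for a, v in tx["out"] if a in own)
    dests = {tags[a] for tx in txs if own & set(tx["in"])
             for a, _ in tx["out"] if a in tags and a not in own}
    return own, round(received, 8), sorted(dests)
```

On the constructed data the single seed `R1` expands to `{R1, R2}` because both are spent together; addresses never co-spent with a seed stay outside the cluster, which is why totals derived this way are lower bounds.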
51. ANALYTICS EXAMPLE | RANSOMWARE
• Ransomware has become dominant cybercrime threat
• Over 500 families
• Ransom payments almost exclusively in Bitcoin
• More comprehensive, evidence-based picture still missing
52. ANALYTICS EXAMPLE | RANSOMWARE
     Family                Addresses   BTC         USD
 1   Locky                 6,827       15,399.01   7,834,737
 2   CryptXXX              1,304       3,339.68    1,878,696
 3   DMALockerv3           147         1,505.78    1,500,630
 4   SamSam                41          632.01      599,687
 5   CryptoLocker          944         1,511.71    519,991
 6   GlobeImposter         1           96.94       116,014
 7   WannaCry              6           55.34       102,703
 8   CryptoTorLocker2015   94          246.32      67,221
 9   APT                   2           36.07       31,971
10   NoobCrypt             17          54.34       25,080
11   Globe                 49          33.03       24,319
12   Globev3               18          14.34       16,008
13   EDA2                  23          7.1         15,111
14   NotPetya              1           4.39        11,458
15   Razy                  1           10.75       8,073
Table 4: Received payments per ransom family (Top 15).
10 key addresses, with a few number of transactions and no tags, received money from both the TowerWeb and Cryptohitman addresses. Intuitively, we can assume that these two families might be related to the same real-world actors who may run two families of ransomware simultaneously or may launder money on behalf of the two different groups.
[Figure 3: Mean payment per family with standard mean errors. One point per family (APT, CryptXXX, CryptoLocker, CryptoTorLocker2015, DMALockerv3, EDA2, Globe, GlobeImposter, Globev3, Locky, NoobCrypt, NotPetya, Razy, SamSam, WannaCry); payment axis from $0 to $7,500.]
53. ANALYTICS EXAMPLE | RANSOMWARE
[Figure 4: Longitudinal payment trend per family. Panels: WannaCry, SamSam, Locky; x-axis: date (month/year); y-axis: payments in USD.]
flows of ransomware payments and identify destinations, such as Bitcoin exchanges or gambling services, when contextually related information (tags) was available. Our method is reproducible and could be repeated for additional families with an updated seed dataset. Plus, computation of address clusters over the most recent state of the Bitcoin blockchain, along with more identification of clusters belonging to specific groups, could greatly increase the knowledge on the different end routes of ransomware monetary flows.
However, we are well aware that our approach has a number of limitations. First, our methodology relies on a set of seed addresses manually collected and the effectiveness of the multiple-input heuristics for uncovering previously unknown addresses linked to this family. Thus, it misses other ransomware families as well as other addresses that might belong to the same family, but cannot be linked to the same cluster. Still, the more addresses from various families become available, the more accurate the picture of the overall market for ransom payments will become. We address this limitation by constraining our analysis to lower bound direct financial impacts, to ensure we are not claiming to assess the total impacts of a ransomware family or of the entire market for ransom payments.
Second, our approach is limited by the extent and quality of the attribution data (tags) available. Without this information, clusters remain anonymous and inferences about their real-world nature are impossible. Nevertheless, we believe that such data will increasingly
54. ANALYTICS EXAMPLE | RANSOMWARE
Ransomware Payments in the Bitcoin Ecosystem
Masarah Paquet-Clouston, GoSecure Research, Montreal, Canada, mcpc@gosecure.ca
Bernhard Haslhofer, Austrian Institute of Technology, Vienna, Austria, bernhard.haslhofer@ait.ac.at
Benoit Dupont, Université de Montréal, Montreal, Canada, benoit.dupont@umontreal.ca
ABSTRACT
Ransomware can prevent a user from accessing a device and its files until a ransom is paid to the attacker, most frequently in Bitcoin. With over 500 known ransomware families, it has become one of the dominant cybercrime threats for law enforcement, security professionals and the public. However, a more comprehensive, evidence-based picture on the global direct financial impact of ransomware attacks is still missing. In this paper, we present a data-driven method for identifying and gathering information on Bitcoin transactions related to illicit activity based on footprints left on the public Bitcoin blockchain. We implement this method on-top-of the GraphSense open-source platform and apply it to empirically analyze transactions related to 35 ransomware families. We estimate the lower bound direct financial impact of each ransomware family and find that, from 2013 to mid-2017, the market for ransomware payments has a minimum worth of USD 12,768,536 (22,967.54 BTC). We also find that the market is highly skewed with only a few number of players responsible for the majority of the payments. Based on these research findings, policy-makers and law enforcement agencies can use the statistics provided to understand the size of the illicit market and make informed decisions on how best to address the threat.
KEYWORDS
the time of writing, there are 505 known ransomware families detected and almost all of them demand payments in Bitcoin [27], which is the most prominent cryptocurrency.
Yet, global and reliable statistics on the impact of cybercrime in general, and ransomware in particular, are missing, causing a large misunderstanding regarding the severity of the threat and the extent to which it fuels a large illicit business. Most of the statistics available on cybercrime and ransomware are produced by private corporations (cf. [29, 38, 39]) that do not disclose their underlying methodologies and have incentives to over- or under-report them since they sell cybersecurity products and services that are supposed to protect their users against such threats [23]. Also, both cybercrime and ransomware attacks take place in many regions of the world and reporting the prevalence of the threat on a global level is difficult, especially when it involves a blend of fairly sophisticated technologies that may not be familiar to a large number of law enforcement organizations [23, 37]. This is unfortunate because the lack of reliable statistics prevents policy-makers and practitioners from understanding the true scope of the problem, the size of the illicit market it fuels and prevents them from being able to make informed decisions on how best to address it, as well as to determine what levels of resources is needed to control it.
But ransomware offers a unique opportunity to quantify at least the direct financial impact of such threat: ransomware payments are transferred in Bitcoin, which is a peer-to-peer cryptocurrency
Preprint available at: https://arxiv.org/abs/1804.04080
55. MY PLAN FOR TODAY
• Cryptocurrency Recap
• Privacy-enhancing Cryptocurrencies
• Off-Chain Payment Channels
• Cryptocurrency Analytics
• Q & A
57. REFERENCES
• [Nakamoto, 2008]: Bitcoin: A peer-to-peer electronic cash system
• [Reid and Harrigan, 2012]: An Analysis of Anonymity in the Bitcoin System
• [Meiklejohn, 2013]: A fistful of bitcoins: characterizing payments among men with no names
• [Ortega, 2013]: The bitcoin transaction graph—anonymity
• [Biryukov et al., 2014]: Deanonymisation of clients in Bitcoin P2P network
• [Fleder et al., 2015]: Bitcoin Transaction Graph Analysis
• [Böhme et al., 2015]: Bitcoin: Economics, Technology, and Governance
• [Haslhofer et al., 2016]: O Bitcoin Where Art Thou? Insight into Large-Scale Transaction Graphs.
• [Gencer et al., 2018]: Decentralization in Bitcoin and Ethereum Networks
• [Kappos et al., 2018]: An Empirical Analysis of Anonymity in Zcash