Mastercard's CipherTrace used 'honeypots' to harvest intel on crypto wallets

On March 3, 2020, just before lunchtime in Washington, DC, Stephen Ryan sent someone at the US Treasury Department a note of thanks with a curious detail.

COO and co-founder of cryptocurrency tracing firm CipherTrace, Ryan was one of 16 executives who had attended an industry summit the day before alongside then-Treasury Secretary Steven Mnuchin. Along with thanking him for the meeting, Ryan attached a series of slides presenting CipherTrace's strategy for demystifying crypto wallets. Among those methods: "honeypots."

This article is part of CoinDesk's Privacy Week series.

Ryan's note was part of a 250-page trove of Mnuchin's emails obtained by CoinDesk through a Freedom of Information Act (FOIA) request. Parts of the slide deck look a lot like CipherTrace's public promotional material, which has also referred to "honeypots" or the rhyming "crypto money pots" since at least 2018.

What did CipherTrace mean by these terms? The cybersecurity community uses the word "honeypot" to describe a decoy target that collects information about unsuspecting attackers. In other words: a trap.

CipherTrace Treasury Presentation Slide, 3/3/20

CipherTrace, which payments giant Mastercard bought last fall for an undisclosed price, is part of a cottage industry that polices the €14bn-a-year crossroads of cryptocurrency and crime. Examining millions of daily transactions recorded on blockchains, or public ledgers, companies like Chainalysis, TRM Labs and Elliptic look for red flags and illicit moves, flagging suspicious addresses as they go.

The companies see their service as essential to normalizing cryptocurrencies and eradicating crime. Critics castigate these tracking companies as blockchain narcs, even though they work primarily with public information.

CipherTrace would not be the first company in this niche to set traps in hopes of capturing information that cannot be traced on-chain. Chainalysis, the leading cryptocurrency tracking provider, has for years run a wallet explorer website that captures visitors' IP addresses and links them to the blockchain addresses they searched for. The company only acknowledged the practice last October, a month after CoinDesk published an article drawing attention to it.

More than half a dozen cryptocurrency industry veterans told CoinDesk that they had no idea what CipherTrace meant by "honeypots." In a statement provided to CoinDesk, the Los Gatos, California-based company gave the basic computer-security definition without explaining what the term means in the context of blockchain analysis.

Screenshot of CipherTrace website, 27/01/21

"A 'crypto money pot' or 'honeypot' is a security term that refers to a mechanism that creates a virtual trap to lure in potential attackers," CipherTrace said, adding that the documents mentioning such tactics are old. "CipherTrace no longer uses 'crypto money pots,'" the company said (although its website touted both money pots and honeypots as of Thursday).

CoinDesk asked CipherTrace: "Does your company collect IP address data for the purpose of linking it to wallet addresses?"

A CipherTrace representative responded: "As a privacy-focused company, CipherTrace does not assign IP data to individuals."

That did not answer CoinDesk's question, which was whether CipherTrace maps IP addresses to wallets. CoinDesk asked a second time whether CipherTrace maps IP addresses to wallet addresses. CipherTrace did not reply.

Such evasiveness "is a common problem in the privacy space when we talk about network identifiers like IP addresses," said cybersecurity researcher Sean O'Brien. "Companies try to distance themselves from what is traditionally called personally identifiable information by saying that IP addresses are something else. In fact, they are incredibly useful for identifying homes, businesses and individuals."

For example, "if you need to investigate a bitcoin transaction linked to a suspected cybercrime, IP addresses are exactly the type of information you're looking for," O'Brien said. "Early internet and law enforcement cases relied on IP addresses as evidence, for good reason. And they are just as useful for harassing and stalking people as they are for prosecuting them."

Following the money

Tracking firms have long been a major, if underrecognized, force in crypto's institutional march. Pushing back against the tired perception that bitcoin is primarily a tool for criminal finance, they analyze the data to show how small that criminal share really is.

Chainalysis recently estimated that 0.15% of crypto transactions in 2021 were illicit, by far the lowest percentage on record. ("Illicit" wallets nonetheless amassed a record €14 billion last year, a seemingly paradoxical statistic that Chainalysis attributed to the meteoric growth of cryptocurrency overall.)

CipherTrace states that its mission is to “grow the cryptocurrency economy by giving it the trust of governments, securing it for mass adoption, and protecting financial institutions from the risk of crypto money laundering.”

Taken from the presentation shared with Treasury, this description would likely be endorsed by all of its competitors. It is also at the center of critics' concerns. Privacy maximalists believe that Bitcoin, radically transparent but pseudonymous, should be independent of the state, and they see the work of these companies as a betrayal of that ideal.

"It's kind of an invasion of users' privacy, in the same way you might complain about centralized web analytics companies that collect IP addresses and place cookies on people's computers and track them site to site," said John Light, a longtime cryptographer, educator, writer, podcaster and event organizer.

On-chain analytics is essentially a race for attribution.

In cybersecurity circles, attribution means identifying the perpetrators of a hack. In the cryptocurrency context, it refers specifically to the practice of blockchain sleuths linking pseudonymous wallet addresses to identifiable actors. These actors could be custodians or licensed crypto exchanges; ransomware attackers; darknet markets; or sanctioned persons or entities.

For example: anyone with an internet connection can see that wallet abc123 transferred 0.5 BTC to zxy987, but this information is pretty useless on its own. A tracing database, however, could document that the US Office of Foreign Assets Control has identified zxy987 as belonging to a sanctioned African warlord. Or it could show that abc123's bitcoin was stolen from an exchange.

This is valuable information for exchanges that want to keep illicit activity out, for users who want to keep their coins clean, and for governments that want to follow the money. All of it hinges on rigorous attribution.
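To make the attribution workflow above concrete, here is an added, self-contained illustration (not CoinDesk's code, nor CipherTrace's or Chainalysis's) of how a compliance team turns raw transfers plus an attribution table into a screening verdict. It generalizes the abc123/zxy987 example slightly: besides checking an address's direct counterparties, it walks forward through the transfer graph so that funds a few hops downstream of stolen or sanctioned coins are also flagged for review. All addresses, labels, amounts and the risk categories are constructed sample data; the function names are hypothetical.

```python
"""Attribution-based transaction screening (added example, constructed data).

ATTRIBUTION plays the role of a tracing firm's attribution dataset: a map from
a known address to a human-readable label and a risk category. TRANSFERS is a
small constructed slice of on-chain activity. Nothing here is real data.
"""
from collections import defaultdict, deque

# Hypothetical attribution table: address -> (label, risk category)
ATTRIBUTION = {
    "zxy987": ("sanctioned entity (OFAC-listed, constructed)", "high"),
    "theft_proceeds_1": ("stolen from exchange (constructed)", "high"),
    "exchange_hot_1": ("licensed exchange hot wallet (constructed)", "low"),
}

# Constructed transfers: (sender, receiver, amount in BTC)
TRANSFERS = [
    ("theft_proceeds_1", "mixer_in_1", 5.0),   # stolen coins move once
    ("mixer_in_1", "abc123", 1.0),             # ... and again, to abc123
    ("abc123", "zxy987", 0.5),                 # the article's example transfer
    ("abc123", "exchange_hot_1", 0.4),         # remainder deposited at an exchange
    ("clean_user_1", "exchange_hot_1", 2.0),   # unrelated, clean deposit
]


def build_graph(transfers):
    """Adjacency lists in both directions: who sent to whom, and who received from whom."""
    outgoing, incoming = defaultdict(set), defaultdict(set)
    for sender, receiver, _amount in transfers:
        outgoing[sender].add(receiver)
        incoming[receiver].add(sender)
    return outgoing, incoming


def taint_distance(transfers, attribution, max_hops=3):
    """Forward breadth-first search from every high-risk address.

    Returns {address: hops} for every address reachable within max_hops of a
    high-risk source (the sources themselves are at distance 0). Addresses
    that never receive from a tainted path are simply absent.
    """
    outgoing, _ = build_graph(transfers)
    distance = {}
    queue = deque()
    for addr, (_label, risk) in attribution.items():
        if risk == "high":
            distance[addr] = 0
            queue.append(addr)
    while queue:
        current = queue.popleft()
        if distance[current] >= max_hops:
            continue
        for nxt in outgoing[current]:
            if nxt not in distance:          # keep the shortest path only
                distance[nxt] = distance[current] + 1
                queue.append(nxt)
    return distance


def direct_exposure(addr, transfers, attribution):
    """Labels of every attributed address that addr sent to or received from."""
    outgoing, incoming = build_graph(transfers)
    counterparties = outgoing[addr] | incoming[addr]
    return sorted(attribution[c][0] for c in counterparties if c in attribution)


def screen_deposit(addr, transfers=TRANSFERS, attribution=ATTRIBUTION, max_hops=3):
    """Screening verdict for an incoming deposit originating from addr.

    'block'  - addr itself is attributed as high risk
    'review' - addr is within max_hops of high-risk funds, or directly
               transacted with a high-risk address
    'clear'  - no known exposure in this (constructed) dataset
    """
    if attribution.get(addr, ("", ""))[1] == "high":
        return "block"
    if addr in taint_distance(transfers, attribution, max_hops):
        return "review"
    high_risk_labels = {lbl for lbl, risk in attribution.values() if risk == "high"}
    if set(direct_exposure(addr, transfers, attribution)) & high_risk_labels:
        return "review"
    return "clear"


if __name__ == "__main__":
    for candidate in ("abc123", "clean_user_1", "zxy987", "exchange_hot_1"):
        hops = taint_distance(TRANSFERS, ATTRIBUTION).get(candidate)
        print(f"{candidate:16s} hops from tainted funds: {hops}  verdict: {screen_deposit(candidate)}")
```

The point the example makes is the one the article makes: the transfer abc123 -> zxy987 is meaningless on its own, and only the attribution table turns it into a finding. Note also why tracing firms prize fresh attribution data: every label in ATTRIBUTION extends the reach of the search, while an unlabelled address such as mixer_in_1 is invisible to the screen until something upstream of it is identified.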

With potentially millions of dollars in investigative contracts at stake, these companies have a pressing need to mine new attribution data. CipherTrace, for example, has signed 20 contracts with federal agencies since 2018, worth up to €3.5 million, the most recent being expert witness work, according to public records.

In an industry that rewards creators of nuanced and detailed attribution datasets, and in a field where criminals are hungry for any intelligence that helps them evade attention, keeping the attribution secret sauce secret is paramount, two longtime practitioners said.

Nonetheless, in his email to Treasury, Ryan gave some insight into "how cryptocurrency attribution is done." Honeypots were listed among the "active" strategies in the slideshow.

Chainalysis: The Ace of Blockchain Attribution

CipherTrace's biggest competitor began exploiting a novel data source of its own three years ago.

Founded in 2014 and valued at $4200 billion last June, Chainalysis is the big kahuna of the tracking industry. It has racked up tens of millions of dollars in federal contracts selling software that visualizes on-chain activity. While anyone with an internet connection can browse a blockchain's public records, they need a little help understanding what lies down the rabbit hole.

But the tracer's real selling point is its attribution dataset, three industry experts said. No other company has amassed wallet data as detailed as Chainalysis's, the sources said.

That's partly because no other tracker has such a massive commercial footprint. Chainalysis provides tracking software to 500 "virtual asset service providers," or VASPs, as regulators call them. It's a mutually beneficial relationship: the companies get powerful crypto compliance tools, and Chainalysis adds their wallet addresses to its global database. It does not, however, ask those customers for data about their own customers.

"We cannot speak for all other providers. Other providers may request more information. But Chainalysis is only interested in service-level transaction data," the company explained in a 2019 blog post. In other words, it only identifies companies whose controlling wallets it knows, not people.

But that wasn't the whole story: Chainalysis's clients and public wallet information weren't the company's only sources of data.

In an undated slideshow for Italian police that leaked last September, a Chainalysis business team described how the company's vast network of Bitcoin and Electrum wallet nodes captures valuable user data, such as the IP addresses of connecting wallets. This helped investigators find significant criminal leads, according to the document.

The program

The slideshow also shed new light on walletexplorer.com, a popular bitcoin block explorer run by Chainalysis since 2015. According to the documents, which CoinDesk has verified as genuine, the website "scrapes" the IP addresses of suspected users, linking their internet fingerprint to their wallet addresses. This dataset provided "significant leads" for law enforcement.

"It was never a secret that Chainalysis owned and operated walletexplorer.com; since 2015 there is a statement at the bottom of the home page that the author of the site works at Chainalysis as an analyst and programmer," a...