Understanding Bitcoin’s role in the Russia investigation
Permissionless networks, like Bitcoin or the internet, are unfortunately used by criminals, but are not the root cause of crime.
Last Friday, Special Counsel Robert Mueller announced the indictment of 12 Russian operatives, charged with criminally interfering in the 2016 Presidential election. The indictment indicated that the hackers used bitcoin to purchase domain names, server space, and VPN access that facilitated their attempt to unduly influence the election. In the aftermath of this indictment, we’ve seen some misconceptions spread surrounding Bitcoin’s usefulness to criminals and its relative importance to this and other cyber crimes like ransomware attacks. To set the record straight: As described in the indictment, Bitcoin was not an essential tool for the hackers. Those services can easily be purchased using a variety of other online payment methods and none of them are particularly exotic or expensive to obtain. If Bitcoin didn’t exist the hack and the dissemination of pilfered emails would still have happened.
When considering the role of Bitcoin in the context of the the Mueller indictment or cybercrime more generally, there are a few key points we would like to highlight:
- Bitcoin is far from an ideal tool for criminals, and many (including those recently indicted) are caught red-handed using it.
- Concern over Bitcoin’s use by criminals resembles concern over criminal use of the Internet back in the 1990s; both are permissionless networks which will inevitably be used for good and for bad purposes, but in the long term undoubtedly far more good than bad.
- The root cause of cybercrime is poor cybersecurity, not the mere existence of Bitcoin, cryptocurrency, or any other neutral tool or technology. Cryptocurrencies may, in fact, be part of the solution rather than the problem. Public interest in and use of these technologies increases awareness of privacy and security-enhancing cryptographic tools, strong passwords, and two factor identification, as well as good cyber hygiene generally.
It is not clear from the indictment precisely how the investigators linked the defendants to their bitcoin wallets. Perhaps the Special Counsel’s office identified the hackers first and then connected them to their digital wallets, or perhaps the investigators identified the digital wallets first and then linked them to the hackers. What is certain is that this indictment flies in the face of the popularly held belief that Bitcoin’s “anonymity” makes it a natural tool for criminal syndicates. These perpetrators were caught red-handed, digital wallets and all. Indeed, the indictment refers to the “the perceived anonymity of cryptocurrencies such as bitcoin” (italics added). What this tells us is that law enforcement is capable of meeting the challenge posed by criminal adoption of cryptocurrency just as it was up to the challenge posed by the adoption of email, pagers, and automobiles.
Permissionless Technology and Criminal Use
The concern about Bitcoin’s criminal applications is reminiscent of the early days of the consumer internet. The internet, then as now, was a permissionless tool that anyone could use for good or for ill.That permissionless nature unfortunately meant that bad actors could get a hold of the technology and use it for bad purposes, but it also meant that anyone could start a blog and share their perspective with the world (even a political dissident in a totalitarian state). It also meant that anyone could start a business and gain access to a global customer base, even if the business seemed ludicrous at first — like selling books over the mail or creating an informal person to person taxi service. Like our national highway system, the internet has evolved into the wealth and freedom-enhancing tool it is today precisely because it was free and open to all users without exception even if that meant that criminals could use it too. This is also true of cryptocurrency networks, and it has been true for most transformative new technologies.
The real root cause: poor cybersecurity
If we’re looking for a way to stop attacks like those outlined in the recent indictment, we need to target weaknesses in our privacy infrastructure and our cybersecurity habits, not the tools that some may use to exploit those weaknesses. We need to use https encryption by default; we need to understand and practice two factor authentication; we need to talk about password managers and what makes a strong password; and we need to think about payment systems that don’t consistently hemorrhage our personal identifying information.
Cryptocurrencies could even be a boon to efforts to harden our vulnerable cyber-infrastructure and imprecise cyber-habits. These technologies popularize cryptography and help people understand what they can do to keep their personal information secure. Holding cryptocurrency gives people skin-in-the-game with respect to their cyber hygiene practices. Folks might spend a few minutes on average learning how to secure their email from hackers, even less if they feel they’ve nothing to hide. When a bitcoin wallet secures hundreds or even thousands of dollars, however, folks tend to try harder and learn more. Today’s wallets and exchanges guide users through important best practices like two factor authentication and strong passwords, and that can have positive knock-on effects for all manner of cybersecurity challenges. Longer term, several developers are focused on replacing password-based login systems entirely, and blockchains--as trust anchors for identity credentials--are a big part of that effort. Additionally, dangerous holes within the critical infrastructure of the Internet itself (like DNS registries and certificate authorities) may soon be plugged using open blockchain technology.
Again, if Bitcoin did not exist, would the Russians still have been able to purchase the domains and VPN services they used to perpetrate these criminal acts? Of course they would have. In fact, there are many payment methods that are far more anonymous than Bitcoin. Prepaid cards, for example, are actually more anonymous because they can be mailed and then used or resold internationally with effectively no trace. Not to mention cash itself, which leaves no trace. Bitcoin transactions, however, leave a trail of pseudonymous breadcrumbs on the blockchain and if the hacker tries to cash out into local currency, she might inadvertently reveal a name or an IP address for those pseudonyms and give herself away. Blockchain transactions can reveal the structure of organized crime rings, and individual hackers are routinely caught and prosecuted.
All in all, yes, criminals are frequently early adopters of new technologies. They believe that law enforcement is slow and too technologically incompetent to catch them. But this has been proven false time and again—most recently, in Mr. Mueller’s indictment.