Deciphering Pesticide Resistance in the Digital Currency Space

Written by evdmitriev | Published 2020/11/20
Tech Story Tags: monero | security | law-enforcement | privacy | bitcoin | hackernoon-top-story | bitcoin-spotlight | bitcoin-adoption

TLDR: In its Request for Information, the IRS noted cryptocurrency users' resistance to the blockchain forensics "pesticides" developed by Chainalysis, CipherTrace, and Elliptic. Privacy coins give illicit trade participants never-before-seen levels of protocol-level privacy. In 2020, the amount of bitcoin sent to and received from darknet actors increased 380% and 340% respectively, compared to 2017. Privacy coin users have already developed a number of traits to protect their security and privacy from being peeled away. We need to start paying attention to the scientific evidence of these tools' long-term effectiveness.

Uncontrolled use of deanonymizing technologies, such as blockchain forensics and darknet monitoring tools, can threaten the long-term security and safety of digital ecosystems.
We need to start paying attention to the scientific evidence of their long-term effectiveness instead of anecdotal claims about their ability to solve today's KYC/AML and law enforcement problems.
One way to approach this problem is to rely on scientifically proven methods of controlling malicious agents, heavily inspired by modern pest management techniques.

Lessons from agriculture

Pesticide resistance describes the decreasing susceptibility of a pest population to a pesticide that was previously effective at controlling it. The most resistant individuals survive and pass the traits that protected them on to their offspring, so the pressure that was meant to eliminate the population instead selects for resistance.
Efforts to control the transmission of malaria are an example. Recent studies have found that excessive use of insecticides such as bendiocarb has led to resistance to it in malaria vector populations in Cameroon.
Figure: Generational changes in insects after insecticide treatment.

Known resistance traits

Digital currency users have already developed a number of traits to protect their security and privacy from being peeled away. Some rely on encryption mechanisms, others on anonymizing technologies and various security-through-obscurity schemes.
All of them, however, were driven by external ecosystem pressure coming not only from malicious actors but also from legislative and regulatory bodies and law enforcement.
Efforts to attack malicious actors have often led to unintended consequences and helped those actors acquire security and privacy traits, as discussed below.

Tor

Tor is an internet privacy and anonymity protocol that wraps every message in several layers of encryption, one per relay on the path, so that each relay can remove only its own layer and learns only the previous and the next hop. The underlying technique, onion routing, was developed by the United States Naval Research Laboratory in the 1990s.
The 2000s saw its proliferation among journalists in hostile environments. US government efforts to weaken the Tor protocol only shifted the user base from intelligence officers and journalists, whose threat models mostly include well-funded state actors, to retail drug vendors, who are mostly concerned about local police departments that have a hard time securing their own IT infrastructure.
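To make the layered-encryption property concrete, here is an added example (not code from the original article and not Tor's implementation) that builds a three-layer onion for a constructed circuit of guard, middle and exit relays and walks it through them. It uses an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag as a stdlib-only stand-in for the per-hop ciphers Tor negotiates during circuit setup; the relay names, keys, destination and payload are all constructed for the example.

```python
import hashlib
import hmac
import json
import os


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode. Illustrative stand-in for the AES-CTR
    keystream real Tor cells use; it keeps the example stdlib-only."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC one layer: nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_layer(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; a relay must not forward a cell it cannot authenticate."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("layer failed authentication: wrong relay key or tampered cell")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


# Constructed three-hop circuit. In Tor each key is negotiated with that relay during
# circuit setup; here they are derived from the relay name so the example is reproducible.
CIRCUIT = [(name, hashlib.sha256(name.encode()).digest()) for name in ("guard", "middle", "exit")]


def build_onion(circuit, destination: str, payload: bytes) -> bytes:
    """Wrap innermost-first: the exit's layer is sealed first and the guard's layer is
    outermost. Each layer names only the next hop, never the final destination."""
    blob = seal(circuit[-1][1], json.dumps({"next": destination, "data": payload.hex()}).encode())
    for i in range(len(circuit) - 2, -1, -1):
        _, key = circuit[i]
        next_hop = circuit[i + 1][0]
        blob = seal(key, json.dumps({"next": next_hop, "data": blob.hex()}).encode())
    return blob


def peel(key: bytes, blob: bytes):
    """What one relay does: remove its own layer, learn the next hop, forward the rest."""
    layer = json.loads(open_layer(key, blob))
    return layer["next"], bytes.fromhex(layer["data"])


def route(circuit, onion: bytes):
    """Walk the onion through the circuit. Returns what each relay learned (its next hop)
    and the plaintext that finally reaches the exit."""
    learned, blob = [], onion
    for name, key in circuit:
        next_hop, blob = peel(key, blob)
        learned.append((name, next_hop))
    return learned, blob


def guard_can_read(circuit, onion: bytes, payload: bytes) -> bool:
    """After peeling only the guard layer, is the payload visible? It should not be."""
    _, inner = peel(circuit[0][1], onion)
    return payload in inner


def rejects(circuit, blob: bytes) -> bool:
    """True if the guard refuses the cell because its tag check fails."""
    try:
        peel(circuit[0][1], blob)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    payload = b"GET / HTTP/1.1"                       # constructed payload
    onion = build_onion(CIRCUIT, "example.onion", payload)   # constructed destination
    print(route(CIRCUIT, onion))
    print("guard sees payload:", guard_can_read(CIRCUIT, onion, payload))
```

Walking the onion shows the property the paragraph relies on: the guard learns only that the next hop is the middle relay, the exit is the only relay that sees the destination and payload, and no single relay holds both the client's identity and the destination. A flipped ciphertext byte fails the guard's tag check, which is the integrity check a relay needs so it cannot be tricked into forwarding corrupted cells.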

Decentralized Encryption Key Management

Taking over darknet markets and letting people continue trading in order to collect their identities only helped those who know how to use PGP, and pushed the development of decentralized marketplaces. The details of the law enforcement operation against AlphaBay users clearly sparked more interest in a then barely known peer-to-peer marketplace called OpenBazaar.
Figure: AlphaBay and OpenBazaar Google searches before and after the AlphaBay shutdown (July 13, 2017). The numbers on the graph show search interest relative to the highest point on the chart, 100 being peak popularity for the term. NTerminal data in Splunk.
Now fully functional, OpenBazaar removed the weakest link of any darknet market, the centralized server, making law enforcement investigations into the space much more difficult. The 70% increase in trade volumes on decentralized exchanges over the past month coincided with a drop in the use of criminal funds on centralized exchanges.
In 2020, the amount of bitcoin both sent to and received from darknet actors increased 380% and 340% respectively, compared to 2017: another example of driving criminals away from one technology only to promote the use of another.

Privacy Coins

Developing technologies to deanonymize Bitcoin transactions led to increased interest in privacy coins. The BlueLeaks dump of internal law enforcement documents revealed that agencies are highly concerned about developments in the privacy coin ecosystem.
In its recent Request for Information, the IRS noted cryptocurrency users' resistance to the blockchain forensics pesticides developed by Chainalysis, CipherTrace, Coinbase, and Elliptic. Largely opaque to those tools, privacy coins give illicit trade participants never-before-seen levels of protocol-level privacy.
Figure: NLP analysis of privacy coin mentions in a surveillance context. Mentions of blockchain forensics tools (e.g. Chainalysis, CipherTrace, Elliptic) are correlated with increased interest in privacy coins. The peak of activity is detected between March and April 2019. NTerminal data in Splunk.

Mixers

Many illicit trade participants try to compensate for the low degree of anonymity that open ledgers provide by using cryptocurrency mixers. Their main purpose is to launder illicit funds in a way that makes it difficult to trace their origin.
Mixer users send their coins to the mixer's common pool address, where they are broken down into many parts and blended with the coins that other users have previously sent to the service.
The initial amounts, minus the mixer's fee, are then paid out to the original users according to their contributions, often in small installments and to fresh addresses. On the ledger this breaks the link between the sending and the receiving addresses, thus obfuscating the transaction trail.
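As an added example (not the article's own code, and a simplified model rather than any real mixer), the following simulates the pooling step above with constructed deposits and a 1% fee, paying out either in one whole installment or in randomly sized installments, and then runs the amount-correlation heuristic an analyst would try first: match each payout to the deposit whose net amount it equals within 0.5%. The depositor labels, amounts, fee and tolerance are all assumptions.

```python
import random

FEE_BPS = 100  # 1% mixer fee in basis points (assumed)

# Constructed deposits: depositor label -> satoshis sent to the mixer's pool address.
# The label is ground truth for scoring only; the analyst sees amounts, not labels.
DEPOSITS = {"alice": 150_000_000, "bob": 72_000_000, "carol": 305_000_000}


def net_amount(amount: int) -> int:
    """Amount the mixer owes back after its fee (integer math, no rounding surprises)."""
    return amount - amount * FEE_BPS // 10_000


def _installments(net: int, rng: random.Random, max_share: float = 0.6) -> list:
    """Split `net` into 2-4 randomly sized parts, none above max_share of the total,
    so no single payout is close to the depositor's net amount."""
    while True:
        weights = [rng.random() for _ in range(rng.randint(2, 4))]
        parts = [int(net * w / sum(weights)) for w in weights]
        parts[-1] += net - sum(parts)  # absorb rounding so the parts sum exactly to net
        if min(parts) > 0 and max(parts) <= max_share * net:
            return parts


def run_mixer(deposits: dict, mode: str, rng: random.Random) -> list:
    """Pool the deposits and pay each depositor back their net amount.
    mode="whole": one payout per depositor (naive mixer).
    mode="installments": several randomly sized payouts per depositor."""
    payouts = []
    for user, amount in deposits.items():
        net = net_amount(amount)
        parts = [net] if mode == "whole" else _installments(net, rng)
        payouts.extend((user, p) for p in parts)
    rng.shuffle(payouts)  # payout order reveals nothing about deposit order
    return payouts


def amount_correlation(deposits: dict, payouts: list, tolerance_bps: int = 50) -> dict:
    """Analyst heuristic: link a payout to the unique deposit whose net amount it matches
    within tolerance. Returns payout index -> guessed depositor."""
    links = {}
    for i, (_, paid) in enumerate(payouts):
        candidates = [u for u, d in deposits.items()
                      if abs(net_amount(d) - paid) <= d * tolerance_bps // 10_000]
        if len(candidates) == 1:
            links[i] = candidates[0]
    return links


def score(links: dict, payouts: list) -> tuple:
    """(correct links, links claimed) measured against the ground-truth labels."""
    correct = sum(1 for i, u in links.items() if payouts[i][0] == u)
    return correct, len(links)


def compare(seed: int = 7) -> dict:
    """Run both payout strategies through the same heuristic and report the scores."""
    rng = random.Random(seed)
    results = {}
    for mode in ("whole", "installments"):
        payouts = run_mixer(DEPOSITS, mode, rng)
        results[mode] = score(amount_correlation(DEPOSITS, payouts), payouts)
    return results


if __name__ == "__main__":
    print(compare())
```

Against whole-amount payouts the heuristic re-links every depositor, because the mixer's only change to the amount is its fee. Randomized installments capped below the net amount defeat the single-amount match, which is why the installments in the text matter; they do not defeat a subset-sum search over payout combinations or timing analysis, and equal-denomination outputs (as in CoinJoin) are the other standard way to remove the amount signal.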
Cryptocurrency mixers offer additional privacy and are often used to disguise malicious activity; money laundering via coin mixing platforms is a common pattern among criminals.
During the 2016 Bitfinex hack, the attackers used coin mixers to obfuscate the trail of the stolen funds. Four years later, law enforcement has had little success recovering the stolen digital assets that went through mixers. This year alone, the use of coin mixing services on the darknet rose 2,100%.

Emerging super-resistance

While all the above resistance traits are often successful in subverting existing digital pest control tools, we are also starting to see the emergence of a super-resistance that combines multiple technologies.
Many darknet marketplaces already integrate mixers into their platforms. Even the perpetrators of the latest Twitter bitcoin scam used the CoinJoin mixing built into the Wasabi cryptocurrency wallet.
Figure: Movement of the funds stolen in the Twitter hack through cryptocurrency mixers. NTerminal data in Splunk.
The FBI also recently noticed growth in Tor-based privacy coin exchanges and marketplaces. Some of these super-resistance technologies, like Bisq and OpenBazaar, take it a step further by eliminating third parties altogether, relying on a combination of security deposits and dispute resolution providers to discourage dishonest behavior and creating a true peer-to-peer system.

Blockchain patterns

To show the complexity involved in blockchain transactions associated with darknet services, we can look at BTC exchanged for ZEC on Bisq and then back to BTC via XChange.me; both services are completely KYC-free.
The absence of third parties requires additional tools, like security deposits, to reduce the risk for both parties involved: the traded funds and each party's deposit are locked in a multisignature escrow, and once the trade is completed the funds are unlocked and go to the intended recipient, while the security deposits are returned to the trading parties.
Figure: Sankey diagram of cross-chain Bitcoin and Zcash transactions (all transaction values are presented in the original currency). NTerminal data in Splunk.
The diagram above represents Bitcoin exchanged for Zcash and the reverse transaction where funds go from Bisq to XChange.me. Complex record-keeping models make tracing transaction flows and associating entities with blockchain addresses a more laborious task.
Existing forensics tools have limited capabilities when it comes to complex multi-signature transactions and usually lose their effectiveness after about 7 transaction hops, since each hop that merges in unrelated funds dilutes the share attributable to the original source.
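An added example (not from the original article or any forensics vendor's tooling) of why attribution degrades with hops: haircut taint tracing over a constructed transfer log in which flagged funds pass through a mixing pool and then a chain of hops that each merge in unrelated funds. The addresses, amounts, the 1% threshold and the 7-hop limit applied by the trace are assumptions chosen to illustrate the dilution.

```python
from collections import defaultdict

# Constructed transfer log, chronological: (sender, receiver, amount in BTC).
# "hack" is the flagged source, "clean*" are unrelated funding sources, "M" is a mixing pool.
TRANSFERS = [
    ("hack", "A", 100.0),
    ("A", "M", 100.0), ("clean1", "M", 400.0), ("clean2", "M", 500.0),
    ("M", "B", 100.0),
    ("B", "C", 100.0), ("cleanC", "C", 100.0),
    ("C", "D", 100.0), ("cleanD", "D", 100.0),
    ("D", "E", 100.0), ("cleanE", "E", 100.0),
    ("E", "F", 100.0), ("cleanF", "F", 100.0),
    ("F", "G", 100.0), ("cleanG", "G", 100.0),
]


def trace(transfers: list, source: str, max_hops: int) -> dict:
    """Haircut taint: every outgoing coin carries the sender's current tainted fraction.
    Returns address -> (hops from source, taint fraction) for addresses reached within
    max_hops along paths that carry any taint at all. Assumes an acyclic, chronological log."""
    received = defaultdict(float)
    tainted = defaultdict(float)
    hops = {source: 0}

    def fraction(addr: str) -> float:
        if addr == source:
            return 1.0
        return tainted[addr] / received[addr] if received[addr] else 0.0

    for sender, receiver, amount in transfers:
        f = fraction(sender)
        received[receiver] += amount
        tainted[receiver] += amount * f
        if f > 0:  # only tainted flows extend the hop count; clean sources never enter `hops`
            hops[receiver] = min(hops.get(receiver, float("inf")), hops[sender] + 1)
    return {a: (h, round(fraction(a), 6)) for a, h in hops.items() if h <= max_hops}


def worth_following(result: dict, threshold: float) -> list:
    """Addresses an analyst would keep on the worklist: taint at or above threshold."""
    return sorted(a for a, (_, t) in result.items() if t >= threshold)


if __name__ == "__main__":
    reached = trace(TRANSFERS, "hack", max_hops=7)
    for addr, (h, t) in sorted(reached.items(), key=lambda kv: kv[1][0]):
        print(f"hop {h}: {addr} taint={t:.4%}")
    print("still worth following at 1%:", worth_following(reached, 0.01))
```

Each merge with clean funds halves the tainted fraction in this log, so by hop 7 the analyst is chasing a 0.6% attribution and would normally drop it below a working threshold. Haircut is one of several conventions: poison tainting keeps every downstream address fully tainted and so over-flags, while FIFO depends on output ordering, so the hop limit a tool applies is a policy choice of the tool, not a property of the ledger.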
Figure: Sankey diagram of incoming and outgoing transactions of the XChange.me BTC address. NTerminal data in Splunk.
Other similar KYC-free services have introduced new hurdles for law enforcement, especially in relation to Monero's increased use on the dark web. A recent FBI investigation showed the link between a Panamanian instant crypto exchange, MorphToken, and the darknet markets Cryptonia and Apollon.
It is important to keep in mind that using privacy coins and anonymous exchange services is not in itself illegal. Although the additional anonymity they provide is often associated with illicit trade, it is hard to meet the "beyond reasonable doubt" standard when bringing a case forward.
The natural deniability of pseudonymous transactions that pass through these money-laundering services is proving to be a high barrier for prosecutors. That said, the RAND Corporation report on the use of privacy coins pointed out significant disagreement concerning the extent to which cryptocurrencies are used for criminal intent.
A recent study estimated that approximately 25% of Bitcoin users and 44% of Bitcoin transactions are involved in illicit activities. Monero accounts for an estimated 4% of illicit transactions on darknet marketplaces, compared to 76% for Bitcoin.

Conclusion

Lessons from agriculture taught us to be careful with pesticide use and to rely on two or more pesticides with different modes of action to improve results and delay or mitigate existing pest resistance.
Agricultural concepts like Integrated Pest Management (IPM) have already proven their long-term effectiveness and can be applied to combating malicious actors who use digital currency.
Overlapping financial, natural language, and technical surveillance tools should be used simultaneously to monitor the entire ecosystem effectively. Attempting to control all ecosystem participants with one approach will only lead to the unintended development of resistance.
Thanks to Sofia Sedlova, Christina Tkach, and Les Aker for contributing to this article. Illustration by Mihailo Tatic.

Written by evdmitriev | IT Security Engineer who built systems for the Bank of France, INTERPOL, Diebold, and Inca Digital.
Published by HackerNoon on 2020/11/20