Blockchain Threat Tracker 2018

Lauren Saine, Clashbit ~ lauren.saine@gmail.com


(See Regulatory Agencies Reference Document)


6.05   What about Network Layer 1?

Public blockchains, regardless of how decentralized or how masked, rely on the physical layer of the telecommunications infrastructure--the cables and poles and airwaves that envelop the globe. The physical layer, or Layer 1 of the internet, is privately-owned and easily controlled by state actors. This represents a vulnerability of public blockchains that may not be solvable by new technologies alone.

State actors are continuing to develop their own physical infrastructure, which makes control seamless, obviating the need to go through telecom multinationals. For example, the Chinese government is developing quantum key distribution satellites and a fiber link stretching over 2,000 km from Beijing to Shanghai.

Blockchain-related businesses can of course also be controlled through their users, owners, miners, or any other entity reachable by law enforcement. Chillingly, the Chinese government’s recent white paper asserts that ‘[Blockchain technology has] become an important support for the social credit system.” [Google translate]

Note: I have not been able to determine what methods Papua New Guinea used to shut down Facebook.

5.28   New FinCEN rules require identification of beneficial owners

FinCEN announced May 11 that covered financial institutions must verify the identities of natural persons who are the beneficial owners of accounts held by legal entities. The new CDD Rule amends FinCEN's Bank Secrecy Act rules, to "prevent criminals and terrorists from misusing companies to disguise their illicit activities and launder their ill-gotten gains." Covered institutions include U.S. banks, mutual funds brokers or securities dealers, futures merchants, and commodities brokers.

In related moves, South Korea is now requiring crypto traders to open “real name” accounts at the same banks as their exchanges in order to deposit money to trade cryptocurrencies. And the Japanese Financial Security Agency (FSA) has banned all cryptocurrencies that provide a degree of anonymity...In response, Japanese exchanges are pulling four major privacy coins—monero (XMR), dash, Augur's reputation (REP), and zcash (ZEC)—from their platforms.

5.18   If anyone still thinks bitcoin is anonymous and fungible...

DMG is pitching a surveillance tool for trading platforms to use on their own users. BitScore uses AI and machine learning to track cryptocurrency, detecting hops between transactions to determine the origin of funds, and using a weighting function to identify suspicious transactions. DMG says "understanding the provenance of source and destination addresses is imperative...for regulatory compliance.”

Meanwhile, Chainalysis continues its march to become the NSA of crypto. U.S. federal agency customers now include the SEC and CFTC as well as ICE, IRS, FBI, DEA, and BFS. Chainalysis is a member of the benignly-named Blockchain Alliance a “public-private forum” to assist law enforcement and regulatory agencies.

Another member of the Alliance, CipherTrace, claims it can trace the provenance of each bitcoin involved in a transaction and determine if it came from a money-laundering site like BitBlender, a dark web marketplace like DreamMarket, or from digital wallets belonging to known criminals; it can also enable exchanges to monitor "exits" when users exchange their funds into dollars.

Coindesk reports that OFAC’s Q&A about “virtual currency” now warns that they may list cryptocurrency addresses associated with blocked persons, which means financial institutions would have to screen crypto transactions.

Even mammoth, shadowy exchange Bitfinex says it may report personal ID data to US and OECD-member tax authorities.

4.24   Case against Coinbase for allowing money-laundering moves ahead

The 11th Circuit Court of Appeals has allowed a case against Coinbase to move forward. The plaintiffs are scammed customers of another exchange claiming Coinbase should have halted suspicious-looking trading by the founder of their exchange. In other private enforcement actions, Kraken was the target of a lawsuit last year claiming it should have halted trading while under a DDOS attack.

4.20   New blockchain surveillance tools are scraping the web

Regulator demand for blockchain surveillance tools is increasing, and the private sector is responding. U.S. government contractor Chainalysis recently announced a KYT tool, with Series A funding from Benchmark Capital, which links real-time data on the "underlying purpose" of transactions with exchanges’ transaction processing. Until now, Chainalysis software only allowed customers to analyze transactions retroactively, but the KYT tool provides transaction analysis in real time.

The Merkle reports that Bitfury’s Crystal "blockchain analysis tools successfully de-anonymized millions of transactions and their associated addresses...[using] Bitcoin address clustering, which exposes users by identifying addresses which may be linked to one and the same user...gathering information from nearly 100 different sources.... Twitter and Reddit contain a treasure trove of information when it comes to de-anonymizing Bitcoin users. Close to 16% of the entire Bitcoin blockchain has been identified as a result of the first major test conducted by BitFury Group."

Legacy players are entering the market as well. Amazon Technologies won a patent for a process that de-anonymizes “cryptographic tokens” by combining multiple real-time data streams--from online merchant payment transactions, tax filings (which are supposed to be confidential), and other sources--with cryptocurrency transactions. Finally, we have long known that data mining company Palantir counts many government clients; Forbes reported that the CIA was a seed investor.

3.26   U.S. asserts jurisdiction over data held outside the country

The Cloud Act, part of the Consolidated Appropriations Act of 2018 (page 2201 et seq), allows the U.S. government to seize data on servers outside U.S. territory, if it can find a U.S.-based entity that can access those servers. Conversely, it also allows "qualified" foreign governments to wiretap communications and seize personal data of U.S. citizens on U.S. territory and abroad, obviating the need to use the cumbersome Mutual Legal Assistance Treaty process.

The Cloud Act allows access to personal data held by communications-service providers for law enforcement purposes; the EU-US Privacy Shield allows access to commercial data by registered private companies (both probably inconformance with the GDPR).

FinCEN’s existing regulations under Section 314(a) of the Patriot Act allow federal, state, local, and EU law enforcement to demand information from more than 16,000 financial institutions to find accounts and transactions that might be involved in terrorism or money laundering. (This has been used to identify facilitators of high-level political corruption using shell companies, misappropriating state assets, and exploiting the real estate sector.)

In other surveillance news, Privacy International reports that, from the Joint Defence Facility Pine Gap in Alice Springs, Australia, the US controls a global satellite network which monitors wireless communications under the Five Eyes agreement.

3.21   The NSA is tracking token users

The Intercept reports that the Snowden documents reveal that the NSA has been “tracking down” coin holders on the bitcoin ledger and getting their passwords, internet activity, and MAC addresses. The NSA uses its XKeyScore search system and OAKSTAR, a system of covert partnerships with corporate owners of the global internet infrastructure.

Subprogram MONKEYROCKET taps into unspecified “foreign" fiber cable sites, and forwards that data to the NSA’s technical center in Germany. It's most controversial forms of surveillance, including warrantless bulk monitoring of emails and fiber optic cables from this and other programs, may have been used in court via "parallel construction."

We’ve long known that security company RSA incorporated compromised NSA algorithms into its products. Not to crush any remaining illusions, but we now also know that The Tor Project is largely funded by US government agencies RFA (BBG), DRL (State Department), and the NSF. See https://www.torproject.org/about/findoc/2015-TorProject-combined-Form990_PC_Audit_Results.pdf.

3.20   Section 702 v. Section 230

FISA Section 702 , as reauthorized, codifies government surveillance abuses. It allows the NSA to demand data without a warrant--online content platforms must turn over messages to and from certain identifiers, and ISPs must intercept traffic traversing their cables and servers.

CDA Section 230 protects online platforms from liability for good faith actions to restrict objectionable material. (April 14 update: SESTA/FOSTA may upend that protection.)

2.15   The IRS is tracking crypto transactions

Laura Shin: Chainalysis, with just $1.6 million in capital invested, already counts the IRS, FBI (and DEA), and Europol as users of its tools, which allow specific crypto transactions to be traced.