Bitcoin Money Laundering and Mueller’s 12

By Tim Cotten

This article gives an overview of how indicted Russian spies used Bitcoin to purchase services, such as BitVPN, to support hacking the Democratic National Committee (DNC) during the 2016 U.S. presidential election. It contains a simple reconstruction of the most obvious Bitcoin transactions associated with the evidence documented in the Grand Jury indictment of July 13th, 2018.

On July 13th, 2018 the Grand Jury for the District of Columbia indicted 12 operatives from the Russian Federation’s Main Intelligence Directorate of the General Staff (GRU) on eleven counts related to the hacking of the Democratic National Committee (DNC).

This indictment was a direct result of Special Counsel Mueller’s investigation into Russian interference in the 2016 U.S. election and in one of the most notable cases of blockchain technology being referenced in an international criminal case, features an entire section (Count Ten) dedicated to money-laundering using Bitcoin in order to pay for hacking related services.

PBS has shared the document on their website and provided a direct link here: https://d3i6fh83elv35t.cloudfront.net/static/2018/07/Muellerindictment.pdf

PBS: Read Mueller’s full indictment against 12 Russian officers for election interference

Bitcoin was used to obfuscate money trails, purchase domains, host webservers, and for “otherwise making payments in furtherance of hacking activity.”

Count Ten: Conspiracy to Launder Money

More incredibly, the indictment demonstrates sample cases of the Bitcoin activity, including a reference to a unique transaction on February 1st, 2016 for 0.026043 BTC in Block #396123.

The Smoking Gun: Caliber 0.026043

Paragraph 60 of the indictment specifically calls out that the “gfadel47” account was instructed to “[p]lease send exactly 0.026043 bitcoin” to “a certain thirty-four character bitcoin address.”

An analysis of the Bitcoin blockchain during that February 1st, 2016 time-frame (and including one day before and after) shows that only a single transaction matches the 0.026043 amount:

In short, we can be confident that the bitcoin address used in the alleged conspiracy was 1LQv8aKtQoiY5M5zkaG8RWL7LMwNzVaVqR. Further, we can identify other addresses related to this one and, to some degree, the various spends made by the Russian operatives in pursuit of hacking the DNC.

The Bitcoin blockchain does not anonymize or hide details about its users like alternative blockchains like Monero. Additionally, the entire history of the blockchain, including empty or fully spent addresses, is retained by the mining nodes unlike newer cryptocurrencies like Mochimo (which uses the ChainCrunch™ technology to summarize the ledger state at intervals).

Thus, all Bitcoin transactions are permanently documented and there are various means of linking IP addresses with the transactions being broadcast to the network. In fact, it’s quite possible to associate IP addresses with Bitcoin addresses simply by connecting to enough of the active nodes in the Bitcoin network and “listening in.”

It’s important to understand that the Bitcoin blockchain itself doesn’t store IP addresses, but the Bitcoin node architecture doesn’t make any special effort to obfuscate or hide the IP addresses sending transactions to the mining nodes. Various organizations and intelligence agencies no doubt run enough nodes on popular blockchain networks to maintain private repositories of user IP addresses and their associated Bitcoin addresses.

Can’t IP addresses be hidden through proxies or Virtual Private Networks? That sort of protection only shields a certain amount of activity. As an example, Special Counsel Mueller’s indictment specifically addresses the use of Virtual Private Networks (VPNs) and the mistakes made by the operatives allowing the identification of personas such as “Guccifer 2.0” and their associated Bitcoin usage.

The Main Intelligence Directorate (Главное разведывательное управление), or GRU (ГРУ) for short, is the foreign military intelligence agency of the Russian Federation.

The indictment specifically lists two internal units, Unit 26165 and 74455, as being involved in cyber operations to interfere with the 2016 U.S. presidential election.

The Grand Jury has indicted twelve Russian operatives: Viktor Borisovich Netyksho, Boris Alekseyevich Antonov, Dmitriy Sergeyevich Badin, Ivan Sergeyevich Yermakov, Aleksey Viktorovich Lukashev, Sergey Aleksandrovich Morgachev, Nikolay Yuryevich Kozachek, Pavel Vyacheslavovich Yershov, Artem Andreyevich Malyshev, Aleksandr Vladimirovich Osadchuk, and Aleksey Aleksandrovich Potemkin.

They are accused of gaining unauthorized access to the computers of people involved in the 2016 U.S. presidential election, as well as stealing documents from those computers and arranging their release through other organizations.

Count One and Eleven: Conspiracy to Commit an Offense Against the United States

The first and last counts detail, in depth, how the Russian military intelligence officers involved in the hacking compromised the computer systems and networks of the Democratic Congressional Campaign Committee (DCCC) and the Democratic Nation Convention (DNC).

Spearphishing compaigns were used to compromise email accounts, network analysis and security probes were performed to identify weaknesses, malware was installed on routers, Russian intelligence-specific hacking software like X-Agent was deployed (and persisted despite removal attempts), and documents stolen en masse.

Further, the operatives conspired with other organizations to release the documents publicly.

Counts Two through Nine: Aggravated Identity Theft

The identity theft accounts are generally concerned with the phishing and hacking of email accounts, including credential-based identity impersonation.

Counts 2 through 9: Compromised Email Accounts

Note that the approximate compromise dates were in the March — July time-frame while the Bitcoin transaction referenced at the beginning of the article (for an unnamed resource, such as registering a domain name or making a monthly web-hosting payment) was on February 1st: well in advance.

Count Ten: Conspiracy to Launder Money

The meat of our article is concerned with Count Ten; wherein the usage of Bitcoin (amongst other cryptocurrencies) is identified as a method the operatives used to procure equipment and resources used in the hacking and information dissemination campaigns.

$95,000 Spent in Cryptocurrencies in 2016

It’s of note that the U.S. federal government considers the usage of cryptocurrency to circumvent transaction identification or the attempt to buy resources anonymously as evidence towards money laundering.

On February 1st the opening price for Bitcoin was approximately $369.35 according to CoinMarketCap.

With the example transaction https://www.blockchain.com/en/btc/tx/3c4c026ce8a285ddc281f78e5f9d00df2c19d627904165696faf8263a6f34761 containing a spend of 0.026043 bitcoin the value at the time would’ve been equivalent to approximately $9.62.

The Only 0.026043 BTC Spend On or About 2016-02-01

Additionally, the transaction demonstrates a remaining balance transferred to a new address https://www.blockchain.com/en/btc/address/1AK79g9gpvZ8jn2C9MsWQpijMFA5JaTdqP of 4.54325747 bitcoin, or approximately $1,678.05.

In other words, this transaction was one of many in a longer series of discretionary spending for services needed for the operations of the group. They would send an amount for some external service (like a domain registrar), and then forward the remaining balance to, in most cases, a single “change address”.

This allows us to, in part, reconstruct an activity and payment history simply by following the incoming and outgoing transactions related to this address.

It appears that many of the transactions from these addresses had only two outputs: a service provider of some sort needing payment, and a change address to store the new, lower balance of the “account.”

By moving backwards through the blockchain we can see that the top-most useful address following this pattern is: 1KgUcHDuWLVzFxVnwp3u5jZw3FmorjG1jD

The Top-Most Useful Address

This address (1KgUcHDuWLVzFxVnwp3u5jZw3FmorjG1jD) contained, at the start, 11.8445 BTC as of December 16th, 2015 before 0.8 BTC was spent. In total, at a price of $465.21, the account held a value of $5,510.18 at the time.

The 11.8445 was deposited to this address by four other addresses that will be discussed in the section following this initial analysis. For now, let’s follow the initial trail and watch the behavior of this address.

In general we’ll be following the “Change Addresses” where leftover funds from each transaction were sent while documenting what the receiver addresses seem to be doing with funds if possible.

Note: All U.S. dollar amounts are estimated from that day’s historical Bitcoin trading value (opening).

Chain A: 2015-12-16

Reading the transaction and subsequent history it appears that the receiving address is owned by the same group, as it begins demonstrating the spending behavior of the original address in our story of sending smaller amounts and forwarding the change, rather, say, than be collected into a larger account (like a service provider aggregating their smaller received amounts into larger wallets).

Note that such a clean amount of 0.8 BTC generally follows an “owner preference” about how much they’re depositing into an account (like transferring an even $500 into a savings account rather than paying an exact $512.32 credit card bill).

Chain A: 2015-12-18

The receiving address in this case forwards the 0.388493 BTC within 7 hours to another address where the outputs mix in with greater and greater accumulating amounts of Bitcoin. It’s likely this receiver was a service provider or a coin mixer.

Chain A: 2015-12-21

The pattern continues with another possible service provider receiving $207.92 before letting those funds accumulate with others into a much larger wallet.

Chain A: 2015–12–23

The receiving address in this case forwards the amount during a larger transaction to BitVPN: a provider of Virtual Private Network access that accepts payment in Bitcoin. (13ov4UBJYJQBC1Tv5vEvijShn2vWS3vPrJ to 1BitVPNqCdyG4LEbP7EQE1mvyMvBNWuEtE)

The Internet Archive Wayback Machine shows that the price in 2015 through 2016 for one year of VPN service was $39.95 — an amount nearly equivalent to the transaction above when daily trading activity and the ups and downs of Bitcoin’s price is taken into account.

BitVPN: Consistently a $39.95 Annual Subscription

(Corrected: the initial version of this article used an incorrect Bitcoin price to calculate the spent amount)

5 Bitcoin to the Left, 5.3 Bitcoin to the Right

During this transaction the total funds for the address are split nearly in half, to 5 BTC on one hand and ~5.3 BTC on the other. The address containing the ~5.3 BTC eventually leads, after several transactions, to the address alluded to in the indictment.

A portion of this amount seems to move towards a large wallet that transacted more than a hundred thousand Bitcoin, most likely a cryptocurrency exchange.

Many of the amounts in the following transactions appear to mix and merge with other addresses in a way that seems artificial: such as in the case of using coin mixers to obfuscate ownership of funds.

And here we are, where our story began: the transaction with the mysterious 0.026043 BTC amount.

The pattern continues until the simple payments end and the Bitcoin remixes with other addresses in this transaction:

At this point we’ve completed a simple review by hand of one aspect of the blockchain relationship with the indictment. More avenues of research include the original four addresses that deposited into the “top-most” address, the various “whole number” amounts that split off, and the ultimate disposition of funds.

First, we know with certainty that the 0.026043 BTC amount referenced in the indictment has no other entries in the Bitcoin blockchain in the 24 hours before and after February 1st, 2016 EXCEPT the transaction we already identified.

Second, we can demonstrate that at least one payment was made to BitVPN, demonstrating evidence for the indictment’s claim about the usage of Virtual Private Networks to aid in the operatives’ work to hack the DCCC and DNC.

We can also show a flow of the value through probably coin mixers and also towards probable cryptocurrency exchange deposit addresses, lending credence to the charges of money laundering.

Additionally, we can conclude, given the early funding in 2015 of the Bitcoin addresses and the methodical payments in amounts matching at least one useful service, that the GRU operatives had pieces in place for months before taking actions referenced in the other counts.

Other items we can take away:

  • Bitcoin transactions are NOT anonymous
  • IP addresses can be correlated with Bitcoin addresses
  • Anonymous verification schemes that involve sending “random” amounts of BTC for account creation actually make payment histories easier to identify on blockchains (0.026043, for instance).

Ultimately a simple analysis by hand can reveal only a little of the overall picture, but the picture revealed is compelling: the Special Counsel’s team has access to years of data that documents criminal acts as they happened, all on the blockchain.