Monday, March 28, 2022

Why does crypto work for Russian ransomware, but it wasn't useful for the Ottawa truckers?

[This is a repost of my recent article for CoinDesk exploring why bitcoin has been demonstrably useful for certain illegal activities, like ransomware, but fails when it comes to others, like the Ottawa trucker convoy. Spoiler: bitcoin's usefulness for engaging in non-permitted transactions very much depends on the on-ramping and off-ramping processes, and whether these threshold points are tightly controlled or not.]

The Ramps Killing Bitcoin's Dissident Thesis

Crypto is marketed by its fans as an unstoppable dissident technology and feared by governments for its subversiveness. But the many shortcomings of a recent bitcoin fundraiser to support an illegal Ottawa, Ontario, trucker convoy (more on that later) suggest that crypto isn't as unstoppable or subversive as it is often made out to be.

But if Ottawa contradicts the standard crypto narrative, we also have an example that confirms it. Waves of successful Russian ransomware attacks relying on the Bitcoin network to extract ransom payments suggest that crypto is an incredibly effective technology for evading rules.

So which is it: unstoppable or not? The short answer: It depends on the off-ramps and on-ramps. Let's explore why crypto was a dud in Canada, but is highly successful for Russian ransomware operators.

What crypto brings to the table is the ability for two people to make a digital peer-to-peer transfer that cannot be preempted by a third party. But a peer-to-peer crypto transfer is only the middle step in a three-step circuit that begins with on-ramping into crypto and ends with off-ramping out of crypto. If either the on-ramping or the off-ramping processes are closed or guarded, much of crypto's fabled ability to circumvent restrictions is neutered.

The Ottawa trucker convoy bitcoin fundraiser is a good example of the off-ramping process being leveraged by law enforcement to defang crypto. I described the convoy’s financing last month for CoinDesk. Over the last few weeks various Canadian parliamentary committees and court rulings have shed more light on the fate of the convoy’s finances.

By early February, the convoy of truckers blockading downtown Ottawa had transitioned from legal protest to illegal mischief. Sending donations through centralized fiat-based crowdfunding sites became impossible. The convoy’s main fundraising campaign, hosted on GoFundMe, was shut down on Feb. 4. A pivot by convoy organizers to rival crowdfunding platform GiveSendGo [which is powered by Stripe] was rendered useless by an Ontario court's restraint order a few days later.

That left a bitcoin fundraiser by the name of HonkHonk Hodl as the only way to connect with the rogue blockaders.

The on-ramping stage of the convoy’s bitcoin fundraiser proceeded unimpeded. Any American who wanted to donate to the illegal blockade could freely swap U.S. dollars for bitcoin via an exchange such as Coinbase. Once the cryptocurrency was acquired, no force on earth could stop that bitcoin from being transferred from an American’s personal wallet across the border to the Canadian organizers' bitcoin address.

The bitcoin fundraiser eventually raised $1.1 million in bitcoin. It was at the final stage, off-ramping back into Canadian dollars, that things fell apart.

From the outset, the identities of the people in control of the convoy’s bitcoin wallets had been broadcast across social media. Once the convoy was deemed illegal mischief, these public-facing organizers and their wallet addresses became easy targets of police investigations, freezing orders, injunctions and class-action suits, all of which prevented them from off-ramping out of donated bitcoins into spendable fiat.

The strategy of publicizing the identities of the organizers might seem like a mistake, but it wasn’t. A fundraiser can't gain any momentum if the people collecting the money aren't identified. Anonymous organizers could very well be scammers, and the whiff of fraud would doom fundraising.

Nicholas St. Louis, the lead organizer of the bitcoin fundraiser and a suspect in a criminal investigation, was forced to give up seed phrases for his fundraising wallets to the Royal Canadian Mounted Police, which is Canada’s version of the FBI. Parallel to that, a separate civil court injunction on behalf of an Ottawa class-action suit named hundreds of bitcoin addresses associated with the fundraiser. To comply with the order, St. Louis eventually forfeited $250,000 in undistributed bitcoins to a court-appointed escrow agent. That sum will potentially be used to compensate Ottawa citizens damaged by the convoy's actions.

Just hours before the court injunction fell, St. Louis managed to distribute two-thirds of the donated bitcoins to around 100 truckers. To prove they were honestly distributed, St. Louis recorded himself giving envelopes to each trucker and published the recordings on social media. That made it a cinch for the RCMP, litigators and aggrieved Ottawa citizens to determine the identities of the truckers who received the donations.

The transparency of bitcoin’s blockchain means that all of the distributed bitcoin has been flagged by law enforcement as well as being listed in the court’s freezing order. Anti-money laundering officers at exchanges are on guard, and any effort on the part of the 100 truckers to off-ramp their cryptocurrencies into spendable currency by selling marked bitcoin on an exchange will result in forfeiture. Worse, the truckers could run into potential legal trouble if they try, because ignoring the court’s freezing order is punishable by fine or imprisonment.
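The flagging mechanism described above is what a compliance desk at an exchange actually runs: starting from the addresses named in a court order, walk the public transaction graph forward and mark every address that later receives funds from a marked one, so a deposit arriving from any of those addresses can be held. The following is an added example written for this post, not code from the article or from any exchange or analytics vendor; all addresses and transactions are constructed sample data, and it simplifies real practice by tracing at the address level rather than by UTXO and by treating any inflow from a flagged address as fully tainting the receiver.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Tx:
    """One simplified transfer: constructed sample data, not real chain data."""
    txid: str
    sender: str
    receiver: str
    amount_btc: float


# Addresses as they might appear in a freezing order (constructed placeholders).
LISTED = {"addr_fundraiser_1", "addr_fundraiser_2"}

# Constructed transaction history in chronological order. tx0 happens before the
# trucker address receives any listed funds, so its payee must stay clean.
SAMPLE_TXS = [
    Tx("tx0", "addr_trucker_7", "addr_old_payee", 0.05),
    Tx("tx1", "addr_donor_a", "addr_fundraiser_1", 0.50),
    Tx("tx2", "addr_fundraiser_1", "addr_trucker_7", 0.10),
    Tx("tx3", "addr_trucker_7", "addr_mixer_hop", 0.10),
    Tx("tx4", "addr_mixer_hop", "addr_exchange_deposit", 0.09),
    Tx("tx5", "addr_unrelated", "addr_exchange_deposit_clean", 0.30),
]


def propagate_flags(txs, listed):
    """Forward-propagate flags from the listed addresses.

    Returns a dict: address -> (index of the tx that tainted it, path of
    addresses from the listed origin). Listed addresses get index -1. Only
    transfers that happen *after* an address was tainted carry the flag
    onward, so earlier, unrelated outflows are not swept up.
    """
    outgoing = defaultdict(list)
    for idx, tx in enumerate(txs):
        outgoing[tx.sender].append((idx, tx))

    flagged = {addr: (-1, [addr]) for addr in listed}
    queue = deque(listed)
    while queue:
        src = queue.popleft()
        tainted_at, path = flagged[src]
        for idx, tx in outgoing[src]:
            if idx > tainted_at and tx.receiver not in flagged:
                flagged[tx.receiver] = (idx, path + [tx.receiver])
                queue.append(tx.receiver)
    return flagged


def screen_deposit(source_address, flagged):
    """Verdict an exchange's AML check could attach to an incoming deposit."""
    if source_address not in flagged:
        return {"address": source_address, "flagged": False, "hops": None, "path": None}
    _, path = flagged[source_address]
    return {
        "address": source_address,
        "flagged": True,
        "hops": len(path) - 1,  # number of transfers between listed origin and deposit
        "path": path,
    }


if __name__ == "__main__":
    flags = propagate_flags(SAMPLE_TXS, LISTED)
    for addr in ("addr_exchange_deposit", "addr_exchange_deposit_clean", "addr_old_payee"):
        print(screen_deposit(addr, flags))
```

Running the block shows the deposit that passed through the trucker and intermediary addresses flagged three hops from the listed origin, while the unrelated deposit and the pre-listing payee stay clean. Production tooling refines this in two ways the example leaves out: taint is apportioned by UTXO value rather than all-or-nothing, and the walk is bounded by hop count or amount so that a single tainted satoshi does not eventually flag the whole network.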

Truckers brave enough to risk contravening the court order might try to evade exchange blacklists by directly buying goods and services with bitcoin. (They would have to use retailers that don’t rely on compliant crypto payments processors like BitPay.) Given that bitcoin is so rarely accepted in trade, this is tantamount to barter, and bartering is inconvenient.

So the truckers have been left holding a bunch of mostly useless, even dangerous, injuncted crypto. As for the remaining undistributed donations, they have all been confiscated by the courts. What a mess.

If bitcoin failed the truckers, let's see why it has worked so well for ransomware operators. Ransomware is malicious software that takes control of a computer by encrypting files or threatening to publicly expose data. The ransomware operator, typically located in Russia, releases that control only after receiving a ransom payment, usually bitcoin. In one of the more notorious incidents, JBS USA, the world’s largest meat supplier, paid an $11 million bitcoin ransom to free its computers.

The ransom payment on-ramping process is completely fluid. That is, it is 100% legal for the U.S. victim of a ransomware attack – usually a corporation such as JBS, a school board or a government agency – to buy bitcoin on an exchange like Coinbase in order to pay the ransom. In fact, a new industry known as ransomware payments facilitation has emerged to service this need.

Whereas a wire payment to a Russian bank account might be frozen or clawed back, a bitcoin payment made to a Russian ransomware operator's wallet can't be. That's tremendously useful to ransomware operators.

Most importantly, Russian officials have made little attempt to inhibit the off-ramping process. As long as ransomware gangs don’t attack Russian companies, their ability to operate on Russian soil has been tolerated as has their access to Russian off-ramps. For instance, nested exchanges with Russian links such as Suex and Chatex have been used by Ryuk and Conti ransomware operators to convert bitcoin ransoms into useful currency.

And that's why ransomware has been so successful. The combination of 1) unimpeded U.S. on-ramping, 2) a US-to-Russia bitcoin bridge and 3) unimpeded Russian off-ramping creates an unstoppable monetary circuit. By contrast, Canadians' closure of the off-ramping process crippled the convoy's bitcoin fundraising circuit.

(Incidentally, this is why one of the quickest ways to end the ransomware threat is to shut off the on-ramps: Make it illegal for U.S. entities to pay crypto ransoms. It also illustrates why Russians can’t rely on crypto to evade sanctions: the big off-ramps like Binance and Bitfinex can be controlled by U.S. sanctions policy.)

Governments, whether they be democracies or dictatorships, are often fearful of crypto's censorship-resistance, leading to calls for bans. The lesson from the Ottawa trucker convoy and Russian ransomware gangs is that as long as the on-ramping and off-ramping processes are regulated, these fears are overblown.

As for advocates of bitcoin’s capacity to help dissidents, if the trucker convoy proves anything, it’s that these advocates have their work cut out for them.

2 comments:

  1. Useful posting that helps understand the process. It would seem only direct bilateral exchanges between ultimate provider and end user can avoid the on-/off-ramping issue.

    I do take issue with your "illegal mischief" phrase regarding the truckers. Non-violent protest is a legal and a natural right, regardless of the police chief's statements. It is telling that the original police chief resigned early on, I'm guessing because he balked at being a political tool to quash a legitimate protest. The despicable lies about the truckers spouted by the Prime Minister on down to the Mayor are a permanent stain on Canada.

    1. " Non-violent protest is a legal and a natural right, regardless of the police chief's statements."

      Yes, protest is a right. Blocking streets is not a right. It denies people the lawful use, enjoyment and operation of their property. There's a tension between these two, since any protest involves a degree of blockading, and the police should try and find the right balance.
