
A 96 Bitcoin ransom payment ends up on Bitfinex - JumpCrisscross
http://jpkoning.blogspot.com/2020/01/what-happens-when-96-bitcoin-ransom.html
======
Canada
There already is such tracking going on, exchanges do freeze balances
sometimes. The problem is that if the stolen coin gets traded before exchanges
can freeze them you wind up with a lot of innocent people holding those coins
and it's not practical to freeze those later.

Consider these two scenarios: A stolen bike vs a stolen sack of coffee.

In the case of the bike, if you can find it you can take it back from someone
else who bought it. You can identify it distinctly as your bike, even if it
had been bought and sold multiple times.

Now imagine a stolen sack of coffee that the thief sells to a vendor at a
market. The vendor dumps it into a big bin full of more coffee. Other people
buy bags of it, some containing the stolen beans, some not, some a mix. Now
you can't identify your distinct stolen coffee anymore. It's not practical to
go after the coffee vendor or its customers.

Bitcoin works like the coffee example not the bike. Balances move around like
so many kilos of coffee. If you were to make the coffee vendors or their
customers liable for stolen beans they happen to touch then you can't have a
functioning coffee market at all.

Of course that isn't to say the coffee vendor can't do anything. If the stolen
coffee or money is still in the hands of the coffee vendor then they should
turn it over to the police when informed. If it's already gone they can tell
the police which way the thief went and how much money was paid. Hopefully the
police can find the thief and take the proceeds of his crime to make the
victim as whole as possible. Also, just because coffee beans can't practically
be identified distinctly doesn't mean a coffee vendor that is knowingly
trafficking in stolen coffee should get off the hook.

This is how it's done now with cryptocurrency and the biggest practical
problem seems to be that law enforcement doesn't move fast enough to contact
exchanges confirming that the claim of wrongdoing is bona fide.

~~~
rahimnathwani
You said "Bitcoin works like the coffee example not the bike." after "Now you
can't identify your distinct stolen coffee anymore."

But you _can_ identify distinct stolen/tainted Bitcoin. Just like you can
identify distinct stolen banknotes.

The difference (according to the article) is that banknotes have special legal
status meaning that they're effectively fungible after being spent.

~~~
pryce
We should also carefully distinguish:

* Bitcoin proponents _desire_ that bitcoin work like the earlier currency example, where an innocent actor who receives stolen currency at part of some transaction for a good or service is protected from having to return those bitcoin.

* Whether an innocent actor in that position is _in fact_ liable or protected in that scenario is fundamentally up to the state(s) involved and their legislative choices.

This (as with the centralization of mining, and exchange prominence) seems to
be another example where Bitcoin is -in practice- far more subject to the
powers of states than its proponents respresent.

I postulate that few if any states will see any advantage in granting that
kind of protection to bitcoin transactions, as states have incentives to
ensure their own currencies can be transacted without rigorous detective work,
and do not have these same incentives with bitcoin.

~~~
FDSGSG
You seem to be speculating about some future legislation. What about the
situation right now?

>I postulate that few if any states will see any advantage in granting that
kind of protection to bitcoin transactions, as states have incentives to
ensure their own currencies can be transacted without rigorous detective work,
and do not have these same incentives with bitcoin.

Usually these principles apply to all currency, not just the states "own"
currency. Why would states need to grant such protection to bitcoin
transactions, as opposed to taking away such protection?

------
Zenst
Fascinating and also good news IMHO as it starts to highlight that bitcoins
can be tracked and today a stolen mobile phone can be blocked and logged upon
a database as stolen, so could bitcoins.

I'm thinking that there is a need/opportunity to be able to register bitcoins
as stolen and if vendors used that database, the whole raft of bitcoins used
for nefarious activities and more so stolen ones, can be curtailed.
Counterpoint to that thinking would be that it would not curtail the criminal
activities such as ransom payments, only shift them into other forms.

Also interesting that the incident response team do not track or follow up
tracing and tracking the bitcoins used and that a separate company and process
was avenued. This shows that incident response is still a learning process,
though encouraging that such situations are within their remit of response and
as a service for companies - an important one.

Another take away from this is that law enforcement need to up there game, had
this been hard cash, they would be driving this and not the insurance company.
That shows how they are behind the times and most likely, budget/skill
shortages playing out. But a million dollars is a million dollars in any
currency, including crypto currency and again, had this been hard currency,
you know that they would of been more resource involved. Though please don't
take that as an indictment upon the police services, more an indictment of
their resource limitations and one that needs addressing and raised up the
flagpole.

~~~
newguy1234
Criminals will easily solve the problem by simply using privacy coins like
monero.

~~~
snarf21
Exactly. Additionally, not everyone wants to take their money to the off ramp.
This also creates a conundrum for exchanges. If they punish any user with a
descendant of any "dirty" coin, it hurts the market and people's willingness
to accept crypto at all. If no one is buying and selling crypto, they have no
business.

------
magnat
Here's the transaction:
[https://blockchair.com/bitcoin/transaction/6b7308c0ce185810a...](https://blockchair.com/bitcoin/transaction/6b7308c0ce185810a9bafa86e329fa2c432250730d187b852f7df83ee5323667)

------
conchy
The article brings up an interesting legal point as to whether bitcoin will be
afforded the special legal status of paper cash that protects innocent
recipients who accept stolen money ... but really paper cash has no such
protections when you're talking about millions of dollars of it, so the point
is entirely moot.

------
age_bronze
Is ransom payment even considered "stolen" in the usual sense? You have
willingly paid that, nobody took that from you without permission. I wouldn't
be surprised if ransom has it's own different definition.

Forcing an innocent to hand over bitcoins they had no clue they were tainted
will make everyone lose trust in bitcoin and cryptocurrencies in general.
What's the point of anonymity when trading when you're culpable for wherever
that currency came from.

~~~
nradov
Yes wrecking trust in cryptocurrencies would be an excellent outcome for
everyone. And there is no true anonymity (never has been).

~~~
nybble41
"Forcing an innocent to hand over bitcoins they had no clue they were tainted"
shouldn't wreck trust in cryptocurrencies, but rather in the organization
unjustly harming those innocents—i.e. the government. If anything the fact
that they had to track down each individual recipient and force _them_ to
transfer the funds, rather than simply pressuring some bank or other
intermediary, ought to _increase_ trust in cryptocurrencies.

~~~
lolc
The "but I didn't know" excuse of innocence is not universal. In some cases
one is required to do due diligence or risk catching some of the guilt in
one's trades. Whether Bitcoin traders should be held responsible for the
provenance of their coins is an interesting question. It really comes down to
whether we want to protect Bitcoin as a payment system. And few people even
care so it's not looking good.

~~~
nybble41
Due diligence is not _sufficient_ in the interesting cases. If exchanges
instituted a blacklist of known ransom payments, for example, ransomware
authors would just wait until the coins have been changed into some other
untraceable form before releasing their hostages. Blacklisting the transaction
in time to do any good would be the same as not paying the ransom. Reporting
the address after the fact can only harm innocents several stages removed from
the ransomers who could not possibly have known that the transaction was
tainted.

The only reasonable solution is to track down the actual ransomers and make
_them_ pay for the damage they caused. Dragging other parties into this can
only make things worse.

~~~
lolc
Making the receiving parties intent in covering losses can help a lot during
discovery. Dragging "innocents" into it might just get us to a system that
makes it hard for extortionists. And that system might not look like the
Bitcoin we know.

You can argue that we should suffer the extortionists for other benefits we
get out of Bitcoin. I'm not convinced at this point.

~~~
nybble41
> Dragging "innocents" into it might just get us to a system that makes it
> hard for extortionists.

If you're willing to harm innocents for the sake of your cause—even if the
goal is to make things harder for extortionists—then you're no better than
those you're fighting.

~~~
lolc
I see this as an example where the ends can justify the means. The maximum
loss those people could incur would be the sums exchanged. If those are
restored to the damaged party I don't see how there's a good reason to protect
the people who traded. They can still demand restoration from their partners
after all. If they traded with crooks, they might get nothing back. Such is
life.

To say this is the moral equivalence of extortion is a long shot.

------
londons_explore
An evildo-er wanting to hide bitcoins has many routes to do so:

* A Mixer

* gamble on one of many online casinos

* buy physical darknet goods with them

* Hack someones account on an exchange and use it.

* The above, but use the coins to 'pump-n-dump' a tiny altcoin. Be one of many 'investors' making money out of the change in altcoin price.

* Go margin trading with them, but make sure to loose them all in a margin call. Do it on a small altcoin so you can be on the other side of that margin call.

~~~
stanferder
What if governments define _every_ output to a mixer transaction to count as
receiving stolen goods if _any_ of the inputs are the result of criminal
activity?

Apart from that, every option you suggested just hands the problem off to the
next person. Eventually people won't want to transact at all because they
don't want to receive tainted bitcoins.

~~~
Jach
Thus the concept of 'tainted bitcoins' isn't likely to last very long, if
bitcoin is to continue to be used at all, especially when the creation of new
bitcoins keeps going down. This is similar to nearly all paper currency having
trace amounts of cocaine et al. on it.
([https://en.wikipedia.org/wiki/Contaminated_currency#In_the_U...](https://en.wikipedia.org/wiki/Contaminated_currency#In_the_United_States))
If people no longer did trades involving cash with such traces, cash payments
would go away very quickly.

~~~
PeterisP
If using mixers as such is made explicitly illegal (it's not yet anywhere as
far as I know, but it could change), there's no need to have some particular
BTC tainted forever because we can follow the money trail.

Let's suppose we see some nontrivial amount (so, not $100 but $100k) of BTC
being cashed out to dollars or by buying some legal goods, and we see that
this BTC recently passed through a mixer. KYC means that the exchange or
merchant will identify "oh, that's Bob". And we can ask Bob - well, where did
that money came from? And either he can provide some evidence that he got that
money in a legitimate transaction from Charlie (who can then be processed in
the same manner), or he can be convicted either of (a) using a mixer if he did
so himself; (b) violating money laundering laws by doing large anonymous
transactions if he did get money from some 'Charlie' that can't be identified;
or (c) violating money laundering laws by refusing to disclose the source of
these large cash-like payments.

It's not _as_ simple and some particular nuances of the existing laws would
need to be adjusted to make this process work, but that's something
governments could and would do.

Not for small amounts that can obviously be laundered easily and nobody cares
about that, but it would be quite plausible to ensure that no legit
organization would touch a million dollars worth of BTC without ensuring a
proper paper trail of how it got there; and anybody intentionally passing 100
BTC through a mixer would just make it difficult for themselves to spend those
100 BTC - because every recipient of large amounts will ask for a proper
source for your funds, and a mixer is not one.

------
ErikAugust
To think someone would take all this time to set up ransomware and
successfully get 96 BTC out of a ransom only to be using a Bitfinex account.

------
blakesterz
I know soooo very little about crypto currency, but his idea here makes sense,
at least to me, but what do I know. Is it possible to create a registry like
this, or is this never going to work?

"Given bitcoin traceability and the ease of getting an injunction, one can
imagine that it might make sense for insurers, bitcoin exchanges, and over-
the-counter traders to build some sort of private "ransom registry". The
moment that an insurer pays a ransom to a hacker, that insurer simultaneously
announces the offending address to the registry. A verified OTC trading desk
can now protect itself from potential bankruptcy by always checking the
registry to make sure that any bitcoins offered to it are "good" bitcoins.
Exchanges too would likewise cross-check incoming bitcoin deposits against the
registry."

~~~
aphextim
The thing is that 96 bitcoin could be thrown through a mixer of sorts.

Take the 96 bitcoin, split it into 96 different addresses with 1 bitcoin, then
mix those 96 individual addresses to multiple new addresses and then
reassemble them elsewhere. This is a horrible explanation, but explains the
general idea. You could also mix from Bitcoin to Monero or another currency
and back again through various pairs.

There are lots of things out there to attempt to trace the bitcoins back to
the source since every transaction is always logged, however if people keep
rearranging coins on various addresses it does make it harder.

Having a blacklist registry of all bad/stolen coins would be great if
implemented, however I don't know how feasible it would be.

~~~
michaelt
If we follow the stolen-property example, if a stolen car is broken up and
sold as parts, and I buy a widget from it, the fact the car was broken into 96
bits doesn't make the widget any less stolen, no matter how many hands it
passes through.

~~~
derefr
The analogy doesn’t hold.

A car with a stolen part does not, itself, become a stolen car, because
there’s a clear division between the part and the car itself. The only thing
the police would want to seize as stolen property from you is the stolen
part—they’d get you to take it out of your car, and be on their way.

Cryptocurrency is less like car parts, and more like gold: putting the crypto
through a mixer is like melting some (unknowingly) stolen gold jewellery into
a batch of non-stolen gold, forming new gold bars, and then selling those. Is
the whole batch of gold now “tainted” by the stolen gold? Does it all need to
be seized as stolen property? If not, then what _does_ need to be seized? An
equal shaving of gold from each buyer’s new bar?

If it were possible to figure out which mixer recipient was the original
jewellery thief, you could just seize _their_ mixed assets, since those assets
should be equal in value to the stolen input assets. But the whole point of a
mixer is to destroy that linkage, such that you have no idea who any of the
recipients are.

------
cesarb
An interesting (and sort of related) anecdote:

Some decades ago (unfortunately, so long ago that I can't easily find any
references to it - it was probably in the 1980s), there was a robbery of a
large number of bank notes in my country. For a while after that, all cashiers
at markets had a booklet with the serial numbers of the stolen bank notes, so
they would be rejected and/or reported to the police. That was possible
because the bank notes were newly issued (so they had blocks of consecutive
serial numbers), and had never actually entered circulation (IIRC, they were
stolen before arriving at the bank).

While the situation is not identical, there are some similarities: an innocent
person (who did not take care of checking the serial number when receiving a
bank note) could have their money rejected when trying to buy at a market (and
would probably also be questioned by the police).

(I don't recall whether the one(s) who stole the bank notes was/were actually
caught; are there other Brazilians here who remember about this case? I think
it's not the 2005 robbery, which stole only notes which had already entered
circulation.)

------
FDSGSG
>surely ransomed bitcoins qualify as stolen

Is this typically the case? As far as I understand, fraud losses for example
are often treated quite differently than stolen goods. Are ransom payments
really considered stolen?

This doesn't necessarily seem like the kind of a situation where the nemo dat
rule would be directly applicable, especially given that it doesn't typically
extend to money anyway.

------
mceoin
I wonder how this would go down in Australia. Precedent set from Gamer's vs
Natwest is that the buyer retains ownership rights, so long as they purchased
the product in good faith that the seller owned the original product or had
the right to sell it. So if I buy your stolen car without knowing it is
actually yours and was stolen, I retain ownership of the car and you have no
legal remedy to retrieve it from me.

[https://jade.io/article/67364](https://jade.io/article/67364)

~~~
rahimnathwani
"So if I buy your stolen car without knowing it is actually yours and was
stolen, I retain ownership of the car and you have no legal remedy to retrieve
it from me."

No, the relevant law doesn't apply to stolen goods. It only applies to goods
that were obtained by the seller with the consent of the original owner.

"Where a person having bought or agreed to buy goods obtains with the consent
of the seller possession of the goods or the documents of title to the goods,
the delivery or transfer by that person or by a mercantile agent acting for
him of the goods or documents of title under any sale pledge or other
disposition thereof to any person receiving the same in good faith and without
notice of any lien or other right of the original seller in respect of the
goods shall have the same effect as if the person making the delivery or
transfer were a mercantile agent intrusted by the owner with the goods or
documents of title."

------
lawn
This is why Bitcoin's traceability is a problem for it's money status. If
people are actively pursuing the stolen bitcoins, regardless of who's
currently holding them, then Bitcoin's fungibility will break as some coins
will be worth more than others.

The only cryptocurrency that comes close to solving this is Monero, which
isn't traceable.

If the attackers were smart, this is what they would've done: Send them to
Bitfinex, which is an unregulated and shady exchange, sell them for Monero and
withdraw them immediately. Congratulations, now you have a bunch of
untraceable cryptocurrency.

~~~
FDSGSG
You can write down the serial numbers of paper money you hold, but that's not
going to help you recover the money if someone steals the money and spends it
at a shop.

Traceability doesn't need to be a problem.

~~~
stanferder
Governments are unlikely to give cryptocurrencies the same legal privileges as
the currencies they issue.

As such, traceability will remain a risk for anyone receiving cryptocurrency
payments. If a chain analysis reveals an illegal transaction as a precursor,
it's going to be considered stolen goods, not money, as the article states.

~~~
FDSGSG
> Governments are unlikely to give cryptocurrencies the same legal privileges
> as the currencies they issue.

That's fine, but if the governments don't take action it'll be up for the
courts to decide that.

>it's going to be considered stolen goods, not money, as the article states.

This is not at all obvious. It's not even clear that the nemo dat rule would
apply to any kind of ransom payment.

------
GBiT
I think this year we will see the first international orders to miners do not
process some addresses and freeze that coins. I know a lot of here thinks,
that it's not possible, but bitcoin has only a few big miners. And if they
will get orders they will have to comply or fight it in courts. It's not
possible to mine anonymously, because you need hundreds of millions to invest
into miners and a lot of power.

~~~
allovernow
I imagine it isn't impossible to rent a warehouse under some shell company and
fill it with mining hardware in a random non-us country without anyone knowing
the owners' identities.

~~~
GBiT
You can, but don't forget, that you have to by miners, get cheap electricity
and if you want a result, you have to have major share of hash power. Other
way you will not be able to include transactions if majority pools will not
agree to include them too.

Don't forget, that this pool should be part of criminal organizacion because I
don't think any businessman will invest hundreds of millions of dollars and
risk his mining operations shut down.

------
ramraj07
If Bitcoin isn't granted money status, that would suck. We can't hold
downstream buyers accountable for the money.

However, I still see this as a good thing; if the hackers did sell 96 Bitcoin
to one single buyer, then we can now start a paper trail (or physical
evidence) on what the single buyer gave them in return (paper money transfer?)

~~~
samatman
"We" absolutely can.

If one were to sell a sports car in exchange for a pile of marked bills taken
from a bank robbery, one would rapidly find oneself in hot water. Receiving
stolen goods is a crime.

~~~
iguy
But where does this stop, legally? (Really asking, I don't know.) If you
immediately used these bills to buy a different car, then I imagine that could
be reversed. But if you (say) paid your laundromat repair-man his salary with
these bills, for the next few years, surely he (and his landlord, and his
local grocery store) would be in the clear?

Edit: after reading TFA, this is the crucial point (in English law, I guess):
"Banknotes, coins, and other highly-liquid paper instruments have a very
special legal status. ... was granted to banknotes centuries ago in order to
ensure that ... money remained highly liquid. If every merchant had to
verify...". Interesting case.

~~~
samatman
The limit is practical, not legal. (IANAL).

In practice, the law is not trying to 'get' people who innocently receive
stolen money or goods. In the example you gave, it would be up to
prosecutorial discretion what to do; trying to claw back one salary's worth of
already-spent money is probably not worthwhile.

But if someone shows up and tries to deposit a couple grand worth of marked
bills, they can expect to be taken into a police station for questioning, and
should fully cooperate: this makes it unlikely that the penalty will extend
further than confiscation of the stolen cash.

The important thing to realize is: if any of this goes to trial, the
prosecution only needs to prove that the money is stolen. It doesn't need to
prove the receiver _knew_ it was stolen; that's not what the crime is here,
that knowledge makes it a worse crime, accessory to robbery.

~~~
samatman
Apparently the actual answer (I did say I'm not a lawyer!) is "it depends".

[https://en.wikipedia.org/wiki/Possession_of_stolen_goods](https://en.wikipedia.org/wiki/Possession_of_stolen_goods)

The state-level standard appears to vary, the most common case is 'should have
known', rather than 'knew for a fact'.

With Bitcoin, where all transactions are a matter of public record, I'd hazard
that 'should have known' is baked-in. It will be interesting to see what case
law is established in this arena.

That said, my statement above is clearly stronger than reality, except in some
states where knowledge doesn't need to be proven.

~~~
protanopia
The transactions are public but the reasons for them are not. Usually
ransomware victims don't publicize the fact that they were attacked. Even if
they do, they additionally don't publish in which transaction they transferred
the ransom. There isn't a practical to determine whether a specific
transaction that a wallet received was from ransomware.

------
solotronics
The fungability/tainted coins/traceability problem is potentially solved with
the recent Taproot Schnorr signatures proposals. BIP340, BIP341, BIP342. You
guys don't seriously think we would sit around and let the man crush bitcoin
because of "tainted coins" do you :]

[https://github.com/bitcoin/bips/blob/master/bip-0341.mediawi...](https://github.com/bitcoin/bips/blob/master/bip-0341.mediawiki)

------
fnord77
is there a statute of limitation on ransom crimes such as these?

~~~
ascorbic
The UK doesn't have statutes of limitations for criminal offenses

