A Tale of Two Indictments (and One Report)

On July 13th, 2018 the U.S. Department of Justice indicted twelve Russian members of the GRU (the Russian Federation’s Main Intelligence Directorate of the General Staff) on charges of hacking the Democratic National Convention.

On October 3rd, 2018 the D.O.J. further indicted seven Russian members of the GRU on charges of hacking anti-doping agencies and leaking the drug-testing results of Olympic athletes.

Finally, the 2019 Mueller Report summarizes the charges of the earlier indictments, and while redacting Investigative Techniques, specifically mentions CEX.io (footnote #113) as a source of withdrawn Bitcoin funds for their operations.

As the reader will soon see, the links to CEX.io and BTC-e.com are discoverable without special tools, simply by traversing the public blockchain history of Bitcoin, as opposed to whatever redacted method of seizing emails the Mueller Investigation itself employed.

Overview of Indictments

The first indictment (a.k.a. the Netyksho indictment) specifically revealed that the two GRU units involved, 26165 and 74455 (a.k.a. the Fancy Bear hacking group), had engaged in alleged interference with the 2016 U.S. Presidential Election.

US Department of Justice Indictments of GRU Operatives

The second indictment, while unrelated to the election interference charges, focused instead on Russia’s retaliation for being banned from the 2018 Winter Olympics in South Korea. It describes the same methodologies that were used to influence the U.S. Presidential Election, this time aimed at swaying public opinion in Russia’s favor by employing cyberattacks against U.S. anti-doping agencies and selectively leaking Olympic drug-testing results.

The connection between the two indictments is obvious: two members of the GRU — Artem Andreyevich Malyshev and Ivan Sergeyevich Yermakov — were listed as defendants in both.

But another link between the indictments is the curiously similar phrasing that they both employ to describe the Bitcoin payments referenced in funding their cyberattacks.

“A Certain Thirty-Four Character Bitcoin Address”

Bitcoin Addresses are, most of the time, composed of thirty-four characters — a combination of numbers and letters. When a user wants to send some of their Bitcoin to a receiver, such as making a payment, the receiver usually generates a new address to receive the funds and tells the sender where to send the funds to.

The sender then pays the receiver and deposits any remaining change in a new “change address” rather than reusing their own original address. This helps preserve the security (but not the anonymity) of Bitcoin transactions. Most of the time this is an automated process handled by the Bitcoin user’s “wallet software.” A full explanation can be found here: An Overview of Bitcoin Transaction Types.

In each of these two indictments regarding the GRU’s alleged hacking and related funding methods they reference the phrase:

a certain thirty-four character bitcoin address

Incidentally, a quick Google search of the phrase quoted above demonstrates that the only two source documents containing those exact words are the two indictments described herein.

The first, for an amount of 0.026043 Bitcoin being sent on or about February 1st, 2016, was referenced in Count Ten of the Mueller Indictment of the twelve Russian hackers.

The second, for an amount of 0.012684 Bitcoin being sent on or about August 8th, 2016, was also referenced in Count Ten of the Olympic hacking indictment.

Both of those counts were for money laundering.

Thus, based on these specific amounts, we now have two starting points from which to search the Bitcoin blockchain for the GRU’s payment history; even if this data is redacted in official findings, it’s simply a matter of following the payment history.

Following the Two Trails

Before we begin it’s important to understand that Bitcoin is not anonymous.

Every payment or transfer of funds made on the Bitcoin network is registered, publicly, on the blockchain. The blockchain, in this case, is the equivalent of an accountant’s ledger showing receipts and payments, but shared between hundreds of thousands of people — a permanent, easily searchable, unchangeable history.

While things like names and IP addresses aren’t stored directly in the Bitcoin blockchain, the ultimate source of funds and their destinations are. Thus, tracing back where funds came from or where they’re going isn’t just easy, it’s trivial, unless specifically obfuscated through mixing services or proper use of VPNs.

Publicly available websites like https://www.blockchain.com/explorer and https://www.walletexplorer.com make any such search easy: anyone can do it just by clicking around and putting two and two together.

When I originally wrote my article “Bitcoin Money Laundering and Mueller’s 12” following the original July 2018 Netyksho indictment, I had only had a chance to follow the first trail a limited distance. Since then, however, I’ve been able to expand and correlate that search data, revealing detail after detail about where the funds came from and their ultimate disposition.

Trail #1: Netyksho Reference

It should be stressed that every point of data I’m going to reference is searchable with free, public tools on the web. Anyone reading this article, given a basic introduction to how Bitcoin works, could replicate these results.

So let’s follow the initial trail indirectly referenced by the first Mueller indictment.

The Magic Transaction Amount: 0.026043

First, the referenced amount of Bitcoin, 0.026043, is an incredibly specific number. Coupled with the date of February 1st, 2016, there is no other transaction of that amount on the entire Bitcoin blockchain in the 24-hour window around that date besides this one:

This is the transaction in which the Bitcoin address “1LQv8aKtQoiY5M5zkaG8RWL7L” paid “1NZ4MSeYcDKFiPRt8h7VK6XMhShwzhCzCp” the 0.026043 Bitcoin.

To review, the most basic usage of Bitcoin employs software “wallets” that take away the difficulty in figuring out how to make payments. If you spend some Bitcoin, it automatically sends the specified amount, and puts your remaining balance (the change) in a new “address” it generates for you. You don’t need to pay attention to the addresses, because the software acts like a “wallet” that links them together automatically.

Since the blockchain keeps track of those amounts being sent to the “change address” it doesn’t matter if the Bitcoin owner’s original address has changed one, ten, or a hundred times: there’s still an unbroken chain showing where the remaining funds are going.

The GRU’s wallets and associated addresses, in this case, are no exception, and by moving backwards through the payment history we can see that the original address the GRU started with was:

This occurred on December 15th, 2015 with a withdrawn amount of 11.8445 BTC ($5,386.29) and was funded by multiple addresses belonging to CEX.io, a London-based cryptocurrency exchange started by Oleksandr Lutskevych.

This is a common way for cryptocurrency exchanges to give funds to people who are making withdrawals from their services. The exchanges themselves may be storing Bitcoin in many separate addresses on the Bitcoin network, but hold a paper balance amount for each account holder on their own internal servers. When they receive a withdrawal request they simply send the funds from a random list of their own Bitcoin addresses to the destination address of the receiver.

In the case of the “1KgUc…” address it looked like this:

GRU Funding to the “A” Chain From CEX.io

Note: CEX.io originally began as a “Bitcoin cloud mining” service, in which a user could pay to rent a segment of CEX.io’s total “Bitcoin mining hashpower” as a speculative venture to earn Bitcoin over time. They withdrew this plan once it became unprofitable, rebranding themselves as a cryptocurrency exchange. It is conceivable that the indictments’ references to the GRU mining of Bitcoin meant this sort of pooled Bitcoin mining (paying for the service) rather than a hardware-based Bitcoin mining farm owned by Russian government operatives, but this is speculative. Converting cash to Bitcoin in this manner makes money laundering relatively easy, to be sure.

Chain A: From Indictment to CEX.io

This payment chain will be referred to as “Chain A” in the rest of the article, and was initially funded by the CEX.io withdrawal on December 15th, 2015.

The profile of “Chain A” is very straightforward: payments are made one after another until funds run low. Some payments are made to identifiable services like BitVPN or third-party payment gateways like BitPay.com. The latter is a service that lets anyone accept Bitcoin payments on their website — a middle-man — who converts the funds to cash or forwards the Bitcoin on to their customers.

Various payments are made on Chain A until a split occurs where 5 BTC is moved to a new address where payments continue in the same pattern (referred to as Chain B).

Chain A Payments

In the diagram below the reader can see that immediately after a payment to BitVPN the GRU wallet holder decided to move 5 BTC into a new address (Chain B), where the payment pattern continues.

Chain A Split to Chain B (w/ 5 BTC)

Consolidation and Discovery

At some point the trail for Chain A ends with a merger of Bitcoin with other addresses in the same transaction: a consolidation of leftover funds from other GRU wallets.

This is where things become interesting: we can now see other GRU wallets that are directly connected to the original Chain A because they deposit their leftover funds into the same destination addresses in the same transaction.

In the transaction above the Chain A address (1HvWT…) moves funds in the same transaction with an input address not found anywhere else in Chain A. This second address, (16xyGa…), is part of some new chain we haven’t seen so far, which we’ll call Chain C.

This sort of transaction has multiple inputs, which requires that both address owners sign each input with their private key — implying commonality of either ownership or mutual interest.

Chain A Merging With Chain C, with New Chains D and F

Visually, this particular transaction may look complex but is actually easy to decipher: both incoming addresses are depositing funds to the same destinations, splitting it into an exact 2.5 BTC in one and 0.20223736 BTC of uneven change in the other.

Each of those destination addresses becomes a new payment chain, thankfully with short histories, which I’ve marked as Chain D and Chain F, corresponding to the 2.5 BTC and 0.20223736 BTC amounts respectively.

We’ll return to those new chains soon, but first let’s finish the original connection with Chain C and see where it originates.
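As an added illustration of the tracing steps described above (searching a 24-hour window for an exact amount, walking backwards through change addresses to the funding deposit, and treating co-spent inputs as one owner), the following Python script is not the author's tooling; it runs over a constructed ledger, and every transaction id, address and amount in it is made up.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample ledger (not real transactions): each record lists the
# addresses spent as inputs and the (address, amount) pairs created as outputs.
TXS = [
    {"txid": "t0", "time": "2015-12-15T09:00", "inputs": ["exch1", "exch2"],
     "outputs": [("a0", 11.8445)]},                        # exchange withdrawal funds a0
    {"txid": "t1", "time": "2016-02-01T11:00", "inputs": ["a0"],
     "outputs": [("vendor1", 0.026043), ("a1", 11.8)]},    # payment, change to a1
    {"txid": "t2", "time": "2016-02-01T23:00", "inputs": ["x9"],
     "outputs": [("vendor2", 0.026044), ("x10", 1.0)]},    # near miss: amount differs
    {"txid": "t3", "time": "2016-03-01T11:00", "inputs": ["a1"],
     "outputs": [("vendor1", 10.0), ("a2", 1.7)]},
    {"txid": "t5", "time": "2016-01-11T09:00", "inputs": ["exch3"],
     "outputs": [("c0", 5.4644)]},                         # second exchange withdrawal
    {"txid": "t6", "time": "2016-01-20T09:00", "inputs": ["c0"],
     "outputs": [("vendor3", 4.4), ("c3", 1.0)]},
    {"txid": "t4", "time": "2016-04-01T11:00", "inputs": ["a2", "c3"],
     "outputs": [("d0", 2.5), ("f0", 0.2)]},               # consolidation: a2 and c3 co-spent
]

def parse(t):
    return datetime.fromisoformat(t)

def find_by_amount(txs, amount, day, window_hours=24):
    """Txids with an output equal to `amount` (to the satoshi, 8 decimals)
    within +/- window_hours of `day`, an ISO date string."""
    centre = parse(day)
    return [tx["txid"] for tx in txs
            if abs(parse(tx["time"]) - centre) <= timedelta(hours=window_hours)
            and any(round(v - amount, 8) == 0 for _, v in tx["outputs"])]

def funding_tx(txs, address):
    """The transaction whose outputs paid `address`, or None if nothing in the
    ledger paid it (the funds came from outside the data set)."""
    return next((tx for tx in txs if any(a == address for a, _ in tx["outputs"])), None)

def trace_back(txs, address):
    """Walk backwards through inputs until reaching an address the ledger never
    pays: the original funding deposit. Returns addresses from origin to `address`.
    Follows only the first input of each hop; a branching wallet needs a set."""
    path = [address]
    tx = funding_tx(txs, address)
    while tx is not None:
        path.append(tx["inputs"][0])
        tx = funding_tx(txs, path[-1])
    return list(reversed(path))

def cluster_inputs(txs):
    """Union-find over addresses co-spent in one transaction: every input must be
    signed, so co-spent addresses are treated as one wallet (common-input-ownership)."""
    parent = {}
    def find(a):
        parent.setdefault(a, a)
        while parent[a] != a:
            parent[a] = parent[parent[a]]
            a = parent[a]
        return a
    for tx in txs:
        root = find(tx["inputs"][0])
        for a in tx["inputs"][1:]:
            parent[find(a)] = root
    groups = defaultdict(set)
    for a in parent:
        groups[find(a)].add(a)
    return {a: frozenset(groups[find(a)]) for a in parent}

def consolidations(txs):
    """Txids spending more than one input address: the merge points where
    separate chains are revealed as one owner (2-in/2-out is the diamond shape)."""
    return [tx["txid"] for tx in txs if len(set(tx["inputs"])) > 1]

def linked_chains(txs, address):
    """Origin-to-address chain for every address co-spent with `address`."""
    members = cluster_inputs(txs).get(address, frozenset({address}))
    return {a: trace_back(txs, a) for a in sorted(members)}
```

Running `linked_chains(TXS, "a2")` shows the two chains that meet at the consolidation both lead back to separate exchange withdrawals, which is the same reasoning used above to connect Chain A and Chain C.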

Chain C: More Money

By tracing back the path of payments along Chain C it becomes clear that these funds also originated with the CEX.io exchange.

Chain C Funding From CEX.IO Withdrawal

This occurred on January 11th, 2016, with a deposit of 5.4644 BTC ($2,422.75) into the Russian controlled Bitcoin address:

Now that we know how much money flowed between Chain A and Chain C, we can see what happened to the leftover amounts.

Chain D: SpectroCoin.com

What happened to the 2.5 BTC?

A little more than half (1.50168541 BTC or $633.26) was deposited into an online Bitcoin wallet called SpectroCoin, run by a Lithuanian financial services company, which, like CEX.io, has a presence in the United Kingdom — London, again.

Chain D Deposits Into SpectroCoin.com Controlled Wallets

This occurred on April 8th, 2016 in the following transaction:

The second address in Chain D is associated with many other addresses owned by SpectroCoin.com, and was used to deposit the GRU’s ~1.5 BTC.

Any transactions performed using a SpectroCoin.com online wallet would be mixed with other users’ transactions; however, given the website requires registration and the deposits in question are clearly marked, it would be trivial for law enforcement to continue the trail once the funds were used or withdrawn.

What about the other ~1 BTC?

Chain D: The Abandoned Bitcoin?

It turns out that the other 0.99805659 BTC, worth $5,216.84 at the time of writing, has been left completely alone.

Indeed, it may become one of the loneliest Bitcoin in the world if the GRU operatives destroyed their records and abandoned the private key for that address after their work was compromised by the indictments.

The Loneliest Russian Bitcoin

Currently this address, 1J8kvixEnAnGDEDwkfqJS246sXdW1mhkvB, has been left untouched since April, 2016.

Is there anything else we can learn by examining these other blockchain trails?

Chain F: The Flipside

Chain D started as part of a merger transaction between Chain A and Chain C. Curiously, both outputs for this event, the destination and change addresses, appear to have been controlled by the GRU operatives.

Since we’ve just finished exploring the very short Chain D, let’s look at the very short Chain F.

Chain F is the Second Result From Chain A and Chain C, Leading to Chain E

As you can see in the bottom right portion of the diagram above Chain F only lasts for a single node before outputting its funds (0.20223736 BTC or $85.36) into the same addresses as a completely different payment chain, marked Chain E, in the same transaction.

Just like Chain C, we’ve suddenly found yet another GRU series of payments being consolidated as the funds began running low.

Chain E: Even More Money

Chain E, Funded by Another CEX.io Withdrawal

Using the same traceback methodology employed for Chain C we can find that a withdrawal from CEX.io on February 2, 2016 for 4.1721 BTC ($1,585.61) was sent to the following Bitcoin address:

The Diamond Pattern

The merger of Chains E and F resembles a diamond: on one side an address splits into two destination addresses, and on the other side yet another address splits into those same two destination addresses.

Chain E and F Merger / Diamond Pattern

In other words, there are two source addresses, 1DqYi… and 1BP6c…, and each one outputs to the same two destinations:

Once again this occurred in the same transaction, so we know the signature for the transaction was authorized by the same (or mutually agreeing) party: the GRU operatives.

At this point the payments from those addresses quickly spiral into larger wallets that are obviously not under the GRU operatives’ control, such as payments that end up in transactions linked with MercadoBitcoin.com.br.

This latter sort of loose transaction link is very tangential and not at all hard evidence, unlike the earlier payment chains. Yet, curiously, a few of the payments from the second indictment also lead towards MercadoBitcoin.com.br in a transaction sharing a change address.

Trail #2: Olympic Hacking Indictment

Another Magical Amount: 0.012684 Bitcoin

The second indictment has a very familiar paragraph about linking a given Bitcoin payment address to the emails that the federal investigators had in their possession, exposing the web of Bitcoin payments the GRU operatives were making to help fund their cyberattacks and disinformation campaigns.

And, just as in the first indictment, only one transaction in the 24 hour timeframe around August 8th, 2016 matches that 0.012684 amount exactly:

Paying for a Domain

Sure enough, this payment for 0.012684 BTC ($7.50) was sent to 1JcpHK5JAyfXYP16LrZmRbbSUL151h6ATG and this address is actually a Bitcoin payment address for https://bitcoin-dns.hosting (currently linked to: https://www.domains4bitcoins.com/).

Based on the preceding paragraph in the indictment we could confidently conclude that this was a payment for a one-year registration for either wada-arna.org (the indictment may incorrectly list it as wada.arna.org) or tas-cass.org.

Public DNS records show that, indeed, wada-arna.org was registered using BITCOIN-DNS.HOSTING in August, 2016.

HosterStats.com Historical DNS Entries

The evidence that this new payment chain was also owned by the GRU is mounting up. I refer to this new chain as Chain L, as I had given myself some room in my data-sets for exploring other side-chains from the first indictment.

Chain L: Funded by BTC-e.com

Following the funding and payments backwards over time shows that Chain L was funded by a withdrawal from the BTC-e.com exchange on May 30th, 2016 of 2.079 BTC ($1,101.87).

That transaction is listed below:

And the originating address, 1PDaa… was a pass-through address linked to the BTC-e.com cryptocurrency exchange wallet.

About BTC-e.com and Fancy Bear

It’s worth noting some historical information about the now defunct BTC-e.com cryptocurrency exchange.

It was shut down and seized by the U.S. government on July 26th, 2017. Its suspected administrator, Alexander Vinnick, a Russian national and alleged hacker, was indicted on 21 counts of money laundering. The indictments accuse Alexander Vinnick of controlling stolen funds from the infamous Mt. Gox hack. Tom Robinson of Elliptic, in an article by Bloomberg news, referenced the original 0.026043 BTC payment chains from the first indictment and found strong indications, but not a direct link, between the GRU operatives (as the Fancy Bear hacking group) and BTC-e.com during software-assisted analysis of the blockchain. Based on Chain L and the 0.012684 BTC payment chains we can now link the two.

Incredibly, Sputnik News reported on an attempted assassination plot on Alexander Vinnick in October of 2018.

Another Diamond Pattern

After a series of payments Chain L enters a diamond pattern and merges funds with a new chain, Chain M.

This occurs at the following transaction:

This time the purposes of the merger’s destination addresses are simpler: the eventual proceeds of the payment go to BITCOIN-DNS.HOSTING once again, while the change goes to a Xapo.com wallet.

At this point of the merger the leftover funds, 0.22955723 BTC ($132.02), are no longer in an easily searchable blockchain payment chain; like the other chain that deposited into a SpectroCoin.com wallet, they have been sent to an online wallet service, in this case Xapo.com.

Let’s continue tracing back Chain M to find the funding source.

Chain M: Funded by CEX.io

And it turns out that Chain M was funded on August 5th, 2016 in the amount of 1.0945 BTC ($625.86) through a withdrawal from CEX.io.

The originating transaction can be found below:

The initial deposit address that starts Chain M is:

A Tangential Connection Between the Indictments

While the two major networks of payments (A-F and L-M) never directly merge, it is possible to find a tangential link based on their payments to various vendors.

For instance, looking at the shortest path between one of the merger points, such as 1FnFRMpgvkUNGuxpsqDS69JtLKGqc5pQTs from the first indictment’s payment network, and the address indirectly referenced in the second indictment, 1EcjtXVtxsHvAkageYaYdnHVpxfkBng1jh, shows an incredibly short path through the blockchain that doesn’t pass through any major exchanges or mixers first.

What’s happening here is that the service that received payment from the first indictment Bitcoin wallets tangentially dealt with a transaction where payment was received from the second indictment wallets.

This address, and its associated addresses, is held by MercadoBitcoin.com.br.

While the link is through a change address (1LZQo…) that appears to be a BitPay.com forwarding address, it’s clear that the GRU team had a penchant for depositing leftover funds in online wallet services once they were done making payments on the Bitcoin blockchain itself.

Conclusion

The U.S. Department of Justice indictments and the Mueller Report all provide indirect reference to Bitcoin payment histories by the GRU team (a.k.a. Fancy Bear).

This research demonstrates that, due to the specific wording of the indictments and the amounts chosen for inclusion, and despite any redaction of investigative methods, it is possible to reconstruct the Bitcoin payment histories of the GRU team as well as reveal where their funds were originally withdrawn from.

This payment history, combined with online resources like www.walletexplorer.com by Aleš Janda, demonstrates who was being paid and for what: registering domains for disinformation campaigns or buying VPN services, for example.

This article provided starting and ending points for all known chains associated with these payments.

CEX.io

It is equally clear that for the majority of their funding the GRU team had Bitcoin available in an account with CEX.io, most likely through their early “rent our mining pool” plan on which the company was first founded.

The payment chain source withdrawals from CEX.io line up with what we know from the redacted Mueller Report (footnote #113).

Q: How early did the GRU team begin using CEX.io to launder money into Bitcoin?

BTC-e.com

Additionally, the data now clearly shows that the GRU team drew on funds from the now shut down (seized by the U.S. government) cryptocurrency exchange: BTC-e.com.

The purported admin of BTC-e.com (Vinnick) is wanted on charges of money laundering and involvement in the infamous Mt. Gox hack.

Q: Is there a direct link between BTC-e.com, Vinnick/Mt. Gox funds, and the GRU hacking team?

Q: Did the GRU team use stolen Mt. Gox funds?

Q: Did the GRU assist in the original Mt. Gox hack?

Disposition of Remaining Funds

Further targets for subpoenas or law enforcement questioning would involve companies that received the consolidated leftover funds, such as SpectroCoin.com and Xapo.com.

Also, payment vendors, such as:

BitPay.com

Coinpayments.net

BitVPN

bitcoin-dns.hosting

…and numerous others.

Finally, there exists quite possibly the loneliest Bitcoin in the world, a single left-behind bitcoin, ready to be used as long as the GRU team still owns the private key associated with the wallet holding it.

All by itself, sitting, silently, since April, 2016:

Further Avenues of Research

The actual vendor payments have only been touched on lightly in this article, which focused mostly on the funding sources and disposition methods employed by the GRU.

We know that the Fancy Bear team paid for domains and VPN, but what else? By carefully following the vendor payment side-chains we may be able to find out what else the GRU paid for even if the answers are never released directly by the Mueller investigation team.

Resources Used

All of the resources used to follow these trails are public and freely available.

Investigative Methodology

To be clear: the Mueller team did not discover this data in the same manner described in the article.

Rather, while we may not know the details about their investigative techniques (redacted in the report), the indictments themselves reveal that they had the vendor payment receipt emails available to them: a much higher quality source of information.

This article and research simply reconstructed the GRU bitcoin payment history, as best possible, based on the exact dates and exact amounts referenced within the indictments.

No doubt the U.S. government, as the owner of the seized BTC-e.com, has much more data about what funds were used where, when, and by whom than could ever be gleaned by a simple blockchain analysis.

Maybe one day we’ll learn everything that the Mueller investigation uncovered. Until then, at least we can follow the crumbs left behind on the blockchain.

About the Author

Tim Cotten is a software and blockchain developer with an interest in security research. As the CTO of Agilla Pro he works on modernizing e-commerce ecosystems with distributed ledger technology. He is also a core developer of Mochimo, the post-quantum cryptocurrency, and maintainer of the Trinsicoin.com project.