Bitcoin Money Laundering and Mueller’s 12

A Blockchain Analysis of the July 13th Mueller Indictment

This article gives an overview of how indicted Russian spies used Bitcoin to purchase services, such as BitVPN, to support hacking the Democratic National Committee (DNC) during the 2016 U.S. presidential election. It contains a simple reconstruction of the most obvious Bitcoin transactions associated with the evidence documented in the Grand Jury indictment of July 13th, 2018.

On July 13th, 2018 the Grand Jury for the District of Columbia indicted 12 operatives from the Russian Federation’s Main Intelligence Directorate of the General Staff (GRU) on eleven counts related to the hacking of the Democratic National Committee (DNC).

This indictment was a direct result of Special Counsel Mueller’s investigation into Russian interference in the 2016 U.S. election. In one of the most notable cases of blockchain technology being referenced in an international criminal case, it features an entire section (Count Ten) dedicated to money laundering using Bitcoin to pay for hacking-related services.

PBS has shared the document on their website and provided a direct link here: https://d3i6fh83elv35t.cloudfront.net/static/2018/07/Muellerindictment.pdf

PBS: Read Mueller’s full indictment against 12 Russian officers for election interference

Bitcoin was used to obfuscate money trails, purchase domains, host webservers, and for “otherwise making payments in furtherance of hacking activity.”

Count Ten: Conspiracy to Launder Money

More incredibly, the indictment cites specific examples of the Bitcoin activity, including a reference to a unique transaction on February 1st, 2016 for 0.026043 BTC in Block #396123.

The Smoking Gun: Caliber 0.026043

Paragraph 60 of the indictment specifically calls out that the “gfadel47” account was instructed to “[p]lease send exactly 0.026043 bitcoin” to “a certain thirty-four character bitcoin address.”

An analysis of the Bitcoin blockchain during that February 1st, 2016 time-frame (including one day before and after) shows that only a single transaction matches the 0.026043 amount.

In short, we can be confident that the bitcoin address used in the alleged conspiracy was 1LQv8aKtQoiY5M5zkaG8RWL7LMwNzVaVqR. Further, we can identify other addresses related to this one and, to some degree, the various spends made by the Russian operatives in pursuit of hacking the DNC.
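The two steps just described, an exact-amount search over a one-day window on either side of February 1st, 2016 and the expansion from the matching address to related addresses and their spends, can be reproduced with a short analysis script. The block below is an added example and is not code from the original article. Every transaction record in it is constructed for illustration: only the 0.026043 BTC amount, the block height 396123, the txid and the receiving address are taken from the article, and the payer addresses, the timestamps, the other addresses (all beginning with "1X") and the other values are placeholders. Related addresses are found with the common-input-ownership heuristic (addresses spent together as inputs of one transaction are assumed to belong to one wallet), and the February 1st opening price quoted later in the article is used to put a dollar figure on the spend.

```python
"""Exact-amount search plus address clustering over a small, constructed
transaction set. Added example, not part of the original article."""
from datetime import datetime, timedelta, timezone
from decimal import Decimal, ROUND_HALF_UP

SATOSHI = 100_000_000  # satoshis per bitcoin

# Values quoted in the article; everything else below is constructed.
ARTICLE_TXID = "3c4c026ce8a285ddc281f78e5f9d00df2c19d627904165696faf8263a6f34761"
ARTICLE_ADDR = "1LQv8aKtQoiY5M5zkaG8RWL7LMwNzVaVqR"
ARTICLE_HEIGHT = 396123
WINDOW_CENTER = datetime(2016, 2, 1, tzinfo=timezone.utc)


def utc(*parts):
    return datetime(*parts, tzinfo=timezone.utc)


# Constructed transaction set. Addresses beginning with "1X" are placeholders,
# and the block heights and timestamps are invented but in a plausible order.
TXS = [
    # Decoy one day earlier with a near-miss amount (0.02604 BTC)
    {"txid": "deadbeef01", "height": 395990, "time": utc(2016, 1, 31, 18, 0),
     "inputs": ["1XpayerOther"], "outputs": [("1XsomeoneElse", 2_604_000)]},
    # The payment the article identifies (payer, change and timestamp constructed)
    {"txid": ARTICLE_TXID, "height": ARTICLE_HEIGHT, "time": utc(2016, 2, 1, 12, 0),
     "inputs": ["1XpayerA"],
     "outputs": [(ARTICLE_ADDR, 2_604_300), ("1XpayerAchange", 5_000_000)]},
    # The recipient later co-spends with a second address: same wallet
    {"txid": "deadbeef03", "height": 396410, "time": utc(2016, 2, 3, 8, 0),
     "inputs": [ARTICLE_ADDR, "1XwalletSibling"],
     "outputs": [("1XhostingProvider", 2_000_000), ("1XwalletChange", 600_000)]},
    # Same exact amount, but four days later: outside the search window
    {"txid": "deadbeef04", "height": 396700, "time": utc(2016, 2, 5, 9, 0),
     "inputs": ["1XpayerB"], "outputs": [("1Xunrelated", 2_604_300)]},
    # The change address is itself co-spent with the sibling, joining the cluster
    {"txid": "deadbeef05", "height": 397420, "time": utc(2016, 2, 10, 8, 0),
     "inputs": ["1XwalletChange", "1XwalletSibling"],
     "outputs": [("1XdomainRegistrar", 500_000)]},
]


def btc_to_sat(amount: str) -> int:
    """Integer satoshis avoid float drift: "0.026043" -> 2604300."""
    return int((Decimal(amount) * SATOSHI).to_integral_value())


def find_exact_amount(txs, amount_btc, center, days=1):
    """Outputs of exactly amount_btc within +/- days of center."""
    target = btc_to_sat(amount_btc)
    lo, hi = center - timedelta(days=days), center + timedelta(days=days)
    hits = []
    for tx in txs:
        if not (lo <= tx["time"] <= hi):
            continue
        for addr, value in tx["outputs"]:
            if value == target:
                hits.append((tx["txid"], tx["height"], addr))
    return hits


def cluster_addresses(txs, seed):
    """Common-input-ownership heuristic via union-find: every address that was
    ever spent in the same transaction as seed (transitively) is grouped with it."""
    parent = {}

    def find(a):
        parent.setdefault(a, a)
        while parent[a] != a:
            parent[a] = parent[parent[a]]  # path halving
            a = parent[a]
        return a

    for tx in txs:
        first, *rest = tx["inputs"]
        for other in rest:
            ra, rb = find(first), find(other)
            if ra != rb:
                parent[ra] = rb
    root = find(seed)
    return {a for a in list(parent) if find(a) == root}


def trace_spends(txs, cluster):
    """Outputs paid from the cluster to addresses outside it: the wallet's spends."""
    spends = []
    for tx in txs:
        if any(a in cluster for a in tx["inputs"]):
            for addr, value in tx["outputs"]:
                if addr not in cluster:
                    spends.append((tx["txid"], addr, value))
    return spends


def sat_to_usd(sats, price_usd):
    """Fiat value at a quoted price, rounded to cents with Decimal arithmetic."""
    value = Decimal(sats) / SATOSHI * Decimal(price_usd)
    return value.quantize(Decimal("0.01"), rounding=ROUND_HALF_UP)


if __name__ == "__main__":
    hits = find_exact_amount(TXS, "0.026043", WINDOW_CENTER)
    for txid, height, addr in hits:
        print(f"match: tx {txid} in block {height} pays {addr}")
    cluster = cluster_addresses(TXS, hits[0][2])
    print("related addresses:", sorted(cluster))
    for txid, addr, value in trace_spends(TXS, cluster):
        print(f"spend: {value / SATOSHI:.8f} BTC to {addr} in tx {txid}")
    print("USD value at the Feb 1st open of $369.35:", sat_to_usd(2_604_300, "369.35"))
```

Two points matter when running this against real chain data. Amounts are compared as integer satoshis, because a floating-point comparison against 0.026043 can miss the exact match the article relies on. And the common-input-ownership heuristic is only a lead: CoinJoin transactions and exchange hot wallets that batch many customers' coins both violate it, so a cluster is something to corroborate with other evidence, as the indictment does with the VPN and persona mistakes, not proof of a single owner on its own.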

Everything is Public on Bitcoin

The Bitcoin blockchain does not anonymize or hide details about its users, unlike alternative blockchains such as Monero. Additionally, the entire history of the blockchain, including empty or fully spent addresses, is retained by the mining nodes, unlike newer cryptocurrencies such as Mochimo (which uses ChainCrunch™ technology to summarize the ledger state at intervals).

Thus, all Bitcoin transactions are permanently documented and there are various means of linking IP addresses with the transactions being broadcast to the network. In fact, it’s quite possible to associate IP addresses with Bitcoin addresses simply by connecting to enough of the active nodes in the Bitcoin network and “listening in.”

It’s important to understand that the Bitcoin blockchain itself doesn’t store IP addresses, but the Bitcoin node architecture doesn’t make any special effort to obfuscate or hide the IP addresses sending transactions to the mining nodes. Various organizations and intelligence agencies no doubt run enough nodes on popular blockchain networks to maintain private repositories of user IP addresses and their associated Bitcoin addresses.

Can’t IP addresses be hidden through proxies or Virtual Private Networks? That sort of protection only shields a certain amount of activity. As an example, Special Counsel Mueller’s indictment specifically addresses the use of Virtual Private Networks (VPNs) and the mistakes made by the operatives allowing the identification of personas such as “Guccifer 2.0” and their associated Bitcoin usage.

A Brief Review: Mueller’s 12

GRU

The Main Intelligence Directorate (Главное разведывательное управление), or GRU (ГРУ) for short, is the foreign military intelligence agency of the Russian Federation.

The indictment specifically lists two internal units, Unit 26165 and 74455, as being involved in cyber operations to interfere with the 2016 U.S. presidential election.

The 12 Russian Operatives

The Grand Jury has indicted twelve Russian operatives: Viktor Borisovich Netyksho, Boris Alekseyevich Antonov, Dmitriy Sergeyevich Badin, Ivan Sergeyevich Yermakov, Aleksey Viktorovich Lukashev, Sergey Aleksandrovich Morgachev, Nikolay Yuryevich Kozachek, Pavel Vyacheslavovich Yershov, Artem Andreyevich Malyshev, Aleksandr Vladimirovich Osadchuk, and Aleksey Aleksandrovich Potemkin.

They are accused of gaining unauthorized access to the computers of people involved in the 2016 U.S. presidential election, as well as stealing documents from those computers and arranging their release through other organizations.

The 11 Counts

Count One and Eleven: Conspiracy to Commit an Offense Against the United States

The first and last counts detail, in depth, how the Russian military intelligence officers involved in the hacking compromised the computer systems and networks of the Democratic Congressional Campaign Committee (DCCC) and the Democratic National Committee (DNC).

Spearphishing campaigns were used to compromise email accounts; network analysis and security probes were performed to identify weaknesses; malware was installed on routers; Russian intelligence-specific hacking software such as X-Agent was deployed (and persisted despite removal attempts); and documents were stolen en masse.

Further, the operatives conspired with other organizations to release the documents publicly.

Counts Two through Nine: Aggravated Identity Theft

The identity theft counts are generally concerned with the phishing and hacking of email accounts, including credential-based identity impersonation.

Counts 2 through 9: Compromised Email Accounts

Note that the approximate compromise dates fall in the March to July time-frame, while the Bitcoin transaction referenced at the beginning of the article (for an unnamed resource, such as registering a domain name or making a monthly web-hosting payment) took place on February 1st: well in advance.

Count Ten: Conspiracy to Launder Money

The meat of this article is Count Ten, wherein the use of Bitcoin (amongst other cryptocurrencies) is identified as a method the operatives used to procure equipment and resources for the hacking and information-dissemination campaigns.

$95,000 Spent in Cryptocurrencies in 2016

It’s of note that the U.S. federal government considers the use of cryptocurrency to circumvent transaction identification, or the attempt to buy resources anonymously, as evidence of money laundering.

Bitcoin Value in February of 2016

On February 1st the opening price for Bitcoin was approximately $369.35 according to CoinMarketCap.

With the example transaction https://www.blockchain.com/en/btc/tx/3c4c026ce8a285ddc281f78e5f9d00df2c19d627904165696faf8263a6f34761 containing a spend of 0.026043 bitcoin, the value at the time would have been approximately $9.62.