Congrats. You've just pulled off a global ransomware attack.

Now comes the hard part: Accessing your money.

WannaCry ransomware is believed to have infected more than 200,000 systems in over 150 countries since it was first reported on May 12 — encrypting computers and demanding Bitcoin payments from unlucky victims in the process.

Although the attack has mostly stopped spreading, the ransom continues to pile up in three Bitcoin addresses presumably controlled by those responsible. But with the eyes of the world's law enforcement locked in on those very addresses, will the perps ever see a millibit of their ill-gotten gains?

It's complicated

Bitcoin crashed into public view with the 2013 downfall of the dark web marketplace the Silk Road. The cryptocurrency isn't explicitly tied to a person's real-world name, thus making it well suited for the type of illegal online transactions that made the Silk Road famous.

However, that doesn't mean Bitcoin transactions can't be tracked.

Transactions are public and recorded in the blockchain by design. In the case of WannaCry ransom payments, there's even a Twitter bot set to monitor both the balance of the three Bitcoin addresses in question and whether or not anything is withdrawn or transferred out.

Which brings us back to the person or persons responsible for the recent attack. How can they manage to turn their Bitcoin into cash — be that euro, dollar, or renminbi — without being identified and apprehended in the process?

According to one expert, Adam Gibson, the answer is not likely to please anyone seeking justice.

"Assuming the criminals are sophisticated, they have quite a range of options, although I suppose none are without risk," Gibson, who is one of the main contributors to the Bitcoin anonymizing service JoinMarket, explained.

That the options are risky will likely not slow down the culprits behind what is being described as the largest ransomware attack ever. It will, however, force those responsible to go to unusual lengths to obscure the source of their ransomed Bitcoin — or chance losing their freedom along with their BTCs.

Laundering Bitcoin

Let's assume the attacker wants his or her hard-earned cryptocurrency, but doesn't want to give away identifying information while converting it into cash. Hiding the source of the funds would be a good start, but how do you launder Bitcoin?

There are quite a few ways, it turns out, though all offer varying degrees of reliability. People looking for some anonymity in their Bitcoin — not just criminals — can use services known as mixers or tumblers. These allow people to essentially throw their BTC into a virtual pot and get new BTC out (minus a service fee).

Another play would be to use a service like ShapeShift to swap tumbled BTC for a more privacy-focused cryptocurrency like Monero. ShapeShift allows for account-free transactions of digital currencies, and exchanging tumbled BTC for Monero, and then Monero back to BTC, and then tumbling that again would make the gains from WannaCry incredibly hard to track.

The problem with all of this is that the Bitcoin addresses used by the WannaCry attackers have a huge target painted on them by law enforcement, and tumbling services or exchanges like ShapeShift may decline the transactions as a result.

In that case, the attackers would be right back where they started — staring at BTC just out of their reach.

But all is not lost. The aforementioned JoinMarket, which is a decentralized method of making joint payments (called "CoinJoin") and thus confusing third parties as to the source of Bitcoin, has no centralized authority that would decline a potentially blacklisted address like the ones used by the WannaCry attackers.

Gibson confirmed that JoinMarket is one of numerous possible ways an individual could theoretically hide the source of BTC — even pointing to a recent case where it appears someone moved almost $800,000 worth of stolen Bitcoin through JoinMarket.

"I suspect, although for sure don't know, that this mixing effort was successful in allowing them to move and trade the coins elsewhere," he explained.

As to the legality of these services? Basically, it's a gray area.

"[It's] difficult to even begin to work it out," Gibson noted. "[Any] bitcoin transaction with more than 1 input and more than 1 output could be a coinjoin, so it's kinda hard to see exactly how it would be decided what kind of transaction is 'illegal.'"

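Because every transaction is public, the kind of monitoring the Twitter bot performs on the three addresses can be sketched in a few lines. This is an added example, not code from the article or from that bot: the address labels and transactions are constructed placeholders, and the `coinjoin_shaped` flag only marks the more-than-one-input, more-than-one-output shape Gibson describes, which is ambiguous rather than proof of a CoinJoin.

```python
# Placeholder labels: the article does not list the three ransom addresses.
WATCHED = {"ADDR_A", "ADDR_B", "ADDR_C"}

# Constructed transactions, not real chain data. Each input/output is
# (address, value in satoshi); 100,000,000 satoshi = 1 BTC.
TXS = [
    {"txid": "tx1", "inputs": [("victim1", 17_100_000)],
     "outputs": [("ADDR_A", 17_000_000)]},
    {"txid": "tx2", "inputs": [("victim2", 35_000_000)],
     "outputs": [("ADDR_B", 17_000_000), ("victim2", 17_900_000)]},
    {"txid": "tx3", "inputs": [("victim3", 34_100_000)],
     "outputs": [("ADDR_A", 34_000_000)]},
    {"txid": "tx4",
     "inputs": [("ADDR_A", 17_000_000), ("other1", 20_000_000), ("other2", 17_500_000)],
     "outputs": [("n1", 17_000_000), ("n2", 17_000_000), ("n3", 17_000_000),
                 ("n4", 2_900_000), ("n5", 400_000)]},
    {"txid": "tx5", "inputs": [("ADDR_B", 17_000_000)],
     "outputs": [("n6", 16_900_000)]},
]


def scan(txs, watched):
    """Replay transactions in order; return (balances, alerts)."""
    balances = {addr: 0 for addr in watched}
    alerts = []
    for tx in txs:
        for addr, value in tx["outputs"]:
            if addr in watched:
                balances[addr] += value      # incoming payment
        spent = [(a, v) for a, v in tx["inputs"] if a in watched]
        for addr, value in spent:
            balances[addr] -= value          # funds leaving a watched address
        if spent:
            alerts.append({
                "txid": tx["txid"],
                "from": sorted(a for a, _ in spent),
                "moved": sum(v for _, v in spent),
                # >1 input and >1 output *could* be a CoinJoin; it is not proof.
                "coinjoin_shaped": len(tx["inputs"]) > 1 and len(tx["outputs"]) > 1,
            })
    return balances, alerts


if __name__ == "__main__":
    balances, alerts = scan(TXS, WATCHED)
    print("held (BTC):", sum(balances.values()) / 100_000_000)
    for alert in alerts:
        print("ALERT", alert)
```
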
Cash is king

But what if you just want to take the money and run? The idea of quickly turning the ransomed Bitcoin into dollar bills and then disappearing certainly has some appeal, and there are ways to sell troubled BTC for cash.

Doing it anonymously, on the other hand, is tricky.

While companies like CoinSource offer what they refer to as a Bitcoin ATM Network — allowing people to buy or sell BTC at 109 machines around the U.S. — there are restrictions in place that mean selling large amounts of criminally-tainted Bitcoin through these machines would not be the smartest idea.

In the case of WannaCry, even if the attackers were in the U.S. and near these machines they would run into problems. A CoinSource spokesperson confirmed that their ATMs have a daily limit of $3,000, and that any transaction over $800 requires an ID.

What's more, CoinSource reports to the United States Financial Crimes Enforcement Network and the United States Office of Foreign Assets Control — two organizations you're looking to steer clear of if you're behind WannaCry.

One method around these roadblocks would be to sell the Bitcoin via a local peer-to-peer exchange like LocalBitcoins. LocalBitcoins operates in 248 countries and lets you set your own terms for transactions — including requiring cash — and meet in person to conduct them.

This would be a straightforward way to swap the ransomed BTC for cash, but you'd still need to break the total into smaller amounts to avoid detection and find enough people looking to quickly score cryptocurrency.

Oh, and it would help if those people were not undercover cops.

Walking away

There is another option.

The amount of ransom hanging out in those three Bitcoin addresses is actually not that much when you consider the scale of the attack. That's because despite WannaCry's success in spreading, thanks in part to the leaked NSA exploit EternalBlue, only a fraction of victims have paid up. We know this because, again, Bitcoin transactions are public.

At the time of this writing, the combined addresses show a total of just around 41 BTC in ransom payments. That equals approximately $72,000. And while that amount will certainly increase, it may not go up all that much.

Word appears to have gotten out that the attackers are not providing decryption keys — even in cases where people have paid. And without those keys, victims aren't going to regain access to their digital stuff.

A lot of reports that people have paid the ransom and not gotten decryption keys. The system looks manual which is impossible to scale. — MalwareTech (@MalwareTechBlog) May 15, 2017

For victims, the calculus of determining whether or not to pay changes dramatically when they can be reasonably sure that they won't be given the decryption keys either way. Why pay if your data is lost regardless of what you do?

DO NOT PAY the ransom for WCRY, a manual human operator must activate decryption from the Tor C2. See screenshots, I’ve tried to hack it… pic.twitter.com/xzbK8eqw3Q — Hacker Fantastic (@hackerfantastic) May 14, 2017

And so with law enforcement agencies from around the world on the hunt for the perpetrator, whoever released WannaCry may simply decide to cut their losses and walk away — leaving the ransom untouched and inaccessible in the process.

Home Free

In the end, though, why go to all this trouble just to leave the money sitting on the proverbial table?

Especially if you can get away with it.

Gibson believes that it's technically feasible for the attackers to escape with their loot in tow. Whether or not they actually pull that off, however, all comes down to their level of sophistication.

"[What] I've seen (I've only followed the story a bit) is anything but sophisticated, with only 3 receiving addresses, which seems amateurish to say the least," wrote Gibson. "Alternatively, it's a deliberate attempt to *look* amateurish, who knows :)"

And that's the thing about ransomware and cryptocurrency: It's almost impossible to know who's doing what until someone slips up. And you better believe the actors behind WannaCry are doing their best to make sure that never happens.



