Turns out, going after someone’s Bitcoin transactions is much easier than you might think. After all, as the saying goes, once you’re pwned, you’re pwned.

After Hacking Team, the Italian spyware vendor, was hacked earlier this month, and 400GB of its internal data was released, Ars reviewed many internal e-mails from the company. These documents clearly illustrate how simply Hacking Team's "Money Module" worked, and they provide a small glimpse into which customers were particularly interested in it.

In general, the Italian spyware company sold (and hopes to continue to sell) software that allowed targets to be surreptitiously surveilled as they used computers or smartphones, and its clientele included law enforcement agencies worldwide. Back in January 2014, Hacking Team internally announced a new feature as part of its version 9.2 upgrade to its Remote Control System suite, and the new iteration would include a way to "track cryptocurrencies, such as BitCoin [sic], and all the related information."

The Money Module also included support for Bitcoin alternatives including Litecoin, Feathercoin, and Namecoin.

Nicholas Weaver, a researcher at the International Computer Science Institute in Berkeley, California, went through the same e-mails. He says that such a feature "shouldn’t be surprising."

"It is straightforward to grab the wallet.dat and related files and for malcode to get the password for this file when the user accesses their bitcoins," he told Ars by e-mail. "Similarly, one can also search for Bitcoin-related keywords in e-mail messages and other content on their computer. And once you have a copy of the wallet.dat file, you have the entire transaction history (as Ross Ulbricht can attest to)."

The wallet.dat file contains a user’s private keys, so when combined with the public transactions posted to the blockchain, Bitcoin’s shroud of secrecy is removed. In short, the attacker gets the keys to the kingdom.

That’s very close to what American federal authorities did to prove that Ross Ulbricht’s Bitcoin transactions were the same as Dread Pirate Roberts’ transactions. The biggest difference is that the FBI didn’t need to digitally infiltrate a computer in that case—they had physically seized Ulbricht's device, still running, during an infamous raid at the San Francisco library.

Using Hacking Team's solution, it wouldn’t matter if a target had encrypted wallet.dat, nor if he or she was using an online wallet (such as Coinbase.com). The company's embedded keylogger would surely capture the relevant password. And as one leaked company e-mail explained, the Money Module feature automatically exported this data to the "evidence" portion of the Remote Control System software.

A job well done

Hacking Team's Alberto Ornaghi, a software architect, e-mailed his colleagues in Italian with a few more details:

Hi all, from the 9.2 backend will support the new module MONEY for all platforms. We keep track of transactions in crypto-currencies targets (see history of silk-road) and in the demo we can also make a bitcoin transaction to buy drugs and see in the form of correlation to those who got that money (DEA: anyone interested? : P) the information we can get are: addressbook (list of all contacts and local accounts of the target), files (the wallet itself, containing the money and spend it for private keys), transactions (transaction history in/out of the target , useful for making correlations).

A few days later, Daniele Milan, the company’s operations manager, wrote:

I’m sure all of you heard about BitCoin, however here is some relevant context to position them in your pitch: cryptocurrencies are a way to make untraceable transactions, and we all know that criminals love to easily launder, move, and invest black money. [Law enforcement agencies], by using our Intelligence module combined with this new capability, can correlate the usage of cryptocurrencies, defeating the financial opacity they provide.

Hours later, CEO David Vincenzetti responded: "Well done!!!"

Egyptian, Saudi authorities interested in Bitcoin tracking

At the moment, no one knows the comprehensive list of who installed or used Money Module Version 9.2 in early 2014. But leaked e-mails show that both the Egyptian Ministry of Defense and the Saudi Ministry of the Interior e-mailed Hacking Team with support questions. Both countries rank quite low on Freedom House’s 2014 "Freedom on the Net" list.

Hacking Team e-mails also reveal that Vincenzetti himself was quite skeptical on the entire concept of Bitcoin even before his company’s introduction of Money Module. He wrote:

A currency offering close to total anonymity is obviously the currency of choice for ransoms of all kinds. This is just one of the reasons for Bitcoin should never become a monetary standard.

In February 2014, he also told his e-mail list:

Bitcoin as it is now has no future. But this does not imply that virtual currencies don’t have a future. That is, a modification of the actual Bitcoiin [sic], something different, fully traceable and supported by clearing houses and the global financial system as a whole might have a future.

In May 2015, after Ross Ulbricht was sentenced to life in prison as a result of being convicted of running Silk Road, Vincenzetti again opined on Bitcoin: