Quantifying cybercriminal bitcoin abuse

Doctoral thesis (2023)

Authors

K. Oosthoek Cyber Security - EEMCS
Research Group
Cyber Security (EEMCS) (TU Delft)
Copyright: © 2023 K. Oosthoek
DOI
help_outline
https://doi.org/10.4233/62782ffc-5958-4eff-b429-545c34405200b
Bitcoin Cybersecurity Cybercrime
More Info
expand_more

Published Date

2023

Language

English

Reuse Rights

Other than for strictly personal use, it is not permitted to download, forward or distribute the text or part of it, without the consent of the author(s) and/or copyright holder(s), unless the work is under an open content license such as Creative Commons.

Faculty

Electrical Engineering, Mathematics and Computer Science

Department

Intelligent Systems

Research Group

Cyber Security

Abstract

Cybercrime is negatively impacting everybody. In recent years cybercriminal activity has directly affected individuals, companies, governments and critical infrastructure. It has led to significant financial damage, impeded critical infrastructure and harmed human lives. Defending against cybercrime is difficult, as persistent actors perpetually hunt for soft spots in Internet-connected systems, which exist due to either lax vulnerability management or for convenience, complicating adequate detection and mitigation. Cybercriminal actors are financially motivated and for their doings and dealings they rely on Bitcoin. Alternatives exist, but Bitcoin has proven to be the most liquid digital currency, meaning it is easy to swap and to conceal illicit transactions. The magnitude of many cybercriminal activities is largely unknown. However Bitcoin runs on a blockchain - an open, dentralized ledger, allowing virtually everyone to analyze financial transactions, as opposed to traditional banking. Furthermore, contrary to popular belief Bitcoin is pseudonymous, not anonymous and several techniques exist to identify illicit activity. In this thesis, we illuminate three cybercriminal ecosystems that did not receive significant prior research attention: Bitcoin exchange heists, ransomware and single-vendor shops in the Dark Web. For each of these, we gather datasets from open sources. We first focus on the technical behavior and financial impact of attacks on Bitcoin exchange platforms. We also highlight the ransomware ecosystem, showing how it moved from small to large-scale attacks with similar financial impact. We further focus on how small shops in the Dark Web generate significant revenue with niche illicit activity. To understand the financial impact within each of these ecosystems, we analyze associated financial transactions. We also apply heuristics to discover additional Bitcoin addresses controlled by the same actor. We observe that cybercriminal actors successfully extract millions of funds from Bitcoin exchanges through relatively low-level attack vectors. When compared with traditional financial institutions, the lack of sophistication of attacks and the accompanying financial impact is unprecedented. In our analysis of ransomware, we observe attackers have shifted from attacking individual users resulting in relatively small ransom amounts to targeting large organizations with significant financial resources, resulting in multimillion ransom payments. We also find that with this shift, attackers have also improved their operational security in address usage and money laundering. For Dark Web shops, we found that this relatively uncharted territory of the Dark Web as compared to the bigger marketplaces specializes into niches such as sexual abuse material and various forms of financial crime. To allow for future research in this area, we introduce a methodology to estimate illicit revenue based on web scrape results and cluster these on category.