Tracking Bitcoin Transactions on the Blockchain – SANS DFIR Summit 2017


(ethereal music) (clapping) – Thank you very much, Phil. So, the black eye actually
came from a hockey injury. It was not ransomware
related I’m happy to say. But here, if you want
to see what I look like without the black eye,
it’s right here for you in full high definition. So, my name is Kevin Perlow, I currently work at
Booz Allen Hamilton, and I’m a malware analyst. I do cyber threat intelligence along with some threat hunting, some host forensics,
a nice mix of things. I went to school at
Georgetown University actually for business and just sort of worked my
way into this industry. Thought it was a little
bit more interesting. So, what we have here is
we’re gonna be talking about transactions on the blockchain, but we’re not just
gonna be talking about Bitcoin transactions. That’s gonna be
our primary focus. A little later on
we’re gonna talk about Namecoin transactions as well ’cause that’s something
you’re gonna start to see a little more nowadays. So the first thing is,
well what is a blockchain? A lot of time people talk
about the blockchain, and when they do that mean
the Bitcoin blockchain. But a blockchain
itself, it’s just a series of recorded
transactions on a public ledger that’s decentralized. So, a way to think about this, and using Bitcoin as an example, if I wanted, so my brother’s
here in the audience, if I wanted to pay him
a dollar right now, all of you would
watch me do that and so you would all
agree that it happened, we would record it to a database and that transaction, no one could ever dispute
that it took place. With a blockchain,
what you do is when you have enough of these
new transactions and new data, you put it on a
block and from there you take a hash of the
previous block of data, and you put it in this new
block and you store it. And that’s how it
builds on itself. That’s all a blockchain is. If you’re interested in the
cryptography behind a blockchain go to the RSA conference, we’re not gonna
talk about it here. But, if you wanna talk about
some other things you can do besides from monetary
transactions, we have medical records, you could potentially use
blockchain technology for this, although I think after
this presentation you’ll agree that
that’s a horrible idea. You can do currency,
which we mentioned, and you can do DNS,
domain name system, where you have a decentralized
domain name system and so you have some
resiliency behind your domain. So, Bitcoins have become
the defacto currency for really any sort of illegal
activity on the internet, but it was designed to
just be an anonymous, or pseudo anonymous, way
to conduct transactions. So, Bitcoins are built around something called Bitcoin
wallets and Bitcoin addresses. You can think of
a Bitcoin wallet as something that holds a
lot of prepaid debit cards, which would be the
Bitcoin addresses. And there is something
very interesting here. If you go to a store,
when you purchase a good or product
from that store you might only turn over, if you have $20 on one of
these prepaid debit cards, you might only turn over
15 of those dollars. But with Bitcoins, you
turn over the whole 20, and then it sends part of
it back to you as change. And so the way that it
goes back as change, it can either be
to the same address that sent it to the
recipient address, or it could go to a
different address. And that all just depends on how your Bitcoin wallet
is configured and which Bitcoin wallet
system you’re using. That particular nuance
is gonna be important for tracking some of
these things down. And so I have that
captured here. Two different examples,
the one on the top, lets assume you’re buying a
banned book for a Bitcoin. You might send 20 Bitcoins over, one would come back to
the same Bitcoin address. Alternatively, you have
the example on the bottom where you send 20 Bitcoins over, 19 go back to the … Sorry, I misspoke
on the first one, 19 go back to the
first Bitcoin address. On the second one, 19 go back
to the second Bitcoin address, it’s a totally
different address. And, you know, the
theory behind this is that it makes it a
little harder to tell who received verus who gave
the money in a transaction. So, that’s what we’re
gonna jump into here is how do we track
these transactions. There are really
only two resources that we’re gonna need. The first is Blockchain.info. It has an API, it’s very useful. It tracks all
Bitcoin transactions, and it records the
timestamps for them, it records the addresses
that were sending money, addresses receiving money. And what we can do with that is, anytime you have an address
from a ransom payment you can just throw it in there and see what you find. The other tool is going
to be Wallet Explorer. It does the same thing, but the purpose behind
Wallet Explorer, and the interface
behind Wallet Explorer, is instead to correlate the
addresses into certain wallets, and in some cases to
identify those wallets with Bitcoin exchanges, or
other major Bitcoin entities. So, they do two
different things, they work very well in tandem. The person that
made Wallet Explorer actually now works
for Chainanalysis, which you can think of as
the premium version of this. So we’re gonna be using
both of those tools. So we’re gonna start simple. We’re gonna use something
called the Globe Ransomware. This is not a major
ransomware family, but it illustrates what
we’re doing pretty well. So I did redact
the personal key, but you can imagine having
one of these messages show up on your screen, and I think most of
the people in this room have either handled an incident, or you do malware analysis,
you’re familiar with these. There’s also … What this message says, it says to go email
[email protected] and if you email him and you
tell him you’ve been infected, and you give him your id,
which we redacted here. He’ll go ahead and he’ll
give you a Bitcoin address. And you can also see
that there’s a price for point five Bitcoins that
you’re gonna have to pay. The first thing if you’re
handling one of these incidents, just to kind of, as
a bit of a side note, you wanna look up
that email address because you wanna see,
you wanna get a sense of has this guy been around
doing anything else. Has he used other ransomware
families – and he has. Do we know any other
TTP’s associated with him because we ultimately don’t
want to just decrypt our files, we want to prevent this
from happening again. This person, we suspect, is
primarily associated with RDP group force attacks, maybe even PS exact
remote, reports, attacks. So we got that address
from him, it’s at the top, right under the title
here, the 1Hyas, and we throw it
in Blockchain.info and this is what you get,
and this isn’t a full list, I snipped some
out of the middle. But you can see that
there were other people who paid 0.5 Bitcoins. So the good news is other
people are paying this person, you’re probably gonna
get your files back if you were to make a
payment and get the decrypter it’ll probably work. The bad news is other
people are paying this guy, I believe it’s 1.5
Bitcoins sorry, other people are
paying this guy and, so you probably do
also need to pay him to get your files back, there probably isn’t a
free decrypter out there otherwise who would bother. The next thing you wanna do is you wanna post this
on Wallet Explorer. So on this screen you can
see that total received, but on Wallet Explorer
you get a whole list of all the transactions
that this persons had, and so the output
from Wallet Explorer is on the left
part of the slide. You can dump it as a CSV, which shows up on the
right part of the slide. And what we can do here is take, take inventory of what
he’s been receiving. So, we’re interested in
probable ransom income, that’s gonna be ransom, or
that’s gonna be payments to this Bitcoin wallet where the amount was exactly
the same as in the ransom note, and we come up with 24 of those. Another metric I had, because we’re really
just estimating here, is what about possible
ransom income? The possible ransom
income is the, the metric I came up with was anything that was
four digits or fewer. So, if someone paid 1.75 that
might be a ransom payment, that’s a pretty specific amount. In the cyber
criminal underground, even though they use Bitcoins
for these transactions, they typically peg the Bitcoin to some sort of currency
value, often USD. And so what you’re
gonna see instead for more of a business
like transaction that’s not ransomware
transaction, you’ll see something
like 1.7829, some longer number like that. So that’s where we came
up with the other number. Now you might say this
is a pretty wide range, it’s a factor of two, but what I find,
and what we’ll see when we go into the Locky
example coming up in a second, is it’s really an
order of magnitude that we’re concerned about. So, this guy, we’re talking in
the 10s of 1000s of dollars, maybe up to $50,000
is what he’s received over the many months that
he’s been doing this, about six months,
a year to date. So, so that’s good. I mean this doesn’t
tell us a whole lot, but it illustrates the point
in how to use these tools. What we’re a little
more interested in is gonna be this Locky
ransomware example. This is one of my favorite ones. So, what’s interesting here is we’re gonna see
a sense of scale. So, Locky ransomware came out
in January, February 2016, it was famous for
hitting a hospital. And a hospital has to
stay in operations, so they had no choice
but to pay the ransom. And this Locky example,
what we’re gonna find is they’re not alone, a lot
of people have paid this. So on the bottom
right of this screen is gonna be the
Bitcoin address that you would have to pay for this
particular Locky instance. But what I have to point out is that for the
Locky ransomware, and for a lot of other
sophisticated cyber crime, or cyber crime group
affiliated ransomware, where it’s not just one actor, these are generated server side and they’re generated unique
to each instance of Locky. So, what that means is when
you first get this address it’s gonna be blank. I should also say, this
was one provided by another security analyst, I do just wanna thank them
for contributing this. They didn’t want me
to say who they were. But it is, we couldn’t
do this type of analysis without having this happen. So, because it’s a unique
Locky Bitcoin address, in order for us to get
any data out of this someone has to pay it. And, so that, once
someone pays it the criminal then
has to move the money because otherwise they
wouldn’t be able to use it, they wouldn’t be
able to cash it out, and it would be a totally
worthless exercise for everybody involved. And it happens here. On the bottom left
we have our victim, on the bottom right we
have that money being paid. Then it, this is just
the default interface for Blockchain.info, on the top left the
money moves again, and it moves as part
of a much larger, I think 80 Bitcoin transaction. And what that means is there were other Bitcoin
addresses involved in this. So our next step here is where things start
to get interesting. We wanna map out the blockchain. That might seem like
a daunting task, and it is, but here you go. So, on the left there’s
a script that’s on Github that you can use to do this, you plug in an address and it’ll map this out
in graphviz format. But we some very interesting,
just looking at this, and I know you can’t read them, we’ll get to that in a
second, we’ll zoom in. But, on the left, the
circles on the left, or the ovals on the left,
are gonna be people paying, those are gonna be the victims. In the middle those are
those intermediate addresses, and then on the right,
if we go back here, there we go, on the
right are gonna be those two addresses
that received the money, it turns out other
addresses are also funneling money into these two points. So, we’re interested in those, and that’s where we’re
gonna do our exploration. But first, someone earlier
had an enhance button, so do I and mines
better, it has a red box. So we have, this is one of the
other sections on that graph, and we’ve identified just by throwing this into
Blockchain.info, we’ve identified another
possible ransom payment because we have two Bitcoins that’s around the right
amount for, or three Bitcoins, whatever, it’s around
the right amount for a ransomware payment. And if you go and you
look at the other ones you’ll find the same thing
over and over and over again. So we do wanna dive into
where this money’s going. So we throw it into
wallet explorer and what do we have? Well, we have that this, one
of these receiving addresses is part of a much larger list and it’s received 81
pages on wallet explorer worth of transactions. This is a lot. In fact this is a very
very very very large number for a non Bitcoin exchange. You can also see, it’s a
little hard to read the numbers on there, but you can see a
lot of single digit numbers, those are gonna be
three, four, two, five, those are about the right
amount for a ransomware payment. And so if you go through
all 80 pages of this, that’s what you find
over and over again is that these guys
since January 2016, conveniently when
Locky came out, all the way through
October 2016, and then they took
a bit of a break, and then in January 2017, were receiving these
ransom payments. So our next question here is well what, you know,
what does this all mean? Like what can we do this data? The first thing I wanna do is come up with some
estimate, excuse me, some estimate of how
much money they’ve made. There are, there’s a
couple different ways, there’s a conservative one, so only transactions by .25, the one from before, the
four characters in length, and then one where we
just add them all up and we can do that. They’ve never even received
any increment over 10 Bitcoins. So it’s entirely possible everything here was
a ransom payment. And so you can see
the numbers there, I tend to think we’re talking somewhere between 13 and
14,000 Bitcoins on this. I’m sure other people have
paid them for other things, but the point stands, even back in 2016
Bitcoin currency value, we were looking at
over $10,000,000 from January through October. That’s crazy, and when
you do the victim count you’re looking at 6,000,
8,000 victims that have paid. That’s not even the people that
were just infected with it, and couldn’t figure
out how to pay, or just said I’m not gonna pay. That number, they have
targets on the cyber criminal underground for these things, but that number could easily
be 5% of the total infections. It could be even less than that. We, that part we
just don’t know. The point is this is
such a huge scale. So how does this help as
an incident responder? Well, the main thing for
an incident responder is to figure out, or
one of the main things, who targeted us, or was
this even a targeted attack? Probably not if you’re getting
hit by something like this where there are 81 other
pages of ransom transactions. I mean maybe they targeted
your industry, maybe not, but when we think back
to the globe example where we thought, OK,
that was more of an RDP group force attack. The after, you know, you wanna, you wanna do a
complete investigation, but the priority you’re gonna
take into certain actions after this are
gonna be different. You’re not gonna be necessarily
worried about closing down an open RDP port that
shouldn’t be there. Instead you’re gonna
be worried about well we probably have to
fix our email filtering and upgrade some detection logic and stop this from happening. But they’re two
different approaches, the main point being at
least you’re not concerned that you were targeted,
everyone was targeted, you’re just concerned
that you were infected. The last point I want to
take here is the cash outs. So, here you can see
them actually moving 220, 100, 150 Bitcoins to
an exchange called BTC-e. They did use a couple
of other exchanges, you can see some
other cash outs here that weren’t identified
by Wallet Explorer, but that’s just what
these guys tend to do, the tend to put about 50 to
100 to 200 Bitcoins at a time and they cash it out. And because there’s no
way to subpoena BTC-e, unless their database
ever gets leaked, or unless law
enforcement finds a way to compel them to
turn over that data, out the money goes and we
don’t know who’s getting it. If they ever do get that data, then we’ll be able to find out. So, the third thing we wanna
talk about is attribution. There’s sort of a
myth behind Bitcoins that you can never do
any sort of attribution. This is, not a totally
unique example, it’s a little rarer,
but I did wanna show it because it’s interesting. There is a way to do
some deductive reasoning and come up with an attribution, at least in this
particular instance. So this is a Shark
and Atom ransomware. It kind of hit the news in Oct, I wanna say around
October 2016 actually, around the same time frame as when that Locky
activity was happening when we started
focusing in on that. The idea behind the
Shark ransomware was hey we’ll give you a portal,
or we’ll give you a tool, and you can use that tool to
build your own ransomware. You put in your Bitcoin address, we’re just gonna
take 20% of the cut. The source advertised
on a Russian website, so were these people Russian? It would be a reasonable guess, but we would like a
second data point on that. And so here on the bottom
you can see the panel. You can see the ransom note. But more interestingly,
you can watch on the blockchain, or you
could watch at the time when this was in service, the money go to
a payment address that was specified
by the attacker, and then at the top you can
see an 80 20 split happen for when it was making the
payment on the blockchain, going, the 20% going
to the authors, the 80% going to the attacker. As far as network forensics go it’s kind of exciting
to watch this happen on the blockchain and then
watch it happen in a PCAP as it’s coming back
to the infected host. It’s kind of cool. But what’s even more cool is they use that same address for, they didn’t generate
a new 20% address, they used the same one for a host of other transactions
and at one point they might have
even paid themselves through a chain of events, possibly testing their
own infrastructure. It’s not entirely clear if
they were running a test, or if they were just paying a
different address of theirs, or a different wallet of theirs. But you can see the graph here, it looks similar to
the other graphs. And in red is gonna
be this 1FzW Address, which is where they’re
receiving these 20%s. And that’s gonna be
the main pivot point for what we’re gonna do next. So we throw it in
Wallet Explorer, we’ve got one other address
there, it starts with 16q3. And, the other way to
correlate these two is if we look at the
transactions on there we can also say well 1FzW
had an address put money, and I’m gonna graph these, so if it’s just
rattling off numbers don’t panic there’s
a graph coming. But the 1FzW, the first
address to fund that, to fund this part
of the ransomware Bitcoin infrastructure, starts with 16qCm, and the first one to ever
fun that starts with 16q3 And that was also paid by 1FzW. So the deductive logic
there creates this loop, and so you would at least
be able to determine that, if you didn’t know
from Wallet Explorer, you could do some
deductive reasoning and say well these are
owned by the same person. Given the timeframe
of these transactions, given what was happening, you could say that
pretty comfortably. What we’re gonna do then is we’re gonna
use this graph and we’re gonna pivot
off of this graph. We’re gonna add to
it a little bit. So, what’s the
first to fund 16q3? Well this address
starting with 17N4mi. That’s therefore likely also
owned by the Atom author. And when we talk
about, you know, mapping these out we’re curious well where else did
that one send money? So in the same transaction
that it funded this, it also sent money to another,
to another Bitcoin address. And when we talk about
change, from earlier on, that’s what we meant. And this is an example where it becomes
particularly relevant. So here’s our new graph. We’ve added a little
section at the bottom. We still have that
triangle relationship from the ones we found before. So lets keep going. So we’ve branched
off, in one spot we’re funding part of our
ransomware infrastructure. What are we doing
in the other spot? Well we can follow
these a little bit more. It sends money to
another address, that address sends money
to two more addresses. Those last two addresses are
tagged on Wallet Explorer as something called matbea.com, and I’ll show you
that momentarily, but here’s the graph. We can see our overlap
from the infrastructure, what funded the infrastructure, what did the
simultaneous paying, and where the money all
goes on the bottom right. So I mentioned matbea.com. If you, if you map this all out using the script from before, it’ll look something like this, it just depends on
which address you use as the baseline for the script. But we have a couple
others at the bottom right that are also matbea.com. Well here’s matbea.com, you can
see the cyrillic text there. So we’re looking at a
Russian Bitcoin exchange. So here’s our second data
point that I mentioned earlier that we were
trying to get to. Originally we were talking just hey these guys posted on
a Russian language forum, a lot of people do
that and a lot of people do it in
really awful Russian, but these guys might
actually be Russian, and we have that nice
little extra data point. And so this was a cool
piece of attribution, now it’s important
to point of course, it could be a false flag, but given that this was
pretty unsophisticated and given the other
things we know about ransomware and about
these guys in general, we’re, we’re pretty comfortable
with this assessment and with this data point. So, I do have a bonus
example on here. I don’t have time to
go through it today, and I wasn’t planning on
going through it today, but if you ever wanna
look at something with the spora ransomware, it’s on Cyber4Sight’s blog, which is the group I
work at, at Booz Allen. And you can, you
can go through this and see how spora is
an affiliate program, and how you can come
up with that deduction just based off of
blockchain analysis. And that’s not a grand
proclamation at this point, but when this was new, and
when this was three days old, it was pretty interesting data to see the first spora
affiliates get paid. And so that’s something you can, you can look at when the
slides are posted online later. So the last thing I
wanted to talk about is the Namecoin blockchain. The Namecoin blockchain
is pretty interesting, it’s another use of
blockchain technology, and the idea behind it is to decentralize
domain name systems. Allegedly, for the purpose
of anti censorship, but you can use it
for your malware because no one can
take down your domain if it’s sitting on a blockchain. Instead they have to
take down the actual, they have to retake
the actual IP address that your domain
would resolve to. So, a little bit
more about this. Namecoin domains are
gonna be .bit domains. They’re not an official ICANN
domain, top level domain. So what you have to do is you have to do a DNS
query to an OpenNIC server, or you have to do a DNS query to a dedicated
Namecoin DNS server. That’s two interesting
things to look at in your network logs. I’ve seen some misconfigurations
do those before, but I’ve also seen just straight
up malware do it before. There’s really no good reason
this should ever happen. Now domain, this
blockchain can work as a regular
cryptocurrency blockchain. The currency isn’t worth
a whole lot right now, but the other part of this is the domain names sit on special
coins on this blockchain, so that you can’t
accidentally, you know, buy bread with
whatever website .bit. Like that would be weird, and so they don’t want
that to happen by accident, and the, that special coin
has a special property in how these things get updated that it tends to flatten out
the blockchain for analysis. The consequence of that,
and I’ll show what, I’ll show what I mean
by that visually, but the consequence of
that is it’s really easy to track and map out
Namecoin infrastructure. So that’s what we’re gonna do with this example of the
Shifu banking Trojan. On January 6th, 2017
Palo Alto’s unit 42 came out with a
really really good reverse engineering
report on this. And part of it was
they noted that hey this banking Trojan
started using these two .bit domains at
some point in 2016. The picture up here is
actually a newer version of it, a newer, an updated version
of this information, because at the time there were only a
couple IP’s associated with each of these
two domains on there. And the question I had was well, what other infrastructure, there’s no way these
actors were only using two domains and a
couple of IP addresses. And a few other
things happened too. A couple days after
that report came out I have it in a little box here, you can see that they
zeroed out the IP address. So by looking at
the Namecoin system you already know hey
these guys are reading open source
intelligence reports, just like we all are, and they zeroed out
their infrastructure, and we’re gonna see that
happen in a couple other pieces of this as well. So what we wanna do, there’s no API for this, so you’re gonna be on your own for the script we go for later, but what you wanna do is you wanna take
the first transaction from one of these domains because that’s when
it was created. So, here’s the
first transaction. There’s a lot on this
screen and I know that. I’m gonna talk
through all of it. But the first transaction
on the name chain website will show that, it’ll show
when this was first created, so you can see the
operation is OP_NAME_NEW that means a new
domain being made. You can see a change
address happening, so a certain amount
of Namecoin currency was used to perform
this operation, but then another
amount went to change. That, like 23 or
24 Namecoin change, was later used to register the
second domain that was listed in the, in the Palo Alto report. So we already know those
two were associated just with a couple of clicks. Now the, the next thing here is that we wanna kind of go
backwards a little bit more. So we, so this, this
Namecoin address was generated somewhere,
so when we go to the first transaction involving it, like so, we’ll see that it actually
was part of change from another Namecoin operation
from another domain called healthshop.bit. And this had a
different IP address, but what we can do is we can look at the
overlapping IP addresses for this infrastructure now. We can look at just
all of the data from the healthshop domain,
all of the data from the one we were looking
at, the slavaukraine domain, and we can say hey there
was a shared relationship on the blockchain,
but there was also a shared infrastructure
relationship. These things were resolving
to the same IP addresses at different points in time. And so that’s what
we have right here. If you compare them side by side you’ll see in the blue you’ll see some of
the same IP addresses, you’ll see that they were
zeroed out on the 11th at the same time. So, those are some
pretty good date points. We would say with
almost near certainty that the same people were
operating these domains. So, good, we found
an extra domain, that’s good for out
incident responders, that’s good for our stock. We also know when
these IP addresses were relevant because
when they switched the IP’s they’re no longer
true indicators of compromise. I mean they might still
own the infrastructure, but they might not. So what we wanna do next is what else can we find? And, and in going the
same way that we went with mapping out the
Bitcoin infrastructure, we can do the same thing here, we can go to each
transaction that happened, look at the addresses, go to
each transaction of those, and so on and so forth, and, and, and so what we do is we get a graph here and I
tried to zoom in as best I can, but it illustrates a
point I’m about to make. This is a much
flatter blockchain. And you can even see that
I included the scroll bar in the picture so you can
see how wide this goes. But in doing this, you get
a nice little visualization, you can see that these addresses that these domains, that these IP addresses
are truly related. It’s just not enough
to have a graph though. You would never be
able to constantly be scrolling left and right, so the other thing you wanna do is if you, if you go to
do something like this you wanna dump a
nice little CSV file, which, or actually
two CSV files, one with just just
the infrastructure, and one with the days
that this happens. And I did my best to show
the relationship here. So you’ll see that they have similar IP space in some cases, you’ll see shared IP addresses. The next thing
you would wanna do is either in graphviz
or in analysts notebook, you wanna take, you wanna
take all these data points and you wanna
correlate them together and show that they
are truly all linked. Before I go to that
picture on the right, you can also see some
interesting TTP’s
from these actors. You can see that
they tend to name their domains in
some similar ways. So you’ve got like
foreveryoung and foreverone. You have a couple that
have the term data in them, a few others like that. A couple with references
to Russia, Ukraine. So it’s some other
interesting TTP’s, and it gives you
even more confidence that these are related. And when you map it all out,
here’s what you wind up with. And so remember, we started
with only two domains, and when we ended
this we wound up with over a dozen domains that
these guys were using as part of this campaign. We also, just to
go back real quick, it’s a little cut
off at the top, but you can see that
they’ve been doing this since March of 2016. So we have a nice
firm start point for this activity as well. And that gives you some
really good actionable intelligence that
you can use for this. And it’s just a nice
little example of, well the, well the
Namecoin watching is a little bit esoteric, and while it
provides some sort of resiliency for these actors, we can actually use
it against them. And so that’s, that’s
kind of where we are for doing some of this
blockchain analysis. So just a quick recap. The blockchain stores
an awful lot of data, and if you’re good with just
some basic deductive logic, and maybe a little
bit of scripting, you can find out a whole host
of historical information just by navigating
through it properly. I do have two items in
here in question marks. They’re things we
should think about. Given what I just showed you where we can map out
Namecoin domains, do we really want
to be in a situation where someones medical records
are stored on a blockchain, and that’s one of
the common ones that’s listed for
blockchain technology. My argument personally would be well probably not
because as soon as, if someone, if there’s an
OPSEC failure of some form, or a database gets leaked, and someones personal
medical blockchain address were to be paired
with their name, you would have all
of their history. And so I think that’s something we have to think about. With property titles it
would be a similar situation. On the other hand it
does provide resiliency and it does provide
nice data storage, and it can be used
to prevent fraud. So, we do have to consider
both sides of that. (tribal drum music)

10 thoughts on “Tracking Bitcoin Transactions on the Blockchain – SANS DFIR Summit 2017”

  1. I wish people would stop explaining concepts that the audience members should already know, if you do not have a basic understanding of what bitcoin is – you're at the wrong talk.

    Google it, then attend.

  2. I got defrauded out of $3800 USD. They used my Bitstamp to purchase BTC. What steps should I take to report/catch the criminals ? Local PD says they can’t do anything.

  3. one thing is mistaken here. one recipient can have a ton of hexadecimal addresses on ONE place, not to mention how many there can be on MULTIPLE places. you'll need to invent a new Turing machine for this new kind of Enigma Problem.

  4. I got a scam porn blackmail demanding funds be sent to bit coin account
    1E5XMWQtyYnCY4LkLnjMtqBMQNnC1KS3m3 anyway to track down or better yet
    hack the sob?

  5. Gday Kevin , your expertise is refreshing to see how the block chain works , I am currently investing in bitcoin and sourced an expert company to assist me ,
    Unfortunately it appears that I am in the process of being scammed by an elaborate website call etc-markets.com
    I have taken all accounts history of the dealings with this company and spoken to all possible authorities to check this company with no valid verification,
    If you or your company can assist it would be much appreciated,
    Darryl

Leave a Reply

Your email address will not be published. Required fields are marked *