I'm All Up in Your Blockchain - Hunting Down the Nazis

John Bambenek
VP, Security Research and Intelligence, ThreatSTOP
I'm All Up in your Blockchain, Hunting
Down the Nazis

About me
• VP of Security Research and Intelligence at ThreatSTOP
• Lecturer at the University of Illinois at Urbana-Champaign
• Producer of open-source threat feeds
• Assist international cybercrime investigations

Why people like bitcoin…
• No centralized authority
• Ease of discrete movement of assets
• Can “mine” money out of nothing
• Anonymity of finances (NOT the same as privacy)

Why neonazis like bitcoin
• No centralized authority and can’t be blacklisted from the system*
• Ease of discrete movement of assets
• Can “mine” money out of nothing
• Anonymity of finances

Why I like bitcoin
• I get to follow people’s money without bribing bankers
• The public ledger means I can see all transactions for all of time
• Relationships between wallets are easily seen
• Privacy-enabled cryptocurrencies post a problem (monero, etc)

Bitcoin “can” be very secure

Security vs Usability
• Users are lazy… and to be fair we aren’t much better…
• Who here regularly uses GPG for e-mail?
• People use the same wallet for everything.
• People use online services because ”this company” will do the “hard”
stuff for me.

Interesting bitcoin facts we will come back to
• Question for the crowd: What’s the value of bitcoin?
• If you took top 10 transactional banks in the US, they hold 55% of all
assets.
• If you took the top 10 cryptocurrency exchanges, they have 70% of
the market share.
• (Yes, that’s not an apples to oranges comparison)

Why does that matter?
• Cryptocurrency has value because I can get money or get things that
take money with it.
• The places where I can turn cryptocurrency into cash and vice-versa
are radically few (~200 or so).
• Those institutions have a wealth of information about who is using
them.
• Even when they don’t keep info, that comes with other advantages.

Some of these names are familiar
• Weev, in a sense, is “one of us”. He self-identifies as a security
researcher.
• Many in our community supported him against a CFAA case from
exposing Apple data.

The Great Printer Troll of 2016

A couple of notes….
• There is a persistent rumor that some of these groups are funded
directly or indirectly by the Russian government.
• It is a line of agitation they use in their own propaganda directed at us and
Europe.
• There are some ”connections” between some of them and Russia.
• To what extent is it true?
• Many of the mass shootings in the past 3 or so years have had ”some
connection” to these groups.

Bitcoin attribution
• Between forums, social media, and just plain ole websites, lots of
bitcoin wallets are self-attributed by the owner.
• This reduces attribution in some case to a Google/Bing/DuckDuckGo
problem. (Like the above cases).
• Sometimes this can identify donors too if they are sloppy.
• Most of them are.

There is even a helpful list out there..
• Those random strings don’t identify you (hence
anonymous), but I can still see everything they do.
• However, if you let the world know who is behind a
wallet because you post it to the web, you no longer
have anonymity either.
• They really have no choice here, you can’t donate if
you don’t know where to send the money.

There’s good money in being a racist…

People starting taking services away
• After Charlottesville, Google suspended Daily Stormer website,
Cloudflare kicked them off.
• They moved to a tor hidden service, but their “fans” didn’t know how to use
tor.
• There are only a couple tech savvy fascists, most are the opposite.
• Payment providers were also suspending them: GoFundMe, Paypal,
Stripe…
• Hatreon was created in part to help them raise money, but traditional
systems were more or less closed to them.

What if we could disrupt their bitcoin funding
• During Wannacry, another researcher created a twitter bot that
posted every ransom payment made to DPRK (who also moved their
money into Monero).
• Had thought of why not do the same here to highlight exactly what
they have, and how much they are getting.
• https://github.com/bambenek/bitcoin_tracker (NodeJS, easily
adaptable to any wallet(s) you want to track)

Not all twitter bots are bad
• @neonaziwallets

For some reason, this made them mad

But it also hindered their fundraising
• The various wallets used by neo-Nazis were given to “friendly”
cryptocurrency exchanges who agreed to blacklist them.
• You could always donate via multiple hops, but most of their donors and fans
are not sophisticated.
• They could donate in monero, but that requires multiple steps and was “too
complicated” for their smaller donors and fans.
• Other donors were afraid of being “outed” by researchers now that
the data was made public.

Weev’s history
• Has been in bitcoin and cryptocurrency a long time.
• He has had “some” donations, but he has had bitcoin prior to the
surge and prior to the alt-right becoming a problem.
• He gets paid doing tech work (sometimes for other alt-right groups).
• Also makes money “day-trading” cryptocurrencies.

High-level wallet relationships

There are ways to follow them into monero
A PARTIAL listing of all deposits to weev's monero account. Some may involve him
moving money to himself.
{ "timestamp": "2017-09-12 02:57:08", "withdraw":
"48qaHU2UZELTgDcAqk4WS3CS84wr6GkuyBnuzovpwUUJeTvSGiAzF5TFLQSPoXU8q
Ue33hwVsR7HW7nzmsyP9jzXAUhXjry", "deposit Coin": "0.14880000", "deposit
Type": "XMR", }
Type": "XMR", }
Type": "XMR", } …

Cross-currency Database
• ”Soon” I’ll have a database online mapping relationships between
bitcoin wallets and various altcoins (and vice versa).
• Broader use case than just neo-Nazis, but I was able to see other
groups paying Weev via a cryptocurrency exchange otherwise
invisible to the blockchain.

They didn’t like it when I pointed that out

There was a large funder of Daily Stormer
• Just after Daily Stormer was taken offline by Google and when Anglin
was hustling to “keep the lights on”, this donation appeared…
• This was about $60,000 at the time. That donor is likely sitting on
$28.8M in bitcoin in today’s dollars.

That money has an interesting backstory…
• Ultimately the bitcoin can be traced by an oldtime bitcoin user who
was selling bitcoins on forums way back in 2010/2011.
• Likely the donor bought from this person (interestingly enough a
bilingual English/Russian speaker) and has rode bitcoin from
essentially nothing to where it is today.
• I get asked a lot if “Russian” money is behind the alt-right, I haven’t
been able to substantiate that yet.

1488
• 14 words: We must secure the existence of our people and a future
for white children. – David Lane
• 88, either:
• 88 precepts (also by David Lane)
• 8th letter in alphabet is H. HH for Heil Hitler.

Searching by transaction attributes

Over 4500 transactions were found (and
counting)

The end game…
• Many of the ones with actual cryptocurrency wealth are facing
lawsuits and in varying forms “in hiding”.
• Can their be adversarial seizing of bitcoin (given a legal judgement)?

Questions?
John Bambenek / @bambenek
jbambenek@threatstop.com

I'm All Up in Your Blockchain - Hunting Down the Nazis

More Related Content

Similar to I'm All Up in Your Blockchain - Hunting Down the Nazis (20)

More from John Bambenek (19)

Recently uploaded (20)

I'm All Up in Your Blockchain - Hunting Down the Nazis