The FBI sees the anonymous Bitcoin payment network as an alarming haven for money laundering and other criminal activity — including as a tool for hackers to rip off fellow Bitcoin users.
That’s according to a new FBI internal report that leaked to the internet this week, which expresses concern about the difficulty of tracking the identify of anonymous Bitcoin users, while also unintentionally providing tips for Bitcoin users to remain more anonymous.
The report titled “Bitcoin Virtual Currency: Unique Features Present Distinct Challenges for Deterring Illicit Activity,” (.pdf) was published April 24 and is marked For Official Use Only (not actually classified), but was leaked to the internet on Wednesday.
In the document, the FBI notes that because Bitcoin combines cryptography and a peer-to-peer architecture to avoid a central authority, contrary to how digital currencies such as eGold and WebMoney operated, law enforcement agencies have more difficulty identifying suspicious users and obtaining transaction records.
Though the Bureau expresses confidence that authorities can still snag some suspects who use third-party Bitcoin services that require customers to submit valid identification or banking information in order to convert their bitcoins into real-world currencies, it notes that using offshore services that don’t require valid IDs can thwart tracking by law enforcement.
Bitcoin is an online currency that allows buyers and sellers to exchange money anonymously. To “cash out,” the recipient has to convert the digital cash into U.S. dollars, British pounds or another established currency. Bitcoin is used as a legitimate form of payment by numerous online retailers selling traditional consumer goods, such as clothing and music. But it’s also used by underground sites, such as Silk Road, for the sale of illegal narcotics.
To generate bitcoins, users have to download and install a free Bitcoin software client to their computers. The software generates Bitcoin addresses or accounts — a unique 36-character string of numbers and letters — to receive Bitcoin payments. The currency is stored on the user’s computer in a virtual “wallet.” Users can create as many addresses or accounts that they want.
To send bitcoins, the sender enters the recipient’s address as well as the number of bitcoins she wants to transfer to the address. The sender’s computer digitally signs the transaction and sends the information to the peer-to-peer Bitcoin network, which validates the transaction in a matter of minutes and releases the coins for the receiver to spend or convert.
The conversion value fluctuates with supply and demand and the trust in the currency. As of last month, there were more than 8.8 million bitcoins in circulation, according to Bitcoin, with a value of about $4 and $5 per bitcoin. The FBI estimates in its report that the Bitcoin economy was worth between $35 million and $44 million.
It’s easy to see the attraction for criminals.
“If Bitcoin stabilizes and grows in popularity, it will become an increasingly useful tool for various illegal activities beyond the cyber realm,” the FBI writes in the report. “For instance, child pornography and Internet gambling are illegal activities already taking place on the Internet which require simple payment transfers. Bitcoin might logically attract money launderers, human traffickers, terrorists, and other criminals who avoid traditional financial systems by using the Internet to conduct global monetary transfers.”
Bitcoin transactions are published online, but the only information that identifies a Bitcoin user is a Bitcoin address, making the transaction anonymous. Or at least somewhat anonymous. As the FBI points out in its report, the anonymity depends on the actions of the user.
Since the IP address of the user is published online with bitcoin transactions, a user who doesn’t use a proxy to anonymize his or her IP address is at risk of being identified by authorities who are able to trace the address to a physical location or specific user.
And a report published by researchers in Ireland last year showed how, by analyzing publicly available Bitcoin information, such as transaction records and user postings of public-private keys, and combining that with less public information that might be available to law enforcement agencies, such as bank account information or shipping addresses, the real identity of users might be ascertained.
But the FBI helpfully lists several ways that Bitcoin users can protect their anonymity.
- Create and use a new Bitcoin address for each incoming payment.
- Route all Bitcoin traffic through an anonymizer.
- Combine the balance of old Bitcoin addresses into a new address to make new payments.
- Use a specialized money-laundering service.
- Use a third-party eWallet service to consolidate addresses. Some third-party services offer the option of creating an eWallet that allows users to consolidate many bitcoin address and store and easily access their bitcoins from any device.
- Individuals can create Bitcoin clients to seamlessly increase anonymity (such as allowing users to choose which Bitcoin addresses to make payments from), making it easier for non-technically savvy users to anonymize their Bitcoin transactions.
There have been several cases of hackers using malware to steal the currency in the virtual wallet stored on a user’s machine.
Last year, computer security researchers discovered malware called “Infostealer.Coinbit” that was designed specifically to steal bitcoins from virtual Bitcoin wallets and transfer them to a server in Poland.
One Bitcoin user complained in a Bitcoin forum that 25,000 bitcoins had been stolen from an unencrypted Bitcoin wallet on his computer. Since the exchange rate for bitcoins at the time was about $20 per bitcoin, the value of his loss at the time was about $500,000. A popular web hosting company called Linode was also infiltrated by an attacker looking to pilfer bitcoins.
And there have also been cases of hackers attempting to use “botnets” to generate bitcoins on compromised machines.
According to the FBI, quoting an anonymous “reliable source,” last May someone compromised a cluster of machines at an unidentified Midwestern university in an attempt to manufacture bitcoins. The report doesn’t provide any additional details about the incident.