
Behind the Curtain of Dark Web and Cybercrime Operations

BSides Canberra 2025 · 27:32 · Published 2025-12

Speaker: Alexander Wilczek (https://www.linkedin.com/in/alexander-wilczek/, https://twitter.com/SecWillCheck)

Transcript [en]

>> Right now we have Alexander Wilczek, and he's going to share with us Behind the Curtain of the Dark Web and Cybercrime Operations.
>> Awesome.
>> Thank you very much, Alexander.
>> Thank you. Yeah, I second that sentiment. Thank you very much for coming. Hopefully you didn't hit it too hard, and hopefully my voice will last this presentation.

So, for those who don't know me, I'm Alexander Wilczek. I've been 10-plus years in cyber security. I have a background in penetration testing; that's how I got into the industry. Research-wise, my passions include the dark web and Web3, so your blockchain kind of stuff and the security around that. Personally, I'm passionate about privacy. I'm the proud founder of Riven, and a little fun fact about myself: I've been living as a digital nomad for the last two and a half years and building Riven along the way. So I have a little funny picture for you; hopefully this is in place. A bit of outback hacking; this was taken just north of Broome in WA.

All righty. Before we get into the presentation, a little disclaimer. This presentation is intended solely for educational purposes. The information provided is for general awareness only. This content should not be construed as a guide or instruction manual for illegal activities. The presenter does not condone or encourage any unlawful behavior discussed herein. This is just to cover myself, and you never know. I'm assuming most of you are white hats, but any grey hats or darker, please leave the room right now.

So here we go. This is the presentation: Behind the Curtain of the Dark Web and Cybercrime Operations. Why this presentation? I want to do a deep dive into what happens after a hack: once the funds are paid after ransomware, how this money gets moved and how it gets laundered, and all these things. This is a combination of my personal experiences in the space over the last four years, from both a blockchain and a normal Web2 cyber security background. In the past I've seen lots of misleading or inaccurate information from general media or even cyber security outlets. It just gets referred to as "oh yeah, 10 bitcoin got paid and then it went through a tumbler or a mixer and happy days." It's a bit more nuanced than that. So I would like to raise awareness and hopefully inspire some of you to dig deeper into this kind of stuff as well, as I feel there hasn't been much in-depth coverage. And I guess because that's where all the money is, I think the better we understand that space, the better we can combat it. We've tried it with patching, but ransomware still happens due to silly vulnerabilities, right? So maybe if we hit them where it hurts the most, we might stand a chance.

So who here owns any crypto? Anyone? Oh, not too many. That's perfect. Okay, that's really good. So we have no crypto bros, because this is not a crypto bro presentation, which is really important to me to clarify, because usually it's just that investment BS. But I think there's huge value from a security point of view, and I'll try to make the case with this presentation.

Anyway, as I mentioned before, it's all about crypto. Ransomware attacks, info stealers, scams: crypto is always the preferred payment method for the attackers. And there's also blockchain hacks, but you're probably not too interested in that. There's lots of money that gets stolen through that, and I think that's something that affects all of us, because that money then enters criminal channels, and that money is usually not used to build hospitals or, I don't know, feed the poor, right? So it would be good if we can limit that. And also, it's the go-to way to exchange value in darknet marketplaces. So we'll touch upon that as well.

All righty. So, first things first, a quick note on operational security, again to try to get more people into the space. There's obviously different degrees of paranoia that you can have. I myself just want to balance convenience and how paranoid I am. I use a separate laptop; I just resurrected an old 2015 MacBook Pro. If you've got one of those, Linux Mint is really good and easy to install. Usually when I do my research I have it air-gapped, air-gapped in the sense that I don't connect it to my home or work Wi-Fi, so it's just separate, and you can use your phone to hotspot. That's how I like to do this. There are heaps of alternatives; lots of you are familiar with Tails or Qubes. If you want to just have a quick look, I think just spinning up a VM, and I'll probably get a lot of s*** for that, but a VM is just another layer to quickly have a look. Then I keep my attack surface pretty low, so it just has a browser installed. Pick your poison with the browser. Tool-wise you don't really need much. It's more about knowing where to look, and a blockchain explorer will do. One of the most famous ones is Etherscan for the Ethereum blockchain; that's where a lot of these funds get moved. But basically you can just pick your blockchain name, Google that plus "explorer", and you'll find it right away. I like to do mostly passive research. I tend not to interact with anything, just to limit any potential downsides.

Okay. So now we get into the meaty part of things. I picked what I feel is slang, or you can call it primitives or whatever: the things we need to understand in the blockchain space to understand how these funds get moved.

First of all, the more general one is just the term Web3. Many people refer to that space as Web3. I won't go into the historical Web1, Web2, Web3, but it's basically just a synonym for blockchain technology.

The first primitive, let's call it that for lack of better wording, is wallet or address. That's basically how you send the money, right? Imagine that you're driving in your car: you have an origin address and a destination. A sends to B. It's as simple as that.

Then what we refer to as chains. A chain is your blockchain; basically it's just short for blockchain. And we have lots of different types of chains, and they interact, and I'll get into that shortly.

Then we have the major chains. We call them L1s, layer ones: your Bitcoin, your Ethereum, the big ones that you've heard of. They were the first ones that came out. And then we have L2s. These big chains had inefficiencies, could be speed, could be throughput, so people invented L2s. They are still based off the L1s, but they kind of live underneath, and they have certain performance improvements for one of those reasons that I mentioned.

Smart contracts. This is a big one. I think the easiest way to understand it: it's simply the back end, right? Imagine your web app, you have your back end. A smart contract is basically the same, but for the blockchain. This is obviously an oversimplification, but again, the aim here is just to have a basic understanding of these, so then we can understand how the funds get moved.

Then token. This is a very interesting concept. We often get confused between coins and tokens. You have the native ones: it's your bitcoin that's native to the L1, right? That's what you use to use the L1. But you also have tokens. You see them everywhere; they call them meme coins, whatever. Those are simply tokens within a smart contract. Imagine it's simply a variable in an environment, like an integer, so you can have a token "happy", and then, sorry, it's probably more like a vector, but each person or address has a certain value, and that just lives in the smart contract, which is kind of your back-end server or back-end application living on the chain. They can both live on L1s and L2s. We also have more than L2s, but for the purpose of this, this is plenty.

And then obviously we have all these different layers, and if you have two different L1s, or two different L2s that are not part of the same L1, you need to bridge somehow so they can talk as well. So they developed these protocols called bridges. Heaps of problems with them security-wise, but also heaps of problems tracing them, because they have different protocols, different ways of working. It creates complexity, which we'll see later.

And now the crucial point of everything: exchanges. The first one is the centralized exchanges, CEXs. You've probably heard of them, Binance, Coinbase; they do lots of marketing, so they're fairly famous. What makes them relevant for security purposes is KYC, know your customer. That's required by those exchanges to identify who the people interacting with those exchanges are. The centralized ones usually don't do much on the blockchain. They just help consumers get the normal money, you call it fiat, your Aussie dollars, into crypto. Often nothing happens on the blockchain; they are just a middleman, kind of like a bank, right? But then, because this is decentralized technology, we have decentralized exchanges like Uniswap, Curve. There's a gazillion, right? Over these we have no influence whatsoever. They have no requirements for KYC, so we don't know who makes a transaction. They don't need to know. They just live on the blockchain, which makes it pretty tricky, as we'll see.

[snorts] So what happens after a hack, right? This is what I want to focus on. We all understand ransomware, whatnot; the payment gets made, 10 bitcoin let's say. What happens after that? This is an oversimplification; this can be crazy complex, but it gives the idea. We have the first phase, layering, and the second phase, integration.

In the layering we have two sub-strategies that you can use. The first part is just scattering funds around. It's more of an obfuscation kind of thing. It's reversible, so you can figure it out, but it can get very complex. So, for example, many of you probably know Lazarus, the threat actor. When they start, they spread the funds to like 9,000 different wallets or addresses. Imagine if you're investigating that. That's a big, big headache. The sole purpose, again, is just slowing down the investigation. It doesn't anonymize the transactions. Some of them are on the same chain, some you bridge onto a different chain, you swap tokens. And again, very hard to follow.

Then we have a sub-part of just pure anonymization. There's a few tools that can be used that are well regarded within those spaces for anonymity. Tornado Cash is one of them. Pretty famous, because the two developers that put it together initially got arrested, by the FBI I believe, for facilitating money laundering. This is kind of like the first sign: if they can't reverse it, they usually go after the people that did it, because it's kind of out of control now. How that gets governed: it's just a smart contract that lives on the blockchain. It was initially for Ethereum; I think now they have it on many chains. And how it works is you have fixed amounts of funds that you put in, like 0.1 Ethereum, one Ethereum, whatever. You leave it inside a smart contract, and the longer you leave it in, the more other transactions come, and you cannot determine on the other side what comes out. So basically you're breaking the trail, and that's a very good way to anonymize your funds. This has been used by Lazarus in the past. I think once the size of the hacks gets too big, it probably doesn't have enough volume inside to satisfy their needs. I think they did a 1.5 billion hack recently, so that's quite a large amount of money.

Then we have Monero. Monero has privacy built in, so you cannot trace the transactions. This is the go-to L1 or chain used by the dark web and darknet marketplaces. It's kind of native; they go straight to that. One interesting thing I often see with ransomware: they ask for Bitcoin and things like that. I don't really understand why; I guess because people are more used to that, but since the victim buys it anyway, they could just ask for Monero, but they don't really do it. Another strong case why Monero seems to work: I'm not a cryptographer, so I cannot testify or confirm how strong it is, but the European Union has banned it or is trying to ban it. So once the funds are there, it's pretty much impossible to trace back.

And then the last one, the ones we hear about on the news, the mixers, the tumblers, and all that stuff. That gets my blood boiling, because it's really not what's used by the professional ones. Usually that's smaller groups that don't have the expertise, or are just straight-up noobs. What happens is the funds are not really anonymized. So either someone manages to reverse it, so you have law enforcement onto that, they reverse it and then they connect the trail, or they straight up hack it, take it down. They maybe have logs. It's a centralized group that runs those, usually, so they just dismantle it from the inside. So that doesn't work. Every time you hear about a big threat actor using mixers or tumblers, maybe they used it just to go through it, but it's not that that gives them the anonymity or the money laundering capabilities.

And now we get into the integration phase. As you remember, the layering is where we scatter around thousands of transactions, buy us time, make it hard to follow what's happening. That gives us time then to prepare the integration phase. Here we're going to divide it by threat actor size, so I'll call them small players and big players. Small players: small amounts of money, maybe up to a million US. I think you can get away with something like that; don't quote me on that, but if they get really big they usually have a bigger infrastructure connected, like to proper organized crime. And what they do to get away with this is they stay natively on blockchain, or with crypto. As you can see from the chart, money comes in, they go through Tornado Cash or Monero, pick your poison, and they spend the money on-chain, and that equals profit, basically. You have jurisdictions in the world like Argentina, for example, suffering from hyperinflation, so they make big use of crypto just to not lose money, so with lots of smaller businesses it's just easier to spend that money. I think there's a little bit in Switzerland. There are a few pockets in the world. So if you position yourself there, you can live off crypto. That's one strategy they use, and that seems to work, but again, for smaller amounts, right? How do these guys also get caught? You can use Tornado Cash or Monero.

The problem is if you then use a centralized exchange, and there have been many instances of this. First of all, often there is KYC, or they have law enforcement tapping into that earlier, or they can see which bank account you extract the money to. So basically you go right to jail. The blacklisting that I mentioned: sometimes if a researcher or a blockchain security company links a wallet or an address to a hack, they can contact those centralized exchanges, and they will then blacklist the funds. So again, less sophisticated threat actors could transfer to a centralized exchange thinking, "Oh, I'll quickly get it out. I have a compromised bank account. I can just get them out." But as soon as they transfer, the funds get blacklisted and they can recover that. So that's pretty cool, but I've only seen it work mostly for smaller threat actors. And yeah, as I mentioned in the slides, law enforcement can get in, and what characterizes them is they just don't have the size and the connections, I guess, for a proper international money laundering infrastructure. And here again, mixers: straight to jail, guys. This is pointless.

Anyway, so now we get to the big players. As you can see, it's a much simpler setup. It's like: money, [laughter] don't care, centralized exchange, profit. "They don't care" is a bit of an oversimplification. It's not like they don't care. They scatter. They still don't want to be connected; like with Lazarus, they often clean up their traces as well. I think it's more for reputational reasons; they don't want to have North Korea blatantly connected to this. So they're very clean when they operate, and I mention them so many times because they've just been leading the way, from a criminal side of things, in how you can get these funds, move them through blockchains and basically launder them almost completely. And they are very good at scattering. So in the layering phase, they go crazy. That stops the initial blacklisting things. It's very hard, because they just expand, expand, expand, whilst all the ones on the defending side are just trying to follow up.

And probably, hopefully, by now you understand the complexity. Imagine you have all the L1s; they kind of speak the same protocols, the same languages, but between L1s there are big differences, right? So all the tools you have to follow these are different, or have different nuances. Then you have bridges, centralized, sorry, decentralized exchanges that you can interact with to move it somewhere else. So every one of these steps just makes it harder to follow, and they really take advantage of this complexity. So what I want you hopefully to take home is: yes, sure, everything on the blockchain is traceable, but because of the little nuances and the spreading of these things, it's so hard to follow back in a timely manner, and they can just move so fast. And also there's not many companies that have the resources to follow that, and there's not much interest as well. It's such a global phenomenon that unfortunately they really succeed with this.

So what they do is, after the "don't care" phase, which they do care about, as we just said, they go into centralized exchanges, surprise, surprise. But these centralized exchanges are being spun up in jurisdictions that often harbor these hackers or make a profit from them. There have been instances in Russia, China, you name it. They spin the centralized exchanges up, they transfer the funds. Obviously, like with Lazarus, if you have 1.5 billion that you're laundering, you don't go to just one exchange, right? You have a collection of them. But just take one as an example: you send 10, 100 million there, and the exchange will come up with an excuse. In the recent Bybit hack, if someone's been following that stuff, the exchange claimed they didn't know where the money was coming from, they weren't sure, so they let it go, and they basically laundered the money. And the incentive for the countries hosting those exchanges is because obviously they get fees from that, right, maybe 2 to 3% commission. So if you let them pass through 100 million and get 3%, it's a good business, and you probably have a few of those set up. So everyone makes money along the way, and the Western countries don't really have much influence, as you all know. We won't get into geopolitics now. So that happens, the money gets converted into fiat, normal money, and then it enters the normal world, let's call it, and unfortunately there's not much we can do around that.

But yeah, surprise: as soon as you have this size, you go for centralized exchanges to take out the money. Interesting with dark web marketplaces: they are mostly natively on Monero, so the "don't care" phase is just basically Monero, and then they also enter these elaborate international money laundering schemes, and then it goes from there.

So what's next? This was hopefully just a representation of what's happening right now. I haven't come up with answers for how we can stop this. My idea is just to raise awareness of how this is working based on threat actor size, and hopefully give a bit of understanding of how it really works. I hope more research in the space will help this. Technical solutions: it's really hard, because of the different chains, the nuances, and some of that stuff like Tornado Cash, once it's an independent smart contract, you can't take it down. That's by design of these chains, right? So, hard to do. I think we can crack down on centralized exchanges. I think having KYC, know your customer, really helps prevent, or actually get, these people. Political pressure, potentially. But yeah, it's a bit open-ended. Thank you very much. I would love your feedback as well. If you're interested, have more questions, feel free to connect with me. And thank you.

>> Thank you, Alexander. Do we have any questions?
>> I think that was one of them. Yeah. What's your opinion on stuff like what Chainalysis is doing, where they're undermining some of the security that's in Monero? What do you think about how that balances normal users' privacy versus the need to actually find these threat actors and potentially recover this large amount of money?
>> [sighs] That's the million-dollar question, right? So, it was built by these visionaries, right, that wanted unlimited privacy. To be honest, the real-world use case for that is very limited. I don't know anyone that really uses it apart from a few paranoid mates, you know, that just don't even have social media or anything. It's mostly for organized crime and gambling; that's unfortunately how I see it. Even those big companies, they make very big claims. I had a look; I often struggle to see the full picture in their reports and stuff. There have been smaller researchers that have done good stuff. I think you can trace it to a certain extent, but as soon as you bridge... Probably Bitcoin, Ethereum, it's not too hard, but once you move into Monero, or do lots of bridging, move through decentralized exchanges, you have anonymity. So if you know what you're doing, you can be fairly anonymous. Yeah. Hope that answered your question.
>> Thank you for your talk. I just have a very mundane but very prevalent question. From the recent specific spear-phishing or mutated attacks that have been targeted to steal your private keys, which are usually associated to a wallet: from your experiences working in this space, do you consider that crypto attached to your normal blockchains or exchanges, for instance Binance or Coinbase, would be more secure, because there are no wallets that people are hosting in their browser, versus somebody who is just using a digital wallet and being part of these attack campaigns where their private keys are compromised and then they lose access to a large amount of crypto, for instance?
>> So just to rephrase your question: you're asking if using a centralized exchange is safer than self-custody, just having your own keys.
>> Yes, because of the recent threat campaigns we have seen for the largest corporations. For instance, these are very specifically designed threat campaigns that will look for transaction or man-in-the-middle where the addresses are being shifted. These seem more prone to specific attacks and very targeted, because they are not like willy-nilly campaigns for credential compromise, for instance.
>> So I think that goes like with everything in security: you've got to do your threat model, understand what your risks are. We had lots of centralized exchanges being hacked themselves. So it's kind of like, do you want to assume the risk of managing your keys, or do you want to outsource that? There are pros and cons. You've seen attacks on centralized exchanges, same as what you're mentioning now. I feel like it just goes in waves. There's a really cool tool, having multisig wallets, so you need multiple signatures to let the transaction go. So even if one gets compromised, you still need at least one more signature to confirm the transaction. That's what they use for bigger amounts of assets. But yeah, to answer your question, it depends. But I wouldn't have stuff in your browser while you do security research or download all sorts of Chrome plugins, right?
>> Appreciate that. Thank you.
>> No worries.
>> Excellent. Let's give a round of applause to Alexander again. Thank you very much.
>> Thank you.