Matt Lucas, IBM’s Enablement Lead for Blockchain, investigates the darker side of blockchain and how the same technology is being used to fix it.

Your important files are encrypted. We guarantee that you can recover all your files safely and easily. But if you want to decrypt all your files, you need to pay. Payment is accepted in Bitcoin only.

Introducing WannaCry

This is part of the chilling message that was displayed on machines that were infected with the WannaCry worm, which caused havoc to an estimated 200,000 computer systems in 2017. Major casualties of WannaCry included the NHS, for whom the attack is reported to have cost around £92M.

WannaCry is a type of software that has been dubbed ransomware, because of the way it extorts money from victims in exchange for the return of data, typically through the release of decryption keys.

Ransomware is an increasingly popular source of income for cybercriminals. Attacks grew 118% in the first quarter of 2019 alone and an estimated 1/3 of UK organisations have been affected. Individuals, businesses and even entire cities have been targeted. What’s more, the business model works: according to an IBM survey, a quarter of business executives would be willing to pay $20k - $50k (£15k - £38k) to get their data back.

A common feature of ransomware is the use of Bitcoin as the method of payment. Bitcoin dominates the ransomware space, with it being the cryptocurrency of choice for an estimated 99% of attacks.

What is it about Bitcoin that makes it so attractive to cybercriminals? How do these criminal transactions compare with transactions in the legitimate world? And can blockchain - the distributed ledger technology that underpins Bitcoin - be used to combat criminal activity?

Bitcoin

Bitcoin uses a public, anonymous ledger to record its transactions. This means that every Bitcoin transaction is visible to all, but the participants of each transaction cannot be identified. Take a look at www.blockchain.com/explorer; this website will show you the Bitcoin ledger in real time, but dive into an individual transaction and you’ll see that the participants are represented as meaningless sequences of numbers.

This is one of the main reasons why Bitcoin is often used in ransomware: payments using Bitcoin are largely untraceable, meaning that criminals can use it with relative impunity.

Ransom requests that use traceable currencies, such as digital fiat money, or alternative cryptocurrencies such as Dash, have been shown to be more expensive due to the additional costs in laundering the money. This anonymising operation usually involves exchanging the money into alternative currencies until its provenance has been obfuscated.

For criminals, moving money carries risk; this is why laundering is more expensive and also why we more correctly describe the Bitcoin ledger as pseudonymous: it is possible to identify transaction participants either by looking at currency exchanges (which can provide traceable exit points from the network), or through technological analysis of behaviour patterns. Both of these techniques have been used in the past to catch Bitcoin criminals, albeit with significant effort by law enforcement officers.

Business transactions

In the lawful enterprise world, businesses must conform to requirements such as anti money laundering (AML) and know your customer (KYC). These mandate that businesses know exactly who they are dealing with and the origin of any payment. Walk into a car dealership in the UK with a briefcase full of cash and you won’t be able to buy an expensive car and drive it off the forecourt; businesses must follow strict processes for cash transactions of €10,000 or more, which can include interviews with HMRC officers.

Businesses also require privacy and confidentiality. Transaction details are usually restricted to a limited set of participants: the buyer, the seller, a payments provider and often some kind of auditor. Disclosure of business transactions to others is rarely beneficial, particularly the seller; if I gave Alice a 20% discount and Bob a 10% discount, I probably don’t want Bob to know he got a much worse deal than Alice.

Blockchain is a ledger technology that allows network participants to share transaction details. For Bitcoin, this could be that an amount of money was transferred from sender to receiver. For a supermarket chain, it could be that a supplier has agreed to ship a container of mangoes to a distribution centre. Blockchain is powerful because it provides cryptographic proof that each participant is seeing identical information that cannot be tampered with.

How do the requirements of business transactions sit with public, anonymous ledgers like the blockchain used by Bitcoin?

To answer this question, contrast the requirements of anonymity and privacy; they are mutually exclusive. With anonymity you know something happened, but not who did it. With privacy, you know who you’re dealing with, but not necessarily the thing that occurred.

From this we can derive two relatively distinct types of blockchain: ones that prioritise anonymity, like Bitcoin, and others that prioritise privacy, like the Linux Foundation’s Hyperledger Fabric.

While the darker side of the web makes use of the former type, legitimate businesses generally need the latter. That’s not to say that anonymous ledgers don’t have lawful use-cases too, but regulated businesses must play by the rules of the operating environment in which they find themselves, which includes AML and KYC checks.

Blockchains for business

Privacy-oriented blockchains are being used to help businesses adhere to these kind of requirements. One of the characteristics of blockchain that enables this is provenance. Blockchains are append-only: much like your bank statement, transactions can only ever be added to the end of the ledger - once added, they cannot be deleted or modified.

This means that if a transaction refers to an asset, then (if privacy rules allow) you can search the ledger for all transactions that involve that asset and thus derive its history, or provenance.

This property has been used to great effect on many enterprise blockchains. IBM Food Trust can trace food as it passes through complex supply chains on its way to your plate. If your supermarket can identify the farm that supplied the meat for your lasagne, they can identify and contain a bad batch much more quickly.

Provenance of goods on blockchain has also been implemented for ocean cargo, diamonds, coffee and lots more besides.

In addition to tracking tangible assets like these, you can track intangible assets too, such as personal data and property rights. For example, Grammy award-winning composer Imogen Heap is behind the Mycelia network which tracks the rights to music to ensure that all those involved in its production are paid and acknowledged fully.

The provenance of money

Money is, of course, an asset too, and being able to track the flow of money as it moves around the world is an important tool in the fight against the financing of terrorism and other major crime.

There are numerous blockchain initiatives aimed at improving the provenance of money. According to Deloitte’s 2019 Global Blockchain Survey, 45% of financial services institutions are looking at blockchain for digital currency or payments and IBM has recently been awarded a patent for ‘self-aware tokens’: payments assets that can record their own transaction history.

Improved traceability is also leading to innovation that affects how money can be spent. Imagine being able to donate money on the condition that it was used for good rather than bad. For example, with corruption one of the biggest problems facing Afghanistan, being able to donate money with an enforceable condition that it was used for bettering the lives of its citizens could be critical in lifting millions of people out of poverty.

Such a scheme could one day be achieved through blockchain, and specifically smart contracts. These are the computer applications that describe the business rules for a blockchain transaction: in effect, the pre-requisites for the transaction to be valid.

A smart contract might simply restrict payments to known criminals, or it might use asset provenance and ongoing data points to direct assets and alert interested parties accordingly. As a standard piece of code, smart contracts can articulate any behaviour necessary to describe the underpinnings of a transaction.

In summary

Is this control desirable? Improvements to the transparency and traceability of assets need be balanced against the individual’s right to privacy. As we’re seeing with other aspects of our personal data, technological innovation usually outpaces the law and we’re only now starting to see policy makers respond to the threats and opportunities that ubiquitous data sharing brings.

Bitcoin is, in many ways, an antithesis to traceability. It was invented in 2008 in the wake of the financial crisis as a means of reducing our reliance on financial institutions. It allows online payments to be made between individuals without intermediaries, but also without the checks and oversight that our financial regulatory framework brings.

While Bitcoin has been a magnet for cybercriminals, it’s exciting to see the technical community respond with a plethora of innovations, which aim to both counter illegal activities and improve the efficiency and transparency of trade. As a consequence, we will need to be ready for the debate over how much oversight we are willing to accept over our day-to-day transactions.