Nick Bax demonstrates how XMR transactions related to WannaCry 2.0 were traced
Blockchain analyst Nick Bax1 published a detailed post2 where he demonstrates how Chainalysis3 was able to trace XMR transactions related to the WannaCry 2.04 malware:
Wannacry 2.0: funds tracked from BTC to XMR and back to BTC and BCH after 3 months.
- [12-15 May 2017] - WannaCry 2.0 ransomware initial outbreak (300K+ Windows machines infected5)
- [12 May 2017 at 07:44] - Marcus Hutchins discovers a kill-switch which prevented already infected machines from being encrypted6
- [3 Aug 2017] - BTC converted to 820.79942522 XMR via ShapeShift
- [17 Aug 2017] - Shapeshift-received XMR consolidated in 3 transactions
- [Sep 2017] - Neutrino research team publish article on tracing Shapeshift BTC > XMR transactions7
- [2 Nov 2017] - 536 XMR converted to BCH using ShapeShift in 9 transactions
- [19 Dec 2017] - Cyberattack blamed8 on Lazarus Group9
In an attempt to obfuscate the source or destination of the funds, an attempted to convert them to a privacy-focused cryptocurrency has been made (BTC > XMR > BTC/BCH). Shapeshift and Changelly were used for some of the transactions.
Nick shares the info that he used to complete the trace:
Additional data can be found in the associated Github repository12.
- the existence of long payment IDs (which have been deprecated13 and replaced with subaddresses in 2019)
- the user could select a low number of decoys per transaction (today it’s fixed at 10, which increase privacy considerably)
- Monero CLI wallet users were isolated/profiled based on the number of allowed transaction outputs (currently not possible as both Monero GUI & Cake Wallet both allow multiple > 2 TXOs/tx)
- the use of centralized exchanges
- failed attempt at churning14
The post concludes with a summary and some interesting things to consider:
Nevertheless, this example shows that probabilistic analysis can lead to very high certainties in Monero tracing. It shows that even state-sponsored actors can be traced if improperly using Monero.
The information from this leak can also potentially be used alongside other Monero attacks, such as the recently-described flood attack, to increase the reliability of EAE attacks.15
- Use XMR peer-to-peer (as it was intedended to be used) whenever you can, don’t go through a centralized exchange if you can help it.
- Use Tor with GNU/Linux/Whonix/Qubes/Tails (deny metadata collection). Don’t use Windows.
- Reassess your treat model and revise your OPSEC accordingly.
https://www.neutrino.nu/Research_WannaShift_to_Monero.html ↩ ↩2