Last week, U.S. Marshals sold off another 50,000 Bitcoins that used to belong to Silk Road founder Ross Ulbricht -- a.k.a. "Dream Pirate Roberts." Ulbricht was found guilty on all accounts last month, and faces up to life in prison.
The Silk Road was an online marketplace notorious for using Bitcoin to facilitate the trading of drugs, stolen credit card numbers, fake IDs, counterfeit money, hacking tools and other illegal goods.
But, as the criminals learned to their disadvantage, Bitcoin's security only goes so far -- and they're now starting to look at other, more anonymous payment systems.
"Bitcoin and the other cryptocurrencies create a ledger, a mechanism for recording every transaction that happens across this distributed network," said Carol Van Cleef, partner at the Albany-based lawfirm Manatt, Phelps & Phillips, LLP, co-chair of the firm's global payments group, and an expert in virtual currencies.
Every transaction is recorded and can be tracked. All law enforcement has to do is find a loose end, tug on it, and the entire chain comes unraveled.
In taking down Silk Road, for example, those loose ends were the physical locations that illegal goods were delivered to, and face-to-face meetings between participants. Law enforcement agents posed as customers, as drug buyers and sellers, and, in one instance, even staged torture and murder.
"There's a recognition that every transaction that hits the blockchain could ultimately be traced," said Van Cleef.
The process was helped along because authorities were able to grab Silk Road servers and Ulbricht's personal computer -- they waited until he had logged in before coming in and arresting him, so they were able to get easy access to his data.
It turns out, even criminal masterminds make plenty of mistakes.
Criminals using Bitcoin to collect ransoms -- such as the folks behind the latest cryptoransomware -- will also get caught, said Van Cleef.
"I think it's one of those situations where it's just a matter of time," she said. "If investigators stay with it long enough, they will discover the identity or the location of the people behind it."
However, she admitted that the process does take time, and the perpetrators might be gone by then.
And, in fact, when CrytoLocker was shut down last summer, its mastermind, Evgeniy Bogachev, had already retired and was able to evade capture. He is still on the FBI's Cyber's Most Wanted list. But his successor Sasha Panin, developer of the SpyEye malware tool kit, was arrested last spring.
To plug the digital security holes, cryptocurrency developers have been working on two main fronts. On the one hand, they've been trying to add layers of security to Bitcoin itself. The second, they've been developing alternative cryptocurrencies that are structured in such a way that transactions are more completely anonymous.
Adding security to Bitcoin
Silk Road itself attempted to confuse the trail by passing transactions through dummy intermediate accounts.
Bitcoin users can also set up a new address for each transaction. One tool for that is Dark Wallet, a project which held a successful crowfunding campaign on IndieGoGo in late 2013.
There are also places to create a Bitcoin wallet without any link to a physical user.
Another approach mixes Bitcoins from many different people together into one digital wallet, and then redistributes them or passes them on to the destination account.
Another approach is stealth payments, a technique that uses public and private key pairs to hide the identity of a transaction's participants, in a way similar to the way that online communications are encrypted.
More recently, some Bitcoin users have been combining both approaches -- combining the rings of multiple addresses with stealth payments to make Bitcoin payments completely anonymous.
CryptoNote, Darkcoin and Cloakcoin
Other developers have moved away from Bitcoin and started from scratch.
CryptoNote, for example, is an alternative approach to creating cryptocurrencies. Here, each transaction is signed with keys from multiple users. There's still a ledger, but no way to tell which of the users was the actual sender of the money.
To protect the identity of the recipient, there are multiple unique one-time addresses derived from the recipient's public key.
Several new cryptocurrencies have been developed based on the CryptoNote idea, including reference implementation CryptoNoteCoin, Bytecoin, DarkNote, DarkNetCoin, and Fantomcoin.
The software is open source, and the the CryptoNode site offers an "easy forking guide" to help people create their own version of the cryptocurrency.
Darkcoin attempts to solve the identity problem with a decentralized network of "Masternodes" servers that anonymize transactions by combining several transactions into one in the transaction record.
It's particularly popular with online gambling casinos.
Cloakcoin, launched last year, also promises anonymous sending and receiving of the currency.
"DarkCoins is like using cash which is basically untraceable," said Adam Kujawa, head of malware intelligence at Malwarebytes Corp. "And Cloakcoin is like paying for something by dropping a dollar into a pile of other money before having the recipient take out what they are meant to get."
Anonymity also a weakness
To a technologist, it might seem that the answer always lies with a better algorithm.
To a hacker, it might seem that secrecy and anonymity is synonymous with security.
Privacy advocates, money launderers, gamblers and criminals may be searching for bullet-proof anonymity, but if they do ever find it, that anonymity could be their own downfall.
After all, if the authorities don't know who you are, you don't know who they are, either.
Traditional criminal enterprises rely on networks of trust and personal relationships. Existing customers must vouch for new ones.
Criminals work their way up in a gang, or find new partners in prison, to be sure that they're working with people they can trust.
With fully anonymous online marketplaces, the person ordering the drugs could be a cop. The person offering to provide a list of stolen credit card numbers could be providing malware that broadcasts your location to the authorities.
If a seller has a history of successful transactions, or positive reviews -- there is no way to be sure that the counterparties of those transactions, and those reviewers, aren't also cops.
Another weakness of the cryptocurrencies, especially of the Bitcoin alternatives, is their low trading volumes, which makes them susceptible to manipulation.
"You can think of a fraction of the daily volume as a goal post for an attacker," said Tod Beardsley, engineering manager at security firm Rapid7 LLC. "Very roughly, if I can control about half of the value of a given coin, I can cause huge problems for everyone else when it comes to the short-term price and viability of the coin."
According to CoinMarketCap, Darkcoin had the fifth largest market capitalization on March 7, of more than $17 million, but a 24-hour trading volume of just $72,621 -- compared to $25 million for Bitcoin.
It doesn't take much of a bankroll to be able to manipulate Darkcoin -- $35,000 or so would be enough.
"I can engineer wild price swings, at will," said Beardsley. "After the booms and busts of dozens of altcoins from 2013 to 2014, the folks behind Darkcoin have a fairly large trust hurdle to surmount, and they're not making things easier on themselves by using terms like 'launder' that invite negative government interest. Bitcoin already has a money laundering image to shake off, but Darkcoin seems to be embracing it."
Still, Darkcoin is actually doing pretty well compared to some of the alternatives, and interest in it has been going up steadily since the start of the year, possibly because of the Silk Road trial.
CloakCoin's market capitalization has fallen dramatically since its first burst of interest last summer.
"Cloakcoin is laughably low," said Beardsley.
On March 7, its 24-hour trading volume was just $58. Not $58,000 -- just $58. And its market capitalization was $46,000.
So maybe not a threat to law enforcement authorities just yet.
Join the CIO New Zealand group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.