Mueller Indictment: Russia Financed Clinton Campaign Hacks with Bitcoin

The grand jury indictment filed in Washington on Friday by the Mueller team claims multiple units of Russian spies used bitcoins in “large-scale cyber operations to interfere with the 2016 U.S. presidential election.”

Although cybersecurity experts recently warned the US Senate Subcommittee on Crime and Terrorism that cryptocurrencies comprise “an emerging threat” to the integrity of the US political process, this is the first time bitcoins have been implicated to such an extent. The Mueller indictment reads:

“Although the Conspirators caused transactions to be conducted in a variety of currencies, including U.S. dollars, they principally used bitcoin when purchasing servers, registering domains, and otherwise making payments in furtherance of hacking activity.”

According to the indictment, from around February 2016 until the November 2016 election, the accused Russian conspirators:

  • hacked the email accounts of volunteers and employees of the Hillary Clinton U.S. presidential campaign
  • stole 50,000 emails from the Clinton Campaign chairperson
  • hacked into the computer networks of the Democratic Congressional Campaign Committee (DCCC) and the Democratic National Committee (DNC) and stole emails
  • covertly installed malware on and monitored the computers of dozens of DCCC and DNC employees
  • published anti-Clinton content on social media accounts operated by the GRU (Russian secret service, under military directive)
  • transferred 2.5 gigabytes of data stolen from the DCCC to a then-registered state lobbyist and online source of political news, including the donor records and personal identifying information for more than 2,000 Democratic donors
  • released tens of thousands of stolen emails and documents…using fictitious online personas, including the Twitter handle @Guccifer_2
  • created the “dcleaks.com” website under the pretence that the site was started by “American hacktivists,” and released stolen emails there. (The indictment claims the site received more than a million hits before it was shut down.)
  • etc.

Notably, the indictment also states, “the conspirators used a network of computers located across the world, including in the United States, and paid for this infrastructure using cryptocurrency.”

In particular, the accused conspirators used bitcoins “to purchase a virtual private network (VPN) account and to lease a server in Malaysia,” then used the Malaysian server to host the “dcleaks.com” website through the “@Guccifer_2” Twitter account.

The indictment also connects that VPN account to the registering of “malicious domains for the hacking of the DCCC and DNC networks.”

Perhaps unsurprisingly, the indictment claims, “Many of these payments were processed by companies located in the United States that provided payment processing services to hosting companies, domain registrars, and other vendors both international and domestic.”

Although the Bitcoin network has a transparent ledger that can be inspected by law enforcement and others, until recently many cryptocurrency exchange services did not use exhaustive KYC/AML (know-your-customer/anti-money-laundering) customer identification processes, meaning people could set up pseudonymous accounts for crypto trading:

“The conspirators acquired bitcoin through a variety of means designed to obscure the origin of the funds. This included purchasing bitcoin through peer-to-peer exchanges, moving funds through other digital currencies, and using pre-paid cards. They also enlisted the assistance of one or more third-party exchangers who facilitated layered transactions through digital currency exchange platforms providing heightened anonymity.”

In other words, Bitcoin and crypto networks seem to have provided a relatively relaxed means of funding covert action in this case:

“The use of bitcoin allowed the Conspirators to avoid direct relationships with traditional financial institutions, allowing them to evade greater scrutiny of their identities and sources of funds.”

In testimony given before the US Congress Subcommittee on Crime and Terrorism in late June, David Murray, President of the Washington-based Financial Integrity Network, told Senators Graham and Whitehouse, “Covert influence requires dark funding in order to remain covert…(and) the absence of a financial intermediary makes it easier for a foreign adversary to conceal its location outside the US.”

Murray also said that cryptocurrencies help “thwart US election laws…because they promote anonymity and irreversible settlement, two traits…attractive to criminals.”

According to the Mueller indictment, the 12 accused conspirators further obscured their campaigns by channeling related purchases through hundreds of different email accounts:

“To further avoid creating a centralized paper trail of all of their purchases, the Conspirators purchased infrastructure using hundreds of different email accounts, in some cases using a new account for each purchase…(they) used fictitious names and addresses in order to obscure their identities and their links to Russia and the Russian government. For example, the dcleaks.com domain was registered and paid for using the fictitious name ‘Carrie Feehan’ and an address in New York…(and) Conspirators provided vendors with nonsensical addresses such as ‘usa Denver AZ,’ ‘gfhgh ghfhgfh fdgfdg WA,’ and ‘1 2 dwd District of Columbia.’”

Nevertheless, the indictment claims investigators were able to trace bitcoins back to several “dedicated email accounts,” and to “the same computers that they used to conduct their hacking activity, including to create and send test spearphishing emails.”

The indictment also claims the accused conspirators “mined” bitcoins to pay for their efforts:

“The pool of bitcoin generated from the GRU’s mining activity was used, for example, to pay a Romanian company to register the domain dcleaks.com through a payment processing company located in the United States.”

At the June hearing at the Senate Subcommittee on Crime and Terrorism, David Murray said the Russian “covert influence campaign” to corrupt the 2016 US presidential election was “the boldest yet…(and) presented a significant escalation…compared to previous operations.”

