Monero, in particular, is quickly becoming popular among the world's top ransomware criminals. "The more savvy criminals are using Monero," said Rick Holland, chief information security officer at Digital Shadows, a cyber threat intelligence company. "We've seen REvil give discounts or request payments in monero, just in the last few months."
REvil is a Russian-speaking gang that has made some of the largest ransomware demands on record in recent months.
Monero was also a common payment option on AlphaBay, a major underground market until it closed in 2017.
"It's almost as if we're seeing, at least from a cybercriminal perspective, a resurgence in Monero, because it inherently has more privacy than some of the other currencies," Holland said.
Released in 2014 by a consortium of developers, many of whom have chosen to remain anonymous, Monero offers anonymity features that allow cybercriminals greater freedom. It operates on its own blockchain, which hides virtually all transaction details. The identities of the sender and recipient, as well as the transaction amount itself, are disguised.
"On the bitcoin blockchain, you can see what wallet address transacted, how many bitcoin, where it came from, where it's going," explained Fred Thiel, former chairman of Utimaco, one of Europe's largest cryptography companies, which has worked with Microsoft, Google and others on post-quantum encryption.
"With monero, [the blockchain] obfuscates the wallet address, the amount of the transactions, who the counter-party was, which is pretty much exactly what the bad actors want."
But Monero has its own limitations. It is not as liquid as other cryptocurrencies.
Many regulated exchanges have chosen not to list Monero due to regulatory concerns, explained Mati Greenspan, portfolio manager and founder of Quantum Economics. That means it is more difficult for cybercriminals to collect directly in the currency. "If you are a corporation and you want to acquire a lot of monero to pay someone, it is very difficult to do," said Thiel.
The digital currency could also be more vulnerable to regulation at its on-ramps and off-ramps, the points where fiat cash is converted into crypto tokens and back.
"I would bet to say that the United States and other regulators will shut them down [monero] very hard," Thiel said.
One way regulators could do that is by telling exchanges that listing Monero puts their licenses at risk.
Cyber insurance is a huge reason bitcoin remains the currency of choice for most ransomware attacks.
"Insurance is so important in this space, and insurers often refuse to refund a ransom payment if it has been paid in monero," said Peter Marta, a former case officer at the Central Intelligence Agency. "One of the things that insurers will always ask is what type of due diligence the victim company carried out, before making the payment, to try to minimize the possibility that the payment will go to an entity on the sanctions list."
Traceability is more easily achieved with bitcoin, since its blockchain records the transaction amounts and the addresses of both the sender and the recipients of every transfer. There is also infrastructure in place for officials to monitor these transactions: authorities maintain lists of bitcoin wallet addresses linked to the various sanctions regimes.
This traceability is how the FBI was able to retrieve the $2.3 million in bitcoin paid by Colonial Pipeline to the cybercriminal gang DarkSide. Court documents indicated that investigators followed the bitcoin transaction records to a digital wallet, which they subsequently seized under court order. Officials were then able to access that wallet with its "private key," which functions like a password.
That said, there are ways to make it difficult for researchers to trace transactions to their final destination.
Cybercriminals have mastered techniques for making bitcoin transactions harder to attribute, in order to obscure the chain of custody. They often turn to a mixing or tumbling service, which combines illicit funds with clean crypto and hands back coins whose link to the original payment is broken; at that point they turn to currency exchanges.
With these techniques, bitcoin will remain one of the main cryptocurrencies cybercriminals use for now.