Last week, U.S. Marshals sold off another 50,000 Bitcoins that used to belong to Silk Road founder Ross Ulbricht -- a.k.a. "Dream Pirate Roberts." Ulbricht was found guilty on all accounts last month, and faces up to life in prison.
The Silk Road was an online marketplace notorious for using Bitcoin to facilitate the trading of drugs, stolen credit card numbers, fake IDs, counterfeit money, hacking tools and other illegal goods.
But, as the criminals learned to their disadvantage, Bitcoin's security only goes so far -- and they're now starting to look at other, more anonymous payment systems.
"Bitcoin and the other cryptocurrencies create a ledger, a mechanism for recording every transaction that happens across this distributed network," said Carol Van Cleef, partner at the Los Angeles-based lawfirm Manatt, Phelps & Phillips, LLP, co-chair of the firm’s global payments group, and an expert in virtual currencies.
Every transaction is recorded and can be tracked. All law enforcement has to do is find a loose end, tug on it, and the entire chain comes unraveled.
In taking down Silk Road, for example, those loose ends were the physical locations that illegal goods were delivered to, and face-to-face meetings between participants. Law enforcement agents posed as customers, as drug buyers and sellers, and, in one instance, even staged torture and murder.
"There's a recognition that every transaction that hits the blockchain could ultimately be traced," said Van Cleef.
The process was helped along because authorities were able to grab Silk Road servers and Ulbricht's personal computer -- they waited until he had logged in before coming in and arresting him, so they were able to get easy access to his data.
It turns out, even criminal masterminds make plenty of mistakes.
Criminals using Bitcoin to collect ransoms -- such as the folks behind the latest cryptoransomware -- will also get caught, said Van Cleef.
"I think it's one of those situations where it's just a matter of time," she said. "If investigators stay with it long enough, they will discover the identity or the location of the people behind it."
However, she admitted that the process does take time, and the perpetrators might be gone by then.
And, in fact, when CrytoLocker was shut down last summer, its mastermind, Evgeniy Bogachev, had already retired and was able to evade capture. He is still on the FBI's Cyber's Most Wanted list. But his successor Sasha Panin, developer of the SpyEye malware tool kit, was arrested last spring.
To plug the digital security holes, cryptocurrency developers have been working on two main fronts. On the one hand, they've been trying to add layers of security to Bitcoin itself. The second, they've been developing alternative cryptocurrencies that are structured in such a way that transactions are more completely anonymous.
Adding security to Bitcoin
Silk Road itself attempted to confuse the trail by passing transactions through dummy intermediate accounts.
Bitcoin users can also set up a new address for each transaction. One tool for that is Dark Wallet, a project which held a successful crowfunding campaign on IndieGoGo in late 2013.
There are also places to create a Bitcoin wallet without any link to a physical user.
Another approach mixes Bitcoins from many different people together into one digital wallet, and then redistributes them or passes them on to the destination account.
Another approach is stealth payments, a technique that uses public and private key pairs to hide the identity of a transaction's participants, in a way similar to the way that online communications are encrypted.
More recently, some Bitcoin users have been combining both approaches -- combining the rings of multiple addresses with stealth payments to make Bitcoin payments completely anonymous.
CryptoNote, Darkcoin and Cloakcoin
Other developers have moved away from Bitcoin and started from scratch.
CryptoNote, for example, is an alternative approach to creating cryptocurrencies. Here, each transaction is signed with keys from multiple users. There's still a ledger, but no way to tell which of the users was the actual sender of the money.