Business-minded hackers are testing blockchain technologies to secure their illegal operations. Here's what enterprises can learn from them.

At its height, the AlphaBay dark web market had 40,000 vendors, more than 400,000 users, and was facilitating more than $600,000 worth of illegal transactions daily. July 2017 saw both AlphaBay and rival marketplace Hansa taken down by law enforcement agencies as part of Operation Bayonet.

In the same way the takedown of Silk Road in 2013 didn’t stop the illegal activity going on online, the removal of AlphaBay and Hansa has failed to halt criminal activity. They’ve simply moved on and changed tactics.

“The shift away from marketplaces was happening before, but once the takedowns [of AlphaBay and Hansa] happened, that was a big wake-up call,” says Rafael Amado, strategy and research analyst at Digital Shadows. “Cybercriminals are very flexible and creative, and what they’re doing is using a mixture of old techniques and some newer techniques to stay alive and to continue operating.”

While the chief fallout has been a big increase in the use of encrypted messaging services such as Discord and Telegram, a small but growing number of criminals are using blockchain-based technologies to help secure their operations. Are cybercriminals ahead of the pack when it comes to getting value from blockchain?

How cyber criminals use blockchain to stay secure

While still a nascent technology, there are security-based use cases for blockchain, including authentication for IoT and edge devices, ensuring data integrity, and identity and access management. Swiss backup company Acronis, for example, uses it to identify whether files have been tampered with.

Late last year RSA claimed blockchain is becoming “a new crutch for fraud,” while in June Digital Shadows published a report looking at how criminal marketplaces have changed post-AlphaBay and Hansa and found a small but growing use for decentralized technologies.
“Blockchain is still reserved to a few exclusive stores and forums which are more advanced and more sought after by law enforcement,” says Dan Cohen, director of product management, Fraud and Risk Intelligence, RSA. “But we anticipate seeing more and more fraud schemes taking advantage of the blockchain features. It protects not only against law enforcement but also fraudster competitors who are trying to sabotage others’ websites through DDoS, for example.”

Though still a niche technology, the idea of criminals using this new technology to evade law enforcement was enough to prompt Interpol to launch a €5 million ($5.8 million) project last year dedicated to countering blockchain-based evasion techniques.

According to both RSA’s and Digital Shadows’ reports, most cyber-criminal use cases involve using it for resiliency: either making centralized sites harder to take down via blockchain-based DNS, or decentralizing the entire commerce platform completely.

Traditionally, criminal marketplaces use Tor-based .onion web addresses. A few marketplaces are looking to shift toward blockchain-based domains. Where traditional DNS addresses are managed by central authorities such as ICANN or Nominet in the UK – which host a registry of IP addresses and web domains and who owns them – decentralized DNS has no such oversight. Every node plugged into blockchain DNS owns an anonymized copy of the DNS registry – usually a .bazar, .bit, .coin, .emc, or .lib address, as well as other OpenNIC TLDs – making the likes of DNS spoofing or blocking by ISPs harder.

One site using blockchain-based DNS is Joker’s Stash, an automated vending cart (AVC) site that sells stolen customer payment information and has hosted data from breaches of Saks Fifth Avenue, Hilton Hotels, Whole Foods, Chipotle and more.
The Money Team is another site using a .bazar domain.

Digital Shadows’ Amado says Joker’s Stash is still running its normal Tor .onion domain, but it has developed a blockchain DNS site to run alongside it. “They’re still experimenting with it, and I don’t think they’ll want to take down the old one until enough people know how to use the new one.”

Some operators are trying to disrupt the entire criminal market model using decentralized ecommerce sites. These sites store the entire marketplace on blockchain platforms. This makes takedowns harder – although transaction history is all recorded, which has the benefit of easily resolving disputes, but the drawback of being easily referenced if caught.

Tralfamadore, named after the alien planet in Kurt Vonnegut’s Slaughterhouse-Five, is one such example. Databases and code to support front-end user interfaces are stored on the Ethereum blockchain, while transactions are made using cryptocurrency and recorded through smart contracts. “Even in the non-criminal world, people are experimenting with blockchain for marketplaces and sites. It’s happening on both sides,” says Amado.

Another example is OpenBazaar, a decentralized ecommerce platform Fortune once labeled as “America’s most dangerous tech startup.” Europol previously highlighted it as a potential future threat. The company has raised over $4 million from BlueYard Capital and Union Square Ventures, while its creators have been focused on promoting the benefits of selling legitimate goods without middlemen. It has, however, been found to be hosting ads for illegal goods in the past, while current postings include a small number of offerings for credentials and hacking tools.

While the number of users coming to sites such as Tralfamadore and OpenBazaar still pales in comparison to AlphaBay in its heyday, Digital Shadows reports more than 4,000 users joining the latter in the first half of 2018, with around 1,000 more joining since its original report was published.
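Because the .bazar, .bit, .coin, .emc and .lib namespaces described above live outside the ICANN root, a lookup for one of them that reaches an ordinary corporate resolver is a useful triage signal: the host is either configured for an alternative resolver or running a browser plugin that leaks its queries. The following is an added example, not code from the article or from Digital Shadows or RSA, that scans a constructed DNS query log for such names and groups the hits per client. The log format, the field order, and the idea that the listed TLDs are only a starting point (real OpenNIC and blockchain namespaces are broader) are all assumptions.

```python
import re
from collections import Counter

# TLDs the article names as blockchain-based / OpenNIC namespaces. Illustrative
# only; extend from your own resolver policy (assumption, not an exhaustive list).
BLOCKCHAIN_TLDS = {"bazar", "bit", "coin", "emc", "lib"}
# Tor hidden-service pseudo-TLD; such names should never reach a corporate resolver.
TOR_TLDS = {"onion"}

# Constructed sample DNS query log. The format is an assumption:
#   <timestamp> <client-ip> <query-name> <query-type>
SAMPLE_LOG = """\
2018-07-01T10:00:01Z 10.0.0.12 www.example.com A
2018-07-01T10:00:02Z 10.0.0.12 shop.example.bazar A
2018-07-01T10:00:03Z 10.0.0.40 mail.example.co.uk MX
2018-07-01T10:00:04Z 10.0.0.40 wiki.somesite.bit AAAA
2018-07-01T10:00:05Z 10.0.0.55 abcdefghijklmnop.onion A
2018-07-01T10:00:06Z 10.0.0.12 bit.example.org A
2018-07-01T10:00:07Z 10.0.0.77 ns1.opennic.emc. A
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)\s+(?P<qtype>\S+)$"
)


def classify_qname(qname):
    """Return 'blockchain', 'tor' or None based on the rightmost label only.

    Only the final label is inspected, so 'bit.example.org' is not flagged
    while 'wiki.somesite.bit' is. A trailing dot (FQDN form) is tolerated.
    """
    tld = qname.rstrip(".").lower().rsplit(".", 1)[-1]
    if tld in BLOCKCHAIN_TLDS:
        return "blockchain"
    if tld in TOR_TLDS:
        return "tor"
    return None


def scan_log(text):
    """Parse log lines and return (timestamp, client, qname, category) for each
    query whose TLD lives outside the ICANN root."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed or blank lines rather than crashing
        category = classify_qname(m["qname"])
        if category:
            hits.append((m["ts"], m["client"], m["qname"].rstrip(".").lower(), category))
    return hits


def clients_by_category(hits):
    """Count flagged queries per (client, category); a client repeatedly asking
    for blockchain TLDs is a better triage lead than a single stray lookup."""
    return Counter((client, category) for _, client, _, category in hits)


if __name__ == "__main__":
    flagged = scan_log(SAMPLE_LOG)
    for ts, client, qname, category in flagged:
        print(f"{ts} {client} {qname} [{category}]")
    for (client, category), n in clients_by_category(flagged).most_common():
        print(f"{client}: {n} {category} quer{'y' if n == 1 else 'ies'}")
```

Matching only the rightmost label keeps the false-positive rate down: a hostname such as bit.example.org is an ordinary ICANN name and is left alone. On a real resolver these queries would already be returning NXDOMAIN, so the value is in who asked, not in what was answered.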
Can enterprises learn from criminals’ use of blockchain?

Criminal operations are now run like proper businesses: they have customer reviews, customer service offerings, and reputation scores. In the same way bad opsec can sink legitimate companies, it can sink criminal operations.

With that in mind, should enterprises be looking at how criminals are using blockchain with an eye to emulating them? Depending on the situation, blockchain DNS may have some benefits for legitimate business.

“Fraudsters are obviously utilizing blockchain to defend against takedown of their website. If we compare this to its parallel in the legitimate world, blockchain can also help protect against DDoS attacks which many entities experience,” explains RSA’s Cohen.

It can also help prevent DNS spoofing, where attackers inject corrupt DNS data into a request to redirect it to another IP address, likely one serving malware, because the DNS registry is shared with everyone connected to it and any change therefore requires consensus among the peers.

It can also help companies with operations in locations with authoritarian governments. In a country with a high level of censorship, governments can order all internet service providers to stop resolving a domain to its IP address. Wikipedia, for example, has been blocked in Turkey for over a year. Blockchain DNS prevents governments from blocking sites in this way.

“If a company is worried about pressure from above, that is a type of approach you could take,” says Amado, “but I wouldn’t recommend blanket adoption of that approach because you’re going to open yourself up to other problems with a particular state or authorities that you’re dealing with.”

Adoption of blockchain by criminals and their customers has been slow, according to Amado, largely because they are still wary of the technology and what it can and can’t do; a good lesson when adopting any new technology, including blockchain. “The majority of cyber-criminals don’t understand blockchain themselves.
There’s still a lot of uncertainty, confusion, and mistrust around it. People want to interrogate and find out exactly why this technology runs the way it does and how secure it is,” he says.

“For an organization looking to incorporate blockchain in some sort of capacity, don’t just assume that it is going to be a panacea and it’s going to solve everything,” Amado adds. “Don’t be overconfident and be aware of the limitations of the technologies. If you do implement, is it as secure as it could be? What are the potential vulnerabilities and flaws that it might have?”