Bitcoin, Silk Road, and Lulzsec oh my!

by on June 3, 2011 · 25 comments

Earlier this week, Adrian Chen wrote a great exclusive for Gawker about the online market for illicit drugs Silk Road. I strongly commend the piece to you. The site is only accessible via the anonymizing router network TOR, although it is viewable using tor2web. Transactions are made using bitcoins, the virtual digital currency I’ve previously written about, and which I explain in a new video for Reason.tv (below), also out this week.

After his piece was published, Chen added the following addendum:

Update: Jeff Garzik, a member of the Bitcoin core development team, says in an email that bitcoin is not as anonymous as the denizens of Silk Road would like to believe. He explains that because all Bitcoin transactions are recorded in a public log, though the identities of all the parties are anonymous, law enforcement could use sophisticated network analysis techniques to parse the transaction flow and track down individual Bitcoin users.

“Attempting major illicit transactions with bitcoin, given existing statistical analysis techniques deployed in the field by law enforcement, is pretty damned dumb,” he says.

I’ve been asked by several folks about this: just how anonymous is bitcoin? My answer is that we don’t exactly know yet. Yes, all transactions are recorded in the public ledger that is the bitcoin network, but all that means is that you can see how many bitcoins were transferred from one account on the network to another account. This tells you nothing about the identity of the persons behind the accounts. Theoretically, you could identify just one person on the network and ask them (or coerce them) to identify the persons from whom they received payments, then go to those persons in turn and ask them who they accepted payment from, etc., until you’ve identified everyone, or just a person of interest. But you can imagine all the reasons this is impractical. More likely, a bitcoin user will be revealed through identifying information inadvertently revealed in the course of a transaction.

That all said, it seems that this week has also brought us a “natural experiment” that might settle the issue. LulzSec, the hacker group responsible for the recent PBS hack, this week announced that it has compromised the personal information of over a million Sony user accounts and has released a batch of 150,000. Here’s the thing: LulzSec is accepting donations via Bitcoin and say they have received over $100 so far. The group’s bitcoin receiving address is 176LRX4WRWD5LWDMbhr94ptb2MW9varCZP. Also, while in control of PBS.org, the group offered vanity subdomains (e.g. techliberation.pbs.org) for 2 BTC each.

So, here’s a high-profile group the FBI and Secret Service are no doubt itching to get their hands on. A bitcoin receiving address for them is public. I guess we’ll find out how anonymous it is.

SHARE: 25 comments

About Jerry Brito

Jerry Brito is a senior research fellow at the Mercatus Center at George Mason University, and director of its Technology Policy Program. He also serves as adjunct professor of law at GMU. His research focuses on technology and telecommunications policy, government transparency and accountability, and the regulatory process. Jerry is also a regular contributor to TIME.com's Techland. His personal web site is jerrybrito.com. You can follow him on Twitter and on Google+.

Read more articles by Jerry Brito.

  • http://profiles.google.com/gavinandresen Gavin Andresen

    Even if the FBI or Secret Service (or Interpol or…) manages to catch Lulzsec, we might never know HOW they caught them.  If they are able to track criminals via bitcoin transactions, it seems to me they’d want to keep that secret for as long as they could.

  • happyrobot

    Any financial analysts mind taking a break from your games of financial chaos and give us a few thoughts on bitcoin, this new form of user powered financial chaos?

    Kthx =)

  • http://overtonsarrow.wordpress.com/2011/06/03/links-for-2011-06-03/ links for 2011-06-03 « Overton’s Arrow

    [...] Bitcoin, Silk Road, and Lulzsec oh my! (tags: bitcoin money online internet distributed currency)   LikeBe the first to like this post. [...]

  • http://hammeroftruth.com/2011/bitcoin-silk-road-and-lulzsec-oh-my/ Bitcoin, Silk Road, and Lulzsec oh my! · Hammer of Truth

    [...] Bitcoin, Silk Road, and Lulzsec oh my! BE PAUL REVERE:ShareEmail [...]

  • Johndoe

    Gavin, I see where you and the author are coming from, but you’re very wrong to say ‘every’ transaction leaks some info. In fact, there’s a single, but very important exception: resending money to other accounts you control.

    So say I am Bob, accepting BTC from Alice. Each of her ‘wallets’ has an address that is unique in the network, as do each of mine. Using short addresses for the sake of brevity, let’s say that Alice transfers her BTC from her wallet 45 to my wallet 67, and that when I pay her she sees my real name on her paypal record/other payment record. So far, this is working as you and the author have said. Alice knows that wallet 67 is controlled by Bob; if someone leans hard enough on her she can tell on me.

    But next, I transfer the BTC from wallet 67 to a combination of wallets 85, 39 and 37, which I also own. The public ledger records those transactions, so if Mr. Nice FBI comes to my house, I can prove that the coins were not in account 67 when they got donated to LulzSec. Because the wallet addresses are generated on my computer, there is nothing linking me to wallets 85, 39 and 37. As far as the ledger is concerned, there’s simply no way to tell who has those wallets without asking me. And it’s entirely possible that I actually don’t know who controls them. That’s a pretty big plausible deniability gap that no one seems to have recognized here.

    As with all other kinds of security, I’m sure the actual risk is somewhere in between these two scenarios. Many people will probably not be paranoid or sophisticated enough to do the anonymizing transactions they need between their own wallets. There may also be vulnerabilities if multiple wallet addresses are generated by the same secret key which is later compromised; for instance, the scenario I described would fall apart if Mr. Nice FBI could definitively prove that the secret key used to generate address 67 was also used to generate addresses 85, 39, and 37.

     So there are some pitfalls, but it’s a lot more complicated than this article acknowledges. If a lot of anonymizing transactions are going on at different places in the network, the signal-to-noise ratio could very quickly become prohibitive.

  • http://twitter.com/jaraparilla Gary Lord

    Could Lulzboat be a govt fake setup? Could BitCoin be the target, plus eager young hackers who jump on board? Who knows…

  • http://jerrybrito.com Jerry Brito

    Gavin, you’re of course right, but I think that if they are caught because they used bitcoin, we will eventually find out–even if it’s in a few years when Steven Levy or Kevin Poulsen write the book. Also, if they are caught, it will tell us something if it takes days, weeks, months, or years.

  • http://elidourado.com/blog/can-the-war-on-drugs-bootstrap-bitcoin/ Can the War on Drugs Bootstrap Bitcoin? // Eli Dourado

    [...] to keep the Feds from being able to shut down Silk Road or to make it unsafe to use the site. As Jerry Brito points out, we are now observing a natural experiment on the anonymity of Bitcoin. The hacker group LulzSec [...]

  • http://www.stanislausgop.org/2011/06/04/tech-at-night-amazon-taxes-march-on-fcc-colludes-with-marxist-activists/ Tech at Night: Amazon Taxes march on, FCC colludes with Marxist activists

    [...] the hacks go on: Anonymous attacks.. Iran?, its apparent offshoot lulzsec attacked PBS and Sony, but leaves itself open to law enforcement actio…? And yet, somehow, our elected officials think the victims are the people to be grilling. I [...]

  • http://twitter.com/bitcoinmedia Bitcoin

    https://blindbitcoin.com/index.html   is an interesting anonomysing site in progress using david Chaum’s blind signing protocol. If you donate to lulzsec use that just to be safer . Even if the fbi leans on the site there is nothing they can recover that reveals the bitcoin user :)

  • http://twitter.com/jonmatonis Jon Matonis

    Anonymous transactions are not as complicated as Gavin and Jeff make them out to be.  At least for now, it is a series of technicalities that the casual user may not deploy. However, as bitcoin matures, practicing ‘safe bitcoin’ will be like practicing ‘safe sex’. In conjunction with Tor and i2p, online services such as https://www.blindbitcoin.com and http://www.bitcoinlaundry.com will become more seamlessly integrated into the routine payment transfer operation of certain merchants.

  • Gavin

    There is a neat tool called CoinHandle which allows you to have a “pretty” URL for your Bitcoin address (instead of the big ugly ones) - http://coinhandle.com

  • http://www.facebook.com/people/Manoj-Khandelwal/1072994204 Manoj Khandelwal

    I’m reading on paper and have the urge to want to click on a phrase in the middle of a sentence where I imagine a hyperlink pointing to more information would be. medical billing

  • http://www.facebook.com/people/Manoj-Khandelwal/1072994204 Manoj Khandelwal

    I’m reading on paper and have the urge to want to click on a phrase in the middle of a sentence where I imagine a hyperlink pointing to more information would be. medical billing

  • http://techliberation.com/2011/06/08/schumer-to-doj-shut-down-silk-road-and-bitcoin/ Schumer to DOJ: Shut down Silk Road and bitcoin

    [...] is no doubt going to go after Silk Road. This sets up another “natural experiment” like the one presented by LulzSec taking bitcoin donations. Given that the site exists as a .onion an anonymous hidden service via TOR, will the feds be able [...]

  • http://www.redstate.com/blog/2011/06/09/tech-at-night-a-lot-of-tech-legislation-i-hate-and-a-big-win-against-the-fairness-doctrine/ Tech at Night: A lot of tech legislation I hate, and a big win against the Fairness Doctrine | RedState

    [...] Now, Schumer may be targeting drugs with his plans to go after Bitcoin, but as I previously covered cyberterror groups like Lulzsec also use the currency to fund their operations. Remove some financial incentives to break the law, and only good can come [...]

  • Skythra

    Here’s my thoughts: nA person doesn’t send bitcoins to random people completely randomly. They are motivated to. Even when someone asks for “donations” you can already reduce the number of people to those who knew about the donations. Timeframes give you a good picture for example. It’s the information before the transaction that can narrow down from anyone with a bitcoin account to a few people who have one. For example: lets say for some reason someone was hacking proprietary code, and I found that and I wanted to encourage them. nFirst even though there are probably thousands or more hits on a webpage, only some of those people are going to have bitcoin accounts. nSecondly, you can narrow down the accounts, because I wouldn’t look at that page, and then think “Oh i should wait at least 72 hours before donating” it’s likely if i did, i’d already have lost my motivation to donate. So you can already consider that you can make a timeline that donations within a few hour time period probably came from an IP address pool who accessed that web page of even just a few hours. nThirdly, it would be likely that these things often happen behind closed doors, and as such, a normal practice would be to sign up using email addresses. Even if I link no information to my email addresses, it would take a lot of work to anonymize my IP to that email server. Far more than what a person would do normally.nFourth, if it is obvious that my IP has been anonymized by some sort of proxy, that in itself will already narrow down the pool of potential people. As the proxy themselves unless has also been run through a fair few other proxies (allowing divergance at any proxy point), then i’ve limited myself to the IP addresses that would access that proxy.nData mining for who sent and received data (bitcoins) is limited by the networks that it uses. Those networks hold information. Then, in the end it’s a game of numbers. By cross checking even just a few of these information technologies you can reduce yourself to only being in a pool of a few hundred people (if that). Then by manually (instead of automatically) researching the few IP’s left, you could find a portfolio about each of those people, by reverse searching their other interests via any other forms of information they’ve left around. By searching beginning with finding all email addresses that may be linked, you may find their other browsing habits, login sites, and even worse, a social networking account (even if you want to be anonymous, humans inherintly hold a need for affinty with its own kind) they may be able to profile the likely person, who then may be questioned. nOf coure, the easiest thing here is, in my opinion, instead of being totally anonymous, try instead being good.

  • Nicholaz

    It’s rather simple: nHere’s the stuff LulzSec has received:nhttp://blockexplorer.com/q/getreceivedbyaddress/176LRX4WRWD5LWDMbhr94ptb2MW9varCZP

  • http://techliberation.com/2011/06/21/eff-gone-wobbly-on-bitcoin/ EFF Gone Wobbly on Bitcoin

    [...] digital currency that is inflation-, surveillance-, and confiscation-resistant, has been getting a lot of attention. EFF announced yesterday, though, that it would reverse course and stop accepting [...]

  • http://myindigolives.wordpress.com/ Ellie K

    Like bit.ly but for bitcoins instead!

  • http://myindigolives.wordpress.com/ Ellie K

    If you want thoughts about bitcoin from someone credible, read through comments made by u00a0@jonmatonis:twitteru00a0 He might have some bias in favor of bitcoin (or maybe not, it isn’t consistently obvious), just like the rest of us. But he does have years of relevant work experience. He doesn’t say things that can be picked apart due to basic errors about electronic payment technology, foreign currency trading, the role of the Federal Reserve Bank etc.u00a0nnThat is a big problem with the bitcoin topic. Few people know enough about economics, security, transactions processing (and more) to be able to assess realistically.

  • http://www.federaljack.com/?p=37587 EFF Gone Wobbly on Bitcoin : Federal Jack

    [...] currency that is inflation-, surveillance-, and confiscation-resistant, has been getting a lot of attention. EFF announced yesterday, though, that it wouldreverse course and stop accepting [...]

  • http://stuartclassified.com/2011/09/technology-is-testing-privacy-invasion-expectations-4th-amendment-and-rights/ Technology is Testing Privacy – Invasion, Expectations, 4th Amendment and Rights. | My Classifieds Stuart Florida | Stuart Classified

    [...] 10/2/2011 Bitcoin, Silk Road, and Lulzsec oh my! Source [...]

  • http://teamflyingcircus.com/forum/f47/political-crap-here-2004/index1619.html#post166021 Political crap here. – Page 1619 – TeamFlyingCircus – Giant RC Plane Forum

    [...] but have you guys been paying attention to Bitcoins? Bitcoin – Wikipedia, the free encyclopedia Bitcoin, Silk Road, and Lulzsec oh my! The Underground Website Where You Can Buy Any Drug Imaginable Everyone Wants Bitcoins After [...]

  • http://www.redstate.com/2011/06/04/tech-at-night-amazon-taxes-march-on-fcc-colludes-with-marxist-activists/ Tech at Night: Amazon Taxes march on, FCC colludes with Marxist activists | RedState

    [...] the hacks go on: Anonymous attacks.. Iran?, its apparent offshoot lulzsec attacked PBS and Sony, but leaves itself open to law enforcement actio…? And yet, somehow, our elected officials think the victims are the people to be grilling. I [...]

Previous post:

Next post: