DO
WE
REALLY
NEED
A
NEW
“WAR
AGAINST
CRYPTOGRAPHY”?
We
talk
to
renowned
cybersecurity
author
Andy
Greenberg
about
his
tremendous
new
book,
Tracers
in
the
Dark.
Hear
Andy’s
thoughtful
commentary
on
cybercrime,
law
enforcement,
anonymity,
privacy,
and
whether
we
really
need
a
“war
against
cryptography”
–
codes
and
ciphers
that
the
government
can
easily
crack
if
it
thinks
there’s
an
emergency
–
to
cement
our
collective
online
security.
Click-and-drag
on
the
soundwaves
below
to
skip
to
any
point.
You
can
also
listen
directly
on
Soundcloud.
Intro
and
outro
music
by
Edith
Mudge.
You
can
listen
to
us
on
Soundcloud,
Apple
Podcasts,
Google
Podcasts,
Spotify,
Stitcher
and
anywhere
that
good
podcasts
are
found.
Or
just
drop
the
URL
of
our
RSS
feed
into
your
favourite
podcatcher.
MODEM]
PAUL
DUCKLIN.
Hello,
everybody.
Welcome
to
this
very,
very
special
episode
of
the
Naked
Security
podcast,
where
we
have
the
most
amazing
guest:
Mr.
Andy
Greenberg,
from
New
York
City.
Andy
is
the
author
of
a
book
I
can
very
greatly
recommend,
with
the
fascinating
title
Tracers
in
the
Dark:
The
Global
Hunt
for
the
Crime
Lords
of
Cryptocurrency.
So,
Andy,
let’s
start
off…
..what
made
you
write
this
book
in
the
first
place?
It
seems
fascinatingly
complicated!
ANDY.GREENBERG. Yes,
well,
thank
you,
Paul.
I
guess
[LAUGHS]…
I’m
not
sure
if
that’s
a
compliment?
DUCK. Oh,
it
is,
it
is!
ANDY. Thank
you.
So,
I’ve
covered
this
world
of
hackers,
and
cybersecurity,
and
encryption
for
about
15
years
now.
And
around,
let’s
see
–
I
guess
2010
–
I
started
working
on
a
book,
a
different
book,
that
was
about
the
cypherpunk
movement
in
the
1990s…
…and
the
ways
that
it
gave
rise
to
the
modern
internet,
but
also
to
things
like
WikiLeaks,
and
other
kinds
of
encryption,
anonymity
tools,
and
ultimately
what
we
now
call
the
dark
web,
I
suppose.
And
I’ve
always
been
fascinated
with
the
ways,
on
this
beat,
that
anonymity
can
play
this
fascinating,
dramatic
role
–
and
allow
people
to
become
someone
else,
or
to
reveal
to
you
in
secret
to
who
they
truly
are.
And
as
I
dug
into
this
cypherpunk
world,
around
2010
and
2011,
I
came
upon
this
thing
that
seemed
to
be
a
new
phenomenon
in
that
world
of
online
anonymity
–
which
was
Bitcoin.
I
wrote,
I
think,
the
first
print
magazine
piece
about
Bitcoin
for
Forbes
magazine
in
2011.
I
interviewed
one
of
the
first
Bitcoin
developers,
Gavin
Andresen,
for
that
piece.
And
Gavin
and
many
others
at
the
time
were
describing
Bitcoin
as
a
kind-of
anonymous
digital
cash
for
the
internet.
You
could
actually
use
this
new
invention,
Bitcoin,
to
put
unmarked
bills
in
a
briefcase,
basically,
and
send
it
across
the
internet
to
anyone
in
the
world.
And,
being
the
kind
of
reporter
I
am,
I’m
interested
in
the
subversive
and
sometimes
criminal,
sometimes
politically
motivated…
I
don’t
know,
the
underhanded
and
dark
corners
of
the
internet.
I
just
saw
how
this
would
enable
a
new
world
of…
yes,
people
seeking
financial
privacy,
but
also
money
laundering,
and
drug
dealing
online,
and
all
of
this
that
would
come
to
pass
in
the
next
few
years.
But
what
I
didn’t
foresee
is
that,
ten
years
later
or
so,
it
would
be
by
then
apparent
that
Bitcoin
is
actually
the
*opposite*
of
anonymous.
I
mean,
that
is
the
big
surprise,
and
the
big
reveal.
For
me,
it
was
a
kind
of
slow-motion
epiphany
to
realise
that
cryptocurrency
was
actually
*extremely*
traceable.
It
was
the
opposite
of
this
“anonymous
cash
for
the
internet”
that
many
people
once
thought
it
was.
And
the
result,
I
think,
was
that
it
served
as
a
kind
of
trap
for
many
people
seeking
financial
privacy…
and
criminals,
over
that
decade.
And
as
I
realised
the
extent
of
this…
I
fully
realised
it
in
2020
or
so.
I
began,
at
the
same
time,
to
see
that
this
one
company,
Chainalysis,
a
blockchain-analysis
Bitcoin
cryptocurrency
tracing
firm,
was
being
venked
in
one
US
Department
of
Justice
announcement
after
another
in
all
of
these
major
busts.
And
so
I
started
talking
to
Chainalysis,
and
then
to
their
customers
and
law
enforcement,
and
slowly
realised
that
there
had
been
this
one
small
group
of
detectives
that
had
figured
this
out
much
earlier
than
me.
They
had
started
actually
tracing
Bitcoins
years
earlier,
and
had
used
this
incredibly
powerful
investigative
technique
to
go
on
this
spree
of
one
massive
cybercriminal
bust
after
another…
…using
cryptocurrency
as
this
surprise
trap
that
had
been
laid
for
so
many
people
on
the
dark
web,
and
in
the
cybercriminal
world
as
a
whole.
DUCK. Now,
I
suppose
we
shouldn’t
really
be
surprised
at
that,
should
we,
as
you
explain
in
the
book?
Because
the
whole
idea,
at
least
of
the
Bitcoin
blockchain,
is
that
it
is,
by
design,
entirely
and
utterly
public
and
irrevocable.
That’s
how
it
can
work
as
a
ledger
that
is
equivalent
to
something
that
would
normally
be
held
privately
and
individually
by
your
bank.
It
doesn’t
actually
have
your
name
on
it,
but
it
has
a
magic
identifier
that,
once
tied
to
you,
can’t
really
be
cut
loose…
…if
there’s
other
evidence
to
say,
“Yes,
long-hexadecimal-string-of-stuff
is
Andy
Greenberg,
and
here’s
why.”
Now
try
denying
it!
So,
I
think
you’re
right.
This
idea
that
it’s
*possible*
to
trade
anonymously
with
Bitcoin
–
I
think
was
taken
by
very
many
people
to
mean
that
it
is
fundamentally
anonymous
and
ever-untraceable.
But
the
world
is
not
like
that,
is
it?
ANDY. I
sometimes
look
back
on
my
2011
self,
and
in
that
piece
for
Forbes,
I
*did*
write
that
Bitcoin
was
potentially
untraceable.
And
I
sort
of
scold
myself,
“How
could
you
be
such
an
idiot?”
The
whole
idea
of
Bitcoin
is
that
there’s
a
blockchain
that
records
every
transaction.
But
then
I
remind
myself
that
even
Satoshi
Nakamoto,
the
mysterious
creator
of
Bitcoin
(whoever
he,
she
or
they
are),
in
their
first
email
to
a
cryptography
mailing
list
introducing
the
idea
of
Bitcoin…
…listed
among
its
features
that
participants
can
be
anonymous.
That
was
a
feature
of
Bitcoin
as
Satoshi
described
it.
So
I
think
there’s
always
been
this
idea
that
Bitcoin,
if
it’s
not
anonymous,
at
least
is
pseudonymous,
that
you
can
hide
behind
the
pseudonym
of
your
Bitcoin
address,
and
that
if
you
can’t
figure
out
somebody’s
address,
you
can’t
figure
out
their
transactions.
I
guess
we
all
should
have
known…
I
should
have
known,
and
maybe
even
Satoshi
should
have
known,
that,
given
this
massive
corpus
of
data,
there
would
be
patterns
in
it
that
allow
people
to
identify
clusters
of
addresses
that
all
belong
to
one
person
or
service.
Or
to
follow
the
money
from
one
address
to
another
to
find
interesting
giveaways
in
this
massive
collection
of
data,
that
allow
you
to
follow
the
money.
The
biggest
giveaway
of
all
is
when
you
cash
in
or
cash
out
at
a
cryptocurrency
exchange
that
has
Know-Your-Customer
[KYC]
requirements,
as
almost
all
of
them
do
now.
They
have
your
identity,
so
if
somebody
can
just
subpoena
that
exchange,
then
they
have
your
actual
driver’s
licence
in
hand.
And
any
illusion
of
anonymity
just
completely
backfires.
So
that
is
the
story,
I
think,
of
how
Bitcoin’s
anonymity
turned
out
to
be
the
opposite.
DUCK. Andy,
do
you
think,
perhaps,
though,
that
there’s
nothing
wrong
with
Satoshi
Nakamoto
saying,
“You
*can*
be
anonymous
when
you
use
Bitcoin?”
I
think
what’s
wrong
is
that
lots
of
people
assume
that
because
technology
*can*
let
you
do
something
that
is
desirable
for
your
privacy,
therefore,
*however
you
use
it*,
it
always
will.
And
the
original
idea
of
Bitcoin
didn’t
include
exchanges,
did
it?
And
so
there
wouldn’t
be
any
exchanges
that
would
take
a
copy
of
your
driving
licence
if
Bitcoin
were
used
in
its
original
sort
of
cypherpunk
way,
as
far
as
I
can
see…
ANDY. Well,
I
certainly
don’t
blame
Satoshi
for
not
predicting
the
entire
cryptocurrency
economy,
including
the
ways
that
exchanges
would
interface
with
the
traditional
finance
world.
It’s
all
incredibly
complex
economics;
Bitcoin
was
brilliant
enough
as
it
is.
But
I
do
think
that
it’s
more
than
just,
“You
*can*
be
anonymous
with
Bitcoin
if
you’re
careful,
but
most
people
are
not
careful.”
It
turns
out,
I
think,
that
the
possibility,
no
matter
how
smart
you
are,
of
using
Bitcoin
anonymously
is
vanishingly
small.
Also,
there
is
the
property
of
blockchain
*that
it
is
forever*.
So,
if
you
use
the
kind
of
smartest
ideas
of
the
day
to
try
to
avoid
any
of
these
patterns
that
reveal
your
transactions
on
the
blockchain,
but
then
someone
years
later
figures
out
a
new
trick
to
identify
transactions…
…then
you’re
still
screwed.
They
can
go
back
in
time,
and
use
their
new
ideas
to
foil
your
cutting-edge
anonymity
tricks
from
years
earlier.
DUCK. Absolutely.
With
a
bank
fraud
you
can
imagine
you
*could*
get
lucky,
couldn’t
you?
That
just
when
you’re
about
to
be
investigated,
years
later,
you
find
the
bank’s
had
a
data
security
disaster,
and
they’ve
lost
all
their
backups
and,
oh,
they
can’t
recover
the
data…
With
the
blockchain,
that
ain’t
never
going
to
happen!
[LAUGHS]
Because
everybody’s
got
a
copy,
and
that’s
a
requirement
for
the
system
to
work
as
it
does.
So,
once
locked
in,
always
locked
in:
it
can
never
be
lost.
ANDY. That’s
the
thing!
To
be
anonymous
with
cryptocurrency,
you
truly
have
to
be
perfect
–
perfect
for
all
time.
And
to
catch
someone
who’s
trying
to
be
anonymous
with
cryptocurrency
slipping
up,
you
just
have
to
be
smart,
and
persistent,
and
work
on
it
for
years,
which
is
what,
first,
Chainalysis…
…actually,
first
was
academic
researchers
like
Sarah
Meiklejohn
at
the
University
of
California
at
San
Diego,
who,
as
I
document
the
book,
came
up
with
a
lot
of
these
techniques.
But
then
Chainalysis,
this
startup
that’s
now
almost
a
nine-billion-dollar
unicorn,
selling
polished
cryptocurrency
tracing
tools
to
law
enforcement
agencies.
And
now,
all
of
these
law
enforcement
agencies
that
have
professional
Bitcoin
tracers
–
their
savvy,
their
know-how
in
doing
this,
is
just
growing
by
leaps
and
bounds.
And
I
think
it’s
almost
just
a
better
rule
to
say,
“No,
you
cannot
be
anonymous
with
cryptocurrency,”
that
it
is
fully
transparent.
That’s
a
safer
way
to
operate,
almost.
To
be
fair,
Satoshi
Nakamoto
said
participants
*can*
be
anonymous…
but
it
turns
out
that
the
only
participant
who
has
*remained*
anonymous
is
Satoshi
Nakamoto.
And
that
is,
in
part,
because
very
few
people
have
that
other-worldly
restraint
that
Satoshi
had
to
amass
a
million
Bitcoins
and
then
never
spend
them
or
move
them.
If
you
do
that…
yes,
I
think
you
can
perhaps
be
anonymous.
But
if
you
ever
want
to
use
your
cryptocurrency,
or
to
put
it
in
a
liquid
form
where
you
can
spend
it,
then
I
think
you’re
toast.
DUCK. Yes,
because
there
are
some
amazing
things
that
have
happened,
one
of
which
you
allude
to
because
it
was
in
the
works
just
at
the
end
of
the
book…
…[LAUGHS]
what
I
call
the
Crocodile
Lady
and
her
husband:
Heather
Morgan
and
Ilya
Liechtenstein.
Self-styled
“Crocodile
of
Wall
Street”
arrested
with
husband
over
Bitcoin
megaheist
They’re
alleged
to
have
somehow
received
a
whole
load
of
cryptocoins
from
a
cryptocurrency
bank
robbery
against
Bitfinex.
In
their
cases,
they
received
stolen
cryptocurrencies
in
vast
quantities,
so
that
they
could
quite
literally
have
been
billionaires
*if
they
could
have
cashed
it
out*.
But
when
bust,
they
still
had
the
vast
majority
of
that
stuff
sitting
around.
So
it
seems
that,
in
a
lot
of
cryptocurrency
crimes,
your
eyes
can
be
a
lot
bigger
than
your
stomach.
You
may
live
the
high
life
a
little
bit…
the
Crocodile
Lady
and
her
husband,
it
does
seem
they
were
living
quite
a
flash
lifestyle.
But
when
they
were
bust,
what
was
the
amount?
It
was
more
than
$3
billions’
worth
of
Bitcoins
that
they
had,
but
couldn’t
cash
out.
ANDY. The
Department
of
Justice
said
that
they
seized
$3.6
billion
from
them.
That
was
the
biggest
seizure
not
just
of
cryptocurrency
in
history,
but
of
money
in
the
history
of
the
Department
of
Justice.
In
fact,
as
I
document
in
the
book…
actually,
one
of
these
happened
after
the
book,
but
the
IRS
criminal
investigators,
who
are
the
main
subjects
of
this
book,
have
now
pulled
off
the
first,
second,
and
third-biggest
seizures
of
money
in
American
criminal
justice
history,
by
following
cryptocurrency
and
seizing
Bitcoins.
Your
point
is
absolutely
right,
which
is
that
cryptocurrency
is
easy
to
steal,
it
turns
out…
that
is,
I
think,
one
of
its
big
drawbacks
for
the
businesses,
like
exchanges,
that
have
to
hold
sometimes
billions
of
dollars
in
a
kind
of
digital
safe.
But
then
if
you
do
steal
it,
if
you
pull
off
one
of
these
massive
heists
–
and
two
of
the
three
of
the
cases
that
we’re
discussing
are
actually
people
who
stole
money
from
the
Silk
Road
dark
web
drug
market…
DUCK. Yes
[LAUGHS]…
when
you
steal
from
a
crook,
it’s
still
a
crime,
eh?
ANDY. [LAUGHS]
Yes,
unfortunately
–
for
those
crooks,
anyway.
DUCK. One
of
the
most
intriguing
bits
for
me
in
the
book
was
somebody
that
you
identify
as
“Individual
X”,
only
because
that’s
the
way
they
were
identified
by
the
court.
This
individual
had
stolen
70,000
Bitcoins,
and
was
busted,
and
basically
gave
them
back…
sort-of
in
return
for
getting
let
off.
They
didn’t
get
prosecuted,
they
didn’t
go
to
prison,
they
didn’t
–
I
imagine
–
even
get
a
criminal
record.
And
they
were
never
named.
ANDY. That’s
right.
DUCK. So
that
seems
like
an
almost
unreadable
mystery,
doesn’t
it?
If
we
look
forward
a
few
years,
now
that
Bitcoin’s…
what,
in
the
last
year,
it’s
gone
down
to
about
a
third
of
its
value;
Ether
is
down
to
about
a
third;
Monero
is
about
half.
Do
you
think
that
that
gambit
of
saying,
“I’ll
give
the
money
back,
let
me
off”
would
have
worked
if
the
prices
were
reversed,
and
what
they
were
handing
back
was
now
worth
a
fraction
of
what
it
was
when
it
was
stolen?
Or
do
you
think
that
Individual
X
was
lucky
because
what
they
had
to
hand
back
was
actually
worth
much
more
than
when
they
stole
it?
ANDY. I
think
it’s
the
latter.
Individual
X
stole
that
money
while
the
Silk
Road
was
still
online…
DUCK. Wow!
So
that
would
have
been
when
BTC
was,
what,
hundreds
[of
dollars]
then?
ANDY. Yes,
probably,
or
thousands
at
most
–
Silk
road
went
offline
in
2013,
when
Bitcoin
had
just
broken
through
$1000,
if
I
remember.
So,
this
person
(I
don’t
want
to
say
“guy”
–
who
knows
who
Individual
X
is?)
sat
on
these
70,000
Bitcoins
for
seven
years,
ultimately…
…probably,
exactly
as
you
said,
just
terrified
to
move
them
or
cash
them
out
for
fear
of
being
caught.
DUCK. Yes,
can
you
imagine?
“Hey,
I’m
a
millionaire!”
“Hey,
I’m
a
*billionaire*!”
“Oh,
golly,
but
where
am
I
going
to
get
my
rent
money?”
[LAUGHS]
Shouldn’t
laugh….
ANDY. As
you
say
–
like
the
hand
stuck
in
the
cookie
jar!
The
hand
just
gets
bigger
and
bigger
until
it’s
all-consuming,
and
you
cannot
move
it,
you
can’t
get
it
out.
In
fact,
even
without
trying
to
get
it
out,
IRS
criminal
investigators
found
it
through
other
means,
including
the
seizure
of
the
BTC-e
exchange,
which
was
a
kind-of
money-laundering,
criminal
Bitcoin
exchange.
DUCK. That
was
a
rogue
exchange
that
basically
did
as
little
as
is
humanly
possible
along
the
Know
Your
Customer
front?
“Ask
no
questions,
tell
no
lies,”
that
kind
of
thing?
Is
that
right?
ANDY. Yes,
exactly.
That
was
another
surprise
for
many
users
who
believed
that,
“Maybe
I
can
use
BTC-e
a
little
bit
and
not
get
caught,
because
that
doesn’t
have
Know
Your
Customer,
that
doesn’t
co-operate
with
law
enforcement.”
But,
nonetheless,
when
that
exchange
was
busted
and
its
servers
seized,
that
provided
more
clues
to
the
IRS.
That
helped,
in
fact,
to
figure
out
who
Individual
X
was…
I
don’t
know
who
they
are,
but
the
government
does.
And
to
knock
on
his
or
her
door
and
say,
“Hey,
hand
over
a
billion
dollars
or
you’re
going
to
jail,”
and
that’s
exactly
what
happened.
Now,
poor
James
Zhong
is
a
very
similar
case.
Silk
Road
drugs
market
hacker
pleads
guilty,
faces
20
years
inside
He
seems
to
have
taken
50,000
Bitcoins
from
the
Silk
Road,
probably
around
the
same
time,
and
then
held
onto
them
for
even
longer.
And
then,
a
year
after
Individual
X,
Zhong
got
a
knock
on
his
door…
Similarly,
they
had
traced
the
money,
even
though
he
had
just
left
it
sitting
on
a
USB
drive
in
a
popcorn
tin
under
the
floorboards
of
his
closet.
In
his
case,
he
did
not
manage
to
make
a
deal
somehow,
and
he’s
being
criminally
charged.
DUCK. *And*
he
has
given
the
money
back,
obviously?
[WRY
LAUGH]
Aaaargh!
ANDY. He
was
a
Bitcoin
billionaire,
and
now
is
facing
criminal
charges…
and
never
got
to
even
spend
his
loot.
The
Bitfinex
case,
I
don’t
know…
I
have
less
sympathy
for
them
because
they
truly
were
trying
to
launder
a
massive
theft
from
a
legitimate
business.
And
they
did,
I
think,
launder
some
of
it.
They
tried
several
different
clever
techniques.
They
put
the
money
through….
I
mean,
this
is
all
alleged,
I
should
say;
they’re
still
innocent
until
proven
guilty,
this
couple
in
New
York.
But
they
tried
to
put
the
money
through
the
AlphaBay
dark
web
market
as
a
kind
of
laundering
technique,
thinking
that
would
be
a
black
box
that
law
enforcement
would
not
be
able
to
see
through.
But
then
AlphaBay
was
busted
and
seized.
That’s
perhaps
the
biggest
story
I
tell
in
the
book,
the
most
exciting
cloak-and-dagger
story:
how
they
tracked
down
the
kingpin
of
AlphaBay
in
Bangkok
and
arrested
him.
DUCK. Yes…
spoiler
alert,
that’s
where
the
helicopter
gunships
come
in!
ANDY. lLAUGHS]
Yes!
Yes,
and
much
more!
I
mean,
that
story
is
one
of
the
craziest
that
I
will
probably
tell
in
my
career…
But
then,
also,
this
New
York
money-laundering
couple
tried
to
put
some
of
the
money
through
Monero,
a
cryptocurrency
that
is
advertised
as
a
privacy
coin,
as
people
say,
a
potentially
truly
untraceable
cryptocurrency.
And
yet,
in
the
IRS
documents
where
they
describe
how
they
caught
this
couple
in
New
York,
they
show
how
they
continued
to
follow
the
money,
even
after
it’s
exchanged
for
Monero.
So
that
was
a
sign
to
me
that
perhaps
even
Monero
–
this
newer,
“untraceable”
cryptocurrency
–
is
a
bit
traceable
too,
to
some
degree.
And
perhaps
this
trap
persists…
that
even
coins
that
are
designed
to
outstrip
Bitcoin
in
terms
of
their
anonymity
are
not
all
they’re
cracked
up
to
be.
Although
I
should
say
that
Monero
people
hate
it
when
I
even
say
this
out
loud,
and
I
don’t
know
how
that
worked…
…all
I
can
say
is
that
it
looks
very
possible
that
Monero
tracing
was
used
in
that
case.
DUCK. Well,
there
could
be
some
operational
security
blunders
that
the
Crocodile
Lady
and
her
husband
made
as
well,
that
kind
of
tied
it
all
together.
So,
Andy,
I’d
like
to
ask
you,
if
I
may…
Thinking
of
cryptocurrency
tokens
like
Monero,
which
as
you
say,
is
meant
to
be
more
privacy
focused
than
Bitcoin
because
it
inherently,
if
you
like,
joins
transactions
together.
And
then
there’s
also
Zcash,
designed
by
cryptography
experts
specifically
using
technology
known
in
the
jargon
as
zero-knowledge
proofs,
which
is
at
least
supposed
to
work
so
that
neither
side
can
tell
who
the
other
is,
yet
it’s
still
impossible
to
double-spend…
With
all
eyes
on
these
much
more
privacy-focused
tokens,
plus
the
idea
that
you
may
still
get
these
tumbling
services
that
try
and
mix
even
already
very
pseudoanonymous
tokens
together
to
make
them
more
and
more
pseudoanonymous,
where
do
you
think
the
future
is
going?
Not
just
for
law
enforcement,
but
where
do
you
think
it
might
drag
our
legislators?
There’s
certainly
been
a
fascination
for
decades,
amongst
sometimes
very
influential
parliamentarians,
to
say,
“You
know
what,
this
encryption
thing,
it’s
actually
a
really,
really
bad
idea!”
“We
need
backdoors;
we
need
to
be
able
to
break
it;
somebody
has
to
‘think
of
the
children’;
et
cetera,
et
cetera.”
ANDY. Well,
it’s
interesting
to
talk
about
crypto
backdoors
and
the
legal
debate
over
encryption
that
even
law
enforcement
can’t
crack.
I
think
that,
in
some
ways,
the
story
of
this
book
shows
that
that
is
often
not
necessary.
I
mean,
the
criminals
in
this
book
were
using
traditional
encryption
–
they
were
using
Tor
and
the
dark
web,
and
none
of
that
was
cracked
to
bust
them.
Instead,
investigators
followed
the
money
and
*that*
turned
out
to
be
the
backdoor.
It’s
an
interesting
parable,
and
a
good
example
of
how,
very
often,
there
is
a
side-channel
in
criminal
operations,
as
we
say
in
cybersecurity,
this
“other
leak”
of
information
that,
without
cracking
the
main
communications,
offers
a
way
in…
…and
doesn’t
necessitate
any
kind
of
backdoor
in
Tor,
or
the
dark
web,
or
Signal,
or
hard
disk
encryption,
or
whatever.
In
fact,
speaking
of
‘thinking
of
the
children’,
one
of
the
last
major
stories
that
I
dig
deeply
into
in
the
book
is
the
bust
of
the
Welcome
To
Video
market
for
child
sexual
abuse
videos
that
accepted
cryptocurrency.
And
as
a
result,
the
IRS
investigators
at
the
centre
of
the
book
were
able
to
track
down
and
arrest
337
people
around
the
world
who
used
that
market.
It
was
the
biggest
bust
of
what
we
call
child
sexual
abuse
materials,
by
some
measures,
in
history…
…all
based
on
cryptocurrency
tracing.
DUCK. And
they
didn’t
need
to
do
anything
that
you
would
really
consider
privacy-violating,
did
they?
They
quite
literally
followed
the
money,
in
a
trail
of
evidence
that
was
public
by
design.
And
in
conjunction,
admittedly,
with
warrants
and
subpoenas
from
places
where
the
money
popped
out,
and
where
internet
connections
were
made,
they
were
able
to
identify
the
people
involved…
…and
largely
to
avoid
trampling
on
millions
of
people
who
had
absolutely
no
connection
with
the
case
whatsoever.
ANDY. Yes!
I
think
that
it
is
an
example
of
a
way
to
do…
it
is,
in
some
ways,
mass
surveillance
–
but
mass
surveillance
in
a
way
that
nonetheless
does
not
require
weakening
anybody’s
security.
I
guess
that
cryptocurrency
users,
and
people
who
believe
in
the
power
of
cryptocurrency
for
enabling
activists,
and
dissidents,
and
journalists,
and
money
transmissions
to
countries
like
Ukraine,
that
need
injections
of
money
for
survival,
around
the
world…
They
would
argue
that,
nonetheless,
we
need
to
fix
cryptocurrency
to
make
it
as
untraceable
as
we
once
thought
it
might
be.
And
that’s
where
we
get
into
the
new,
I
would
say
*a*
new,
crypto-war
over
cryptocurrency.
We’re
just
starting
to
see
the
beginning
of
that
with
tools
like
Monero
and
Zcash,
as
you
said.
I
do
think
that
there
will
probably
still
be
surprises
about
the
ways
that
Monero
can
be
traced.
I’ve
seen
a
leaked
Chainalysis
document
where
they
told
Italian
law
enforcement…
it’s
a
presentation
in
Italian
to
the
Italian
police
from
Chainalysis,
where
they
say
that
they
can
trace
Monero,
in
the
majority
of
cases,
to
find
a
usable
lead.
I
don’t
know
how
they
do
that,
but
it
does
seem
like
it’s
probabilistic
more
than
definitive.
Now
I
don’t
think
a
lot
of
people
understand
–
that
is
often
enough
for
law
enforcement
to
get
a
subpoena,
to
start
subpoenaing
cryptocurrency
exchanges,
just
based
on
a
probabilistic
guess.
They
can
just
check
every
possibility,
if
there
are
a
few
enough
of
them.
DUCK. Andy,
I’m
conscious
of
time,
so
I’d
like
to
finish
up
now
by
just
asking
you
one
final
question,
and
that
is…
In
ten
years’
time,
do
you
see
yourself
being
in
a
position
where
you’ll
be
able
to
write
a
book
like
this
one,
but
where
the
“unravelling”
parts
are
even
more
fascinating,
complicated,
exciting,
and
amazing?
ANDY. I
tried,
with
this
book,
*not*
to
make
too
many
predictions.
And,
in
fact,
the
book
begins
with
this
“mea
culpa”
that
ten
years
ago
I
believed
exactly
the
wrong
thing
about
Bitcoin.
So
nobody
should
listen
to
any
ten-year
prediction
that
I
have!
[LAUGHTER]
But
the
simplest
prediction
to
make,
that
*has*
to
be
true,
is
that
this
cat-and-mouse
game
will
still
be
going
on
in
ten
years.
People
will
still
be
using
cryptocurrency
thinking
that
they
have
outsmarted
the
tracers…
…and
the
tracers
will
still
be
coming
up
with
new
tricks
to
prove
them
wrong.
The
stories,
as
you
say,
will,
I
think,
be
much
more
convoluted
because
they’ll
be
dealing
with
these
cryptocurrencies
like
Monero,
that
build
in
vast
mix-networks,
and
Zcash,
that
have
zero-knowledge
proofs.
But
it
does
seem
that
there
will
always
be
some
way
–
and
maybe
not
even
cryptocurrency,
but
in
some
other
side
channel…
as
I
was
saying,
there
will
be
a
new
one
that
unravels
the
whole
thing.
But
there’s
no
question
that
this
cat-and-mouse
game
will
go
on.
DUCK. And
I’m
sure
there’ll
be
another
Tigran
Gambaryan
sometime
in
the
future
for
you
to
interview?
ANDY. Well,
I
do
think
the
game
of
anonymity…
…it
does
favour
the
Tigran
Gambaryans
of
the
world.
They,
as
I
said,
just
have
to
be
persistent
and
smart.
But
the
mice
in
this
cat-and-mouse
game
have
to
be
perfect.
And
no
one
is
perfect.
DUCK. Absolutely.
ANDY. So,
if
I
do
have
to
make
a
prediction…
…then
I
would
just
place
my
bet
on
the
cats,
on
the
Tigran
Gambaryans
of
the
world.
DUCK. [LAUGHS]
Andy,
thank
you
so
much.
Before
we
go,
why
don’t
you
tell
our
listeners
where
they
can
get
your
book?
ANDY. Yes,
thanks,
Paul!
The
book
is
called
“Tracers
in
the
Dark:
The
Global
Hunt
for
the
Crime
Lords
of
Cryptocurrency.”
[ISBN
978-0-385-54809-0]
And
it’s
available
at
all
the
normal
places
books
are
sold.
But
if
you
go
to
https://andygreenberg.net/,
then
you
can
just
find
links
to
a
bunch
of
places.
DUCK. Andy,
thank
you
so
much
for
your
time.
It
was
as
fascinating
talking
to
you
and
listening
to
you
as
it
was
reading
your
book.
I
recommend
it
to
anybody
who
wants
a
galloping
read
that
is
nevertheless
detailed
and
insightful
about
how
law
enforcement
works…
…and,
importantly,
why
criminal
convictions
for
cybercrimes
often
only
happen
years
after
the
crime
occurred.
The
devil
really
is
in
the
details.
ANDY. Thank
you,
Paul.
It’s
been
a
super-fun
conversation.
I’m
just
glad
you
enjoyed
the
book!
DUCK. Excellent!
Thanks
to
everybody
who
listened.
And,
as
always:
Until
next
time,
stay
secure!
[MUSICAL
MODEM]
About Author
