How Russian spies hid behind bitcoin in hacking campaign - The Boston Globe

How Russian spies hid behind bitcoin in hacking campaign

Deputy Attorney General Rod Rosenstein (center) announced indictments against 12 Russian intelligence agents for hacking computers used by the Democratic National Committee, the Hillary Clinton campaign, the Democratic Congressional Campaign Committee and other organizations. Chip Somodevilla/Getty Images

SAN FRANCISCO — In early 2016, Russian intelligence officers obtained a new pool of the virtual currency bitcoin. They quickly put the digital money to work.

The Russian spies used some of the bitcoins to pay for the registration of a website, dcleaks.com, where they would later post emails that had been stolen from Hillary Clinton’s presidential campaign. When the operatives needed a computer server to host the dcleaks site, they paid for that with bitcoins as well.

The transactions were detailed in an indictment Friday from the Justice Department, in which prosecutors accused 12 Russian operatives of interfering in the 2016 presidential campaign through a sophisticated hacking scheme.

The indictment provided one of the clearest illustrations to date of the inner workings of the Russian operation that carried out the hacking of the Democratic Party and other targets. It also showed how cryptocurrencies — and the anonymity they provide — have become both a tool and a challenge for intelligence agencies in the battles between nation states.

“This is the first clear example in court documents of cryptocurrency being used to purchase capabilities that could be leveraged in attacks on national security,” said Jonathan Levin, a co-founder of Chainalysis, a firm that helps governments track cryptocurrency payments.

Financial transactions have been one of the trickiest parts of intelligence operations because electronic payment networks and checks are generally off-limits to undercover spies. That has led to famous scenes of covert exchanges of suitcases full of cash.

The bitcoin network allows anyone to move millions of dollars across the world without any in-person meetings, and without the approval of any financial institutions. First released in 2009 by its mysterious creator, Satoshi Nakamoto, bitcoin was designed to operate without any central authority that could block transactions or verify the identities of the people involved.

All bitcoin transactions and wallet addresses are recorded on a public ledger known as the blockchain, maintained by a network of computers that anyone can join. This unusual structure has long made bitcoin a primary means of payment for drugs on online black markets and, more recently, a common method for making ransom payments.

When bitcoin’s price spiked last year, many big financial institutions took an interest in the virtual currency as a new kind of investment and have looked to move it away from its unsavory associations. But Friday’s allegations are likely to make that effort more difficult.

While the Russians accused of attacking Clinton’s campaign also used traditional currencies, the indictment said they had “principally used bitcoin when purchasing servers, registering domains and otherwise making payments in furtherance of hacking activity.”

Bitcoin, the indictment added, “allowed the conspirators to avoid direct relations with traditional financial institutions, allowing them to evade greater scrutiny of their identities and sources of funds.”

The Russians took several steps to obscure their bitcoin transactions, according to the indictment. They bought some bitcoins on peer-to-peer exchanges, where buyers and sellers can interact directly without exchanges collecting details on either side.

The Russians also created bitcoins themselves through the process known as mining, the indictment said. With mining, computers compete to unlock new bitcoins by solving difficult computational problems. This requires expensive equipment and lots of electricity, but that was apparently not a hindrance to the Russians.

The operatives used the bitcoins to pay for much of the computer infrastructure that was employed in the hacking attacks, the indictment said. That included payments for a server in Malaysia that hosted dcleaks.com, and money sent to a Romanian company that registered the domain name.

In March 2016, the indictment said, the Russians also used bitcoin to buy a virtual private network account that allowed them to obscure their Internet Protocol address and their location when they went online. They used that VPN account to operate a Twitter account known as Guccifer 2.0, which became infamous after releasing some of the emails stolen from the Democratic National Committee and of the chairman of the Clinton campaign, John Podesta.

The Russians also used bitcoin to pay for the servers from which they launched malware campaigns and “spearphishing” attacks against the Democratic National Committee, according to the indictment. In those attacks, it said, the Russian operatives gained control of the email accounts of U.S. officials.

American investigators were able to use the blockchain to go back and identify some of the transactions that Russian agents made. But it was not enough to stop them from making the transactions at the time.

“The fact that cryptocurrencies are global and real time means that you might only find out about these things after the fact,” Levin said. “We need to think about the responsibilities that we all have in a world where payments move seamlessly across borders in the blink of an eye.”


Nathaniel Popper reported from San Francisco, and Matthew Rosenberg from Washington.
