From 51% Attack to Tracking through Transaction Flooding

This week, we committed ourselves to looking more in depth into how North Korea uses the cryptocurrency it steals. We also pitched our shift in perspective to our sponsor. The OSD seemed to be interested in the idea, and put us in touch with Colonel Giordano, who works in the Cyber Command and has more familiarity with cryptocurrencies. We are in the process of setting up a time to chat with him and further contacts.

One of the MVPs that we presented last week considered the possibility of performing a 51% attack that would “freeze” all anonymous coins (Monero, Zcash…), in order to make North Korea unable to do anything with the currencies it holds and that, unlike pseudonymous coins, are not traceable. We called this “Digital Asset Freeze”. This idea seemed to receive positive feedback from the teaching team, and as a consequence we decided to further develop it.

We had the opportunity to pitch the idea to academics, current and former government people (particularly, Department of Justice and Treasury), and practitioners in the field. Although the majority acknowledged it was “an interesting” perspective and a novel idea, they expressed some recurrent concerns with respect to feasibility:

“Treasury and White House would not allow messing with financial system, because collateral is way too big”

     Former Intelligence Officer

“Disruptive things like this look like the US government going to war with commercial industry, which they are going to be really hesitant to do”

  Ming Luo, In-Q-Tel

“It’s not really a realistic concept…They would never do that, going up against the tech community as a whole”

   Kayla Izenman, Royal United Services Institute

Although the likelihood that a 51% attack would be deployed seems very small, the assumption upon which this MVP rests – that untraceability of anonymous coins is the bulk of the problem – is fully validated.

A related learning we had this week is that North Korea likely exchanges cryptocurrency to access foreign currency. Consequently, we tried to map what the laundering of a stolen coin might look like:

After having stolen cryptocurrencies from insecure exchanges, North Korea likely launders it and exchanges it to a fully anonymous coin, primarily Monero. They then exchange it back to Bitcoin, before turning it into hard currency. Although the stolen Bitcoin is traceable, the US government loses track of it once it is converted into fully anonymous coins.

We heard from more than one interviewee that all coins have vulnerabilities that can be somehow exploited. While the tech sector would look at how those can be exploited for profit, the goals of the US government are obviously different. We tried to understand how the US can leverage said vulnerabilities to touch the issue we’re trying to solve. Because of the skeptical feedback we got on the possibility of a 51% Hold Attack, we started to look at an alternative option.

We have come across the potential of performing tracking through transaction flooding.

This would technically work as follows:

Assume a Monero transaction tx with one input tx.in containing six keys (tx.in = {pk1, pk2, pk3, pk4, pk5, pk6}). One of the keys (e.g. pk4) represents the real coin being spent, while the remaining five keys are used as decoys to obfuscate the real key being used in the transaction. However, if five of the public keys (e.g. pk1, pk2, pk3, pk5 and pk6) are owned by the attacker, it becomes easy to find out which is real.

Source: https://eprint.iacr.org/2019/455.pdf

In short, having a large enough rolodex of keys, it would become increasingly easy to identify which ones are “decoy” and to track what is happening to cryptocurrency.
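As an added illustration (not code from the original post or from the cited paper), the sketch below models how the privacy of a ring degrades as more of the candidate outputs are known to one party. It assumes decoys are drawn uniformly at random from a fixed pool, which is a simplification; the function names and pool sizes are constructed for the example.

```python
import random
from math import comb


def eliminate_known(ring, known_outputs):
    """Return the ring members that cannot be ruled out as the real spend.

    A party that owns an output and has not spent it knows that its
    appearance in someone else's ring is a decoy.
    """
    return [pk for pk in ring if pk not in known_outputs]


def p_fully_traced(pool_size, known_count, decoys):
    """Chance that every decoy in a ring is a known output.

    Assumption: decoys are drawn uniformly, without replacement, from
    pool_size candidate outputs, known_count of which belong to one party.
    """
    if decoys > known_count:
        return 0.0
    return comb(known_count, decoys) / comb(pool_size, decoys)


def simulate(pool_size, known_count, decoys, trials, seed=0):
    """Monte Carlo cross-check of p_fully_traced on constructed rings."""
    rng = random.Random(seed)
    pool = [f"out{i}" for i in range(pool_size)]
    known = set(pool[:known_count])
    traced = 0
    for _ in range(trials):
        ring = rng.sample(pool, decoys) + ["real"]
        rng.shuffle(ring)
        if eliminate_known(ring, known) == ["real"]:
            traced += 1
    return traced / trials


if __name__ == "__main__":
    # The six-key ring from the text, with five keys known to one party.
    ring = ["pk1", "pk2", "pk3", "pk4", "pk5", "pk6"]
    print(eliminate_known(ring, {"pk1", "pk2", "pk3", "pk5", "pk6"}))
    # Share of rings fully traced as the known share of a 1000-output pool grows,
    # for 5 decoys (the ring above) and 10 decoys (a larger, constructed ring).
    for share in (0.1, 0.5, 0.9):
        known = int(1000 * share)
        print(share, round(p_fully_traced(1000, known, 5), 4),
              round(p_fully_traced(1000, known, 10), 4))
```

The 10-decoy figure is below the 5-decoy figure at every share: larger rings raise the share of outputs one party must hold before rings become traceable.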

This process has already been described in a recently published paper, so we have supporting data showing its feasibility from a practical perspective. On a more utilitarian side, this solution presents fewer disadvantages than a 51% attack, as it would likely not cause the same extent of backlash in the cryptocurrency industry.

In order to deploy this product, however, we will have to perform some activities, such as test the algorithm in the Monero chain, create output gathering wallets and ramp up transactions to avoid detection. We will also have to ensure we have beneficiary support. So far, we found some evidence that the Department of Homeland Security (DHS) would support a similar project. In fact, a few months ago, they issued a solicitation request for tools for blockchain forensic analysis.

As we further explore this latter MVP, additional next steps for this week will be:

  • Pitch MVPs to sponsor, Treasury and possibly IC and adjust
  • Continue to flesh out deployment strategy by speaking with cyber/crypto analysts in the DoD, IC, and U.S. Treasury
  • Explore vulnerabilities in other anonymous coins

Interviewee List

  1. H.R. McMaster, Former National Security Advisor
  2. Intelligence Officer
  3. Will Rich, Dept. of Treasury
  4. Maurice Herlihy,  Professor of Computer Science
  5. Alex Pruden, Crypto Investor
  6. Kayla Izenman, Center for Financial Crime at RUSI
  7. Ming Luo, In-Q-Tel
  8. Herb Lin, Cyber Policy Expert
  9. Elizabeth Philip, Harvard Kennedy School
  10. Mehek Sethi, Harvard Kennedy School
  11. Michele Korver, Dept. of Justice Money Laundering Section
  12. Jessica Renier, Dept. of Treasury Office of Terrorist Financing
  13. John Giordano, CYBERCOM

Week 5.5 – A Shift in Perspective: Keeping the Big Picture in Mind, While Identifying an Actionable Pinpoint

TL;DR:

Inspired by a conversation with Capt. Miller, we decided two things: a) commit to “zooming in” into the enforcement piece and understand how to make it easier for those who perform it daily (more details in our “Week 6” Blog Post)!; b) not to disregard our “zooming out”: keep the wealth of insights we gather, and crystalize it into a policy report, which will be produced alongside our final product.

Background

Last week was probably one of the most important ones for Embargo.NK so far. Our learning curve was the steepest yet, as we went through a process of trying, failing, hitting a wall, retrying. As a recap, in week 4 we came up with three MVPs:

  • An internal sanctions wiki, which would allow different government agencies to have at their disposal various information regarding sanctioned entities, to speed up the démarche process;
  • A watchlist, which would be relied upon by private entities, as part of a due diligence process to ensure they are not trading with “bad actors”;
  • A “prioritization” tool that would help identify where to best deploy enforcement resources, in light of the strategic objectives the sanctions purports to accomplish.

After our rounds of interviews for week 5 and, particularly, after enlightening chats with Ambassadors Hill and Stephens, we reconsidered our perspective. We decided to zoom out, once again, and look at the bigger picture. We told ourselves the best way to address the issue was to empower the negotiators, and to affect the enforcement decision-making process by encouraging information sharing among the different parties involved.

This idea was, at best, idealistic. True, we got several signals from our interviews that “the process is broken” and that the negotiator needs a menu of options, a range of analytical and anecdotal evidence that they can leverage at the negotiations level. We learned that, sometimes, sanctions are more effective when un- or under-enforced, and that you want to make sure that you are equally able to lift them, as you’re able to apply them. However, if we want to have an impact in this process, and an immediately helpful one, zooming out is not the right option. We need to zoom in, and dig further, and assess our pinpoint.

We learned this the hard way – when we presented what we thought were our breakthrough learnings and, yet, could not come up with an actionable MVP. We thought we had figured out the whole picture, but were also looking at it through the wrong angle. Hitting this wall was crucial in our growth as a team, and in the development of our project.

Brainstorming & an Important Interview

We then had a major brainstorming session. We boiled down and mapped out this enormous quantity of information that we had been gathering in the previous weeks, concerning the actors involved, the process, and the strategic goals at play.

What we had investigated, up to this point, was the relationship between the “results” and the decision-making process. We did not have a clear MVP in mind, but we were thinking to help influence that process by providing a system, a process, or just more information on how the sanctions should align with our strategic goals.

Through our brainstorming session, however, we reached a different conclusion: regardless of our other findings, improving enforcement is valuable, as it is the central piece that connects decision and results.

The brainstorming session came right after an important conversation with Captain Jeffrey Miller, COMPACFLT Maritime Homeland Defense Office in Charge, Coast Guard Area Pacific. Capt. Miller shared with us what a vessel monitoring operation looks like in the East China Sea. Miller has a target list of potential vessels that are trafficking with North Korea: the list is based on intelligence he receives from DC, as well as on an algorithm that detects routine people that have been caught performing similar operations. Although in most cases the interdiction operation cannot be performed, as it is not authorized, Miller’s team follows suspected vessels across the horizon, takes pictures and/or annotates the vessel’s number.

Based on Captain Miller’s description, and the cumulative knowledge we gathered from previous interviews, we plunged into the enforcement piece and developed the following diagram:

Captain Miller reiterated a common theme from DoD interviews, that illegal ship-to-ship transfers of refined petroleum are a key focus. Basically, vessels act like a gas station: another vessel can stop and get fuel from them. A key regional problem related to ship-to-ship transfers is that a lot of them happen in the East China Sea unrelated to North Korean sanctions evasion. But, as the latest report from the UN Panel of Experts highlights, North Korea’s use of these illegal transfers has increased exponentially in 2018. The techniques used for sanction circumvention range from less sophisticated, like painting their vessels and changing their names, to more professional ones, like using flags of convenience and spoofing AIS (Automatic Identification System).

Our interviewee reported that, in this process, what he and his team would benefit from is a model that tracks the “normal traffic” of ship-to-ship transfer in the East China Sea. Having a pattern that identifies the regular behavior during these transfers, i.e., licit and non-North Korean related ones, will make it a lot easier to spot the outliers.

Inspired by this request, we decided two things:

a) commit to “zooming in” into the enforcement piece and understand how to make it easier for those who perform it daily (more details in our “Week 6” Blog Post)!; b) not to disregard our “zooming out”: keep the wealth of insights we gather, and crystalize it into a policy report, which will be produced alongside our final product.

Week 5: Customer Discovery

During week 5, we are seeking to test our hypotheses and potential MVPs by interviewing three categories of possible beneficiaries: state department officers involved or familiar with the démarche process; private companies – and in particular, risk manager officers – and OSD.

Our goal for the week is to further brainstorm our MVPs, understand their utility, and possibly narrow them down to one.

Weekly Hypotheses:

  1. The démarche process is lengthy and complex. An internal wiki or tool that would provide more easily accessible information, would speed up the process significantly (Possible MVP: Internal Wiki).
  2. Private companies often violate sanctions, by unwittingly trading with North Korean companies. A publicly available list of sanctioned entities would facilitate due diligence and prevent non-compliant transfers due to ignorance (Possible MVP: Public Bad Actor List).
  3. Not all sanctions are best when enforced. Sometimes a prioritized approach can lead to better strategic outcomes. The US needs a tool that analytically suggests what to devote resources to when enforcing (Possible MVP: Prioritization Tool).

Experiment(s)

We will conduct Customer Discovery interviews to test our hypotheses. We are looking forward to understanding which of the possible MVPs has the potential for being useful, so that we could further elaborate on it.

Week 4: Brainstorming MVPs

Key Learning Moments

  1. The DoS, and specifically analyst beneficiaries, would find it useful to have an internal Wikipedia-like page compiling information related to sanctioned entities;
  2. The permeability of sanctions enforcement is not necessarily a negative thing: it can be a net positive for US strategic interests;
  3. US blacklisting practices are stricter than UN ones.

Experiment Results

This week, we tested three hypotheses:

  1. Different governmental agencies conducting enforcement do not adequately share information related to their activity in this respect;
  2. Although a list of bad actors already exists, and it is managed by the US Treasury, the list is not comprehensive and is under-inclusive: a less formal blacklist would facilitate impacting shippers involved in violations;
  3. Not all sanctions are created equal: some have a stronger impact than others. The government can and should prioritize their enforcement strategically.

Our interviewees this week involved people from State Department and Intelligence, as well as a wide range of experts in the North Korean economy and markets. We also had the opportunity to interview a plurality of journalists and bloggers.

As to the first hypothesis, it was difficult for us to fully prove or disprove the lack of information sharing within different agencies. The issue is classified, and as such we were unable to get a clear-cut answer. We were able to find out that a task-force agency does exist for the purpose of information sharing. However, the actors that are not part of it do not benefit from this information sharing – for this reason, they should be the focus of our further research.

Secondly, we tested the possibility of creating a less formal list of “bad actors” and its potential utility. Notably, there was no consensus between intelligence and other enforcement authorities, to whom we submitted the idea. The primary concern with the list is the costs it would bear: as such, further pursuit of this idea will require an attentive balance of its costs and its benefits.

Lastly, we discussed with our interviewees the differential impact of sanctions. We learned that, in some cases, sanction violation can be a positive outcome for the US strategy. Whether and how the US could better prioritize enforcement remains unclear, but we plan on engaging our sponsor and, potentially, other intelligence contacts to further elaborate a possible prioritization scenario.

Our Potential MVPs

Based on these findings, we started drafting three possible product directions.

First, to encourage better sharing of interagency information, we could develop an internal Government Sanctions Wikipedia. Having a centralized database, in fact, would significantly decrease the time necessary for State Department negotiators/desk officers to perform démarches, once intel is received regarding a sanction-evasion related activity. We know a similar, external tool, called Pyongyang Papers, already exists and is open sourced. The information is gathered from media outlets, or other public reports. However, we believe the database is flawed. We plan on digging in more deeply in the upcoming weeks to flesh out how it can be improved and effectively deployed.

Second, to increase barriers to ship-to-ship transfers for North Korean ships, we could build a government sponsored, yet informal “Watchlist” of “bad actors”. This product would achieve two goals: first, it would name and shame the companies that help with sanction evasion, leveraging the possibility of a deterrent effect; second, it would prevent shipping companies from claiming “ignorance” when conducting transfers to North Korea.

One idea we had is to rely on technology, such as automation, to help deploy a more effective product than the currently existing Treasury OFAC List. In fact, as it came up in one of our interviews:

“…if there were a way that was more dynamic in helping to understand who you are dealing with – that would give you a better shot at doing enforcement. Being able not to manually update these tools could be extremely valuable. There might be ways to look at previous cases where we know that there was a network going on and train through AI a system to look for similar patterns.”

Third, we will continue brainstorming on a potential prioritization tool. Before further focusing on it, we will discuss with our sponsor whether this direction might reveal itself to be useful or not.

Interviewees

This week, we focused on conversations with a wide range of North Korean experts, including former State Department and Intelligence officials, journalists and policy experts.

  1. William Brown, Former ODNI
  2. Alastair Gale, Wall Street Journal
  3. David Slayton, US Navy, Hoover
  4. Andy Kim, Former CIA
  5. Chloe Chung, Korean Foreign Ministry
  6. Todd Buchwald, Former Ambassador for Global Criminal Justice
  7. Richard Johnson, Nuclear Threat Initiative
  8. Kyle Ferrier, Korea Economic Institute of America
  9. Andray Abrahamian, Choson Exchange
  10. Eddie Fishman, Former State
  11. Joshua Stanton, One Free Korea
  12. Sig Hecker, Stanford Nuclear Energy Expert
  13. Matt Prusak, Korean Institute
  14. Michael Matheson, Former State