White hat hackers, it seems, are being stripped of their accounts on Coinbase.
Less than a year ago, Vinny Troia, CEO and principal security consultant of Night Lion Security and a certified white hat hacker, was sent a compliance form by US bitcoin exchange Coinbase, where he had an account.
Coinbase wanted to know how Troia was using bitcoin and his account.
“I told them I run a security firm. I pay for ransoms and buy documents on the dark web when clients request it,” Troia told CoinDesk.
The ransoms Troia helps his clients pay are those stemming from ransomware attacks, which have surged in number over the past few years. Many, like the well-publicized WannaCry attack, are asking for bitcoin. And the documents?
“We do breach investigations a lot of times. If a fraudster is saying they’re selling my client’s stolen documents, the only way to make sure they have what they say they have is to buy those documents.”
According to Troia, Coinbase “did not like that at all”.
Coinbase then asked the IT expert whether he had a letter from the Department of Justice giving him permission to do those things. No, Troia said. Upon further research, Troia has not found that any such permission exists.
But, “I have my clients authorizing me to do this,” he said.
Coinbase sent Troia back an email explaining that those actions were against the exchange’s rules and shut down his account. Troia then tried setting up an account with his wife’s information, but that too was shut down. Then he tried his brother. Shut down. Then his mother. Shut down.
“My entire family is blocked from Coinbase,” he said.
The only option?
The problem is ransomware attacks are on the rise, and the prevalence of those attackers requesting bitcoin over bags of cash (or even wired fiat funds) is also up.
Black hat hackers love bitcoin, primarily because its wallets don’t have to be registered with a central intermediary, and with the use of anonymizing mixers and tumblers, the movement of that money can be hard to track.
Last month, several publications reported companies stockpiling bitcoin in preparation for future ransomware attacks. According to Citrix Systems, in 2016, about one-third of British companies were hoarding a store of “digital monies” to recover critical data in the event of an attack.
Sometimes, it’s the only option.
Troia, who is based in St Louis, worked with a local vendor in early October 2016 who was hit with a ransomware attack performing full disk encryption. In this case, full disk encryption meant the hackers had encrypted all the data held on the company’s hard drive storage. And according to Troia, almost no companies, including the one he was called to help at 2:00 am on a Sunday morning, keep full disk backups.
Troia scrambled around looking for ways to purchase bitcoin quickly and get the attackers paid. His solution: pooling money from company executives and purchasing bitcoin through a bitcoin ATM in the Galleria Mall in the Brentwood area of St Louis.
While the process took nearly 24 hours, without the bitcoin ATM, it would have taken even longer with waiting periods for bitcoin account onboarding and purchasing and withdrawal limits, Troia said. He even tried the Craigslist-like LocalBitcoins service, but since it was Sunday, a bank wire transfer wouldn’t be initiated till the next week.
“When someone has to pay a ransom, they need to pay it right away, not wait four days or so,” he said. “The consequences [of waiting] are more on the business side, reputational risk, with customers trying to get access to the system and not being able to. And there can be significant financial impacts of customers’ inability to access the system.”
It seems almost antithetical that it’s becoming harder for the ‘good guys’ to use bitcoin, when companies like Coinbase that operate with the digital currency have an uphill battle convincing individuals, businesses and government agencies that cryptocurrency should not be faulted for the bad actors’ use of it.
But, according to Juan Llanos, a cryptocurrency compliance expert and the fintech and regtech lead at blockchain startup ConsenSys, it’s all part of the same battle.
“Coinbase is meeting the expectations and standards of any highly regulated and scrutinized financial institution,” Llanos told CoinDesk. “They are a systemically important player and are backed by big-name investors. They all are, as they need to be, cognizant of the reputational and regulatory risks of associating themselves with negative news and potentially bad actors.”
“This is a very controversial topic.”
Seems so. The non-profit advocacy group Coin Center, for example, voiced strong opinions last month about a court filing which suggested helping someone exchange fiat for bitcoin to pay a ransomware attack might be unlawful.
The policy-focused non-profit declined to comment for this story, though Neeraj Agrawal, Coin Center’s director of communications, did say: “The decisions that Coinbase or any other company make about who can and cannot use their platforms are private matters internal to those companies.”
Brought against Coin.mx, the court filing stated that the exchange violated anti-money laundering law in that it “knowingly processed and profited from numerous bitcoin transactions conducted on behalf of victims of ransomware schemes”.
Judicial actions such as this obviously make others wary.
“I don’t blame them,” said Llanos.
Although, while federal law enforcement agencies typically caution US businesses against paying digital ransoms, in October 2015, FBI agent Joseph Bonavolonta told C-level business executives they might be better served succumbing to attackers requests for ransom in return for data.
Coinbase offered little comment on the situation.
“We work with a number of third-party vendors and need to make sure we comply with the types of businesses and activity they are comfortable with us servicing,” said David Farmer, director of business operations at Coinbase.
Farmer also sent a link to the exchange’s publicly available terms and conditions and prohibited business activity list. While neither document states anything specifically about white hat hacking or ransomware, the prohibited business activity list does note that it’s “representative, but not exhaustive.”
This gives Coinbase sole discretion to remove an account that increases any risk to its business.
Don’t say a word
Troia isn’t the only security consultant doing this kind of work at the behest of legitimate and paying clients.
Although, he doesn’t know exactly why his account was flagged for suspicious activity in the first place. In this light, he wonders whether the accounts he sent ransom payments to might have already been flagged as problematic.
“I could never figure it out,” he said. “I had, maybe traded an entire bitcoin, literally one. I didn’t have a high volume of trading.”
Troia recently tried reaching out to Coinbase executives, including CEO Brian Armstrong, explaining the situation, and that theoretically he could have lied and kept his account, hoping the truth angle could win him some points.
Via email, Armstrong said he would look into it, and forwarded Troia’s email to the support team.
The next day, though, Troia got a message back from support, saying upon further inspection, he was still unable to open an account, whether it be business or personal. And that looks unlikely to change.
Disclosure: CoinDesk is a subsidiary of Digital Currency Group, which has an ownership stake in Coinbase.
The leader in blockchain news, CoinDesk is an independent media outlet that strives for the highest journalistic standards and abides by a strict set of editorial policies. Interested in offering your expertise or insights to our reporting? Contact us at [email protected].
Join our Bitcoin Mining Pool