A
You're listening to the Cyberwire Network, powered by N2K. Cryptocurrency analysis is not a niche activity anymore. Like, no one's saying they missed the boat on AI, so they're not going to adopt it. I would say the same for cryptocurrency and blockchain intelligence. It's another tool in your toolkit. It's not going to be the end all, be all, but combined with other telemetry and visibility, it can be really powerful.
B
I'm Michael Sikorski, the CTO of Unit 42, and I'm filling in for David Moulton today as the guest host of Threat Vector. Today I'm speaking with Jackie Burns Koven, the head of Cyber Threat Intelligence at Chainalysis. We're actually at the Lynx conference, the Chainalysis premier conference focused on all things cyber and crypto intelligence. We're going to talk about how defenders are tracking criminal and nation state actors across the blockchain and what the next era of threat intelligence actually looks like. Here's our conversation. Jackie, welcome to Threat Vector. Really great to have you here.
A
Thanks for having me, Mike. I'm a new fan.
B
Awesome. Yeah, that's. We're excited to be able to have you on the podcast and talk to me a little bit about what your day looks like, sort of combining, you know, blockchain for financial signatures of threat actors and like, I really want people to understand, like, what the work is that you do as it pertains. Because, like, people hear about the blockchain and cryptocurrency and threat actors using it. How does that turn into what your job is in this space?
A
Yeah, exactly. So my role at Chainalysis, I lead cyber threat intelligence, so I'm responsible for understanding the wallets and identifying them of those actors that scam, steal, extort for cryptocurrency, the tools and services they use, the marketplaces where that commercial activity takes place and identifying those so that compliance officers at financial institutions and exchanges can identify those and flag those transactions. But also empowering intelligence analysts in private sector, public sector and law enforcement to better understand and disrupt those networks.
B
That's pretty awesome. Can you also tell us about this Lynx conference that we're currently in Times Square hanging out, recording and what is this event? What does it mean to Chainalysis as a company and then the industry as a whole?
A
Yeah, I think it truly reflects the diversity of the, the players in this ecosystem. If you think about anything a dollar touches and who touch it's expanse, cryptocurrency is unique in that you can see all the transactions on the blockchain. And so it brings together really in cryptocurrency transactions and this conference, players from all over the ecosystem, from finance and insurance, regulators, law enforcement. So I get sometimes questions that, well, my institution doesn't custody crypto, I don't pay ransoms. How does crypto impact me? But in cyber threat intelligence, it's totally different because all threat actors, whether they're nation state or cyber criminals are, whether they're pursuing crypto for profit or using it to purchase tools and services, infrastructure, bulletproof hosting, residential proxies. Cryptocurrency is the oxygen of these marketplaces that is helping and these are powerful intelligence leads. So this is an incredibly unique conference and you're having all of those players in the ecosystem that crypto touches in a room together and talking. And I think it also speaks to how fraud and cyber and compliance teams really need to be on the same page because these threats are evolving so fast. I have so much empathy and sympathy really for compliance and fraud analysts who are not only having to learn crypto, but also having to learn what a residential proxy service is, what is Black Basta ransomware, and why am I getting an alert that they deposited funds onto our exchange. So I love this conference because it also underscores the public private partnerships that have to happen for disruption.
B
So I want to take a step back and then get back into like the panel we had yesterday at the conference and, but first I wanted to get into your background. So you came up through the US Intelligence community similar to me in some, some regards, before ending up here at Chainalysis. You know, what drew you from sort of the traditional intelligence work towards this like crypto threat intelligence? Like what's, what's the backstory for, like going from that into this, this space?
A
Yeah, it certainly wasn't a linear path. I, you know, started my career in the intelligence community. I worked on nuclear proliferation issues on a particular adversary. Cryptocurrency was not in my vocabulary or my mandate at all. I'm positive that has changed since I left my position. But I actually left government to go to grad school with the intention of returning back to government. But once I left that black box of those windowless rooms where everything was super classified and compartmentalized, and I went to grad school in New York and it was just this epicenter at the time, you know, big data was the buzzword. Startups build fast, break things. And the blockchain revolution was actually happening in New York City at the same time, I was just so energized by the optimism of new technology. The thought of kind of going back into my black box, I wanted to try the private sector just seemed so energetic at the time. And I stumbled across Chainalysis on doing a grad school project for a consulting firm. And it just opened my eyes to the fact that I can still go after bad guys and also harness this new exciting technology. It was just the perfect marriage of those two interests of mine and I've never looked back.
B
And I was talking to some of your colleagues about you and the story was that when you came here, like this role is like, it's like your role, like this role didn't, like it didn't even exist in the world. Like it wasn't like it became the situation and like what it is for the team. Is that, is that true? Like is it like, like it was like this evolved into what it has become because of the explosion of what the threat actors are doing, this explosion of the company of Chainalysis and so on and so forth. And now you've, you've found yourself like testify in Congress multiple times and the list goes on and on of, of like, you know, the accomplishments you've had here. So do you, can you provide any insight of like some cool accomplishments you've had in role here?
A
Well, it's funny because, you know, when I started here over seven years ago now, I think I was employee like 60 or in the 60s, I applied for the only non technical role which was customer success and, and just loved it. It was actually really great because I got to deeply understand our products and our data and deeply understand customer use cases. And that's when I first kind of stumbled into cyber and it was like following ransomware payments and like just finding my obsession about that and how they operated and what they were spending their money on and those rebrands. So I would say like accomplishment I think is being able to proliferate your work through others. I think in the intelligence community everything was so siloed. But at Chainalysis I'm like a kid in the candy store because there's no compartmentalization. Everything is available to everyone. And so being able to identify wallets that lead to the attribution of the threat actor disruption or even the seizure of funds and returning of funds to victims, like those are the moments that mean the most to me when I reflect back over the years. But certainly, as you know, speaking to Congress is an intense endeavor. The preparation for that is like marathon training. I think just preparing for all possible outcomes.
B
I was telling you that I did the closed door session recently, which is in complete contrast to, you know, the open door cameras rolling and how different the experience was. And you were like, next time I want to do closed doors, how different it was from a, you know, progress perspective and questions getting answered and just, you know, really hyper focused on what, what we were in the room to discuss. So I really thought that was cool. You are a member of the Ransomware Task Force. So I guess that's in addition to what you do at Chainalysis. Can you, you know, it, it seems like an unusual coalition. Industry, government, civil society, and, and so like from the inside of working with that task force, you know, what does that collaboration actually look like when it comes to ransomware? And you know, what are, what are things that are working? What are things we could do better?
A
That's been a very special organization for me personally, and I think it's had a lot of impact. And one of the benefits of blockchain intelligence is that it's not just following the ransomware payment from point A to point B. You can actually measure impact of operations and policy at a macro level. And we've seen ransomware payments flatline for the past two years. 2024 was the first time we've saw ransomware payment revenue decline ever after year after being record breaking years for so long. And I think that's directly tied to a lot of initiatives, including the Ransomware Task Force, but public awareness, education, preparedness, having a plan for if and when attacked that negate the need to pay, but also hopefully preventing them from ever getting the crown jewels. And I think this organization has really reinforced like the, the necessity of using blockchain analytics for every cybercrime problem. Because even if they're not looking for ransomware money, they need cryptocurrency to buy that access, to buy that bulletproof hoster. And so being that having that puzzle piece in the room when there's so many different telemetries and visibilities and skill sets, it's really gratifying to sometimes be able to come to the team like, oh, I got that missing puzzle piece. Now we can see the picture, the full picture. And it's also created opportunities for disruption using blockchain analytics. You can see those central nodes of gravity that are supplying tools and services across a number of streams. And it's been really encouraging to see over the past few years a steady drumbeat of unpredictable actions against bulletproof hosters, access brokers, marketplaces that are imposing costs, creating friction, creating distrust within these organizations. And I think those actions also contribute to the decline in actual payments.
B
You mentioned disruption. I mean, that's a big part of what you all do too. And that coordination with the ransomware task force of, like, how do we coordinate with each other? Because we all have different visibilities and we can bring different things to the table. And that data set coming together with another data set, for example, sort of helps you unravel and tell the story, but it also makes it easier to do things like disruption because you know that this is connected to this, which is connected to this, which is actually this threat actor, and that's who we're after and who we want to disrupt. So when it comes to, you know, any sort of disruption that you've been a part of, what kind of, like, model works, like, who need. Who do you see has to be at the table, like, does it, you know, with law enforcement, without law enforcement, have, you know, because I've seen some private to private happening now as well. There seems to be, like a trend happening where people really want to get after, you know, taking down the bad guy, so to speak.
A
Yeah, I think trust is the basis of everything. Trusting an organization with sensitive data has been whether it's private to private or public to private. I think when public sector is able to initiate first, I think that's a good starting point because oftentimes there's not a great feedback loop if it's the other way around. I think Chainalysis has been used for a number of disruptions for ransomware, including NetWalker, LockBit, the Colonial Pipeline takedown, or, excuse me, the recovery of over $2 million of that ransom payment. The Caesars Casino ransom payment. So there's been a number of cases.
B
Yeah, I mean, and those are all like, really from the headlines, ripped from the headlines, you know, recoveries and takedowns. I even remember being a part of working the incident response for the pipeline hack and then being like, wait, money can be, like, recovered? I remember being like, because, you know, that's years ago at this point. So even then, it's like, it still feels like that was like the early days of, like, this explosion of. Of, you know, the use of cryptocurrency for threat actors to get their payments from ransomware gangs and stuff like that.
A
And I think an important component that I miss going through is victim cooperation. So the general public. So in the case of Netwalker, where they recovered over $30 million, they needed victims to come forward Right. And claim. Claim the funds come forward and say that they were victimized with Colonial Pipeline. We had, like that. That company was very cooperative with law enforcement. So victim reporting is essential, whether it's ransomware, phishing scams and the like. So that. That's a critical component. And so having victims know where to go, know who to trust, and being sensitive with their data and handling is very important too, with whatever the actual crime is.
B
Yeah, well, I would say victims used to be so afraid to even come forward or talk about it or whatever, and now that willingness seems to be way more open than ever before. And I think it leads to better outcomes for fighting against the adversary, for sure. And so it's like, the more people talk about their hacks, the better the world is. It's hard for people to comprehend that because it's like, oh, you're a victim. You also think like, oh, I got hacked. It's kind of like an embarrassment to me. It's like, no, because everyone gets hacked. And if we all work together, we could actually make this stop or at least make the world a better place. And I think that's like, where it's like, talk about it, please. Like, the more you do, the more threat intel we get, right? The more indicators we get, the more wallets we get, the more what are the attackers using and stuff like that. And I started, I mentioned wallets and threat intelligence. I started to go down this path. And that's a question I had for you, is like, for our listeners, like, how does that world of threat intelligence actually work? When you talk about, like, you know, I think of traditional IOCs, like the attacker is coming from this IP address or the, you know, malware, obviously, like having this hash and like this binary is the piece of malware to look for on, on your computers and your network. Like, that's how, you know, sort of traditional threat intelligence was done with these IOCs. What does that look like in your world for connecting the dots on what's happening and what's what?
A
Yeah, so the benefit of blockchain and blockchain intelligence is you can see everything, right? You can see where funds go from point A to point B, whether they're in Zimbabwe or your next door neighbor. Right? So, and that's also the challenge of blockchain intelligence is you can see everything. So we don't have the benefit of a police unit where there's something outside of their jurisdiction. Doesn't matter. Everything is our jurisdiction in crypto. And so it's round the clock, constant, and that can be great for investigations. And it's also part of the challenge. What is challenging is also developing our intelligence requirements and understand who's who in the zoo, what are the important actors to go after, entities to go after at the same time constantly receiving inputs related to new Darknet marketplaces, takedowns, hacks, scams, happening all the time around the world and making sure we can label those wallets and put it in our data set in a timely manner so it can be actioned. And then once we identify those threat actors, each threat actor, threat group has its own unique signature. Just like you and I use different banks. Threat actors have specific laundering patterns, spending habits, wallet types, and even like how,
B
how they're breaking up their payments of like so and so gets 20% cut and the access, you know, the initial Access broker gets 20%. And then you know, some of that kind of stuff is unfolding. Right. Where you see constant like literally to the percentage sometimes, right?
A
Yes. So and a lot of these times they may be expert hackers, but they're not necessarily expert launderers. They want to kind of set it and forget it. And even though they may do something like rebrand their ransomware group or change their handle on Telegram or their, their username on a marketplace, they're often exhibiting the same financial signatures on chain, so we can follow them throughout the course of their criminal career. So their wallets for me are like a criminal resume. It's like their rap sheet all online because you can see where they're getting money from. So you can even track their evolution to different crime types or to sophistication
B
and, or if they change gangs and stuff like that. Right, like you could see that as well.
A
Absolutely. And you can even see hierarchy. It really does paint a vibrant picture. And so like IT workers, you can see where are they funneling their money to who's their, who's in charge of their group. Same thing with scams, ransomware and time zone analysis. All of that can really paint a really vibrant picture of what's happening.
B
I wanted to talk about the panel that we did yesterday. I thought it was really awesome. I think you were the moderator and I was lucky enough to be on with two amazing people as well. And we all had different visibility. So it was Kimberly Goody from Google Threat Intelligence. Her focus is this world, but much more on the nation state side, I believe. Right. And then Allison Nixon from Unit 221B, which just like Unit 42, but more Sherlock Holmes focused than Galaxy Hitchhiker's Guide to the Galaxy, which I think is pretty funny, but she's more like in the weeds with the threat actors and really getting after it. Specifically, you know, big groups that were all talking about Scattered Spider or the Com. Like, the list goes on and on. What was like, so. So I thought our conversation was great. We went into so many different areas. We ran out of time. And I think the audience was like. I think it was standing room only, which is really cool. And the questions went on and on. They had to kick us out of the room eventually. What was like. What were like, some of the highlights you had from the panel that you think our listeners should hear on that, like, because it wasn't recorded, so people can't watch the video of that panel, but maybe they could get a little. Little taste of what you thought was, like, the highlights and takeaway from it.
A
I thought it was really interesting to hear you and the other panelists break down that, like, blockchain intelligence is more than just following the money post incident. It's important to look at it as an indicator of attack preparation. So being able to understand what's in a threat actor shopping cart, what kind of infrastructure they're purchasing, how they're trying to. What they're going to use to try to break into the house, essentially, that was really interesting to hear how it's actually working in the field. And also, I think you pointed this out. The. The attribution has never been more challenging in cybersecurity. It's certainly.
B
Yeah, it's really tough these days compared to the early days when it was like, oh, that piece of malware, it's a variant. I know exactly who wrote it. Those days are kind of gone.
A
Yeah. And so that was really illuminating for me to hear that blockchain intelligence can be that missing puzzle piece in some cases where it can strengthen confidence in an assessment or shed light on an area that you weren't even thinking of before, like, oh, this actor's definitely North Korean. Nope. Actually, he's using a Nigerian exchange. So chances are. And I think it's really helpful to. It opens up the scope of the case because now you have cryptocurrency businesses. You can ask for telemetry on their end to marry it up with what you have. So that was really fascinating to hear. I think we had live breaking cases while we were on the panel. North Korea.
B
It was like things were unfolding as we were on stage. It's like, what do you know about this? It's like you just read that from the, you know, breaking news on the supply chain stuff. Right.
A
And to your point on information sharing, I think in all the sidebar conversations I've had, I feel like I've had the same conversation literally six different times of people being targeted by North Korean IT worker, their businesses. This is the honeypot at this conference right here. Everybody's having the same Telegram interactions, the same lures, and likely talking to the same people. So I think we need more of that. You have to move it from sidebar conversations at a conference to.
B
To actual collaboration. Yeah. I think also on that insider threat, you know, we've done upwards of 300 victim notifications on North Korean insiders across, like, you know, what we have visibility into, and a lot of that is through collaboration, where somebody's like, hey, I hired this person, we found out they were an insider, then that information gets shared with us, and then we could use that to search through our telemetry and our visibility. And it's like, wait, that person actually had five other jobs at these five other entities, and they're working all of them. And we need to, like, notify now. Instead of just the one company who maybe got rid of that employee, now there's five more just like, that are the exact same Persona that is. Is getting the job. So, yeah, like, without the collaboration, it'd just be like, if you didn't know, get that piece of intelligence, you're kind of in trouble. That's a great place to really mine and get after.
A
What were some of your takeaways?
B
That's a good. So my takeaways from the panel, I thought, you know, I thought each of our visibility was just so diverse and like, you know, Alison's ability to kind of talk about, like, what's really happening at the victim level, I thought was really. It really kind of put things in perspective. I think, even for the audience was like, you know, maybe I was on stage talking about. There was a question about AI, and I'm talking about, well, you know, how threat actors are using AI.
A
And.
B
And then when the question about her visibility on the threat landscape, it was much more like, these are like child workers and how horrible the situation is for the victims or the people who are, like, causing there to be more victims because they're forced into it and sort of that side of things really kind of like, put it in perspective of why this is so important and why. Why being in this game is like, this is why I'm here. That's why I love this. Because what other job do we get to take down criminals, but then also be in tech and learn and having these new things like cryptocurrency pop up, and then all of a sudden the threat actors start using it. So I think anytime I'm in a situation where I get that feeling, I get this energy and this surge of, I'm going to go get it, we're going to go take them down, and we're going to win because, you know, good will win over evil. Like, you know. And so, like, I think that was a big, a big part of, like, what I, what I saw on stage. Another question I have for you is like, on the nation state side, what are you seeing there that's of interest and like, you know, what should our listeners know from that? Because I think people are pretty familiar with, like, the ransomware as a service and people getting access and then brokering that over to ransomware as a service and sort of the escalation. But what does that look like on the nation state side when it comes to crypto and tracking them?
A
Yeah, so North Korea certainly is always at the top in terms of crypto crime revenue. They exceeded $2 billion worth of stolen cryptocurrency last year. That was a 50% increase over the year prior. And that, that $2 billion, maybe two or three attacks comprise the majority of those funds. But we know they're doing individual wallet hacks. So we're tracking hundreds of thousands of private wallet hacks, not all attributed to DPRK, but we know that's part of their M.O. We're seeing IT workers aren't bringing in as big of hauls as we are seeing those massive heists, but certainly significant and pervasive. Just a couple weeks ago, we had six individuals and two entities tied to DPRK IT network sanctioned. And so it's interesting to see playbooks from other crime types. Like we talked about ransomware, we need all levers of government on scams, on fraud, on DPRK as well. So it's great to see other DOJ, Treasury and our global partners all taking actions to name and shame, to actually recover funds. We've seen civil forfeitures targeting DPRK funds to make it harder for them to, to make money. As I said, I say this a lot. Imposing cost is not a metaphor to Chainalysis. We actually want that to literally imposing cost.
B
Yeah, I love that. So, you know, when you think about this threat landscape, specifically when it comes to chain analysis in the space that you're in and how the threat actors are getting access to money Funds so, so much easier than they did, you know, 30 years ago or whatever when, when the hacks were first starting to happen. What's the thing that keeps you up at night that like most defenders are not paying enough attention to that they need to like wake up and get after.
A
I've been to multiple conferences over the years and had the privilege of, of addressing different audiences in, in the CTI community and I often ask if any, if people for folks to raise their hand if they encounter cryptocurrency in, in their work. And pretty much the entire conference room, hands up, shoot up. And then I ask, all right, who has a tracing tool so that they can actually pivot off of that identifier? All the hands go down in the room, right? It, it's. Cryptocurrency analysis is still, still such a niche tool and I think it's a shame because I think it's so powerful for attribution, for disruption, for network analysis, even looking at macro trends. And so I think that I hope there's no perception that anyone's missed the boat. It's more accessible than ever. Even if you're not using cryptocurrency, you're not paying ransoms. Your institution doesn't custody crypto. The threat actors targeting you, your organization, your customers absolutely are using cryptocurrency and I think that's really important to drive home to every CTI analyst.
B
Jackie, it's been really eye opening conversation, awesome links conference, great panel yesterday with you as the moderator. It's really cool that we got to pull aside here in Times Square to have this conversation for our listeners and it's been great to have you pull back the curtain on how financial intelligence and and cyber threat intelligence are sort of converging and sort of the diversity of what all that means for defenders.
A
Thank you so much for having me.
B
That's it for today. If you liked what you heard, please subscribe wherever you listen and leave us a review on Apple Podcasts or Spotify. Your feedback helps us understand what you want to hear. If you want to reach out about the show, email us at threatvector@paloaltonetworks.com. I want to thank our executive producer, Michael Heller. Elliot Peltzman edits the show and mixes the audio. We'll be back next week. Until then, stay secure, stay vigilant, happy reversing. Goodbye for now.
Host: Michael Sikorski (CTO, Unit 42)
Guest: Jackie Burns Koven (Head of Cyber Threat Intelligence, Chainalysis)
In this special episode recorded at Chainalysis’s Lynx Conference in New York, guest host Michael Sikorski sits down with Jackie Burns Koven to explore the intersection of cryptocurrency, blockchain intelligence, and cyber threat defense. The conversation seeks to demystify how defenders track criminal and nation-state activities across the blockchain, the evolving role of threat intelligence, and the importance of cross-sector collaboration to disrupt cybercrime.
Adoption and Utility:
Cryptocurrency analysis is no longer just for specialists, but a standard tool in the cyber defender’s toolkit.
“It's another tool in your toolkit. It's not going to be the end all, be all, but combined with other telemetry and visibility, it can be really powerful.” — [A, 00:02]
Conference Significance:
The Lynx Conference demonstrates the diversity of stakeholders affected by crypto — from finance and insurance to regulators and law enforcement.
“Cryptocurrency is the oxygen of these marketplaces … This is an incredibly unique conference and you're having all of those players … in a room together and talking.” — [A, 02:52]
“It was just the perfect marriage of those two interests of mine and I've never looked back.” — [A, 05:27]
Unique Mission:
Initially hired for a non-technical customer success role, Jackie evolved her position as the company grew, finding passion in tracking ransomware payments and their operators.
“Being able to identify wallets that lead to the attribution of the threat actor disruption or even the seizure of funds and returning of funds to victims, like those are the moments that mean the most to me …” — [A, 07:43]
Breaking Down Silos:
Compared to government silos, she finds the open, collaborative environment at Chainalysis highly empowering.
Cross-Sector Collaboration:
The Ransomware Task Force brings together industry, government, and civil society—enabling the measurement of policy effectiveness on ransomware payments at scale.
“2024 was the first time we've saw ransomware payment revenue decline ever after year after being record breaking years for so long. I think that's directly tied to a lot of initiatives, including the Ransomware Task Force …” — [A, 10:18]
Actionable Blockchain Analytics:
Blockchain intelligence aids disruption by exposing criminal financial flows, helping focus coordinated takedowns and recoveries, such as Netwalker and Colonial Pipeline cases.
“You can see those central nodes of gravity that are supplying tools and services across a number of streams.” — [A, 12:32]
Basis of Disruption:
“Trust is the basis of everything. Trusting an organization with sensitive data …” — [A, 14:13] Effective disruption requires public/private trust, robust victim reporting, and cooperative engagement.
Victim Reporting:
Crucial not just for recovery but for tracking and taking down criminal infrastructure.
“Victim reporting is essential, whether it's ransomware, phishing scams and the like. So that. That's a critical component.” — [A, 15:37]
Wallets as IOCs:
Digital wallets function as persistent indicators of compromise, showcasing laundering patterns and criminal "careers."
“Their wallets for me are like a criminal resume. It's like their rap sheet all online because you can see where they're getting money from. So you can even track their evolution…” — [A, 19:47]
Challenges of ‘See Everything’:
While blockchain’s transparency provides investigative reach, the sheer scope ("everything is our jurisdiction") and constant influx of data are operational challenges.
“Everything is our jurisdiction in crypto. And so it's round the clock, constant, and that can be great for investigations. And it's also part of the challenge.” — [A, 17:56]
Beyond Just “Follow the Money”:
Blockchain analytics are now enabling defenders to anticipate attack preparation, not just post-incident forensics.
“It's important to look at it as an indicator of attack preparation. So being able to understand what's in a threat actor shopping cart, what kind of infrastructure they're purchasing…” — [A, 22:20]
Attribution is More Complex:
The use of blockchain forensics alongside conventional indicators sometimes provides the crucial missing puzzle piece for attribution, especially as malware variants and tradecraft diversify.
“The attribution has never been more challenging in cybersecurity.” — [B, 23:10]
Necessity of Information Sharing:
Live cases and patterns (like North Korean IT workers posing as insiders across companies) demonstrate that collaboration and intelligence sharing remain essential to disruption.
“Without the collaboration, it'd just be like, if you didn't know, get that piece of intelligence, you're kind of in trouble.” — [B, 24:59]
North Korea’s Rising Heists:
DPRK remains the top crypto-enabled nation-state threat:
“North Korea certainly is always at the top in terms of crypto crime revenue. They exceeded $2 billion worth of stolen cryptocurrency last year. That was a 50% increase… ” — [A, 27:49]
All Levers of Government Needed:
A combination of sanctions, naming-and-shaming, recovery actions, and global coordination is necessary to “literally impose costs” on offensive cyber regimes.
“Imposing cost is not a metaphor … We actually want that to literally imposing cost.” — [A, 29:17]
Urgency for Defender Adoption:
Despite widespread encounter with crypto in cyber contexts, most defenders lack tracing tools to pivot from wallet intelligence.
“I often ask … for folks to raise their hand if they encounter cryptocurrency in, in their work. And pretty much the entire conference room, hands up, shoot up. And then I ask, all right, who has a tracing tool … All the hands go down in the room.” — [A, 30:12]
The message is clear: defenders at all levels need to integrate blockchain tracing into their investigative workflows—even if they are not direct crypto custodians.
“Cryptocurrency is unique in that you can see all the transactions on the blockchain.” — Jackie Burns Koven [A, 02:52]
“Victim reporting is essential, whether it's ransomware, phishing scams and the like.” — Jackie Burns Koven [A, 15:37]
“Their wallets for me are like a criminal resume. It's like their rap sheet all online … you can even track their evolution …” — Jackie Burns Koven [A, 19:47]
“Imposing cost is not a metaphor to Chainalysis. We actually want that to literally imposing cost.” — Jackie Burns Koven [A, 29:17]
“The more people talk about their hacks, the better the world is. It's hard for people to comprehend that because it's like, oh, you're a victim. It's kind of like an embarrassment to me. It's like, no, because everyone gets hacked. And if we all work together, we could actually make this stop or at least make the world a better place.” — Michael Sikorski [B, 16:29]
This episode delivers a rare inside look at how blockchain intelligence is shaping the future of cyber defense. Jackie Burns Koven’s insights—rooted in both national security and private sector innovation—make clear that crypto analysis is now a foundational dimension of threat intelligence. The conversation highlights the need for trust, collaboration, and better tool adoption across industries to parry the ever-evolving threat actor landscape, from ransomware crews to nation-state heists.
“Your institution doesn't custody crypto. The threat actors targeting you, your organization, your customers absolutely are using cryptocurrency and I think that's really important to drive home to every CTI analyst.” — Jackie Burns Koven [A, 30:12]