How Blockchain is Abused for Account Management and Payment Verification

Posted on February 17, 2020 by Ran Geva


For the sake of this article, let’s say you are a drug lord or an illegal weapon dealer and you want to sell your merchandise – how would you go about it? The Dark Web you say? Build a marketplace on the TOR network? You are probably right. 

How will you manage your users? Will they register for an account using their email? Nope. No one uses email addresses on the Dark Web, as they can be traced back to their owners by the authorities. You would probably ask them to create an account using a unique username and password.

How will you get paid? It’s common knowledge that cryptocurrency, mainly Bitcoin, is being used as a means of payment on dark networks such as TOR. It provides an anonymous way to transfer funds from point A to point B. 

Managing unique user account creation, preventing spam accounts, and verifying payments can prove to be quite a challenge.

Screenshot of a darkweb account creation page

A new method that leverages the architecture of the blockchain (the technology behind Bitcoin) as a distributed database helps cyber criminals solve this problem.

Here’s how it works: 

Instead of asking the user to create an account and choose a username, the site automatically sets the username to be a unique Bitcoin wallet address it creates on the fly on the blockchain. This address is unique, and it is shown only once, when the user creates the account. The site also assigns a unique password for that address.

In order to activate the account, the site owner then asks the user to transfer funds to the address (which is now also the username). Once a confirmation on the blockchain is received, the account is activated. The user will now be able to access his account by entering the username (wallet address) and the associated password.

This way, the site owner uses the blockchain both to manage username creation (the wallet address) and to anonymously transfer and verify funds.

This makes it nearly impossible for law enforcement to recognize or associate any illegal activity, as the address is unique and won’t show up anywhere else. Only if the marketplace servers are seized and the addresses are extracted is there a chance for them to trace the buyers by looking at the transaction log on the blockchain. Unfortunately, experienced users often know not to associate their address with personal information, or they use cryptocurrency tumblers/mixers to obscure the trail back to the funds’ original source.
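The tracing step described above, for an investigator who already holds account addresses extracted from seized servers, sketched as an added example (not code from the original article). The ledger format, the placeholder addresses and the mixer list are constructed assumptions; real transactions would come from a blockchain node or explorer.

```python
from collections import defaultdict

# Constructed sample data: placeholder strings, not real Bitcoin addresses.
SEIZED_ACCOUNTS = {"ADDR_ACCT_1", "ADDR_ACCT_2", "ADDR_ACCT_3", "ADDR_ACCT_4"}
# Assumption: addresses the investigator already attributes to tumbler/mixer services.
KNOWN_MIXERS = {"ADDR_MIXER_OUT_7"}
# Constructed, simplified ledger: funding (input) addresses and (output address, BTC) pairs.
LEDGER = [
    {"txid": "TX_A", "inputs": ["ADDR_BUYER_X"], "outputs": [("ADDR_ACCT_1", 0.01)]},
    {"txid": "TX_B", "inputs": ["ADDR_BUYER_X"], "outputs": [("ADDR_ACCT_2", 0.01), ("ADDR_CHANGE_X", 0.2)]},
    {"txid": "TX_C", "inputs": ["ADDR_MIXER_OUT_7"], "outputs": [("ADDR_ACCT_3", 0.01)]},
    {"txid": "TX_D", "inputs": ["ADDR_OTHER"], "outputs": [("ADDR_UNRELATED", 0.5)]},
]

def activation_deposits(seized, ledger):
    """Map each seized account address to the (transaction, amount) pairs that paid into it."""
    deposits = defaultdict(list)
    for tx in ledger:
        for addr, amount in tx["outputs"]:
            if addr in seized:
                deposits[addr].append((tx, amount))
    return dict(deposits)

def trace_report(seized, ledger, mixers):
    """Group seized accounts by funding address and flag trails that end at a mixer."""
    deposits = activation_deposits(seized, ledger)
    by_funder = defaultdict(set)
    obscured = set()
    for acct, deps in deposits.items():
        for tx, _amount in deps:
            for funder in tx["inputs"]:
                if funder in mixers:
                    obscured.add(acct)   # trail stops at the mixer output
                else:
                    by_funder[funder].add(acct)
    return {
        "never_funded": sorted(seized - set(deposits)),  # accounts that were never activated
        "linked_by_funder": {f: sorted(a) for f, a in by_funder.items() if len(a) > 1},
        "obscured_by_mixer": sorted(obscured),
    }

if __name__ == "__main__":
    print(trace_report(SEIZED_ACCOUNTS, LEDGER, KNOWN_MIXERS))
```

Accounts funded from the same address are the ones an investigator can tie to a single buyer; accounts funded from a mixer output are where the trail described above goes cold.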

I’m always excited to see how new technologies evolve and are being applied. However, in this case, it saddens me that a common use case for blockchain technology is as a dark web currency. One can only hope to see more advancement in countermeasure technology to circumvent money laundering activity. At Webhose we help cyber security companies fight the bad guys by providing them with the data they need from the darkest corners of the web.