CipherTrace Uses Honeypots

CipherTrace, a blockchain intelligence company owned by Mastercard, uses “honeypots” to gather information about Bitcoin addresses, according to promotional material sent to a government official.

A Freedom of Information Act (FOIA) request from CoinDesk asked the Treasury for emails that “included the word ‘cryptocurrency’ or several synonyms (‘virtual currency,’ ‘digital asset,’ etc.) or mentioned prominent companies in the industry like Coinbase or Ripple.” In the trove of documents received nine months later, CoinDesk found an email sent to then-Treasury Secretary Steven Mnuchin by the CEO and co-founder of CipherTrace.

FOIAd CipherTrace Slides

A picture of a slide released under FOIA

The slide contained a graphic not found on their public-facing material.

The email contained promotional material in the form of slides about the services provided by CipherTrace. Like Chainalysis, CipherTrace advertises “blockchain intelligence” services to the public and private sectors. The slide shared by CoinDesk appears to be part of a set of promotional materials for CipherTrace’s “CipherTrace Inspector” suite, which the company describes as:

“A suite of powerful and easy-to-use de-anonymization tools for law enforcement. Investigators use this integrated platform to obtain solid evidence on individuals who use Bitcoin to launder money, finance terrorism, or carry out drug dealing, extortion, and other crimes. The intuitive CipherTrace visual environment allows even non-technical agents and analysts to easily identify and trace criminals who attempt to use Bitcoin on the internet to conceal their illicit activities. The platform also supports de-anonymization for more than 800 cryptocurrencies — including Bitcoin Cash, Ethereum, and Litecoin. This de-anonymization capability spans more than 87% of global virtual assets.”

A picture of a promotional image from CipherTrace.

Unlike the publicly available datasheet and product page for Inspector on the company’s website, the slide sent to Mnuchin listed “honeypots” as one of the sources of data used by the company.

CipherTrace does not make this information publicly known. As a result, we do not know anything about CipherTrace’s honeypots.

Chainalysis as a honeypot example

However, unrelated slides from a Chainalysis presentation to Italian police revealed the way Chainalysis used a honeypot for years under the radar. CipherTrace’s tactics could resemble those employed by the industry leader, Chainalysis.

A picture of a leaked Chainalysis slide.

Somebody leaked Chainalysis material intended for Italian police.

The slides, which surfaced on Dark Leaks, the “decentralized information black market,” revealed that Chainalysis collected the I.P. addresses of people who used a block explorer secretly controlled by the company. When a user visits the site and looks at a specific transaction or address, Chainalysis associates their I.P. address with the transaction or address.

“Confidential” Slides from Chainalysis

In machine-translated English, the relevant part of the slide reads:

• Capability: Suspects may use walletexplorer[.]com to monitor transactions rather than checking exchanges directly for fear of leaving a “footprint”: The Exchange “scrapes” the suspects' I.P. address. Chainalysis owns walletexplorer[.]com, and as such, we collect this data.

• Results (empirical): Using this dataset, we provided law enforcement with meaningful leads related to I.P. data associated with a relevant cryptocurrency address. It is also possible to conduct a reverse lookup on any known I.P. address to identify other BTC addresses. It can also collect the data of an address of a data form that has yet to transit on the Blockchain - that is, ‘The BTC address provided as part of an investigation into a kidnapping or a threat to life - if the suspect checks his own address.

(I added emphasis where I suspect the automated translation may have failed. I am not entirely sure what the sentence in italics means. The URLs were also broken by me and appeared without the brackets in the slide.)
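The data flow the slide describes is nothing more exotic than a web server's own access log. As an added example, not code from the slide, Chainalysis or CipherTrace, this Python indexes constructed explorer access-log lines in both directions (which IPs viewed an address, and which addresses a given IP viewed) and shows that an address can appear in the log before it has any on-chain history; the IPs, address and txid are all made up.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in nginx/Apache "combined" format from a hypothetical block
# explorer. Documentation-range IPs; the address and txid are not real.
ADDR = "1ExampleAddrAAAAAAAAAAAAAAAAAAAAAA"
TXID = "ab" * 32
SAMPLE_LOG = f"""\
203.0.113.5 - - [10/Mar/2021:14:02:11 +0000] "GET /address/{ADDR} HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2021:14:02:40 +0000] "GET /txid/{TXID} HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
198.51.100.17 - - [10/Mar/2021:15:10:02 +0000] "GET /address/{ADDR} HTTP/1.1" 200 5123 "-" "curl/7.68.0"
203.0.113.5 - - [10/Mar/2021:16:00:00 +0000] "GET /static/app.js HTTP/1.1" 200 90210 "-" "Mozilla/5.0"
"""

# Only requests that name an address or transaction tie a visitor to an object.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "GET /(?P<kind>address|txid)/(?P<obj>[A-Za-z0-9]+)'
)

def parse_lookups(log_text):
    """Yield (ip, timestamp, kind, object) for every address/txid page view."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:  # static assets and unmatched lines carry no object; skip them
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            yield m["ip"], ts, m["kind"], m["obj"]

def index_lookups(log_text):
    """Build both directions of the IP-to-object link the slide describes."""
    by_object = defaultdict(set)  # (kind, obj) -> IPs that viewed it
    by_ip = defaultdict(set)      # ip -> (kind, obj) pairs it viewed
    for ip, _ts, kind, obj in parse_lookups(log_text):
        by_object[(kind, obj)].add(ip)
        by_ip[ip].add((kind, obj))
    return dict(by_object), dict(by_ip)

def ips_for_address(log_text, address):
    """Forward lookup: which IPs viewed this address."""
    by_object, _ = index_lookups(log_text)
    return sorted(by_object.get(("address", address), ()))

def objects_for_ip(log_text, ip):
    """Reverse lookup: every address/txid a known IP viewed."""
    _, by_ip = index_lookups(log_text)
    return sorted(by_ip.get(ip, ()))

def first_view(log_text, address):
    """Earliest view of an address; can predate any on-chain activity for it."""
    times = [ts for _ip, ts, kind, obj in parse_lookups(log_text)
             if kind == "address" and obj == address]
    return min(times) if times else None
```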

Wallet Explorer

A picture of Before

The website’s only mention of Chainalysis was a footnote that stated, “the author of WalletExplorer[.]com now works [at Chainalysis] as analyst and programmer.” CoinDesk wrote an article about the slide, prompting Chainalysis to add a privacy policy to the site wherein they identified themselves as its owner.

A picture of After

The new privacy policy on WalletExplorer

CoinDesk emailed the company to ask about their use of honeypots. In response, CipherTrace sent, “A ‘crypto money pot’ or ‘honeypot’ is a security term referring to a mechanism that creates a virtual trap to lure would-be-attackers.”

I do not know what kind of honeypot(s) CipherTrace is using. Another block explorer website? Could they successfully run a Bitcoin mixer? I expect any honeypot would need to provide as much data or the same type of data as Chainalysis’ WalletExplorer.

CipherTrace has appeared on Darknetlive in the past, as many will remember.

They provided the feds with a set of “Monero tracing” tools (“tracing” seems like a stretch but they used those words). They have two patents for tracing Monero. And they highlighted the movement of 69,370 Bitcoins in 2020 that someone had originally stolen from the Silk Road many years ago. A few days later, the feds announced they had tracked down the hacker, identified in court documents only as “Individual X,” and somehow “convinced” the individual to forfeit the Bitcoin to the U.S. government.

Also, CipherTrace is owned by Mastercard now and does business with the largest defense contractor in Europe, BAE Systems. It seems like they were a small-ish startup not long ago. Amazing.

A screenshot from CipherTrace’s Maltego transform

They do have a neat Maltego transform though

The OP honeypot would be creating a cryptocurrency, encouraging criminal use of your coin, and then charging the federal government hundreds of thousands of dollars to trace these transactions. Or do the same thing as the feds…