
Hack Brief: Hackers Stole $40 Million from Binance Cryptocurrency Exchange

May 14, 2019 by Blockchain Consultants

Binance is one of the world’s biggest cryptocurrency exchanges. As of Tuesday, it’s now also the scene of a major cryptocurrency theft. In what the company calls a “large-scale security breach,” hackers stole not only 7,000 bitcoin—equivalent to over $40 million—but also some user two-factor authentication codes and API tokens.

Theft has long been endemic to cryptocurrency; hackers stole more than $356 million from exchanges and infrastructure in the first three months of 2019 alone, according to a recent report from blockchain intelligence company Ciphertrace. But it’s less common to see an established exchange like Binance get hacked—and for the attackers to get so much other information along the way.

The Hack

Binance has been fairly forthcoming about the hack, detailing its impact in a blog post from Binance CEO Zhao Changpeng. “The hackers used a variety of techniques, including phishing, viruses and other attacks,” wrote Zhao. “The hackers had the patience to wait, and execute well-orchestrated actions through multiple seemingly independent accounts at the most opportune time. The transaction is structured in a way that passed our existing security checks.”

It appears that hackers were able to compromise several high-net-worth accounts whose bitcoin was kept in Binance’s so-called hot wallet—which, unlike a cold wallet, is connected to the internet—and filch those funds in a single transaction.

Zhao says the company will conduct a security review of all its systems and data, which he expects to take about a week. In a surprising move, Binance will continue to allow trading during that time—even though hackers may still control some high-net-worth accounts—though it will disable deposits and withdrawals until it’s sure the hackers are accounted for.

“Binance knows that they lost user credentials, that their users' 2FA got compromised, they do not know the exact extent of the attack, yet they keep trading going,” says Emin Gün Sirer, a computer scientist and codirector of Cornell University’s Initiative for Cryptocurrencies and Contracts. “This is a huge risk. Anyone can take highly risky positions, and if the trades turn sour, they can claim that it wasn't them, they were compromised by the hack.”

Who’s Affected?

Good question! Binance itself isn’t clear on the scope of the breach. The bad news is, if your bitcoin was in Binance’s hot wallet, it now belongs to bad guys. The good news is that $40 million comprises only 2 percent of Binance’s overall bitcoin holdings. The even better news is that the company will cover the losses out of its Secure Asset Fund for Users.

Binance traders generally will also be affected, both because they won’t be able to deposit or withdraw their digital money and because, as Sirer notes, the uncertainty of who exactly is participating in those markets could lead to some mayhem. “Hackers may still control certain user accounts and may use those to influence prices in the meantime,” writes Zhao. “We will monitor the situation closely. But we believe with withdrawals disabled, there isn’t much incentive for hackers to influence markets.”

The more interesting question might be who could have been affected, not by the hack itself but by Binance’s reaction. The company apparently considered doing a rollback on the bitcoin network, to undo the offending transaction. They ultimately decided against it, but even the specter has implications.

“It takes only a handful of miners who will go along with a reorg. And perhaps they wouldn't do it for $40 million, but there is a price at which they would do it,” says Sirer. “If it were to happen, it would undermine confidence in BTC, whose main claim to fame has always been security and immutability.”

At the very least, all Binance users need to update their API keys and two-factor authentication immediately.

How Serious Is This?

On the face of it, maybe not so bad. Forty million is a plenty big number, but it’s only a small percentage of Binance funds, and users will apparently get their money back.

But the fact that Binance can afford to take a mulligan doesn’t excuse what appears to be a devastatingly thorough hack. And it’s unclear whether the compromise of two-factor codes and API keys will have broader implications. Most of all, it’s the latest reminder that, for all the promise of cryptocurrency, it remains a Wild West for investors. If the price fluctuations don’t get you, a hacker, a fraud, or a scam is always just around the corner.

Additional reporting by Lily Hay Newman.


Read more: https://www.wired.com/story/hack-binance-cryptocurrency-exchange/


If You Want to Kill Someone, We Are the Right Guys

April 30, 2019 by Blockchain Consultants

On a brisk day in March 2016, Stephen Allwine walked into a Wendy’s in Minneapolis. The smell of old fryer grease hung in the air as he searched for a man wearing dark jeans and a blue jacket. Allwine, who worked as an IT support technician, was lean and nerdy, with wire-rim glasses. He was carrying $6,000 in cash, money he’d collected by pawning silver bars and coins to avoid suspicious deductions from his bank account. He found the man he was looking for sitting in a booth.

They had connected on LocalBitcoins, a sort of Craigslist for people who want to buy cryptocurrency near where they live. Allwine opened the app Bitcoin Wallet on his phone and handed over the cash, and the man scanned a QR code displayed on the phone to transfer the bitcoin. The transaction went seamlessly. Then Allwine returned to his car to discover that he had locked his keys inside.

It was his birthday. He was 43. And he was supposed to join a woman named Michelle Woodard for lunch.

Allwine had met Woodard online a few months earlier. The relationship had progressed quickly, and for a while they exchanged dozens of messages a day. Their passion had since faded, but they still slept together from time to time. While he waited for the locksmith to arrive, he texted her that he'd stopped to buy bitcoin and was running late. Once the door was jimmied open, he met up with Woodard at a burger joint called the Blue Door Pub, determined to enjoy the rest of the afternoon.

That evening he gave himself another birthday present. Using the email address dogdaygod@hmamail.com, he wrote to a person he knew only as Yura. “I have the bitcoins now,” he said.

Yura ran a site called Besa Mafia, which operated on the dark web and was accessible only through anonymous browsers like Tor. More important for Allwine's purposes, Besa Mafia claimed to have ties to the Albanian mob and advertised the services of freelance hit men. The site's homepage featured a photo of a man with a gun and no-nonsense marketing copy: “If you want to kill someone, or to beat the shit out of him, we are the right guys.”

Yura promised that customers' money was held by an escrow service and paid out only after a job was completed. But Allwine worried that when he deposited money it would simply end up in someone's bitcoin wallet. He wanted Yura's claims to be true, though, so against his better instincts he transferred the bitcoin. “They say that Besa means trust, so please do not break that,” he wrote Yura. “For reasons that are too personal and would give away my identity, I need this bitch dead.”

“This bitch” was Amy Allwine, his wife.

Stephen and Amy Allwine had met 24 years earlier at Ambassador University, a religious school in Big Sandy, Texas. Stephen showed up freshman year with a pack of friends from his church youth group near Spokane, Washington. Amy was from Minnesota and didn't know many people at the school. She quickly attached herself to the Washington crowd. She was sunny and easygoing, and she and Stephen became regular dance partners—an activity that brought them closer, but not too close. They belonged to the Worldwide Church of God, which observed a strict Saturday Sabbath, rejected holidays with pagan influence like Christmas, and frowned on too much physical contact on the dance floor.

In 1995, while they were still at Ambassador, the United Church of God split off from the Worldwide Church of God. Stephen and Amy joined the new sect, which embraced the internet as a means of spreading the gospel. For Stephen, who had a passion for computer science, it was a logical choice.

After college, the couple married and moved to Minnesota to be close to Amy's family. Amy could tame even the most unruly animals, and she taught for a few years at a local dog-training school before starting her own business, Active Dog Sports Training. The couple adopted a son, bringing him home when he was just a couple of days old, and in 2011 they moved into a house in Cottage Grove, Minnesota, a centerless enclave of commuters and farmers in the Mississippi River Valley, not far from the Twin Cities. Amy converted a large agricultural shed on the property to a dog-training arena, and their house was soon a homey mess, with fur from the Allwines' Newfoundland and Australian shepherd covering the upholstery and a trail of unfinished Lego projects on the kitchen center island.

From the outside, nothing seemed amiss. Stephen rose to the rank of elder in the United Church of God, and Amy became a deaconess. The church followed the Jewish calendar, and on Fridays the family had dinner with Amy's parents, whom Stephen called Mom and Dad. On Saturdays they attended services. Every year they traveled to join in the church's fall festival, which was held at different sites around the world. As Amy's business grew, she traveled around the country with friends to attend dog competitions. In their spare time, the Allwines maintained a website called Allwine.net, which included a list of acceptable songs and instructional dance videos showing how to have fun without excessive touching. In one, Amy wears khakis and hiking boots while Stephen is in a polo shirt and baggy jeans, and the two are line dancing to “We Go Together.”

The day after Stephen bought the bitcoin, he uploaded a photo of Amy to Allwine.net. The picture had been taken on a family vacation to Hawaii, and it showed Amy wearing a teal shirt, with a broad smile on her tan and freckled face. About 25 minutes after he posted the image, Stephen logged in to his dogdaygod email account and sent Yura the link. “She is about 5'6", she looks about 200lbs,” he wrote. The best time to kill her, he continued, would be on an upcoming trip to Moline, Illinois. If the hit man could make her death look like an accident—by, say, ramming her Toyota Sienna minivan on the driver's side—he would throw in a few more bitcoin.

Yura confirmed the details shortly afterward in awkward English. “He will wait her at the airport, tail her with the stolen car, and when he has the chance will cause a car accident to kill her.” If the car accident didn't work out, he added, “the hitman will shoot her deadly.” Later he reminded dogdaygod to concoct an alibi: “Please make sure you are sorrounded [sic] by people most of the days, and spend some money to shop things on malls or public places where they have video surveillance.”

On a typical day, Stephen was not surrounded by people. He and Amy lived on 28 acres on a dead-end street. Their house was a simple one-story, double-wide trailer on a basement, but it had four bedrooms, along with a spacious living room and an open kitchen. Stephen had rigged up the roof with solar panels, which he boasted generated so much energy that he was able to feed power back into the grid. He spent much of his time in his basement office, handling glitches in call center technology. Working from home allowed him to hold down two jobs, one with the IT service company Optanix and the other with Cigna, the health insurer. Coworkers often went to him with particularly thorny problems.

The Allwines' pastor preached about conquering carnal desires, and Stephen himself counseled couples in the congregation who were struggling with marital problems. When he was alone, though, his attention strayed. He ventured onto Naughtydates.com and LonelyMILFs.com. He found an escort on the classified site Backpage and twice drove to Iowa to have sex with her. Through his counseling work, he learned about Ashley Madison, the dating service that caters to married people. It was there he met Michelle Woodard.

On their first date, Stephen accompanied Woodard to a doctor's appointment. Within a few weeks, she was joining him on work trips. Woodard appreciated Stephen's extraordinary calm. On one trip their connecting flight out of Philadelphia was canceled. Stephen had an 8 am meeting the next day in Hartford, Connecticut, and without fuss he rented a car and drove them the remaining 210 miles.

A month before Stephen ordered the hit on his wife, he told Woodard that he was going to try to make things work with Amy. In truth, the affair seemed to intensify his desire for a different sort of life.

Disciplined and computer-savvy, Stephen was in theory the perfect criminal for a dark-web crime. He covered his tracks by using anonymous remailers, which strip identifying information off messages, and Tor, which cloaks an IP address by randomly bouncing communications through a network of relays. And he concocted an elaborate backstory: dogdaygod was a rival dog trainer who wanted Amy dead because Amy had slept with her husband. In his dark-web persona, he transferred his own infidelity onto his wife.

The United Church of God met in a local Methodist church. (Photo: Alec Soth)

Stephen scheduled the murder for the weekend of March 19, when Amy was going to be in Moline for a dog-training competition. But at the end of the weekend, he wrote to Yura, complaining that he hadn't yet seen any news of Amy's death. Yura explained that the hit man hadn't found the right moment to strike: “He needs to be in a position where he can hit her car to the driver door, lateral collisin [sic] to make sure she dies.” The Besa Mafia administrator seemed to sense that it was important to dogdaygod that Amy be taken out while traveling. “We are not interested in the reason for why the people are killed,” he wrote. “But if she is your wife or some family member, we can do it in your city as well,” he said, adding that his client could leave town on the appointed day. He suggested that Amy could be killed at home and agreed that her house could be burned to the ground—for an additional 10 bitcoin, or $4,100.

“Not my wife,” Stephen replied, “but I was thinking the same thing.” The next day he scraped together the money. When he transferred the bitcoin to Besa Mafia, however, his screen refreshed and he didn't recognize the 34-digit code that popped up. Panicking, he worried that the cryptocurrency he had labored so hard to acquire had now disappeared without a trace. He hastily copied the code and pasted it into a note on his iPhone, then emailed the code to Yura under the subject line “HELP!” Less than a minute later he deleted the note.

Yura wrote back seven hours later, assuring him that the transaction had gone through, but days passed and nothing happened. Over the coming weeks, Stephen's messages to Yura alternated between terse disappointment and increasingly detailed instructions. “I know her husband has a big tractor, so I suspect that he has gas cans in the garage,” he wrote, adding: “I ask that you only get her and not the dad or kid.” Like a friendly, chatroom-ready Satan, Yura responded promptly with messages reinforcing his client's basest instincts. “Yes she is really a bitch and she deserve to die,” he wrote. Ninety minutes later he added, “Please notice 80% of our hitman are gang members who do drug dealing, beatings, occasional murder.” For an additional fee, he said, dogdaygod could arrange for a more practiced killer—an ex-military Chechen sniper—to handle the job.

Stephen had spent at least $12,000 on the hit man idea. Instead of giving up or reexamining the sin he was contemplating, he appeared to become more determined. He logged onto Dream Market, a dark-web marketplace best known for selling drugs, where he could explore other methods of killing. Common sense would suggest varying usernames, but he once again appeared as dogdaygod, as if he had become the character he'd created. He would make back his loss; the payout on Amy's life insurance policy was $700,000.

In April 2016, about two months after Stephen first ordered the hit on his wife, Besa Mafia was hacked and Yura's messages with clients—including dogdaygod—were dumped in an online pastebin. The data dump revealed that users with names like Killerman and kkkcolsia had paid tens of thousands of dollars in bitcoin to have people killed in Australia, Canada, and Turkey, as well as the United States. The hit orders soon reached the FBI, which directed local field offices across the country to make contact with the intended victims named in the Besa Mafia data dump. FBI special agent Asher Silkey, who worked in the bureau's Minneapolis field office, learned that someone going by the name dogdaygod wanted Amy Allwine killed. He was tasked with warning her of the threat on her life.

On a cloudy Tuesday afternoon just after Memorial Day, Silkey enlisted the help of Terry Raymond, an officer with the local police force, and they drove to the Allwines' house. Cottage Grove is a sleepy exurb, but, like police departments around the country, the local cops had been called on to address online threats with increasing frequency. Raymond, a reserved man with angular features accented by a trim beard, had been on the force for 13 years and was the department's designated computer forensics specialist.

When Silkey and Raymond arrived, Stephen Allwine invited them inside. He told the two law enforcement officers that Amy was out, and they stood around in silence while he called her cell. Stephen struck Raymond as socially awkward, but he didn't think much of it. He'd dealt with all sorts in his work.

The officers drove back to the station, and Amy showed up soon after. They met her in the lobby, which featured an oil painting of the department's canine, Blitz, and led her to a sparsely furnished interview room. Because the FBI was handling the investigation, Raymond mostly listened as Silkey explained that someone who knew Amy's travel schedule and her daily routine wanted her dead. Amy was stunned. She was further confused when Silkey mentioned the allegation about Amy sleeping with a dog trainer's husband. She couldn't think of anyone who considered her an enemy. “If you have any activity that you find suspicious, give us a call,” Raymond said as she left.

A few weeks later, the Allwines installed a motion-activated video surveillance system at their home, setting up cameras at different entrances. Stephen, meanwhile, purchased a gun—a Springfield XDS 9 mm. He and Amy decided to keep it under her side of the bed. They went on a date to the shooting range.

The Cottage Grove force, from left: captains Gwen Martin and Randy McAlister and detectives Terry Raymond and Jared Landkamer. (Photo: Alec Soth)

On July 31, Amy called Silkey, distraught: Over the past week, she had received two anonymous email threats. Silkey drove over to the Allwines' house, where Stephen printed out the emails and listened while Amy explained to the agents what had happened.

The first message came from an anonymous remailer registered in Austria. It read, in part:

Amy, I still blame you for my life falling apart … I see that you have put up a security system now, and I have been informed by people on the Internet that the police were snooping around my earlier emails. I have been assured that the emails are untraceable and they will not find me, but I cannot attack you directly with them watching.

Here is what is going to happen. Since I cannot get to you, I will come after everything else that you love.

The email went on to list location information for Amy's family members, based on what the sender said was found on Radaris.com, a site that makes contact information and background reports available to subscribers. The writer also dropped details that only someone closely following Amy could know—the location of the gas meter on the Allwines' house, the fact that they had moved their RV to a new parking spot, the color of the shirt that their son had worn two days earlier. “Here is how you can save your family,” the email continued. “Commit suicide.” The writer offered various methods by which she could accomplish that end.

A week later the second anonymous message arrived, chiding her for not taking her own life: “Are you so selfish that you will put your families [sic] lives at risk?”

Amy handed over her computer, hopeful that something on it might help the agents track down her potential killer. Stephen gave the agents a laptop and his Samsung Galaxy cell phone. The FBI imaged the devices, creating a copy of their applications, processes, and files, and returned them a day or two later.

Amy gave Silkey the names of people who taught at her arena, animal owners she had worked with, her best friend. The FBI agent interviewed four of them and pulled credit reports for several contacts. Few people stood to profit from Amy's death, yet dogdaygod had paid out thousands of dollars to kill her, suggesting a personal motive. What's more, her persecutor had taken care to instruct Yura not to kill Amy's husband. Investigating a spouse would seem a logical measure. Silkey interviewed Stephen, in addition to imaging the devices, but it is not clear if he did more. The FBI has declined interview requests, and the Cottage Grove police did not have much insight into the bureau's work. Beyond bringing Raymond into the initial interview and sending him a copy of the threatening emails, the agency did not involve the local police.

Meanwhile, Amy tried to cope with the vicious threats. She enrolled in the police department's Citizen Academy, explaining on her application that she wanted to “learn about the police department, what it does, and how it works.” Sergeant Gwen Martin, who ran the course, didn't know about the threats on Amy's life, nor did Amy tell any of the other participants in the course about her worries as they practiced shooting targets and retrieving fingerprints from a Coke can. Amy asked to be assigned to the K-9 officer for her ride-along, and she was so enthusiastic about exchanging tips on dog obedience and scent training that the officer let her tag along for an extra hour or two. When the program was over, she celebrated with the rest of the group at a small graduation party.

But Amy still felt powerless. The occasional migraines she suffered became more frequent, and she had trouble remembering things. She put on a brave face when she taught class, but inwardly she worried that her aggressor might be among her dog-training crowd.

One summer night she sat outside with her sister, looking up at the stars and wondering who was responsible for the pall that had been cast over her life. Years earlier, when her sister started college, Amy sent her a note every week so she wouldn't get homesick. Now her sister returned the favor. In each note she quoted scripture.

One Saturday afternoon in November, Stephen and Amy set off for church with their son. The road cut through the floodplain east of the Mississippi River, passing yellowing farm fields, yards filled with auto parts, and wooded ravines barren of leaves. The United Church of God rented space from a local Methodist congregation in a redbrick building. There was something appropriately austere about the setting, as if through architectural restraint alone the devil could be kept at bay.

Inside the chapel, the family sat in a pew, joining men in suit jackets, women with modest hemlines, and children with freshly combed hair. Daylight flooded in through a large skylight as pastor Brian Shaw recited the New Testament's admonition against “having eyes full of adultery and that cannot cease from sin.” He spoke of Job, who trained his eyes not to look with lust at women. The cost of not following Job's lead was dear: “When we do not control our sinful natures, they control us.”

On Sunday, Stephen woke up just before 6 am, as usual, and descended to his basement office, where he logged in to the Optanix system to start work. At noon he wandered upstairs to have lunch with Amy and their son. Amy, an avid baker, had part of a pumpkin left over from a dessert she'd made a couple days earlier, and she put it in the slow cooker on the kitchen island to roast. Soon after, she started to get woozy.

Amy's father showed up to work on a dog door he was installing in the garage. Stephen told him that Amy wasn't feeling well and was in the bedroom resting. Her father left without seeing her. Five minutes after he started driving home, Stephen called to ask his father-in-law to turn around and pick up his grandson, explaining that he wanted to take Amy to a clinic.

As dusk fell, Stephen drove to get gas, then retrieved the boy from his in-laws' house and took him to Culver's, a family-style restaurant chain. It was their Sunday night routine—dinner at Culver's while Amy led dog-training courses—and they sat in the brightly lit space eating chicken tenders and grilled cheese.

When they returned home, the boy climbed out of the minivan and ran into the house, toward his parents' bedroom. Amy's body lay in an unnatural position, blood pooled around her head. The Springfield XDS 9 mm was at her side.

Stephen called 911.

“I think my wife shot herself,” he said. “There's blood all over.”

Cottage Grove City Hall, where the police department is housed. (Photo: Alec Soth)

Sergeant Gwen Martin arrived at the house a few minutes after the 911 call. When she saw Amy's body on the floor, she remembered training her in the Citizen Academy and burst into tears. Another sergeant took over, and Martin retreated to her squad car. Regaining her composure, she turned to the laptop mounted to the dash and ran a search on police calls to the residence. She was astonished to find the report that Terry Raymond had filed about the dark-web threats to Amy's life. Martin grabbed her phone and dialed Detective Sergeant Randy McAlister, who directed Cottage Grove investigations.

A baby-faced man of 47 who rode a Harley, McAlister often joined in the frequent joking around the department. He drank coffee from a mug that read “Due to the confidentiality of my job I don't know what I'm doing.” But his chipper demeanor concealed his earnestness. A decade earlier, McAlister had responded to a murder in a nearby town; a couple had been killed in their home by the woman's former boyfriend, as her children cowered nearby. The woman had previously told police that her jealous ex had contacted her in violation of a court order. Frustrated that the system had failed that woman, McAlister started a program aimed at protecting potential victims from stalking and targeted violence. When Raymond mentioned the dark-web threats Amy had received, he suggested they be compared to a database of threats kept by the FBI's Behavioral Analysis Unit; it might help them come up with a profile of a potential perpetrator. But he had no authority in the case.

Now he raced to the Allwines' home. As he entered through the garage, the aroma of roasting pumpkin, still in the slow cooker, hit his nose. This struck him as odd; people don't typically start cooking right before killing themselves. Other things about the scene were off: There were blood smears on both sides of the bedroom door. And while the mud room floor was covered with dog hair, the floor in the adjacent hall was clean.

As McAlister waited for the medical examiner and state criminal investigators to arrive, an officer drove Stephen and his son to the station. As a colleague sat with the boy in the station's break room, Raymond escorted Stephen to the same interview room where he and Silkey had met with Amy five months earlier. Raymond pulled on a pair of latex gloves and swabbed Stephen's cheek for DNA. “Are you going to get that from my in-laws?” Stephen asked.

“No, it should just be you and your son,” Raymond said. He asked Stephen to run through what he had done that day.

Stephen was cooperative, though Raymond thought his demeanor was wooden for a man who had just lost his wife. He reminded the detective that Amy had an FBI file; he said that her computer had been acting strangely. “Being in the IT industry, it's frustrating because I know how things are supposed to work in a legitimate world,” he said, adding: “I don't know anything about hacking or anything like that.”

For the next three days, investigators combed the crime scene. State technicians sprayed a chemical called luminol on the floors, then flicked off the lights. Where the luminol hit blood or cleaning solution, it glowed bright blue. The glow showed that the hallway had been cleaned; it also lit up some footprints leading back and forth from the bedroom to the laundry room.

The Cottage Grove police executed a search warrant on the house. McAlister stationed himself at the dining room table, logging evidence. Raymond descended to Stephen's basement office. Stepping through the door, he saw every surface covered with junk: file folders, tangles of cords, external drives, SD cards, a voice recorder, and a Fitbit. There were hard drives of a type that hadn't been used in nearly a decade. On Stephen's desk were three monitors and a MacBook Pro laptop—not the machine he'd given the FBI.

The officers brought their haul upstairs, then one by one handed the items to McAlister to log.

“Holy crap,” he thought as the equipment amassed. Then, “Jeez, no más.” But the devices and drives kept coming. Sixty-six in all.

Because the crime involved a local death, the Cottage Grove police took control of the investigation. Two and a half weeks after Amy died, the FBI sent over her file. When the police opened the documents, McAlister and Raymond saw—for the first time—the full Besa Mafia messages. That was when they learned that the person who wanted Amy dead went by the name dogdaygod.

By this point, Stephen was a suspect, but there was no direct evidence linking him to the murder. That his DNA was on everything was hardly remarkable; it was his house. Video from the Allwines' security system revealed nothing abnormal, though the records were incomplete. Stephen explained that he and Amy had neglected to activate the camera over the sliding glass door because their dogs were constantly going in and out. McAlister hoped the answers might be inside the devices that Raymond had lugged out of the Allwines' basement.

From the moment the Besa Mafia files appeared in the pastebin, bloggers had concluded that the site was a scam. One after another, Yura's clients complained that the hits they'd ordered hadn't been carried out. But McAlister didn't want to take anything for granted. He and Detective Jared Landkamer identified 10 other targets of Besa Mafia orders in the United States and contacted the police departments where they lived. They might get leads in their case or perhaps save other lives.

McAlister divvied up the electronic work. He sent the computers to a digital forensics specialist at a neighboring police department. Landkamer subpoenaed the Allwines' emails—and then spent many long days reading them. Raymond started by extracting data from Stephen's phones. In a windowless room lined with department-issue monitors, he deployed software that sorted the data—apps here, call logs there—and reconstructed timelines for the devices. On the phone Stephen had given to the FBI to image, Raymond found the apps Orfox and Orbot, which are used to access Tor. He also found text messages containing confirmation codes from LocalBitcoins. The FBI seemed to have either missed them or paid them little mind.

When he scanned Amy's phone, he could see that, on the day of her death, she seemed to be growing progressively more confused. At 1:48 pm she visited the Wikipedia page for vertigo. At 1:49, she typed “DUY” into Bing. Then, one minute later, “EYE.” Then “DIY VWHH.” It was as if she were desperate to understand why the room was spinning but couldn't execute a simple search.

In an interview with a state investigator, Stephen had confessed to his affair with Woodard. Raymond found a contact for “Michelle” in Stephen's phone, and when investigators questioned Woodard, she told them about the birthday lunch, when Stephen messaged that he had locked his keys in the car while buying bitcoin. Stephen's call history confirmed that he had phoned for roadside assistance that day from a Wendy's in Minneapolis. The detectives used the text message confirmation codes on Stephen's phone to find his LocalBitcoins account. That led them to his correspondence with a seller about exchanging $6,000 in cash.

In Stephen's devices, Landkamer found secondary email addresses that led to usernames he used to access Backpage and LonelyMILFS.com. That wasn't incriminating on its own, but it did suggest a motive.

While Stephen had cloaked most of his criminal activity, he did not purge his more innocuous internet search history. On February 16, a few minutes before dogdaygod first proposed killing Amy in Moline, Stephen had Googled “moline il” on his MacBook Pro. One day later, he looked up their life insurance policy. In July, shortly before Amy received the first threatening email that included addresses gleaned from Radaris, he visited the Radaris pages for Amy's family members.

    Murder was rare in Cottage Grove, and the detectives, confronted with circumstantial evidence and the slipperiness of the dark web, obsessed over the case. Lying in bed one night after reading Amy's FBI file, Landkamer searched “dogdaygod” in Google. When he saw the results, he called out to his wife. The search engine had indexed some posts on Dream Market, the dark-web marketplace where drugs were sold.

    Landkamer immediately texted McAlister what he'd found. McAlister fired up Tor on his personal laptop and pulled up the full threads on Dream Market. In one thread, dogdaygod asked if anyone sold scopolamine, a powerful prescription drug. McAlister had worked as a paramedic, so he knew that scopolamine was prescribed for motion sickness, but it could also make people pliable and amnesiac, earning it the nickname Devil's Breath. As he scrolled down, he came to a comment from a user who assumed that dogdaygod wanted to use scopolamine recreationally. “There is a seller,” the person wrote, “but avoid that shit mate. It's dangerous as fuck and you WILL kill someone.”

    Later, Amy's gastric contents tested positive for scopolamine. But it was a quirk in Apple backups that provided the strongest piece of evidence. The digital forensics specialist from a neighboring department found, archived in Stephen's MacBook Pro, that a note with a bitcoin wallet address had appeared on Stephen's iPhone back in March 2016. This was 23 seconds before dogdaygod frantically wrote Yura with the same 34-digit bitcoin wallet code. Forty seconds after dogdaygod messaged Yura, the note was deleted from Stephen's phone. But deleted files don't disappear until they're overwritten by other files. Several months later, when Stephen backed up his phone to iTunes, the crucial history was preserved on his laptop.

    McAlister was elated. The detectives had linked Stephen's offline persona, a church elder concerned with the propriety of dance moves, with his online ones—the philanderer and the aggrieved would-be murderer. The enticing anonymity of the dark web that nurtured Stephen's crime had given him a sense of omnipotence. He failed to appreciate that this cloak of power didn't follow him to the clear web and to the real world.

    Stephen Allwine is now incarcerated in the Minnesota Correctional Facility, in Oak Park Heights, Minnesota.


    Stephen Allwine's trial lasted for eight days. County prosecutors paraded a string of colorful witnesses to the stand: the manager of the pawn shop where Stephen sold his silver, the Backpage escort in Iowa, and Woodard. McAlister held up the murder weapon in court, and in one awkward moment that would become the subject of endless jokes at the Cottage Grove police station, Jared Landkamer defined “MILF” for the court.

    Prosecutors Fred Fink and Jamie Kreuser used the testimony to outline a theory: Stephen had poisoned Amy with a large dose of scopolamine, either to kill or incapacitate her. Either way, while she grew dazed and light-headed, she didn't die. So Stephen shot her with their gun in the hallway. Then he moved the body into the bedroom and cleaned up the blood. When he left to get gas and take his son to Culver's, he was careful to save the receipts.

    The jury deliberated for six hours before finding Stephen guilty. On February 2, he appeared in a packed courtroom for sentencing. One by one, friends and family told the judge how much Amy had meant to them. (Amy's family declined to be interviewed.) Then Stephen rose to plead his case.

    Breathlessly, he tried to refute the technical testimony about backup files and bitcoin wallets. Then he shifted to his spiritual gifts. In jail, where he had been held during the trial, he was ministering to drug addicts and child molesters. He had converted at least three nonbelievers, he said.

    “Mr. Allwine,” the judge said when he had finished, “my perceptions aren't going to alter the sentence in this case. But my perception is that you're an incredible actor. That you can turn tears on and off. That you are a hypocrite and that you are cold.” He sentenced him to life without parole. (The case is headed to appeals court.) From a room adjacent to the courtroom, McAlister watched through a window with Raymond and Landkamer, taking satisfaction as the judge admonished the criminal. But the moment was not without uneasiness. McAlister saw why Stephen might not have triggered alarm bells during the FBI's dark-web investigation: Stephen and Amy appeared to have a happy relationship, with no history of violence or substance abuse. He knew that hindsight bias could color investigators' conclusions, but he also had the feeling that Amy's death might have been prevented. Threat assessment experts use a four-part checklist to determine whether an anonymous harasser is an intimate partner. Amy's harasser met all four conditions in that test: The person closely tracked her whereabouts, seemed to live nearby, knew her habits and future plans, and spoke of her with contempt or disgust.

    In the months following the trial, McAlister was promoted to captain. From time to time, he offers advice to police departments dealing with dark-web crime. There were no other deaths tied back to Besa Mafia customers, but Yura reportedly started other hit-man-for-hire scam sites—Crime Bay, Sicilian Hitmen, Cosa Nostra. It was almost like Yura was the devil watching from a distance, smirking as the seeds he planted germinated and grew into full-blown evil.

    All photographs by Alec Soth/Magnum Photos

    Mara Hvistendahl (@marahvistendahl) is writing a book for Riverhead on a trade-secrets theft case. She wrote about China's social credit system in issue 26.01.

    This article appears in the May issue. Subscribe now.

    Let us know what you think about this article. Submit a letter to the editor at mail@wired.com.


    Read more: https://www.wired.com/story/dark-web-bitcoin-murder-cottage-grove/

    Filed Under: cryptocurrency Tagged With: backchannel, crime, cyberattacks-and-hacks, dark web, longreads, magazine-27.05, security

    The SIM Swap Fix That the US Isn’t Using

    April 28, 2019 by Blockchain Consultants

    Around a year ago, André Tenreiro was called into a meeting between the chief technology officer of the phone carrier he worked for—one of the largest in Mozambique—and an executive of the country's largest bank. The latter had seen an escalating pattern of fraud based on so-called SIM swap attacks, where hackers trick or bribe a phone company employee into switching the SIM card associated with a victim's phone number. The attackers then use that hijacked number to take over banking or other online accounts. According to Tenreiro, the bank had seen more than 17 SIM swap frauds every month. The problem was only getting worse.

    "The gentleman from the bank, I could see by his face he was desperate. He wanted to do something but he didn't know what to do," says Tenreiro, who asked WIRED not to identify the phone carrier he worked for. "He was asking for our help. As mobile operators, we also had a responsibility to fight this fraud."

    SIM swap hackers rely on intercepting a one-time password sent by text after stealing a victim's banking credentials, or by using the phone number as a password reset fallback. So the phone company, Tenreiro says, offered a straightforward fix: The carrier would set up a system to let the bank query phone records for any recent SIM swaps associated with a bank account before they carried out a money transfer. If a SIM swap had occurred in, say, the last two or three days, the transfer would be blocked. Because SIM swap victims can typically see within minutes that their phone has been disabled, that window of time let them report the crime before fraudsters could take advantage.

    By August of 2018, Mozambique's largest bank was performing SIM swap checks with all the major carriers. "It reduced their SIM swap fraud to nearly zero overnight," says Tenreiro, who serves on Mozambique's Computer Emergency Readiness Team, and spoke about the SIM swap fraud fix at Kaspersky's Security Analyst Summit earlier this month.

    Mozambique isn't alone in implementing that fix for the growing epidemic of SIM swap fraud, which is increasingly used for everything from hijacking Instagram accounts to stealing cryptocurrency. According to WIRED's interviews with security firms and executives in the banking and telecom industries, companies in other countries across Africa, including Nigeria, South Africa, and Kenya—where the prevalence of mobile payments has made SIM swaps a particularly serious threat—have put similar carrier-checking remedies in place. So have the UK and Australia. But there's one country where experts say the fix hasn't taken hold: the US.

    "This is something where Africa is ahead of us," says Allison Nixon, director of security research at security firm Flashpoint. "It's something people have been asking for in the US, but no one has really moved forward to do it."

    Swap Meet

    Some security firms and banking executives point to US carriers as the main hurdle. They simply don't make real-time SIM swap data available for the kind of security checks other countries' banks have implemented. In fact, security company Telesign has sought to offer SIM swap fraud-checking to US banks, but has found that most US phone companies aren't yet willing to work with them.

    "Long story short, the data isn't available from most US carriers," says Stacey Stubblefield, Telesign's cofounder. She says only one US phone carrier has so far offered real-time SIM swap data, but declined to say which.

    Stubblefield admits it's hard to know what deals banks or other potential SIM swap attack targets might have cut with carriers privately. Those stakeholders have been tightlipped about their solutions, in part to avoid providing any clues that might help fraudsters circumvent their security measures. But Stubblefield is nonetheless confident that carriers aren't providing enough data to allow real-time SIM swap checks in the US. Telesign, she says, is in talks with two banks who are seeking that data—a sure sign that they don't have it already.

    Seven major US banks do collectively own a security firm called Early Warning, which like Telesign works to provide banks with data that can help them prevent fraud. Early Warning's "authentication evangelist" Hal Granoff says that carriers in fact provide some of that data to Early Warning and its owners. But he declined to say exactly what kind, and conceded that he wished they would go further. "They’re sharing information," Granoff said. "They could be sharing more."

    When WIRED reached out to the four major US carriers, they all either declined to respond on the record or referred questions to CTIA, the telecom industry association. CTIA vice president for technology and cybersecurity John Marinho argued that while US carriers may not offer real-time SIM swap checks, that's in part because the US has other protections, like geolocation checks based on banks' mobile applications installed on smartphones, and two-factor authentication. (The latter, of course, is exactly the security measure SIM swaps attempt to circumvent.)

    "Security uses multiple layers and tools to mitigate the risks; you can’t focus on just one tool. There's no silver bullet, you have to use all the tools that are available," Marinho wrote in an email. "But the carriers, in collaboration with many large brands, do collaborate very closely to make sure they’re staying ahead of the bad guys to protect consumers from fraud."

    Marinho added that US carriers are prevented from sharing real-time SIM swap data in part by the difficulties of scale. US banks, he says, deal with too many users performing too many transactions to check them all against carrier data. Privacy represents a concern, too. Carriers are reticent to give any third party real-time data about users without their express opt-in consent. "Do the carriers look at account churn? Yes," Marinho writes. "But can they share that information cavalierly? No. Carriers treat privacy and security as top priorities and act in compliance with any applicable laws regarding consumer permission."

    One banking industry executive who spoke to WIRED and asked not to be named, however, described the situation differently. He dismissed the privacy explanation and pointed instead to a financial one: Not enough US banks are currently demanding real-time SIM swap data to create an incentive for carriers to sell access to it. "There’s no business model for a carrier to develop a system to support this," he says. "People aren’t willing to pay what it takes to make that system come into being. If someone's willing to pay them money for it, phone carriers are willing to sell your data to anyone."

    To his point, look no further than the carriers' current scandal over selling consumers' location data to bounty hunters. Historically, carriers have not shown much concern over opt-in consent.

    Tenreiro, who helped address Mozambique's SIM swap fraud problem, adds that it's possible to implement the fix without privacy compromises. His carrier simply set up an API that responded to banks' queries about SIM swap data while providing no other information. "All the operators do is reply with a binary response 'Yes/No' whether the subscriber has conducted a SIM swap within the last X days," he says. "We believe the privacy exposure is minimal."
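The carrier-side yes/no API and the bank-side transfer gate described here and in the passage on the fix above, as an added example that is not the carrier's, Telesign's, or any bank's own code. The SIM-change log, phone numbers, timestamps and the 3-day window are constructed, and failing closed when the carrier API is unreachable is an assumed policy.

```python
"""Carrier-to-bank SIM-swap check of the kind described above.

Added example, not the Mozambican carrier's, Telesign's or any bank's code.
The SIM-change log, phone numbers, timestamps and the 3-day window are
constructed; the fail-closed behaviour on a carrier outage is an assumed policy.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# ---- Carrier side -----------------------------------------------------------
# Constructed log of SIM (ICCID) changes per subscriber number.
SIM_CHANGE_LOG = {
    "+258840000001": [datetime(2018, 8, 1, 9, 30, tzinfo=timezone.utc)],  # swapped 2 days ago
    "+258840000002": [datetime(2018, 7, 2, 14, 5, tzinfo=timezone.utc)],  # swapped a month ago
    "+258840000003": [],                                                  # never swapped
}


def carrier_recent_swap(msisdn: str, window_days: int, now: datetime) -> bool:
    """The only thing the carrier exposes: a yes/no on whether this number changed
    SIM within the last `window_days` days. No timestamps or other subscriber
    data leave the carrier, which is what keeps the privacy exposure minimal."""
    cutoff = now - timedelta(days=window_days)
    return any(changed_at >= cutoff for changed_at in SIM_CHANGE_LOG.get(msisdn, []))


# ---- Bank side --------------------------------------------------------------
@dataclass
class Transfer:
    account: str
    msisdn: str    # the number the bank sends one-time passwords to
    amount: float


SWAP_WINDOW_DAYS = 3  # "the last two or three days": long enough for a victim to report
EXAMPLE_NOW = datetime(2018, 8, 3, 12, 0, tzinfo=timezone.utc)  # constructed clock


def authorize_transfer(t: Transfer, now: datetime = EXAMPLE_NOW,
                       query=carrier_recent_swap) -> tuple[bool, str]:
    """Gate an outbound transfer on the carrier's answer. `query` is injected so
    the same logic can sit in front of a real carrier API; if that API is
    unreachable the bank fails closed rather than pay out unchecked."""
    try:
        swapped = query(t.msisdn, SWAP_WINDOW_DAYS, now)
    except Exception as exc:  # network error, timeout, malformed reply...
        return False, f"blocked: carrier check unavailable ({type(exc).__name__}); fail closed"
    if swapped:
        return False, f"blocked: SIM changed within the last {SWAP_WINDOW_DAYS} days; verify out of band"
    return True, "approved"


if __name__ == "__main__":
    for number in SIM_CHANGE_LOG:
        ok, reason = authorize_transfer(Transfer("ACC-" + number[-1], number, 500.0))
        print(f"{number}: {reason}")
```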

    Forced Fix

    There are, of course, other ways to stop SIM swap fraud: As a rule, tech firms, cryptocurrency companies and banks shouldn't depend on the security of phone numbers. That means avoiding any password reset fallback based on them, and using two-factor authentication via apps or hardware tokens rather than text messages, as security professionals have advised for years.

    But real-time checks between SIM swap targeted companies and carriers should be part of the solution too, says Flashpoint's Nixon. And if the carriers aren't motivated to make that possible, she says, regulators may have to intervene. "I don't know if this problem can be fixed by the private sector. It might be something the government has to step in and fix," she says. "I don't know if telcos are really planning on offering this, or waiting for the government, but something like this has to happen."


    Read more: https://www.wired.com/story/sim-swap-fix-carriers-banks/

    Filed Under: cryptocurrency Tagged With: carriers, cyberattacks-and-hacks, Hacking, security, sim, two-factor authentication

    A ‘Blockchain Bandit’ Is Guessing Private Keys and Scoring Millions

    April 26, 2019 by Blockchain Consultants

    Last summer, Adrian Bednarek was mulling over ways to steal the cryptocurrency Ethereum. He's a security consultant; at the time, he was working for a client in the theft-plagued cryptocurrency industry. Bednarek had been drawn to Ethereum, in particular, because of its notorious complexity and the potential security vulnerabilities those moving parts might create. But he started instead with the simplest of questions: What if an Ethereum owner stored their digital money with a private key—the unguessable, 78-digit string of numbers that protects the currency stashed at a certain address—that had a value of 1?

    To Bednarek's surprise, he found that dead-simple key had in fact once held currency, according to the blockchain that records all Ethereum transactions. But the cash had already been taken out of the Ethereum wallet that used it—almost certainly by a thief who had thought to guess a private key of 1 long before Bednarek had. After all, as with Bitcoin and other cryptocurrencies, if anyone knows an Ethereum private key, they can use it to derive the associated public address that the key unlocks. The private key then allows them to transfer the money at that address as though they were its rightful owner.

    That initial discovery piqued Bednarek's curiosity. So he tried a few more consecutive keys: 2, 3, 4, and then a couple dozen more, all of which had been similarly emptied. So he and his colleagues at the security consultancy Independent Security Evaluators wrote some code, fired up some cloud servers, and tried a few dozen billion more.

    In the process, and as detailed in a paper they published Tuesday, the researchers not only found that cryptocurrency users have in the last few years stored their crypto treasure with hundreds of easily guessable private keys, but also uncovered what they call a "blockchain bandit." A single Ethereum account seems to have siphoned off a fortune of 45,000 ether—worth at one point more than $50 million—using those same key-guessing tricks.

    "He was doing the same things we were doing, but he went above and beyond," Bednarek says. "Whoever this guy or these guys are, they're spending a lot of computing time sniffing for new wallets, watching every transaction, and seeing if they have the key to them."

    Combing a Gazillion Beaches

    To explain how that blockchain banditry works, it helps to understand that the odds of guessing a randomly generated Ethereum private key are 1 in 115 quattuorvigintillion. (Or, as a fraction: 1/2^256.) That denominator is very roughly around the number of atoms in the universe. Bednarek compares the task of identifying a random Ethereum key to choosing a grain of sand on a beach, and later asking a friend to find that same grain among a "billion gazillion" beaches.

    But as he looked at the Ethereum blockchain, Bednarek could see evidence that some people had stored ether at vastly simpler, more easily guessable keys. The mistake was probably the result, he says, of Ethereum wallets that cut off keys at just a fraction of their intended length due to coding errors, or let inexperienced users choose their own keys, or even that included malicious code, corrupting the randomization process to make keys easy to guess for the wallet's developer.

    Bednarek and his ISE colleagues eventually scanned 34 billion blockchain addresses for those sorts of weak keys. They called the process ethercombing, like beachcombing but for more guessable grains of sand among Ethereum's vast entropy. They ultimately found 732 guessable keys that at one point held ether but had since been emptied. Though some of those transfers were no doubt legitimate, Bednarek guesses that 732 is still only a small fraction of the total number of weak keys from which ether has been stolen since the currency launched in 2015.

    Amidst those emptied addresses, meanwhile, Bednarek was intrigued to see 12 that seemed to have been emptied by the same bandit. They had been transferred into an account that now held a remarkable hoard of 45,000 ether. At today's exchange rates, that's worth $7.7 million.

    Ether Comb, Ether Go

    Bednarek tried putting a dollar's worth of ether into a weak key address that the thief had previously emptied. Within seconds, it was snatched up and transferred to the bandit's account. Bednarek then tried putting a dollar into a new, previously unused weak key address. It, too, was emptied in seconds, this time transferred into an account that held just a few thousand dollars worth of ether. But Bednarek could see in the pending transactions on the Ethereum blockchain that the more successful ether bandit had attempted to grab it as well. Someone had beaten him to it by mere milliseconds. The thieves seemed to have a vast, pre-generated list of keys, and were scanning them with inhuman, automated speed.

    In fact, when the researchers looked at the history of the blockchain bandit's account on the Ethereum ledger, it had pulled in ether from thousands of addresses over the last three years without ever moving any out—money movements Bednarek believes were likely automated ethercombing thefts. At the peak of Ethereum's exchange rate in January 2018, the bandit's account held 38,000 ether, worth more than $54 million at the time. In the year since then, Ethereum's value has plummeted, reducing the value of the blockchain bandit's haul by about 85 percent.

    "Don't you feel bad for him?" Bednarek asks with a laugh. "You have a thief here that amassed this fortune and then lost it all when the market crashed."

    Despite tracking those transfers, Bednarek has no real idea of who the blockchain bandit might be. "I wouldn’t be surprised if it’s a state actor, like North Korea, but that's all just speculation," he says, referencing the North Korean government's targeting of cryptocurrency exchanges and other victims to steal more than half a billion dollars worth of cryptocurrency in recent years.

    Weak in the Keys

    Bednarek also can't identify the faulty or corrupted wallets that produced the weak keys. Instead, he can only see the evidence of the weak keys' creation and the resulting thefts. "We can see people getting robbed, but we can’t say which wallets are responsible," he says. For the blockchain bandit in particular, it's not clear if simple weak key thefts comprise the majority of their stolen wealth. The bandit could have deployed other tricks, such as guessing the pass-phrases for "brain wallets"—addresses that are secured with memorizable words, which are more easily brute-forced than fully random keys. One team of security researchers found evidence in 2017 of 2,846 bitcoins stolen with brain-wallet thefts, worth more than $17 million at current exchange rates. One single Ethereum brain-wallet theft in late 2015 made off with 40,000 ether, nearly as big a haul as the blockchain bandit's.

    ISE hasn't yet managed to replicate its experiment on the original Bitcoin blockchain. But Bednarek did perform some spot checks of about 100 weak Bitcoin keys and found that the contents of the corresponding wallets had all been stolen, too, though none had been taken by an obvious big fish like the Ethereum bandit they'd identified—perhaps evidence of fiercer, more distributed competition among thieves targeting Bitcoin compared with Ethereum.

    Bednarek argues the lesson of ISE's ethercombing is, for wallet developers, to audit their code carefully to find any bug that might truncate keys and leave them vulnerable. And users should take care with what wallet they choose. "You can’t call the help desk and ask them to reverse a transaction. When it's gone, it’s gone forever," Bednarek says. "People should use trusted wallets and download them from a trusted source." Ethereum exchange rate fluctuations aside, the blockchain bandit doesn't need any more donations.
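The wallet-developer audit Bednarek recommends, applied to the weak-key causes listed earlier (truncated keys, hand-chosen keys, a degenerate generator), as an added example that is not ISE's or any real wallet's code. MIN_SIGNIFICANT_BITS is an assumed policy threshold and the truncating generator is a constructed model of the bug, not a real wallet's.

```python
"""Private-key sanity checks a wallet could run before deriving an address.

Added example, not ISE's code or any real wallet's. It turns the failure
modes described above (keys truncated by a coding error, hand-chosen keys,
a degenerate generator) into checks, and contrasts a correct generator with
a constructed truncating one. MIN_SIGNIFICANT_BITS is an assumed policy value.
"""
import secrets

# Order of the secp256k1 group (Ethereum and Bitcoin): a private key is an
# integer in [1, SECP256K1_N - 1]. Values outside that range are not keys at all.
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

# 2**256 has 78 decimal digits, the "78-digit string" the article mentions.
KEYSPACE_DECIMAL_DIGITS = len(str(2 ** 256))

# Assumed policy: a key whose integer value fits in fewer than this many bits
# is treated as truncated or hand-chosen. A properly generated 256-bit key
# trips this with probability 2**-128, i.e. never in practice.
MIN_SIGNIFICANT_BITS = 128


def key_weaknesses(key_bytes: bytes) -> list[str]:
    """Return the reasons a candidate key is unsafe; an empty list means it passed."""
    problems = []
    if len(key_bytes) != 32:
        problems.append(f"key is {len(key_bytes)} bytes, expected 32")
    k = int.from_bytes(key_bytes, "big")
    if not 1 <= k < SECP256K1_N:
        problems.append("key is outside [1, n-1] for secp256k1")
    if k.bit_length() < MIN_SIGNIFICANT_BITS:
        problems.append(
            f"only {k.bit_length()} significant bits: looks truncated or hand-chosen"
        )
    if len(set(key_bytes)) <= 2:
        # all-zero, all-0xFF, or two-value repeats: a stuck or constant generator
        problems.append("degenerate byte pattern (at most two distinct byte values)")
    return problems


def generate_private_key() -> bytes:
    """Correct generation: 32 bytes from the OS CSPRNG, re-drawn if any check fails."""
    while True:
        candidate = secrets.token_bytes(32)
        if not key_weaknesses(candidate):
            return candidate


def buggy_truncating_generate(hex_digits: int = 16) -> bytes:
    """Constructed model of the truncation bug: the wallet hex-encodes a good
    key, keeps only the first `hex_digits` characters, then left-pads back to
    32 bytes, so the result has full length but only hex_digits*4 bits of entropy."""
    full_hex = secrets.token_bytes(32).hex()
    return bytes.fromhex(full_hex[:hex_digits].rjust(64, "0"))


if __name__ == "__main__":
    for label, key in [
        ("value 1", (1).to_bytes(32, "big")),
        ("truncated", buggy_truncating_generate()),
        ("correct", generate_private_key()),
    ]:
        print(f"{label:>10}: {key_weaknesses(key) or 'ok'}")
```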


    Read more: https://www.wired.com/story/blockchain-bandit-ethereum-weak-private-keys/

    Filed Under: blockchain Tagged With: blockchain, cyberattacks-and-hacks, ethereum, Hacking, security

    Copyright © 2021 · Blockchain Consultants LLC