Recently, the media has been abuzz with headlines that the Finnish National Bureau of Investigation (NBI) has traced transactions on the Monero blockchain. The announcement was made at a court hearing on the 2020 theft of the patient database of the Finnish psychotherapy centre Vastaamo and the subsequent ransom demand in Bitcoin (BTC).
The hacker exchanged the BTC he received into Monero (XMR) and then back into Bitcoin, which, according to the statement, allowed the agency to trace the transactions. Let's break down what is known for certain at this point and why such statements are not quite accurate.
What is Monero
Monero is a blockchain with a native cryptocurrency of the same name (ticker XMR) that emerged in 2014. The network uses Proof-of-Work (PoW) consensus. Its main difference from other blockchains is the focus on anonymity and privacy.
Unlike Bitcoin and similar blockchains, where transaction data is openly readable, Monero deliberately obscures transaction details such as transfer amounts, the parties' addresses, and balances. To illustrate, compare these two random transactions on the Bitcoin and Monero blockchains.
Monero has no smart contracts like Ethereum; it only supports plain cryptocurrency transfers, like the Bitcoin, Dogecoin, and Litecoin blockchains. That said, Monero also differs from add-on privacy solutions such as Bitcoin mixers or Tornado Cash, because the privacy is built into the protocol itself.
To understand how Monero achieves its level of privacy, look at the three main cryptographic techniques it implements: ring signatures, Ring Confidential Transactions (RingCT), and stealth addresses. Each of them hides a different part of a transaction, and together they make Monero attractive to those who do not want information about their transfers to be publicly available.
Unfortunately, such properties also attract criminals and malicious actors.
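To make the "hides a different part" claim concrete, here is an added worked example of the stealth-address technique, the one of the three that hides the recipient: a sender derives a fresh one-time output key from the recipient's public view and spend keys, so the recipient's actual address never appears on chain, yet the recipient can still detect and spend the output. This is example code written for this article, not code from the Monero project; it is a simplified Python reconstruction of the scheme (toy affine Ed25519 arithmetic, SHA-512 in place of Monero's Keccak hash, and no output index in the hash), and the function and variable names are assumptions made for illustration.

```python
import hashlib
import secrets

# Ed25519 curve parameters (twisted Edwards, a = -1), per RFC 8032.
P = 2**255 - 19
L = 2**252 + 27742317777372353535851937790883648493  # order of the base point
D = (-121665 * pow(121666, P - 2, P)) % P


def recover_x(y):
    """Recover the even x-coordinate for a given y (RFC 8032 decoding rule)."""
    x2 = (y * y - 1) * pow(D * y * y + 1, P - 2, P) % P
    x = pow(x2, (P + 3) // 8, P)
    if (x * x - x2) % P:
        x = x * pow(2, (P - 1) // 4, P) % P  # multiply by sqrt(-1)
    if (x * x - x2) % P:
        raise ValueError("no square root")
    return P - x if x % 2 else x


GY = (4 * pow(5, P - 2, P)) % P   # base point y = 4/5
G = (recover_x(GY), GY)


def on_curve(pt):
    """Check -x^2 + y^2 == 1 + d*x^2*y^2 (mod p)."""
    x, y = pt
    return (-x * x + y * y - 1 - D * x * x * y * y) % P == 0


def point_add(p1, p2):
    """Affine twisted-Edwards addition: slow, but easy to read and verify."""
    x1, y1 = p1
    x2, y2 = p2
    x3 = (x1 * y2 + x2 * y1) * pow(1 + D * x1 * x2 * y1 * y2, P - 2, P) % P
    y3 = (y1 * y2 + x1 * x2) * pow(1 - D * x1 * x2 * y1 * y2, P - 2, P) % P
    return (x3, y3)


def scalar_mult(k, pt):
    """Double-and-add scalar multiplication; (0, 1) is the identity."""
    result, addend = (0, 1), pt
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def hash_to_scalar(pt):
    """Hs(): map a shared-secret point to a scalar mod L.
    Simplification (assumption): SHA-512 instead of Keccak, no output index."""
    data = pt[0].to_bytes(32, "little") + pt[1].to_bytes(32, "little")
    return int.from_bytes(hashlib.sha512(data).digest(), "little") % L


def keygen():
    """Recipient's long-term keys: view pair (a, A) and spend pair (b, B)."""
    a = secrets.randbelow(L - 1) + 1
    b = secrets.randbelow(L - 1) + 1
    return {"view_priv": a, "spend_priv": b,
            "view_pub": scalar_mult(a, G), "spend_pub": scalar_mult(b, G)}


def sender_make_output(view_pub, spend_pub):
    """Sender derives a one-time output key P = Hs(rA)G + B and publishes
    (R, P). Only R and P go on chain; the recipient's A and B never do."""
    r = secrets.randbelow(L - 1) + 1
    R = scalar_mult(r, G)
    shared = scalar_mult(r, view_pub)  # r*A
    P_out = point_add(scalar_mult(hash_to_scalar(shared), G), spend_pub)
    return R, P_out


def receiver_scan(view_priv, spend_pub, R, P_out):
    """Anyone holding the view key recomputes P' = Hs(aR)G + B and compares;
    this is what a wallet does for every output on chain."""
    shared = scalar_mult(view_priv, R)  # a*R == r*A by commutativity
    candidate = point_add(scalar_mult(hash_to_scalar(shared), G), spend_pub)
    return candidate == P_out


def receiver_onetime_key(view_priv, spend_priv, R):
    """One-time private key x = Hs(aR) + b; only the spend key holder gets it."""
    shared = scalar_mult(view_priv, R)
    return (hash_to_scalar(shared) + spend_priv) % L


def demo():
    """Recipient finds and can spend the output; a stranger scanning with
    their own keys sees nothing, and P reveals nothing about B."""
    alice, stranger = keygen(), keygen()
    R, P_out = sender_make_output(alice["view_pub"], alice["spend_pub"])
    x = receiver_onetime_key(alice["view_priv"], alice["spend_priv"], R)
    return {
        "alice_finds_output": receiver_scan(alice["view_priv"], alice["spend_pub"], R, P_out),
        "onetime_key_matches": scalar_mult(x, G) == P_out,
        "stranger_finds_output": receiver_scan(stranger["view_priv"], stranger["spend_pub"], R, P_out),
        "output_differs_from_spend_pub": P_out != alice["spend_pub"],
    }


if __name__ == "__main__":
    print(demo())
```

The point to take away is that every payment to the same recipient yields a different P on chain, so an observer cannot group outputs by recipient without the private view key. Ring signatures and RingCT then hide which input is spent and the amounts; that is the division of labour the paragraph above refers to.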
The Aleksanteri Kivimäki case, or how the Finnish NBI allegedly traced Monero transactions
In October 2020, the Finnish psychotherapy centre Vastaamo fell victim to cybercrime. A hacker with the nickname "ransom_man" demanded 40 BTC (about €450,000 at the time) for a database containing confidential patient data and doctors' notes from each session; otherwise, it would be released to the public. The centre refused to make a deal with the criminal.
A few days later, "ransom_man" uploaded the database to the darknet. It quickly turned out that among the files was a folder from the hacker's home computer. The attacker deleted the database, but it was too late.
Before posting the database, the hacker had contacted patients with an offer to pay 200 to 500 euros in BTC to have all the information about them deleted. The NBI, posing as a victim, paid 0.1 BTC to the extortionist, a common practice for tracking the subsequent movement of funds.
The local Finnish media outlet MTV Uutiset writes that, as part of the investigation, the NBI found that the hacker converted the Bitcoin into Monero through a platform (its name is not mentioned) that did not conduct know-your-customer (KYC) procedures to identify its users.
Later, the NBI reports, the hacker transferred the Monero to Binance, exchanged it back into BTC there, and withdrew it to other wallets. As a result, in October 2022, the investigation reached Aleksanteri Kivimäki, against whom criminal proceedings were initiated.
On January 22, another court hearing on the case was held, at which the prosecution stated that, thanks to analysis of the Monero blockchain, it has undeniable additional evidence that Aleksanteri Kivimäki committed the crime.
What's wrong with the Monero traceability claim in the Aleksanteri Kivimäki case
According to the head of the investigation, Marko Leposen, information about how the Monero blockchain was analysed is classified. However, there are reasons to doubt that it was the analysis of blockchain data that led investigators to the hacker, and here are three of them:
1️⃣ the files from the hacker's home computer, which were included in the leaked database, could already have helped the investigation establish the identity of the criminal;
2️⃣ even though the platform used for the BTC-to-XMR exchange had no KYC, there are other data points the investigation could have obtained: the time of transfers, IP addresses, transfer amounts, the withdrawal wallet address, and so on;
3️⃣ the hacker later used a centralised exchange, Binance, to convert XMR back into BTC. Even though he must have forged the KYC data, a fairly strong digital footprint still remains.
Moreover, the NBI stated it is working with at least one person from Estonia through whom the hacker further cashed out the BTC obtained from Binance. According to the description, the unnamed service resembles a P2P platform, so this person is not an accomplice but rather an unlucky party who exchanged stolen BTC for cash.
All in all, there is quite a bit of data linking the hacker's activities across various platforms. So it is more likely that the attacker was let down by the human factor than by the investigators' ability to track Monero transactions.
Such loud statements by investigators may be more of a signal to other hackers than a reflection of the real state of affairs. Csilla Brimer, a former member of the MAGIC Monero Fund, told Decrypt in an interview that "if you're not careful with your operational security and you keep switching between Bitcoin and Monero, you might leak some information", which allows regulators to "use this slip-up to claim they can track Monero".
Some X (formerly Twitter) users share this opinion. They believe the media is publishing misleading headlines and that, most likely, the investigation did not "crack" Monero but simply took advantage of the hacker's mistakes.
The price of XMR does not react to the NBI's traced-transaction claims
Monero (XMR) currently trades at $162 with a market capitalisation of $2.9 billion, making it the 29th-largest cryptocurrency. Overall, its price has not reacted to the news about the allegedly tracked transactions. As the daily chart below shows, its price moves in step with Bitcoin and the broader crypto market.
Recall that at the end of December 2023, the OKX exchange delisted Monero. On January 4, Binance added XMR to its Monitoring Tag list, which covers assets subject to additional review by the exchange. Such coins are often delisted over time. Privacy-focused cryptocurrencies are finding it increasingly difficult to stay listed on large exchanges that comply with the regulatory rules of different countries.