Black Hat Demo to Reveal ‘White Rabbit’ New Blockchain Surveillance Tool
This week in Las Vegas there are two well-known events taking place focused on information security and the global hacking counterculture – Black Hat Arsenal and Defcon 2018. Two developers from the intelligence platform firm Trustar will be revealing a new ‘early warning system’ called White Rabbit that detects emerging ransomware campaigns that utilize the Bitcoin Core network for ransom payments. During the conference festivities, there will be a bunch of demonstrations showcasing all types of hacker tools, security services, and engineering studies.
New Blockchain Surveillance Tool Called White Rabbit
Right now, many tech-savvy enthusiasts, cyberpunks, and hackers are gathering in Las Vegas to attend two well-known tech-conferences: Defcon 2018 (Caesar’s Palace), and Black Hat Arsenal (Mandalay Bay). This year’s events will feature all sorts of mobile jailbreaking and rooting methods, opsec methods, online certificate abuse, DDoS attacks, and drone technology, but only one demonstration that ties to cryptocurrencies.
During the visit, people will be able to see a tool created by the intelligence platform Trustar’s lead developers, Olivia Thet (engineering) and Nicolas Kseib (data science), which tethers illicit ransomware crimes to bitcoin transactions. The tool is called White Rabbit and the developers claim it provides a “near real-time contextual awareness of a specific ransomware campaign.” Essentially, White Rabbit monitors bitcoin transactions associated with these types of crimes, allowing investigators to tag specific transactions.
Clean and Dirty Addresses
According to the demonstration summary, White Rabbit is a three-part model that first starts by collecting BTC addresses and classifying them as “clean” or “dirty.” “The second part is to check the classification models using this dataset and propose decision metrics to optimally select a model. In this part, we will also discuss ideas about how to compute expensive, but important features obtained from transaction data kept on a graph database,” explain the Trustar developers. “In the third part, we will show how to use the obtained optimal model to predict if an address is ‘dirty’. Finally, we will discuss our challenges when solving this problem and propose solutions to overcome them.”
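The three-part flow described above, sketched as an added example that is not Trustar's code: labelled addresses, a graph-derived feature, candidate models compared on a decision metric, and a prediction for an unlabelled address. Every address, transaction, feature and rule here is a constructed assumption, and an in-memory edge list stands in for the graph database; the summary does not say which features or models White Rabbit uses.

```python
from collections import deque

# Constructed transactions (sender, receiver) between placeholder addresses.
EDGES = [("seed1", "a1"), ("a1", "a2"), ("a2", "mix"), ("seed2", "a3"),
         ("a3", "mix"), ("c1", "c2"), ("c2", "shop"), ("c3", "shop"),
         ("a2", "c3"), ("a3", "u2"), ("u1", "c1")]
SEEDS = {"seed1", "seed2"}                      # assumed known ransom addresses
LABELS = {"a1": 1, "a2": 1, "a3": 1, "mix": 1,  # part 1: 1 = dirty, 0 = clean
          "c1": 0, "c2": 0, "c3": 0, "shop": 0}

def neighbours(addr):
    """Addresses that share a transaction with addr (direction ignored)."""
    return {b for a, b in EDGES if a == addr} | {a for a, b in EDGES if b == addr}

def hops_to_seed(addr):
    """Graph feature: shortest hop count to any seed address (BFS), 99 if none."""
    seen, queue = {addr}, deque([(addr, 0)])
    while queue:
        node, dist = queue.popleft()
        if node in SEEDS:
            return dist
        for nxt in neighbours(node) - seen:
            seen.add(nxt)
            queue.append((nxt, dist + 1))
    return 99

def features(addr):
    return {"hops": hops_to_seed(addr), "degree": len(neighbours(addr))}

# Part 2: candidate models; simple rules stand in for trained classifiers.
MODELS = {"hops<=1": lambda f: f["hops"] <= 1,
          "hops<=2": lambda f: f["hops"] <= 2,
          "degree>=2": lambda f: f["degree"] >= 2}

def f1_score(model):
    """Decision metric: F1 of one model over the labelled addresses."""
    tp = fp = fn = 0
    for addr, label in LABELS.items():
        pred = model(features(addr))
        tp += pred and label == 1
        fp += pred and label == 0
        fn += (not pred) and label == 1
    return 2 * tp / (2 * tp + fp + fn) if tp else 0.0

def select_model():
    return max(MODELS, key=lambda name: f1_score(MODELS[name]))

def predict(addr):
    """Part 3: classify an address with the selected model."""
    return "dirty" if MODELS[select_model()](features(addr)) else "clean"
```

Because the hop feature ignores transaction direction, an address that only paid into a seed-adjacent address scores the same as one that received funds from it, which is one way a victim's address can end up labelled "dirty".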
The subject of a firm or entity monitoring public blockchains and blacklisting or tainting bitcoin addresses is a very controversial topic among cryptocurrency proponents. However, Olivia Thet, the software engineer at Trustar, thinks the public should know who’s coordinating these kinds of attacks. Because of blockchain surveillance tools like White Rabbit, bitcoin transaction mixers and privacy-centric cryptocurrencies have increased in popularity over the years.
“We’re fighting the wrong fight in trying to deanonymize the blockchain – we should be looking at the bigger picture instead,” said Thet. “Security analysts who are using Trustar are far more interested in how bitcoin wallet addresses are correlating with the other IOCs they’re tracking versus who is actually implementing the ransomware campaigns.”
The Collection of Bitcoin Seed Addresses Involved in Illegal Activities
Defcon demonstrations have always caught people’s attention when it comes to specific hacking tools. Last year at Defcon 2017, a group called Cryptotronix gave a presentation that showed a few hardware wallet exploits. Cryptotronix showed fault injection, timing, and power analysis methods using the open source hardware tool the ChipWhisperer, and the subject caused a large stir among crypto enthusiasts and hardware wallet manufacturers.
The White Rabbit creators say that the collection of “seed bitcoin addresses involved in illegal activities” can be used as a starting point for observers to create “dirty” address clusters reconstructed from the analysis. The White Rabbit demo will take place on August 9 at the Black Hat Arsenal, and then on August 11 at the Defcon Recon Village. Trustar’s Nicolas Kseib explains that as ransomware and malicious cryptocurrency malware grow exponentially throughout our online lives, the security community needs to up its game. “As the blockchain evolves and potentially plays a bigger role in cyber-attacks, the security community will have to dramatically rethink the existing concepts of tracking adversaries,” the lead data scientist at Trustar, Nicolas Kseib, concludes.