The Robert Mueller-led investigation has indicted 12 Russian intelligence operatives, acting in their official capacity as members of the Kremlin’s Main Intelligence Directorate of the General Staff (GRU), for a litany of acts each designed to undermine the integrity of the election. The indictment states: “The object of the conspiracy was to hack into protected computers of persons and entities charged with the administration of the 2016 U.S. elections in order to access those computers and steal voter data and other information stored on those computers.”
Bitcoin-enabled operation infrastructure
The allegations leveled against the Russian agents range from hacking the email accounts of people connected to the Hillary Clinton campaign and creating and installing malware designed to steal private information, to impersonation and identity theft, and actions connected to money laundering.
While the indictment confirms the widespread suspicion that Moscow was the lead orchestrator of the attack, it further provides details of how cryptocurrencies, specifically bitcoin, were used in an effort to obscure any incriminating trail left behind.
“To hide their connections to Russia and the Russian government, the Conspirators used false identities and made false statements about their identities. To further avoid detection, the Conspirators used a network of computers located across the world, including in the United States, and paid for this infrastructure using cryptocurrency.”
For instance, the Russians used bitcoin to pay for the domain through which data stolen from compromised emails within the Clinton campaign were uploaded for public viewing. “On or about April 19, 2016, after attempting to register the domain electionleaks.com, the Conspirators registered the domain dcleaks.com through a service that anonymized the registrant.
The funds used to pay for the dcleaks.com domain originated from an account at an online cryptocurrency service that the Conspirators also used to fund the lease of a virtual private server registered with the operational email account [email protected]. The dirbinsaabol email account was also used to register the john356gh URL-shortening account used by LUKASHEV to spearphish the Clinton Campaign chairman and other campaign-related individuals.”
Additionally, the operatives used bitcoin to add a further layer of anonymity by purchasing a VPN. “Conspirators used the same pool of bitcoin funds to purchase a virtual private network (“VPN”) account and to lease a server in Malaysia. In or around June 2016, the Conspirators used the Malaysian server to host the dcleaks.com website.”
However, the use of the same bitcoin wallet was an important tool the investigators used to link persons of interest to the investigation. “On or about March 14, 2016, using funds in a bitcoin address, the Conspirators purchased a VPN account, which they later used to log into the @Guccifer_2 Twitter account. The remaining funds from that bitcoin address were then used on or about April 28, 2016, to lease a Malaysian server that hosted the dcleaks.com Website.”
Through the charges detailed in the indictment, it is clear that the hackers used the pseudonymity provided by bitcoin to their advantage. This was an attempt both to distance Russia from the attack and to make it look as though it originated from American citizens. The use of bitcoin as a payment method made it possible for the attack to function effectively.
“Although the Conspirators caused transactions to be conducted in a variety of currencies, including U.S. dollars, they principally used bitcoin when purchasing servers, registering domains, and otherwise making payments in furtherance of hacking activity. Many of these payments were processed by companies located in the United States that provided payment processing services to hosting companies, domain registrars, and other vendors both international and domestic. The use of bitcoin allowed the Conspirators to avoid direct relationships with traditional financial institutions, allowing them to evade greater scrutiny of their identities and sources of funds.”
Money laundering charges
As a result of the amount of money involved, prosecutors are accusing the perpetrators of money laundering. “The Defendants conspired to launder the equivalent of more than $95,000 through a web of transactions structured to capitalize on the perceived anonymity of cryptocurrencies such as bitcoin.”
Using fake names, the perpetrators created many different email addresses which they used to access payment processors. “In some cases, as part of the payment process, the Conspirators provided vendors with nonsensical addresses such as “usa Denver AZ,” “gfhgh ghfhgfh fdgfdg WA,” and “1 2 dwd District of Columbia.” The Conspirators used several dedicated email accounts to track basic bitcoin transaction information and to facilitate bitcoin payments to vendors.”
The investigators, however, were able to link some transactions to activities connected with the conspiracy by analyzing the blockchain. “One of these dedicated accounts, registered with the username “gfadel47,” received hundreds of bitcoin payment requests from approximately 100 different email accounts. For example, on or about February 1, 2016, the gfadel47 account received the instruction to “[p]lease send exactly 0.026043 bitcoin to” a certain thirty-four character bitcoin address. Shortly thereafter, a transaction matching those exact instructions was added to the Blockchain.”
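The two linking steps the article describes, matching a payment-request email to an on-chain transaction that pays exactly the requested amount to the requested address (this paragraph), and tying purchases together by the address that funded them (the earlier paragraph on the shared VPN and server funds), as an added Python example that is not from the indictment or the article. All addresses, amounts and transactions below are constructed, and the regex for the request line is a hypothetical simplification.

```python
import re
from collections import defaultdict
from decimal import Decimal

# Hypothetical matcher for "send exactly <amount> bitcoin to <address>" lines;
# the address pattern is a simplified legacy 34-character Base58 form.
REQUEST_RE = re.compile(r"send exactly ([0-9]+\.[0-9]+) bitcoin to ([13][1-9A-HJ-NP-Za-km-z]{33})")

# Constructed sample data, not taken from the indictment.
ADDR_A = "1" + "A" * 33   # funding address reused for several purchases
ADDR_B = "1" + "B" * 33   # payout address of a domain registrar
ADDR_C = "1" + "C" * 33   # payout address of a VPN provider
ADDR_D = "3" + "D" * 33   # unrelated address
PAYMENT_REQUESTS = [
    f"Please send exactly 0.026043 bitcoin to {ADDR_B}",   # will match tx1
    f"Please send exactly 0.500000 bitcoin to {ADDR_C}",   # amount never paid on chain
    "Invoice attached, pay when convenient",                # no parsable request
]
# Simplified on-chain view: which addresses funded a transaction and where it paid.
CHAIN_TXS = [
    {"txid": "tx1", "inputs": [ADDR_A], "outputs": [(ADDR_B, "0.026043"), (ADDR_A, "0.100000")]},
    {"txid": "tx2", "inputs": [ADDR_A], "outputs": [(ADDR_C, "0.040000")]},
    {"txid": "tx3", "inputs": [ADDR_D], "outputs": [(ADDR_C, "0.500001")]},
]

def parse_request(text):
    """Return (amount, address) from a payment-request body, or None."""
    m = REQUEST_RE.search(text)
    return (Decimal(m.group(1)), m.group(2)) if m else None

def match_requests(requests, txs):
    """Map each request to the first txid with an output paying exactly that amount to that address."""
    matches = {}
    for text in requests:
        parsed = parse_request(text)
        for tx in txs:
            if parsed and any((Decimal(a), o) == parsed for o, a in tx["outputs"]):
                matches[text] = tx["txid"]
                break
    return matches

def link_by_funding_address(txs):
    """Group txids by input address; a pool that funded several purchases links them."""
    by_input = defaultdict(list)
    for tx in txs:
        for addr in tx["inputs"]:
            by_input[addr].append(tx["txid"])
    return {addr: ids for addr, ids in by_input.items() if len(ids) > 1}
```

The near-miss amount in tx3 is deliberate: an exact-amount match is what makes the email-to-chain link evidentially useful, so an approximate match is not accepted.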
Interestingly, it was revealed that some of the funds utilised within the scheme came from mining profits. “The Conspirators funded the purchase of computer infrastructure for their hacking activity in part by “mining” bitcoin. […] The pool of bitcoin generated from the GRU’s mining activity was used, for example, to pay a Romanian company to register the domain dcleaks.com through a payment processing company located in the United States.”
Additionally, the Russian operatives allegedly used a number of tools to obscure the trail of their transactions, which included the use of bitcoin mixers. “The Conspirators acquired bitcoin through a variety of means designed to obscure the origin of the funds. This included purchasing bitcoin through peer-to-peer exchanges, moving funds through other digital currencies, and using pre-paid cards. They also enlisted the assistance of one or more third-party exchangers who facilitated layered transactions through digital currency exchange platforms providing heightened anonymity.”
Mueller and his team conclude that the plot relied heavily on the use of bitcoin as a payment method through which they could both finance and purchase all the tools required. “The Conspirators used the same funding structure – and in some cases, the very same pool of funds – to purchase key accounts, servers, and domains used in their election-related hacking activity. […] The bitcoin mining operation also funded, through the same bitcoin address, the purchase of servers and domains used in the GRU’s spearphishing operations, including accountsqooqle.com and account-gooogle.com.”