Underweb Payments, Post-Liberty Reserve – Krebs on Security

Following the U.S. government’s seizure this week of virtual currency Liberty Reserve, denizens of the cybercrime underground collectively have been progressing through the classic stages of grief, from denial to anger and bargaining, and now grudging acceptance that any funds they had stashed in the e-currency system are likely gone forever. Over the past few days, the top discussion on many cybercrime forums has been which virtual currency will be the safest bet going forward?

As I mentioned in an appearance today on NPR’s show On Point, the predictable refrain from many in the underground community has been that the demise of Costa Rica-based Liberty Reserve — and of eGold, eBullion, StormPay and a host of other virtual currencies before it — is the death knell of centrally-managed e-currencies. Just as the entertainment industry’s crackdown on music file-sharing network Napster in the late 1990s spawned a plethora of decentralized peer-to-peer (P2P) file-sharing networks, the argument goes, so too does the U.S. government’s action against centrally-managed digital currencies herald the ascendancy of P2P currencies — particularly Bitcoin.

Fluctuation in BTC values. Source: Bitcoincharts.com

This knee-jerk reaction is understandable, given that private crime forums are now replete with postings from members who reported losing tens of thousands of LR dollars this week. But as some of the more seasoned and reasoned members of these communities point out, there are several aspects of Bitcoin that make it especially unsuited for everyday criminal commerce.

For one thing, Bitcoin’s conversion rate fluctuates far too wildly for communities accustomed to virtual currencies that are tied to the US Dollar: In both Liberty Reserve and WebMoney — a digital currency founded in Russia — one LR or WMZ (the “Z” designation is added to all purses kept in US currency) has always equaled $1 USD.

The following hypothetical scenario, outlined by one member of an exclusive crime forum, illustrates how Bitcoin’s price volatility could turn an otherwise simple transaction into an ugly mess for both parties.

“Say I pay you $1k today for a project, and its late, and you decide to withdraw tomorrow. You wake up and the $1k I just sent you in Bitcoins is now worth just $600. It’s not yet stable to be used in such a way.”

Another forum member agreed: “BTC on large scale or saving big amounts is a mess because the price changes. Maybe it’s only good cashing out,” noting WebMoney now allows users to convert Bitcoins into a new unit called WMX.

Others compared Bitcoin to a fashionable high-yield investment program (HYIP), a Ponzi-scheme investment scam that promises unsustainably high return on investment by paying previous investors with the money invested by new investors.  As the U.S. government’s complaint alleges, dozens of HYIP schemes had a significant amount of funds wrapped up in Liberty Reserve.

“Bitcoin is a trendy HYIP. There are far more stable and attractive currencies to invest in, if you are willing to take the risk,” wrote “Off-Sho.re,” a bulletproof hosting provider I profiled in an interview earlier this month. “In the legit ‘real products’ area, which I represent, a very small niche of businesses are willing to accept this form of payment. I understand the drug dealers on Tor sites, since this is pretty much the only thing they can receive without concerns about their identities, but if you sell anything illegal, WMZ should be the choice.”

What’s more, MtGox — Bitcoin’s biggest exchanger and the primary method that users get money into and out of the P2P currency — today posted a note saying that it will now be requiring ID verification from anyone who wants to deposit money with it in order to buy Bitcoins.

A logo from perfectmoney.com

Perhaps the closest competitor to Liberty Reserve and WebMoney — a Panamanian e-currency known as Perfect Money (or just “PM” to many) — appears to have been busy over the past few days seizing and closing accounts of some of its more active users, according to the dozens of complaints I saw on several different crime forums. Perfect Money also announced on Saturday, May 25 that it would no longer accept new account registrations from U.S. citizens or companies.

For now, it seems the primary beneficiary of the Liberty Reserve takedown will be WebMoney. This virtual currency also has barred U.S. citizens from creating new accounts (it did so in March 2013, in apparent response to the U.S. Treasury Department’s new regulations on virtual currencies). Still, WebMoney has been around for so long — and its logo is about as ubiquitous on Underweb stores as the Visa and MasterCard logos are at legitimate Web storefronts — that most miscreants and ne’er-do-wells in the underground already have accounts there.

But not everyone in the underground who got burned by Liberty Reserve is ready to place his trust in yet another virtual currency. The curmudgeon-in-chief on this point is a hacker nicknamed “Ninja,” the administrator of Carder.pro — a crime forum with thousands of active members from around the world. Ninja was among the most vocal and prominent doubters that Liberty Reserve had been seized, even after the company’s homepage featured seizure warnings from a trio of U.S. federal law enforcement agencies. Ninja so adamantly believed this that, prior to the official press announcements from the U.S. Justice Department on Tuesday, he offered a standing bet of $1,000 to any takers on the forum that Liberty Reserve would return. Only two forum members took him up on the wager.

Now, Ninja says, he’s ready to pay up, but he’s not interested in buying into yet another virtual currency. Instead, he says he’s planning to create a new “carding payment system,” one that will serve forum members and be housed at Internet servers in North Korea, or perhaps Iran (really, any country that has declared the United States a sworn enemy would do).


Another core member of a different, Russian-language crime forum used the Liberty Reserve news to announce his own, private e-currency and exchange exclusively for forum members. To generate interest in the new system, which this member says has been under development for six months, he is offering a $5,000 reward to any hackers who can break the system’s security.

“Dear friends! I submit to your consideration a new project as a payment system,” writes “Taleon,” a longtime provider of cashout services for fraudulent wire transfers sent via Western Union and Moneygram (think cyberheists against small businesses). “After eight years of excellent reputation in the financial services industry, I now want to offer a mini-payment system, designed specifically for your needs. It is not necessarily made for you to keep your savings in, but instead to use this system for small settlements.”

A new payment method that debuted since Liberty Reserve's demise.

Taleon highlighted the benefits of his new currency thusly:

“The pros:

  • It is not registered anywhere, and is not governed by any law other than arbitration private forums.
  • We do not ask for your personal data, except for the private message on the forum or confirmation from other members.
  • The system focuses strictly on the activities of the forum.
  • Security system is set up with the reality of today and even more.
  • Information stored 2 months, and then permanently deleted, and deletion of information at the request of the user-specified encryption key.”

If these private systems focus heavily on security, it will be unsurprising given Liberty Reserve’s reputation. Liberty Reserve used an insanely secure and redundant system — including far more protections against account takeovers than I’ve seen at any legitimate financial institution. Users were required to enter an account number and password, and then a Login PIN. If the system didn’t recognize your computer and/or IP address, it would send a one-time “verification PIN” to your email and require that before logging you in. In the event that you wished to send someone LR currency, the process involved solving a CAPTCHA, entering a static, user-specific “Master Key” and your Login PIN — the latter two often requiring the use of a randomized on-screen keypad. Enter any of these incorrectly and the system required you to start over.
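The layered login and transfer checks described above can be modeled as a small state machine. This is an added example, not Liberty Reserve's code: the `Session` class, the sample account record, treating a (fingerprint, IP) pair as the "recognized computer", and resetting the whole session on any wrong factor are assumptions made for illustration.

```python
import hmac
import secrets

# Constructed sample record; a real system would store salted hashes, not plaintext.
ACCOUNT = {"number": "U0000001", "password": "correct horse", "login_pin": "4821",
           "master_key": "731", "email": "user@example.test",
           "known_devices": {("fp-laptop", "203.0.113.7")}}

def same(a, b):
    # Constant-time comparison so response timing does not leak partial matches.
    return hmac.compare_digest(a.encode(), b.encode())

class Session:
    """Credentials -> Login PIN -> e-mailed PIN if the device/IP pair is unknown."""
    def __init__(self, account, send_mail):
        self.acct, self.send_mail = account, send_mail
        self.restart()

    def restart(self):
        # Any wrong factor discards all progress (assumed meaning of "start over").
        self.state, self.email_pin = "CREDENTIALS", None
        return self.state

    def login_step(self, device, **form):
        if self.state == "CREDENTIALS":
            ok = (same(form.get("number", ""), self.acct["number"])
                  and same(form.get("password", ""), self.acct["password"]))
            nxt = "LOGIN_PIN"
        elif self.state == "LOGIN_PIN":
            ok = same(form.get("login_pin", ""), self.acct["login_pin"])
            nxt = "LOGGED_IN" if device in self.acct["known_devices"] else "EMAIL_PIN"
            if ok and nxt == "EMAIL_PIN":  # step-up: one-time PIN sent out of band
                self.email_pin = f"{secrets.randbelow(10**6):06d}"
                self.send_mail(self.acct["email"], self.email_pin)
        elif self.state == "EMAIL_PIN":
            ok, nxt = same(form.get("email_pin", ""), self.email_pin), "LOGGED_IN"
        else:
            return self.state  # already logged in, nothing left to verify
        self.state = nxt if ok else self.restart()
        return self.state

    def authorize_transfer(self, captcha_ok, master_key, login_pin):
        # Sending funds re-checks three factors even inside a logged-in session.
        ok = (self.state == "LOGGED_IN" and captcha_ok
              and same(master_key, self.acct["master_key"])
              and same(login_pin, self.acct["login_pin"]))
        if not ok:
            self.restart()
        return bool(ok)
```
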

In the short run, I’d expect WebMoney to be the chief beneficiary from the closure of Liberty Reserve. Longer term, I’d expect to see more of these independently-run, forum-specific currencies+exchanges that are not tied to any specific country, or that are based in countries that are actively hostile or at least not particularly friendly to the United States.

Update, 9:58 p.m., ET: Looks like I am not alone in saying WebMoney will be the big winner here. Sophos just filed a blog post on the Liberty Reserve takedown that includes a graphic of a poll one underground site took on which e-currency would work best:

Image: Sophos
