The Wild Hunt for the WannaCry Hackers

This report was first published as a three-part podcast series.

On 12 May 2017, employees in Spanish telecoms giant Telefonica came under attack. Their computer monitors displayed a disturbing message: their files had been scrambled and to get them back they would have to pay the hackers who’d infected them.


Telefonica wasn’t alone. The virus first struck at 8.57am that day, and within hours, computer users around the world were seeing the same message. Global brands were hit, hospital departments turned patients away. In the UK, emergency meetings were held at the highest level of government.

So-called “ransomware” attacks have been around in various guises for decades. The standard delivery method is via email. But emailing viruses is a headache. The hackers needed a continuous supply of fresh addresses to feed their blackmail machine (hence the now-ubiquitous mega-hacks in which millions of users’ details are stolen). They also needed to tweak their viruses constantly to make sure they got through users’ ever-updated defences.

The ransomware crooks needed an easier way of spreading their infection. And in 2017 they got it, apparently thanks to America’s spy agency.

It’s alleged that the National Security Agency (NSA) discovered a security weakness in Microsoft computers. Here’s how it works:

Imagine you have a PC in the bedroom with all your music on it, and you want to listen to your tunes on a PC in the living room. Microsoft computers have a handy feature that lets the two machines share files.

The NSA allegedly discovered that this handy file-share feature could be used to spread viruses. It’s also alleged (by Microsoft’s President) that this secret file-share infection trick was later stolen from the NSA.

It was leaked onto the dark web by a hacking group called ShadowBrokers, whom some security analysts believe is linked to the Russian Government.


The file-share flaw meant viruses could be spread automatically from computer to computer, and it wasn’t long before the ransomware hackers cottoned on. They realised that instead of having to use email to spread ransomware, they could simply get the virus onto one machine, and then let it spread itself, potentially generating big profits with minimum effort.

Microsoft had released an update in March 2017 which fixed the file-sharing hole. But many users didn’t update (or they used older versions of Windows that couldn’t be updated at that time). They were sitting ducks.

On 12 May 2017, WannaCry, as the summer ransomware campaign became known, was unleashed. In less than 24 hours its automated computer-hopping saw it spread from Russia to the Middle East, to Europe and then to the UK. Pretty soon it ended up inside the NHS, which is when the real havoc began.

There are different explanations as to why the NHS was disproportionately hit (a third of England’s NHS Trusts ended up infected). It’s a massive organisation with dwindling tech budgets, ageing equipment, little central IT oversight from Government, critical machines that could not be taken offline for updates, and a trusted communications network that linked different trusts together. Added together, this created a perfect breeding ground for the virus.

Meanwhile, WannaCry had another trick up its sleeve. Spreading between connected machines inside an organisation was all very well, but sooner or later it would hit a limit, having infected all the computers it could reach within the organisation. It needed some way of breaking into fresh pools of machines.

The virus writers came up with a neat solution. Every now and again the code would call out to a random computer somewhere on the internet. If the computer was running the unprotected version of Windows, the virus would hop onto it, and begin infecting that organisation too.

It was the digital equivalent of an Ebola-infected person in Istanbul catching a plane to New York and taking the virus with them.

In the end, around 300,000 computers in 150 countries were infected. Panicked, hundreds of victims paid up using the virtual currency Bitcoin. At the time, the total amount paid was just over £100,000. However, given Bitcoin’s meteoric rise in value, at its peak it was worth over £1m.

Where did the ransom money go?

Victims were given instructions on the lock-screen to pay their ransom to a specific Bitcoin address (equivalent to a bank account number). And that’s where the hackers made their first mistake.

Bitcoin is a virtual currency, so unlike bank accounts, it’s possible to generate new Bitcoin addresses with the click of a mouse. A competent ransomware virus writer will generate a new address for each victim’s payment, which makes it harder for investigators to trace the money.

WannaCry’s creators used only three Bitcoin addresses which never changed, and that made them vulnerable to surveillance.

Each address is unique, and every Bitcoin address’s transactions are published online. (This transparency is part of the edifice of trust that underpins Bitcoin. Of course, transparency doesn’t mean identifiability: while you can see every transaction in and out of every Bitcoin address, you don’t necessarily know the real-world identity of those behind the transaction).

Nonetheless, analysts, journalists and law enforcement around the world began obsessively monitoring the three WannaCry addresses, hoping that when the crooks turned up to collect their winnings, they’d find out who was behind the crime. There was even a Twitter account set up to monitor the cashflow in real-time.


On 3 August 2017, at 3am UK time, all three addresses were cleaned out within a matter of minutes. But those who imagined the thieves would finally be unmasked were disappointed.

To spirit away the profits, the crooks used a technique called “tumbling”. They created a network of Bitcoin addresses and mixed the money through them (in money-laundering circles this practice is called “layering”).

It was the digital version of the magician’s three-cups-and-a-ball trick. Many people believed the money had vanished into a web of cryptocurrency.

They were wrong.

The crooks who moved the money made two mistakes in their tumbling. Firstly, they didn’t use enough addresses (fewer than a dozen, compared to the hundreds used in more complicated tumbling operations).

The second mistake concerned the amounts they transferred. In a competent tumbling operation, the criminal money will be split 50/50, and combined with money from “innocent” addresses in equal amounts. After a few transactions, this makes it impossible for investigators to trace the criminal portion of the funds.

Instead, the WannaCry money was moved in large chunks, making it possible to track the ransom cash as it moved from address to address.
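The pattern just described (a handful of addresses, money moved in large chunks, little clean money mixed in) is exactly what makes proportional taint tracing work, and the 50/50 layering described above is what defeats it. The script below is an added example, not code from the original report: its two ledgers, the address names (R1..R3, A..F, M) and the amounts are constructed to mirror the two cases, and it replays each ledger to show how much ransom money can still be attributed at the final address.

```python
"""Proportional ("haircut") taint tracing over a constructed transaction list.

Added example, not code from the original report. Address names (R1..R3,
A..F, M) and amounts are constructed to mirror the pattern the report
describes; they are not the real WannaCry addresses.
"""
from collections import defaultdict

# Ledger 1 (constructed): three fixed ransom addresses, few intermediaries,
# funds moved in large chunks with only a little clean money mixed in.
LARGE_CHUNKS = [
    ("victims", "R1", 20.0), ("victims", "R2", 17.0), ("victims", "R3", 15.0),
    ("R1", "A", 20.0), ("R2", "A", 17.0), ("R3", "B", 15.0),
    ("A", "C", 37.0), ("B", "C", 15.0), ("clean", "C", 8.0),
    ("C", "M", 40.0), ("C", "D", 20.0),
]

# Ledger 2 (constructed): the "competent" layering the report contrasts it
# with: every hop splits 50/50 and takes in an equal amount of clean money.
MIXED = [
    ("victims", "R1", 20.0),
    ("R1", "A", 10.0), ("R1", "B", 10.0), ("clean", "A", 10.0), ("clean", "B", 10.0),
    ("A", "C", 10.0), ("A", "D", 10.0), ("B", "C", 10.0), ("B", "D", 10.0),
    ("clean", "C", 20.0), ("clean", "D", 20.0),
    ("C", "E", 20.0), ("C", "F", 20.0), ("D", "E", 20.0), ("D", "F", 20.0),
]


def trace(txs, tainted_sources):
    """Replay txs in order; return {address: (tainted_btc, clean_btc)}.

    Each outgoing transfer carries taint in the same proportion as the
    sender's current holdings. Payments from a tainted source (here the
    victims' ransom payments) are wholly tainted; payments from any other
    external source are wholly clean.
    """
    bal = defaultdict(lambda: [0.0, 0.0])  # address -> [tainted, clean]
    for src, dst, amt in txs:
        if src in tainted_sources:
            t, c = amt, 0.0
        elif src not in bal:  # external source never seen receiving: clean
            t, c = 0.0, amt
        else:
            held_t, held_c = bal[src]
            total = held_t + held_c
            if amt > total + 1e-9:
                raise ValueError(f"{src} spends {amt} but holds {total}")
            t = amt * held_t / total if total else 0.0
            c = amt - t
            bal[src][0] -= t
            bal[src][1] -= c
        bal[dst][0] += t
        bal[dst][1] += c
    return {a: (round(v[0], 8), round(v[1], 8)) for a, v in bal.items()}


def ransom_share(balances, address):
    """Fraction of an address's current holdings that traces back to ransom."""
    t, c = balances[address]
    return t / (t + c) if t + c else 0.0


def top_sink(balances):
    """Address currently holding the most ransom-tainted value."""
    return max(balances, key=lambda a: balances[a][0])


if __name__ == "__main__":
    chunks = trace(LARGE_CHUNKS, {"victims"})
    m = top_sink(chunks)
    print(f"large chunks: {m} holds {chunks[m][0]:.2f} BTC of ransom "
          f"({ransom_share(chunks, m):.0%} of its balance)")
    mixed = trace(MIXED, {"victims"})
    e = top_sink(mixed)
    print(f"50/50 mixing: {e} is only {ransom_share(mixed, e):.0%} ransom after two hops")
```

In the first ledger the master address ends up holding well over half of the 52 BTC paid; in the second, two hops of 50/50 splitting and equal clean mixing leave every address only a quarter tainted, which is why the reported mistakes mattered.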

As I traced the profits, something strange started to happen: they started to converge on just one address. It looked like this:

[Image: diagram of the traced wallets, with the master address circled in red]

Of the 52 Bitcoins paid in ransom money, at least half ended up in that one, red-circled wallet.

Question was: who owned that master address?

An internet search showed it listed on the profile of a computer gamer who went by the nickname 2Clickz. He was a massive fan of a shoot-em-up game called Counter-Strike: Global Offensive.


2Clickz bought and sold “skins”: bespoke versions of computer gaming weapons, spray-painted and tweaked to look and perform better. 2Clickz was a prolific buyer and seller with almost 3,000 transactions under his belt, hence the need for a Bitcoin address.

I found some websites created by 2Clickz, and some Skype names he’d used, but no real-world identity.

Even his location was hard to establish. He seemed to be in the US: on his gaming profile he said he was in Los Angeles; an old post on Hack Forums showed him attending a gaming convention in Ohio; and an archive site showed a player named 2Clickz had been playing while connected to servers in the Western US.

Despite weeks of searching, 2Clickz still existed only among the murky pseudonyms and avatars of online gaming.

But if he was indeed the owner of the master Bitcoin address where the WannaCry money washed up, it seemed computer gaming wasn’t his only pastime.

Further web searching revealed that the master wallet address was used on a series of websites touting a get-rich-quick scheme for Bitcoin traders. Here are two examples:

[Image: two of the get-rich-quick websites]

In total there were around a dozen. Each site used a slightly different design, but at heart, they were duplicates. Their offer was simple, and tempting: they claimed they could double investors’ money in a few days (however, when I sent a small payment as a test, my money disappeared and I never received any profit).

Design and purpose weren’t the only things the sites had in common. Each of them had a “Why Trust Us?” section in which they attempted to reassure potential customers by telling them that all the sites’ transactions could be viewed online under the company’s Bitcoin wallet address. The address they gave was the same one into which the ransomware money had flowed.

The sites also had an “About Us” section that contained something startling: a British company name and a registration number for it at UK Companies House.


When I checked the number, the company did indeed exist. Furthermore, its business address matched that given out on the get-rich-quick websites, and many of those websites had been registered to the company’s address as well.

The company had a sole director whose name and address in South London were in the registration documents. Not only had I apparently identified the money launderer, but he lived just a few miles away from me.

I tried calling the number given on the website, and sent an email to the support address given, but received no response. The next move was to go and visit the company director’s address.

I waited outside the house from early in the morning, hoping to catch him before he left for work. It has to be said: the small, semi-detached property didn’t look like the home of a wealthy Bitcoin scammer. And when a man left the house and walked past the expensive BMW I’d assumed was his, I started to get dubious.

As I approached, the man’s response only deepened my concern: he turned with a look of benign curiosity, as though expecting to be asked for directions, rather than accused of involvement in a global cybercrime. If he was a Bitcoin crook, he was very relaxed.

It quickly became clear he was an innocent patsy. He had no idea of the existence of the get-rich-quick sites, and didn’t even really understand what Bitcoin was. He confirmed he had set up the company, but it was years ago and he’d done nothing with it subsequently.

It seemed someone had hijacked his company details and used them to lend credibility to the get-rich-quick schemes (it’s easily done: simply find a company that’s been dormant for a while and copy-and-paste the details onto your website).

But if he was an innocent victim, who was the real crook? Who had hijacked his company’s information, used it to set up dozens of websites, and also used the Bitcoin address with the ransom money in it?

The main get-rich-quick site was called CoinFXPro. A search for it on Facebook threw up a post by someone called Eric Kelvin from 28 June 2017, just over a month before the WannaCry addresses were emptied. “This is our first project as a group”, he wrote, “Share share, promote promote and we will make money”.


Eric was attempting to get people to promote his get-rich-quick site in exchange for a cut of the profits. What’s more, Eric had posted it on a Facebook fan page for the computer game Counter-Strike: Global Offensive, the same game played by 2Clickz.

Eric’s Facebook profile bore all the hallmarks of a dyed-in-the-wool hacker. His timeline was filled with posts advertising hacker websites; he gave away credit card account details; he touted to buy an old Facebook profile; and in July 2017 he set up a Facebook group called Intelligent Scammers. Pinned to the top of the group’s page was an advert for CoinFXPro.


Eric used the Intelligent Scammers page to urge others to spread the word about his get-rich-quick scheme. And the people who’d engaged with his plans had an interesting demographic. They were a group of around a dozen men, almost all from either Ghana or Nigeria. They were keen to get involved and make some money.

I got in touch with Eric through Facebook, posing as a potential customer and asking to find out more about CoinFXPro. I was surprised when he responded, but he seemed open to chatting (at least, as long as he thought I could help him).

I asked him about the Bitcoin address he used on CoinFXPro. He told me it was his wallet, that he used it for his projects, and that only he had access to it.

He claimed he made more than £17,000 from running CoinFXPro. But he quickly moved on to talking about his next scam. He’d created a rip-off version of a Bitcoin exchange site (he’d called it shapeshilt.io, subtly changing the characters from the legitimate site, shapeshift.io). He hoped users would be fooled into sending their money through the scam site.

I tried to stall for time, switching Eric to instant messenger where he gave his address as evil_heart@blah.im. But he proved very impatient; when he realised I couldn’t help him, he quickly ended our conversation.

Still, he’d given me a new lead, so I started looking for mentions of shapeshilt.io, his new scheme. I discovered the only time it had been mentioned was in October 2017 by a Facebook user called Samantha Brown.


Unlike Eric, Samantha’s profile looked real: the photos showed a striking, tattooed woman sporting a different hairstyle seemingly every week. There were status updates, likes from friends, an educational history and a hometown.


Finally, after weeks of searching through ghosts, this was a real person.

I searched online for Samantha’s name and hometown. It led to a police report of an arrest. She had been picked up with five others after police found heroin in the place where she was staying.

Could Samantha be the real person behind Eric and the master Bitcoin address? On the one hand she’d had a run-in with the law, but on the other, she didn’t look like the computer-gaming, cryptocurrency-trading nerds I’d come across in the past.

I went back to the police report. Among the others arrested was a woman called Susan Smith. The name rang a bell. I looked back at Eric’s profile. Some months previously he’d asked to buy a Facebook account. A woman named Susan had responded: “I have one”.


The Susan who responded to Eric’s request used a different surname to the Susan who was arrested, but when I searched among Samantha’s friends, there she was. Like Samantha there were tattoos, glamorous selfies, and her bio placed her in the same town as the Susan who was arrested.

Had Susan sold Samantha’s Facebook account? Was Samantha not as real as she first appeared? I began to have doubts about whether Samantha was behind the money laundering, or whether she was even a real person.

I looked more closely at her profile. Yes, there were photos, but they’d all been uploaded on the same date. And nothing new had been added in the meantime.

Then there was Samantha’s list of Facebook friends: almost all men, from a random selection of countries, with a high prevalence of people wearing the Guy Fawkes masks favoured by Anonymous supporters.

I messaged Samantha, pretending to be someone interested in finding out more about Shapeshilt.io. The person who messaged me back admitted the profile had been hijacked. When I asked for an instant messaging address, I was given the following: evil_heart@blah.im. I was talking with Eric again.

To launch his new get-rich-quick scam Eric had simply bought Samantha’s profile from Susan, hopped inside her digital self and carried on.

How did this all tie into the WannaCry hack? The UK government believes North Korea was behind the attack. Was it really they who’d emptied out the three addresses on 3 August 2017? Is North Korea that desperate for £100,000 (albeit subsequently worth £1m thanks to Bitcoin’s inflation)? And if you’d committed such a globally-significant attack, why use someone like Eric to harvest the money?

And in any case, Eric wasn’t a real person: he rarely updated his profile, never posted photos of himself, and used the account solely to promote his hacker schemes. Clearly, someone was pulling Eric’s strings behind the scenes.

I went back to the get-rich-quick sites that had been set up using the UK company’s details. They’d largely been registered using one email address, so I looked for other sites set up using the same address. They were all Bitcoin-related. Except for one.


It was a barely-complete website for a fashion design company in Nigeria. Specifically, in Asaba, a town of around 150,000 people on the Niger Delta.

There was no suggestion that those behind the fashion design company were involved in anything illicit. But Asaba rang a bell. It was listed on Facebook as the home town for a man named Danny K’uzo.

When I’d first started researching CoinFXPro I’d found a series of mentions of it on a blog seemingly set up by graduates of Madonna University, which is a few kilometres south of Asaba. On the blog, a user named DK Exclusives had posted rave reviews of CoinFXPro. In fact, the entire blog seemed a thinly disguised promo for CoinFXPro.


DK Exclusives turned out to be Danny K’uzo. Real name: Daniel Chukwudi.


I started looking back through the get-rich-quick websites. Most had been registered using fake details, including those of the company in South London.

But one of the earliest versions, set up in October 2016 and soon deleted, was different. It was registered using an email address that seemed to belong to Danny K’uzo, and there was a Nigerian mobile number attached.

I contacted the number on WhatsApp, pretending to be someone interested in CoinFXPro. Danny confirmed he ran the site and confirmed he’d owned the master Bitcoin wallet.


He immediately tried to sell me on his new get-rich-quick scheme.

Danny, it seemed, was the true face of Eric, and therefore of Samantha too.

Then, just when I thought things couldn’t get weirder, I got an email with a Christmas greeting from one of the get-rich-quick sites; the one I’d made a small payment to months previously. They wished me and my family well for the festive season, and urged me to invest in their scheme; to ride the wave of Bitcoin inflation that had seen its value soar.

I was assigned a representative to deal with my investment, a man with a Nigerian mobile number, called “Patrick”. I asked him if Danny K’uzo and Eric Kelvin worked with him, and Patrick confirmed they did, before hastily changing his mind and claiming Danny was a “client”. I asked about the Bitcoin address, and Patrick told me it was the “company wallet”.

Had the proceeds from one of the world’s most high-profile cyber-attacks really been laundered through a Bitcoin network run by a group of Nigerians including Danny Chukwudi?

It seems not: the story had one final, bizarre twist. I sent my Bitcoin wallet tracing to a company which does forensic analysis on digital currencies. After investigating, they came back with some frustrating news.

They claimed that the master wallet into which I’d traced the WannaCry proceeds actually belongs to a company called HitBTC, an online exchange where customers can swap Bitcoin for other digital currencies, and vice versa. The forensics firm told me they believed the wallet is an internal corporate account used to balance HitBTC’s different payments.

In other words, they believed the wallet did not belong to Danny’s Bitcoin websites at all. In which case, perhaps Danny and his gang had just hijacked the HitBTC Bitcoin address to make their sites look convincing, just as they had used hijacked UK company details to make themselves look legitimate.

What of HitBTC? Its website showed office addresses in both Chile and Hong Kong. I contacted the company and asked where they are headquartered, and whether they did indeed own the wallet through which the WannaCry money flowed.

HitBTC did not answer either question. In a statement the company said: “We have developed the Anti-Illegal Activity policy which describes the basis of the multi-level procedure we implement on our platform. We constantly work on monitoring the environment, improving the procedures and instruments which protect our community, and, being an international company, collaborate with law enforcement agencies from across the world on a regular basis to contribute to making crypto trading a safe and civilized market.”

With the ransom money apparently rinsed through a Bitcoin wallet, and with the wallet’s true owner beyond reach, it seems whoever laundered the WannaCry profits had got clean away.

As for Mr Chukwudi, I approached him for a comment, asking him what involvement he has with the WannaCry attack, if any, and why the network of websites he seemed to have set up had used stolen company details, but he failed to respond to my requests. Neither did I receive a response from Eric Kelvin nor CoinFXPro. The latter website has been removed, but several of its partner sites are still live, waiting to snare unwary Bitcoin investors.

(In order to protect innocent parties, some names in this report have been changed)
