Finland’s National Bureau of Investigation (KRP) made headlines when it traced the money trail left by the cyberattack and subsequent data breach at the Vastaamo psychotherapy clinic.
According to prosecutor Pasi Vainio, the KRP identified Julius Aleksanteri Kivimäki as the attacker and extortionist responsible. Investigators from the National Bureau of Investigation conducted a detailed transaction analysis that revealed a complex chain of transfers involving Monero (XMR), a cryptocurrency designed to protect the privacy of its users.
Monero, launched in 2014, prioritizes privacy and decentralization: it hides the sender, the receiver, and the amount of every transaction on its blockchain, and its developers describe it as “impossible to trace,” a claim that has held so far. That makes it the favourite currency of privacy advocates, but also of cybercriminals who want to move the proceeds of their activities without law enforcement following them. Its CPU-friendly mining has a second dark side: mining code embedded in websites and smartphone apps is used by legitimate publishers to monetize their visitors, and by attackers who inject it without consent (cryptojacking) to mine Monero at other people’s expense.
Despite Monero’s ability to obfuscate the data on its blockchain, the Finnish authorities were able to follow the money. The trail began in October 2020 with a ransom demand of 40 BTC (about €450,000 at the time) in exchange for not publishing the records of more than 33,000 patients of the Finnish psychotherapy provider Vastaamo. When Vastaamo refused to pay, the attacker turned to extorting individual patients. KRP investigators reportedly traced Kivimäki’s money flow with the help of a fake shipment and were able to reconstruct it in detail.
Researchers Map Monero Transactions
According to the analysis, the flow started in Bitcoin (BTC), passed through an exchange with neither KYC nor AML controls, where the funds were swapped into XMR, and landed in a dedicated wallet. From there the XMR was sent to a wallet at Binance, converted back to BTC, and dispersed to various wallets. The Finnish police have kept a tight rein on their investigative methods and have declined to reveal further details of the on-chain analysis. The head of the investigation, Marko Leponen, said the information is secret because it concerns the police’s technical methods; the evidence presented nonetheless implies that they were able to follow the funds across the XMR leg. Note that every hop the police describe touches a service (a swap exchange on one side, Binance on the other) rather than the Monero blockchain alone; tracing that relies on records, amounts and timing at those on- and off-ramps does not require breaking Monero’s cryptography.
This shows that the Finnish police have a sophisticated blockchain forensics capability, one that could follow funds despite Monero’s privacy features: Ring Confidential Transactions (RingCT), ring signatures, and stealth addresses, which hide amounts, senders and recipients respectively. Nothing made public so far shows that any of these primitives was broken; a payment can be attributed without that when the investigator knows the amount and timing of a transfer at one end and obtains customer records from an exchange at the other.
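The chain of hops described above, BTC into a swap service, XMR out, XMR into Binance, BTC out, has two ends where amounts and timestamps are visible: the public Bitcoin chain on one side and the KYC exchange’s own records on the other. As an added illustration (not the KRP’s method, which is unpublished, and not material from the article), the following Python correlates those two ends on constructed records; the exchange rate, fee band, time window, account names and every timestamp and amount are assumptions made for the example.

```python
# Added example, not the KRP's method and not the article's own code: a toy
# correlation of the two visible ends of an opaque Monero hop. Every record,
# rate and tolerance below is constructed for illustration.
from datetime import datetime, timedelta

# Constructed: BTC leaving the extortion wallet for a swap service's deposit
# address, as it would be seen on the public Bitcoin chain.
BTC_INTO_SWAP = [
    {"txid": "btc-tx-1", "time": datetime(2020, 11, 3, 14, 5), "btc": 2.00},
    {"txid": "btc-tx-2", "time": datetime(2020, 11, 3, 18, 40), "btc": 0.75},
    {"txid": "btc-tx-3", "time": datetime(2020, 11, 9, 9, 15), "btc": 5.00},
]

# Constructed: XMR deposits at a KYC exchange, as they would appear in records
# obtained from the exchange. The Monero chain itself reveals none of these amounts.
XMR_AT_EXCHANGE = [
    {"account": "acct-A", "time": datetime(2020, 11, 3, 15, 30), "xmr": 232.4},
    {"account": "acct-B", "time": datetime(2020, 11, 3, 16, 2), "xmr": 40.0},
    {"account": "acct-A", "time": datetime(2020, 11, 3, 20, 10), "xmr": 87.1},
    {"account": "acct-C", "time": datetime(2020, 11, 12, 11, 0), "xmr": 582.0},
]

XMR_PER_BTC = 118.0               # assumed rate for the dates above
FEE_BAND = (0.90, 1.00)           # assumption: 0-10% lost to swap fees and spread
MAX_LAG = timedelta(hours=6)      # assumption: funds move on within a few hours


def correlate(btc_records, xmr_records, rate=XMR_PER_BTC,
              fee_band=FEE_BAND, max_lag=MAX_LAG):
    """For each BTC deposit into the swap, list exchange deposits that fit in
    both amount (after fees) and time. Returns {txid: [(account, ratio, lag)]}."""
    matches = {}
    for b in btc_records:
        expected_xmr = b["btc"] * rate
        hits = []
        for x in xmr_records:
            lag = x["time"] - b["time"]
            ratio = x["xmr"] / expected_xmr
            if timedelta(0) <= lag <= max_lag and fee_band[0] <= ratio <= fee_band[1]:
                hits.append((x["account"], round(ratio, 3), lag))
        matches[b["txid"]] = hits
    return matches


def attribute(matches):
    """Accounts that are the unique fit for at least one deposit, plus the
    deposits that fit more than one account and therefore prove nothing alone."""
    unique, ambiguous = set(), set()
    for txid, hits in matches.items():
        accounts = {acct for acct, _, _ in hits}
        if len(accounts) == 1:
            unique |= accounts
        elif len(accounts) > 1:
            ambiguous.add(txid)
    return unique, ambiguous


if __name__ == "__main__":
    m = correlate(BTC_INTO_SWAP, XMR_AT_EXCHANGE)
    for txid, hits in m.items():
        print(txid, hits or "no candidate within window")
    print("unique accounts:", *attribute(m))
```

In the constructed data the first two BTC deposits line up with deposits into the same exchange account within about 90 minutes and within 2% of the expected amount, while the third has no candidate because the funds sat for three days before reaching the exchange. That is the weakness of the method: a long hold, a split into several outputs, or a deliberately unusual amount widens the candidate set, so a correlation like this is an investigative lead that needs corroboration (the exchange’s KYC file, seized devices, or a controlled payment with a known amount) before it is evidence.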
RingCT Protocol, Ring Signatures, and Stealth Addresses
Ring signatures hide the sender: each spent output is signed as one member of a ring of possible inputs taken from the blockchain, so an observer sees a set of candidates but not which one was really spent. RingCT hides the amounts: values are replaced by Pedersen commitments, and range proofs show that inputs and outputs balance without revealing any value. Stealth addresses hide the recipient: the sender derives a fresh one-time destination key for every output from the recipient’s public address, so the same wallet can receive many payments without any of them being linkable, on-chain, to its published address or to each other. Only the holder of the recipient’s private view key can recognize those outputs.
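The two mechanisms that matter most for tracing, one-time destination keys and hidden amounts, can be shown in a few dozen lines. The following Python is an added example, not code from the article or from the Monero project: it models stealth addresses and RingCT-style commitments in a Schnorr group modulo a 64-bit safe prime with SHA-256, where Monero itself uses the Ed25519 curve and Keccak; the group, the hash, the key sizes and the amounts are assumptions made so the example runs on the standard library alone.

```python
# Added example (not from the article or the Monero project): a toy model of
# Monero's stealth addresses and RingCT amount commitments. Monero uses Ed25519
# and Keccak; this demo substitutes a Schnorr group modulo a 64-bit safe prime
# and SHA-256 so it runs with the standard library only. Illustration, not for use.
import hashlib
import secrets

MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)  # deterministic below 3.3e24


def is_prime(n):
    """Miller-Rabin, deterministic for the sizes used here."""
    if n < 2:
        return False
    for b in MR_BASES:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def safe_prime(start):
    """Smallest safe prime p = 2q + 1 >= start; deterministic, so reproducible."""
    p = start | 3                      # p = 3 mod 4 keeps q = (p-1)/2 odd
    while not (is_prime(p) and is_prime((p - 1) // 2)):
        p += 4
    return p


P = safe_prime(1 << 64)
Q = (P - 1) // 2                       # prime order of the subgroup used below
G = pow(2, 2, P)                       # any square generates the order-q subgroup
H = pow(int.from_bytes(hashlib.sha256(b"pedersen-H").digest(), "big") % P, 2, P)  # log_G(H) unknown


def hash_to_scalar(*parts):
    h = hashlib.sha256()
    for x in parts:
        h.update(int(x).to_bytes(16, "big"))
    return int.from_bytes(h.digest(), "big") % Q


def keygen():
    """Monero-style address: private view key a, private spend key b, public (A, B)."""
    a, b = secrets.randbelow(Q - 1) + 1, secrets.randbelow(Q - 1) + 1
    return (a, b), (pow(G, a, P), pow(G, b, P))


def send_to_stealth(addr, index=0):
    """Sender: one-time key Pk = G^H(A^r, i) * B goes on chain together with R = G^r."""
    A, B = addr
    r = secrets.randbelow(Q - 1) + 1
    R, shared = pow(G, r, P), pow(A, r, P)
    return R, pow(G, hash_to_scalar(shared, index), P) * B % P


def scan_with_view_key(a, B, R, Pk, index=0):
    """Whoever holds the private view key a can tell that output Pk belongs to (A, B)."""
    return pow(G, hash_to_scalar(pow(R, a, P), index), P) * B % P == Pk


def one_time_spend_key(a, b, R, index=0):
    """Spending also needs b: x = H(R^a, i) + b satisfies G^x == Pk."""
    return (hash_to_scalar(pow(R, a, P), index) + b) % Q


def commit(value, blind):
    """RingCT-style Pedersen commitment C = G^value * H^blind: hides and binds the value."""
    return pow(G, value, P) * pow(H, blind, P) % P


def balances(in_commits, out_commits, fee):
    """Verifier check: prod(inputs) == prod(outputs) * G^fee, without seeing any amount."""
    lhs, rhs = 1, pow(G, fee, P)
    for c in in_commits:
        lhs = lhs * c % P
    for c in out_commits:
        rhs = rhs * c % P
    return lhs == rhs


def demo():
    (a, b), addr = keygen()
    R, Pk = send_to_stealth(addr)
    assert scan_with_view_key(a, addr[1], R, Pk)
    assert pow(G, one_time_spend_key(a, b, R), P) == Pk
    R2, Pk2 = send_to_stealth(addr)           # second payment: unrelated one-time key
    assert Pk2 != Pk and scan_with_view_key(a, addr[1], R2, Pk2)
    r1, r2, r3 = 11, 22, 9                    # blinds; outputs must sum to the inputs' blinds
    r4 = (r1 + r2 - r3) % Q
    ins = [commit(5, r1), commit(7, r2)]      # 12 in: 10 + 1 out + fee 1 balances,
    good = balances(ins, [commit(10, r3), commit(1, r4)], 1)
    bad = balances(ins, [commit(10, r3), commit(2, r4)], 1)   # 13 out does not
    return good, bad


if __name__ == "__main__":
    print("balance ok, inflated rejected:", demo())
```

Two points follow directly from the code. The on-chain record for a payment is the pair (R, Pk) and a commitment, none of which mentions the recipient’s address or the amount; but anyone holding the private view key a (the wallet owner, or an investigator who has obtained it from a seized device or a cooperating exchange) recognizes every output paid to that address, which is why Monero’s privacy is only as strong as the custody of that key. The balance check is a pure verifier operation: with Monero’s real parameters it is exactly this homomorphic property, plus a range proof, that lets nodes reject a transaction that creates money without ever learning what was transferred.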
Because of these features, in 2020 the US Internal Revenue Service (IRS) offered a bounty of up to $625,000 to anyone who could develop a way to trace supposedly untraceable privacy coins such as XMR and Zcash (ZEC); the result of that program has not been made public. In Finland, however, the authorities appear to have found a way to follow Monero transactions: prosecutor Vainio said the KRP investigated the transfers received by the Vastaamo extortionist and showed that the ransom money ended up in Kivimäki’s bank account.
Conclusion
The prosecutor’s office requested the additional investigation from the KRP in November last year; the KRP completed its on-chain analysis in the middle of this month. Prosecutor Vainio called the additional investigation a significant piece of evidence against Kivimäki. The defence disputed it at the hearing and questioned the KRP report (in Finnish): Kivimäki’s lawyers argued that the movements of the money cannot be known in the way the police claim, and the defendant denied all charges.
Whatever the method, the KRP’s ability to follow Monero transactions underscores the capacity of police and investigative agencies to perform on-chain analysis of privacy coins. If the claim holds up, law enforcement can track even the most private digital currencies, and Monero users who rely on the coin to keep their transactions private have reason to reconsider how private and untraceable those transactions really are.