Profit motives are a powerful incentive for criminal hackers who roam the internet locking up victims’ data and demanding a ransom for releasing it: In June, just one scheme — a cyberattack that crippled the world’s largest meat processing company — yielded an $11 million bounty for a Russia-based hacker gang. But those flows of dirty money also place the gangs squarely in the IRS’ bailiwick.
“A lot of other agencies do more of the technical investigation of the actual [hacking] infrastructure,” said Jarod Koopman, acting head of the IRS’ recently combined cybercrime and digital forensics team, acknowledging that his agency is just one part of a governmentwide anti-hacking effort that includes entities such as the FBI and the Department of Homeland Security. “Our wheelhouse is that financial tracing.”
The IRS’ role in hacker probes has also gone beyond ransomware. After the U.S. became aware in late 2020 of a wide-ranging cyberespionage campaign blamed on Russia’s Foreign Intelligence Service, the IRS used its cryptocurrency tracing tools to learn more about the intruders who had broken into at least nine federal agencies and 100 private companies.
But ransomware has emerged as an especially bedeviling threat to governments and businesses worldwide, after years of attacks have targeted victims including police departments, water utilities and the National Rifle Association. One challenge to investigating such crimes is the fact that the perpetrators overwhelmingly demand payment in cryptocurrency because of its supposed untraceability.
The IRS’ criminal investigations are “the tip of the spear when it comes to crypto investigations,” said Ari Redbord, a former senior official in the Treasury Department’s terrorism and financial intelligence office.
The IRS has two main avenues for hindering ransomware: It could theoretically track the cryptocurrency payments through companies and other victims’ tax returns, and it can investigate the underground movement of cryptocurrencies between victims and ransomware gangs.
Congress helped the first scenario a bit when passing last year’s bipartisan infrastructure package, which expanded the tax code’s definition of “broker” to include cryptocurrency exchanges like Coinbase. These brokers, typically people who buy and sell stocks on someone’s behalf, will eventually have to report annually the names and addresses of their customers whenever they file tax returns after trading or selling crypto — providing a level of transparency into the average crypto owner’s transactions that doesn’t exist now.
It’s a step in the right direction for cybersecurity policy experts who have pushed the IRS and Congress to require companies to disclose high-dollar cryptocurrency payments, arguing it could provide additional insight into when a ransom payment is made.
“As a first step, you have to know the universe of what we’re doing here,” said Michael Daniel, president of the Cyber Threat Alliance and a former National Security Council cyber adviser during the Obama administration. “Obviously you’ll never get 100 percent reporting, but you can get a very good statistically accurate picture of what’s happening in the economy.”
But tax reporting has severe limits. In most instances, the new reporting rules focus on the entity receiving the funds, which in this case would be the Russian ransomware criminals — who aren’t subject to U.S. tax laws or known for obeying government mandates.
The IRS has had better luck tracking down ransomware gangs through the second option: digging into ransomware gangs’ cryptocurrency transactions — or advising the FBI and DHS on how to do it.
At the IRS, Koopman said the agency relies on two types of tools for cryptocurrency investigations: so-called clustering algorithms that gauge the likelihood that two digital wallets are connected to one another, and open-source intelligence, including public records such as wallet addresses, domain name registrations, email addresses and court documents.
Often the agency works with companies like Chainalysis that have proprietary technologies that make linking one Bitcoin wallet to another a lot faster. One example Koopman pointed to is a tool that collects all the “public-not-public” data about people into one place to make homing in on possible suspects much easier.
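The two tool types Koopman describes, wallet clustering and open-source labels, can be illustrated with the textbook common-input-ownership heuristic (all inputs spent in one transaction are assumed to belong to the same entity) and a forward trace from a victim's payment address to any address already attributed to a known service. The following is an added example written for this page; it is not IRS or Chainalysis code, and the proprietary tools mentioned above use many more heuristics and labelled datasets than this. The ledger, addresses, transaction ids and the "ExampleExchange" label are all constructed for the illustration.

```python
"""Address clustering and money-flow tracing on a constructed sample ledger.

Implements the public common-input-ownership heuristic and a breadth-first
trace from a starting address to labelled destinations. This is an added
illustration; the data and labels below are made up for the example.
"""
from collections import defaultdict, deque

# Constructed sample ledger: each transaction spends `inputs` and funds `outputs`.
# Addresses and txids are made-up labels, not real Bitcoin identifiers.
SAMPLE_TXS = [
    {"txid": "t1", "inputs": ["victim1"], "outputs": ["ransom_a"]},            # ransom payment
    {"txid": "t2", "inputs": ["ransom_a", "ransom_b"], "outputs": ["mixer_in"]},  # consolidation
    {"txid": "t3", "inputs": ["ransom_b", "ransom_c"], "outputs": ["exch_dep1"]},
    {"txid": "t4", "inputs": ["unrelated1"], "outputs": ["unrelated2"]},
    {"txid": "t5", "inputs": ["mixer_in"], "outputs": ["exch_dep2"]},
]

# Constructed open-source labels: deposit addresses attributed to an exchange.
KNOWN_LABELS = {"exch_dep1": "ExampleExchange", "exch_dep2": "ExampleExchange"}


class UnionFind:
    """Disjoint-set forest; each root represents one address cluster."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def cluster_by_common_input(txs, max_inputs=20):
    """Return {address: cluster_root}. All inputs of one transaction are merged.

    Transactions with very many inputs are skipped as a crude guard against
    CoinJoin-style transactions, which deliberately break this heuristic.
    """
    uf = UnionFind()
    for tx in txs:
        ins = tx["inputs"]
        for addr in ins + tx["outputs"]:
            uf.find(addr)  # register every address, even singletons
        if len(ins) > max_inputs:
            continue
        for addr in ins[1:]:
            uf.union(ins[0], addr)
    return {addr: uf.find(addr) for addr in uf.parent}


def cluster_members(clusters, addr):
    """Sorted list of addresses sharing a cluster with `addr`."""
    root = clusters[addr]
    return sorted(a for a, r in clusters.items() if r == root)


def connection_evidence(txs, clusters, a, b):
    """Crude 'how connected are these two wallets' gauge: same cluster, and
    how many transactions spent both of them directly."""
    co_spends = sum(1 for tx in txs if a in tx["inputs"] and b in tx["inputs"])
    return {"same_cluster": clusters[a] == clusters[b], "co_spends": co_spends}


def trace_forward(txs, start, clusters, labels, max_hops=5):
    """Follow funds from `start` hop by hop; return [(address, label, hops)]
    for every labelled address reached, in breadth-first order.

    A spend by any address in the same cluster counts as the same entity
    moving the money, so the trace survives simple consolidation.
    """
    spends_by_addr = defaultdict(list)
    for tx in txs:
        for addr in tx["inputs"]:
            spends_by_addr[addr].append(tx)
    seen, queue, hits = {start}, deque([(start, 0)]), []
    while queue:
        addr, hops = queue.popleft()
        if addr != start and addr in labels:
            hits.append((addr, labels[addr], hops))
        if hops >= max_hops:
            continue
        for member in cluster_members(clusters, addr):
            for tx in spends_by_addr[member]:
                for out in tx["outputs"]:
                    if out not in seen:
                        seen.add(out)
                        queue.append((out, hops + 1))
    return hits


if __name__ == "__main__":
    clusters = cluster_by_common_input(SAMPLE_TXS)
    print("cluster of ransom_a:", cluster_members(clusters, "ransom_a"))
    print("ransom_a vs ransom_c:", connection_evidence(SAMPLE_TXS, clusters, "ransom_a", "ransom_c"))
    print("trace from victim1:", trace_forward(SAMPLE_TXS, "victim1", clusters, KNOWN_LABELS))
```

On the sample ledger the three ransom addresses collapse into one cluster even though `ransom_a` and `ransom_c` never appear in the same transaction, and the trace from the victim reaches the labelled exchange deposits in two and three hops. The `max_inputs` guard is only a placeholder for the CoinJoin detection real tools perform; that, together with the quality of the address labels, is where the heuristic's false-positive risk lives.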
The IRS isn’t a silver bullet on its own, though. Redbord, who is also a former assistant U.S. attorney, said federal prosecutors often have a choice in which agency they go to with cybercrime tips: the FBI, Homeland Security or the IRS.
The differences among the three are somewhat limited because they all use the same cryptocurrency tracing tools and open-source investigative tactics. “We all work very closely, so it’s all of us bringing our expertise to the table,” Koopman said.
However, both the FBI and the Homeland Security Department’s investigative unit, known as HSI, are more equipped than the IRS to focus on the technicalities of a ransomware attack, such as how the hackers broke in and what ransomware strain they deployed. Tapping the IRS to focus on the cryptocurrency side of an investigation helps law enforcement keep up with cybercriminals’ agility and constantly changing online locations.
“There is a perception that [the agencies] all don’t get along and that they never work cases jointly,” Redbord said. “But if you look at the big crypto investigations, they involve IRS [criminal investigations], HSI and FBI, and what we would do is create a dream team of agents across the interagency to drive together.”
The FBI brings its range of investigatory experience, tools and funding. DHS’ investigations unit, which sits within Immigration and Customs Enforcement, often has one key ingredient needed to start an investigation: the digital wallet addresses found through any electronics seizures at the border. And the IRS brings the financial nitty-gritty — and somewhat nerdy — know-how.
That detailed financial crime knowledge allows the IRS to crack cryptocurrency cases at a pace like no other, Redbord said.
In many regards, the IRS cyber criminal investigations unit has a startup mentality. It was created in 2014, making it much younger than the more established cyber investigations offices at the FBI and DHS.
The IRS played only supporting roles in cybercrime cases until 2019, when it led an investigation that resulted in a Justice Department takedown of a South Korean child pornography ring and its dark-web site, Welcome to Video. Visitors to the site had to pay in bitcoin to watch videos, and by tracing the flow of the cryptocurrency payments, the IRS was able to close the case in eight months.
“It’s really one of the first times you’ve got a case that isn’t solely focused on server logs or some kind of special high tech,” said IRS agent Chris Janczewski, who led the probe. “It was just a lot of ‘following the money.’”
When Janczewski started investigating Welcome to Video, the only lead he had was the location of the website itself. Koopman likens the scenario to what investigators usually see at the beginning of a ransomware investigation: “You have the technology aspect of the attacks, the footprint of what occurred and then you have the transactional flow,” Koopman said about ransomware cases. “That’s it.”
But there are a few limits to following the money in cybercrime, said Gurvais Grigg, global public sector chief technology officer at Chainalysis. Cybercriminals are agile and quick to cover their tracks, and law enforcement officers could lose their chance to track them while waiting for higher-ups’ approval to start an investigation.
On the other hand, “we do see a growing level of crypto literacy, sophistication and agility across these federal agencies that’s reassuring,” said Grigg, who is also a former FBI investigator.
International probes face other roadblocks: The most notorious ransomware actors live in Russia, which is usually unlikely to cooperate with U.S. law enforcement. The one exception: Russia’s arrest last month of a hacker accused of being behind last year’s Colonial Pipeline attack.
But Janczewski said the IRS has experience tackling those hurdles, noting a couple of cases in which his team found transactions en route, digitally, to China or Russia as they crossed through U.S. allied countries.
“When it comes to international investigations, especially if you want them to be timely, it’s all based on relationships,” Janczewski said.
The IRS’ parent, the Treasury Department, is also likely to take on a growing role in the ransomware fight. In September, the department announced sanctions against Suex, a crypto exchange operating in Russia, saying 40 percent of its transactions involved ransomware and other illicit online activities. At the time, Treasury indicated that this could be the first of several actions against similar exchanges.
Congress is also on the move.
In September, Sen. Maggie Hassan (D-N.H.) introduced legislation, S. 2864, that would direct the Treasury Department to tell Congress how other nations are mining, using and regulating cryptocurrencies. Several lawmakers have introduced proposals to mandate reporting of ransom payments within two to three days, depending on the bill, to DHS — a step that would provide more insight into how many ransomware attacks U.S. businesses are facing, as well as hackers’ financial information. And Hassan is already in conversations with the IRS about the best way to help them address crypto’s use in cybercrime.
In a letter released earlier this month, IRS Commissioner Charles Rettig requested $21 million to support cyber, crypto and “other highly technical” investigations. He also suggested that Congress tweak current crypto reporting rules so the IRS can more easily share the information with its investigative partners at Treasury’s Financial Crimes Enforcement Network and other agencies.
This could all come in handy as the Biden administration continues to toss anything it can at the burgeoning ransomware problem.
“When you look at the strategy that you would need to put together to combat ransomware, you’re going to need a large number of different departments and agencies across the federal government,” said Daniel, of the Cyber Threat Alliance. “It has so many different aspects to it.”