Unchained - Federal Prosecutor Kathryn Haun On How Criminals Use Bitcoin -- And How She Catches Them
Episode Date: November 1, 2016Kathryn Haun put away the DEA and Secret Service agents who tried to make off with more than $800,000 in stolen bitcoin while investigating the darknet Silk Road marketplace. She talks about how the b...lockchain technology underlying Bitcoin made it possible to uncover their theft, why she believes blockchain will create a lot of good, and what she does when the very people behind tumblers and mixers -- technology that makes her work more difficult -- turn to her when they are the victims of crimes. Along the way, we learn about the habits of cryptocurrency criminals and get a fascinating view into the world of "breeder documents." Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
Discussion (0)
Welcome to Forbes Podcasts.
Hi, everyone.
Welcome to Unchained, a Forbes podcast produced by Fractal Recording.
I'm your host, Laura Shin, a Forbes contributor covering blockchain, cryptocurrencies, and fintech.
Thanks for tuning in.
If you've been listening to the show and like what you've been hearing,
please review, rate, and subscribe to Unchained on iTunes or wherever you get your podcasts.
It helps get the word out about the show.
Just a heads up that this is the final episode of Season 1.
But please check back in 2017 for Season 1.
For today's episode, I'm speaking with Catherine Hahn, who is the assistant U.S. Attorney
and Digital Currency Coordinator for the U.S. Department of Justice in San Francisco,
and who also teaches Stanford Law School's first class on digital currency and cybercrime.
Catherine is also the prosecutor who put away the DEA and Secret Service agents investigating
the Darknet Silk Road Marketplace, who tried to make off with more than $800,000 in stolen Bitcoin.
She's here speaking with us in her personal capacity and not official capacity today.
Welcome to the show, Catherine.
Thanks for having me, Laura.
Tell me about what you do, how you came to be a federal prosecutor,
and how FinTech, Cybercrime, and Privacy
became your areas of specialty.
Well, now I specialize in the areas that you just mentioned,
fintech, cybercrime, privacy.
But about over a decade ago, when I began as a prosecutor
in the Washington, D.C. area, that's not what I did.
I worked cartel cases and national security matters.
And then some time ago, I moved back here,
out back here to California. And my focus really became organized crime, prison gangs, and murders.
So that's kind of when I came back out to California. And then some time ago I decided, well, we're here
in Silicon Valley. Why not focus on emerging technologies that are so at the heart of our culture here?
And so that's what I did starting about three years ago. And that's how I ended up specializing in some of the
areas that you just mentioned. And so does that mean like you chose,
cases like those?
I did.
Initially, I started working on some of the Bitcoin, the early Bitcoin cases.
And, of course, that led me to some of the darknet cases and more cybercrime,
cybersecurity matters.
And how did you even learn about that area or come in the interest in it?
Well, I'll never forget.
In about 2012, I was sitting in my office and someone came to me in my office and said,
how would you like to prosecute Bitcoin?
And at that time, I really hadn't heard.
about it. This was 2012. Now, of course, we can all laugh now because now that we understand what
it is, we know that it's not a thing. You can't prosecute Bitcoin, of course. I guess it's kind of like
saying, how would you like to prosecute cash? But back in 2012, when we were just learning about
the technology, that wasn't clear. So that's how I first heard about it and came to learn about it.
That's hilarious. So how did you come to realize that you can't prosecute Bitcoin?
Well, I quickly figured that out. Like I said, it would be like prosecuting cash, which just is not a thing.
not possible. So as soon as I delved in and started learning what it was, that became immediately
apparent. Rather, of course, what we could prosecute were some of the criminal uses involving
Bitcoin, just like we do, some of the criminal uses involving cash or checks or PayPal or any
other kind of scheme. And so what were some of those early cases? Well, some of the early cases
were ones you would expect involving dark net marketplaces. You've also mentioned one about the
agents that were involved on one of the task forces dedicated to looking at the Silk Road.
Yeah, so tell me more about that, like what was going on there and what were they
investigating and then how did you come to realize that they were part of the problem?
Well, so the case that you're referring to involves two federal agents who have since pled
guilty, but at the time, we didn't know that, of course. We didn't know it involved two federal
agents. We just knew that we got a tip about one. And it might seem strange, but actually it was
an investigative journalist, kind of someone who is in more your line of work that came to me,
that person's since become a lawyer. And he came to me in my office and said, I want to give you
a tip. I smell a rat. And I think you ought to investigate this. But of course, realize that
when someone from the public just comes to you to give you a tip, and especially when the tip is,
you've got a dirty agent on your payroll, you know, I had to take it with a grain of salt.
To be quite honest with you, I felt that it was, I needed to look into it. But
more look into it to kind of put this, what I'll call rumor, to rest. So when I started looking
into this matter and investigating it, I was doing it from the perspective of, oh, I want to clear
this person's name. But I quickly learned that that wasn't going to be the result. So how did you
investigate that? Well, you know, at the beginning, like I said, it's a bit of a sensitive thing to
look into a federal agent, especially when you don't really have anything more than a tip. We need to be
really careful about that. And so we looked at some publicly available sources, and we did what I'll
call a very high-level review. And that high-level review really quickly showed us that this
particular individual was liquidating hundreds of thousands of dollars worth of Bitcoin a month.
Laura, you mentioned 800,000 in the beginning, but actually the number was far greater than that
because it was 800,000 from the Silk Road. But of course, the criminal conduct in this case was
not limited just to the Silk Road, but to many others in the world out there as well. So once we
saw that the volume was in the hundreds of thousands of dollars and the way it was being moved
around, we knew there was something more nefarious afoot. And that's when I did more of a deeper dive.
So what exactly was he doing? He was investigating these and then just transferring the Bitcoin to his
own personal account? Well, in some cases, I mean, I'm stepping away from the Silk Road aspect. This also,
by the way, was the lead undercover agent communicating with Ross Ulbricht, almost on a daily
basis for years? So he was very involved in that Silk Road case, at least the Baltimore case,
not the New York case, investigation that was going on at the time. But he was literally
going around to different exchanges, alerting them that they had criminal proceeds on their
exchanges and that he'd be seizing them. And then those funds would make their way back to
his own personal accounts. Wow. And so have you learned to read the blockchain or like how do you
dive into all those technical details, which I'm sure you're not exactly trained in? I wasn't trained in it.
You're right. But you know, like any kind of thing that were involved in investigating or prosecuting,
you have to learn to get up to speed on a new area of technology or a new area of law. It's no different
than when I wasn't an expert in motorcycle gangs. I had to learn about what all of the symbols meant.
and how those structures were organized.
So to here, I didn't know about the blockchain.
I needed to learn about how it worked.
And so I really have to give the credit to the agents that I was working with.
I was working with some federal agents, many of whom are not in the San Francisco area,
but who are throughout the country at this point.
And they're really some of the government specialists in this.
And they helped me discover how one could go use the blockchain to trace transactions,
transactions of value, using things like Wallet Explorer, for example.
And so I would not say I'm an expert in the technical aspect of blockchain analysis,
but I was able to learn how to go on and trace transactions.
So when you're unraveling a crime that involves Bitcoin,
how does that compare to doing the same for a traditional type of crime?
Well, let me talk about first how it would be similar to investigating another crime,
and then I'll talk about how it would be different.
I mean, the similarities are that in most any crime, you can follow the money.
And so that's simply what we did here.
Or what we're doing when we're investigating a crime involving the use of criminal use of Bitcoin.
We're following the money.
Another thing that we would do in common is we would get typically an email search warrant
or search warrant for communications facilities, cell phones, like I mentioned, emails.
So those are some of the similarities.
But then there are also some differences.
And some of the differences are things like anonymizing technologies that are being used.
I mean, things like Tor or I-2P.
In the case of the agents that we were talking about, one of the things that was different in that case is these were the perfect criminals.
I mean, they knew how to cover their tracks like almost no one else that we've investigated.
They were able to use their agent status to unwittingly get companies to alter-exam.
evidence, unwittingly, of course. They were able to use burn bags and shred evidence and get rid of
kind of covering their tracks. But what they really couldn't escape from was that immutable and
permanent record of the blockchain. And so that actually came in very handy to us in unraveling this.
Yeah, and so that's something we didn't discuss. You got the tip about the one, but then how did you
figure out that there were actually two? Well, actually, it was from the blockchain. And here's how.
we knew that the first agent, the DE agent, had been liquidating hundreds of thousands of
Bitcoins. We traced those Bitcoins back to the Silk Road. It turns out that that agent had also
been extorting Ross Ulbricht, his target, under a name, the moniker he was using was
death from above. And then separate from that, he was also using another moniker French made
to actually sell Rosselbrick information into the government's case. So we knew about
those sources of Bitcoins that this agent had obtained. There was then a theft from Silk Road vendor
accounts of 21,000 Bitcoin. And for those of your listeners who obviously are following Bitcoin and
the price, that's a lot of money, 21,000 Bitcoin. And we knew it had disappeared from Silk Road
vendor accounts using a Silk Road administrator's username, credentials, and password. So, of course,
many people are involved in our investigation believed, well, it's got to be the DEA agent because
he had access to all of those things. Or it's got to be the Silk Road administrator himself.
But what we could see from the blockchain is that the patterns of this DEA agent did not match
the patterns of the person who had stolen the 21,000 Bitcoin. We could just look at the blockchain
and see that the modus operandi, what we call in law, the signature, was did.
different.
And by that you mean just the accounts were different or like how do you define that?
Not only the accounts, but kind of the pattern of where the funds would flow.
For example, the DE agent used numerous hops, numerous different wallets and was really moving
things around kind of every three days to different addresses and different wallets on the system.
And only after, you know, about a month or more would he liquidate those through his digital
currency account?
He was basically trying to kind of like...
Off the skate.
Okay.
Correct.
I see.
But the other was...
The other was kind of one fail swoop, I'm generalizing, of course, but one fail swoop into
Mount Gox, which, as you know, is the now defunct digital currency exchange that was based in Japan.
And so it was kind of all into one place and then all out of that place.
All out of that place, curiously, just two days before the feds did a seizure warrant on
Mount Gox, which also made us think that timing is very odd. Was it someone who knew that Mount
Cox accounts were soon to be seized by the federal government? So we could really see the
patterns were different, and that did tell us we think we might be dealing with more than one
rogue actor. Oh, interesting. So he is not one of those people that lost his funds in the Mount
No, he actually got them out before the Fed seized the Mount Cox bank accounts and also before the hacks.
And so what happened was these funds were transferred out of Mount Gox.
And using the blockchain, we could see that they were transferred to ultimately a shell company,
a shell company's bank account here in the U.S.
And imagine our surprise when we used other investigative methods to uncover who own that shell company.
and it was revealed that it was a Secret Service agent who had also been on that same Baltimore Silk Road Task Force.
And do you know those people personally?
Well, I prosecuted them, so I do now.
Okay, but before you didn't?
I did not.
Okay.
No.
Okay.
No, they were agents based on the East Coast.
Right.
So I hadn't come into contact.
Apparently, we had been at some of the government's meetings on these kind of new technologies, but I had never met them personally.
Okay.
And I'm just curious also about this transition that you made to, you know, learning more about fintech and prosecuting crimes in this area.
How does it compare to other stuff that you've, you know, prosecuted before, like in terms of maybe your own interest or the kind of like intellectual, you know, richness of it?
Well, I mean, I think I always really had the fire in the belly about violent crime.
To me, just violent criminals were always the ones that kind of got me fired up to go do my.
job every day and a job that I was passionate about because I felt like they're hurting other people
directly. And I never really, and I never really honestly, Laura, thought I would get that same
kind of passion for doing what we might call more white collar or cyber crime cases or even public
corruption, because what we're talking about really is a public corruption case. But I have to say
these cases, at the end of the day, particularly the one that we're talking about, I was every bit as
motivated to kind of find out who done it and to make sure that that wrongdoing was brought to
justice as I was for many of my other cases involving more violent crime. So I think that's how
I would contrast them. I mean, obviously, I guess the other difference is, well, that's a similarity.
A difference would be just in the kind of technologies that we're using to catch some of the
dark net purveyors, for example, or, you know, large-scale vendors, say of those selling
machine guns on the darknet.
And those individuals are very smart. They know how to cover
their tracks. They know about tour. They know about anonymizing
technologies. They know about how they can best remain anonymous.
Whereas some of the kind of criminals that I've prosecuted over the years
in kind of prison gangs or street crime, bank robberies,
they're not trying to cover their tracks so much as just get out of town.
But they do leave a paper trail a lot more. Or at least they leave a
forensic trail, I guess, a lot more than some of these criminals involved in using financial
technologies and the like. Yeah, so speaking of trying to hide your trail, there, you know, has been
increasing use of tumblers and mixers that make it difficult to track exactly where Bitcoin's
that are involved in illicit activity end up. So I'm curious to know how that's affected your work
and, you know, if you're still able to follow the trail. Well, there was a lot of talk about tumblers and
mixers maybe a year or two ago. And certainly they existed. And initially we thought, oh, no,
this is really going to end our trail, if you will. It won't be possible to keep following the funds.
But the truth of it is, Laura, those tumblers and mixers were early technologies. And they weren't
frankly all that great. They didn't tumble and mix as well as I think they advertised in some cases.
So I'll just say that some of the time we were able fortunately to unscramble, if you will, what the Tumblr and Mixer had done.
Now, that was only, in my opinion, that was only because it was early days of Tumblr and mixer technology.
And they do think that now times have changed, and they've changed quickly.
And so tumblers and mixers, I think going forward are going to be a real problem for us to do that on scrambling.
But that said, I don't think we can just give up because we come into a Tumblr and mixer.
We have to at least try and see if there is a way to continue to follow the funds.
And at some point it might be that the technologies behind tumblers and mixers are so good
and so foolproof that the trail will end for us.
Now streaming on Paramount Plus, it began on the shores of New Jersey.
The calls of Jim, tan, laundry, reverberated north to Canada, where a new type of party animal resides.
They move as a herd migrating to their favorite watering holes, asserts.
Dominance by flexing, grinding, and twerking.
Coupling is quick, steamy, and sometimes in hot tubs.
When morning arrives, they do it all over again.
Canada Shore, new original series, now streaming on Paramount Plus.
Okay, well, that's maybe not as optimistic of a view as one might hope for from a prosecutor,
but, you know, it is true that we've seen, you know, huge advances in this technology in a short
time. So I was curious to know if there are any overall trends that you've noticed in the crimes
that are committed with cryptocurrency versus those that are not. Like, are they, you know,
different in any particular way? Well, as I alluded to earlier, the one thing that does kind of stand
out is the use of other technologies like Tor or like I2P. Also kind of these... I don't know what
I2P is. Oh, the Invisible Internet Project. Think of it as another version of Tor, the Onion Router.
It has less kind of what I'll call market cap right now.
Still, Tor is much more heavily used, but I2P is kind of catching up a bit.
And so when those are used, then that just means like you, again, the trail goes cold for you?
I wouldn't say the trail goes cold just for the use of Tor.
I mean, you know, tour is not perfect, obviously.
Interestingly, you know, Tor was developed, as you probably know, by the government, the United States government.
But of course it makes it much more difficult.
I mean, the whole purpose of things like Tor or I2P are to mask IP addresses.
Another thing that I think I see trends, as you asked, for those using cryptocurrencies to commit crimes, would be using kind of non-traditional email providers.
So email providers based, for example, in Russia and not using a Gmail address or not using an Apple.
email address. Also use of kind of messaging apps, not WhatsApp, for example, but using instead
Telegram, which I've never even heard of. And Telegram is getting a lot of notoriety because of
some of the kind of terrorist uses of Telegram. Telegram is in theory an application where you can
essentially instant message, but then the messages are not kept or stored. They're gone.
Oh, so it's sort of like Snapchat, but not for teens.
Exactly.
Why do you think they're using these email providers in Russia and stuff?
Like, why?
Well, I think, I mean, we saw that actually getting back to the case you asked me about.
The Secret Service Agent is a great example of that.
He, and talk about different patterns and how we knew we were talking about two different actors,
we saw the DE agent was still using kind of the hotmail email email addresses.
The Secret Service agent, to cover up his crimes, was using, you know,
you know, Yandax in Russia. I think the thinking here is, well, if the government gets a search
warrant and they're not going to be able to serve it without a whole lot of headache on a Russian
company, on a company that's not here in the U.S. It's much easier to go, or at least it used to be,
much easier to go to Microsoft or Google and say, here's a federal search warrant. We've
justified probable cause for getting this content than it is to go to a Russian company.
Oh, wow. I wouldn't even know how to get a Russian email address, but I guess if you have the motivation.
I'm not going to advertise that here on your show either.
So in general, how quickly would you say that we're seeing criminals start to use cryptocurrency?
Is the prevalence growing? And if so, like, how quickly? And, you know, would you say that's happening?
Oh, I think it's happening very quickly. But I want to be clear, I don't just think only criminals are using this, right? I think there are, I mean, I actually know federal agents who have.
have Bitcoin. And they're not doing it, they're not having it to steal. They actually have it
because they find it an interesting technology. So I think that the, I hope that the overwhelming
uses are becoming more and more legitimate. But, you know, like all great technologies,
I mean, it starts out that criminals are often the first or the earliest adopters. So I think
we're still seeing that they're quickly using cryptocurrency, and that's on the rise. But at the same time,
it's also on the rise of kind of the population at large. I think it's no different than just
everything going digital, right? I mean, you start out using cash, you move to kind of checks in the
credit card era, then you move to the PayPal and the Apple pay era, and then you're on to
cryptocurrency. I mean, just like the public at large is moving in this direction, so two are the
criminals. So I think it's rising very quickly. Well, if you were a criminal, which would be your
preferred, you know, a medium transaction? Well, I certainly won't answer that question.
Okay. Well, I'm curious to know, do you feel like cash is still preferred by a lot of criminals?
Oh, I think it really depends on the crime. I mean, if you're talking about the need to move, you know,
relatively little cash, I think, yes, it is. And if you're talking about a crime where it can take place,
a transaction on the street. Absolutely, because we know that that's not trackable or traceable.
Then you run other risks, though, of your meeting person to person. But where you're talking
about kind of large-scale criminal activity or fraud, it's just not feasible to make the cash payments.
Okay. Yeah, and I guess also if it's like happening cross-border.
Exactly. Right. When you look at some of the crimes that you commonly see, and not just with
cryptocurrency. But, you know, just across the board, what are some of the ways that you think
blockchain technology could help you prevent those? Well, I think one of the interesting, I think,
use cases, and I don't know that it actually is a use case yet, it might just be being tested,
but is in the area of public records. For example, of all of the kinds of cases, and I said this
a couple weeks ago. But of all of the cases that I've ever done, whether you're talking about
the Hells Angels, or whether you're talking about marriage fraud, or whether you're talking about
the bank officer I prosecuted for impersonating dead people, I mean, or whether you're talking
about some of the criminals that I've prosecuted and using cryptocurrency, they all have one
thing in common. There's always been, somewhere along the way, a forged, counterfeit or
stolen public document.
And they all have that in common.
Even a murder case, I tried.
Same thing.
It had a forged public document.
And so I think one of the interesting use cases for blockchain is to kind of help prevent crime or rather help stop fraud.
Let's just call it that.
Help stop fraud in the first place is could public records be issued on a blockchain?
And I think that's a very interesting thing to explore.
Let's take the case of birth certificates, for example.
Did you know, Laura, that in the United States alone, over 6,500 different entities issue birth certificates?
Oh, my God, no.
Using over 14,000 different forms.
Wow.
And that's just in this country.
So you can imagine that it's extremely easy to counterfeit or create a forged birth certificate.
I mean, people can't even recognize what a forger is because we're using 14,000 different forms and have 6,500 different entities.
entities issuing them. And you might think, well, what can you really do with a forged birth certificate?
Well, a lot. We call these, in law enforcement, we call these breeder documents because they quite
literally breed new identities. Let me tell you how. You get a forged or a fake or stolen birth certificate
in a name, and you take that down to the DMV and you get your photo taken with that. And now you
all of a sudden have also a driver's license. You take the driver's license and the birth certificate to the
passport office, now you've got yourself a passport, and all of a sudden, with these three
kind of identity documents, the sky's the limit on what kind of criminal activity you can do.
You could file for fraudulent benefits from the government.
You could commit some kind of terrorist defense.
You could purchase weapons.
You could traffic in people.
You can obviously commit drug smuggling.
I mean, really the sky, like I said, the sky, unfortunately, is the limit.
And so it's a real problem having the ability to kind of steal or counterfeit.
a birth certificate quite so easily. And, you know, don't take my word for it. I mean,
the Department of Health and Human Services some time ago sounded the alarm when their Inspector General
wrote a pretty scathing report on the prevalence of this kind of fraud happening with birth certificates.
And you can go look that up online to see what I'm talking about if your listeners are interested.
That's absolutely terrifying to listen to just how easy it is to do that.
When you think about implementing that kind of solution, though, I also think of tons of obstacles, you know, kind of what do you imagine will happen as we're starting to see. I mean, governments are taking an interest in it, but do you have a sense of like where it might first be applied or how it might roll out?
Well, first of all, let's talk about the problem that it would be trying to solve. So one problem is I just alluded to it, be trying to solve forgeries or fakes. Right. At the end of the day, these centralized databases spit out for us a paper document.
And, you know, sitting here going into 2017, it just doesn't really make sense anymore to have that be a paper document, particularly where, as I said, they're so easy to forge.
So that's one problem, the forgery.
But another problem with some of the centralized databases right now that the municipalities and the governments have for maintaining these public records are they're subject to tampering.
And I think that's a concern also because, for example, in 2008 here in San Francisco,
I don't know if you were possibly not here at the time, but the city of San Francisco's network
administrator became disgruntled after getting some poor performance reviews.
And he changed all of the other engineers' passwords.
And he literally held the entire city of San Francisco's computer systems and databases hostage for five full days.
No one had access to those documents.
So anyone needing a city document during that time was out of luck.
That is crazy.
Yeah, don't mess with the IT guy, right?
That was the lesson there.
But the point I'm making is that kind of tampering where you have a centralized database is possible.
So the problems are fraud with paper documents and tampering with centralized databases.
People are looking to the blockchain as possibly solving those because, one, it's no longer a decentralized.
database, right? You have it spread out over millions of different systems worldwide. So the
possibilities for tampering. I don't want to say there are none. As a prosecutor, I would never say
none, but let's say significantly reduced and very difficult to tamper with decentralized systems.
And then also, you don't have the possibility for fraud because you're not printing out a paper
record. Because of the immutability and the permanence, one can simply look to the fact of that
blockchain to prove that, you know, did a hospital write a record to the blockchain when a
particular child was born. And I know it's very early days, but are there any pilots or kind of
any initiatives that you know that are sort of interesting to you in this realm? In the public
records realm? I'm not actually, I haven't looked into it too much. None come immediately to mind.
And I know that there are some pilots.
I don't know what the MIT digital currency project is, I think possibly involved in some of those.
I've heard about pilots in some of the countries involving not necessarily birth certificates, but involving land titles.
I believe in Georgia, Honduras, I've heard as well.
Sweden, I think.
And, of course, we have Estonia as kind of a model of e-government, right?
But to answer your question about what would be some of the hurdles,
I think one hurdle is if we're looking at the United States, look, we've got 50 different states.
But I already told you that 6,500 different entities can issue birth certificates in this country.
So I think it would be very interesting to have kind of an experiment with, you know, one state.
Like, let's start small.
Let's have a small state start issuing as a pilot project for certificates on a blockchain and see how it works.
and then let's test it. Let's have people try and hack that. And let's see if they can. And so you're not saying, oh, let's move the entire country. Let's move everyone to this system all at once. I think really start with a small pilot project, start in a small jurisdiction, and kind of see how it goes.
Yeah, I think that's what we're seeing with a lot of these pilots these days.
So one thing we've been talking about a lot in this episode is the public Bitcoin blockchain.
But soon there will be some cryptocurrencies that are more private, including one that's getting a lot of buzz called Zcash.
How will something like Zcash, which is effectively like a more private cryptocurrency, how will that affect your work?
Well, I think Zcash is supposed to publicly launch next week at the end of October.
I think it was October 28th.
And if it works like it's supposed to, it would make our work a lot harder.
Now I say if, and that's if it works as it's supposed to,
because we don't really know yet if it lives up to the hype of being purely and truly anonymous.
But the thing that we do know is that it's a matter of when,
not if we have an anonymous kind of form of payment,
that the technology will catch up, that we will someday have that.
I do believe that.
And I think that, I don't know whether that's Zcash or whether that's some other form that comes out.
But I think that will make our work a lot harder.
Because as I told you, one of the main ways we can trace criminal activity is following the money.
Right. Criminals want to be paid.
And if we all of a sudden omit an entire kind of source of evidence that's historically been available to us,
that's going to make our job a lot more difficult.
Absolutely.
And so is this the kind of thing where, you know, like I know way back in the day, some people talked about like, oh, is the government going to shut Bitcoin down? But, you know, then of course, I think the government realized that actually the blockchain is really useful to them. But in the case of Zcash, which, you know, might have a different reputation, is that something that either could be shut down or that the government might try to? Well, I just want to clarify. I don't think there.
the reason that the government didn't shut down Bitcoin was because the blockchain was useful
to the government. I think the reason is the government recognized you can't shut down Bitcoin.
I mean, there's simply no way. And that's what we're seeing here is once with these technologies,
when the genies out of the bottle, you can't put it back in. Right. And so even if the U.S.
government, and it would require, I think, a kind of change in our laws and policies that society
would, you know, inform that decision-making. But even if we could hold, I think,
developers of these technologies accountable. And right now, generally speaking, that's very hard to do.
It's very hard to say, you've made a technology. We will now prosecute you for making that
technology. That's really counter to our existing kind of legal system right now. We're seeing
this debate, by the way, not just in anonymizing technologies. We're seeing this debate with gun
manufacturers. I mean, there's, I think there's some real analogs there. You know, our law
right now are such that we do not hold gun manufacturers liable for the harm that their product
causes. And I think at some point we as a society need to say at what point might we want to
change those laws? I don't know that we do, and I'm not advocating that we do want to change them.
I'm just putting that out there as food for thought. I hear a lot of times some of the developers
creators of these anonymizing technologies say, oh, we're doing this for privacy. We just want
everyone to be able to have private transactions, which I very much like and endorse.
On the other hand, look, it's obviously the case that a large percentage of criminals are also
going to be using and gravitating toward those kind of technologies.
So at what point do you, as a developer, I mean, is there a percentage that you're
comfortable with as a developer of where your technologies are being used for more harm than good?
Do you think about those questions?
And I don't know the answer to that.
I don't know what's in the mind of some of the people that are creating this.
And I think there are a lot of, as I've made clear, very good uses and very legitimate uses for some of these technologies.
But I do worry about the effect that they will have on our ability to help solve crimes.
I mean, you know, ironically, some of these very technologies come to us when they've been hacked.
When they've been the victim of a hack, you know, a tumbler, a mixer, and all.
the funds are stolen. Well, you know, who do they turn to to kind of help if they help try and get
their money back or put the wrongdoer behind bars? And ironically, some of these technologies or these
developers are becoming sometimes victims. Interesting. And, you know, it makes it hard for us to
solve their crimes because of their technologies or the crimes that have afflicted them, I should
say. So that's fascinating. So when an organization like that comes to you,
in that case where you know that they've kind of been making your job difficult,
like how does that, you know, affect the calculus of like whether or not you're going to, you know,
choose that case?
Well, I don't think that really would affect the calculus, to be totally honest with you,
because I don't think that we are thinking that we're adversaries with these technologists
or developers, quite the contrary.
I mean, so I don't think it would affect whether or not we would take a case.
I'm just pointing out the irony that some of the exchanges over the years that have been hacked
that have come to the government to seek assistance in solving the hack or getting back the money
were kind of, I think, originally not thinking they would be coming to the government for help.
But I don't think it would affect our calculus and whether or not we would take a case.
And that's true, not just in the space of anonymizing technologies or cryptocurrencies.
It's true in any case, right?
it's true in the cases of violence or assault or robberies.
I mean, just because, let me give you an analog,
let's say kind of a bank robber who I had prosecuted over the years.
Actually, I did have one who came back after he got out of prison
and did another bank robbery.
Let's say he was the victim of an assault,
and he came to me to report that.
I wouldn't not take that case because he had previously been in a posture that was adversarial to me.
And I think it might be a far-fetched analogy, but I think you get my point.
Okay.
Are there any other kind of like new frontiers in crimes and financial technology that you think are coming up or that are trending?
Well, I don't want to give anyone any ideas.
I think people out there know what they are who are using them already.
So I don't want to draw or highlight them.
As far as I know, you recently gave a TED talk about some.
some good uses of blockchain technology, aside from the government records, is there anything
else that you want to highlight that you're excited about?
Well, I don't know how it will play out, but I am excited about some of the pilot projects
with respect to putting kind of sometimes private data, maybe whether it's onto private
blockchains or whether it's on public blockchains in an encrypted form.
In the case of, for example, something like medical records.
I mean, we talked earlier about public records and birth certificates, and people always say, well, aren't you concerned about privacy?
And I say, well, when I'm talking about public records, I'm not concerned about privacy because those are public.
Now let's talk about private data.
And if you want to talk about private data, let's talk about, for example, your medical data.
You know, Laura, I don't think most people realize that their medical data is more valuable on the dark net, far more valuable than their financial or credit card information.
And I don't think they realize that hackers are actively targeting the health sector.
Did you know that over 150 million breaches of patient records have already happened as a result of things that we've probably all heard of, like the anthem breach?
And of course the anthem data wasn't even encrypted, right?
And why is it that medical records are so much more valuable on these marketplaces?
It's a good question.
I mean, a couple reasons.
One, with medical data, thieves can take that to create fictitious or fake IDs and bill insurers for fraudulent claims kind of en masse.
They can also buy medical equipment and drugs that are consistent with a particular patient profile and avoid detection because the insurance companies or medical providers don't catch this because it's, of course, consistent with a particular patient's profile that they would be buying.
that medicine or that they would be buying that medical equipment. And then they resell those,
whether on the black market or elsewhere. And so there's a huge marketplace for that. And like I said,
150 million patient records have already been breached. That's staggering. And those are just
the ones we know about that have been announced. And we know that hackers are actively targeting
the healthcare industry. And part of this is because high reward, right, I just said they can make a lot
of money with this information. But it's also some of the least secure. Right. I mean, hospitals and
insurance companies and doctors offices and the medical industry as a whole is more focused on patient
care than cybersecurity. Right, especially compared to something like a bank. Exactly. And also,
banks have been sometimes having to comply with certain kind of regulations that particularly
apply to financial institutions, which aren't really as much in effect or enforce when you're
talking about medical data. Of course, there are things like HIPAA, but in terms of securing
the actual data, this is a real problem where you have kind of some centralized databases
that aren't that secure, but that yet are so valuable to thieves. So if thieves break into a
centralized database as they did, for example, with Anthem, they can make off with everything.
So getting back to your question of some use cases that might be exciting, I mean, if it is the case, and I don't know if it is, but if it is the case that, for example, what some of the MIT researchers are exploring right now with putting private encrypted medical data onto some form of a blockchain that's decentralized, so you don't have a central repository for hackers to hit, I think that's an exciting use case because I think that we're just starting to see how dangerous it is.
with having private medical data kind of in these not well-guarded repositories that are central.
Yeah, and the other thing I was thinking is that, you know, with your financial data,
you can change your credit card number or, you know, but you can't change like your Social Security number.
You can't change your prescription.
You know, these are all things that are really just central to you.
And they're also private, right?
I mean, how many people want thieves or being able to know what kind of medicine,
treatment or procedures they've undergone. Those are incredibly sensitive pieces of information.
And another thing is we see ransomware providers, and we see ransomware providers actively targeting
two sectors. The first is the health care sector and hospitals. And the second is municipal
governments, things like police offices. But if you go back to targeting hospitals and all
a sudden a ransomware provider can take an entire hospital's systems hostage and demand some
kind of cryptocurrency for payment. Now right now, if they've used blockchain and they haven't
used tumblers and mixers, we might have a fair chance at solving that crime. But if these things
achieve kind of perfect complete anonymity like tumblers and mixers and Zcash and a hospital
system has taken siege, will we ever be able to kind of uncover who is responsible for that?
I hope that we can up our game and use other investigative methods, but at some level, it's
trying to, you know, we're prosecutors, we can only use the tools that the public and society
give us and that our laws give us. And at some point, we have to be able to solve crimes and prosecute
crimes with two hands tied behind our back. Right. And so in this case, definitely the better
solution would be to put the medical records on a blockchain that's secure. It can't be hacked.
And that's not something that law enforcement is obviously going to mandate. That's something
that private industry, that researchers, that regulators, I mean, we'll all have to work out
those things. That's not in my area of specialty. But I do think that where you're talking about
private data like medical records, it is really a problem. Yeah. Well, this has been such a fascinating
discussion, where can people learn more about your work and get in touch with you?
Well, I would just direct them to the Justice Department's website, which is www.usdoj.gov.
And you can see about not just my work, but the work of the many prosecutors around the country
in all of the districts they're doing. And you can visit kind of the cybercrime sections
page on that website, which is C-Sips back in. C-Sips is a component of main justice at headquarters.
Well, thanks so much for coming on the show.
Thank you so much for having me.
Thanks for joining us today.
If you're interested in learning more about Catherine, check out the show notes, which are available on my Forbes page, Forbes.com slash sites slash Laura Shin.
Today's episode concludes Season 1, but please check back in 2017 for Season 2.
And if you've been enjoying the podcast, please remember to review, rate, and subscribe to it in iTunes or your preferred platform.
Thanks again for listening.
Thank you.