The Data Day: Tracking Cybercriminals and Nation-State Actors in the World of Cryptocurrency—A Conversation with Jackie Koven of Chainalysis

April 25, 2023
22:27 minutes

Tune in to the third episode of Ropes & Gray's podcast series, The Data Day, brought to you by the firm’s data, privacy & cybersecurity practice. This series focuses on the day-to-day effects that data has on all of our lives as well as other exciting and interesting legal and regulatory developments in the world of data, and features a range of guests, including clients, regulators and colleagues. On this episode, hosts Fran Faircloth, a partner in Ropes & Gray's Washington, D.C. office, and Edward Machin, a London-based associate, are joined by special guest Jackie Koven, who is head of cyber threat intelligence at blockchain analysis firm, Chainalysis. Join us as we discuss how Jackie and the Chainalysis team track cybercriminals and nation-state actors who are involved with ransomware payments and other cryptocurrency schemes.
Edward Machin: Welcome, and thank you for joining us on the third installment of The Data Day from Ropes & Gray, a podcast series brought to you by the data, privacy & cybersecurity practice at Ropes. In this podcast, we'll discuss exciting and interesting developments in the world of data. We feature attorneys at Ropes & Gray, as well as clients, regulators, and other industry leaders in conversation about what's new in the world of data. I'm Edward Machin, an attorney in Ropes & Gray's data, privacy & cybersecurity practice. I'm based in our London office. I'm joined by my colleague and co-host, Fran Faircloth, who's based in our Washington, D.C. office.

Fran Faircloth: Thanks, Edward. This week, I'm talking to Jackie Koven. Jackie is head of cyber threat intelligence at Chainalysis. In that role, she tracks cybercriminals and nation-state actors who are involved with ransomware payments and other cryptocurrency schemes. She's part of the ransomware task force at Chainalysis and came to this role from the intelligence community. She was previously an intelligence officer with the Department of Defense, has a really interesting background, and should have a lot of interesting things to say about this.

Edward Machin: Yes, absolutely—I'm looking forward to the conversation.

Fran Faircloth: Welcome, Jackie. Thank you so much for joining us on the podcast today.

Jackie Koven: Thank you. Thanks for having me, Fran.

Fran Faircloth: Just to start out, can you introduce yourself to our listeners a little bit?

Jackie Koven: I'm Jackie Burns Koven. I lead cyber threat intelligence at the blockchain intelligence company, Chainalysis.

Fran Faircloth: What does that involve? What are your day-to-day activities at Chainalysis like?

Jackie Koven: Chainalysis is a data company—we're the blockchain intelligence company. We provide software, data, investigative services, and training to our customers, and that can be anyone from regulators, government intelligence services, law enforcement, as well as private sector financial institutions, cryptocurrency businesses, cybersecurity firms, and even brands. The core of our platform is the data that's blockchain data and attributing different individuals and entities to specific cryptocurrency wallets. And so, my team is focused on cyber threat actors and their enablers on the blockchain, tracking their scams, stolen and extorted funds on the blockchain, but also, all of those purchases leading up to that flashpoint event, so, sellers of access, sellers of Malware-as-a-Service, crypting services, bulletproof hosters—all of those components that comprise an attack, and then, where the funds go post-attack.

Fran Faircloth: Sounds really fascinating. How'd you get into this area?

Jackie Koven: I started in the intelligence community. Blockchain was not even in my vocabulary, neither was OSINT. If something wasn't top secret, then it had no value to me—that was my mindset back in the day. It wasn't until I actually left the IC to go to graduate school that I discovered blockchain technology. As an intelligence officer, I was an information junkie, and I was really intrigued by how the blockchain worked, how it could be a source of record, and how it was immutable. It was the perfect combination at Chainalysis of this advanced technology and going after bad guys, which is what I was passionate about in the IC. And you have that skill at Chainalysis: the transparency of the blockchain, and the ability to follow funds and use them for attribution of threat actors—it's just an incredible capability that I never had exposure to before.

Fran Faircloth: I can see how that could be really interesting and very helpful to people in the private sector even. I'm just thinking of my clients when they are under these cyberattacks. Can you tell us about some of the more interesting matters you've worked on?

Jackie Koven: Ransomware has loomed large over the past couple years—that really hits the blockchain use case on the nose. The ransomware payment is usually demanded in a form of cryptocurrency, mainly Bitcoin, and so, we've been looking at those threat actors behind those attacks, where the funds are going. Notably, we were used to assist the attribution of a Canadian threat actor who was deploying the NetWalker ransomware, who was sitting right in our backyard in Canada. They were able to recover $30 million of cryptocurrency that was largely the proceeds of ransomware, so that was a big case. There continue to be opportunities like that—I think there's this misconception that ransomware is only conducted by threat actors based in Russia. I think it's actually a global problem, and funds are moving all the time, so it's a constant cat-and-mouse game.

Fran Faircloth: I would imagine that the development of Ransomware-as-a-Service has only made it more widespread, more global.

Jackie Koven: Yes, it's definitely made the problem more challenging. It's expanded these capabilities to threat actors who didn't have the resources to launch these kinds of campaigns on their own, but it's also put a bigger target on their back because they're all under one umbrella, so it's made the center of gravity more obvious. We have seen successful takedowns as a result—Hive ransomware most recently—but several other strains are no longer in existence because of international scrutiny that has been placed on these actors.

Fran Faircloth: That's really fantastic. What kind of things are keeping you or your clients up at night these days?

Jackie Koven: We have the ability to get alerted when funds move immediately. The types of threat actors we look at are global, and they're up at all hours of day and night. And so, when your alert goes off that funds are on the move—we love this stuff—a lot of our analysts are up and tracing the funds, and alerting various folks with equities on those cases. So, that's probably the most literal thing keeping me up at night.

Fran Faircloth: That makes a lot of sense. I think when we signed up for these careers, we knew those kinds of things were going to happen. And it sounds like for you, similar to me, part of the fun is the adrenaline of those kinds of crisis situations. Is there anything particularly interesting, exciting, or even weird in the cybersecurity world that you've been watching recently?

Jackie Koven: I think what comes to mind is, first, a sad case, which is related to privacy. I think more recently, there's been an onslaught of ransomware attacks against the health services and hospitals, and we actually saw a breast cancer facility get attacked. In a sad turn, one of the patients is actually suing the care facility for not protecting the data. I think one of the sad realizations of this is that hospitals and schools being attacked are dumping children’s, minors’, and medical patients’ medical history, healthcare history, and mental health documentation. I don't often think about privacy in my work, though it rules everything I do. InfoSec is all about privacy, and ransomware is all about the breach of privacy, and those cases remind me of that when I forget what's at the heart of what we do.

On the lighter end of the spectrum regarding privacy, I think there have been some almost humorous quotes resurfacing from former administrators of mixing services. So, for those unfamiliar, a mixing service, also called a “tumbler,” has the purpose of receiving deposits of cryptocurrency, essentially jumbling them up with other people's funds, and it spits out your funds on the other end, and it makes it more difficult for investigators and tracers to follow the flow of funds. We've had a successful takedown because of global law enforcement on a major mixing service called ChipMixer. Old comments from that administrator have resurfaced saying, "Privacy is not a crime." But then, the admin went on to say that they weren't aware that North Korea was depositing funds there, so, admitting to this gross negligence and the lack of any kind of transaction monitoring. We've seen similar comments from former mixers, but the takedown of ChipMixer was a huge win, not just for ransomware, but all manner of crimes and criminals globally that were using it to obfuscate their flow of funds.

Fran Faircloth: That's wonderful. Your comments about the connections between InfoSec, privacy, and data really ring true, because my practice mixes all of those. I think especially the rise of double extortion ransomware, which probably has come up mainly because people like you have been so successful at going after the attackers, and so, people weren't paying the ransoms as often. But I think that just really makes it more salient, especially when the attackers are going after places like you mentioned—hospitals and schools—where you have really sensitive data, and that kind of threat of exposure is really dangerous.

Jackie Koven: Yes, that's a great point. We recently published our 2022 Crypto Crime Report retrospective, which found that ransom payments had dropped significantly, as much as 40% from the year prior, which was nearly $800 million—we're hovering around $400-$500 million in 2022. That's not to say that attacks aren't happening—we wanted to make that very clear that attacks are persistent. What is clear is that these threat actors are having a harder time extorting funds—there's more friction. Their victims were better prepared, better defended, had backups, and had plans. As a result, they could be looking at those more vulnerable institutions and ratcheting up the pressure from double to triple extortion, to quadruple extortion. And so, it's an unfortunate consequence of that, but I think there are lessons to be learned from why victims in some cases didn't need to pay or refused altogether. Some of it is defenses. Some of it is law enforcement activity that is taking down these networks. I think and I hope that we'll see more and more instances of fund recovery for these victims. We saw several instances of assets getting seized from ill-gotten gains, and I think that's a heartening trend that we're going to continue to see. I think the Hive ransomware example really kicked off 2023 in a good way, and that was another example of why victims didn't have to pay, because there was a decryptor available. So, that was just an incredible win all around.

Fran Faircloth: Yes, that was a really wonderful development for a lot of people I know. If I have a client that comes to me and they've been hit with a ransomware attack, how can you help them?

Jackie Koven: First, I would refer to literature from FBI, CISA, and the Secret Service on the necessity to report. I think reporting to law enforcement as soon as possible is the best tack to take. Not saying that there is a decryptor available necessarily, but in the case of Hive, there was—and if you had reported it, you would have been able to get helped probably. And so, where we come in is for one, tracing funds after a ransom is paid. We have clients that look to us to try to track the payment and see if they can recover the funds, but we also have incident response firms, law firms, and cybersecurity firms that look to us and at our dataset to try to figure out if they're paying a potentially sanctioned entity, which is another problem that a victim doesn't want to have to deal with. "Wait. What? I got hit by ransomware and now I could be potentially violating sanctions?"

What we've seen over the past couple years—and it really accelerated last year—was this rebranding that ransomware actors undertook, and that's as cybersecurity researchers and blockchain investigators discovered that a ransomware strain was tied to a sanctioned entity. They would just change their names, making it harder to discover, and what we found on the blockchain actually is that they are reusing the same wallets. As many may have found out personally during the Silicon Valley Bank scare, it's hard to change bank accounts. It's hard for these threat actors to find new laundering mechanisms and off-ramps, and not just find them, but trust them. Because there are scammers out there, they might not get their funds back, and so, we see oftentimes that threat actors, including ransomware actors, will reuse the same wallets or reuse the same laundering patterns. And so, we can often tell fairly easily on the blockchain that one brand has rebranded to another. We see a lot of incident response firms that are doing due diligence on chain prior to paying to understand their potential risk. Not only do we see designated entities or strains as a concern, but we do see threat actors based in nation states that are sanctioned jurisdictions—we do see ransomware emanating from North Korea and Iran. Without any specific designation tied to those strains, victims are left with limited resources to try to discern whether they're paying a designated entity.

Fran Faircloth: That is so interesting. I just had a client the other day say, "If these people are hiding on the blockchain, how will we know if we're paying someone on the OFAC list?" So, it's good to know that there are those resources out there. At what point in the process should a private entity be looking to contact Chainalysis for your help?

Jackie Koven: After an attack, I would certainly advise that someone undergoing a cyber incident or breach contact law enforcement and report accordingly. We do have many clients that are reporting cryptocurrency addresses to us, so that we can tag it in our software, and what that does is it really plugs them into our community of cryptocurrency businesses that might receive those tainted funds. At the end of the day, if they receive that ransom payment, stolen funds, or scammed funds, that cryptocurrency business will get an alert that they've received tainted funds, and can freeze the funds, file a SAR, or respond to subpoenas accordingly. It just makes responding to that incident so much quicker when they're able to have that visibility on chain through our platform. We also experience incidents regularly where ransom payments reported to us will have a law enforcement entity from the U.S. or another jurisdiction contact us with more information about that incident, or they've been able to recover payment from that incident and require talking to the victim to confirm that was indeed the proceeds of ransomware. So, we really do have this global dataset and this community that can make time to seizure much quicker, but also enhance our collective intelligence picture on the ecosystem. We have a very comprehensive library of all the ransomware families and payments, so it allows victims to crosscheck against and to understand: Has this been paid before? Did that payment go to an Iranian exchange? Is it likely an Iranian strain? And they can make that determination based on their risk threshold whether or not they're going to pay.

Fran Faircloth: That's fantastic. We know the threat actors are out there talking to each other and coordinating to some extent, so it's great that the victims also have resources like you that can help them do the same kind of coordination. Thanks, Jackie—that was really fascinating.

Now, Edward, I'm going to ask you the same question that I just asked Jackie, as we normally do at the end of this show: What's the strangest, most interesting, or even the best thing that you've heard about in privacy in the last few weeks?

Edward Machin: I think it's the “strangest” and the “most interesting” thing, and that's the explosion of public interest and regulatory interest in AI. In the UK in the last couple of weeks, we have had the UK government issue its regulatory approach into how they are going to govern and oversee AI, which is generally viewed as quite a light-touch approach. You can contrast that to the European Union, which is much more top-down, heavy-handed, and prescriptive in terms of legislation. Also, in the EU in the last week or so, we have seen ChatGPT, the famous or infamous chatbot being banned in Italy. So, what we're starting to see now is this area really hotting up in terms of regulatory scrutiny, companies looking at what they're doing, and frankly, individuals questioning a little bit more about how their data is being used. We're still at the very early stages of this development, but it promises to be certainly one to watch. How about you, Fran?

Fran Faircloth: The most interesting thing I've heard this week came during a panel at IAPP yesterday. Our listeners may be familiar with IAPP, the International Association of Privacy Professionals, and the summit that happens every spring in Washington, D.C. We're in the middle of it right now, and at a panel yesterday, Melanie Fontes Rainer, HHS's director of OCR, said that HHS is actively looking at multiple healthcare providers' websites for allegedly misusing data, probably involved with pixel use is what we're expecting. This was surprising to a lot of people in the audience—it broke news that HHS may be expanding their scrutiny of this to a lot more health systems. She referenced a study published earlier this week that came from researchers at Penn and Carnegie Mellon that said that almost 99% of hospitals use online data trackers. Not incredibly surprising given that probably 99.9% of the internet uses them. The study was looking at websites in 2021, so before HHS had come out with their guidance on use of trackers, and I know a lot of health systems in hospitals have changed practices since then. So, it will be interesting to see where those investigations go.

Edward Machin: Absolutely. I think these are two topics that will be returning to the podcast probably sooner rather than later. That's it for another episode. Thank you to everyone who tuned into this episode of The Data Day from Ropes & Gray. And thank you, Jackie, for joining us. If you would like to join us for an episode or you know someone who we need to have on the show, please reach out to Fran or me by email, or we're both on LinkedIn. If you enjoyed the show, please do subscribe. And you can listen to the series wherever you regularly listen to your podcasts, including on Apple and Spotify.

Jackie Koven
Head of Cyber Threat Intelligence, Chainalysis