Leaked Emails Detail How Spyware Could Track Your Bitcoin History

July 14, 2015 Updated: July 14, 2015

Is the government spying on your bitcoin spending habits? It’s more possible than you might think.

Documents leaked earlier this month in the data-breach that hit Hacking Team S.r.l., the Italy-based spyware firm, confirmed what many had suspected: authoritarian regimes were using spying software purchased from overseas to crack down on political dissenters.

But evidence of political repression wasn’t the only takeaway from the 400 GB trove of data leaked in the breach. The company was also selling tools to spy on how people use their bitcoins and other digital currencies.

Internal emails released in the breach indicate that Hacking Team’s premier product, the Remote Control System, got an upgrade in January 2014 that enables it to track “cryptocurrencies, such as BitCoin, and all the related information.”

“The module is able to collect various information: list of contacts and local accounts, wallet (i.e., the money) and the history of transactions,” reads an email dated Jan 12, 2014, published by Wikileaks.

“Currently it is intended only for Desktops (Windows, OS X, Linux), while introduction in Mobiles is still under evaluation,” the email continues.

The process is fairly straightforward: Once Hacking Team’s spyware is installed onto the target’s device, a key-logger would collect the passwords for the target’s Bitcoin wallet, and the observer could examine the transaction history by remotely controlling the device.

The prosecution of Ross Ulbricht, the mastermind behind the Silk Road website, definitely proved that bitcoin transactions were not as anonymous or untraceable as commonly believed. The Hacking Team revelations only cement the fact that bitcoin is not as agile as popularly touted, and could pose unique vulnerabilities that can be exploited by criminals hoping to capitalize on the new technology—after all, spyware can’t monitor the transfer of cold, hard cash.

“Here is some relevant context to position them in your pitch: Cryptocurrencies are a way to make untraceable transactions, and we all know that criminals love to easily launder, move, and invest black money,” the Hacking Team email continues. “[Law enforcement agencies,] by using our Intelligence module combined with this new capability, can correlate the usage of cryptocurrencies, defeating the financial opacity they provide.” 

Bitcoin has faced a range of challenges to its survival as a currency: Its volatility, although on the decline, remains much higher than that of the dollar or the euro, making bitcoin largely useless as a store of value, and also its existence relies on the goodwill of the government, which could always strangle the currency with regulations if it desired to.

For bitcoin to reach escape velocity, existentially speaking, it would have to become popular enough that outlawing it would become politically unfeasible; no one wants to be held responsible for a recession. But its increasingly obvious security vulnerabilities could prove a roadblock toward widespread adoption.

“This type of risk may have a great impact on the average consumer’s willingness to adopt Bitcoin as a medium of exchange, despite the other positive features of Bitcoin,” Villanova University Assistant Professor of Finance John Sedunov said in an email.

“We are already worried about [Social Security numbers] and credit card data as it is, so it might be a tough sell to people to get them to adopt something that is new that may have similar technological vulnerability,” says Sedunov.

Unlike traditional financial institutions, many of which have sophisticated fraud-detection systems in place, services that manage bitcoin are still in the early stages of development, opening the door to heists like the one that emptied the Mt. Gox bitcoin exchange.

“One of the essential mechanisms for the currency is that you need to ‘sign’ your transactions with a unique key,” Sedunov said. “If someone were to log your typing or otherwise acquire this information in an unscrupulous manner, they could easily transfer money from your Bitcoin wallet without your knowledge or approval.”