Threat Vector 5.21.26
Ep 118 | 5.21.26

Follow the Crypto

Transcript

Jackie Burns Koven: Cryptocurrency analysis is not a niche activity anymore. Like, no one's saying they missed the boat on AI, so they're not going to adopt it. I would say the same for cryptocurrency and blockchain intelligence. It's another tool in your toolkit. It's not going to be the end all be all; but, combined with other telemetry and visibility, it can be really powerful.

Michael Sikorski: I'm Michael Sikorski, the CTO of Unit 42. And I'm filling in for David Moulton today as the guest host of Threat Vector. Today, I'm speaking with Jackie Burns Koven, the head of Cyberthreat Intelligence at Chainalysis. We're actually at the Links conference, the Chainalysis premier conference focused on all things cyber and crypto intelligence. We're going to talk about how defenders are tracking criminal and nation-state actors across the blockchain and what the next era of threat intelligence actually looks like. Here's our conversation. Jackie, welcome to Threat Vector. Really great to have you here.

Jackie Burns Koven: Thanks for having me, Mike. I'm a new fan.

Michael Sikorski: Awesome. Yeah. That's a -- we're excited to be able to have you on the podcast. And talk to me a little bit about what your day looks like, sort of combining, you know, blockchain for financial signatures of threat actors. And, like, I really want people to understand, like, what the work is that you do as it pertains -- because, like, people hear about the blockchain and cryptocurrency and threat actors using it. Like, how does that turn into, like, what your job is in this space?

Jackie Burns Koven: Yeah. Exactly. So my role at Chainalysis, I lead cyberthreat intelligence; so I'm responsible for understanding the wallets and identifying them of those actors that scam, steal, extort for cryptocurrency; the tools and services they use; the marketplaces where that commercial activity takes place; and identifying those so that compliance officers at financial institutions and exchanges can identify those and flag those transactions but also empowering intelligence analysts in private sector, public sector, and law enforcement to better understand and disrupt those networks.

Michael Sikorski: That's pretty awesome. Can you also tell us about this Links conference that we're currently in Times Square hanging out recording. And what is this event? What does it mean to Chainalysis, the company, and then the industry as a whole?

Jackie Burns Koven: Yeah. I think it truly reflects the diversity of the players in this ecosystem. If you think about anything a dollar touches and who touches -- its expanse, like, cryptocurrency is unique in that you can see all the transactions on the blockchain. And so it brings together really in cryptocurrency transactions and this conference players from all over the ecosystem, from finance, insurance, regulators, law enforcement. So I get sometimes questions. Well, my institution doesn't custody crypto. I don't pay ransoms. How does crypto impact me? But, in cyberthreat intelligence, it's totally different because all threat actors, whether they're nation state or cybercriminals, are -- whether they're pursuing crypto for profit or using it to purchase tools and services, infrastructure, bulletproof hosting, residential proxies, cryptocurrency is the oxygen of these marketplaces that is helping. And these are powerful intelligence leads. So this is an incredibly unique conference. And you're having all of those players in the ecosystem that crypto touches in a room together and talking. And I think it also speaks to how fraud and cyber and compliance teams really need to be on the page -- the same page because these threats are evolving so fast. I have so much empathy and sympathy really for compliance and fraud analysts who are not only having to learn crypto but also having to learn what a residential proxy service is, what is Black Basta ransomware, and why am I getting an alert that they deposited funds onto our exchange? So I love this conference because it also underscores the public-private partnerships that have to happen for disruption.

Michael Sikorski: So I want to take a step back and then get back into, like, the panel we had yesterday at the conference and -- but first I wanted to get into your background. So you came up through the U.S. intelligence community, similar to me in some regards, before ending up here at Chainalysis. You know, what drew you from sort of the traditional intelligence work towards this, like, crypto threat intelligence? Like, what's the backstory for, like, going from that into this space?

Jackie Burns Koven: Yeah. It certainly wasn't a linear path. I, you know, started my career in the intelligence community. I worked on nuclear proliferation issues on a particular adversary. Cryptocurrency was not in my vocabulary or my mandate at all. I'm positive that has changed since I left my position. But I actually left government to go to grad school with the intention of returning back to government. But, once I left that black box of those windows rooms where everything was super classified and compartmentalized and I went to grad school in New York, and it was just this epicenter. At the time, it -- you know, big data was the buzzword; startups, build fast, break things. And the blockchain revolution was actually happening in New York City at the same time. I was just so energized by the optimism of new technology. The thought of kind of going back into my black box, I wanted to try -- the private sector just seemed so energetic at the time. And I stumbled across Chainalysis on doing a grad school project for a consulting firm, and it just opened my eyes to the fact that I can still go after bad guys and also harness this new exciting technology. It was just the perfect marriage of those two interests of mine, and I've never looked back.

Michael Sikorski: And I was talking to some of your colleagues about you. And the story was that, when you came here, like, this role is, like, it's, like, your role. Like, this role didn't -- like, it didn't even exist in the world. Like, it wasn't like it became the situation and like what it is for the team. Is that -- is that true? Like, is it, like, it was like this evolved into what it has become because of the explosion of what the threat actors are doing, explosion of the company of Chainalysis, and so on and so forth. And now you've -- you've found yourself, like, testify in Congress multiple times; and the list goes on and on of, like, you know, the accomplishments you've had here. So can you provide any insight of, like, some cool accomplishments you've had in role here?

Jackie Burns Koven: Well, it's funny because, you know, when I started here over seven years ago now, I think I was employee like 60 or in the 60s. I applied for the only non-technical role, which was customer success and just loved it. It was actually really great because I got to deeply understand our products and our data and deeply understand customer use cases. And that's when I first kind of stumbled into cyber, and it was like following ransomware payments and, like, just finding my obsession about that and how they operate and what they were spending their money on and those rebrands. So I would say, like, accomplishment I think is being able to proliferate your work through others. I think in the intelligence community everything was so siloed. But, in Chainalysis, I'm like a kid in the candy store because there's no compartmentalization. Everything is available to everyone. And so being able to identify wallets that lead to the attribution of the threat actor disruption or even the seizure of funds and returning of funds to victims, like, those are the moments that mean the most to me when I reflect back over the years. But certainly, as you know, speaking to Congress is an intense endeavor.

Michael Sikorski: Yes, it is.

Jackie Burns Koven: The preparation for that marathon training, I think, just preparing for all possible outcomes.

Michael Sikorski: And I was telling you that, like, I did the closed-door session recently, which is in complete contrast to, you know, the open door cameras rolling and how different the experience was. And you're like, next time I want to close doors. How different it was from a, you know, progress perspective, and questions getting answered and just, you know, really hyper-focused on what -- what we were in the room to discuss. So I really thought that was cool. You are a member of the ransomware task force, so I guess that's in addition to what you do at Chainalysis. Can you -- you know, it seems like an unusual coalition, industry, government, civil society. And so, like, from the inside of working with that task force, you know, what does that collaboration actually look like when it comes to ransomware? And you know, what are things that are working? What are things we could do better?

Jackie Burns Koven: That's been a very special organization for me personally, and I think it's had a lot of impact. And one of the benefits of blockchain intelligence is that it's not just following the ransomware payment from Point A to Point B. You can actually measure impact of operations and policy at a macro level. And we've seen ransomware payments flatline for the past two years. 2024 was the first time we saw ransomware payment revenue decline ever after year after year being record-breaking years for so long. And I think that's directly tied to a lot of initiatives, including the ransomware task force; but public awareness, education, preparedness, having a plan for if and when attacked that negate the need to pay but also hopefully preventing them from ever getting the crown jewels. And I think this organization has really reinforced, like, the necessity of using blockchain analytics for every cybercrime problem because, even if they're not looking for ransomware money, they need cryptocurrency to buy that access, to buy that bulletproof hoster. And so being that -- having that puzzle piece in the room when there's so many different telemetries and visibilities and skill sets, it -- it's really gratifying to sometimes be able to come to the team, like, oh. I got that missing puzzle piece. Now we see -- we can see the picture, the full picture. And it's also created opportunities for disruption. Using blockchain analytics, you can see those central nodes of gravity that are supplying tools and services across a number of streams. And it's been really encouraging to see over the past few years a steady drumbeat of unpredictable actions against bulletproof hosters, access brokers, marketplaces that are imposing costs, creating friction, creating distrust within these organizations. And I think those actions also contribute to the decline in actual payments.

Michael Sikorski: You mentioned disruption. I mean, that's a big part of what you all do, too, and that coordination with the ransomware task force of, like, how do we coordinate with each other because we all have different visibilities; and we can bring different things to the table, and that dataset coming together with another dataset, for example, sort of helps you unravel and tell the story. But it also makes it easier to do things like disruption because there -- you know that this is connected to this, which is connected to this, which is actually this threat actor. And that's who we're after and who we want to disrupt. So, when it comes to, you know, any sort of disruption that you've been a part of, what kind of like model works? Like, who need -- who do you see has to be at the table? Like, does it -- you know, with law enforcement, without law enforcement, I've -- you know, because I've seen some private to private happening now as well. There seems to be like a trend happening where people really want to get after, you know, taking down the bad guys, so to speak.

Jackie Burns Koven: Yeah. I think it -- trust is the basis of everything. Trusting an organization with sensitive data has been -- whether it's private to private or public to private. I think when public sector is able to initiate first, I think that's a good starting point because oftentimes there's not a great feedback loop if it's the other way around. I think we've been -- Chainalysis has been used for a number of disruptions for ransomware, including NetWalker, LockBit, the Colonial Pipeline takedown -- or, excuse me, the recovery of over $2 million of that ransom payment, the Caesars Casino ransom payment. So there's been a number of cases.

Michael Sikorski: Yeah. I mean, and those are all like really for the headlines, ripped from the headlines, you know, recoveries and takedowns. I even remember being a part of working the incident response for the pipeline hack and then being like, wait. Money can be, like, recovered. I remember being like -- because, you know, that's years ago at this point. So even then it's -- like, it still feels like that was like the early days of, like, this explosion of, you know, the use of cryptocurrency for threat actors to get their payments from ransomware gangs and stuff like that.

Jackie Burns Koven: And I think an important component that I missed going through is victim cooperation so the general public. So, in the case of NetWalker where they recovered over $30 million, they needed victims to come forward, right, and claim -- claim the funds, come forward and say that they were victimized. With Colonial Pipeline, we had -- like, that -- that company was very cooperative with law enforcement. So victim reporting is essential, whether it's ransomware, phishing, scams, and the like. So that's a critical component. And so having victims know where to go, know who to trust, and being sensitive with their data and handling it is very important, too, with whatever the actual crime is.

Michael Sikorski: Yeah. Well, I would say, like, victims used to be so afraid to even come forward or talk about it or whatever. And now that willingness seems to be way more open than ever before. And I think it leads to better outcomes for fighting against the adversary, for sure. And so, like, it's like the more people talk about their hacks, the better the world is. It's hard for people to comprehend that because it's like, oh, you're a victim. You also think, like, oh, I got hacked. That's kind of like an embarrassment to me. It's like no because everyone gets hacked. And, if we all work together, we could actually make this stop or at least make the world a better place. And I think that's like where it's, like, talk about it, please. Like, the more you do, the more threat intel we get, right. The more indicators we get. The more wallets we get. The more whatever the attackers' using and stuff like that. And I started -- I mentioned wallets and threat intelligence, I started to go down this path. And that's a question I had for you is, like, for our listeners, like, how does that world of threat intelligence actually work when you talk about, like, you know, I think of traditional IOCs, like the attacker is coming from this IP address; or the mal -- you know, malware, obviously, like, having this hash and, like, this binary is the piece of malware to look for on your computers and your network. Like, that's how, you know, sort of traditional threat intelligence was done with these IOCs. What does that look like in your world for connecting the dots on, like, what's happening and what's what?

Jackie Burns Koven: Yeah. So the benefit of blockchain and blockchain intelligence is you can see everything, right? You can see where funds go from Point A to Point B, whether they're in Zimbabwe or your next door neighbor, right? So then that's also the challenge of blockchain intelligence is you can see everything. So we don't have the benefit of, like, a police unit where, if there's something is outside of their jurisdiction, it doesn't matter. Like, everything is our jurisdiction in crypto. And so it's round the clock constant, and that can be great for investigations; and it's also part of the challenge. And what is challenging is also developing our intelligence requirements and understanding, like, who's who in the zoo, what are the important actors to go after, entities to go after, at the same time receive -- constantly receiving inputs related to new darknet marketplaces, takedowns, hacks happening, scams happening all the time around the world and making sure we can label those wallets and put it in our dataset in a timely manner so it can be actioned. And then, once we identify those threat actors, each threat actor, threat group has its own unique signature. Just like you and I use different banks, threat actors have specific laundering patterns, spending habits, wallet types.

Michael Sikorski: And even, like, how they're breaking up their payments of, like, so-and-so gets 20% cut; and the access -- you know, the initial access broker gets 20%. And then, you know, some of that kind of stuff is unfolding, right, where you see constant, like, literally to the percentage sometimes, right?

Jackie Burns Koven: Yes. So -- and a lot of these times they may be expert hackers; but they're not necessarily expert launderers. They want to kind of set it and forget it. And, even though they may do something like rebrand their ransomware group or change their handle on Telegram or their username on a marketplace, they are often exhibiting the same financial signatures on chain. So we can follow them throughout the course of their criminal career. So their wallets for me are like a criminal resume. It's like their rap sheet all online because you can see where they're getting money from. So you can even track their evolution to different crime types or to sophistication and --

Michael Sikorski: Or if they change gangs and stuff like that, right? Like, you could see that as well.

Jackie Burns Koven: Absolutely. And you can even see hierarchy. It really does paint a vibrant picture. And so, like, IT workers, you can see where are they funneling their money to, who's there -- who's in charge of their group. Same thing with scams, ransomware, and time zone analysis. All of that can really paint a really vibrant picture of what's happening.

Michael Sikorski: I wanted to talk about the panel that we did yesterday. I thought it was really awesome. I think you -- you were the moderator, and I was lucky enough to be on with two amazing people, as well; and we all had different visibility. So it was Kimberly Goody from Google Threat Intelligence. Her focus is this world but much more on the nation-state side, I believe, right? And then Allison Nixon on the -- from Unit 221B, which, you know, just like Unit 42 but more Sherlock Holmes focused than Galaxy, Hitchhiker's Guide to the Galaxy, which I think is pretty funny. But she is more, like, in the weeds, you know, with the threat actors and really getting after it specifically, you know, big groups that we're all talking about, Scattered Spider, The Com. The list goes on and on. What was like -- so I thought our conversation was great. So many different areas. We ran out of time. And I think the audience was, like, I think it was standing room only, which was really cool. And the questions went on and on. They had to kick us out of the room eventually. What was like -- what were, like, some of the highlights you had from the panel that you think our listeners should hear on that? Like -- because it wasn't recorded, so people can't watch the video of that panel. But maybe they could get a little -- little taste of what you thought was, like, the highlights and takeaway from it?

Jackie Burns Koven: I thought it was really interesting to hear you and another panelist break down that, like, blockchain intelligence is more than just following the money post incident. It's important to look at it as an indicator of attack preparation so being able to understand what's in a threat actor's shopping cart, what kind of infrastructure they're purchasing, how they're trying to -- what they're going to use to try to break into the house essentially. That was really interesting to hear how it's actually working in the field. And also I think you pointed this out. The attribution has never been more challenging in cybersecurity. It's certainly --

Michael Sikorski: Yeah. It's really tough these days compared to the early days when it was like, oh, that piece of malware, it's a variant. I know exactly who wrote it. You know, those days are kind of gone.

Jackie Burns Koven: Yeah. And so that was really illuminating for me to hear that blockchain intelligence can be -- can be that missing puzzle piece in some cases where it can strengthen confidence in an assessment or shed light on an area that you didn't -- you weren't even thinking of before. Like, oh, this actor is definitely North Korean. Nope. Actually, he's using a Nigerian exchange, so chances are -- so -- and I think it's -- it's really helpful to have -- it opens up the scope of the case because now you have cryptocurrency businesses you can ask for telemetry on their end to marry it up with what you have. So that was really fascinating to hear. I think we had live breaking cases while we were on the panel, North Korea --

Michael Sikorski: Yeah. It was like things are unfolding as we were on stage. It's like, what do you know about this? It's like, did you just read that from breaking news on the -- like the supply chain stuff, right?

Jackie Burns Koven: And, to your point on information sharing, I think in all the sidebar conversations I've had -- I feel like I've had the same conversation literally six different times of people being targeted by North Korean IT workers, their businesses. This is the honeypot, right, at this conference right here. Everybody's having the same Telegram interactions, the same lures, and likely three in the same pick. So I think we need more of that. We have to move it from sidebar conversations at a conference to --

Michael Sikorski: -- to actual collaboration. Yeah. I think also on that insider threat, you know, we've done upwards of 300 victim notifications on North Korean insiders across, like, you know, what we have visibility into. And a lot of that is through collaboration where somebody is like, hey. I hired this person. We found out they were an insider. Then that information gets shared with us, and then we could use that to search through our telemetry and our visibility. And it's like, wait. That person actually had five other jobs at these five other entities, and they're working all of them; and we need to, like, notify now instead of just the one company who maybe got rid of that employee, now there's five more just, like -- that are the exact same persona that is getting the job. So, yeah. Like, without the collaboration, it'd just be, like, if you didn't know to get that piece of intelligence, you're kind of in trouble. That's a great place to really mining and get after.

Jackie Burns Koven: What were some of your takeaways?

Michael Sikorski: That's a good -- so my takeaways from the panel, I thought -- you know, I thought each of our visibility was just so diverse. And, like, you know, Allison's ability to kind of talk about, like, what's really happening at the victim level I thought was really -- it really kind of put things in perspective, I think even for the audience. It was like, you know, maybe I was on stage talking about there's a question about AI, and I'm talking about, well, you know, how threat actors are using AI. And then when the question about, you know, her visibility on the threat landscape, it was much more like these are like child workers; and, you know, how horrible the situation is for the victims or the people who are, like, causing there to be more victims because they're forced into it. And sort of that side of things really kind of put it in perspective of, like, why this is so important and, like, why -- why being in this game is, like, this is why I'm here. That's why I love this because what other job do we get to, like, take down criminals but then also, like, be in tech and learn -- and, you know, having these new things like cryptocurrency pop up, and then also the threat actors start using it. So I think, like, anytime I'm in a situation where I get that feeling, I get, like, you know, this energy and this surge of, like, I'm going to go get it. We're going to go, like, take them down. And we're going to win because, you know, good will win over evil, like, you know. And so, like, I think that was a big -- a big part of, like, what I saw on stage. Another question I have for you is, like, on the nation-state side, what are you seeing there that's of interest? And, like, you know, what should our listeners know from that? Because I think people are pretty familiar with, like, the ransomware as a service and people getting access and then brokering that over to ransomware as a service and sort of the escalation. But what does that look like on the nation-state side when it comes to crypto and tracking them?

Jackie Burns Koven: Yeah. So North Korea certainly is always at the top in terms of crypto crime revenue. They exceeded $2 billion worth of stolen cryptocurrency last year. That was a 50% increase over the year prior. And that -- that $2 billion, maybe two or three attacks comprised the majority of those funds. But we know they're doing individual wallet hacks; so we're tracking hundreds of thousands of private wallet hacks, not all attributed to DPRK. But we know that's part of their MO. We're seeing, you know, IT workers aren't bringing in as big of hauls as we are seeing those massive heists but certainly significant and pervasive. Just a couple weeks ago, we had six individuals and two entities tied to DPRK IT networks sanctioned. And so it's interesting to see playbooks from other crime types, like we talked about ransomware. We need all levers of government on scams, on fraud, on DPRK as well. So it's great to see other -- DOJ, Treasury, and our global partners all taking actions to name and shame, to actually recover funds. We've seen civil forfeitures targeting DPRK funds to make it harder for them to -- to make money. As I -- I say this a lot. Imposing cost is not a metaphor to Chainalysis. We actually want that to -- in the pocket.

Michael Sikorski: Literally imposing cost. Yeah. I love that. So, you know, when you think about this threat landscape specifically when it comes to Chainalysis and the space that you're in and how the threat actors are getting access to money funds so, so much easier than they did, you know, 30 years ago or whatever when the hacks were first starting to happen, what's the thing that keeps you up at night that, like, most defenders are not paying enough attention to that they need to, like, wake up and get after?

Jackie Burns Koven: I've been to multiple conferences over the years and had the privilege of addressing different audiences in the CTI community, and I often ask if any -- for folks to raise their hand if they encounter cryptocurrency in their work. And pretty much the entire conference room, hands up, shoot up. And then I ask, all right. Who has a tracing tool so that they can actually pivot off of that identifier? And all the hands go down in the room, right? It's -- cryptocurrency analysis is still -- still such a niche tool. And I think it's a shame because I think it's so powerful for attribution, for disruption, for network analysis, even looking at macro trends. And -- and so I think that -- I hope there's no perception that anyone's missed the boat. It's more accessible than ever. Even if you're not using cryptocurrency, you're not paying ransoms, your institution doesn't custody crypto, the threat actors targeting you, your organization, your customers absolutely are using cryptocurrency. And I think that's really important to drive home to every CTI in on us.

Michael Sikorski: Jackie, it's been really eye-opening conversation, awesome Links conference, great panel yesterday with you as the moderator. It's really cool that we got to pull aside here in Times Square to have this conversation for our listeners. And it's been great to have you pull back the curtain on, like, how financial intelligence and cyberthreat intelligence are sort of converging and sort of the diversity of what all that means for defenders.

Jackie Burns Koven: Thank you so much for having me.

Michael Sikorski: That's it for today. If you liked what you heard, please subscribe wherever you listen; and leave us a review on Apple Podcasts or Spotify. Your feedback helps us understand what you want to hear. If you want to reach out about the show, email us at threatvector@paloaltonetworks.com. I want to thank our executive producer, Michael Heller. Elliott Peltzman edits the show and mixes the audio. We'll be back next week. Until then, stay secure, stay vigilant. Happy reversing. Goodbye for now.