How Telcos Could Lose Billions from Ultrafast Transactions

Consider the plot of the following movie.  A cybercrook steals Bitcoin (BTC) from an illegal online marketplace used by drug dealers and organised crime.  Takes some nerve, huh?  Then when Bitcoin is split into two cryptocurrencies, he gets a 50,000 Bitcoin cash bonus.  The downside is that US authorities have just seized it all and our cybercrook is now facing up to 20 years’ free accommodation amongst – you guessed it – drug dealers and organised criminals.  It sounds like a great story, but the problem for telcos is that this story is based on actual events that could also apply to them.

Silk Road

I’m sure many of you will remember that Silk Road was a black market on the dark web. It was operational from 2011-13 as a forum for drug dealers and other unlawful vendors to distribute illegal drugs, goods and services. It was also used to launder funds passing through it.

Enter our ‘hero’, James Zhong. In September 2012, Zhong set up nine accounts on Silk Road, providing only the minimum of information to open the accounts.  He funded them with deposits of between BTC200 and BTC2,000.  Then came the clever part: he withdrew BTC50,000 from those accounts.  How is it possible to withdraw many multiples of the number of Bitcoins he deposited?  In 2010, the Dow Jones Index declined 1,000 points and dropped 10% in just 20 minutes. This was due, in part, to automated high frequency trading based on mathematical models and algorithms.  The relevance here is the speed: trades happened in milliseconds, and that was the key to Zhong’s scam.  I quote from the US Department of Justice (DoJ) press release:

As an example, on September 19, 2012, ZHONG deposited 500 Bitcoin into a Silk Road wallet.  Less than five seconds after making the initial deposit, ZHONG executed five withdrawals of 500 Bitcoin in rapid succession — i.e., within the same second — resulting in a net gain of 2,000 Bitcoin.

Basically, Zhong initiated over 140 transactions in rapid succession, causing Silk Road to release approximately 50,000 Bitcoin from its payment system into his Silk Road accounts.  He then withdrew his loot, in a process designed to prevent detection, conceal his identity and ownership, and hide the Bitcoin’s origin. At the time of the scam, the stolen Bitcoin was valued at USD3.3bn. Yes, he stole over three billion dollars’ worth of cryptocurrency.

Silk Road was shut down by the Federal Bureau of Investigation in 2013 and its founder, Ross William Ulbricht, was sentenced to life in prison in 2015.

Bitcoin Bonanza

Zhong was sitting on 50,000 Bitcoin and then, in August 2017, Bitcoin split into two cryptocurrencies, traditional Bitcoin and Bitcoin Cash (BCH).  When the split was implemented, any Bitcoin address with a balance on the Bitcoin blockchain now also had the equivalent balance on the Bitcoin Cash blockchain.  Zhong traded his BCH50,000 through an overseas cryptocurrency exchange and added a further 3,500 Bitcoin to his stash.

The End of the Road

According to the Athens Banner-Herald, Zhong was living on Ruth Street in Athens, Georgia in March 2019, when he reported a burglary at his home.  After being out of town for a few days, he came home to discover a rear bedroom window shattered and a briefcase containing USD400,000 in cash and a USB thumb drive had been stolen.  Zhong reportedly told the police officer that he felt the person who stole the money must know him, because he had hidden the briefcase behind an air vent.

Police Lt. Shaun Barnett said Tuesday that the cash was never recovered, nor was a suspect identified. However, he said the burglary and amount of money reported stolen “raised a red flag with the IRS.”

On November 9, 2021, law enforcement officers executed a search warrant at Zhong’s house in Gainesville, Georgia; they seized BTC50,676, then valued at over USD3.36bn.  The majority of the Bitcoin had been hidden on a single-board computer stored in a popcorn tin which was hidden under blankets in a bathroom closet.  For good measure, he also had USD661,000 in cash and a bunch of gold and silver bars.  Zhong has apparently been co-operating with the investigation, as he has subsequently surrendered 1,004 additional Bitcoin.  Zhong, who is 32, has pleaded guilty to wire fraud, which carries a maximum sentence of 20 years in prison.

What Else Do We Know?

Maybe you’ll do better than me, but internet searches on James Zhong didn’t produce much helpful information.  A real estate website states that after studying computer science at the University of Georgia, Zhong started a real estate investment business in Memphis.  Zhong’s LinkedIn and social media profiles have disappeared, but his LinkedIn profile is said to have stated that he was a “large early bitcoin investor with extensive knowledge of its inner workings” and that he had software development experience in computer programming languages.

Analysis

The Athens Banner-Herald stated Zhong is 30 years old, whilst the Department of Justice (DoJ) says he is 32, so Zhong was no more than 22 years old when he ripped off Silk Road and became a Bitcoin billionaire.

Zhong was found in possession of over 50,000 Bitcoin and has been charged with the theft of over 50,000 Bitcoin, so did he steal more and spend some, or has the IRS/DoJ only charged him on the Bitcoin in his possession?  It appears that Zhong still held virtually all the Bitcoin he stole – is that because he was the world’s most patient 22-year-old, or because he saw how much he had stolen and realised it was too dangerous to touch it?  I hope the inevitable movie will provide some clarification on this.

While I give credit to Zhong for the scale of his crime, there’s a huge gulf between his technical ability and his criminal pedigree.  Remember, this is the man who drew attention to himself when he told the police he’d had USD400,000 stolen from a stash in an air vent by someone he knew. Sharing such information with the police is not clever.  Either he told the thief about his stash or they had seen it for themselves, which also suggests Zhong made foolish choices for his friends.  Maybe he learned a little, because when the authorities finally raided his home and found another USD600,000 in cash, at least it was in a safe this time.  But where was the USD3bn in Bitcoin?  Security had been upgraded from the air vent to the popcorn tin; Zhong may have been a billionaire cybercrook, but he was no criminal mastermind.

Takeaways

Silk Road was reportedly ripped off by another hacker who surrendered BTC70,000 to US authorities last year. Two alleged money launderers in New York were accused of stealing cryptocurrency worth USD4.5bn from the Bitfinex exchange. These billion-dollar crimes make me long for the days when the proceeds from the biggest heists were still only counted in the millions.

For telcos, these events should be a reminder to review your processes for assessing new products and services.  I’m sure they are checked for flooding and denial of service attacks, but are they proofed against ultrafast transactions?  Could business pressures to deliver faster systems result in solutions which can process 10,000 transactions per second, but without any billing or reconciliation controls to maintain a proper track of what has occurred?  It only took milliseconds for one simple crook to take USD3bn from the Silk Road.
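To make the control gap concrete, here is an added example (not from the DoJ release or any real system) that replays the quoted pattern of one 500 deposit followed by five simultaneous 500 withdrawals against a toy wallet. The article does not say how Silk Road's payment system failed; the example assumes a balance check that is not atomic with the debit, and the Wallet class, run() and reconcile() are hypothetical names.

```python
import threading

DEPOSIT, REQUESTS = 500, 5  # figures from the DoJ example quoted above

class Wallet:
    """Toy custodial wallet, constructed for illustration only."""
    def __init__(self):
        self.balance = 0
        self.deposited = 0
        self.payouts = []              # list.append is atomic in CPython
        self._lock = threading.Lock()

    def deposit(self, amount):
        self.balance += amount
        self.deposited += amount

    def withdraw_unsafe(self, amount, gate):
        seen = self.balance            # 1. read the balance
        if seen < amount:              # 2. check it
            return False
        gate.wait()                    # processing delay: every request has passed the check
        self.balance = seen - amount   # 3. debit using the stale read
        self.payouts.append(amount)
        return True

    def withdraw_atomic(self, amount):
        with self._lock:               # check and debit are one indivisible step
            if self.balance < amount:
                return False
            self.balance -= amount
            self.payouts.append(amount)
            return True

def run(atomic):
    """Fire REQUESTS simultaneous withdrawals of DEPOSIT against one deposit."""
    w = Wallet()
    w.deposit(DEPOSIT)
    gate = threading.Barrier(REQUESTS)
    results = []
    def worker():
        results.append(w.withdraw_atomic(DEPOSIT) if atomic
                       else w.withdraw_unsafe(DEPOSIT, gate))
    threads = [threading.Thread(target=worker) for _ in range(REQUESTS)]
    for t in threads: t.start()
    for t in threads: t.join()
    return w, sum(results)

def reconcile(w):
    """Value paid out or still held that no deposit explains (0 = books balance)."""
    return sum(w.payouts) + w.balance - w.deposited

if __name__ == "__main__":
    for atomic in (False, True):
        w, ok = run(atomic)
        print(f"atomic={atomic}: {ok} withdrawals honoured, unexplained={reconcile(w)}")
```

The reconciliation figure is the control the paragraph above asks for: it is non-zero as soon as payouts exceed what deposits can explain, whatever the transaction rate.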

David Morrow
Dave has 35 years of law enforcement, investigation and fraud management experience including multiple international assignments. He is a recognised telecoms fraud expert and for a number of years chaired the GSMA workgroup responsible for Security & Fraud Risk Assessments.

Dave now provides fraud management support as an independent consultant.