The Anatomy Of A Crypto Crime
Crime for fun, drugs and alcohol. Hacking computers to steal cryptocurrencies. Then using them to pay for illicit goods and services. Eventually, jail.
That's the story of 26-year-old Sri Krishna Ramesh, or Sriki.
Nearly a year ago, the Bengaluru police arrested Sriki for allegedly dealing in narcotics. The chargesheet in the case, dated Nov. 6, 2021, reveals the link between Sriki's activities, illegal narcotics trade and cryptocurrencies.
BloombergQuint has a copy of the chargesheet, which includes a voluntary statement from Sriki. Details in this report are based on that statement.
The revelations come at a time when policymakers in India are debating whether to regulate or ban cryptocurrencies. Reserve Bank of India Governor Shaktikanta Das recently reiterated the central bank's concerns around virtual currencies, saying there are issues of macroeconomic and financial stability involved. Prime Minister Narendra Modi has urged democratic nations to work together to regulate cryptocurrencies. Modi said it was important to ensure that digital currencies are not used in an unlawful manner as "it can spoil the youth".
Dabbling On The Darknet
"I learnt that by the end of my 1st PU (Pre-University or 11th grade) or my second PU days about the existence of a cryptocurrency called Bitcoin," Sriki said in his statement.
This would have been in the early 2010s, barely a year after Bitcoin came into being. The price then was about $100, Sriki said. Today it is over $56,000.
Since his teenage years, Sriki had been active in the "blackhat" hacker community. While whitehat hackers test the strength of an online system and suggest solutions, blackhat hackers breach the system specifically to steal data or funds.
Sriki, now aware of cryptocurrencies, found his way into a darknet market for illegally imported drugs called Silk Road. From here he imported drugs into India for personal consumption. Sriki doesn't specify explicitly whether he paid for these with stolen bitcoins.
"Addicted to the lifestyle of drugs and crime, I changed into a habitual user of narcotic substances..."
- Sri Krishna Ramesh, Hacker Arrested In Karnataka Bitcoin Scam (Based On Chargesheet)
Over many twists and turns in his life, Bitcoin started to play a more important role in Sriki's life and crimes.
While studying in Amsterdam, he briefly worked with an authorised cryptocurrency exchange which was permitted to deal in cash. Sriki collected cash for such conversions and made a 3-5% margin on the deals.
Sriki claims to have lost $3 million worth of Bitcoin in a computer theft during his stint there. This only pushed him deeper towards cryptocurrency crime as he and a network of friends across Italy, Switzerland, Sweden, France and Germany helped recoup the losses, partly by hacking cryptocurrency exchanges.
Sriki and his friends discovered early that cryptocurrencies and the anonymity they allow can make these tokens useful in crime. Their use for illicit purposes has only grown since then.
Chainalysis, a crypto research platform, estimated that $4 billion worth of crypto funds were received by illicit entities in 2020. Of these, $1.7 billion were via the darknet, up nearly 30% year-on-year, the platform said in a report released in February.
India accounted for $42 million in such funds sent or received on the darknet, coming in at number 9 among the top 10 countries seeing darknet transactions. Most of these transactions are related to the global drug trade, according to the Chainalysis report.
While the value of darknet transactions has risen, there was a drop in volumes in 2020 owing to a crackdown by authorities, the report said.
The Big Hack
Back in Sriki's life, a turning point emerged in 2015.
This is when he claims to have hacked a large cryptocurrency exchange. While the exchange is named in the voluntary statement, BloombergQuint is not disclosing the name since the hack could not be independently confirmed.
Sriki exploited a bug in this exchange's data centre and got access to 2,000 Bitcoin, he said. He then transferred this stolen Bitcoin to his own address.
"This was a major financial profit for me," Sriki said in his statement.
Describing this instance as his "first big bitcoin exchange hack," Sriki explained that he used a bug in the data centre which allowed him to reset the root password. He then logged in and reset the withdrawal server passwords and routed the money via bitcoin.cli to his own bitcoin address.
Approx 2000 BTC (Bitcoin), didn't save anything...blew it up on the luxurious lifestyle which I continued by spending 1-3 L(lakh) a day on alcohol and hotel bills at an average.
In another major hack, Sriki stole 3,000 Bitcoin from another exchange, earning a profit of around $3.5 million, by his own admission. He also claims to have hacked other crypto exchanges.
Sriki's statement said he used a specific online tool to get access to the private keys linked to hacked crypto wallets. These private keys are held only by the owner of the token.
Through his hacks, Sriki claimed he earned close to Rs 8 crore.
Hacks like these have become increasingly common.
In 2020, there were 86 attacks with cryptocurrencies worth $532 million stolen, according to Chainalysis. These were through hacks of exchanges, decentralised finance platforms and social engineering or phishing attacks on individuals.
Sriki may be an outlier in using crypto for illicit purposes, as suggested by his own voluntary statement. Equally, cryptocurrencies are not only used for crime, nor are they the only means to run illicit activities.
Yet, at a time when India is debating whether to regulate or ban cryptocurrencies, Sriki's case throws up important red flags. These include the vulnerability of tech-based assets or currencies and the ability to execute crimes with greater anonymity using cryptocurrencies.
These risks have been flagged by a number of regulatory bodies. Agencies like the Bank for International Settlements have repeatedly raised concerns about money laundering and terror financing linked to cryptocurrencies.
In a report in April 2021, the BIS said that a number of jurisdictions have performed national risk assessments linked to illicit activities using cryptocurrencies. "These assessments largely conclude that the risks associated with cryptoassets are relatively high or have grown over the last few years..."
The industry argues that lessons have been learnt along the way and safety features are being built in.
"The use of cryptocurrencies on the darknet rose because it was difficult to share legitimate payment details like your credit card number there. But as the crypto ecosystem has developed, we note that there is an increase in compliance standards and a marked drop in the share of illegal transactions," said Sathvik Vishwanath, chief executive officer and co-founder, Unocoin.
Shivam Thakral, chief executive of BuyUcoin, argued that exchanges have ramped up their security now, compared with 2017-18, when Sriki's hacks had taken place. "Now exchanges don't allow access to their core servers unless it is from a list of approved IP addresses," Thakral said. "So for a hacker to access the servers is next to impossible."
It's difficult to completely do away with hacks, though, and losing cryptocurrency through hacks is a very real problem, said Sharat Chandra, blockchain and emerging tech evangelist.
"There are two ways to counter this. Firstly, the exchanges could insure the cryptocurrencies held in the customer's wallet through a specialised insurance company," Chandra said. "The other, and maybe more efficient, way is to have decentralised wallets."
Typically, exchanges hold the customer's wallet in a central server, making the information vulnerable to hacks. In a decentralised format, the customers self-host their crypto wallets.
Vishwanath of Unocoin argues that in today's tech-driven world, all financial systems can be hacked into. But he acknowledges that with cryptocurrencies, the problem is slightly more complex.
"If someone hacks a bank's server, they tend to get only financial data and not actual money. For the hacker to use this data and extract money is a time-consuming process. In the case of cryptocurrencies, what they are stealing is an actual asset which has immediate worth," Vishwanath said.
Thakral doesn't share that view.
The likelihood of losing money on a crypto exchange, compared with a fiat entity like a bank, is pretty much the same, he said. "Users need to follow basic principles like not sharing a password with an unauthorised person intentionally or unintentionally."
"We're also seeing authorities being more vigilant of any crypto-related breaches, even though there is no legislation to regulate cryptocurrencies," Thakral said. "We have received multiple requests from agencies on certain suspect transactions and we cooperate fully."
Nikhila Henry of The Quint contributed to this report.
Note: This report is based on a voluntary statement by Sri Krishna Ramesh included in the chargesheet. BloombergQuint has not been able to reach him or his legal representatives and has not been able to verify the statement or confirm if it is truly voluntary.