Kathryn Haun put away the DEA and Secret Service agents who tried to make off with more than $800,000 in stolen bitcoin while investigating the darknet Silk Road marketplace. She talks about how the blockchain technology underlying Bitcoin made it possible to uncover their theft, why she believes blockchain will create a lot of good, and what she does when the very people behind tumblers and mixers — technology that makes her work more difficult — turn to her when they are the victims of crimes. Along the way, we learn about the habits of cryptocurrency criminals and get a fascinating view into the world of “breeder documents.”

Show Notes

https://www.forbes.com/sites/laurashin/2016/11/01/federal-prosecutor-kathryn-haun-on-how-criminals-use-bitcoin-and-how-she-catches-them/#260d24281871

Transcript

Female Speaker:

Welcome to Forbes Podcasts.

Laura Shin:

Hi, everyone. Welcome to Unchained, a Forbes podcast produced by Fractal Recording. I’m your host, Laura Shin, a Forbes contributor covering blockchain, cryptocurrencies, and fintech. Thanks for tuning in. If you’ve been listening to the show and like what you’ve been hearing, please review, rate, and subscribe to Unchained on iTunes or wherever you get your podcasts. It helps get the word out about the show. Just a heads up that this is the final episode of season one, but please check back in 2017 for season two.

For today’s episode, I’m speaking with Kathryn Haun, who is the Assistant U.S. Attorney and Digital Currency Coordinator for the U.S. Department of Justice in San Francisco and who also teaches Stanford Law School’s first class on digital currency and cybercrime. Kathryn is also the prosecutor who put away the DEA and Secret Service agents investigating the darknet Silk Road marketplace who tried to make off with more than 800 thousand dollars in stolen Bitcoin. She is here speaking with us in her personal capacity and not official capacity today. Welcome to the show, Kathryn.

Kathryn Haun:

Thanks for having me, Laura.

Laura Shin:

Tell me about what you do, how you came to be a federal prosecutor, and how fintech, cybercrime, and privacy became your areas of specialty.

Kathryn Haun:

Well, now I specialize in the areas that you just mentioned, fintech, cybercrime, privacy, but about over a decade ago, when I began as a prosecutor in the Washington, DC area, that’s not what I did. I worked cartel cases and national security matters and then some time ago, I moved back here, back here to California, and my focus really became organized crime, prison gangs, and murders. So, that’s kind of when I came back out to California, and then some time ago, I decided well, we’re here in Silicon Valley, why not focus on emerging technologies that are so at the heart of our culture here and so that’s what I did, starting about three years ago, and that’s how I ended up specializing in some of the areas that you just mentioned.

Laura Shin:

And so does that mean like you chose cases like those?

Kathryn Haun:

I did. Initially, I started working on some of the Bitcoin, the early Bitcoin cases, and of course, that led me to some of the darknet cases and more cybercrime, cybersecurity matters.

Laura Shin:

And how did you even learn about that area or come to be interested in it?

Kathryn Haun:

Well, I’ll never forget. In about 2012, I was sitting in my office and someone came to me in my office and said how would you like to prosecute Bitcoin and at that time, I really hadn’t heard about it. This was 2012. Now, of course, we can all laugh now because now that we understand what it is, we know that it’s not a thing. You can’t prosecute Bitcoin, of course. I guess it’s kind of like saying how would you like to prosecute cash, but back in 2012, when we were just learning about the technology, that wasn’t clear. So, that’s how I first heard about it and came to learn about it.

Laura Shin:

That’s hilarious. So, how did you come to realize that you can’t prosecute Bitcoin?

Kathryn Haun:

Well, I quickly figured that out. Like I said, it would be like prosecuting cash, which just is not a thing. It’s not possible. So, as soon as I delved in and started learning what it was, that became immediately apparent. Rather, of course, what we could prosecute were some of the criminal uses involving Bitcoin just like we do some of the criminal uses involving cash or checks or PayPal or any other kind of scheme.

Laura Shin:

And so what were some of those early cases?

Kathryn Haun:

Well, some of the early cases were ones you would expect, kind of involving darknet marketplaces, and you’ve also mentioned one about the agents that were involved on one of the task forces dedicated to looking at the Silk Road.

Laura Shin:

Yeah. So, tell me more about that. Like, what was going on there and what were they investigating and then how did you come to realize that they were part of the problem?

Kathryn Haun:

Well, so the case that you’re referring to involves two federal agents who have since pled guilty, but at the time, we didn’t know that, of course. We didn’t know it involved two federal agents. We just knew that we got a tip about one and it might seem strange, but actually, it was an investigative journalist, kind of someone who is in more your line of work, that came to me. That person’s since become a lawyer and he came to me in my office and said I want to give you a tip. I smell a rat and I think you ought to investigate this, but of course, realize that when someone from the public just comes to you to give you a tip and especially when the tip is you’ve got a dirty agent on your payroll, you know, I had to take it with a grain of salt. To be quite honest with you, I felt that it was, I needed to look into it, but more look into it to kind of put this what I’ll call rumor to rest.

So, when I started looking into this matter and investigating it, I was doing it from the perspective of oh, I want to clear this person’s name, but I quickly learned that that wasn’t going to be the result.

Laura Shin:

So, how did you investigate that?

Kathryn Haun:

Well, you know, at the beginning, like I said, it’s a bit of a sensitive thing to look into a federal agent, especially when you don’t really have anything more than a tip. We need to be really careful about that and so we looked at some publicly available sources and we did what I’ll call a very high-level review and that high-level review really quickly showed us that this particular individual was liquidating hundreds of thousands of dollars worth of Bitcoin a month. Laura, you mentioned 800 thousand in the beginning, but actually the number was far greater than that because it was 800 thousand from the Silk Road, but of course, the criminal conduct, in this case, was not limited just to the Silk Road, but to many others in the world out there as well. So, once we saw that the volume was in the hundreds of thousands of dollars and the way it was being moved around, we knew there was something more nefarious afoot and that’s when I did more of a deeper dive.

Laura Shin:

So, what exactly was he doing? He was investigating these and then just transferring the Bitcoin to his own personal account?

Kathryn Haun:

Well, in some cases. I mean, I’m stepping away from the Silk Road aspect. This also, by the way, was the lead undercover agent communicating with Ross Ulbricht almost on a daily basis for years so he was very involved in that Silk Road case, at least the Baltimore case, not the New York case, investigation that was going on at the time, but he was literally going around to different exchanges, alerting them that they had criminal proceeds on their exchanges and that he’d be seizing them and then those funds would make their way back to his own personal accounts.

Laura Shin:

Wow, and so have you learned to read the blockchain or like how do you, you know, dive into all those technical details, which I’m sure you’re not exactly trained in?

Kathryn Haun:

I wasn’t trained in it, you’re right, but you know, like any kind of thing that we’re involved in investigating or prosecuting, you have to learn to get up to speed on a new area of technology or a new area of law. It’s no different than when I wasn’t an expert in motorcycle gangs. I had to learn about what all of the symbols meant, you know, and how those structures were organized. So, too here, I didn’t know about the blockchain. I needed to learn about how it worked and so I really have to give the credit to the agents that I was working with.

I was working with some federal agents, many of whom are not in the San Francisco area, but who are throughout the country at this point and they’re really some of the government specialists in this and they helped me discover how one could go use the blockchain to trace transactions, transactions of value, using things like Wallet Explorer, for example, and so I would not say I’m an expert in the technical aspect of blockchain analysis, but I was able to learn how to go on and trace transactions.

Laura Shin:

So, when you’re unraveling a crime that involves Bitcoin, how does that compare to doing the same for a traditional type of crime?

Kathryn Haun:

Well, let me talk about first how it would be similar to investigating another crime and then I’ll talk about how it would be different. I mean, the similarities are that in most any crime, you can follow the money and so that’s simply what we did here or what we’re doing when we’re investigating a crime involving the use of, criminal use of, Bitcoin. We’re following the money. Another thing that we would do in common is we would get, typically, an email search warrant or a search warrant for communications facilities, cell phones, like I mentioned, emails. So, those are some of the similarities.

But then, there are also some differences and some of the differences are things like anonymizing technologies that are being used, I mean, things like Tor or I2P. In the case of the agents that we were talking about, one of the things that was different in that case is these were the perfect criminals. I mean, they knew how to cover their tracks like almost no one else that we’ve investigated. They were able to use their agent status to unwittingly get companies to alter evidence, unwittingly of course. They were able to use burn bags and shred evidence and get rid of, kind of covering their tracks, but what they really couldn’t escape from was that immutable and permanent record of blockchain and so that actually came in very handy to us in unraveling this.

Laura Shin:

Yeah, and so that’s something we didn’t discuss. You got the tip about the one, but then how did you figure out that there were actually two?

Kathryn Haun:

Well, actually, it was from the blockchain and here’s how. We knew that the first agent, the DEA agent, had been liquidating hundreds of thousands of Bitcoins. We traced those Bitcoins back to the Silk Road. It turns out that that agent had also been extorting Ross Ulbricht, his target, under a name. The moniker he was using was Death From Above and then, separate from that, he was also using another moniker, French Maid, to actually sell Ross Ulbricht information into the government’s case. So, we knew about those sources of Bitcoins that this agent had obtained.

There was then a theft from Silk Road vendor accounts of 21 thousand Bitcoin and for those of your listeners who obviously are following Bitcoin and the price, that’s a lot of money, 21 thousand Bitcoin, and we knew it had disappeared from Silk Road vendor accounts using a Silk Road administrator’s username, credentials, and password. So, of course, many people involved in our investigation believed well, it’s got to be the DEA agent because he had access to all of those things or it’s got to be the Silk Road administrator himself, but what we could see from the blockchain is that the patterns of this DEA agent did not match the patterns of the person who had stolen the 21 thousand Bitcoin. We could just look at the blockchain and see that the modus operandi, what we call in law the signature, was different.

Laura Shin:

And by that you mean just the accounts were different or like how do you define that?

Kathryn Haun:

Not only the accounts but kind of the pattern of where the funds would flow. For example, the DEA agent used numerous hops, numerous different wallets, and was really moving things around, kind of every three days, to different addresses and different wallets on the system and only after, you know, about a month or more would he liquidate those through his digital currency account.

Laura Shin:

And so he was basically trying to kind of like…

Kathryn Haun:

Obfuscate.

Laura Shin:

Okay.

Kathryn Haun:

Correct.

Laura Shin:

I see, but the other was…

Kathryn Haun:

The other was kind of one fell swoop, I’m generalizing of course, but one fell swoop into Mt. Gox, which, as you know, is the now-defunct digital currency exchange that was based in Japan, and so it was kind of all into one place and then all out of that place. All out of that place, curiously, just two days before the feds did a seizure warrant on Mt. Gox, which also made us think that timing is very odd. Was it someone who knew that Mt. Gox accounts were soon to be seized by the federal government?

Laura Shin:

Wow.

Kathryn Haun:

So, we could really see the patterns were different and that did tell us we think we might be dealing with more than one rogue actor.

Laura Shin:

Oh, interesting. So, he is not one of those people that lost his funds the Mt. Gox…

Kathryn Haun:

No. He actually got them out before the feds seized the Mt. Gox bank accounts and also before the hacks and so what happened was these funds were transferred out of Mt. Gox and using the blockchain we could see that they were transferred to ultimately a shell company, a shell company’s bank account here in the US and imagine our surprise when we used other investigative methods to uncover who owned that shell company and it was revealed that it was a Secret Service agent who had also been on that same Baltimore Silk Road task force.

Laura Shin:

And do you know those people personally?

Kathryn Haun:

Well, I prosecuted them so I do now.

Laura Shin:

Okay, but before you didn’t?

Kathryn Haun:

I did not.

Laura Shin:

Oh, okay.

Kathryn Haun:

No.

Laura Shin:

Okay.

Kathryn Haun:

No. They were agents based on the East Coast so I hadn’t come into contact. Apparently, we had been at some of the government’s meetings on these kind of new technologies, but I had never met them personally.

Laura Shin:

Okay, and I’m just curious also about this transition that you made to, you know, learning more about fintech and prosecuting crimes in this area. How does it compare to other stuff that you’ve, you know, prosecuted before, like in terms of maybe your own interest or the kind of like intellectual, you know, richness of it?

Kathryn Haun:

Well, I mean, I think I always really had the fire in the belly about violent crime. To me, just violent criminals were always the ones that kind of got me fired up to go do my job every day and a job that I was passionate about because I felt like they’re hurting other people directly and I never really, honestly, Laura, thought I would get that same kind of passion for doing what we might call more white collar or cybercrime cases or even public corruption because what we’re talking about really is a public corruption case, but I have to say, these cases, at the end of the day, particularly the one that we’re talking about, I was every bit as motivated to kind of find out who done it and to make sure that that wrongdoing was brought to justice as I was for many of my other cases involving more violent crime. So, I think that’s how I would contrast them.

I mean, obviously…I guess the other difference is well, that’s a similarity, a difference would be just in the kind of technologies that we’re using to catch some of the darknet purveyors, for example, or, you know, large-scale vendors say of those selling machine guns on the darknet and those individuals are very smart. They know how to cover their tracks. They know about Tor, they know about anonymizing technologies, they know about how they can best remain anonymous whereas some of the kind of criminals that I’ve prosecuted over the years and kind of prison gangs or street crime, bank robberies, you know, they’re not trying to cover their tracks so much as just get out of town, but they do leave a paper trail a lot more or at least they leave a forensic trail, I guess, a lot more than some of these criminals involved in using financial technologies and the like.

Laura Shin:

Yeah. So, speaking of trying to hide your trail, there, you know, has been increasing use of tumblers and mixers that make it difficult to track exactly where Bitcoins that are involved in illicit activity end up so I’m curious to know how that’s affected your work and you know, if you’re still able to follow the trail.

Kathryn Haun:

Well, there was a lot of talk about tumblers and mixers maybe a year or two ago and certainly they existed and initially, we thought oh no, this is really going to end our trail, if you will, it won’t be possible to keep following the funds, but the truth of it is, Laura, those tumblers and mixers were early technologies and they weren’t, frankly, all that great. They didn’t tumble and mix as well as I think they advertised in some cases so I’ll just say that some of the time, we were able, fortunately, to unscramble, if you will, what the tumbler or mixer had done.

Now, that was only, in my opinion, that was only because it was early days of tumbler and mixer technology and I do think that now times have changed and they’ve changed quickly and so tumblers and mixers, I think, going forward are going to be a real problem for us to do that unscrambling, but that said, I don’t think we can just give up because we come into a tumbler and mixer. We have to at least try and see if there is a way to continue to follow the funds and at some point, it might be that the technologies behind tumblers and mixers are so good and so foolproof that the trail will end for us.

Laura Shin:

Okay. Well, that’s maybe not as optimistic of a view as one might hope for from a prosecutor, but you know, it is true that we’ve seen, you know, huge advances in this technology in a short time. So, I was curious to know if there are any overall trends that you’ve noticed in the crimes that are committed with cryptocurrency versus those that are not? Like, are they, you know, different in any particular way?

Kathryn Haun:

Well, as I alluded to earlier, the one thing that does kind of stand out is the use of other technologies like Tor or like I2P. Also, kind of these…

Laura Shin:

I don’t know what I2P is.

Kathryn Haun:

Oh. The Invisible Internet Project. Think of it as another version of Tor, The Onion Router. It has less kind of what I’ll call market cap right now. Still, Tor is much more heavily used, but I2P is kind of catching up a bit.

Laura Shin:

And so when those are used, then that just means like you, again, that the trail goes cold for you?

Kathryn Haun:

I wouldn’t say the trail goes cold just for the use of Tor. I mean, you know, Tor is not perfect, obviously. Interestingly, you know, Tor was developed, as you probably know, by the government, the United States government, but of course, it makes it much more difficult. I mean, the whole purpose of things like Tor or I2P are to mask IP addresses. Another thing that I think I see trends, as you asked, for those using cryptocurrencies to commit crimes would be using kind of nontraditional email providers, so email providers based, for example, in Russia and not using a Gmail address or not using an Apple email address. Also, use of kind of messaging apps, not WhatsApp, for example, but using instead Telegram…

Laura Shin:

Which I’ve never even heard of.

Kathryn Haun:

…and Telegram is getting a lot of notoriety because of some of the kind of terrorist uses of Telegram. Telegram is, in theory, an application where you can essentially instant message, but then the messages are not kept or stored. They’re gone.

Laura Shin:

Oh. So, it’s sort of like Snapchat, but not for teens.

Kathryn Haun:

Exactly.

Laura Shin:

Why do you think they’re using these email providers in Russia and stuff, like why?

Kathryn Haun:

Well, I think, I mean, we saw that actually getting back to the case you asked me about, the Secret Service agent, is a great example of that. He…and talk about different patterns and how we knew we were talking about two different actors. We saw the DEA agent was still using kind of the Hotmail email addresses. The Secret Service agent, to cover up his crimes, was using, you know, Yandex in Russia. I think the thinking here is well, if the government gets a search warrant and they’re not going to be able to serve it without a whole lot of headache on a Russian company, on a company that’s not here in the US. It’s much easier to go, or at least it used to be, much easier to go to Microsoft or Google and say here’s a federal search warrant, we’ve justified probable cause for getting this content than it is to go to a Russian company.

Laura Shin:

Oh, wow. I wouldn’t even know how to get a Russian email address, but I guess if you [inaudible]…

Kathryn Haun:

I’m not going to advertise here on your show either.

Laura Shin:

So, in general, how quickly would you say that we’re seeing criminals start to use cryptocurrency? Is the prevalence growing and if so, like how quickly, and you know, would you say that’s happening?

Kathryn Haun:

Oh, I think it’s happening very quickly, but I want to be clear. I don’t just think only criminals are using this, right. I think there are, I mean, I actually know federal agents who have Bitcoin and they’re not doing it, and they’re not having it to steal. They actually have it because they find it an interesting technology. So, I think that the…I hope that the overwhelming uses are becoming more and more legitimate, but you know, like all great technologies, I mean, it starts out that criminals are often the first or the earliest adopters.

So, I think we’re seeing that they’re quickly using cryptocurrency and that’s on the rise, but at the same time, it’s also on the rise of kind of the population at large. I think it’s no different than just everything going digital, right. I mean, you start out using cash, you move to kind of checks and the credit card era, then you move to the PayPal and the Apple Pay era and then you’re on to cryptocurrency. I mean, just like the public at large is moving in this direction, so too are the criminals. So, I think it’s rising very quickly.

Laura Shin:

Well, if you were a criminal, what would be your preferred, you know, medium of transaction?

Kathryn Haun:

Well, I certainly won’t answer that question.

Laura Shin:

Okay. Well, I’m curious to know, do you feel like cash is still preferred by a lot of criminals?

Kathryn Haun:

Oh, I think it really depends on the crime. I mean, if you’re talking about the need to move, you know, relatively little cash, I think yes, it is, and if you’re talking about a crime where it can take place like a transaction on the street, absolutely, because we know that that’s not trackable or traceable. Then, you run other risks though if you’re meeting person to person, but where you’re talking about kind of large-scale criminal activity or fraud, it’s just not feasible to make the cash payments.

Laura Shin:

Okay. Yeah, and I guess also if it’s like happening across border.

Kathryn Haun:

Exactly.

Laura Shin:

Right. When you look at some of the crimes that you commonly see, and not just with cryptocurrency, but you know, just across the board, what are some of the ways that you think blockchain technology could help you prevent those?

Kathryn Haun:

Well, I think one of the interesting, I think, use cases, and I don’t know that it actually is a use case yet, it might just be being tested, but is in the area of public records. For example, of all of the kinds of cases, and I said this a couple weeks ago, but of all of the cases that I’ve ever done, whether you’re talking about the Hells Angels or whether you’re talking about marriage fraud or whether you’re talking about the bank officer I prosecuted for impersonating dead people, I mean, or whether you’re talking about some of the criminals that I’ve prosecuted in using cryptocurrency, they all have one thing in common. There’s always been, somewhere along the way, a forged, counterfeit, or stolen public document and they all have that in common. Even a murder case I tried, same thing. It had a forged public document and so I think one of the interesting use cases for blockchain is to kind of help prevent crime or rather help stop fraud, let’s just call it that, help stop fraud in the first place is could public records be issued on a blockchain and I think that’s a very interesting thing to explore.

Let’s take the case of birth certificates, for example. Did you know, Laura, that in the United States alone, over 6,500 different entities issue birth certificates?

Laura Shin:

Oh, my god. No.

Kathryn Haun:

Using over 14 thousand different forms and that’s just in this country so you can imagine that it’s extremely easy to counterfeit or create a forged birth certificate. I mean, people can’t even recognize what a forgery is because we’re using 14 thousand different forms and have 6,500 different entities issuing them and you might think well, what can you really do with a forged birth certificate? Well, a lot. We call these, in law enforcement, we call these breeder documents because they quite literally breed new identities. Let me tell you how.

You get a forged or a fake or stolen birth certificate in a name and you take that down to the DMV and you get your photo taken with that and now you all of a sudden have also a driver’s license. You take the driver’s license and the birth certificate to the passport office. Now, you’ve got yourself a passport and all of a sudden, with these three kind of identity documents, the sky is the limit on what kind of criminal activity you can do. You could file for fraudulent benefits from the government, you could commit some kind of terrorist offense, you could purchase weapons, you could traffic in people, you can, obviously, commit drug smuggling. I mean, really the sky. Like I said, the sky, unfortunately, is the limit and so it’s a real problem having the ability to kind of steal or counterfeit a birth certificate quite so easily and you know, don’t take my word for it.

I mean, the Department of Health and Human Services, some time ago, sounded the alarm when their inspector general wrote a pretty scathing report on the prevalence of this kind of fraud happening with birth certificates and you can go look that up online to see what I’m talking about if your listeners are interested.

Laura Shin:

That’s absolutely terrifying to listen to just how easy it is to do that. When you think about implementing that kind of a solution though, I also think of tons of obstacles, you know. What do you imagine will happen as we’re starting to see…I mean, governments are taking an interest in it, but do you have a sense of like where it might first be applied or how it might roll out?

Kathryn Haun:

Well, first of all, let’s talk about the problem that it’d be trying to solve. So, one problem is, I just alluded to, it’d be trying to solve forgeries or fakes, right. At the end of the day, these centralized databases spit out for us a paper document and you know, sitting here going into 2017, it just doesn’t really make sense anymore to have that be a paper document, particularly where, as I said, they’re so easy to forge.

So, that’s one problem, the forgery, but another problem with some of the centralized databases right now that the municipalities and the governments have for maintaining these public records are they are subject to tampering and I think that’s a concern also because, for example, in 2008, here in San Francisco, I don’t know if you, you were possibly not here at the time, but the City of San Francisco’s network administrator became disgruntled after getting some poor performance reviews and he changed all of the other engineers’ passwords and he literally held the entire City of San Francisco’s computer systems and databases hostage for five full days. No one had access to those documents so anyone who needed a city document during that time was out of luck.

Laura Shin:

But that is crazy.

Kathryn Haun:

Yeah. Don’t mess with the IT guy, right. That was the lesson there, but he…the point I’m making is that kind of tampering, where you have a centralized database, is possible. So, the problems are fraud with paper documents and tampering with centralized databases. People are looking to the blockchain as possibly solving those because, one, it’s no longer a decentralized database, right. You have it spread out over millions of different systems worldwide so the possibilities for tampering, I don’t want to say they’re none, as a prosecutor, I would never say none, but let’s say significantly reduced and very difficult to tamper with decentralized systems and then also you don’t have the possibility for fraud because you’re not printing out a paper record. Because of the immutability and the permanence, one can simply look to the fact of that blockchain to prove that, you know, did a hospital write a record to the blockchain when a particular child was born.

Laura Shin:

And I know it’s very early days, but are any pilots or kind of any initiatives that you know of that are sort of interesting to you in this realm?

Kathryn Haun:

In the public records realm?

Laura Shin:

Yes.

Kathryn Haun:

I’m not actually…I haven’t looked into it too much. None come immediately to mind. I know that there are some pilots. I don’t know what the MIT Digital Currency project is I think possibly involved in some of those. I’ve heard about pilots in some of the countries involving not necessarily birth certificates but involving, you know, land titles, I believe, in Georgia, Honduras, I’ve heard as well.

Laura Shin:

Sweden, I think.

Kathryn Haun:

And of course, we have Estonia as kind of a model of eGovernment, right, but to answer your question about what, you know, what would be some of the hurdles, I think one hurdle is if we’re looking at the United States, look, we’ve got 50 different states, but I already told you that 6,500 different entities can issue birth certificates in this country so I think it would be very interesting to have kind of an experiment with, you know, one state. Like, let’s start small. Let’s have a small state start issuing, as a pilot project, birth certificates on a blockchain and see how it works and then let’s test it. Let’s have people try and hack that and let’s see if they can and so you’re not saying oh, let’s move the entire country, let’s move everyone to this system all at once. I think really start with a small pilot project, start in a small jurisdiction, and kind of see how it goes.

Laura Shin:

Yeah. Yeah. I think that’s what we’re seeing with a lot of these pilots these days. So, one thing we’ve been talking about a lot in this episode is the public Bitcoin blockchain, but soon there will be some cryptocurrencies that are more private, including one that’s getting a lot of buzz called Zcash. How will something like Zcash, which is effectively like a more private cryptocurrency, how will that affect your work?

Kathryn Haun:

Well, I think Zcash is supposed to publicly launch next week, at the end of October. I think it was October 28th and if it works like it is supposed to, it would make our work a lot harder. Now, I say if and that’s if it works as it’s supposed to because we don’t really know yet if it lives up to the hype of being purely and truly anonymous, but the thing that we do know is that it’s a matter of when, not if, we have an anonymous kind of form of payment, that the technology will catch up, that we will someday have that. I do believe that and I think that, I don’t know whether that’s Zcash or that’s some other form that comes out, but I think that will make our work a lot harder because, as I told you, one of the main ways we can trace criminal activity is following the money, right. Criminals want to be paid and if we all of a sudden omit an entire kind of source of evidence that’s historically been available to us, that’s going to make our job a lot more difficult. Absolutely.

Laura Shin:

And so is this the kind of thing where, you know, like I know way back in the day, some people talked about like oh, is the government going to shut Bitcoin down, but you know, then of course, I think the government realized that actually, the blockchain is really useful to them, but in the case of Zcash, which you know, might have a different reputation, is that something that either could be shut down or that the government might try to?

Kathryn Haun:

Well, I just want to clarify, I don’t think the reason that the government didn’t shut down Bitcoin was because the blockchain was useful to the government. I think the reason is the government recognized you can’t shut down Bitcoin. I mean, there’s simply no way and that’s what we’re seeing here is once…with these technologies, when the genie’s out of the bottle, you can’t put it back in, right, and so even if the US government, and it would require, I think, a kind of change in our laws and policies that society would, you know, inform that decision making, but even if we could hold, I think, developers of these technologies accountable, and right now, generally speaking, that’s very hard to do. It’s very hard to say you’ve made a technology, we will now prosecute you for making that technology. That’s really counter to our existing kind of legal system right now.

We’re seeing this debate, by the way, not just in anonymizing technologies, we’re seeing this debate with gun manufacturers. I mean, I think there’s some real analogs there. You know, our laws, right now, are such that we do not hold gun manufacturers liable for the harm that their product causes and I think, at some point, we, as a society, need to say at what point might we want to change those laws. I don’t know that we do and I’m not advocating that we do want to change them. I’m just putting that out there as food for thought.

I hear a lot of times some of the developers, creators of these anonymizing technologies, say oh, well, we’re doing this for privacy. We just want everyone to be able to have private transactions, which I very much like and endorse. On the other hand, look, it’s obviously the case that a large percentage of criminals are also going to be using and gravitating towards those kind of technologies. So, at what point do you, as a developer, I mean, is there a percentage that you’re comfortable with as a developer of where your technologies are being used for more harm than good? Do you think about those questions? And I don’t know the answer to that. I don’t know what’s in the mind of some of the people that are creating this and I think there are a lot of, as I’ve made clear, very good uses and very legitimate uses for some of these technologies, but I do worry about the effect that they will have on our ability to help solve crimes.

I mean, you know, ironically, some of these very technologies come to us when they’ve been hacked, when they’ve been the victim of a hack, you know, a tumbler or a mixer, and all the funds are stolen. Well, you know, who do they turn to, to kind of help try and get their money back or put the wrongdoer behind bars and ironically, some of these technologies or these developers are becoming sometimes victims.

Laura Shin:

Interesting.

Kathryn Haun:

And you know, it makes it hard for us to solve their crimes because of their technologies or the crimes that have afflicted them, I should say.

Laura Shin:

So, that’s fascinating. So, when an organization like that comes to you, in that case where you know that they’ve kind of been making your job difficult, like how does that, you know, affect the calculus of like whether or not you’re going to, you know, choose that case?

Kathryn Haun:

Well, I don’t think that really would affect the calculus, to be totally honest with you, because I don’t think that we are thinking that we’re adversaries with these technologists or developers, quite the contrary. I mean, so I don’t think it would affect whether or not we would take a case. I’m just pointing out the irony that some of the exchanges over the years that have been hacked that have come to the government to seek assistance in solving the hack or getting back the money were kind of, I think, originally not thinking they would be coming to the government for help, but I don’t think it would affect our calculus and whether or not we would take a case and that’s true not just in the space of anonymizing technologies or cryptocurrencies. It’s true in any case, right.

It’s true in the cases of violence or assault or robberies. I mean, just because, let me give you an analog. Let’s say, kind of a bank robber who I prosecuted over the years, actually, I did have one who came back after he got out of prison and did another bank robbery, let’s say he was the victim of an assault and he came to me to report that. I wouldn’t not take that case because he had previously been in a posture that was adversarial to me and I think it might be a far-fetched analogy, but I think you get my point.

Laura Shin:

Okay. Are there any other kind of like new frontiers in crimes in financial technology that you think are coming up or that are trending?

Kathryn Haun:

Well, I don’t want to give anyone any ideas. I think people out there know what they are who are using them already so I don’t want to draw or highlight them.

Laura Shin:

As far as I know, you recently gave a TED talk about some good uses of blockchain technology, you know, aside from the government records. Is there anything else that you want to highlight that you’re excited about?

Kathryn Haun:

Well, I don’t know how it will play out, but I am excited about some of the pilot projects with respect to putting kind of sometimes private data, maybe whether it’s onto private blockchains or whether it’s on public blockchains in an encrypted form. In the case of, for example, something like medical records. I mean, we talked earlier about public records and birth certificates and people always say well, aren’t you concerned about privacy and I say well, when I’m talking about public records, I’m not concerned about privacy because those are public.

Now, let’s talk about private data and if you want to talk about private data, let’s talk about, for example, your medical data. You know, Laura, I don’t think most people realize that their medical data is more valuable on the darknet, far more valuable than their financial or credit card information and I don’t think they realize that hackers are actively targeting the health sector. Did you know that over 150 million breaches of patient records have already happened as a result of things that we’ve probably all heard of like the Anthem breach and of course, the Anthem data wasn’t even encrypted, right.

Laura Shin:

And why is it that medical records are so much more valuable on these marketplaces?

Kathryn Haun:

It’s a good question. I mean, a couple reasons. One, with medical data, you can, thieves can take that to create fictitious or fake IDs and bill insurers for fraudulent claims, kind of en masse. They can also buy medical equipment and drugs that are consistent with a particular patient profile and avoid detection because the insurance companies or medical providers don’t catch this because it’s, of course, consistent with a particular patient’s profile that they would be buying that medicine or that they would be buying that medical equipment and then they resell those, whether on the black market or elsewhere and so there’s a huge marketplace for that and like I said, 150 million patient records have already been breached. That’s staggering and those are just the ones we know about that have been announced and we know that hackers are actively targeting the healthcare industry and part of this is because high reward, right, I just said they can make a lot of money with this information, but it’s also some of the least secure.

Laura Shin:

Right. Yeah.

Kathryn Haun:

I mean, hospitals and insurance companies and doctors’ offices and the medical industry as a whole is more focused on patient care than cybersecurity and we…

Laura Shin:

Especially compared to something like a bank.

Kathryn Haun:

Exactly, and also banks have been sometimes having to comply with certain kind of regulations that particularly apply to financial institutions, which aren’t really as much in a factoring force when you’re talking about medical data. Of course, there are things like HIPAA, but in terms of securing the actual data, this is a real problem where you have kind of some centralized databases that aren’t that secure, but that yet are so valuable to thieves. So, if thieves break into a centralized database as they did, for example, with Anthem, they can make off with everything.

So, getting back to your question of some use cases that might be exciting, I mean, if it is the case, and I don’t know if it is, but if it is the case that, for example, what some of the MIT researchers are exploring right now with putting private, encrypted medical data onto some form of a blockchain that’s decentralized so you don’t have a central repository for hackers to hit, I think that’s an exciting use case because I think that we’re just starting to see how dangerous it is with having private medical data kind of in these not-well-guarded repositories that are central.

Laura Shin:

Yeah, and the other thing I was thinking is that, you know, with your financial data, you can change your credit card number or, you know, but you can’t change like your social security number, you can’t change your prescription. You know, these are all things that are really just central to you.

Kathryn Haun:

And they’re also private, right. I mean, how many people want thieves or being able to know what kind of medical treatment or procedures they’ve undergone. Those are incredibly sensitive pieces of information and another thing is we see ransomware providers and we see ransomware providers actively targeting two sectors. The first is the healthcare sector and hospitals and the second is municipal governments, things like police offices and so…but if you go back to targeting hospitals and all of a sudden a ransomware provider can take an entire hospital system hostage and demand some kind of cryptocurrency for payment…now, right now, if they’ve used blockchain and they haven’t used tumblers and mixers, we might have a fair chance at solving that crime, but if these things achieve kind of perfect, complete anonymity, like tumblers and mixers and Zcash and a hospital system is taken siege, will we ever be able to kind of uncover who is responsible for that? I hope that we can up our game and use other investigative methods, but at some level, it’s trying to…you know, we’re prosecutors. We can only use the tools that the public and society give us and that our laws give us and at some point, we have to be able to solve crimes and prosecute crimes with two hands tied behind our back.

Laura Shin:

Right, and so in this case, definitely the better solution would be to put the medical records on a blockchain that’s secure and can’t be hacked.

Kathryn Haun:

And that’s not something that law enforcement is obviously going to mandate. That’s something that private industry, the researchers, the regulators, I mean, will all have to work out those things. That’s not in my area of specialty, but I do think that where you’re talking about private data like medical records, it is really a problem.

Laura Shin:

Yeah. Well, this has been such a fascinating discussion. Where can people learn more about your work and get in touch with you?

Kathryn Haun:

Well, I would just direct them to the Justice Department’s website, which is www.usdoj.gov and you can see about not just my work, but the work of the many prosecutors around the country in all of the districts are doing and you can visit kind of the cybercrime section’s page on that website, which is CCIPS back in…CCIPS is a component of Main Justice at headquarters.

Laura Shin:

Well, thanks so much for coming on the show.

Kathryn Haun:

Thank you so much for having me.

Laura Shin:

Thanks for joining us today. If you’re interested in learning more about Kathryn, check out the show notes, which are available on my Forbes page, Forbes.com/sites/LauraShin/. Today’s episode concludes season one, but please check back in 2017 for season two and if you’ve been enjoying the podcast, please remember to review, rate, and subscribe to it in iTunes or your preferred platform. Thanks again for listening.

Female Speaker:

You just enjoyed a Forbes podcast. To learn more about our other shows, visit Forbes.com/podcasts. Thank you.