The IRS is looking for help to break into cryptocurrency hardware wallets, according to a document posted on the agency website in March of this year.
Many cryptocurrency investors store their cryptographic keys, which confer ownership of their funds, with the exchange they use to transact or on a personal device. Some folks, however, want a little more security and use hardware wallets—small physical drives which store a user's keys securely, unconnected to the internet. The law enforcement arm of the tax agency, IRS Criminal Investigation, and more specifically its Digital Forensic Unit, is now asking contractors to come up with solutions to hack into cryptowallets that could be of interest in investigations, the document states.
"The decentralization and anonymity provided by cryptocurrencies has fostered an environment for the storage and exchange of something of value, outside of the traditional purview of law enforcement and regulatory organizations," the document reads. "There is a portion of this cryptographic puzzle that continues to elude organizations—millions, perhaps even billions of dollars, exist within cryptowallets."
The security of hardware wallets presents a problem for investigators. The document states that agencies may be in possession of a hardware wallet as part of a case, but may not be able to access it if the suspect does not comply. This means that authorities cannot effectively "investigate the movement of currencies" and it may "prevent the forfeiture and recovery" of the funds.
That's why the IRS wants researchers and contractors to come forward with solutions to hack into hardware wallets. Crucially, the IRS does not want a one-off solution, but tools that it can reliably use in multiple cases going forward.
"The explicit outcome of this contract is to tame the cybersecurity research into measured, repeatable, consistent digital forensics processes that can be trained and followed in a digital forensics’ laboratory," the document says.
While the desire for a reusable tool makes a lot of sense, it's also what makes this request so challenging, according to Andrew Tierney, a security researcher who has done research into cryptocurrency hardware wallets.
"Hardware wallets are really getting quite secure now, with a lot of research into them. You might be able to find issues in a few, but to have ready made exploits to work against lots of them is going to be very hard," Tierney, who is also known as Cybergibbons, told Motherboard in an online chat. "Another challenge of course is that the funds aren't actually on the wallet. Just the keys. If the owner knows they are attacking it and can act, the funds can be moved."
According to the cryptocurrency research firm Chainalysis, around 20 percent of all the Bitcoin in existence—equalling more than $100 billion—is locked in wallets.
"There's SO MUCH lost Bitcoin out there, it's like the 21st century of sunken ships with treasure aboard," Adrian Sanabria, a cybersecurity expert, told Motherboard in an online chat.
The IRS has recently signalled its intent to track and enforce against fraud related to cryptocurrencies even more closely than it has in the past. In March, the agency announced "Operation Hidden Treasure," which has the goal of ferreting out undeclared cryptocurrency gains.
The document makes no mention of that operation, and it is unclear whether the request is connected to it. Regardless, as more and more criminals choose hardware wallets to protect their ill-gained bitcoins, the feds clearly want methods to access them to find key evidence. For some, however, there may be easier and cheaper solutions.
"It seems like overkill," Nicholas Weaver, a senior researcher at the International Computer Science Institute at UC Berkeley, told Motherboard in an online chat. "For most of these devices a choice of 'Either give us the password or rot in jail for contempt' might be sufficient."