WannaCry Bitcoin trail leads investigators to Swiss exchange

Investigators are following the trail of the WannaCry attackers' Bitcoin ransom, with one digital currency asset exchange service confirming it was used to convert the nefarious funds. The notorious ransomware took advantage of security loopholes in older versions of Windows to seize control of users' systems, locking up their files until they coughed up $300 or more. That cash, amounting to more than 50 BTC, had been sitting in digital wallets until earlier this week.

In total, around $143,000 worth of Bitcoins had been amassed, across three wallets known to be used by the WannaCry attackers. On Wednesday evening, the funds from those wallets began to be withdrawn, and several hours later all 52.2 BTC was gone.

At the time, it was speculated by security researchers that the attackers had converted the Bitcoin into another cryptocurrency. That alternative, Monero, was created in 2014 and has a particular focus on privacy. It can obscure not only the sending address but the amount of the transaction and the address of the recipient.

Now, that route has been confirmed. ShapeShift, a digital asset exchange based in Switzerland, has issued a statement verifying that at least a portion of the Bitcoins passed through its service. Describing it as a breach of its terms of service, namely using it to process the proceeds of a crime, ShapeShift said that it has "taken measures to blacklist all addresses associated with the WannaCry attackers that are known to the ShapeShift team."

Although Monero may hide who sent digital currency and who received it, ShapeShift says that's not the case on its exchange. "Any transactions made through ShapeShift can not be hidden or obscured," the company said in its statement, "and are thus 100 percent transparent, making laundering of any digital tokens impossible."

It's now working with law enforcement on the WannaCry case, "and will assist them with any needs they may request to apprehend the perpetrators."

ShapeShift's involvement was highlighted by Neutrino, a cryptocurrency intelligence firm, Cyberscoop reports. The service's appeal comes down to the lack of registration required. Neutrino's CTO, Alberto Ornaghi, said the criminals likely favored the service "because it's easy to use and it does not require any registration. You use it completely anonymously."

However, he also warned that, should investigators get access to ShapeShift's records, those responsible for WannaCry might find their transaction wasn't quite as clandestine as they believed. "If they can have access to the ShapeShift logs," Ornaghi explained, "maybe they can find some other clues of who utilized the service and from where."

Earlier this week, the inadvertent hero credited with putting the brakes on WannaCry was arrested in the US. Marcus Hutchins, a Kryptos Logic researcher better known by his handle of MalwareTech, was arrested by the FBI for alleged involvement in the Kronos banking trojan back in 2014-2015.