John Bambenek - VP of Security Research and Intelligence, ThreatSTOP


John Bambenek has done it all — he’s been a malware researcher, security lecturer and computer science teacher at the collegiate level. Now the vice president for security research and intelligence at ThreatSTOP, Bambenek has added another bullet point to his resumé: tracking the movement of cryptocurrency between groups associated with white nationalism. Drawing from his previous work tracking the rise of ransomware, Bambenek tells us how his latest project will set the table for watching money move between shady outfits for years to come.

CyberScoop: We noticed you’ve been tracking the cryptocurrency wallets of various white nationalist groups. How did this come about? 

John Bambenek: I watched what happened in Charlottesville and said “Oh, wow, they are coming out of the woodwork.” A couple of their names I was already familiar with, specifically through the printer abuse incidents.

I was familiar with googling around and seeing exactly what’s going on with them. So they were raising money in bitcoin, asking for donations, so I looked at their wallets and saw huge balances. I said “what the hell is going on here? There’s actually real money involved.”

I remembered when WannaCry happened, somebody created a Twitter bot to track all the transactions for that. I was about to start my master’s in CS where I had to learn Java. I figured why not do something in Node to warm up for it. So I downloaded the code. We started with The Daily Stormer and Weev and then just started adding other people as time went on.

CyberScoop: Do you have any fear of having these groups come after you?

JB:  They’ve come after me and said “Oh, we’re gonna dox you.” And I say, “Congratulations, I ran for office, you can find out a whole lot of information on me, so knock yourself out, kids.”

They like getting under people’s skin. So when you just say “I don’t care about you,” and send animated GIFs back at them, they eventually go away.

CyberScoop: How has that work influenced the work that you’ve been doing lately in cybersecurity?

JB:  It’s provided a good case study of bitcoin-related cases and investigations. I’ve developed tools to follow cryptocurrency transactions. It has given me some motivation to dive into it in earnest, to find other interesting things where we can build more conventional cases.

I know in some cases there have been cryptocurrency exchanges that have cut these people off their ecosystem, so there’s some interesting possibilities to be had there. There is also some work going around enumerating the donors and people who are actually funding these guys.

Some of the lawsuits going on against some of these guys, there’s eventually going to be judgments and the seizing of assets. For a lot of them or other assets of cryptocurrency, it’s an emerging problem of what to do with, you know, people who criminally gained wealth in cryptocurrency and how to seize that or otherwise take possession of it.

CS: How have you seen criminals evolve when it comes to the way they use cryptocurrency? How do the value fluctuations impact their actions? 

JB:  One of my first interactions with cryptocurrency cases was Cryptolocker back in 2013. Criminals basically hard-coded the ransom into the malware itself. But the price of bitcoin jumped suddenly, so they actually had to start issuing code updates to re-calibrate the ransom. Bitcoin is just a means, it’s not the actual wealth they are trying to get. If the ransom gets much above $1,000, victims just don’t pay. So criminals are actually starting to accommodate some of that because if I’ve got a ransom demand I care about the dollars, not the bitcoin, right?

Ransomware generally is on the wane, but it’s still an effective money laundering service to criminals. But ransomware has become the world’s best security awareness exercise, and I think has dramatically improved security awareness among the general population and the business community.

CyberScoop: What’s the biggest thing the cybersecurity industry has improved upon in the last 12 months?

JB: Part of the unfortunate reality is almost everybody chases the enterprise deal. So those solutions are priced out from the people who need it the most. But I think there’s this growing awareness that we need to get some of these tools in the hands of normal people and small-to-medium businesses.

So you’ve got things like Quad9, which actually integrates threat intelligence and threat feeds to the user community in a way that also protects privacy.

Additionally, I also think a lot of people talking about machine learning and analytics now are actually really talking about it, versus just rebranding next-gen histograms as “machine learning” and trying to become a billion-dollar company.

CyberScoop: There is so much new tech out there with the advent of the Internet of Things, yet we are still trying to secure so much of our legacy tech. Will we ever reach a balance where things are secure by design and stay secure five to 10 years into their use?

JB: Probably not. If you take every new piece of technology that gets offered at CES or whatever trade show, it’s being sold based on features. Just look at Microsoft Windows. It took them two decades to get a relatively hardened operating system in Windows 10. It took them 10 years to say “let’s apply updates and patches automatically” on Patch Tuesday. That was a 10-year problem. Just that one change has had an immensely positive impact. We’re just now starting the process of developing secure IoT operating systems. They could just be adopted by manufacturers.

We don’t have enough people to turn around and say, “Okay, you’ve got this new feature. Well, this is how I can kill somebody with it.” Because those kind of people always make you nervous. So I’m not worried about being professionally made obsolete any time in my lifetime.