Attack of the 50 Foot Blockchain


by David Gerard


  CryptoLocker, the first ransomware to use Bitcoin (though you could also pay by Moneypak or Ukash), showed up in September 2013. It was hugely successful, taking about $3 million, and spawned many imitators.

  Security professionals I spoke to say that the reason for the explosion in ransomware from about 2015 on is not Bitcoin (as media reports often claim), but the ready availability of ransomware builders in malware kits from the hacker underground since that time – so that any script-kiddie can use a kit to make their own ransomware.

  The best-known ransomware of late is probably WannaCry. The WannaCry attack of 12 May 2017 knocked out several NHS hospitals in the UK and companies around the world. It used a Microsoft Windows vulnerability that had been fixed in March, but many organisations had not updated their Windows installations.

  Some victims have tremendous difficulty obtaining the bitcoins to pay the ransom – most exchanges have strong identity verification requirements, and often the delay before allowing trades is longer than the ransomware’s deadline. Not to mention the frequent delays getting Bitcoin transactions through at all.

  Bitcoins are so hard for normal people to use that from CryptoLocker on, ransomware operators have been known to provide technical support to victims, so they can work out how to pay them and unlock their files. F-Secure even compiled a customer service evaluation of ransomware gangs.[207]

  Citrix ran a promotional survey in 2016[208] and again in 2017[209] suggesting that some UK companies were keeping Bitcoins on hand just in case it happened to them – though paying ransoms is not recommended,[210] as victims often don’t get their files back even then, and paying up marks you as a future target; Telstra’s “2017 Cyber Security Report” said that a third of surveyed Australian organisations who paid the ransom didn’t get their files back.[211] Victims are, unsurprisingly, increasingly reluctant to trust the good will of organised criminal gangs; WannaCry infected PCs around the world and only took in $80,000.

  IT professionals recommend keeping Windows fully updated for security, and keeping reliable daily backups, so that if you’re hit you can just wipe the PC and restore your data. When the NHS was hit by WannaCry, no patient data was stored on the affected machines and they did not pay the ransom – they just spent the next day reimaging thousands of PCs afresh.[212]

  Bitcoin seems to be the only cryptocurrency used by ransomware so far – though one WannaCry imitator mined the altcoin Monero on infected PCs.[213]

  If you do get an apparent infection, it’s worth checking it isn’t fake ransomware, that locks your screen and demands your money, but doesn’t bother with encrypting your files.[214]

  The WannaCry attack was sufficiently egregious that some started calling for Bitcoin to be banned altogether, since its non-speculation uses are largely illegal. One exchange, Coin.mx, had even been charged in 2015 with money laundering violations for selling bitcoins to the victims of ransomware attacks, as this enabled the criminals to get paid for them – though this was as part of a long list of other money-laundering charges.[215]

  Non-illegal goods and services

  For ordinary people to regard Bitcoin as money, shops other than darknet drug markets have to accept it. Advocates are very keen on merchant adoption, because it spreads Bitcoin’s name in the wider world and makes it look useful. Unfortunately, approximately none of them buy things with bitcoins themselves.

  The way the process usually works is:

  advocates lobby a merchant to accept Bitcoin;

  the merchant says no;

  advocates harass the merchant.

  If they do accept:

  the merchant sets up a mechanism to accept Bitcoin – usually via Bitpay, Coinbase or a similar payment processor who will give them dollars, meaning they never touch a bitcoin themselves;

  after an initial burst, nobody much uses it;

  advocates protest loudly at the merchant dropping Bitcoin.

  The advocates tend to hold their coins rather than spending them, in order to cash in when other people have increased demand and raised the price. Prominent Bitcoin advocates have even worried that too much merchant adoption might drop the value of their holding.[216]

  The general public don’t buy bitcoins to spend on anything they could just buy in ordinary money, and without waiting hours or days for the transaction to confirm. All but a very few merchant adoptions fall by the wayside.

  Cards Against Humanity in 2013 was a typical example of Bitcoin outreach in practice. Cards Against Humanity is a card game that you can buy mail-order, or just download the PDFs to print out yourself. One Bitcoiner asked if he could buy a pack with bitcoins; when they said no, he emailed back pressing the point and stressing the “exposure” value this would offer them. (Of course, every creator knows that when you offer them “exposure,” that means you have no intention of paying them.)

  When they replied demurring once more, the Bitcoiner complained to his fellow advocates on Reddit /r/bitcoin.[217] “I wasn’t expecting them to do a single sale in Bitcoins just for me but instead I wanted them to consider doing business using bitcoins and potentially benefit from the publicity that might come with that.”

  One commenter posted: “They just prefer the imaginary debt based ‘money’ their slavemasters issue via the central banks of the world.” (Max Temkin of Cards Against Humanity responded: “Yes I use it to buy groceries.”[218]) Another suggested continuing to email them: “Hey OP, if you really want to prove your point to the sellers of this game, you should: Once a month send an email detailing how much the Bitcoin you would have sent in payment for the game has increased in value, compared to how much the USD has decreased in value due to inflation. After awhile they just might understand.” Others harassed Temkin on his blog and threatened further action on Reddit.[219]

  When merchants do adopt Bitcoin, it tends not to result in a flood of business. Australian phone app MyBus, for local bus travel in Canberra, added Bitcoin as an option in March 2014, and had twenty-three transactions total by the time they removed it in January 2015. When they temporarily switched off the option for maintenance in September 2014, they received “about 30 emails from people asking for it to be reinstalled, which is odd because that’s more people than have actually used the feature.”[220]

  Automattic, the company that develops blogging software WordPress, offered Bitcoin in November 2012 to allow paid wordpress.com upgrades for users without access to PayPal or credit cards. They withdrew the option in February 2015, noting it was only used approximately twice a week.[221]

  The Mozilla Foundation, the charity that develops the Firefox web browser, began accepting Bitcoin donations for their end of 2014 campaign. This wasn’t good enough for the advocates: they demanded Mozilla include Bitcoin prominently on the primary donation page! With millions of page views, it was quite easy to run an A/B test, where you serve a different version of the page to a fraction of the viewers and can directly compare the effects of the two versions. The A/B test showed that the text “Donate with Bitcoin” dropped revenue per visitor by 7.5%; adding the text would have lost them $140,000 over the campaign, for the sake of a few thousand dollars in Bitcoin.[222] The Bitcoin community, of course, claimed that this literal direct measurement was somehow statistically bogus, listing objections that showed they didn’t understand what an A/B test was.[223]

  The Wikimedia Foundation (the charity behind Wikipedia) did rather better, accepting Bitcoin via Coinbase from August 2014; by August 2015 they had taken $220,000, though $140,000 of that was in the first week.[224] Wikimedia didn’t A/B test Bitcoin on the primary page, only listing it at the end of the secondary “Ways to Give” page.

  (This was after some problematic interactions with Bitcoin advocates. One member of the Wikimedia fundraising team noted in January 2014: “The bitcoin community should be aware that their persistent and often times aggressive, rude, and vulgar messaging towards me and my fellow coworkers is not appreciated; nor does it help their cause.”[225])

  Overstock.com started accepting Bitcoin in early 2014 because CEO Patrick Byrne is a huge Bitcoin fan, and took in $1 million in the first month[226] and another $2 million over the rest of 2014 – 0.2% of its total sales of $1.5 billion[227] – though a loss of $117,000 on cryptocurrencies for 2015.[228]

  WhollyHemp, a small manufacturer of hemp soap, started accepting Bitcoin out of interest in the technology, and founder Robert Lestak was for a time a moderator of Reddit /r/bitcoin. After the usual initial burst,[229] WhollyHemp ended up making 0.2% of sales in Bitcoin, and an A/B test showed that prominent mention of Bitcoin acceptance reduced gross sales by 5.8%.[230] They removed the Bitcoin option altogether in April 2015, and were harassed by Bitcoin advocates[231] for the next several months.[232] Lestak: “This is why you don’t hear about businesses publicly dropping Bitcoin as a payment option. Bitcoiners will make your life a living hell if you do.”

  “Mr. Bitcoin” at the Bitcoin Bowl. Photo: ©2014 N00ba the Hutt.

  Hoping to drum up business with merchants, payment processor Bitpay sponsored the St. Petersburg Bowl, a minor college football game, naming the 2014 game the Bitcoin Bowl. You couldn’t use Bitcoin in the stadium at all; a few attendees were interested, but almost nobody knew or cared what this thing was, or thought “Bitcoin” was a company[233] – St. Petersburg presented a key to the city to “the chair of Bitcoin”.[234] Bitpay claimed almost a hundred local businesses had signed up – but very few saw significant sales, and nearly half saw zero.[235] A year later, local Bitcoin retail trade was almost nonexistent.[236]

  The game was played on a baseball field with terrible turf, and the football fans were unimpressed. The main interest was the mascot, Mr Bitcoin, a man dressed up as a physical bitcoin, running around the bleachers attempting to whip up excitement.

  Though originally a three-year deal, the sponsorship was ended after just one year, Bitpay having had to lay off several employees shortly after the event.

  Case study: Individual Pubs

  Individual Pubs, a small UK pub chain, is the most successful Bitcoin merchant adoption I know of. Steve Early is a Cambridge computer scientist and beer enthusiast turned publican. He writes all his own till software and control systems for the pubs. (The only pub chain ever to get a six-page writeup in a Linux magazine.[237]) When he said in mid-2013 that he was thinking about Bitcoin, I considered he was the one person I knew who was most likely to do well out of it. The pub corporation sells the coins to Steve at the Bitpay rate for that day; Steve sells them at his leisure.

  It was actually easier to process bitcoins than cards: “I was so frustrated, and still am, with the inability to integrate card payments with the tills. This seems to be a uniquely UK thing – the banks own the terminals. You always have to rent them from the bank or a reseller. They configure the terminal, you don’t get an API to it. This is why Britain was able to go chip-and-PIN so quickly – the banks could just replace the terminals without having to convince the merchants.

  “In June 2013, I was relief-managing our pub in Norwich and I was bored. Adding Bitcoin to the tills was two evenings of hacking. There were a couple of weeks of testing and refinement, and it’s basically been untouched since then, except when an interface changes.[238] I did it to scratch the itch, not for publicity or profit.

  “Takings stayed high for about nine months, about £1000 a month out of a couple of hundred thousand across the chain. Currently it’s about £200 a month, which I suspect represents two or three customers. Since I’ve started, I’ve taken about £17,000 worth.

  “I am accepting Bitcoin in the most naive manner possible, accepting zero-confirmation transactions.” (Where you can see someone’s tried a transaction, but it hasn’t made it into a block yet; vulnerable to fraudulent customers double-spending.) “Which is pretty much the only way it can work in a pub setting. Zero confirmation has worked out so far. There’s been one occasion where a transaction wasn’t confirmed.

  “The transaction backlog getting bigger and bigger as the block size stays the same is going to be a problem. A hundred percent of your customers can be honest, and you can still lose out because your transactions are dropped. When too many are dropped, that’s when I’ll have to push the off switch. I have probably more than recovered that from people accidentally paying twice because we didn’t think the transaction went through the first time. For comparison, we take about fifty quid of bogus notes a year. I’ve turned off Bitcoin transactions at all the pubs except the Pembury and Queen Edith; the other pubs were getting more failed transactions than successful ones.”

  Chapter 8: Trading bitcoins in 2017: the second crypto bubble

  If you want to trade bitcoins, or crypto assets in general, in 2017, approach it like penny stocks, only with less regulation or substance. These are extremely risky assets. If you don’t seriously know your stuff, you will be the one other people make their money from.

  Approximately 95% of on-chain transactions are day traders on Chinese exchanges;[239] Western Bitcoin advocates are functionally a sideshow, apart from the actual coders who work on the Bitcoin core software.

  How to get bitcoins

  If you don’t mine bitcoins yourself or sell a product or service for bitcoins, you’ll need to buy them. This can be fraught. Even the mostly-unregulated exchanges want to be able to convert to US dollars, so they comply with US Know Your Customer anti-money-laundering laws (KYC/AML), demand trustworthy government identification – and remember that you’re often sending this to people you know nothing about – and will cut off your account if they think you’re doing anything even slightly suspect. (Coinbase ask to verify your US bank account by logging into it as you.[240])

  You can buy bitcoins without ID at a price premium (and much greater risk) from less trustworthy sources, such as a business deal in a parking lot with someone you met on LocalBitcoins – those always work out well.

  You can buy bitcoins with ID at a price premium (and some risk) from a Bitcoin ATM, if you find one that works properly, and you’re prepared to wait ages for anything to happen. These used to be far easier to use, but then the authorities realised they were handy street-corner money-laundering devices and started requiring KYC/AML-quality identification.

  Other cryptocurrencies can be bought similarly, or you can buy bitcoins and then buy the other coin with those.

  Some banks in the UK[241] and Australia[242] have closed accounts for Bitcoin-related activity – it has a stigma as a currency widely used for questionable transactions.

  From the first bubble to the second

  After the 2013 bubble and 2014 price crash, people lost interest and the trading volume declined. The price slowly rose again and was $630 by mid-October 2016 and bubbled to a peak of $3000 in June 2017 – but large holders trying to sell their bitcoins risk causing a flash crash; the “price” is not realisable for any substantial quantity. The market remains thin enough that single traders can send the price up or down $30,[243] and an April 2017 crash from $1180 to 6 cents (due to configuration errors on Coinbase’s GDAX exchange) was courtesy 100 BTC of trades.[244]

  As well as drugs and ransomware, non-speculative usage includes various “Republic of Bitcoin” schemes run by the infamous Russian MMM concern, who perpetrated the largest Ponzi in history in the 1990s. After starting up again in 2011, they adopted Bitcoin in 2015, running schemes in China and Nigeria.

  The price rise during 2016 without organic volume was helped along by “painting the tape,” in which automated systems trade in a coordinated manner to push the price up. The “Willybot” and “Markus” bots were notorious on Mt. Gox from the end of 2013 until its closure, and appeared to be operating even when the exchange was offline.[245] There were accusations of similar tape-painting in 2016 between Chinese exchanges OKCoin and Huobi.[246] As soon as Chinese regulators stopped by in early 2017 to look at what the local exchanges were actually doing, both price[247] and on-exchange transaction volume[248] collapsed and withdrawals were suspended for a month.[249] MMM’s Nigerian scheme also pushed the price up in late 2016.[250]

  The quoted price of Bitcoin – typically a weighted average of exchange spot prices[251] – has been observed going up even when the blockchain was getting hammered with transaction spam, when non-spam transactions were all but impossible; this was activity entirely inside the individual exchanges, without reference to the outside world.

  If you’re online when you’re reading this section, go to Cryptowat.ch,[252] a list of prices at various exchanges, and look at the spreads. Bitcoin is not short on programmers who can automate obvious arbitrage opportunities, so spreads like that directly indicate just how hard it is in practice to get your actual money (and sometimes your bitcoins) out of the exchanges.

  The price rose dizzyingly in a second major bubble in mid-2017, going from $900 in April to around $3000 in June, bringing other crypto assets with it – but this price was difficult to realise, as many exchanges had trouble sending out hard currency at all.

  Bitfinex: the hack, the bank block and the second bubble

  Taiwan-based Bitfinex is one of the more popular Bitcoin exchanges. Advocates like and trust it and enjoy using it – it has margin trading and other fancy features, and lists a wide variety of crypto assets – and recommend it to others.

 
