Bitcoin Battle: Burning Bitcoin for Geopolitical Fun and Profit

Kris Oosthoek, Kelvin Lubbertsen, Georgios Smaragdakis

TL;DR

This paper presents the first empirical study of large-scale Bitcoin misuse by nation-state cyber actors, focusing on an OP_RETURN–based campaign that burned at least 7 BTC with Cyrillic-annotated messages linked to Russian intelligence (GRU, SVR, FSB). It combines a Bitcoin full node workflow, custom OP_RETURN parsing, address clustering, and open-source attributions to connect wallets to state actors and to ransomware infrastructure such as Conti, while distinguishing funding via mixers from downstream payments. The work illuminates how state-linked actors used BTC to obfuscate provenance, generate transaction traffic, and potentially signal insider or compromised-key involvement, culminating in a dataset of 986 addresses and 1,011 labeled wallets released for community use. The findings underscore the geopolitical significance of cryptocurrency misuse in cyber operations and offer a methodological blueprint for tracing similar operations at the intersection of finance and geopolitics.

Abstract

This study empirically analyzes the transaction activity of Bitcoin addresses linked to Russian intelligence services, which have liquidated over 7 Bitcoin (BTC), equivalent to approximately US$300,000 at the exchange rate at the time. Our investigation begins with an observed anomaly in transaction outputs featuring the Bitcoin Script operation code OP_RETURN, tied to input addresses identified by cyber threat intelligence sources and court documents as belonging to Russian intelligence agencies. We explore how an unauthorized entity appears to have gained control of the associated private keys, with messages embedded in the outputs confirming the seizure. Tracing the funds' origins, we connect them to cryptocurrency mixers and establish a link to the Russian ransomware group Conti, implicating intelligence service involvement. This analysis represents one of the first empirical studies of large-scale Bitcoin misuse by nation-state cyber actors.
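As an added illustration of the OP_RETURN parsing step the study describes (example code written for this page, not the authors' tooling), the following Python decodes OP_RETURN output scripts, extracts the embedded message text, and totals the value sent to such outputs, which is what "BTC burned on OP_RETURN" measures; the sample outputs are constructed, not taken from the campaign.

```python
"""Decode OP_RETURN outputs and total the BTC burned in them.
Added example; the sample outputs below are constructed, not campaign data."""
OP_RETURN = 0x6A
OP_PUSHDATA1, OP_PUSHDATA2, OP_PUSHDATA4 = 0x4C, 0x4D, 0x4E


def op_return_pushes(script: bytes) -> list[bytes]:
    """Return the data pushes after a leading OP_RETURN, or [] if the script
    is not an OP_RETURN script. Handles direct pushes (1-75 bytes) and the
    OP_PUSHDATA1/2/4 length prefixes; raises on a truncated script."""
    if not script or script[0] != OP_RETURN:
        return []
    pushes, i = [], 1
    while i < len(script):
        op = script[i]
        i += 1
        if 1 <= op <= 75:                    # direct push: opcode is the length
            n = op
        elif op in (OP_PUSHDATA1, OP_PUSHDATA2, OP_PUSHDATA4):
            width = 1 << (op - OP_PUSHDATA1)  # 1, 2 or 4 little-endian length bytes
            if i + width > len(script):
                raise ValueError("truncated length prefix")
            n = int.from_bytes(script[i:i + width], "little")
            i += width
        else:                                # OP_0, OP_1..OP_16 etc.: no payload
            continue
        if i + n > len(script):
            raise ValueError("truncated push data")
        pushes.append(script[i:i + n])
        i += n
    return pushes


def decode_message(data: bytes) -> str:
    """Render a push as text; fall back to hex when it is not valid UTF-8."""
    try:
        return data.decode("utf-8")
    except UnicodeDecodeError:
        return data.hex()


def summarize_outputs(outputs: list[tuple[int, str]]) -> tuple[int, list[str]]:
    """outputs: (value in satoshi, scriptPubKey hex). Returns the satoshi sent to
    OP_RETURN outputs (provably unspendable, i.e. burned) and the decoded messages."""
    burned, messages = 0, []
    for value, script_hex in outputs:
        script = bytes.fromhex(script_hex)
        if script[:1] == bytes([OP_RETURN]):
            burned += value
            messages.extend(decode_message(p) for p in op_return_pushes(script))
    return burned, messages


# Constructed sample: one OP_RETURN output carrying a Cyrillic note, one P2PKH output.
SAMPLE_OUTPUTS = [
    (100_000, "6a0c" + "Привет".encode("utf-8").hex()),
    (50_000, "76a914" + "00" * 20 + "88ac"),
]
```

Run over a full node's decoded transactions, the same summary per block gives the time series of burned value that Fig. 1 of the paper plots.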

Paper Structure

This paper contains 18 sections, 5 figures, and 2 tables.

Figures (5)

  • Figure 1: Fig. 1: Time series of BTC Burned on OP_RETURN in 2022.
  • Figure 2: TABLE II: Summary of Transactions containing OP_RETURN Outputs
  • Figure 3: TABLE III: General statistics of clusters
  • Figure 4: Fig. 2. Force-clustered payment transaction activity.
  • Figure 5: Fig. 3. Timeline of Payment Transactions in the OP_RETURN Campaign, highlighting normal (blue) and outlier (red) values.