So this story has been posted on a few crypto news sites and even a few mainstream news sites, talking about how Finnish authorities managed to trace Monero transactions that were tied to the Vastaamo hack. Now, if you aren't familiar with this particular incident, Vastaamo was a private online psychotherapy service in Finland that had been operating pretty successfully for about 10 years, and then they got hacked back in November of 2018 and ultimately fell victim to a double-extortion ransomware attack. In October of 2020, nearly two years after the initial intrusion, the hackers managed to access the company's most sensitive data and downloaded the private medical records of over 30,000 patients. The hackers demanded a ransom of 40 bitcoins, first from Vastaamo and then later from the victims directly, and in exchange they said they wouldn't publish this private information online. Vastaamo refused to pay, but some of the victims that the hacker contacted directly did end up making smaller payments, usually around 500 euros each worth of bitcoin, to keep their private medical records off the dark web. Thousands of victims, and probably ultimately all of the victims, still had their data published to the hacker's darknet blog.

Now, as a result of this data breach, the Vastaamo company went bankrupt, the CEO actually got into some legal trouble himself for the patient database not being properly secured, because the hacker shouldn't have been able to access those records in the first place, and thousands of people obviously had their private data leaked. A hacker now has some ill-gotten bitcoin, probably a couple thousand worth, and he wants to try and wash it, right? He wants to try and cash it out, because of course bitcoin has a public blockchain and doesn't have very much privacy built into it; anyone can see everything you do with bitcoin. So somewhere along the line he ends up swapping his bitcoin into Monero, which is supposedly untraceable, right? So how did this hacker man end up getting caught? That's how we get headlines like this saying the Finnish authorities traced Monero.

Well, like I've said numerous times about the Tor network in particular, these anonymization technologies actually do work pretty well, okay? Tor, of course, works pretty well at keeping your IP address a secret, and Monero works pretty well at keeping how much money you send and receive, as well as who you send it to and receive it from, a secret: basically your financial details, as long as you're dealing in Monero. But these tools only help to improve those specific aspects of your opsec. They don't protect you from talking too much on an IRC channel or otherwise making other opsec mistakes like this hacker did. Now, I can't definitively say that the Finnish authorities can't trace Monero, that they don't have access to some kind of super quantum computer that's able to do all this crazy stuff, because of course the feds don't publish all of the details about these busts. But based on the publicly available information about this bust, I doubt that they ever needed to do something crazy like actually trace Monero, because simple opsec mistakes made by this hacker are what ultimately led to him being caught.

The first big mistake was made right when the hacker first posted about this hack on several Finnish-language image boards, mainly (and I'm probably gonna mess up the names of these) Ylilauta and Torilauta. So here you can see the hacker bragging about hacking Vastaamo, and they posted an onion link where you could view the patient records they were posting each day; they were doing like a hundred each day. Something that was both interesting and alarming about the records that were posted on Tor is that they didn't seem to be coming out of the stolen database in any kind of alphabetical or chronological order, but rather it looked like the hacker had hand-picked the records that would be most embarrassing to the victims to post first. So the fact that the hacker is posting about these hacks on Finnish-language sites, and that they're likely reading patient notes written by a Finnish therapist in the Finnish language to figure out which records would be the most damaging, definitely makes it seem like the hacker might be from Finland, right? Which really narrows down your pool of suspects, because when you think about it, Finland's population is so small that it could simply be a rounding error in the world census and not even exist, right? Like there's a 50% chance that Finland's not even real. And in several of the hacker's communications they mentioned the value of the bitcoin ransom they were asking for in euros instead of dollars, so that also helps to corroborate the Finnish-attacker theory, since someone who's thinking in euros is of course going to be in the EU. Plus, the victims in this case are also Finnish, which means you don't even necessarily need international cooperation between different agencies to solve this case, which makes things much easier for the authorities. So already it's been narrowed down, right? We already know that our attacker and the authorities are pretty literally pretty close to each other.

Now, I think the reason the hacker decided to post the most damaging records first, and possibly why they decided to post on these Finnish boards, was that he thought the people who had the most damaging information in the leak were the ones he would have the most success extorting. And you've got to think that notes from somebody's therapist, along with the person's real name and their social security number, has got to be some of the worst things you could have posted about you online, probably the worst things you could have compacted into the smallest number of bytes, at the very least, right? Maybe embarrassing photos or embarrassing videos are worse. And on these Finnish dark web forums you can even see several posts from people asking the hacker directly how they can send bitcoin to him to have their records deleted, because if those records get posted they're going to unalive themselves, right? So this is what I think the psychology was behind why he did it this way, even though it's obviously very bad for his opsec.

But for whatever reason, the hacker eventually got tired of just releasing 100 records each day, maybe he wasn't getting enough bitcoin out of it for his time, so on the third day of leaking patient records he just decided to upload an 11 gigabyte archive called vastaamo.tar. Now, those of you who have worked with databases before, or even if you've just had a bunch of text files saved in a folder, probably know that 30,000 simple text records should not take up nearly 11 gigabytes, right? This is way too much space. And the reason this archive was so big is that it contained the hacker's entire home folder. So obviously this is a huge, huge opsec mistake, and the hacker actually caught the mistake pretty quickly; some people even pointed it out on these online forums, and he removed the tar file after a few hours. But uploading the data in that tar format was also a really, really big opsec mistake, because even though the slowness of the Tor network might have prevented anyone from downloading the entire 11 gigabyte archive (I mean, it's hard to say how soon somebody actually saw this and how soon after that they no longer had access to it, I'm just going by the timestamps here), the way that archive format packs files together in order, without any compression, means that a partial download that gets interrupted is still going to be partially readable: whatever files you were able to download, you're able to read them. Because if this was a zip file, for example, or some other kind of compressed archive, there's a very good chance that the partially downloaded archive, especially if you have less than half of it, would have just been corrupted and totally unreadable.

So some people who were working with law enforcement were able to get some additional information from the home folder that was not related to patient records, like the hacker's private .ssh folder and some known_hosts files, and folders related to other hacks of other databases. This helped authorities connect this hacker to other crimes, because it turns out this hacker was already known to authorities: he was arrested back in July 2015 for computer crimes when he was working with Lizard Squad.

So like I stated earlier, catching this guy didn't really even seem to require tracing Monero transactions in the first place. There's been some mention in the Finnish news publications that the feds were able to trace Monero transactions by first getting the bitcoin transactions, because they're working with the victims, and of course bitcoin's transparent anyway, so they can see those transactions, and then comparing the bitcoin transactions to the amounts that were ultimately deposited into the hacker's bank account, by working with the bank and working with the victim, the person who's sending this bitcoin, to basically do an Eve-Alice-Eve attack. You can learn more about this in Breaking Monero. I mean, again, it really doesn't even seem like it applies to Monero, because there's bitcoin involved as well, so it's not exactly an Eve-Alice-Eve attack.

But even if it was, right, even if this guy was smart enough to just ask for Monero directly and not deal with bitcoin at all, the Eve-Alice-Eve attack can be mitigated by making more intermediary Monero transactions. So putting more wallets between the victim, or let's say, if you're a vendor that's selling something, between your customer and the KYC exchange that you're ultimately cashing out at. Putting more wallets, and also more time, between receiving the Monero and cashing it out is going to increase the likelihood that your outputs get used in other people's ring signatures, which helps increase your plausible deniability. And the best thing you could probably do is to just avoid depositing the same amounts, or roughly the same amounts minus the transaction fees, into a KYC exchange. Or you can just avoid all that KYC business altogether by actually using your Monero, actually using it as a currency instead of cashing it out. And you can use it as a currency at many, many businesses that accept Monero, like my online merch and electronics store, which actually gives an automatic 10% discount at checkout when you pay in Monero (XMR).

But all of this Monero opsec, and even the plausible deniability that each Monero transaction gives you, won't be much help when the feds can build a case on you with opsec mistakes like being one of the only active ransomware hackers in a country with a very small population and uploading your home folder that contained your user data linking you to other hacks that you were already arrested and identified for. Once again, the opsec failure here was not with Monero, it wasn't with Tor, Mullvad, or any of these technologies or protocols that this hacker used; it was with the user.
Thanks for watching and have a great day!
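The tar point above (a partial download of an uncompressed .tar is still readable, and an accidentally bundled home folder hands investigators .ssh material and shell history) is easy to see in code. The following is an added example written for this page, not code from the video or from the case: it builds a small ustar archive in memory from constructed sample files with hypothetical paths, cuts the byte stream off part-way as an interrupted download would, and walks the surviving 512-byte blocks with a hand-rolled header parser so the block layout (header, then data padded to a 512-byte boundary, no central index) is visible rather than hidden behind the tarfile module. The marker list in SENSITIVE_MARKERS is an assumption about what a home directory typically contains, not a list taken from the leak.

```python
"""Added example (not from the video): why a truncated .tar still leaks,
and what a bundled home folder gives away. All sample data is constructed."""
import io
import tarfile

BLOCK = 512  # tar = sequence of 512-byte blocks: header, then data padded to a block

# Constructed sample archive (hypothetical paths/bytes): two "records" plus a
# home folder that should never have been in the archive in the first place.
SAMPLE_FILES = {
    "leak/patient_00001.txt": b"Name: A. Example\nNotes: ...\n" * 20,
    "leak/home/.ssh/known_hosts": b"203.0.113.7 ssh-ed25519 AAAA...\n",
    "leak/home/.ssh/id_ed25519": b"-----BEGIN OPENSSH PRIVATE KEY-----\n...\n",
    "leak/home/.bash_history": b"ssh root@203.0.113.7\nmysqldump ...\n",
    "leak/patient_00002.txt": b"Name: B. Example\nNotes: ...\n" * 20,
}

# Assumed markers for "this is the uploader's own user data, not the leak".
SENSITIVE_MARKERS = (".ssh/", "known_hosts", ".bash_history", ".gnupg/", ".config/")


def build_tar(files):
    """Write an uncompressed ustar archive to memory, members in dict order."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tf:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def read_partial_tar(data):
    """Walk a possibly truncated tar stream with a minimal ustar header parser.

    Returns a list of (name, declared_size, content_bytes, complete). Every
    member whose blocks arrived before the cut comes back intact; the member
    that straddles the cut comes back with whatever bytes arrived; members
    after the cut are simply absent. No index at the end of the file is needed,
    which is why an interrupted download is still useful to whoever got it.
    """
    members = []
    pos = 0
    while pos + BLOCK <= len(data):
        header = data[pos:pos + BLOCK]
        if header == b"\0" * BLOCK:
            break  # end-of-archive marker (two zero blocks)
        name = header[0:100].rstrip(b"\0").decode("utf-8", "replace")
        prefix = header[345:500].rstrip(b"\0").decode("utf-8", "replace")
        if prefix:
            name = prefix + "/" + name
        size = int(header[124:136].rstrip(b"\0 ") or b"0", 8)  # ASCII octal
        start = pos + BLOCK
        content = data[start:start + size]
        members.append((name, size, content, len(content) == size))
        pos = start + ((size + BLOCK - 1) // BLOCK) * BLOCK  # data + padding
    return members


def flag_sensitive(members):
    """Member names that look like the uploader's user data rather than the leak."""
    return sorted(name for name, _, _, _ in members
                  if any(marker in name for marker in SENSITIVE_MARKERS))


if __name__ == "__main__":
    archive = build_tar(SAMPLE_FILES)
    # Simulate a Tor download that died 5200 bytes in (mid-way through member 5).
    got = read_partial_tar(archive[:5200])
    for name, size, content, ok in got:
        print(f"{name:32} {len(content):4}/{size:4} bytes {'complete' if ok else 'TRUNCATED'}")
    print("identifying material recovered:", flag_sensitive(got))
```

The parser deliberately does not use tarfile for reading: the point is that nothing about the format requires the whole file, so any recipient can recover every member that fully arrived, and the .ssh and shell-history entries are exactly the kind of material that ties an upload to other systems and to a person.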