Bitcoin is well-entrenched as the preferred payment for cybercriminals like the WannaCry hackers who have hit more than 300,000 computers over the past week, but cryptocurrencies offering more anonymity are threatening to displace it.
A key reason for bitcoin’s dominance in the nefarious online underworld, say technologists and cybercrime experts, is its size – the total value of all bitcoins in circulation is more than twice that of the nearest of hundreds of rivals.
That makes it easy for victims to access enough to pay the ransoms demanded, and for hackers to cash out of it via online exchanges to spend money in the real world.
Bitcoin was set up in 2008 by someone – or some group – calling themselves Satoshi Nakamoto, and was the first digital currency to successfully use cryptography to keep transactions secure and hidden, making traditional financial regulation difficult if not impossible.
Money is sent from one anonymous online “wallet” to another with no need for a third party to validate or clear the transactions.
In the WannaCry attack, the addresses of three anonymous bitcoin wallets were given to victims, with a demand for ransom payments from $300 worth of bitcoin, with a promise the affected machines would be decrypted in return, a promise that no evidence has shown will be kept.
But since the way that Bitcoin functions is via the blockchain – a giant, virtually tamper-proof, shared ledger of all bitcoin transactions ever made – payments can be traced, if users do not have the sophistication to take further steps to cloak themselves using digital anonymity tools.
“In the initial days of bitcoin, people…didn’t realize they were recording for posterity on the blockchain every financial transaction that ever took place,” said Emin Gun Sirer, a computer science professor at Cornell University.
Bitcoin addresses are anonymous, but users can be traced through IP addresses or by analyzing money flows.
If criminals using bitcoin want to stay truly anonymous, Gun Sirer said, they have to go through a number of additional, complex steps to make sure they do not get caught.
It is not yet clear what level of sophistication the WannaCry hackers have when it comes to laundering their cryptocurrency, as none of the money has yet been moved out of the three bitcoin wallets linked to the ransomware, which have had over $80,000 worth of bitcoin paid into them so far.
But some have suggested that the fact that the WannaCry hackers demanded bitcoin shows how amateur they are.
“If it was me, I would want people to use bitcoin all day, because you can trace it,” said Luke Wilson, vice president for law enforcement at Elliptic, a London-based security firm that tracks illicit bitcoin transactions and that counts the U.S. Federal Bureau for Investigations (FBI) among its clients.
Wilson, who used to work at the FBI, where he set up a taskforce to investigate the use of virtual currencies, did not disclose all the ways that Elliptic and law enforcement agencies find criminals using bitcoin. But sometimes, he said, the offenders make as obvious a mistake as withdrawing money from a bitcoin wallet directly into their bank accounts.
More sophisticated criminals use obfuscation methods that make it very hard to be tracked down. One of the most basic ones is a technique known as “chain-hopping,” whereby money is moved from one cryptocurrency into another, across digital currency exchanges – the less-regulated the better – to create a money trail that is almost impossible to track.
Newer and more complex money-laundering methods have also emerged in recent years, which make it very difficult for law enforcement and bitcoin security firms such as Elliptic or New-York-based Chainalysis to track down cybercriminals.
“It’s a cat-and-mouse game – as police and companies like Elliptic catch up to criminals’ techniques, they invent new techniques,” said Jerry Brito, executive director of the Washington, D.C.-based Coin Center, a not-for-profit advocacy group focusing on public policy issues around cryptocurrency.
These techniques are not foolproof, however – chain-hopping, for example, relies on unregulated exchanges that do not carry out know-your-customer (KYC) checks, and security firms say they will develop ways to trace such methods.
Easier, perhaps, would be for cybercriminals to use next-generation cryptocurrencies that have built-in anonymity from the start, such as Monero, Dash and Z-Cash.
And indeed, experts said late on Tuesday that a computer virus that exploits the same vulnerability as the WannaCry attack had latched on to more than 200,000 computers and begun using them to manufacture – or “mine” – Monero currency.
But with a total value of around $425 million – a little over 1 percent of that of bitcoin – converting that currency into spendable cash might not be so easy, and it is also much harder for victims to access, alternative payments experts said.
That is why the Monero attack did not demand a ransom, but rather used the infected computers’ computing power to create new currency.
“This used to happen in bitcoin before it became big – there were loads of botnets that went into computers that used to mine bitcoin, but you now can’t basically mine bitcoin on normal computers because you need specialist hardware,” said Chainalysis CEO Jonathan Levin.
Levin said such bitcoin-based attacks were carried out several years ago, when mining it was still largely a hobby for tech geeks using their home computers.
Get Data Sheet, Fortune’s technology newsletter.
As the bitcoin price has risen and as transaction numbers have grown, the computers have become so specialized that only they can only perform the function of bitcoin mining.
“If Monero does become adopted and is as big and liquid (as bitcoin), that means the crime (will) move from using computers to mine to getting to extortion,” Levin said.