With easy and routine access to virtual currencies in the way of game tokens and the proliferation of cryptocurrencies such as Bitcoin, it is imperative that law enforcement understands the criminal uses of these technologies. Whether you believe these alternative currencies have value or not, I assure you there are criminals in your jurisdiction transacting with these currencies. Investigating these crimes is not always easy, but there are techniques and tools available that will be discussed in this article.

Before we can jump into the investigation, let’s get on the same page with a few bits of terminology.

Virtual currency versus cryptocurrency

According to the Internal Revenue Service, “Virtual currency is a digital representation of value that functions as a medium of exchange, a unit of account and/or a store of value. In some environments, it operates like ‘real’ currency (i.e., the coin and paper money of the United States or of any other country that is designated as legal tender, circulates, and is customarily used and accepted as a medium of exchange in the country of issuance), but it does not have legal tender status in any jurisdiction. Cryptocurrency is a type of virtual currency that utilizes cryptography to validate and secure transactions that are digitally recorded on a distributed ledger, such as a blockchain.”

Non-convertible versus convertible

Non-convertible virtual currency cannot be converted back-and-forth, to-and-from real/fiat currency. In most instances, the virtual currency was created to be used in a closed platform (loyalty programs, frequent flyer miles, etc.) or virtual environment/games (WoW Gold in “World of Warcraft,” “FarmVille” cash, PokéCoin, etc.). Loyalty program or frequent flyer program virtual currency can usually be used to purchase items and services from the provider/sponsor of the loyalty program, such as hotel nights, airline tickets and car rentals. Virtual environment and game virtual currency is usually used to purchase in-game/world virtual items, such as equipment, weapons, real estate, characters and outfits.  

In some instances, non-convertible currency may have real-world value even though it cannot be directly converted to real/fiat currency. In recent years, some loyalty programs have started to allow their virtual currency to be exchanged for real-world items (clothes, tools, electronics, etc.) or even gift cards from retailers hosted by the loyalty program.

Some in-game virtual currencies can be purchased using real/fiat currency, allowing the user to bypass the need to play the game to earn the rewards. However, the virtual currency cannot be converted back to real/fiat currency, making the transaction one way. Usually, the conversion of in-game currency and/or virtual items to real/fiat currency is against the developer’s terms of service. This has not, however, stopped virtual “black markets” from being created and facilitating the ability to buy and sell in-game virtual currency and goods. Developers will usually try to ban accounts for those that use these virtual “black markets.”

Convertible virtual currency can be exchanged back-and-forth for real/fiat currency. Just because a certain virtual currency is categorized as convertible does not mean that by law or with some kind of government backing, these virtual currencies can be converted to fiat currency. It just means that markets currently exist that will trade the virtual currency to real/fiat currency. Examples of this are Bitcoin, Linden Dollars (Second Life currency), Ethereum and Monero.

Centralized versus decentralized

Centralized virtual currencies have a single administrating authority (administrator). The administrator is a third party that controls the system. These centralized virtual currencies can be either convertible (Linden Dollars) or non-convertible (PokéCoins, Gems, Gold). Most, if not all, non-convertible virtual currencies are centralized. Examples are WoW Gold, PokéCoin, “Clash of Clans” Gems, “Simpsons: Tapped Out” Donuts, “Second Life” Linden Dollars, e-gold (now defunct) and Marriott Rewards points.

Decentralized virtual currencies, also referred to as cryptocurrency, are distributed, open-source, math-based (public/private key encryption and hash algorithms), peer-to-peer virtual currencies that have no central administrative authority. Because there is no central authority, they also do not have central monitoring or oversight. Cryptocurrencies rely on cryptography to implement, distribute, decentralize and secure the virtual currency. Bitcoin was the first decentralized convertible virtual currency.

The term “altcoin” is often used to refer to all decentralized convertible virtual currencies other than Bitcoin.

While all cryptocurrencies are (at present) virtual currencies, not all virtual currencies are cryptocurrencies. While “virtual currency” and “cryptocurrency” are often used interchangeably, it is important to note the use of cryptography and the decentralized/convertible nature of cryptocurrency. We will be focusing on cryptocurrency in this article.

There are at present over 8,100 cryptocurrencies available for people to buy, sell and trade. At the time of this writing, the value of these cryptocurrencies ranges from just over $27,000 per coin for Bitcoin to less than a penny for the likes of Dogecoin. No longer is this the realm of the “super geek.” There are Bitcoin ATMs all over the country (likely in your jurisdiction, too, check out coinatmradar.com/bitcoin-atm-near-me), and even coin exchangers you find in the supermarket such as Coinstar are getting in the game and allowing you to get Bitcoin in exchange for cash.

Investigation

With a centralized virtual currency, there is a central administering authority to whom we can serve legal process if we come across a suspect or suspects being nefarious with these types of virtual currencies. These investigations can be treated much like we would treat an investigation when dealing with any other financial institution, such as a bank. We can likely obtain transaction records and other identifying data with relative ease. If we cannot get outright identifying information, we will likely be able to obtain data points we can use to identify the suspect, such as username, email address, IP addresses, etc., which we can use to locate other data stores to whom we can serve legal process to potentially obtain identifying information.

When it comes to cryptocurrencies like Bitcoin, the investigative process can become much more difficult. While the ledger is public and easily viewed using a blockchain explorer like www.blockchain.com/explorer or www.walletexplorer.com, which makes following transactions relatively easy, there is no central authority to whom we can serve legal process to deanonymize users. In this case, we must find a known entity with whom our suspect has transacted and serve legal process to them to deanonymize the user. Virtual currency exchanges are considered a money services business (www.fincen.gov/money-services-business-definition), and as such, at least within the United States, are required to follow know your customer and anti-money laundering (AML) regulations (www.finra.org/rules-guidance/key-topics/aml).

The basic investigative process is as follows:

1. Identify the address or transaction of interest.
2. Investigate the suspect address to determine what has been going on with it as far as other transactions.
3. Investigate transactions of interest, tracing them through the blockchain until a known entity is found.
4. Serve legal process on the known entity to deanonymize the suspect.

The difficulty for investigators is identifying which exchange an address belongs to. There are likely security issues (hack attempts, theft) and other administrative issues (moving currency internally from hot to cold wallets) at play for why exchanges don’t necessarily publish all of their addresses. Complicating the issue further is the fact that the free blockchain explorers don’t really know who’s who, either. This results in a somewhat frustrating conundrum when an investigator identifies an exchange address but then doesn’t know whom to serve process to in order to deanonymize their suspect. While some explorers identify some exchange addresses, the reality is that many are unknown, so you trace to a dead end.

Resources

While there is a multitude of free explorers, sometimes we need a little help. There are several paid tools that have identified many exchange addresses and have more full-featured investigative tools to assist in your virtual currency investigations. These vendors include Chainalysis, CipherTrace and Elliptic, to name a few. While the tools can be “expensive,” they are very useful in getting to a conclusion in a much faster and efficient way, while also likely being able to tell you who to serve process to. If you will be doing a lot of these types of investigations, it may be worthwhile to consider these paid solutions. They may actually pay for themselves in the long run when we consider asset seizure from our suspects.

The virtual currency space is a wide and deep one, which requires more training than can be provided in this high-level overview article. The National White Collar Crime Center (NW3C) has on-demand, live online and in-person courses that pertain specifically to virtual currencies, among many high-tech crime investigative techniques. In addition to course offerings, NW3C also maintains a wide array of investigative resources on this and many other topics related to the online space.

I would encourage you to avail yourself of these opportunities to learn more on this complex topic, which will likely only continue to grow. And as we know, as technology grows and blossoms, so too does the criminal use of it.

Find out more at www.nw3c.org.

---

A veteran law enforcement officer with nearly two decades of experience in patrol, SWAT and investigations, Casey has served as a member of multiple state and federal taskforces related to cybercrime investigations. Casey has taught thousands of local, state and federal officers and agents in areas related to digital forensics and cyber investigations. He has also presented at national conferences and speaks regularly on technology-related topics to various public and private organizations.