Maybe you’re one of the many in law enforcement who jumped on the investment zeitgeist for cryptocurrency, suddenly becoming an “expert” from watching various YouTube videos promoting the next dog-themed token to dump your hard-earned cash into. Perhaps you’re on the other end of that spectrum, regarding digital currencies as anathema and believing it’s all a “scam.” But regardless of what feelings you may harbor, the reality is cryptocurrency is not going away, and the fraud and digital exploitation reports your department is fielding likely involve cryptocurrency in some fashion. From scams targeting the elderly to blackmail over racy photos and SIM swapping, there is no shortage of crimes in the digital space that will have a nexus to cryptocurrency. It is imperative that we in law enforcement understand how to investigate cryptocurrency and comprehend the evolving criminal trends that have incorporated cryptocurrency into their tradecraft. If you haven’t investigated a crime yet that involves cryptocurrency, I can promise that you will sooner rather than later.
“Year zero” for what we know as cryptocurrency can be traced back to the advent of Bitcoin, when the pseudonymous “Satoshi Nakamoto” published a white paper (research paper) describing a digital currency with a public ledger as the backbone of its ecosystem. A year later, in 2009, Bitcoin became a reality … and the criminal underworld changed forever. What we know today as “darknet markets” became a reality. Whereas traditional payment methods such as ACH and credit cards could easily be traced back to a subscriber, a pseudonymous medium like cryptocurrency allowed sellers and buyers to remain unknown. A case study would be Ross Ulbricht’s “Silk Road.” Although not the first illicit marketplace hosted on a darknet that accepted cryptocurrency, it was unarguably the most successful and notorious. While we in law enforcement are quick to label both the dark web and cryptocurrencies as “untraceable,” the reality is quite the opposite when it comes to crypto. The Bitcoin blockchain is viewable by anybody, and every single transaction since 2009 is permanently recorded and viewable (see blockchain.com). The foundation of UTXO (unspent transaction output) coins like bitcoin is the wallet address (sending/receiving) and the transaction hash (the “txid”): every transaction spends outputs of earlier transactions and creates new outputs, so the movement of funds can be followed from one address to the next. It is fundamentally no different than receiving a receipt at a store; while far less detailed, it still outlines the date, time and denomination. What the blockchain does not record is who controls an address, which is why attribution (linking addresses to an exchange or a person) is the actual investigative work. Comparatively, the Ethereum blockchain (Ether is the native currency) is much more robust and has a variety of uses, specifically with smart contracts. Ethereum does not use UTXOs; it tracks account balances, and the tokens issued on it follow standards published through the ERC (Ethereum Request for Comment) process, the most common being ERC-20.
As the accessibility and availability of cryptocurrency became more commonplace over the past decade, VASPs (virtual asset service providers), otherwise known as exchanges, have become the easiest way to purchase cryptocurrency. Well-known exchanges like Coinbase (coinbase.com), Binance (binance.com) and Robinhood (robinhood.com) are the most popular on-ramps. Regulation of exchanges has become a furor in politics, as the fraud at the massive exchange FTX has occupied the news headlines (see tinyurl.com/5yphkjmv). While VASPs are geared more toward “investments” in specific cryptocurrencies, we in law enforcement see cryptocurrency ATMs being the popular medium for nefarious activity, whether it’s an unknowing victim being coerced into purchasing cryptocurrency as part of a scam or a suspect purchasing cryptocurrency to send to an illegal service. Thankfully, most cryptocurrency ATMs are the reverse of traditional ATMs, meaning they are deposit only (purchasing) and don’t allow for the withdrawal of funds (cashing out).
While not illegal, cryptocurrency ATMs are havens for illegal activity. Most legitimate exchanges (like the aforementioned Coinbase, Binance, etc.) are Know Your Customer/Anti-Money Laundering (KYC-AML) compliant. Cryptocurrency ATMs, by contrast, often have little to no KYC-AML controls and charge exorbitant transaction fees. If you were to use CoinAtmRadar.com to search for cryptocurrency ATMs in your jurisdiction, you would likely find them at your local gas station, convenience store, bodega or (surprise) smoke shop. Can you think of a legitimate reason why you would ever need to go to those places to purchase cryptocurrency? While those seeking to utilize cryptocurrency for illegal purposes know this, unknowing victims not versed in the cryptocurrency space often do not realize they are being deceived. Many cryptocurrency ATMs have affixed warning labels raising awareness of the scams; however, this has not stemmed the tide.
While I have found many in law enforcement who express that their department is becoming inundated with frauds and scams that have a nexus to cryptocurrency, few have been proactive in investigating these cases. Either a report is taken and remains uninvestigated, or departments opt to send victims to the FBI’s Internet Crime Complaint Center (IC3.gov) instead of taking the report, believing these types of investigations are out of the purview of their department. In an article I previously authored for APB entitled “The impact of cybercrime on our communities,” I discuss the extremely negative repercussions of this approach (see apbweb.com/2022/12/cybercrime). While investigating cryptocurrency can be cumbersome, it is not something that is as complicated as initially perceived. CipherTrace offers the blockchain analytic tool “Inspector,” which correlates attribution to wallet addresses and can help law enforcement determine where to issue legal notice. While not always straightforward and an “open and shut” case, the usage of “Inspector” can help further a case that would usually sit dormant with your department.
It may sound eerily all too familiar, but let’s say an elderly person in your community calls to report a fraud. They were contacted by somebody they believed to be the local power company, saying their bill was delinquent and money was due immediately, with bitcoin being the only way to get the money there in time. Only after sending the bitcoin did the victim realize the caller was not affiliated with the power company, and they have now called the police. With any cryptocurrency investigation, wallet addresses or transaction hashes are the essential starting point, and the victim is able to provide you with this photo (see top of page 20). It appears the wallet address where the victim sent the funds is “bc1qv3s7q95x844rzd
If we are to utilize CipherTrace “Inspector,” we can see this transaction represented on the Bitcoin blockchain (see bottom of page 20). We want to follow the flow of funds: start at the address the victim paid and trace where those funds went next, hop by hop.
As we can see in the graph, the funds were immediately moved out of the address the victim paid into a second address, then a third, before arriving at an address attributed to the VASP/exchange MEXC Global. The next step in the investigatory process would be to issue legal notice to said VASP/exchange … requesting subscriber information for the account that controls the deposit address where the funds landed. Because an exchange may assign deposit addresses to many customers over time, cite the specific transaction hash, amount and timestamp in the request so the exchange can identify the right account. Although cybercrime has no borders, sometimes we arrive at jurisdictional roadblocks with VASP/exchanges being domiciled in other countries. Some are very responsive to law enforcement, but sadly others are not. They may require an MLAT (mutual legal assistance treaty) to provide any information, which means that the U.S. would be requesting a foreign court to compel compliance on its behalf. This process is a bit involved, and absent a federal case, it will likely not happen. However, many Tier 1 exchanges, such as Coinbase and Binance, are very responsive to law enforcement and will answer legal notice!
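To make the “follow the flow of funds” step concrete, here is an added example (my own illustration, not code from CipherTrace “Inspector” or any block explorer) that walks a UTXO transaction graph forward from the address a victim paid until it reaches an address with a known attribution, in the same shape as the three-hop path described above. Every txid, address, amount and attribution label in it is constructed for the example; real txids are 64 hex characters and real mainnet addresses begin with 1, 3 or bc1. In practice the transaction data would come from a block explorer or a commercial tool, and the attribution table from that tool or from the exchange itself.

```python
"""
Follow the flow of funds through a UTXO transaction graph.

Added example for this article (not CipherTrace's or any explorer's code).
All txids, addresses, amounts and labels below are constructed.
"""
from collections import deque

# Constructed transaction set. Each tx: inputs = list of (prev_txid, vout)
# outpoints it spends; outputs = list of (address, amount_in_satoshi).
TRANSACTIONS = {
    # Victim's ATM purchase lands at the address the scammer dictated.
    "tx_victim": {"inputs": [], "outputs": [("bc1q_scammer_1", 150_000_000)]},
    # Hop 1: scammer sweeps the whole amount (minus fee) to a fresh address.
    "tx_hop1": {"inputs": [("tx_victim", 0)],
                "outputs": [("bc1q_scammer_2", 149_990_000)]},
    # Hop 2: part goes onward, the rest sits at a change address.
    "tx_hop2": {"inputs": [("tx_hop1", 0)],
                "outputs": [("bc1q_scammer_3", 100_000_000),
                            ("bc1q_change", 49_980_000)]},
    # Hop 3: deposit to an address the attribution table links to an exchange.
    "tx_hop3": {"inputs": [("tx_hop2", 0)],
                "outputs": [("bc1q_exchange_deposit", 99_990_000)]},
}

# Constructed attribution table, standing in for what an analytics tool
# (or an exchange's own records) would supply. Label is hypothetical.
ATTRIBUTION = {"bc1q_exchange_deposit": "Example VASP (hypothetical)"}


def build_spend_index(transactions):
    """Map each spent outpoint (txid, vout) to the txid that spends it."""
    spent_by = {}
    for txid, tx in transactions.items():
        for prev_txid, vout in tx["inputs"]:
            spent_by[(prev_txid, vout)] = txid
    return spent_by


def outputs_paying(address, transactions):
    """All outpoints (txid, vout) that pay the given address."""
    return [(txid, i)
            for txid, tx in transactions.items()
            for i, (addr, _amount) in enumerate(tx["outputs"])
            if addr == address]


def trace_funds(start_address, transactions, attribution, max_hops=10):
    """Breadth-first walk forward from every output paying start_address.

    Returns (hits, dead_ends). hits: outputs at attributed addresses, where
    legal process can be served. dead_ends: unspent outputs at unattributed
    addresses (funds parked, nothing to subpoena yet) or paths cut off by
    max_hops. Each record carries txid, amount and the address path so far.
    """
    spent_by = build_spend_index(transactions)
    hits, dead_ends = [], []
    queue = deque((op, [start_address])
                  for op in outputs_paying(start_address, transactions))
    seen = set()
    while queue:
        (txid, vout), path = queue.popleft()
        if (txid, vout) in seen:
            continue
        seen.add((txid, vout))
        spender = spent_by.get((txid, vout))
        if spender is None:                      # output is still unspent
            addr, amount = transactions[txid]["outputs"][vout]
            dead_ends.append({"txid": txid, "address": addr, "amount": amount,
                              "path": path, "label": None})
            continue
        for i, (addr, amount) in enumerate(transactions[spender]["outputs"]):
            new_path = path + [addr]
            record = {"txid": spender, "address": addr, "amount": amount,
                      "path": new_path, "label": attribution.get(addr)}
            if addr in attribution:
                hits.append(record)              # stop here: serve process
            elif len(new_path) - 1 < max_hops:
                queue.append(((spender, i), new_path))
            else:
                dead_ends.append(record)         # hop limit; path still open
    return hits, dead_ends


if __name__ == "__main__":
    hits, dead_ends = trace_funds("bc1q_scammer_1", TRANSACTIONS, ATTRIBUTION)
    for h in hits:
        print(f"{h['amount'] / 1e8:.8f} BTC reached {h['label']} in {h['txid']}: "
              + " -> ".join(h["path"]))
    for d in dead_ends:
        print(f"{d['amount'] / 1e8:.8f} BTC unspent at {d['address']} ({d['txid']})")
```

Two things the walk makes visible that a single screenshot does not: the change output at the second hop is a separate branch that still holds funds, and if the trace stops before reaching an attributed address (raise or lower max_hops to see this), there is nothing to serve process on yet and the address should be monitored instead.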
It is important to understand that the cryptocurrency ecosystem is ever changing and constantly evolving. The foundation of “Web3” is built upon decentralized and distributed governance. If these concepts are abstruse to you, do not feel discouraged! Even to versed experts like myself, decentralized tokens and “trustless swaps” can be convoluted, hard to explain and, likewise, even harder to investigate. Thankfully, those cases are not the norm among the cases your department is likely to field. Traditional coins, like Bitcoin, remain the preferred medium due to their accessibility and ease of use.
Before I start to field the complaints of “We can’t afford enterprise licenses to these tools, Keven!”, I want to express that I wholeheartedly understand. The past few years of the “defund” rallying cries have not been easy on police department budgets. While CipherTrace is willing to adapt to budget allotments, there are platforms where you can view the blockchain for free. Tradeblock and Etherscan.io are excellent online platforms to view the Bitcoin and Ethereum blockchains, respectively. A crowdsourced online investigative platform called Breadcrumbs offers a free membership for cryptocurrency enthusiasts and investigators alike.
In closing, something I also feel is a huge investigative component to cryptocurrency cases is IC3.gov. Taking the report from the victim, doing some investigative blockchain analysis and then filing a complaint on the victim’s behalf with your findings can be extremely fruitful, especially for correlating cryptocurrency wallet addresses to other crimes. Federal partners like the FBI, HSI, USSS and IRS-CI are willing and able to work cryptocurrency cases in tandem with state and local partners. Although the victim in your small town may have lost a few thousand dollars, the suspect could be tied to millions in losses from other scams. The only way to correlate that is to be as detailed as possible when submitting an IC3 complaint, specifically with wallet addresses and transaction hashes! Declining to take a complaint from a victim and referring them to IC3 will either result in the victim not filing the complaint or the victim not including this vital information.