Criminals' faith in cryptocurrency’s anonymity is investigators’ gain. Through blockchain analysis of cryptocurrency transactions, investigators have a powerful tool in their research.

Cryptocurrency: the lynchpin to your investigation

Cryptocurrencies like Bitcoin, Ethereum, Monero and Dogecoin are still in their infancy compared to fiat currency. Yet due to their popularity — and perception of anonymity — they play an increasing role in criminal activity.

For any crime that involves money, it’s crucial for investigators to incorporate cryptocurrency into their research wheelhouse. As we’ll discuss, the connections between cryptocurrency and fiat currency, the digital sphere and the real world, the dark web and the surface web are getting blurrier every day. Understanding the links between these may give you the investigatory break you need.

A (very) brief history of cryptocurrency

For anyone whose eyes glaze over when they embark on yet another explanation of what blockchain, cryptocurrency, NFTs, etc., are — I’ll try to make this quick. (For those familiar with the concepts, I’ll see you in the next section.) 

Cryptocurrencies are decentralized digital currencies. This means they are a bank-free means to transfer “money, wealth or ownership of any other commodity without needing a third party.” Unlike fiat currency — a legal tender with its value tied to a government-issued currency — cryptocurrency derives its value from the blockchain. 

Blockchain is a distributed database spread across a computer network. In the case of cryptocurrency, it maintains a secure, public record of transactions that (because of its decentralized nature) no one in particular owns or can manipulate. The “blocks” in a cryptocurrency’s blockchain represent details of a transaction: the sender, the receiver and the amount exchanged. This information must be verified across the entire network, making cryptocurrency difficult to counterfeit — a key component of its value. Additionally, cryptocurrency value stems from the promise of finite supply: caps either on the total number of coins that will ever be generated or on the number circulated within a given year.

While cryptocurrency in some form has been around since the 1980s, Bitcoin changed the game when it emerged in 2008. Core to its functionality was that its sender/receiver addresses contained no personal identifying information about their owners. This made it an attractive option to privacy freaks as well as criminals. But as many investigations have proven true, the blockchain would actually be a key element to unmask who was behind an address — and some of the world’s most heinous crimes.

Mythbusting cryptocurrency’s anonymity claims

An April 2022 Wired article dove into one of the most infamous cases of leveraging blockchain research to take down a criminal enterprise, a site hosting a massive volume of child sexual abuse content: Welcome to Video. Crypto payments flowed freely on the site and could be used to track down site operators, contributors and visitors. The excerpt below describes why the cryptocurrency Bitcoin was so crucial to the investigation:

“Every Bitcoin payment is captured in its blockchain, a permanent, unchangeable and entirely public record of every transaction in the Bitcoin network. The blockchain ensures that coins can’t be forged or spent more than once. But it does so by making everyone in the Bitcoin economy a witness to every transaction. Every criminal payment is, in some sense, a smoking gun in broad daylight.”

— Andy Greenberg, Wired

Because of the criminals’ (false) belief in crypto’s anonymity, they did little to conceal their payment activity. The Wired article notes, “Many of [Welcome to Video’s] users — and, by all appearances, its administrators — had done almost nothing to obscure their cryptocurrency trails. An entire network of criminal payments, all intended to be secret, was laid bare before him.” 


Tactics to cover cryptocurrency tracks

As some criminals grew wise to how easily the anonymity of cryptocurrencies like Bitcoin can be undone, they changed tactics. A go-to technique to make it harder for investigators to understand who’s behind certain payments is to use something called “mixer services.”

“What a mixer does is attempt to break a transaction up by mixing it with a bunch of other people's deposits, and breaking up the link so that it makes it much more difficult to trace the actual transaction.”

— Matt Price, Binance

In a recent NeedleStack episode, guest Matt Price, former IRS-CI special agent and current regional head of investigations at Binance, described how these services work and why criminals use them.

A mixer service works almost like money laundering: it obscures the criminal activity that earned the original payment by mixing it with other deposits, so that the funds are approved by a cryptocurrency exchange. If the exchange isn’t able to detect this service, criminals will be able to receive fiat currency, which is often their ultimate goal because, while crypto is convenient for enabling crime, its use is still limited in the broader world.

Cryptocurrency exchanges “chokepoint” for catching criminals

Two factors make cryptocurrency exchanges so pivotal to investigations:

  1. Exchanges are the means by which fiat currency is turned into cryptocurrency and vice versa
  2. In the U.S. and other nations, exchanges are subject to financial regulations that require users to prove their identity

Blockchain provides the payment details; exchanges can link those details to individuals. 

This was the case in the Welcome to Video investigation. Investigators of the site were able to see payments flowing freely between uniquely identifiable sender and receiver addresses. The process to attach these long, alpha-numeric addresses to real persons hinged on the moment cryptocurrency exchanges came into play: when fiat currency was exchanged for cryptocurrency in the case of the site’s “content consumers” and when exchanged back to fiat currency in the case of the site’s “content producers” and administrators.
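
The tracing step described above, sketched as an added example (it is not code from the article or from any investigation): starting from a known site wallet, walk the public ledger in both directions until an exchange-attributed address is reached, which is where on-chain analysis hands off to a records request. The ledger, address names, exchange labels and the function name are constructed for illustration, and transactions are simplified to single address-to-address transfers.

```python
from collections import deque

# Constructed sample ledger: (sender, receiver, amount_btc), simplified to
# address-to-address transfers. All address names are hypothetical.
LEDGER = [
    ("exchA_hot", "user1", 0.05),        # consumer buys coins at exchange A
    ("user1", "site_wallet", 0.03),      # consumer pays the site
    ("exchB_hot", "user2", 0.10),
    ("user2", "hop1", 0.10),             # intermediate hop before paying
    ("hop1", "site_wallet", 0.03),
    ("site_wallet", "admin1", 0.05),     # site pays out
    ("admin1", "exchC_deposit", 0.05),   # cash-out to fiat at exchange C
    ("user3", "other_wallet", 1.00),     # unrelated activity
]

# Constructed attribution labels (address -> exchange).
EXCHANGE_TAGS = {
    "exchA_hot": "Exchange A",
    "exchB_hot": "Exchange B",
    "exchC_deposit": "Exchange C",
}

def exchange_touchpoints(ledger, seed, tags, direction, max_hops=4):
    """Breadth-first trace from seed; returns (exchange, address, path) hits."""
    # "upstream" follows funds back to their source, "downstream" to cash-out.
    neighbours = {}
    for sender, receiver, _amount in ledger:
        src, dst = (receiver, sender) if direction == "upstream" else (sender, receiver)
        neighbours.setdefault(src, []).append(dst)
    hits, seen, queue = [], {seed}, deque([(seed, [seed])])
    while queue:
        addr, path = queue.popleft()
        if len(path) - 1 >= max_hops:
            continue
        for nxt in neighbours.get(addr, []):
            if nxt in seen:
                continue
            seen.add(nxt)
            if nxt in tags:
                # Stop here: exchange wallets pool many customers' funds,
                # so the on-chain trail ends and legal process takes over.
                hits.append((tags[nxt], nxt, path + [nxt]))
            else:
                queue.append((nxt, path + [nxt]))
    return hits

if __name__ == "__main__":
    for d in ("upstream", "downstream"):
        print(d, exchange_touchpoints(LEDGER, "site_wallet", EXCHANGE_TAGS, d))
```

Each hit pairs an exchange with the exact address and hop path that reached it, which is the detail a records request to that exchange would cite.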

The investigators would eventually subpoena hundreds of exchanges around the world, many of which were in jurisdictions that required them to comply and provide identifying information about the exchange account users. While not a slam dunk in every instance, these details became pivot points investigators would not otherwise have had. Across the thousands of Welcome to Video accounts, 337 arrests were made, the majority of them of users who had paid Bitcoins into the site’s wallets. The site admin and several content producers were among those arrested, again thanks in part to cryptocurrency payments.

Matt Price discusses how he used cryptocurrency in his investigation of Grams and Helix, a dark web search engine for narcotics and a mixing service, respectively. “What you're trying to do is identify those addresses as a starting point. And using that intelligence, you're building out the financial picture of how the system works, how payments are deposited, how withdrawals are taken out,” Price says.

Hone your skills now

Cryptocurrency and blockchain analysis have opened up new doors in investigations. But the race is on to harness the power of this information, as criminals develop new ways to overcome crypto’s anonymity shortcomings. As investigators, it's imperative to get up to speed — and fast — on how to leverage cryptocurrency transactions. Because the advice given for decades still rings true in the crypto-future: follow the money. 

“In every investigation I've worked, whether it was cyber, or traditional crime, money is always the weakness. It's always the thing to focus on.”

— Matt Price, Binance

To learn more about how Authentic8 keeps investigators safe as they research cryptocurrency — including on the dark web — check out Silo for Research.


About the Author

Shannon Ragan

Shannon Ragan is a producer of Authentic8’s online research podcast, NeedleStack. She has been blogging in the cybersecurity industry for nearly ten years and hopes to never write another Patch Tuesday update again.
