education

Training Calendar

Forensics & Investigation
Cryptocurrency / Dark Web / Deep Web

Investigators, 3 Common Crypto Criminal Mistakes

The cryptocurrency was once thought of as a magical anonymity mask for criminals who use cryptocurrencies such as Bitcoin or Ethereum for criminal purposes, including buying and selling illegal goods and service, money-laundering, fraudulent scams, monetization of ransomware, terrorism funding, and more. However, with the advancement of open-source tools, software developed companies such as CipherTrace and Chainalysis, and specialized training programs from Zentau Inc. to teach law enforcement how to follow the digital breadcrumbs left by crypto criminals, it is becoming easier and faster to unmask criminals hiding in the cyber shadows. To err is human. Crypto criminals are human, after all. They make mistakes. Cryptocurrency investigators leverage three common mistakes made by criminals who use cryptocurrency to facilitate their illicit deeds: Leaky Encryption Many encrypted data formats are known to leak metadata through their plaintext headers. For example, the encryption format PGP reveals intended recipient public keys, the algorithms used to encrypt the data, as well as the length of the payload. Encrypted messaging apps such as Signal or WhatsApp aren't an absolute privacy guarantee. Encrypted messages aren't always kept private. Conversations could be retained on a device indefinitely. Someone could screenshot the decrypted message. As long as there is human interaction with an encrypted message, mistakes can happen. For example, the FBI was able to obtain WhatsApp messages from the people who received messages from Paul Manafort, former Trump campaign chair. In an FBI leak investigation, the FBI was able to get Signal messages that James Wolfe, a Senate Intelligence Committee aid. In an investigation int leaks, the FBI seized the communications records of New York Times reporter Ali Watkins, access her encrypted apps, and learn more about her messaging habits. If a person syncs chats between devices or backs them up in the cloud, opportunities for the data to be exposed rises. The Manafort case, again, provides an example. Investigators were able to access Manafort's iCloud and gathered new intel about Manafort's activities. Jumping Across Blockchains Some criminals who use cryptocurrency to facilitate their nefarious acts thought law enforcement investigators could only track transactions within blockchains and, therefore, their identity could stay hidden if they moved crypto from one blockchain to another. They were wrong. Investigators can create network maps that show the movement of cryptocurrency between addresses. Cryptocurrency users who utilize different blockchains end up with multiple addresses. People often use cryptocurrency exchanges to manage multiple addresses. Law enforcement officials can subpoena exchanges to get more information about the accounts using specific addresses. Even with cryptocurrencies such as Monero, Dash, and Cash that offer greater anonymity or services such as ShapeShift that enable users to convert one of those currencies to another, research reveals that skilled cryptocurrency investigators have been able to ultimately de-anonymize criminal cryptocurrency users. For example, ShapeShift publicly reveals its API. Using the API, investigators were able to find detailed information about ShapeShift's user transactions that spanned eight different blockchains. They coupled this data with other investigative techniques to pick out "cross-chain" trades and following the digital breadcrumbs from there. Since this research was conducted, ShapeShift changed its policy to comply with anti-money-laundering regulations such as Know-Your-Customer (KYC), a move that significantly depleted their user base. True Identity Leaks People make mistakes. Even the tiniest mistake can lead to a real identity behind a pseudonym. For example, the U.S. Department of Justice launched an investigation to identify and go after Silk Road and the person behind the marketplace who operated under the pseudonym Dread Pirate Roberts (DPR). The pseudonym paid homage to a character in the novel and film The Princess Bride. An FBI expert first noticed an online mention of Silk Road in 2011. An FBI expert first noticed an online mention of Silk Road in 2011. A person using the handle "Altoid" wrote a post on a forum for consumers of magic mushrooms, "I came across this website called Silk Road (adding a link to the site). I'm thinking of buying off it. What do you think?" A couple of days s later, a person using the handle "Altoid" wrote a similar post on the Bitcoin Talk forum, providing the link "Has anyone seen Silk Road yet? It's kind of like an anonymous Amazon.com. I don't think they have heroin on there, but they are selling other stuff." An investigation began. Several months later, "Altoid" made another posting on Bitcoin Talk writing; he was "looking for an IT pro in the Bitcoin community" to hire in connection with a "venture-backed Bitcoin startup company". The post asked people to contact him at rossulbricht@gmail.com. This simple mistake, the simple revelation of a real email address, ultimately led to the takedown of Silk Road and the capture of Ross Ulbricht. With the email address, investigators were able to connect the dots, grab the IP address, and determine Ulbricht's location. Federal agents arrested Ulbricht in San Francisco. They intercepted a package from Canada containing fake ID documents in nine different names, all attached with a photograph of Ulbricht. More recently, police were able to identify 15,000 usernames and the identity of 70 people in the "Telegram Nth Room" scandal. The "room" distributed illegal sexual exploitation of women and child pornography. Customers paid to access the content using cryptocurrency. Seoul Metropolitan police were able to track the cryptocurrency transactions and identify the people who sent their room access initiation fees to Jo Joo Bin, who used three digital wallets to receive the charges. The investigation revealed two of the three wallets were fake to undermine investigators. The third was real, used personally by Jo Joo Bin. Finally, more and more currency conversion services are complying with KYC and AML (anti-money-laundering) requirements as well as Combatting the Financing of terrorism (CFT) provisions. Once a crypto criminal uses one of these services to change cryptocurrency into fiat, government-issued, currency, at least some real personal information must be revealed. Investigators can use that information to piece together the real identity of a criminal using cryptocurrency to transact illegal activity. Many cryptocurrency users, criminals or not, don't like the new regulations. In February 2019, MyEtherWallet (MEW) collaborated with Bity, a crypto finance firm, to introduce a new platform that promised to convert crypto to fiat without KYC requirements. Users can exchange up to 5,000 Swiss Francs worth of Bitcoin (BTC) and Ethereum (ETH) without going through KYC requirements within the wallet. However, users were eventually asked to provide personal data such as banking details, billing addresses, and phone numbers, all of which can be traced to a real identity, for compliance purposes. The bottom line is nothing is done under a cloak of complete and absolute anonymity. People are people, and people make mistakes that ultimately reveal true identity. The more crypto criminals try to hide the more sophisticated cryptocurrency investigation skills and tools become. You can run, but you can't hide forever.

Recent Posts

See All

Bitcoin Connection to Mafia Malta Hit Job?

Journalist Daphne Caruana Galizia was murdered in October 2017. She was digging deep to expose corruption rotting within Malta’s institutions and beginning to penetrate other areas in the European Uni

ZENTAU INC. 

200 2nd Ave South, Suite 412,  St. Petersburg, Florida 33701  Phone: +1 (727) 202-6948 

Copyright ©2020 Zentau Inc. USA