3 Blockchain Analysis Mistakes That Block Forensic Investigations

In many ways, the inherent transparency of blockchains makes cryptocurrency investigations easier for law enforcement. But there are pitfalls that must be avoided if an investigation is not to draw a blank.

Blockchains act as a large, permanent and publicly visible ledger of virtually all cryptocurrency transactions, allowing investigators to track the movement of funds between cryptocurrency addresses in a way that is simply impossible with fiat money.

However, cryptocurrency addresses are pseudonyms, so investigators need reliable data that attributes these addresses to services and organizations in order to derive actionable information from blockchain transaction records. Wrong or missing address attributions, and misunderstandings about how cryptocurrency companies manage funds, can lead to erroneous conclusions. It is therefore important that investigators use the best blockchain analysis tools to limit these errors and complete their analyses. Here are three of the most common mistakes made in cryptocurrency investigations.

Getting lost in cryptocurrency mixers

Mixers are services that obscure the path of funds by pooling the cryptocurrency of multiple users and redistributing to each an amount equal to what they initially put in, minus a service fee. Each user ends up with a “mix” of the funds everyone else pooled, which makes it more difficult to connect inbound and outbound transactions. Criminals often use mixers in an attempt to hide the illicit origins of their cryptocurrency. Mixers aren’t necessarily a dead end in blockchain analysis – investigators can often continue to track funds even after they have gone through these obfuscation services. However, investigators must first realize that they are dealing with a mixer, which is only possible if they use a blockchain analysis tool that has labeled the addresses in question as belonging to a mixer.

Take for example the recent transactions made by an administrator of DarkSide, the ransomware strain behind the attack on Colonial Pipeline last May. We can see that shortly after the attack the administrator transferred the funds to an intermediate wallet, where they remained until October 21, 2021. On that date, the funds were moved to a second intermediate wallet and, about an hour later, into a mixer. We are able to see this activity because we had previously identified the receiving address of the final transaction as belonging to the mixer in question. However, investigators who analyzed these transactions with a block explorer or a blockchain analysis tool that had not cataloged the receiving address as part of a mixer would not be able to tell what was going on. Instead, they would see the funds moving through different addresses in quick succession, in a pattern that resembles a “peel chain”.

A “peel chain” is a transaction pattern commonly seen in blockchain analysis, in which funds appear to pass through multiple intermediate addresses. In reality, these addresses belong to a single wallet and are created automatically to receive the change left over from each transaction. In the case of an unidentified mixer, the intermediate addresses are part of the mixer itself – not of a wallet – and the mixer distributes the funds to further addresses that it also hosts. This pattern has probably contributed to the belief that peel chains are themselves an obfuscation technique used by criminals looking to launder cryptocurrency. In fact, although cybercriminals often take advantage of the confusion peel chains can cause investigators, they are a perfectly normal consequence of the way cryptocurrency wallets are designed to handle change from transactions.

If investigators used a blockchain analysis tool that did not catalog the addresses of the mixer used by the DarkSide administrators, they may have concluded that the ransomware’s money movements were simply part of a “peel chain”. These investigators likely came to the incorrect conclusion that DarkSide’s funds were being collected in one or more self-hosted wallets, when in fact they were mixed and sent back to the DarkSide administrator at a new address. Those investigators would also have continued to track the funds – funds that were no longer under the control of the DarkSide administrators – as they left the mixer and ended up at services such as cryptocurrency exchanges. This may have led to incorrect subpoenas and wasted time and resources for both investigators and exchanges.

Attempting to track funds through a service

Criminals often move cryptocurrency through intermediary wallets in an attempt to mislead investigators. These transactions are relatively easy to track with most analysis tools, because investigators can rely on the blockchain itself to show which new address received the funds after each transaction. However, investigations become more complicated when funds are transferred to a service such as an exchange, because it is impossible to track where funds go after they arrive at a deposit address hosted by the service. The blockchain alone – without attribution data – is no longer a reliable source.

This is due to the way services handle their users’ cryptocurrency. When someone sends cryptocurrency to a deposit address at a service, the funds don’t simply stay there. Rather, the service moves them internally, pools them and mixes them with other users’ funds as needed. For example, many cryptocurrency exchanges keep a portion of deposited funds in cold wallets disconnected from the Internet for security reasons. The same is true in the world of fiat money: if you deposit a 20 euro banknote at an ATM and withdraw 20 euros a week later, you will not receive the same banknote you deposited.

Blockchains cannot track funds once they are sent to a service, because the owner of the deposit address is usually not the one moving them afterwards. Only the exchange knows which deposits and withdrawals belong to which customers, and this information is kept in its internal order books, invisible on the blockchain and on blockchain analysis platforms. Inexperienced investigators who use a block explorer or a blockchain analysis tool without understanding this sometimes end up sending exchanges incorrect subpoenas that ask for information about internal addresses, which wastes time and resources.
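The two situations described above, an unlabeled mixer that looks like a peel chain and a deposit address at a service past which the blockchain cannot be followed, come down to the same rule: following funds hop by hop is only sound until the funds reach an address whose control has changed hands, and only an attribution table can say where that is. The following is an added example, not code from the article or from any analytics vendor; the transactions, addresses, entity names and the two attribution tables are all constructed. It walks a small transaction set from a starting address and stops at every attributed address. With the mixer labeled, the trace ends at the mixer deposit. With the mixer’s addresses missing from the table, the very same walk runs straight through the mixer and ends at an exchange deposit that has nothing to do with the original subject, which is exactly the wrong conclusion the DarkSide example warns about.

```python
"""Hop-by-hop fund tracing over a constructed transaction set, stopping
wherever an address is attributed to a service or mixer.

Added example: not the article's code and not any vendor's tool. Every
transaction, address, entity name and attribution entry is constructed.
"""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Tx:
    txid: str
    inputs: tuple   # addresses that fund this transaction
    outputs: tuple  # (address, amount) pairs


@dataclass(frozen=True)
class Stop:
    address: str    # attributed address where the walk stopped
    category: str   # "mixer" or "exchange" (constructed categories)
    entity: str
    path: tuple     # unattributed addresses crossed before reaching it


# Constructed chain: ransom payment -> two intermediate addresses -> mixer
# deposit -> mixer-internal split -> two unrelated users' withdrawals.
TXS = (
    Tx("tx1", ("victim1",), (("A0", 75.0),)),
    Tx("tx2", ("A0",), (("A1", 75.0),)),
    Tx("tx3", ("A1",), (("A2", 74.9),)),
    Tx("tx4", ("A2",), (("M1", 74.8),)),                # deposit into the mixer
    Tx("tx5", ("M1",), (("M2", 40.0), ("M3", 34.0))),   # mixer-internal split
    Tx("tx6", ("M2",), (("E1", 40.0),)),                # someone else's funds to an exchange
    Tx("tx7", ("M3",), (("W1", 34.0),)),                # someone else's funds to a fresh address
)

# Attribution data as an analytics provider might supply it (constructed).
FULL_ATTRIBUTION = {
    "M1": ("mixer", "ConstructedMix"),
    "M2": ("mixer", "ConstructedMix"),
    "M3": ("mixer", "ConstructedMix"),
    "E1": ("exchange", "ConstructedExchange"),
}
# The same table with the mixer's addresses missing.
PARTIAL_ATTRIBUTION = {"E1": ("exchange", "ConstructedExchange")}


def spends_from(address, txs):
    """Transactions that spend from the given address."""
    return [tx for tx in txs if address in tx.inputs]


def trace(start, txs, attribution, max_hops=50):
    """Breadth-first walk from `start` across the transaction set.

    The walk stops at any attributed address, because control of the funds
    changes hands there; continuing past it attributes other people's money
    to the subject. Returns (stops, dead_ends), where dead_ends are
    unattributed addresses with no further spend on the chain.
    """
    stops, dead_ends = [], []
    queue = deque([(start, ())])
    seen = {start}
    while queue:
        addr, path = queue.popleft()
        if len(path) > max_hops:
            break
        nxt = spends_from(addr, txs)
        if not nxt:
            dead_ends.append(addr)
        for tx in nxt:
            for out_addr, _amount in tx.outputs:
                if out_addr in seen:
                    continue
                seen.add(out_addr)
                if out_addr in attribution:
                    category, entity = attribution[out_addr]
                    stops.append(Stop(out_addr, category, entity, path + (addr,)))
                else:
                    queue.append((out_addr, path + (addr,)))
    return stops, dead_ends


def describe(stop):
    """One-line finding for a stop; the next step is a request to the entity,
    not further on-chain tracing."""
    return (f"funds reached {stop.category} {stop.entity} at {stop.address} "
            f"after {len(stop.path)} hop(s); control changes here")


if __name__ == "__main__":
    for label, table in (("full", FULL_ATTRIBUTION), ("partial", PARTIAL_ATTRIBUTION)):
        stops, dead_ends = trace("A0", TXS, table)
        print(f"[{label} attribution]")
        for s in stops:
            print("  " + describe(s))
        print("  unresolved addresses:", dead_ends)
```

With the full table the only finding is the mixer deposit at M1, reached after three hops; that is where the investigation turns from the chain to the mixer. With the partial table the walk reports an exchange deposit at E1 after five hops and an unresolved address W1, both of which belong to other mixer users, and the run of single-output transfers A0, A1, A2, M1, M2 reads like an ordinary peel chain.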

Failing to identify addresses linked to nested services or merchant service providers

Nested services are cryptocurrency services that operate using addresses hosted by larger exchanges in order to tap into those exchanges’ liquidity and trading pairs. Over-the-counter (OTC) desks are a common example, although many of them operate as standalone services. Clients of merchant service providers work in a similar way. These providers allow traditional businesses to accept cryptocurrency as payment for their products and services, much like payment processors in the fiat world. Businesses that use such a provider are comparable to the nested services described above, since they receive cryptocurrency at addresses hosted by another company. This means that investigators can draw wrong conclusions if funds are sent to an address that has not been correctly identified as belonging to a nested service or a merchant service provider.

We saw an example of this in June 2021, when it was reported that addresses associated with the Ever101 ransomware strain were sending funds to an address belonging to RubRatings, an adult site that accepts cryptocurrency payments. This information was false. Ever101 had in fact sent funds to a deposit address hosted by a merchant service provider of which RubRatings was also a customer. Investigators got it wrong because they used a blockchain analysis tool that had cataloged every address in the service provider’s wallets as belonging to RubRatings, without realizing that RubRatings was just one of many clients receiving funds at addresses hosted by the provider. This error may have led law enforcement to subpoena RubRatings rather than the service provider, which would have been able to provide more account information for the address in question.
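The Ever101 mistake is a data-model problem: a flat table that maps an address to a single name cannot express “hosted by provider X, used by one of X’s customers”. The following is an added example, not code from the article or from any analytics vendor, and the provider, merchant, cluster and address names are constructed. It contrasts the naive labeling that produced the error (one customer observed on one address gets applied to the provider’s whole wallet cluster) with an attribution record that separates the host, who holds the keys and the internal ledger, from the customer, who is only named where there is evidence for that specific address. The function that picks the party to send a records request to always returns the host.

```python
"""Attribution records for deposit addresses hosted by another company.

Added example: not the article's code and not any vendor's data model.
The provider, merchant, cluster and address names are all constructed.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Attribution:
    host: str                 # entity that controls the keys for the address
    customer: Optional[str]   # the host's client using this deposit address, if evidenced


# Constructed: one merchant service provider's wallet cluster (addresses whose
# keys the provider controls) and the per-address customer evidence an analyst
# has actually gathered, e.g. the address shown on a merchant's checkout page.
CLUSTER_HOST = {"cluster-7": "ConstructedMerchantProvider"}
CLUSTER_OF = {"D1": "cluster-7", "D2": "cluster-7", "D3": "cluster-7"}
CUSTOMER_EVIDENCE = {"D1": "ConstructedMerchant"}   # only D1 was seen on the merchant's site


def naive_label(address):
    """The mistake: a customer observed on one address is stamped onto every
    address in the same cluster, so the provider's other clients' deposits
    are all reported as that customer's."""
    cluster = CLUSTER_OF.get(address)
    if cluster is None:
        return None
    for evidenced_addr, customer in CUSTOMER_EVIDENCE.items():
        if CLUSTER_OF.get(evidenced_addr) == cluster:
            return customer
    return None


def attribute(address):
    """Host from the cluster; customer only where this exact address has
    evidence. Returns None for an address outside any known cluster."""
    cluster = CLUSTER_OF.get(address)
    if cluster is None:
        return None
    return Attribution(host=CLUSTER_HOST[cluster],
                       customer=CUSTOMER_EVIDENCE.get(address))


def records_holder(address):
    """Which party keeps the internal ledger that ties a deposit at this
    address to an account: always the host, never the customer."""
    record = attribute(address)
    return record.host if record else None


def summarize(address):
    """Human-readable finding for an address, flagging the unknown customer
    explicitly rather than guessing one."""
    record = attribute(address)
    if record is None:
        return f"{address}: no attribution"
    customer = record.customer or "unknown customer"
    return f"{address}: deposit address hosted by {record.host} for {customer}"


if __name__ == "__main__":
    for addr in ("D1", "D2", "D3", "X9"):
        print(f"naive label for {addr}: {naive_label(addr)}")
        print(summarize(addr))
        print(f"records request goes to: {records_holder(addr)}")
```

Address D2 shows the difference: the naive table reports it as ConstructedMerchant, while the structured record reports a deposit address hosted by ConstructedMerchantProvider for an unknown customer, and the records request in every case goes to the provider.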

Maps need accurate legends

Think of the blockchain as a map that shows the movement of cryptocurrency. It is useful, but by default it is a map on which none of the countries are labeled, which limits how actionable it is. Blockchain data platforms complete this map by supplying the legend investigators need to understand who controls the funds once they are transferred to a given address. If the legend is inaccurate, investigators waste time and resources chasing false leads.

The errors described above mostly boil down to incorrect or missing attribution, and they show why it is so important for investigators to evaluate the track record of blockchain analysis providers in assigning cryptocurrency addresses to the right services. Ultimately, blockchain analysis tools are only as good as the attribution data behind them.
