This book has the subtitle “Understanding, Extracting, and Analyzing Blockchain Evidence,” and it has attempted to provide an appropriate level of theoretical understanding while teaching practical techniques for carrying out an investigation involving cryptocurrencies. Although Bitcoin is still the biggest cryptocurrency, it is arguably not the best, and new pretenders to the throne are being released every day. Although this book has had a Bitcoin focus, I hope it has prepared you and given you the necessary tools to be able to research and develop techniques for any new cryptocurrency that may need your attention.
The different types of crimes that may involve cryptocurrency use are virtually unending and eventually could find their way into almost any category of crime. A few years ago, I gave a talk at a local school about my job as a digital investigator, and before I started, the teacher asked what crimes involved computers. She had assumed it was all hacking and viruses, so she was surprised when I listed burglary, murders, drug dealing, and all the other “real world” crimes. The fact is that in the past 10 years, virtually every crime has some type of digital aspect to it—whether it's cell phone call data, searches made about a crime on Google, or digital CCTV systems—the list is endless. In the United States, a man killed his wife and dumped her body in a lake, and he was convicted partially on the basis of googling “the deepest place in the lake” the previous day. In my hometown, a man murdered his neighbor and was convicted partially on his Google Street View history, which showed him pre-planning the route from his home to the place the body was left.
My point is that cryptocurrencies are here to stay. I predict that within five years, an app will go viral that allows untraceable, cheap micropayments to be made via the blockchain, and that is how people, especially the young, will transact small amounts of money on a daily basis both online and in the real world. It is just a matter of time. This will also mean that investigation of cryptocurrencies will permeate into every type of crime, and investigators need to be ready with the skills and capability to follow the money.
So where do you start applying all you have learned in this book? Practice and get involved in investigations as soon as you can, remembering that they will all be different and no single process will cover each situation. In this final chapter, we'll look at a few examples.
Almost every day, I hear of new ways that cryptocurrencies have crept into different types of crimes, but the five examples described in this section will provide you with a reasonable sample of the possibilities that you may encounter.
A person may be using a cryptocurrency to buy goods online that are illegal. (They could use cryptocurrency payment methods to buy on the street, but at the moment, Bitcoin in particular is no good for that due to the time for transactions to be included in a block and confirmed.) Where might you start with this investigation? This all depends on how the suspect came to your attention.
Was the online store shut down by a police force, and log files and customer data have been found and provided to you? If so, you will already have Bitcoin addresses connected to real-world data. Taking the Bitcoin address or addresses and using clustering techniques may enable you to find other sites where the person has bought goods. Seizing computer equipment from the suspect may enable you to extract a wallet with payment history.
Alternatively, if a computer has been seized from a suspect, you can use carving and searching techniques to find and extract wallets and addresses before attempting to track payments on the blockchain.
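The carving step mentioned above, as an added example that is not from the book: a Python scanner that pulls candidate Base58 strings out of a byte buffer and keeps only those whose Base58Check checksum verifies, which is what separates real legacy Bitcoin addresses from random Base58-looking text in unallocated space. The sample fragment is constructed, not real evidence; the function and constant names are my own.

```python
import hashlib
import re

# Base58 alphabet used by Bitcoin (no 0, O, I, l).
B58_ALPHABET = b"123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58decode(s: bytes) -> bytes:
    """Decode Base58 bytes; each leading '1' becomes a leading zero byte."""
    n = 0
    for ch in s:
        n = n * 58 + B58_ALPHABET.index(ch)  # ValueError on a non-Base58 byte
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    leading_ones = len(s) - len(s.lstrip(b"1"))
    return b"\x00" * leading_ones + raw


def is_valid_address(candidate: bytes) -> bool:
    """Base58Check: 1 version byte + 20-byte hash + 4-byte double-SHA256 checksum."""
    try:
        decoded = b58decode(candidate)
    except ValueError:
        return False
    if len(decoded) != 25:
        return False
    payload, checksum = decoded[:21], decoded[21:]
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] == checksum


# Any run of 26 or more Base58 characters is a candidate region to examine.
B58_RUN = re.compile(rb"[1-9A-HJ-NP-Za-km-z]{26,}")


def carve_addresses(blob: bytes) -> list:
    """Return unique checksum-valid legacy addresses ('1...' P2PKH, '3...' P2SH).
    Every '1' or '3' inside a run is tried as a start and lengths 35..26 as an end,
    so an address glued to other Base58 text is still recovered."""
    found = []
    for m in B58_RUN.finditer(blob):
        run = m.group(0)
        for start in range(len(run) - 25):
            if run[start] not in b"13":
                continue
            for length in range(35, 25, -1):
                cand = run[start:start + length]
                if len(cand) == length and is_valid_address(cand):
                    if cand.decode() not in found:
                        found.append(cand.decode())
                    break
    return found


# Constructed disk fragment (not real evidence): one valid address (the well-known
# genesis coinbase address), a one-character-corrupted copy of it, and a Base58 decoy.
SAMPLE_FRAGMENT = (
    b"\x00\x00wallet fragment\x00label=savings addr=1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa\x00"
    b"corrupt=1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNb\x00decoy=13AbCdEfGhJkMnPqRsTuVwXyZabcdefghj\x00"
)

if __name__ == "__main__":
    print(carve_addresses(SAMPLE_FRAGMENT))
```

Only the checksum-valid string survives; the corrupted copy and the decoy are rejected, which is the filtering you want before spending time tracing hits on the blockchain.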
In the same manner as someone buying illegal goods, a trader in illegal merchandise may come to the attention of the authorities for reasons other than using cryptocurrency payments. For example, there might be databases that link names and addresses to goods supplied and perhaps cryptocurrency addresses. In this case, you would not need to track the addresses since you have the owner's information. However, it may be useful to cluster addresses to find other purchases made and to track any cashing-out the trader may have done, and then use a financial investigator (FI) to trace the fiat currencies and seize any assets. Any cryptocurrency funds that are still on the blockchain can also be seized or cashed out and securely stored.
Many ways to steal a cryptocurrency exist that are not related to technological crime. In January 2018, Ottawa police sought two men after an attempted armed robbery at a cryptocurrency exchange. In that same month, four men in the UK attempted to steal a cryptotrader's bitcoins by gaining access to his home and forcing him to transfer the contents of his wallet to another address. In December of 2017, the managing director of a cryptocurrency exchange in Kiev was kidnapped, and money was extorted for his release. Criminals will follow the money, and if they find investors or traders with cryptocurrency, they become a new target. Investigating crimes such as these requires both a traditional investigation into robbery or extortion as well as the need to follow transactions on the blockchain until the criminal cashes out to an exchange or trader.
Of course, technological means to steal cryptocurrencies also exist. Many exchanges have fallen foul of hackers and well-organized teams, either gaining access to private keys or using social engineering attacks to fraudulently engineer the transfer of funds to criminals' addresses. In early 2018, Japanese authorities investigated the theft of $530 million of NEM coins from an exchange. This was one of the largest digital-currency thefts, similar in size to the Bitcoin theft from the Tokyo-based Mt. Gox exchange in 2014.
Investigating these thefts may seem extremely complex, but in fact, they're just like any theft with clues left behind for an investigator to follow. Hacks of exchanges will likely leave entries in log files, and social engineering attacks often come from spear-phishing incidents via e-mail, which again provides an ability to trace back to possible perpetrators. This is before an investigator starts to follow the money on the blockchain, watching for the use of mixers, exchanges, and traders that can then be approached using legal methods for real-world information.
This is a complex area and goes back to the need to combine the skills of FIs and digital forensics specialists. Money laundering is the process of taking the proceeds of crime and combining those funds with legitimate funds and transactions to obfuscate their origins. On a blockchain, money can be laundered by moving coin through mixers and exchanges, buying and selling goods without leaving the cryptocurrency, as well as on gambling sites, which are a surprisingly popular choice for many criminals looking to move their funds. A white paper written by the Center on Sanctions and Illicit Finance (http://bit.ly/2HfT4tC) concluded that “In general, mixers and online gambling sites have the biggest bitcoin laundering problem—they process far and away the highest proportion of dirty bitcoins.”
Following the money can be a complex issue where criminals are deliberately trying to hide their tracks. Having a team of both technical and financial investigators can give you the best chance of finding services that can be approached to request a real-world suspect's details.
The days of leaving a suitcase full of cash on some remote rough ground in order to secure the release of a kidnap victim are probably long gone. Cash was often tagged so it could be traced and the drop site surveilled, which meant that picking up the bag was fraught with dangers of being caught. Asking for money to be transferred through the banking system also exposed the kidnapper to many opportunities for the authorities to track the payment. Bitcoin and other cryptocurrencies have provided a method to request payment that at least has the pretense of being anonymous and untraceable. Depending on the cryptocurrency, the payments are usually traceable and the parties involved can often be identified. We are also seeing cryptocurrencies being the payment method of choice for ransomware and other extortion scams. These crimes are not cryptocurrency crimes specifically, but they need to be treated as a standard extortion investigation with assistance from specialist investigators to monitor or follow any payments made on the blockchain.
This book has attempted to teach you how cryptocurrencies work and, to some degree, how they don't work. The phone call I received from an investigator asking me to carve bitcoins from a hard drive would not have been made if they had understood the underlying technology more clearly.
Here is a quick summary of some of the main points covered in this book:
I also discussed methods by which coins could be seized from a suspect and deliberated on the benefits and negatives of holding seized coins securely or cashing them out to a fiat currency. There is a need to consider this carefully and agree to a methodology with management to ensure that it is practical, achievable, and in line with applicable laws. Storage wallets, preferably multi-signature, or accounts with an exchange need to be agreed upon and set up, and the process needs to be practiced over and over. This planning needs to be done before you start any job that may require work on seizing coins—don't wait until you're sitting at the suspect's keyboard. Remember that once coins are moved to your storage wallet, they should be backed up to cold storage such as paper, multiple copies made, and electronic copies securely deleted.
I will not be so short-sighted as to pretend that this book has covered everything, or that the processes suggested are always going to be the most efficient way to proceed. This is a collection of recommendations based on several years of investigating cryptocurrencies and having to regularly find my own solutions to problems when the solutions had not been written down anywhere else. White papers and conference talks have begun to focus on cryptocurrency investigations, but it has only really been since 2015 and 2016 that large police and government investigators have begun to turn their attention to the issues with investigating the technology. Even now in 2018, the level of skills is very low within both the FI world and the digital forensics sphere. I hope that this will change and that this book helps with the dissemination of information.
Although blockchain technology, and Bitcoin specifically, is not actually new, it has only been in the last three years or so that the anonymization features have become more widely used by criminals. In addition, it has only been since the extraordinary growth of Bitcoin values in 2017 that criminals with large amounts of cash saw an opportunity to launder money while also increasing their overall value. This means that standard drug-dealing cases or organized-crime investigations are unveiling the use of cryptocurrencies, and many are unsure how to proceed with this element of the analysis. I hope that I have demonstrated to you that these examinations, although complex and often time-consuming, are achievable and worthwhile.
The information in this book is designed to start your journey into investigating cryptocurrencies, but it is not an end in itself. You should now understand the fundamentals of the technology, but new forks are appearing all the time in different currencies. Bitcoin Cash differs from Bitcoin in subtle ways, Ethereum is changing the way you mine coins, and ZCash has security features very different from the others.
A researcher recently said to me that she believes Bitcoin will be “the MySpace of cryptocurrencies.” Although MySpace was a hugely successful social media platform, it couldn't sustain its own success and eventually paved the way for Facebook and others that have learned from its mistakes and found a way to be relevant in the long term.
Bitcoin has problems with its comparatively high fees, the length of time it takes for confirmations, and wildly fluctuating values. This may, or may not, open the way for other cryptocurrencies to learn from Bitcoin's mistakes and fill the gap in the market for a readily tradable currency. Any new cryptocurrencies that begin to find traction with users, especially criminals, need to be understood by the investigator—preferably before facing the currency in an investigation. I recommend that you make this area a subject of continuous research, watch the cryptocurrency forums, follow the right people on Twitter, and download and try new tools designed to simplify the investigative process.
I have avoided any cryptocurrency investments, apart from small deposits in many of the front-runners, because I am waiting to see what the future holds. This means I missed the Bitcoin value explosion of 2017, but I have been able to think about cryptocurrencies as an investigator rather than an investor. However, I do recommend that you spend a few dollars (or whatever your local currency is) to buy coins on the primary blockchains, transact them, move them around, buy something, and get a feel for how they work, what is good, and what is bad. Then investigate your own transactions and try to answer questions such as these:
In the foreseeable future, in order to be good at investigating cryptocurrencies, you will need to be fairly self-sufficient, be able to do some of your own research, work with your colleagues to design processes and methods that work for you, and work within the laws of your country.
Since Sarah Meiklejohn and colleagues wrote arguably the first Bitcoin forensics paper, “A Fistful of Bitcoins,” in 2013 (https://bit.ly/2J4Rg7A), the development of investigation techniques surrounding cryptocurrencies has been slow. I recommend researching and developing your own methods and, where possible, sharing them with the community. It is only this way that internationally accepted investigation standards will be achieved.
Feel free to keep your eye on the www.investigatingcryptocurrencies.com website, which is based on this book. This site will, from time to time, publish updates or corrections to information in the book. It also contains a discount code to take my online or live course.
Happy investigating!