Battles of Dirty Money and Blockchain: How to Trace Stolen Crypto

The amount defrauded in the crypto space has grown to more than $12 Billion and despite global efforts, 98% of cases have gone unsolved.

On the other hand, as in the case of QuadrigaCX, a cryptocurrency exchange which lost about $190 million in customer assets early last year after the apparent death of its founder Gerald Cotten, and with him the keys to its cold wallets, well prepared and verifiable evidence makes it far easier to obtain effective court action.

How can the difference in outcomes be so vast? Assets like Bitcoin and Ethereum, once treated as ‘anonymous’ and ‘high risk’, are now at the front line of advancement in anti-money laundering technology, outpacing traditional finance at a fraction of the cost. And some have woken up to it.

Law firms now turn to blockchain investigators to navigate a constantly morphing crypto crime environment, an advantage Miller Thomson has sought in its recent retention of our strategic partner Kroll, a division of Duff and Phelps, to collaborate alongside us in the QuadrigaCX matter.

In light of this sea change, here is a look at the kind of technical battles typical cases present, and at how Coinfirm’s operation traces stolen crypto.

Crypto Mixing Schemes

Misappropriated cryptocurrency funds related to hacks, scams, ransoms, drug and human trafficking and all other types of illicit and criminal activity tend to be passed through complex layering/mixing schemes aimed at concealing the trail of funds.

One scheme is the use of blockchain transaction mixers (also referred to as tumblers or anonymizers), services that attempt to confuse the trail of blockchain transactions. In most cases the funds are divided into smaller parts, which are then ‘mixed’ at random with similarly sized parts of other users’ funds. As a result, the perpetrator receives funds with a much lower ‘taint’ ratio, that is, funds that are much harder to link back to the perpetrator’s initial blockchain addresses.

Some blockchain protocols, like Dash (PrivateSend) or Zcash (shielded transactions), have anonymizing functions built into the protocol itself. Although under existing regulations (e.g. the EU’s 5th AML Directive) running an unregistered mixing service may be illegal, this does not stop the ecosystem’s bad actors. Mixing services are useful to criminals only if the amount of illicit funds is not extraordinarily large: the larger the amount, the harder it is to conceal its source, because it cannot hide among the other users’ funds in the mixer’s pool.

Beyond mixing, large and sophisticated hacking and scam operations typically pass funds through a deliberately designed chain of hundreds or thousands of ‘layering’ transactions, much like money laundering methods in traditional finance.

The destination of illicit funds is typically a cryptocurrency exchange. Most often these are exchanges with no or low KYC standards, but reputable exchanges are also used, since many of them still lack truly effective, high-tech AML and transaction monitoring solutions such as Coinfirm’s AML Platform.

The other usual recipients of crime-related coins are various disreputable Clearnet and Deep Web blockchain services such as marketplaces, decentralized finance applications, or gaming and gambling sites. All of these endpoints may serve criminals both as a way to cash out illicit cryptocurrencies and as a means of further hindering the trail of funds by exchanging them through several such services in turn.

But however sophisticated the route, the blockchain ledger is public and immutable. It can be, and is, tracked.

The Blockchain System Counters

Crypto fraudsters and those in blockchain-driven compliance are forever in a technological arms race, but Coinfirm is always a step ahead of the nefarious actors.

Fraud investigation engines often encompass several automated analytical techniques that allow investigators to overcome even very complex layering schemes. The basic typology distinguishes three types of examination: destination of funds, source of funds and fingerprints of activity.

Destination-of-funds analysis aims to identify blockchain addresses that hold or have received funds originating from the misappropriated wallets, and to evidence the transaction paths (chains of consecutive transactions) between them.

Conversely, source-of-funds analysis identifies the addresses that sent funds to blockchain addresses related to the criminal activity.

Fingerprints-of-activity analysis identifies accounts at known blockchain services and the methods used by the perpetrators.

These examinations are supported by numerous data mining techniques such as ownership analysis, clustering and e-discovery.

Ownership analysis aims to provide as many high-quality pieces of evidence and strong indications as possible as to who owns, and who benefits from, each blockchain address deemed relevant to the investigation.

Clustering algorithms identify blockchain addresses belonging to the same owner by analytical means; the classic example is the common-input-ownership heuristic, under which all inputs spent together in one transaction are attributed to a single party, since each of them had to be signed by its controlling key. A good clustering algorithm can identify even hundreds of thousands of a suspect’s blockchain addresses starting from one address confirmed as belonging to the suspect, including the suspect’s addresses on other blockchain networks. The heuristic is exactly what CoinJoin-style mixing transactions are designed to break, so such transactions must be recognised and excluded; with that done, clustering analysis in most cases gives a level of certainty sufficient to constitute evidence in the litigation phase.
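The following is an added illustration of the common-input-ownership heuristic described above, not Coinfirm’s or any vendor’s code. It runs a union-find over a small constructed set of UTXO-style transactions (addresses, txids and amounts are all made up) and returns every address the heuristic attributes to the owner of a seed address. It also shows the caveat from the mixing discussion: a transaction that looks like a CoinJoin (several inputs, several equal-valued outputs) is skipped, because co-spending in such a transaction does not imply co-ownership.

```python
from collections import defaultdict

# Constructed transactions (UTXO style): the input addresses spent together and
# the (address, amount) outputs. All identifiers and amounts are made up.
# "A1" plays the role of the one address already confirmed as the suspect's.
TXS = [
    {"txid": "t1", "inputs": ["A1", "A2"], "outputs": [("X1", 5)]},
    {"txid": "t2", "inputs": ["A2", "A3"], "outputs": [("Y1", 3)]},
    {"txid": "t3", "inputs": ["B1"], "outputs": [("A3", 1)]},      # B1 merely pays A3: no ownership link
    {"txid": "t4", "inputs": ["C1", "C2"], "outputs": [("Z1", 2)]},
    # CoinJoin-like: three parties, three equal outputs. Co-spending here is not co-ownership.
    {"txid": "t5", "inputs": ["A1", "D1", "E1"],
     "outputs": [("P1", 1), ("Q1", 1), ("R1", 1)]},
]


class UnionFind:
    """Minimal disjoint-set structure keyed by address string."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def looks_like_coinjoin(tx, min_equal_outputs=3):
    """Heuristic flag: more than one input and at least N outputs of identical value.
    In such transactions the common-input-ownership assumption does not hold."""
    counts = defaultdict(int)
    for _, amount in tx["outputs"]:
        counts[amount] += 1
    return len(tx["inputs"]) > 1 and max(counts.values(), default=0) >= min_equal_outputs


def build_clusters(txs, skip_coinjoin=True):
    """Common-input-ownership heuristic: every input of a transaction had to be signed
    by its controlling key, so all inputs of one transaction are unioned into one owner."""
    uf = UnionFind()
    for tx in txs:
        if skip_coinjoin and looks_like_coinjoin(tx):
            continue
        first = tx["inputs"][0]
        for addr in tx["inputs"][1:]:
            uf.union(first, addr)
    clusters = defaultdict(set)
    for addr in list(uf.parent):
        clusters[uf.find(addr)].add(addr)
    return clusters


def cluster_of(txs, seed, skip_coinjoin=True):
    """Return every address the heuristic attributes to the owner of `seed`."""
    for members in build_clusters(txs, skip_coinjoin).values():
        if seed in members:
            return members
    return {seed}  # addresses never co-spent form a cluster of one


if __name__ == "__main__":
    print("with CoinJoin filter:   ", sorted(cluster_of(TXS, "A1")))
    print("without CoinJoin filter:", sorted(cluster_of(TXS, "A1", skip_coinjoin=False)))
```

With the filter on, the seed A1 expands to {A1, A2, A3} via t1 and t2; without it, the CoinJoin-like t5 would wrongly pull D1 and E1 into the suspect’s cluster, which is exactly the kind of over-attribution an opposing attorney would attack.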

E-discovery is a set of analyses aimed at extracting blockchain addresses, transactions or private keys from the digital media preserved in the course of the investigation, such as servers and personal computers.

Bringing all collected on-chain and off-chain data together lays the groundwork for completing the picture of the scheme with the use of different transaction tracing techniques.

A Holistic Approach to Tracing Stolen Funds

Most blockchain analytics firms only provide a transaction tree and treat every output downstream of a tainted transaction as fully dirty (the so-called ‘Poison’ method). The drawback of the Poison method is that the tainted amount evaluated at the destination can be several times higher than the amount actually misappropriated, because the method never separates the stolen funds from the clean funds they were commingled with, and such figures can easily be undermined by a skilled attorney. This creates the risk of wasting years of investigation and related costs if the grounds for the case rest on a tracing method with such gaps.

Wasted resources can cripple the effectiveness of the end result and the fight against a systemic issue. Hence the need to go a few steps further.

Coinfirm’s fraud investigation methodology uses multiple different tracing methods for the same investigation. These include the rules widely adopted in bankruptcy and trust law: first-in, first-out (FIFO) and last-in, first-out (LIFO), which treat commingled deposits as layers spent oldest-first or newest-first; pro-rata (proportional) distribution, which attributes to every withdrawal the tainted share of the balance at that moment; and the lowest intermediate balance rule (LIBR), which presumes the wrongdoer spends his own money first and caps the victim’s claim at the lowest balance the account reached after the stolen funds arrived, so that later clean deposits do not replenish it. On top of these comes a comprehensive set of proprietary methods adapted to the specifics of blockchain.

We take this holistic approach because courts tend to have different preferences when it comes to tracing methodologies. For example, pro-rata distribution may be preferred in cases of Ponzi schemes where multiple, similarly situated victims are being paid with other victims’ deposits. 
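As an added worked example (not Coinfirm’s code or methodology), the block below runs the Poison, pro-rata, FIFO, LIFO and LIBR rules over one constructed commingled address, such as an exchange deposit address, through which 70 units of stolen funds pass mixed with clean deposits. The event list and amounts are made up for the illustration; exact fractions are used so that the per-method totals can be checked against the amount actually stolen.

```python
from collections import deque
from fractions import Fraction

# Constructed ledger for ONE commingled address. Deposits carry a flag saying
# whether they came from the misappropriated wallet; withdrawals name their
# destination. Amounts and order are made up for the illustration.
EVENTS = [
    ("deposit", Fraction(100), False),   # clean
    ("deposit", Fraction(50), True),     # stolen funds arrive
    ("withdraw", Fraction(120), "W1"),
    ("deposit", Fraction(70), False),    # clean
    ("deposit", Fraction(20), True),     # second tranche of stolen funds
    ("withdraw", Fraction(90), "W2"),
]


def trace_poison(events):
    """Poison: once any tainted coin has entered, every later withdrawal is fully tainted."""
    out, poisoned = {}, False
    for kind, amount, tag in events:
        if kind == "deposit":
            poisoned = poisoned or tag
        else:
            out[tag] = amount if poisoned else Fraction(0)
    return out


def trace_pro_rata(events):
    """Proportional: each withdrawal carries the tainted share of the balance at that moment."""
    out, balance, tainted = {}, Fraction(0), Fraction(0)
    for kind, amount, tag in events:
        if kind == "deposit":
            balance += amount
            tainted += amount if tag else 0
        else:
            share = tainted / balance if balance else Fraction(0)
            out[tag] = amount * share
            tainted -= out[tag]
            balance -= amount
    return out


def trace_layers(events, lifo):
    """FIFO/LIFO: deposits are layers consumed oldest-first (FIFO) or newest-first (LIFO)."""
    out, layers = {}, deque()  # each layer: [remaining_amount, is_tainted]
    for kind, amount, tag in events:
        if kind == "deposit":
            layers.append([amount, tag])
            continue
        need, dirty = amount, Fraction(0)
        while need > 0 and layers:
            layer = layers[-1] if lifo else layers[0]
            take = min(need, layer[0])
            if layer[1]:
                dirty += take
            layer[0] -= take
            need -= take
            if layer[0] == 0:
                layers.pop() if lifo else layers.popleft()
        out[tag] = dirty
    return out


def trace_libr(events):
    """Lowest intermediate balance rule: tainted funds are presumed withdrawn last, and the
    traceable tainted amount never exceeds the lowest balance reached since they arrived;
    later clean deposits do not replenish it."""
    out, balance, traceable = {}, Fraction(0), Fraction(0)
    for kind, amount, tag in events:
        if kind == "deposit":
            balance += amount
            if tag:
                traceable += amount
        else:
            balance -= amount
            dirty = max(Fraction(0), traceable - balance)  # only what the dip below `traceable` forces out
            traceable -= dirty
            out[tag] = dirty
    return out


def trace_all(events):
    """Tainted amount attributed to each withdrawal, per tracing rule."""
    return {
        "poison": trace_poison(events),
        "pro_rata": trace_pro_rata(events),
        "fifo": trace_layers(events, lifo=False),
        "lifo": trace_layers(events, lifo=True),
        "libr": trace_libr(events),
    }


if __name__ == "__main__":
    stolen = sum(a for k, a, t in EVENTS if k == "deposit" and t)
    for method, result in trace_all(EVENTS).items():
        cells = "  ".join(f"{d}={float(v):.2f}" for d, v in result.items())
        print(f"{method:9s} {cells}  total={float(sum(result.values())):.2f} (stolen={stolen})")
```

On this ledger the four rules attribute different amounts to W1 and W2 (FIFO 20/30, LIFO 50/20, pro-rata 40/22.5, LIBR 20/20), but each of them accounts for the 70 units actually stolen once the tainted remainder still sitting in the address is added back; the Poison rule marks 210 units dirty, three times the stolen amount, which is the overstatement that gets a tracing report attacked in court.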

Well prepared, verifiable evidence of the tracing analysis and an impartial interpretation, such as multiple methods presenting similar findings, make it far easier (and less costly) to obtain a court decision. After all, in cases such as that of QuadrigaCX, victims have 190 million reasons to look for an effective solution.