The Blockchain Investigator's Flip Book: A Guide for Law Enforcement
A quick reference guide for identifying and mitigating illicit crypto transactions on the blockchain

The Blockchain Investigator’s Flip Book is an essential go-to resource for investigators, prosecutors, and other law enforcement professionals who require a quick reference guide when identifying and mitigating illicit crypto transactions on the blockchain.
Objective
The objective of blockchain tracing is to identify, report, and disrupt illicit virtual currency transactions and the actors conducting the transactions. This digital flip book provides explanations, techniques, strategies, and resources for conducting blockchain tracing. Its contents should be considered law enforcement sensitive, but appropriate for all levels of blockchain intelligence investigators from first responders to subject matter experts.
Contact
Please reach out to lerelations@trmlabs.com for additional information and resources for blockchain investigations.
Definitions and purpose of blockchain disruptions
Attribution: The process of labeling or assigning specific addresses to specific entities (e.g. bc12345 is an address at Binance, an exchange).
Bitcoin: A decentralized virtual currency with transactions confirmed by open-source network nodes, where transactions are recorded in the Bitcoin blockchain. Abbreviated “BTC.” Addresses are generally 27-34 case-sensitive alphanumeric characters, often beginning with 1, 3, or bc1 (e.g. 1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2).
Blockchain: Refers, generally, to a publicly available ledger of completed transactions between two or more cryptocurrency addresses.
Blockchain Tracing: Tracking the source and destination of cryptocurrency transactions recorded on the currency’s blockchain.
Chain-Hopping: The process of moving assets between different blockchains or cryptocurrencies many times in an effort to obfuscate the control of the assets (e.g. sending known illicit Bitcoin to a bridge in exchange for clean Ether).
Counterparty: The party that is on the opposite side of a transaction (e.g, if “A” sends Bitcoin to “B,” “B” is the counterparty to “A”).
Ethereum: A decentralized blockchain with smart contract functionality. Ether (abbreviated “ETH”) is the native cryptocurrency on the platform, though there are thousands of other virtual currencies that run on top of the Ethereum network, generally called “Layer 2” assets (which are completely separate virtual currencies from ETH). ETH addresses are generally 42 case-sensitive alphanumeric characters beginning with 0x (e.g. 0x71C7656EC7ab88b098defB751B7401B5f6d8976F).
Block Explorer: A software tool that enables an investigator to sort blockchain data, generally including visually organizing transactions into link-charts or graphs.
Exposure: A measure of how direct proceeds may have traveled from one address to another. If “A” sent Bitcoin directly to “B,” “B” has direct exposure to “A.” If “A” sent Bitcoin to “B,” and “B” sent Bitcoin to “C,” “C” has indirect exposure to “A” and direct exposure to “B.”
Know Your Customer Information: Commonly abbreviated “KYC,” this is the real-world identification that an entity may collect in order to do business with an individual.
Mixers & Tumblers: Services that obfuscate the origins and association of funds by creating commingled pots of funds, which then send proceeds to a destination address, breaking a linear chain of association.
Token: A virtual currency asset, often associated with a virtual currency that runs on another virtual currency’s blockchain (e.g. an ERC-20 token such as USDT on Ethereum).
Transaction Hash: Also known as a “Transaction ID”, this is a unique, alphanumeric sequence associated with a transaction on a blockchain. An investigator can identify specific transactions based on the transaction hash.
Virtual Asset Service Provider (VASP): A platform used to buy, sell, trade, or exchange virtual currency. For a blockchain investigator, many VASPs, whether centralized or decentralized, may maintain attribution records which enable the investigator to secure real-world attribution of the controller of an address. Though VASPs are located throughout the world, and some claim to have no geographic domicile, many VASPs, regardless of physical location, will comply with law enforcement requests for production of records and freezes/seizures. “VASPs” is the nomenclature used by international organizations such as the Financial Action Task Force (FATF). However, many blockchain investigators use the term “exchanges” synonymously with VASP (despite VASP technically including more than just centralized exchanges).
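The Exposure and Counterparty definitions above describe hop counts over the transaction graph: one hop is direct exposure, two or more is indirect. The following Python example, added here and not part of the flip book or of any TRM Labs product, makes that concrete. It builds a graph from a constructed sample ledger (addresses A-E and the attribution label for E are hypothetical) and walks it upstream (where funds came from) or downstream (where they went), reporting hop counts and which labelled entities were reached.

```python
from collections import deque

# Constructed sample ledger for illustration (not real chain data):
# each record is (sender_address, receiver_address, amount_btc).
SAMPLE_TXS = [
    ("A", "B", 1.0),
    ("B", "C", 0.9),
    ("D", "C", 0.5),
    ("C", "E", 1.3),
]

# Constructed attribution labels (hypothetical): address -> entity name.
SAMPLE_ATTRIBUTION = {"E": "ExampleExchange (hypothetical VASP)"}


def build_graph(txs):
    """Build adjacency maps from a transaction list.

    inbound[x]  = set of addresses that sent to x (upstream counterparties)
    outbound[x] = set of addresses that x sent to (downstream counterparties)
    """
    inbound, outbound = {}, {}
    for sender, receiver, _amount in txs:
        inbound.setdefault(receiver, set()).add(sender)
        outbound.setdefault(sender, set()).add(receiver)
    return inbound, outbound


def exposure(txs, address, direction="upstream", max_hops=None):
    """Return {counterparty: hop_count} for every address reachable from `address`.

    A hop count of 1 is direct exposure; 2 or more is indirect exposure, matching
    the A -> B -> C illustration in the definitions. "upstream" follows where the
    funds came from; "downstream" follows where they went.
    """
    inbound, outbound = build_graph(txs)
    adjacency = inbound if direction == "upstream" else outbound
    hops = {}
    seen = {address}
    queue = deque([(address, 0)])
    while queue:
        node, depth = queue.popleft()
        if max_hops is not None and depth >= max_hops:
            continue
        for neighbour in adjacency.get(node, ()):
            if neighbour not in seen:
                seen.add(neighbour)
                hops[neighbour] = depth + 1
                queue.append((neighbour, depth + 1))
    return hops


def attributed_exposure(txs, address, attribution, direction="downstream"):
    """Filter exposure down to addresses that carry an attribution label.

    Returns {address: (entity, hop_count)} so an investigator can see which
    labelled entities (e.g. a VASP that may hold KYC records) the funds reached
    and how many hops away they are.
    """
    return {
        addr: (attribution[addr], hop)
        for addr, hop in exposure(txs, address, direction).items()
        if addr in attribution
    }


if __name__ == "__main__":
    print("Upstream exposure of C:", exposure(SAMPLE_TXS, "C"))
    print("Labelled downstream exposure of A:",
          attributed_exposure(SAMPLE_TXS, "A", SAMPLE_ATTRIBUTION))
```

In the sample ledger, C has direct exposure to B and D and indirect exposure to A, while funds from A reach the labelled address E three hops downstream. On a real chain the adjacency maps would be populated from a block explorer or analytics API rather than a literal list, and `max_hops` keeps the walk bounded on large clusters.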
An introduction to blockchain tracing
The investigative goal of “blockchain tracing,” generally, is to identify the actual controller of an otherwise pseudo-anonymous address. To do so, an investigator may be able to trace blockchain transactions and find counterparty exposure with an entity or individual that can provide the identity of the beneficial controller of an address. More simply, an investigator should follow the money to or from an entity that can provide real-world identity.
While free and open source tools can be used to trace flows of potentially illicit funds, TRM’s Graph Visualizer enriches blockchain data and models transactions in easy-to-build and understand graphs. These features allow the investigator to quickly identify exposure to entities that may be able to provide identification data in response to legal process submitted by a law enforcement officer.
One primary strategy for identifying the beneficial controller of an address is to find exposure to a VASP, website, commercial or retail entity, or other third party that may require KYC information to use a platform.
For example, a virtual currency exchange usually requires a customer to provide personally identifying information in order to use the exchange. If an investigator traces the flow of illicit assets to or from an address held at an exchange, the investigator may be able to secure the KYC documents from the exchange in order to identify the beneficial controller of the illicit assets.
Terrorism financing example:
Where an investigator becomes aware that an illicit entity such as “Al-Sadaqah” is fundraising on behalf of designated terrorist groups using Bitcoin (e.g. an address published on “Al-Sadaqah’s” social media account), the investigator can input the address into a blockchain analytic tool to look for exposure to a third party that may have information associated with the controller of the address.

Blockchain tracing
In the “Al Sadaqah” example, which was identified by US DOJ, the address associated with “Al-Sadaqah” (15K9Zj...) sent Bitcoin directly to a compliant exchange. An investigator could request records from the exchange to learn who the named controller of the address is (e.g. who is “cashing out” for “Al Sadaqah”).
The investigator should request not only KYC documents, but also:
- Account balances
- Subscriber information
- Email address association
- IP address information
- Full transaction history
- Device ID information
- Identification of associated accounts
- An omnibus “all records associated with the account and registrant” request.
Once an investigator has secured these records, the investigator may be able to pursue leads based on what was received from the VASP (e.g. email search warrants, IP lookups, seizure potential).
Blockchain tracing strategies
An investigator’s goal in blockchain tracing is to identify and then disrupt illicit activity.
- Identify illicit conduct
- Trace proceeds
- Seek disruption

1. Identify illicit conduct
An investigator can identify illicit conduct in several ways:
- Victim complaints, consumer complaint databases
- Suspicious Activity Reports (SARs) / Suspicious Transaction Reports (STRs)
- Confidential sources or informant communications
- Open source activity (such as social media, academic research, and threat intelligence)
- Digital forensic examinations
- Crime scene exhibits
Once an investigator identifies the illicit conduct, the investigator can use a blockchain tracing tool to quickly and easily determine the potential scope of the investigation. Public blockchains record every transaction ever conducted. Therefore, a blockchain tracing tool such as TRM Labs Graph Visualizer is able to show a graphical representation of associated transactions based upon a simple copy/paste of a single address pulled from a complaint.
After an investigator performs an initial query, they may be able to prioritize or deprioritize an investigation based upon a number of characteristics which become evident even in a preliminary search (e.g. number of associated entities, aggregate dollar amount, connections to compliant VASPs). The investigator can use a screenshot of the initial query results to explain the investigation’s potential to a manager or prosecuting attorney.
2. Trace proceeds
The most common way an investigator can disrupt the illicit use of virtual currency is by tracing the illicit flow of funds to or from a third party which maintains identifying information or custody of assets.
Typical steps for blockchain tracing:
- A. Input transaction hash, incoming/outgoing addresses, or other information into blockchain tracing software such as TRM Labs Graph Visualizer.
- B. Identify any obvious leverage points by mapping out the transaction network.
- C. Identify third parties which may retain information about the controller of the addresses.
- D. Use legal process to obtain information about the controller of the address from the third parties.
A. Input transaction into blockchain tool
An investigator can acquire the address or transaction information regarding an illicit transaction in a number of ways (e.g. SAR, complaint, OSINT, source). As a best practice, the investigator should attempt to acquire the address electronically in order to copy/paste it into a blockchain tracing tool. Many tools, including TRM Labs Graph Visualizer, will auto-populate an address or transaction hash from a small number of characters (e.g. where you only have the first seven characters of a 34-character Bitcoin address such as 15K9Zj1AU2hjT3ebZMtWqDsMv3fFxTNwpf).

B. Identify obvious leverage points, map the network
When an investigator plots a transaction or entity into a blockchain investigation tool, the investigator should first endeavor to understand the basic details of the transaction. The investigator will want to know:
- How many transactions was the address involved in?
- When were the most recent transactions?
- How much value is held in the address?
- Is the address part of a larger network of addresses?
- Is the address attributed to a risky entity?
- Does the address have exposure to a third party that keeps records or assets (either beneficiary, or sender)?
By answering these questions, the investigator is trying to determine where this transaction sits within a potential network of transactions and what disruption measures may be available.
Many blockchain tracing tools, such as TRM Labs’ Graph Visualizer, answer most of these questions upon querying an address (e.g. bc1q5spf8v3lwxcnxy9ep0mcxppy3qzdynk53vs9k7, an address known to be part of a romance fraud scheme).
Using TRM for blockchain tracing
In the “Overview” tab, an investigator would see that the address has only had two transactions (one in and one out), that the transactions were sizable ($154,814 in then out), that the address is part of a large cluster of addresses, and that it currently has a $0 balance.
An experienced investigator would suspect this address as a “pass through” address as the entire sum that came into the address was then sent out of the address. A “pass through” address could be a red flag of an illicit transaction as it is generally seen as a non-economic trade (meaning the controller of the address paid a transaction fee for an unnecessary transaction).
The final preliminary step in blockchain tracing is to graph the transactions in order to obtain a comprehensive view. Where the investigator knows an address to be the recipient of fraud proceeds, the investigator may only want to track where the proceeds went in subsequent transactions (e.g. bc1q5spf8v3lwxcnxy9ep0mcxppy3qzdynk53vs9k7, an address known to be part of a romance fraud scheme).
The “Transactions” tab shows the investigator the date and the time of the transactions, which occurred on the same date only 39 minutes apart. The rapid movement of the funds into and out of the address is another indication of the address being a “pass through” address as most retail users and investors do not quickly move entire balances of addresses.
Importantly, the “Transactions” tab also shows the investigator that the counterparties to the address appear to be compliant, centralized VASPs: Binance and Coinbase.
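The preliminary questions listed above (how many transactions, how recent, how much value is held, who the counterparties are) and the “pass through” red flag (the entire inbound sum leaves again within minutes) are simple enough to compute from an address’s transaction history. The Python below is an added example, not code from the flip book or from TRM’s tools. It runs the overview and the pass-through heuristic over two constructed transaction histories: one modelled on the pattern described above (a deposit and a withdrawal of the same value 39 minutes apart) and one retail-style contrast case. The counterparty labels, the 24-hour holding window and the 1% balance tolerance are assumptions chosen for the example.

```python
from datetime import datetime, timedelta

# Constructed sample activity for a single address (not real chain data).
# Each record: (timestamp_utc, direction, amount_usd, counterparty_label).
# Modelled on the pattern described in the text: one deposit, one withdrawal
# 39 minutes later for the same value, leaving a zero balance.
SAMPLE_PASS_THROUGH = [
    (datetime(2023, 5, 1, 14, 2), "in", 154814.0, "unattributed address"),
    (datetime(2023, 5, 1, 14, 41), "out", 154814.0, "ExampleVASP (hypothetical label)"),
]

# Constructed contrast case: retail-style holding with a partial, slow outflow.
SAMPLE_RETAIL = [
    (datetime(2023, 5, 1, 9, 0), "in", 1000.0, "ExampleVASP (hypothetical label)"),
    (datetime(2023, 5, 10, 18, 30), "out", 200.0, "unattributed address"),
]


def address_overview(txs):
    """Answer the preliminary questions from the text for one address:
    how many transactions, when, how much value is held, and with whom."""
    total_in = sum(amt for _, d, amt, _ in txs if d == "in")
    total_out = sum(amt for _, d, amt, _ in txs if d == "out")
    times = sorted(ts for ts, _, _, _ in txs)
    return {
        "tx_count": len(txs),
        "first_seen": times[0] if times else None,
        "last_seen": times[-1] if times else None,
        "total_in": total_in,
        "total_out": total_out,
        "balance": total_in - total_out,
        "counterparties": sorted({cp for _, _, _, cp in txs}),
    }


def hold_time(txs):
    """Time between the first inbound and the last outbound transaction,
    or None if the address has not both received and sent."""
    ins = [ts for ts, d, _, _ in txs if d == "in"]
    outs = [ts for ts, d, _, _ in txs if d == "out"]
    if not ins or not outs:
        return None
    return max(outs) - min(ins)


def is_pass_through(txs, max_hold=timedelta(hours=24), tolerance=0.01):
    """Pass-through heuristic from the text: (nearly) the entire inbound value
    leaves again quickly, leaving a roughly zero balance.

    `max_hold` and `tolerance` (share of inbound value allowed to remain, e.g. to
    absorb network fees) are assumed thresholds chosen for this example, not
    figures from the guide; tune them to the asset and the case.
    """
    ov = address_overview(txs)
    held = hold_time(txs)
    if ov["total_in"] == 0 or held is None:
        return False
    fully_forwarded = abs(ov["balance"]) <= tolerance * ov["total_in"]
    return fully_forwarded and timedelta(0) <= held <= max_hold


if __name__ == "__main__":
    for name, txs in (("pass-through", SAMPLE_PASS_THROUGH), ("retail", SAMPLE_RETAIL)):
        print(name, address_overview(txs), "held for", hold_time(txs),
              "flag:", is_pass_through(txs))
```

The first sample is flagged (zero balance, 39-minute hold), the second is not (80% of the value still held, nine days between in and out). As the text notes, a pass-through pattern is a red flag rather than proof; the flag is a prioritisation aid for deciding which counterparties to pursue with legal process.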
C. Identify third parties for service
After an investigator plots an address and its direct counterparties, the investigator may be able to screenshot the graph for easy explanation to a prosecutor or executive about why service-of-process should be served upon a third party.
D. Serving legal process
One way an investigator can identify and prosecute an individual for illicit activity is by identifying the controller of an address which received proceeds of the illicit activity. Though there are many exceptions (such as where an account was opened with a stolen identity, by a straw person, or by a third party money launderer or money mule), an investigator can frequently identify the controller of an address by issuing a subpoena to a third party which hosts an address that received illicit proceeds.
Issuing legal process to VASPs
When issuing legal process to a VASP, an investigator may be able to obtain KYC information, subscriber information, associated email accounts, transaction records, IP addresses, IMEI, and device ID information. Thereafter, an investigator may be able to further their investigation based upon the information gleaned from the initial process (e.g. obtaining a search warrant for associated email addresses as most VASPs provide confirmations of executed transactions via email, which may be sufficient to establish that it is more likely than not that evidence of an underlying crime may be held within the content of the associated email facility).

Many VASPs will accept requests for data if a legal process has been followed, regardless of jurisdiction, provided it is lawful and clearly communicated. One way to quickly identify how and where to serve process is to use a blockchain investigation tool such as TRM Labs “Know Your VASP,” which includes information such as location, contact information, KYC availability, and financial profile.
Effectuating a disruption
3. Using evidence to effectuate a disruption
A blockchain investigator’s goal is to identify and prosecute the subject conducting the illicit activity and seize proceeds and/or facilities associated with the illicit activity.
Charging
Where an illicit activity has occurred and proceeds of that activity are transferred via virtual currency, there are potential violations of law with each transaction. Where an investigator identifies an illicit crypto address associated with the activity (e.g. a facially anonymous online scam), the investigator traces the proceeds of the online scam in order to identify the perpetrators.
Once the investigator identifies the alleged perpetrator, the investigator could consider pursuing charges for:
- Money laundering
- Fraud/Theft
- Narcotics
- Terrorism/Financing terrorism
- General cybercrime/hacking
- Extortion/blackmail
- CSAM
Each court of competent jurisdiction, worldwide, will have varying criminal statutes and elements to prove for each statute.
Seizing / forfeiting
Where there are virtual currency assets involved in the effectuation of a crime, an investigator should endeavor to seize and forfeit those assets (also known as pursuing confiscation in many regions). The multi-pronged purpose of asset forfeiture is to punish criminal behavior, return assets to victims, deter illegal activity, remove tools that facilitate illegal behavior, disrupt criminal organizations, and protect the community.¹
¹ United States Department of Justice, Asset Forfeiture Program, https://www.justice.gov/afms/about-asset-forfeiture-program-afp
(I) Theories of forfeiture
In order to seize and forfeit assets, the government must rely upon a forfeiture statute which details when the asset can be seized. Some statutes are straightforward (such as New York State’s felony forfeiture law, which states that “when any person is convicted of a felony offense[...] property constituting the proceeds[...] and instrumentalities are subject to forfeiture”). On the other hand, some statutes can be rather complicated to apply (such as the US federal North Korea financing civil forfeiture statute, 18 USC 981(a)(1)(I)).
With this in mind, an investigator should work with a prosecuting attorney on forfeiture, concurrent with the investigation into proving criminal activity.
For example, where an investigator is investigating an online darknet marketplace for narcotics trafficking, the investigator should also be thinking about developing forfeiture theories for assets associated with the marketplace. Governments have seized billions of dollars worth of illicit cryptocurrency which has been returned to victims, used to fund task forces, used to procure equipment and tools for law enforcement, and made available for victims of terrorism.
Typical statutes that can be used by the government to pursue forfeiture are:
- Proceeds of crime
- Money Laundering & Unlicensed Money Service Business
- Racketeering
- Child Sexual Abuse Material
- Drugs
- Structuring
- Terrorism
(II) Practicalities of seizing and forfeiting virtual currency assets
Government agencies are split on the procedures and guidelines for restraining assets, holding assets, and disposing of assets. Prior to undertaking seizure and forfeiture, it is advisable that the seizing agency consider:
- A. What type of facility the government agency will use to custody the seized asset
- B. Who at the agency will have access to the value underlying the seized asset
- C. In what form the agency will accept the seized asset
- D. What contingencies the agency will have if/when there are assets that present unique issues
- E. When/how/if the government will liquidate the asset prior to its final disposition
A. Providing custody of the asset
The type of custodianship of a seized virtual currency asset varies by venue and jurisdiction. Some agencies take immediate custody of an asset using an electronic wallet, some agencies take custody of an asset using a “hardware” wallet, some agencies use existing accounts at reputable VASPs, some agencies open new accounts at VASPs where funds are seized, while some agencies immediately send a seized asset to third party agencies that maintain the asset on behalf of the seizing agency. Each strategy has positives and negatives that an agency must weigh prior to engaging in seizures and forfeitures.
For example, online wallet software generally allows for quicker, cheaper seizures and an ability to hold a wider variety of assets, including thinly traded virtual currencies. However, using online wallets creates a greater risk of having funds stolen by intrusions into the wallet software. A hardware wallet is more secure than an online wallet, but it does have an initial upfront cost to purchase the hardware and may not custody certain assets (particularly those that are thinly traded).
Using a VASP to custody assets can be very efficient for transferring assets, particularly when seizing from that VASP. However, assets held at VASPs are often commingled rather than segregated, and assets have previously been stolen from VASPs. It is important for the seizing agency to work with the VASP to ensure confidentiality, ensuring that data pertaining to the case, especially the defendant, is securely managed.
Using a third-party agency with expertise in custodying assets can be advantageous for security; however, transferring to and from agencies can become cumbersome, particularly if the custodying agency itself has limits. Each of the available strategies can be successful and safe provided the agencies have procedures for mitigating risk.
B. Who has access to the source of funds?
Some agencies place seized assets into typical evidence control rooms with other valuable evidence. Some agencies keep assets (particularly hardware wallets) in locked facilities with limited access. Some agencies use units within the agency, like an asset forfeiture unit, to store the assets. One general guideline is to identify who at the seizing agency will have access to the funds and what steps the agency will take to limit and track who can access the assets, while avoiding a single point of failure and maintaining business continuity plans.
C. In what form will the agency accept custody of the asset?
Some agencies will only accept custody of assets as they were seized (e.g. if the agency seized Bitcoin, it will take custody of the Bitcoin). However, because some agencies lack capacity to eventually forfeit virtual assets, some agencies prefer to take custody of the fiat equivalent of an asset. A seizing agency should consider what the effects of price fluctuation would have on an asset and subsequent ability to forfeit an asset (e.g. a very thinly traded virtual currency may be difficult to liquidate) prior to deciding how the agency will take custody of an asset.
D. Contingencies for unusual circumstances
Because virtual currencies are in a nascent stage, an agency should consider developing the ability to quickly modify procedures and policies for seizing and forfeiting virtual currency assets. Software becomes obsolete, VASPs are hacked or liquidated, new virtual currencies are created, some virtual currencies fork. Therefore, it is prudent to have a “living document” controlling how to seize and forfeit virtual currency assets.
E. How to forfeit and liquidate
Once the government secures authorization to forfeit and liquidate an asset, the seizing agency must plan how the assets will be liquidated (or returned as-is). If the seizing agency plans to liquidate, will it use a VASP, a third party, or an auction-style sale of the asset? Each of these plans comes with inherent advantages and risks. Returning the assets “as-is” can be very troublesome if the recipient of the funds (e.g. a fraud victim) is unfamiliar with the use and mechanism of virtual currency. Using a reputable VASP ensures securing “market rate” for the sale of an asset, but may involve bureaucratic hurdles in choosing and supporting a VASP partner. Holding an auction can present its own bureaucratic hurdles, as the agency must arrange and provide security for the virtual assets.
About TRM Labs
TRM Labs provides blockchain analytics solutions to help law enforcement and national security agencies, financial institutions, and cryptocurrency businesses detect, investigate, and disrupt crypto-related fraud and financial crime. TRM’s blockchain intelligence platform includes solutions to trace the source and destination of funds, identify illicit activity, build cases, and construct an operating picture of threats. TRM is trusted by leading agencies and businesses worldwide who rely on TRM to enable a safer, more secure crypto ecosystem.
TRM is based in San Francisco, CA, and is hiring across engineering, product, sales, and data science. To learn more, visit www.trmlabs.com.