Best practices for digital asset seizures


Any high value goods, from supercars to antiques and works of art, can be acquired through theft or be used for money laundering. Crypto assets are no exception. Ensuring that they are correctly identified and lawfully seized by law enforcement requires an understanding of best practice and risk mitigation by all those working on a case, from senior police leaders to front line investigators.

Seizing assets held in custodian wallets operated by virtual asset service providers (VASPs) such as crypto exchanges can be relatively straightforward, provided law enforcement has the necessary legislative powers or a court order and the VASP recognizes the legal process.

Yet assets held in non-custodian, or personal, wallets often present a greater challenge. Their successful seizure requires significant preparation, careful handling of the data and its meticulous analysis. Below we outline the four key steps to a successful asset seizure. 

Preparation

Whether it involves a spontaneous incident or planned enforcement, law enforcement must be prepared for the eventuality of a digital asset seizure. This involves creating and managing standard operating procedures (SOPs) and policies that govern how the organization will approach seizing assets, including understanding and mitigating against financial, operational, reputational and legal risks. It is best practice to appoint a strategic lead to take responsibility for the process. 

A good policy should clearly articulate the following:

  • The legislative powers available to seize assets
  • The command structure and reporting obligations for investigators
  • The approved software and hardware
  • The training required for staff to conduct seizure activities
  • A process granting internal approval for urgent, unplanned action. 

All digital asset wallet software and hardware must maintain the latest security patches and firmware, undergo robust testing and, crucially, adhere to widely adopted protocol standards such as BIP 39. A BIP, or Bitcoin Improvement Proposal, is a design document for introducing features or information to Bitcoin. The use of widely adopted standards ensures that, should support for the wallet be discontinued, another wallet running the protocol standard can be used to recover the funds.

The most important part of any preparation stage is having law enforcement-controlled wallets configured and ready to be deployed for future use: creating and configuring wallets at the scene of a seizure should always be a last resort. Because of their extreme sensitivity, access to private keys and recovery seeds should be strictly protected, but given to at least two people in a team in order to prevent a single point of failure. Shamir backups of seed phrases serve a similar purpose. A Shamir backup is a process in which 12 to 24 seed words are split into three or more separately recorded collections that can be held in separate safes across different locations. To restore the wallet, the phrases must be brought back together.

Public-private partnerships with VASPs and custodian storage providers that understand law enforcement objectives and operations should also be considered during the preparation phase. Law enforcement may need to purchase and hold native assets, for example Ethereum, to pay for gas fees should a suspect’s wallet contain a large token portfolio but no native Ethereum. Public-private partnerships may also help law enforcement conduct subsequent sales or auctions of confiscated assets through a reputable and regulated entity.

Identification 

Identifying digital assets at the point of enforcement is a skill that everyone in a law enforcement organization should possess, at least to some degree. Frontline officers should be briefed to look out for hardware wallets, paper wallets and recovery seeds, as well as the methods by which these items can be hidden. Compact and unassuming, cold storage wallets can be easily mistaken for stationery and overlooked during a search. Staff should also be very careful in handling identified items: as they may contain extremely sensitive information, such as raw private keys or recovery seeds, they should be placed inside opaque packaging to prevent inadvertent capture on body-worn cameras or other recording devices.

Senior staff and those experienced in digital forensics should be prepared to conduct live examinations of laptops, desktops and mobile devices on site, looking to capture volatile data and identify applications that could indicate the self-custody of assets or a recent history of accessing VASPs. More complete and thorough digital forensics examinations should subsequently be conducted in a forensic lab. Because identifiers may be uncovered some time after enforcement action, tools like TRM Tactical can help examiners assess the value and risk of funds that have either passed through the wallets, or remain held inside them.

Seizure

With digital assets, securing the physical item does not always mean seizing control of the underlying digital assets. For a seizure to be completed, law enforcement must sign transactions and take possession of the private keys. 

The point of seizure presents the greatest operational risk: mistakes, such as sending assets to the wrong address or mistaking them for a gas fee, can be irreversible. To guard against such risks, the seizure process should be conducted through a “buddy system”, with two staff members agreeing on each step of a predetermined checklist as outlined in organizational policy. To ensure high standards are maintained, each member should be empowered to freely challenge their peer, regardless of rank or seniority.

The seizure process should be meticulously recorded, both in writing and, where possible, using audio and visual recording devices, which could be referred to later or used in evidence. Such recordings would also capture the rationale behind particular decisions. Due to their extreme sensitivity, separate considerations must be afforded to recording recovery seeds or private keys.

Although the above principles can be broadly applied across different mechanisms, not all seizures are the same, and the processes used will differ significantly depending on what has been identified. For example, finding a private key on a paper wallet will require a different approach to rebuilding a wallet from recovery seeds. While SOPs cannot cover all current and future applications, they must clearly set out the process to follow when digital assets cannot be seized at the scene due to technical difficulties, and what preservation options are available.

Any assets seized directly from suspect devices, such as desktops, laptops and mobile devices, require the greatest care. Due to the importance of preserving digital evidence, they should only be handled by staff trained in the live triage of digital devices. The balance between securing digital assets and preserving evidence must be controlled and managed with caution. The integrity of this process is critical both to a disruption of criminal plans and a successful prosecution.

Preservation

Storing digital assets while awaiting a criminal justice or civil outcome is fraught with risk. Much of the online discussion concerning the storage of digital assets is limited to consumer-grade software and hardware. As such, it does not reflect the unique requirements of law enforcement and government agencies, where organizational access controls, audit capabilities and indemnification of these assets are priorities. Notwithstanding the judicial requirements around chain of custody rules, consumer-grade software and hardware often create single points of access, which risk becoming single points of failure.

Using VASPs and dedicated custodians - entities that provide secure, long-term storage of cryptocurrencies on behalf of institutions - can mitigate these risks. Custodians in particular often have robust provisions to deal with institutional investors whose requirements of a service provider are similar to those of law enforcement. 

“Not your keys, not your crypto” is a common mantra, and using custodial services does mean relinquishing some control over the assets. However, law enforcement routinely relies on secure third parties: after all, cash seized by police in large quantities is held not in law enforcement safes but in banks and financial institutions. 

The choice of preservation method should not be made lightly, and one size does not fit all. Organizations will find different solutions that work well for their objectives and legal obligations. Yet what is key is that decisions on how to preserve digital assets are informed by input from a broad range of stakeholders and adopted as part of organizational policy. 

Once you seize and preserve digital assets in the field, you will want to have the correct tools to investigate and disrupt. For more information on TRM tools available to field officers processing crypto in the field, check out our mobile blockchain investigations tool, TRM Tactical.
