August 10, 2022
With headlines about crypto scams and hacks as well as new designations in the crypto space dominating recent headlines, TRM launched a timely new webinar series titled TRM Talks Investigations, exploring the latest cases, trends and typologies in crypto investigations.
In its inaugural episode, Ari Redbord, TRM’s Head of Legal and Government Affairs, sat down with some of TRM’s Global Investigations Team, former FBI investigators Jennifer Vander Veer, Taylor Windemuth and Lisa Wolk; former United States Secret Service Agent Rita Martin, and threat intelligence expert Monika Laird.
Watch the full session here.
Read the full summary below, looking at bridges, pig butchering scams and their investigations, NFT Discord hacks and subsequent investigations, and wash trading.
What is the latest in the cross-chain ecosystem, particularly in terms of bridges and swaps?
As Jennifer Vander Veer explained, over the past year we have been seeing tremendous growth in the number of bridges that are being developed to connect blockchains. There are at least 100 bridges out there connecting blockchains to each other.
This dramatic growth is important because bridges allow people to easily transfer value from one chain to another. While this can also be done through exchanges and trading services, these require multi-step processes with a fair amount of friction, and face well-established AML practices. Bridges, on the other hand, are quick and often pseudo-anonymous because of their architecture. Jennifer explains that this is both good and bad – for web3 and the blockchain ecosystem to grow and thrive, we need blockchains to talk to each other and be connected, with bridges playing a critical part in this interoperability. However, bridges have been vulnerable to threat actors.
Bridges are a target because they often store a lot of value which helps the bridge function. Four bridges were hacked just this year to the tune of over $1 billion in crypto (the Ronin Bridge compromise was over $600M, and hackers used bridges extensively to access mixing services on a variety of blockchains).
The recent spate of attacks on bridges - which natively move funds between blockchains - mean that it is more important than ever to have next generation tools like TRM that seamlessly trace across blockchains.
A deeper look at cross-chain flows
Traditionally, bad actors would move proceeds of financial crime through a single blockchain. Mono-chain blockchain analytics could be used to trace the flow of funds and detect risk exposure.
As liquidity on other cryptocurrencies increased, so did the use of those cryptocurrencies to launder proceeds of financial crime. Bad actors are increasingly "Chain-Hopping" to swap cryptocurrencies from one to another as a way of obfuscating the flow of funds. Cross-chain blockchain analytics is required to detect these cross-chain transfers and understand the activity of an entity across different blockchains.
The importance of cross-chain analytics for cross-chain investigations
Cross-chain analytics enables cross-chain tracing of source and destination of funds. This ability is increasingly important as crypto users diversify their crypto assets, utilizing multiple blockchains. In addition, there are services available that offer "swapping" or "chain-hopping," both of which may be potential indicators of money laundering.
Why investigators turn to TRM
Blockchain intelligence that includes cross-chain analytics is integral to successful investigations in today’s cryptocurrency ecosystem. TRM Labs currently enables tracing of crypto flows across 23 blockchains in a single graph environment — including automated tracing through the most popular cross-chain bridges and services.
What are “pig butchering” scams and what does an on-chain investigation into this type of scam look like?
Lisa Wolk explains that pig butchering scams have been making the news lately, and for good reason, with individual victims losing extraordinarily large amounts of money, up to over $3 million.
Pig butchering scams can take several forms, but all involve the threat actor befriending the targeted victim and gradually increasing the amount of money scammed from the victim over time, eventually “leading the victim to slaughter.”
According to Lisa, we are seeing a huge spike in “wrong number” type scams lately, where individuals will pretend they have contacted the victim by mistake via LinkedIn, Facebook, dating websites and other social networking platforms, but then attempt to get to know the victim. Often, the conversation is steered towards investing and cryptocurrency fairly early on in the relationship.
Once the scammer has made a way in with the victim, the scams take several forms:
- ETH liquidity mining scams, where victims are led to participate in mining pools with the promise to earn back their investment
- Broker platform scams
Once they have invested, victims are unable to withdraw their funds from these platforms. At this point, they realize that they have been scammed.
Lisa then explains how investigations into these scams are approached.
According to Lisa, these investigations are complex. Victims are being scammed out of hundreds of thousands, even millions, of dollars each, and these funds are being commingled into common wallet addresses, leading to enormous amounts of funds entering these addresses. While the average amount of funds per address is 10-20 million, Lisa has seen cases where addresses hold over 60 million.
In cases like this, the investigation’s complexity intensifies, as the funds within the address may not all be from pig butchering scam proceeds.
In these investigations, Lisa explains that there are two layers that need untangling on-chain: the scammers’ wallets and the money laundering network’s wallets (which are likely to have strong overlaps with more traditional Asia-based fiat money laundering networks).
While investigators can make educated guesses as to change of ownership from scammer to money launderer, this is where partnerships with exchanges and law enforcement come into play. By working with exchanges, as well as from prior history with the FBI, Lisa knows that the common pattern in these scams is as follows:
What is happening in the world of NFT-related Discord hacks and how do investigations into Discord hacks take shape?
As Monika Laird explains, Discord is arguably the primary communication platform utilized by Web3 developers and has emerged as the preferred platform among builders and creators in the crypto space.
Discord enables users to assign community roles, adjust user interfaces, and gamify channels by incentivizing users to contribute enough value to become high-ranking members. NFT projects, in particular, have flocked to create Discord servers in order to host community hangouts and advertise minting giveaways around their projects.
Because of this, scammers have also treated Discord as a channel ripe for exploitation and have developed deception tactics to target Discord users in what appear to be a series of related attacks threatening NFT projects on Discord.
According to TRM analysis, since May 2022, Discord users in the NFT community have lost an estimated $22 million and counting from the distribution of malicious links through the promotion of fraudulent NFT minting giveaways. On Chainabuse, a community-led scam reporting platform operated by TRM labs, over 100 reports of Discord channel hacks have been filed in the past two months.
Monika explains how these hacks occur:
- First, threat actors start by compromising the social media accounts of employees within an organization
- The threat actors then send messages from the compromised employee’s social media account to the community server on Discord, which falsely claims their NFT project is promoting a limited NFT giveaway. These messages will include a link to a malicious domain, prompting a victim to connect their wallet and send an initial minting fee.
- In doing so, the victim unknowingly is phished and the connection triggers a setApproveAll call targeting ERC-721 tokens (aka NFTs) out from the victims compromised wallet
Staying on the topic of NFTs, let’s take a closer look at wash trading in this space.
As Taylor Windemuth explains, wash trading has traditionally referred to a trader buying and selling a security for the explicit purpose of misleading the market and manipulating prices. Sometimes, a trader and a broker are colluding together, and other times an investor is acting as both the buyer and the seller. Either way, the goal is to quickly make money or potentially use the washing as a mechanism for laundering.
The process works similarly with NFTs, for which Taylor provides the following example:
To an outside observer, especially someone who hasn’t conducted due diligence, the transaction probably seems legitimate and could just be chalked up to a very successful NFT project.
In a recent real-world example, Taylor explains how in late 2021, someone bought a CryptoPunk from themselves with a flash loan and repaid the loan in the same transaction. The purchase price was over 124k ETH, which was worth $532M at the time. Prior to the wash trading/flash loan, the same CryptoPunk had been trading for closer to $300-400K.
The anomaly was so large that it led to a Tweet from the NFT creator stating that bids like these could not be accepted and that enhanced filtering would be created to avoid wash trading in the future.
NFT wash trading is a concern for legitimate investors, collectors, and the general public because of inflated price comparisons and statistical outliers that are making the market murky.
While still early in the space, there has been government action regarding crypto-related wash trading. For example, the CFTC issued a $6.5M penalty last year to an employee of a large exchange for wash trading and making reckless, false, or inaccurate reporting. In addition, the EU’s Markets in Cryptoassets (MiCA) legislation, a comprehensive regulatory framework, will make crypto wash trading illegal. The House Committee on Ways and Means have also discussed expanding the tax wash rule to NFTs and cryptocurrency.
So, what can we do about wash trading?
Taylor stresses the importance of blockchain intelligence and due diligence checks.
“At TRM, our Global Investigations team conducts risk assessments on NFTs to mitigate risk for investors and to identify any outliers or other suspicious activity. Using both on and off-chain data, it is important that we check for things like the token and creator provenance, as well as current ownership of an NFT. The same immutable ledger technology that is being used to potentially manipulate the market can provide a wealth of historical data when analyzed further. With TRM, you can see a wallet's current holdings (including NFTs), transaction history, risk indicators and more.”
Some things to look out for:
- Do the owners seem to have an unusually tight transaction network?
- Do the owners appear to transfer the NFT between each other, with discrepancies between bid, sale, and floor prices?
- Does there appear to be a price anomaly?
Finally, Taylor emphasizes the importance of reporting these hacks and scams on Chainabuse.com, a multi-chain platform where you can alert others, including law enforcement, to suspicious or illicit activity.
Finally, we took a look at ransomware and latest trends and typologies.
Rita Wilson explains that things have changed significantly in the world of ransomware since 2018:
As we have seen, Rita explains the benefit of VASP due diligence on-chain, particularly as bad actors employ tactics such as chain-hopping and using stablecoins on alternative chains like TRON. Rita stresses the importance of focussing on bad actors rather than variants, building cases against individuals when and where possible.
The importance of training
Our panel agrees that having highly skilled investigators with robust training is critical for successful investigations.
TRM users get complimentary access to TRM Academy, an extensive self-serve digital course library that is continuously updated with content, including practice investigations led by investigators like the panelists featured here.
In addition, TRM Academy currently offers four certifications, with TRM-Certified Investigator being the most popular for getting learners up to speed on the crypto economy and the basics of blockchain intelligence investigations. All certifications are tool agnostic, with options for live training with us as your instructors and/or self-paced classes.
To find out more, contact TRM on firstname.lastname@example.org
Want more content like this?
- Follow us on social: LinkedIn | Twitter
- Subscribe to our newsletter
- Subscribe to our YouTube channel
- Sign up for future virtual events
Access our coverage of TRON, Solana and 23 other blockchains
Fill out the form to speak with our team about investigative professional services.