Techniques for tackling the challenges of forensic investigation in cryptocurrency liquidations.
The decentralised nature of cryptocurrency and other digital assets can enhance transactional ease, speed and confidentiality. However, it can also increase the risk of fraud, theft and loss by enabling ‘bad actors’ to use pseudonyms, mixers and decentralised exchanges to cover their tracks. As explored here, there are techniques that specialist forensic investigators can use to trace and uncover misappropriated digital assets. While there are still limitations to the types of information these techniques can produce, investigation capabilities and recovery strategies are progressing.
In the complex world of recovering digital assets, specialist investigation teams bring together blockchain tracers and investigative forensic accountants, who seek to trace, analyse and recover assets by uncovering complex blockchain transactions to identify fraud. For example, in a cryptocurrency liquidation where bad actors were suspected of being behind the losses or failure, the investigation team would be called in to trace cryptocurrency transactions from their source to the ultimate beneficiary. This is with the aim of supporting the recovery of any misappropriated assets from the liquidation estate. An investigation team could also be engaged to identify fraudulent activities and assist with tracking down the perpetrators.
Lifting the veil
A common misconception is that cryptocurrencies are completely anonymous and untraceable. While the decentralised and pseudonymous nature of blockchain holdings affords blockchain users a higher degree of privacy compared to traditional financial systems, most blockchains show information such as the wallets involved and the transaction amounts. Such transactions are recorded on a public ledger and are traceable. The challenge is linking these transactions to real-world entities that can be targeted for the recovery of misappropriated assets. Investigations can expose information that could help. Three key tracing techniques are typically deployed:
- Blockchain analysis
  Tracking the flow of funds on a public blockchain ledger.
- Cluster analysis
  Deploying specialist blockchain forensics tools to group together wallet addresses that are likely to belong to the same user. Investigators can then seek to obtain the user’s identity, particularly if they have transacted within exchanges that require Know Your Customer (KYC) verification.
- Transaction graph analysis
  By mapping the flow of funds between wallets, investigators can find out how the assets we are looking to trace move through the blockchain, identify patterns and define illicit or fraudulent behaviour.
These methods are complemented through a combination of open-source investigations to support real-world attribution of blockchain entities, as well as any documents or records obtained during other legal proceedings or a liquidation scenario.
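The following added example (not from the article or any forensics product) sketches cluster analysis and transaction graph analysis on constructed data. It assumes the common-input-ownership heuristic for clustering, which the article does not name, and all transaction IDs, addresses and the exchange label are hypothetical.

```python
from collections import defaultdict, deque

# Constructed sample ledger: (txid, input addresses, output addresses).
TXS = [
    ("t1", ["treasury"], ["a1", "a2"]),
    ("t2", ["a1", "a2"], ["b1", "a3"]),        # a1 and a2 are spent together
    ("t3", ["b1"], ["exch_deposit", "b2"]),
    ("t4", ["a3", "c9"], ["c1"]),              # a3 is spent together with c9
    ("t5", ["x1"], ["x2"]),                    # unrelated activity
]
KYC_ADDRESSES = {"exch_deposit"}  # hypothetical deposit address at a KYC exchange

def cluster_addresses(txs):
    """Cluster analysis: addresses used as inputs to the same transaction are
    grouped as likely controlled by one user (assumed heuristic)."""
    parent = {}
    def find(a):
        parent.setdefault(a, a)
        while parent[a] != a:
            parent[a] = parent[parent[a]]  # path halving
            a = parent[a]
        return a
    for _, inputs, outputs in txs:
        for addr in inputs + outputs:
            find(addr)                     # register every address seen
        for other in inputs[1:]:
            parent[find(other)] = find(inputs[0])
    groups = defaultdict(set)
    for addr in parent:
        groups[find(addr)].add(addr)
    return list(groups.values())

def trace_funds(txs, source):
    """Transaction graph analysis: breadth-first walk from a source address.
    Returns {reached address: list of txids forming the shortest path}."""
    edges = defaultdict(list)
    for txid, inputs, outputs in txs:
        for i in inputs:
            edges[i].extend((txid, o) for o in outputs)
    paths, queue = {source: []}, deque([source])
    while queue:
        cur = queue.popleft()
        for txid, nxt in edges[cur]:
            if nxt not in paths:
                paths[nxt] = paths[cur] + [txid]
                queue.append(nxt)
    return paths

def kyc_touchpoints(txs, source, kyc):
    """Downstream addresses where an exchange may hold identity records."""
    return {a: p for a, p in trace_funds(txs, source).items() if a in kyc}
```

The path returned for each KYC touchpoint is the ordered list of transactions an investigator would cite when documenting the chain of custody from the source wallet to the exchange.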
Covering the tracks
However, these investigative techniques are not always entirely effective on their own, especially when facing sophisticated perpetrators. While transactions are public, they are tied to wallet addresses, rather than human identities. The resulting ability to operate under a pseudonym makes it difficult to link a specific person to a wallet without additional investigative steps.
In turn, fraudsters can obscure the origin and destination of transactions through various methods. The transaction trail can be obscured through the use of mixing software such as Wasabi, which jumbles up blockchain data from multiple users. A further example includes a fraudster’s use of ‘privacy coins’ like Monero and Zcash, which can impede tracing efforts. Monero allows users to create anonymous ‘ring signatures’ and unique one-time ‘stealth addresses’ for each transaction. These methods allow blockchain transactions to be verified without revealing specific details about the participants or amounts. Further, Zcash uses ‘zero-knowledge proofs’ to allow for completely private transactions on an otherwise public blockchain.
Falling through the cracks
These challenges are compounded by the fact that digital assets have no borders in the traditional sense. Criminals wishing to steal and conceal assets can also (and typically do) exploit gaps in regulation by making transfers via exchanges and platforms that do not require KYC. The investigation of cryptocurrency flows can be further hampered by differing jurisdictional regulations, ineffective or slow court systems, or a lack of knowledge sharing or cooperation with relevant authorities.
Recovering funds in a cryptocurrency platform’s liquidation
Recovering digital assets from insolvent enterprises presents a fresh set of challenges, especially if the people behind the venture seek to conceal or siphon off a cryptocurrency platform’s treasury assets prior to its collapse.
Blockchain data is a foundation of every cryptocurrency-oriented forensic investigation. The three techniques described above (blockchain, cluster and transaction graph analysis) enable investigators to create a chain of custody for the cryptocurrency they are seeking to locate and recover.
The blockchain data can be supplemented and cross-checked using other types of Open-Source Intelligence (OSINT) drawn from social media, public databases and also dark web activity.
Further, the appointment of liquidators often attracts investigation and discovery powers that can enable the recovery of critical data assets of the cryptocurrency enterprise. This can include email and communication data, as well as server stored data. Investigators can feed these data assets into an ‘eDiscovery’ platform to enable them to review and extract information that will help towards identifying wallets, keys and any other information about residual value that can be targeted for recovery.
The resulting overlay of intelligence drawn from blockchain data, open-source intelligence and the recovered enterprise data can be used to help connect digital addresses with real-world identities, identify location and contact information for the perpetrator(s), and inform a recovery strategy with robust evidence suitable for legal proceedings.
Uncovering concealed assets
The big question is how to apply these techniques when investigators come up against deliberate concealment using mixers or private exchanges. The development of such approaches typically happens on a case-by-case and fact-specific basis.
Although mixers obscure the flow of funds, forensic tools can sometimes analyse the ‘before and after’ of the mixing process to identify patterns in transaction size, timing and destination. Even if perpetrators try to cover their tracks by switching funds from different cryptocurrency exchanges (‘chain hopping’), investigators can still use multi-chain analytics tools to follow funds across various blockchains.
In some cases, the bad actors can leverage blockchain-enabled smart contracts to divert funds. But again, this can be detected by analysing the rules governing transactions and how the assets are managed. While decentralised exchanges, liquidity pools and lending platforms might not have the centralised oversight of traditional financial systems, the blockchain ledgers mean that investigators can (notwithstanding limitations associated with privacy coins, described above) still see when, where and how transactions occur.
Once investigators have identified where the funds are held and by whom, they can seek cooperation from exchanges to impose a ‘soft freeze’ and pursue court granted injunctions to prevent assets from being transferred. When the wallet is private, or ‘cold’, this can be more challenging.
Working closely with multidisciplinary teams
Close collaboration between investigation and legal teams is a critical part of the successful recovery process. This includes ensuring that the data collected is presented and understandable for admission to court. As investigators, we also work closely with lawyers to pursue claims and ensure the integrity of the digital evidence by demonstrating the clear connections in the blockchain data that have determined our conclusions.
Gaining the edge in a fast-evolving field
A combination of legal developments and investigative methodologies is increasing the ability to trace and recover digital assets. Advances in blockchain forensic tools are enabling investigators to overcome complex concealment techniques. Further, many governments are increasingly regulating cryptocurrency exchanges and transactions, which should result in greater transaction scrutiny by cryptocurrency exchanges and a reduction of the illicit movement of cryptocurrency, allowing for civil recovery practitioners to intervene before assets are dissipated into blockchain ether.
Looking ahead, the growing integration of artificial intelligence and machine learning into blockchain forensics will not only enable faster analysis of more data, but also detect anomalies and uncover patterns that manual blockchain investigations might miss.
This will remain a game of cat and mouse as perpetrators continue to develop blockchain laundering methods. Nonetheless, a combination of technology and specialist expertise means that cryptocurrency has ceased to be a black hole for fund misappropriation, and investigators and recovery professionals are continuing to gain the edge.
This article is based on a technical panel discussion held at the Crypto Fraud and Asset Recovery (CFAAR) network event on 9 October 2024 at the George Town Yacht Club, Grand Cayman.
Jamie Roberts
Associate Director
Investigations & Cross-Border Asset Recovery
jamie.roberts@quantuma.com