Tracing Cryptocurrency Linked to Illegal Activities: A Practical Guide

Jan 17, 2025 | Business News

It’s no shock that with the rise of cryptocurrency, its popularity as the preferred currency for illicit activities grew exponentially. Like fiat currency, cryptocurrency has been linked to crimes like scams, ransomware, money laundering, child exploitation, and terrorist financing, to name a few. In 2023, US$24.2 billion of total crypto transaction volume was associated with illegal activities.

With the increasing number of cryptocurrency crimes being reported at local police stations across the country, it has become increasingly important for local law enforcement agencies and investigators alike to be equipped with the knowledge and capabilities to combat crypto crime. There is a common misconception that the investigation of cryptocurrency-related crimes is the sole responsibility of national-level law enforcement agencies such as the Hawks.

However, many individuals fall victim to crimes such as “pig butchering” – a unique social engineering scam in which scammers build trust with victims via social media apps and text messages and trick them into investing their money on fake platforms. Although the impact of these scams has been devastating, with some victims losing pensions and lifetime savings, the Rand values associated with these scams often fall outside the scope and mandate of national-level law enforcement agencies, which means that the victims report the matters at their local police stations and place reliance on the local detectives to investigate their matters. 

Understanding Cryptocurrency Crimes

To understand cryptocurrency crimes, it is important to differentiate them from traditional financial crimes. In a typical scenario, an offender demands payment, usually in cash or via bank transfer. If the payment is to be made via bank transfer, the offender must supply the victim with a bank account number into which the funds should be deposited or transferred. Similarly, when cryptocurrency is involved, the offender provides the victim with a unique wallet address (think of it as a bank account number). This wallet address serves as a critical identifier for tracking the flow of funds on the blockchain.

The Role of the Wallet Address

A cryptocurrency wallet address is a unique alphanumeric string that directs transactions to a specific account on the blockchain. Unlike traditional banking, where funds can be frozen or traced by intermediaries, cryptocurrency operates under different principles:

Custodianship: In traditional finance, banks act as custodians of funds. If a victim deposits money into a bank account, the bank holds the funds, and regulatory authorities can intervene if necessary. In contrast, a cryptocurrency wallet grants full custody of the assets to the wallet owner. This means that once funds are sent to the offender’s wallet address, they are beyond the reach of traditional banking regulations.

Access and Control: With a bank account, access can be restricted by bank policies, while cryptocurrency transactions can occur at any time and anywhere in the world without needing permission from an intermediary. This immediacy can empower offenders, making it harder for victims to recover funds. However, one of the biggest benefits of cryptocurrency is that, unlike fiat, crypto transactions are fully traceable on free and readily available web-based platforms, which makes solving crypto-related crime far less onerous than crime committed using traditional currencies.

Key Terms

Blockchain: Traditional financial transactions require banks or other intermediaries to facilitate transactions. Blockchain is a digital ledger that records cryptocurrency transactions across many computers globally. Each individual computer validates and stores each transaction, ensuring there’s no central point of control or failure. Blockchain could be described as a publicly available detailed bank statement which contains a record of all transactions ever made, viewable by anyone. Once a transaction is added to the ledger, it cannot be altered or deleted, making every transaction traceable and uniquely identifiable (which is great for investigators).

Blocks: These are the individual records on a blockchain, containing transactions and their details. They are securely linked to the previous block, creating a chain that is impossible to tamper with, in theory at least.

Wallets: These can be either hosted, where the private keys are maintained by a third party (e.g., Coinbase, Binance, Gemini), or un-hosted, where the user maintains control of the private keys (e.g., Trust Wallet, Electrum, Exodus). Hosted wallets are comparable to email service providers like Gmail. They generate and securely store private keys and communicate with a blockchain network to facilitate transactions. Private keys are comparable to passwords that unlock email accounts and create unique identifiers called addresses (comparable to email accounts). Private keys therefore unlock funds for wallet addresses.

Wallet Address: The first step is to secure the wallet address provided to the victim by the offender. This address is crucial for tracing any transactions linked to the crime. Investigators can use blockchain explorers—tools that provide real-time data on transactions—to monitor the wallet’s activity.

Transaction History: By analysing the wallet’s transaction history, investigators can trace funds transferred from the victim and identify subsequent transactions. This may lead to other wallets involved in laundering the funds or spending them.

Identifying Cryptocurrency Type: Different cryptocurrencies have varying levels of anonymity and traceability. Bitcoin, for example, is pseudonymous, while others like Monero are designed to enhance user privacy. Understanding the type of cryptocurrency used can guide the investigation, as some blockchains are more challenging to trace than others.

Transparency and Privacy: Transactions on public blockchains are transparent; anyone can view transaction details, including amounts and wallet addresses. However, while this transparency aids investigations, the anonymity provided by cryptocurrencies can still complicate matters.

Investigating Cryptocurrency Crimes

When a victim reports a crime involving cryptocurrency, law enforcement must gather specific information to initiate a thorough investigation. Here’s a practical breakdown of what is needed:

Tracing the Funds (Follow the Money)

To enable a victim to send cryptocurrency to an offender, the offender must provide his public address to the victim to perform the transaction. The following are key pieces of evidence to start tracing cryptocurrency:

  • The offender’s public address which he provided to the victim.
  • Type of cryptocurrency (Bitcoin (BTC), Ethereum (ETH), etc.)
  • The transaction amount.
  • Transaction date and time stamp.
  • Transaction ID.
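An intake check for the first two items on this list, added here as an example and not taken from the original article: it labels the cryptocurrency type from the address format and verifies the Base58Check checksum of legacy Bitcoin addresses, so that a mistyped address is caught before it goes on file. The sample addresses are constructed in the code; bech32 and Ethereum checksums are not verified in this sketch.

```python
import hashlib
import re

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def sha256d(data: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()

def b58encode(raw: bytes) -> str:
    n, out = int.from_bytes(raw, "big"), ""
    while n:
        n, rem = divmod(n, 58)
        out = B58[rem] + out
    return "1" * (len(raw) - len(raw.lstrip(b"\x00"))) + out

def b58decode(text: str) -> bytes:
    n = 0
    for ch in text:
        n = n * 58 + B58.index(ch)  # ValueError if ch is not Base58
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return b"\x00" * (len(text) - len(text.lstrip("1"))) + body

def classify_address(addr: str) -> str:
    """Label an address from a victim statement before it goes on file."""
    addr = addr.strip()
    if re.fullmatch(r"0x[0-9a-fA-F]{40}", addr):
        return "ETH format (checksum not verified)"
    if addr.lower().startswith("bc1"):
        return "BTC bech32 format (checksum not verified)"
    try:
        raw = b58decode(addr)
    except ValueError:
        return "unrecognised"
    # Base58Check: the last 4 bytes are the double-SHA-256 of the rest.
    if len(raw) != 25 or raw[-4:] != sha256d(raw[:-4])[:4]:
        return "invalid Base58Check: likely transcription error"
    kinds = {0x00: "BTC P2PKH", 0x05: "BTC P2SH"}
    return kinds.get(raw[0], "Base58Check, unknown version byte") + " (checksum valid)"

# Constructed sample: version byte 0x00 + a made-up 20-byte hash + checksum.
_payload = b"\x00" + bytes(range(1, 21))
SAMPLE_BTC = b58encode(_payload + sha256d(_payload)[:4])
SAMPLE_TYPO = SAMPLE_BTC[:-1] + ("2" if SAMPLE_BTC[-1] != "2" else "3")
SAMPLE_ETH = "0x" + "ab" * 20  # constructed, not a real account

if __name__ == "__main__":
    for a in (SAMPLE_BTC, SAMPLE_TYPO, SAMPLE_ETH, "not-an-address"):
        print(a, "->", classify_address(a))
```

A failed checksum means the address should be re-confirmed against the victim's original message or screenshot before any explorer search is run on it.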

Once the wallet address, the transaction amount and the transaction ID are obtained, investigators can employ various techniques to trace the flow of funds. One of the techniques frequently used by forensic firms, such as Nexia SAB&T, is the use of blockchain explorers. A blockchain explorer is a search engine that allows users to view cryptocurrency transactions, including wallet addresses, transaction amounts, and times. To track a transaction, investigators need the transaction ID.

A blockchain explorer could provide the following information:

  • View the transaction history of any wallet address. (This is why obtaining the offender’s wallet address from the victim is important)
  • View receiving addresses and change addresses.
  • View unconfirmed transactions.
  • View double-spend incidents.
  • View orphaned blocks.
  • View who mined/validated a particular block.
  • View fees, hash rate, difficulty, and other information associated with a given block or transaction.

Example of a “Block” on Blockchain.com

On each block page, you will find information about that block, including every transaction ID, the average transaction value, the total value of all transactions in the block, and other information. Each transaction can also expand to find more information, such as the wallet addresses involved. The investigator can then click on a given wallet address to view information relating to that wallet.

However, if investigators are searching for a specific transaction, block, or wallet, they can simply enter the block ID, transaction ID or address into the explorer’s search field to find information specific to that input.

As discussed earlier, crypto transactions are facilitated through the interaction of wallets, keys, and addresses. A wallet generates keys that allow access to cryptocurrency and may be found on phones, tablets, computers, and web browsers.

The public ledger facilitates a unique form of transaction analysis, making crypto inherently more traceable than fiat transactions. Investigators can track and trace crypto transactions tied to illicit activities, freeze funds obtained through ill-gotten gains, and apprehend cyber criminals.

Example of a Wallet on Blockchain.com

Example of Transactions in a Wallet

Linking Offenders to Crimes

Identifying the offender involves more than just tracing wallet addresses. Investigators can use additional techniques:

Bitcoin Address: A Bitcoin address alone is not traceable to an individual because no personal information about the address holder is stored on the blockchain. However, there are ways to link addresses to individuals, such as information gathered from centralised crypto exchanges that may have both KYC data and addresses stored.

Cell Phone Technology: Modern technology plays a vital role in tracing cryptocurrency in criminal cases. Investigators can collect cell phone numbers, IMEI numbers, and GPS coordinates from the victim’s devices to establish a timeline of events. If the offender communicated through a specific phone number, this could be pivotal in identifying them.

Transaction Timing and Patterns: Analysing the timing of transactions can reveal behavioural patterns. For instance, if the funds were quickly moved to an exchange shortly after being received, this could indicate an attempt to launder the money. Collaborating with exchanges to analyse their records can help trace the funds back to the offender.
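The follow-the-money steps described under Transaction History and the timing check described above, combined in one added example that is not part of the original article. It assumes a simplified ledger of single sender-to-receiver rows (a real Bitcoin transaction can have several inputs and outputs); the ledger, the attribution list `KNOWN_SERVICES` and the 24-hour "rapid" threshold are all constructed for illustration.

```python
from collections import deque
from datetime import datetime, timedelta

# Constructed ledger rows: (txid, sender, receiver, amount, UTC time).
LEDGER = [
    ("tx-victim", "addr-victim", "addr-offender", 0.50, "2025-01-10T09:00"),
    ("tx-a", "addr-offender", "addr-hop1", 0.30, "2025-01-10T09:20"),
    ("tx-b", "addr-offender", "addr-hop2", 0.19, "2025-01-10T09:25"),
    ("tx-c", "addr-hop1", "addr-exch", 0.29, "2025-01-10T10:05"),
    ("tx-d", "addr-hop2", "addr-hop3", 0.18, "2025-01-12T14:00"),
    ("tx-old", "addr-hop1", "addr-other", 0.10, "2025-01-09T08:00"),
]
# Hypothetical attribution list (address -> service that can be asked for KYC).
KNOWN_SERVICES = {"addr-exch": "Exchange X (constructed)"}

def trace_forward(ledger, start_txid, max_hops=4, rapid=timedelta(hours=24)):
    """Follow the victim's payment hop by hop through the ledger."""
    txs = [(t, s, r, a, datetime.fromisoformat(ts)) for t, s, r, a, ts in ledger]
    start = next(tx for tx in txs if tx[0] == start_txid)
    queue, seen = deque([(start, [start[0]])]), {start[0]}
    hits, holding = [], []
    while queue:
        (_txid, _, receiver, _, when), path = queue.popleft()
        if receiver in KNOWN_SERVICES:
            elapsed = when - start[4]
            hits.append({"service": KNOWN_SERVICES[receiver], "path": path,
                         "elapsed": elapsed, "rapid": elapsed <= rapid})
            continue  # beyond this point the trail is in the service's records
        # Onward spends: sent by the receiving address after the funds arrived.
        onward = [tx for tx in txs
                  if tx[1] == receiver and tx[4] >= when and tx[0] not in seen]
        if not onward or len(path) >= max_hops:
            holding.append(receiver)  # funds rest here, or hop limit reached
            continue
        for tx in onward:
            seen.add(tx[0])
            queue.append((tx, path + [tx[0]]))
    return {"hits": hits, "holding": holding}

if __name__ == "__main__":
    result = trace_forward(LEDGER, "tx-victim")
    for hit in result["hits"]:
        print(hit["service"], " -> ".join(hit["path"]), hit["elapsed"], hit["rapid"])
    print("still held at:", result["holding"])
```

Each hit names the service to approach for account records, and each address under `holding` is one to keep monitoring for later movement.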

Physical Wallet Recovery: In cases where the offender is apprehended, investigators may find physical wallets—hardware devices that store cryptocurrency. If a suspect is found in possession of a wallet containing the identified wallet address, it provides a direct link to the crime. Law enforcement can then extract transaction data from these devices to further bolster their case.

Physical Wallet Recovery combined with Cell Phone Technology: A perpetrator found in possession of both the wallet and the cell phone data (SIM card, handset, etc.) will have a hard time explaining that he was not, or is not, the perpetrator, especially when more than one wallet is found in his possession, when multiple illicit payments were received in the wallet found in his possession, or when multiple calls or other communications on the cell phone in his possession direct the investigators to other victims.

Cross-border use: Cryptocurrencies are used to launder money from a variety of crimes, including drug trafficking, fraud, and cybercrime around the world. Cryptocurrency crimes are therefore not restricted within South African borders. The offenders can be anywhere in the world.

Public-private cooperation: South African and international law enforcement agencies, private sector investigators, and cryptocurrency exchanges can work together to investigate and recover assets.

 

Conclusion

The rise of cryptocurrency has introduced new challenges in the investigation of various crimes. Understanding the mechanics of cryptocurrency transactions, including the significance of wallet addresses and the capabilities of tracing technology, is essential for investigators. By leveraging modern tools and techniques, investigators can navigate the complexities of cryptocurrency crimes and work towards holding offenders accountable. As the landscape of digital finance continues to evolve, staying informed and adaptable will be crucial in the fight against cryptocurrency-related crimes.

 

Sources:

The author drew upon a broad-based understanding of cryptocurrency, combined with 37 years of experience in investigative techniques and law enforcement.

However, the author can recommend the following credible and verifiable sources on cryptocurrency investigations and crime:

  1. Chainalysis (Crypto Crime Reports) – https://go.chainalysis.com/crypto-crime-2024.html
  2. Elliptic (Whitepapers and Case Studies) – https://www.elliptic.co/
  3. Interpol’s Cybercrime Reports – https://www.interpol.int/en/Crimes/Cybercrime
  4. Europol’s Internet Organised Crime Threat Assessment (IOCTA) – https://www.europol.europa.eu/publications-events/main-reports/iocta-report
  5. South African Police Service (SAPS) Press Releases and South African Cybersecurity Advisory Reports – https://www.saps.gov.za/
  6. Koinly – https://koinly.io/blog/blockchain-explorers/
