The amount defrauded in the crypto space has grown to more than $12 Billion and despite global efforts, 98% of cases have gone unsolved.
On the other hand – as in the case of QuadrigaCX, a cryptocurrency exchange which lost $190 Million in customer assets early last year after the apparent death of its founder Gerald Cotten, along with the loss of the cold wallet keys – well prepared and verifiable evidence makes it far easier to gain effective court action.
How can the difference in outcomes be so vast? Assets like Bitcoin and Ethereum, previously treated as ‘anonymous’ and ‘high risk’, are now at the front line of advancement in anti-money laundering technology – usurping traditional finance at a fraction of the cost. And some have woken up.
Blockchain investigators are now being turned to by law firms to negotiate a constantly morphing crypto crime environment. An advantage Miller Thomson has sought in the recent of our strategic partner Kroll, a division of Duff and Phelps, to collaborate alongside us in the QuadrigaCX matter.
In light of this sea change, read about the kind of battles in technology typical cases present – and how Coinfirm’s operation traces stolen crypto.
Crypto Mixing Schemes
funds related to hacks, scams, ransoms, drug and human trafficking and all
other types of illicit and criminal activities tend to be passed through complex
layering/mixing schemes aimed to conceal the trail of funds.
One scheme uses blockchain transaction mixers (also referred to as tumblers/anonymizers) – services that attempt to confuse the trail of blockchain transactions. In most cases funds are divided into smaller parts. These parts are then ‘mixed’ at random with similar sizes of other users’ funds. As a result, the criminal perpetrator receives the funds with a much lower ‘taint’ ratio (low traceability to the perpetrator’s initial blockchain addresses).
Some blockchain protocols like Dash or Zcash have embedded anonymizing functions within their protocols. Although running a mixing service may be illegal under existing regulations (e.g. the 5th AML Directive of the EU), that doesn’t stop the bad actors of the ecosystem. Mixing services are useful to criminals if the amount of illicit funds is not extraordinarily large. The higher the amount, the more difficult it is to conceal the source of funds.
Afterwards, large and
sophisticated hacking and scam operations typically pass funds through a
deliberately designed chain of hundreds or thousands of ‘layering’ transactions
– similar to traditional finance money laundering methods.
The destination of illicit funds is typically a cryptocurrency exchange. Most often these are exchanges with no or low KYC standards, but also reputable exchanges, owing to many of them still missing truly effective, high-tech AML and Transaction Monitoring solutions such as Coinfirm’s.
The other usual recipients of crime-related coins are various disreputable Clearnet and Deep Web blockchain services such as marketplaces, decentralized finance applications or gaming and gambling sites. All of these end points may serve criminals both to cash out illicit cryptocurrencies and as a means of further obscuring the trail of funds by exchanging them through several such services.
But despite the sophistication of the schemes’ route, the blockchain ledger is immutable. It can be, and is, tracked.
The Blockchain System Counters
Crypto fraudsters and those in blockchain-driven compliance are forever in a technological arms race, but Coinfirm is always a step ahead of the nefarious actors.
Fraud investigation engines often
encompass several automatic analytical techniques allowing investigators to
overcome even very complex layering schemes. The basic typology distinguishes
three types of examinations – the destination of funds, source of funds and
fingerprints of activity.
Destination of funds aims to identify blockchain addresses that hold or received funds originating from misappropriated wallets, as well as evidencing transaction paths (chains of consecutive transactions) between them.
Conversely, the source of funds is designed to identify addresses that send funds to blockchain addresses related to criminal activity.
The purpose of fingerprints
of activity is to identify accounts of known blockchain services and
methods used by the perpetrators.
The aforementioned examinations
are supported with numerous data mining techniques such as ownership analysis,
clustering and e-discovery.
Ownership analysis aims to provide as many ‘quality’ pieces of evidence and strong indications as possible as to who is an owner and who is a beneficiary of each blockchain address deemed to be relevant for the investigation.
Clustering algorithms are used to identify blockchain addresses belonging to the same owner by analytical means. A good clustering algorithm could identify even hundreds of thousands of a suspect’s blockchain addresses just based on one address confirmed as belonging to the suspect. This includes the determination of suspects’ addresses on different blockchain networks. In most cases clustering analysis gives the level of certainty sufficient to constitute evidence in the litigation phase.
E-discovery is a set of analyses aimed at extracting blockchain addresses, transactions or private keys from the digital carriers preserved in the course of the investigation, such as servers and personal computers.
Parsing all collected on-chain and off-chain data together provides the groundwork for completing the picture of the scheme with the use of different transaction tracing techniques.
A Holistic Approach to Tracing Stolen Funds
Most blockchain analytics
firms only provide a transaction tree, treating all consecutive transactions as
dirty (tainted) funds (so-called ‘Poison’ method). The drawback of the Poison
method is that the amount of evaluated tainted funds at its destination can be
several times higher than the actual misappropriated amount and it does not
distinguish between misappropriated and other funds, which could be easily undermined
by a skilled attorney. This creates the risk of wasting years of investigation
and related costs if grounds for the case were beset by gaps in the tracing
Wasted resources can cripple the effectiveness of end results and the combatting of a systemic issue. Hence the need to go a few steps further.
Coinfirm’s unique fraud
investigation methodology uses multiple different tracing methods for the same
investigation. This includes those widely adopted in bankruptcy law, such as
first-in, first-out (FIFO), last-in, first-out (LIFO), pro-rata distribution
(Proportional Distribution), lower intermediate balance rule (LIBR), with an
additional comprehensive set of proprietary methods enhanced for the specifics
We take this holistic approach because courts tend to have different preferences when it comes to tracing methodologies. For example, pro-rata distribution may be preferred in cases of Ponzi schemes where multiple, similarly situated victims are being paid with other victims’ deposits.
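The gap between the Poison method and the accounting-style methods named above shows up clearly on a single intermediary wallet. The following is an added example, not Coinfirm's code or methodology: the sample events are constructed, the names trace, compare and SAMPLE are hypothetical, and LIBR is simplified to "clean money is deemed spent first".

```python
from fractions import Fraction

# Constructed sample: one intermediary wallet, events in chronological order.
# ("in", amount, is_stolen) is a deposit; ("out", amount) is a transfer onward.
SAMPLE = [("in", 10, False), ("in", 5, True), ("out", 9),
          ("in", 10, False), ("out", 12)]

def trace(events, method):
    """Return the traced (stolen) part of each outgoing transfer."""
    lots = []          # [remaining amount, is_stolen], oldest deposit first
    poisoned = False   # has the wallet ever received stolen funds?
    traced = []
    for kind, amount, *stolen in events:
        amount = Fraction(amount)
        if kind == "in":
            lots.append([amount, stolen[0]])
            poisoned = poisoned or stolen[0]
            continue
        balance = sum(lot[0] for lot in lots)
        if not 0 < amount <= balance:
            raise ValueError("transfer must be positive and within balance")
        if method == "pro_rata":
            # Every lot contributes in proportion to its share of the balance.
            takes = [(lot, lot[0] * amount / balance) for lot in lots]
        else:
            order = {"fifo": lots, "poison": lots, "lifo": lots[::-1],
                     # LIBR, simplified: clean money is deemed spent first.
                     "libr": sorted(lots, key=lambda lot: lot[1])}[method]
            takes, need = [], amount
            for lot in order:
                take = min(lot[0], need)
                takes.append((lot, take))
                need -= take
        dirty = Fraction(0)
        for lot, take in takes:
            lot[0] -= take
            if lot[1]:
                dirty += take
        # Poison marks the whole transfer once the wallet has touched stolen funds.
        traced.append(amount if method == "poison" and poisoned else dirty)
    return traced

def compare(events):
    """Total traced amount leaving the wallet under each method."""
    methods = ("poison", "fifo", "lifo", "pro_rata", "libr")
    return {m: sum(trace(events, m)) for m in methods}

if __name__ == "__main__":
    for method, total in compare(SAMPLE).items():
        print(f"{method:9} {float(total):5.1f} of 5 stolen")
```

On this sample Poison attributes 21 units downstream although only 5 were stolen, while the other methods never exceed 5 and differ only in which transfer carries the traced amount.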
Well prepared, verifiable evidence of tracing
analysis and impartial interpretation, such as multiple methods presenting
similar findings, makes it far easier (and less costly) when it comes to court
decisions. After all, in cases such as that of QuadrigaCX, victims have 190
million reasons to look for an effective solution.