Tracking the crypto underworld: law and order… and tech
At the time of writing, each bitcoin is worth just over US$50,000. With the right tools, anyone, anywhere in the world, can unilaterally store crypto assets or transfer them – whether peer-to-peer or via the numerous crypto exchanges – for real-world currency, with little to no oversight or regulation. Irrespective of one’s views about the long-term viability of cryptocurrency, it currently has a value and is being used to capture, store and transfer that value across the world.
It is perhaps inevitable that some proportion of the value being exchanged via these emerging technologies will arise from illegitimate activity and/or the laundering of the proceeds of crime. A crucial challenge for governments, lawyers and investigators is understanding how such assets can be retrieved in such a complex and dynamic environment.
Unlike cash, which is anonymous and hard to trace, crypto assets (e.g. Bitcoin, Ethereum, NFTs) rely on blockchain technology: a pseudo-anonymous, permanent record of transactions that typically enables anyone to trace and follow the crypto assets as they move between addresses. Crypto assets, by design, cannot be unilaterally seized, so an important step for investigators is to identify the owner of the wallet or account that holds the crypto assets.
Chain analysis
Attribution of crypto assets to a specific individual or business typically requires ‘chain analysis’. In its simplest form, chain analysis uses sites such as blockchain.info to follow specific bitcoin back through the blockchain to its origin. At the other – more useful – end of the scale, chain analysis combines visualisation tools, open-source intelligence, and other datasets to also deduce the location, behaviour or other details relating to the owner of the crypto assets. Such information can then form the basis of court orders or real-world investigations, often spanning jurisdictions.
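The simplest form of chain analysis described above, following a specific output back to its origin, is sketched below as an added example that is not part of the original article. The ledger, transaction ids and addresses are constructed, and the `trace_back` function is hypothetical. Where a transaction merges several inputs, every input is a candidate source, so the result is a set of possible origins rather than a single one.

```python
from collections import deque

# Constructed sample ledger (not real transactions). Each transaction lists the
# outpoints it spends as (txid, output_index) and the outputs it creates as
# (address, amount_in_satoshi). "ext9" is deliberately absent from the ledger.
LEDGER = {
    "cb1": {"inputs": [], "outputs": [("addr_A", 50_000)]},            # coinbase
    "t1": {"inputs": [("cb1", 0)],                                     # split
           "outputs": [("addr_B", 20_000), ("addr_A2", 30_000)]},
    "t2": {"inputs": [("ext9", 1)], "outputs": [("addr_C", 10_000)]},
    "t3": {"inputs": [("t1", 0), ("t2", 0)],                           # merge
           "outputs": [("addr_D", 29_000)]},
    "t4": {"inputs": [("t3", 0)],
           "outputs": [("addr_E", 15_000), ("addr_F", 14_000)]},
}


def trace_back(ledger, outpoint, max_hops=50):
    """Walk backwards from `outpoint` (txid, index) through every input.

    Returns (origins, addresses): origins is a set of (reason, txid, index)
    where the walk stopped; addresses lists each address in the order visited.
    """
    origins, addresses, seen = set(), [], set()
    queue = deque([(outpoint, 0)])
    while queue:
        (txid, vout), hops = queue.popleft()
        if (txid, vout) in seen:          # the same outpoint can be reached twice
            continue
        seen.add((txid, vout))
        tx = ledger.get(txid)
        if tx is None:                    # funding transaction not in our data
            origins.add(("outside-dataset", txid, vout))
            continue
        if not 0 <= vout < len(tx["outputs"]):
            raise ValueError(f"{txid} has no output {vout}")
        address = tx["outputs"][vout][0]
        if address not in addresses:
            addresses.append(address)
        if not tx["inputs"]:              # newly mined coins: a true origin
            origins.add(("coinbase", txid, vout))
        elif hops >= max_hops:            # stop early and report where we stopped
            origins.add(("hop-limit", txid, vout))
        else:
            queue.extend((prev, hops + 1) for prev in tx["inputs"])
    return origins, addresses


if __name__ == "__main__":
    found, path = trace_back(LEDGER, ("t4", 1))
    print(sorted(found), path)
```

An `outside-dataset` result marks the point where the trace needs more data, such as a fuller copy of the chain or records obtained from an exchange.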
A persistent and growing challenge for chain analysis is the existence of ‘privacy coins’. Crypto assets such as Monero were designed to be secure, private and untraceable, and so resist chain analysis by removing the ability to trace the flow of transactions on their blockchains. Perhaps in response to successful law enforcement activity in recent years, Monero may replace Bitcoin as the coin of choice on many illicit marketplaces on the Dark Web. It is much harder to trace, so much harder to seize.
The challenge also grows because other coins are implementing changes that will increase the privacy of transactions. For example, ‘Taproot’ – an upcoming update to the Bitcoin protocol – will make it far more difficult to identify the nature of any particular transaction, while the ‘Lightning Network’ will allow bitcoins to be exchanged without any record on the public blockchain.
Tracing & seizing crypto assets is complex
Against this backdrop, the successful tracing and seizure of crypto assets is a multidisciplinary and complex task requiring both legal and technical skills. Some examples follow:
- In August 2018, a Russian national was granted a freezing order by an English court against a cryptocurrency trading platform and its two directors due to her fears that large sums of Bitcoin and Ethereum she had deposited had been dissipated. By preventing the company or directors from disposing of assets, the blockchain investigation was given additional time and the claimant was reassured that if her cryptocurrency had been dissipated other assets would not be.[1]
- In December 2020, Mirror Trading International Limited (MTI) – an algorithmic trading platform based in South Africa – collapsed. During its operation the company had received about $1.45b in Bitcoin (at current value). It offered a highly-rewarding opportunity to investors – promising returns of up to 10% per month – but is suspected to have been an automated Ponzi scheme. South African liquidators have recovered approximately $450m in bitcoin that was channelled through the scam following analysis of MTI’s database and the wallets of its investors. For example, $65m was recovered from FX Choice, the Belize-based broker that froze MTI’s account in August 2020 due to compliance concerns.
- In June 2021, Binance revealed that it had worked with authorities from across the world – including Ukraine, South Korea, the USA and Switzerland – to dismantle a ransomware gang nicknamed ‘FANCYCAT’, who were responsible for laundering over $500m in cryptocurrency gained from their various criminal activities. Binance described using a two-pronged approach: “(i) implementing [its] own detection mechanisms to identify and offboard suspicious accounts and (ii) collaborating with law enforcement to build cases and take down criminal groups”.
- Also in June 2021, the US Department of Justice announced that it had retrieved 63.7 bitcoins that were paid to cybercriminals following the Colonial Pipeline ransomware attack. The affidavit supporting the seizure was particularly interesting.[2] It detailed the various addresses that the bitcoin had been traced through. It then simply stated that ‘the private key for the address was in the possession of the FBI’. No explanation was given for how the private key was acquired. This case demonstrates that – in the ongoing battle between those who hide assets and those who trace them – operational secrecy is important for both sides; but for those who seek to effectively trace assets, at some stage the tracing exercise and the various steps may need to be fully articulated in court.
As demonstrated in the above examples, it is important for lawyers, investigators, and technical experts to work symbiotically. Blockchains generate huge amounts of data and are constantly being updated; assets are often moved and split several times. Swift and robust tracing and recovery exercises are underpinned by the strategic use of legal and regulatory frameworks and proactive information sharing.
Light-touch regulation offshore
Offshore financial centres with light-touch regulation are of particular interest to crypto asset investors and businesses; several of the world’s largest cryptocurrency exchanges are said to be based in such jurisdictions (e.g. Binance in Cayman, Tether and Bitfinex in BVI). The flow of illicit crypto assets through the offshore fintech sector has led to the implementation of specific crypto-related laws. For example, the Cayman Islands government enacted the Virtual Asset (Service Providers) Act 2020 to provide a technologically neutral and adaptable framework for the regulation of the provision of virtual asset services.
At present, crypto assets and associated technology can evolve faster than our legal frameworks can respond. Nonetheless, an understanding of the legal and technical tools available to those seeking to recover crypto assets (such as production orders in criminal cases or Norwich Pharmacal / Bankers Trust orders in civil cases) alongside familiarity with the latest techniques used by cyber criminals and money launderers, across multiple jurisdictions, is best practice in an effective risk-based approach.
[1] Vorotyntseva v Money-4 Ltd (trading as nebeus.com) [2018] EWHC 2596 (Ch)
[2] https://www.scribd.com/document/510927692/Seizure-Warrant