On the Trail of Criminals with Blockchain
Because a blockchain records every transaction, cryptocurrency payments can be traced. This supports investigations against criminal hacker gangs, and it also gives ransomware victims a chance to recover the money that was extorted from them.
Analyzing raw blockchain data can help ransomware victims recover at least some of their ransom money, but it can also uncover other criminal activity such as financial fraud or even cases of removal. Blockchain intelligence firms, for example, track Bitcoin and other cryptocurrency transactions to help authorities or ransomware victims identify attackers and possibly retrieve the ransom. Such investigations, however, often require weeks of work, specialized technical knowledge and a bit of creativity. The chances of success are not negligible.
Anatomy of a Blockchain Discovery
The first point of reference for investigators is the cryptocurrency address given by the hackers, to which the payment was made. As a rule, the money does not stay there for long. It is moved to different addresses, split into different wallets, and converted from Bitcoin to other cryptocurrencies.
Hackers use these methods to cover their tracks or to pay the partners involved. Some of these criminal groups even use professional money launderers. Whatever happens after a ransom is paid, every transaction is recorded on a blockchain. The ledger shows transaction hashes and Bitcoin or other cryptocurrency addresses, but not, by itself, how these addresses are connected.
While anyone can access a blockchain's public ledger and see this raw data, deriving concrete insights from it is difficult. There are, however, ways to extract important information. Investigators can, for example, group addresses to identify the entity controlling them, such as an individual, a cryptocurrency exchange or a ransomware group.
For example, individual wallets can hold five or six addresses, while some services that run on a specific blockchain allow millions of addresses to be aggregated. Knowing the exact entity behind a series of addresses can be crucial in a manhunt.
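The address grouping described above can be illustrated with a small script. This is an added example, not code from the article or from any blockchain intelligence firm: it applies the common-input-ownership heuristic (all inputs of one transaction are assumed to be spent by the same entity) with a union-find structure, then follows funds forward from the address a ransom was paid to and reports any reached address that carries an off-chain label. The transactions, addresses and the label are constructed for illustration.

```python
"""Address clustering and forward fund tracing over constructed transactions.

Added example. Implements the common-input-ownership heuristic with
union-find and a breadth-first trace of outputs. All data below is constructed.
"""
from collections import defaultdict

# Constructed transactions: (txid, [input addresses], [(output address, amount)])
TRANSACTIONS = [
    ("tx1", ["victim1"], [("ransomA", 5.0)]),
    ("tx2", ["ransomA"], [("hop1", 2.0), ("hop2", 3.0)]),
    ("tx3", ["hop1", "hop2"], [("exchangeDeposit", 4.9), ("change1", 0.1)]),
    ("tx4", ["unrelated1"], [("unrelated2", 1.0)]),
]

# Constructed off-chain labels of the kind intelligence firms collect (hypothetical)
LABELS = {"exchangeDeposit": "ExampleExchange (hypothetical)"}


class UnionFind:
    """Minimal disjoint-set structure keyed by address strings."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def cluster_addresses(transactions):
    """Group input addresses by the common-input-ownership heuristic.

    Returns {cluster_root: sorted member addresses}. Outputs are not assumed
    to share an owner. Caveat: mixing transactions that combine inputs from
    several parties would merge unrelated owners under this heuristic.
    """
    uf = UnionFind()
    for _, inputs, _ in transactions:
        for addr in inputs:
            uf.union(inputs[0], addr)
    clusters = defaultdict(list)
    for addr in uf.parent:
        clusters[uf.find(addr)].append(addr)
    return {root: sorted(members) for root, members in clusters.items()}


def trace_forward(transactions, start, max_hops=10):
    """Follow spends from `start` breadth-first.

    Returns edges (hop, txid, from_addr, to_addr, amount); each spending
    transaction is expanded once even if several traced addresses feed it.
    """
    spends = defaultdict(list)  # input address -> transactions spending from it
    for txid, inputs, outputs in transactions:
        for addr in inputs:
            spends[addr].append((txid, outputs))
    edges, frontier, seen_tx = [], [(start, 0)], set()
    while frontier:
        addr, hop = frontier.pop(0)
        if hop >= max_hops:
            continue
        for txid, outputs in spends[addr]:
            if txid in seen_tx:
                continue
            seen_tx.add(txid)
            for to_addr, amount in outputs:
                edges.append((hop + 1, txid, addr, to_addr, amount))
                frontier.append((to_addr, hop + 1))
    return edges


def labelled_endpoints(transactions, start, labels):
    """Addresses reachable from `start` that carry an off-chain label."""
    reached = {to for _, _, _, to, _ in trace_forward(transactions, start)}
    return {a: labels[a] for a in reached if a in labels}


if __name__ == "__main__":
    for root, members in cluster_addresses(TRANSACTIONS).items():
        print("cluster", root, "->", members)
    for edge in trace_forward(TRANSACTIONS, "ransomA"):
        print("hop %d %s: %s -> %s (%.2f)" % edge)
    print("labelled:", labelled_endpoints(TRANSACTIONS, "ransomA", LABELS))
```

In the constructed set, hop1 and hop2 are spent together in tx3 and therefore fall into one cluster, and the trace from ransomA ends at an address carrying the hypothetical exchange label, which is the point at which an investigator would turn to the exchange's records rather than to the chain.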
Linking to off-chain data
Blockchain intelligence companies typically collect information from a variety of sources and often use off-chain data to combine it with existing data and draw additional conclusions. To do this, they consult, among other things, dark web forums, social media posts and court documents.
For example, a Facebook user may solicit bitcoin payments and post an address along with the request. Depending on the case, this address may be associated with a cybercriminal network, a terrorist organization or another illegal organization. Blockchain intelligence companies collect this information and store it for future reference. This is how huge "blacklists" of cryptocurrency addresses are created.
To throw investigators off the trail, hackers usually move their bitcoins from address to address over a long period of time. But at some point they have to exchange their cryptocurrency for conventional (fiat) currency. Law enforcement authorities can then use the collected data to find out who owns the wallet address or who was connected to it.
The chances of ransomware victims getting back the ransom money depend on the following parameters:
- Time elapsed between the payment and the start of the investigation.
- How quickly the cryptocurrency is moved on.
When law enforcement is involved, the chances of success tend to be higher. However, each case is different, and the chances of recovering at least part of the ransom vary considerably. Not only are ransomware hackers constantly honing their skills, but their numbers have also multiplied in recent years. Tracing bitcoin transactions therefore remains a complex undertaking that needs to be done by experts.
Warning signs of a money laundering scheme
Through their work, blockchain intelligence firms can help create a foundation of trust for cryptocurrencies. The same goes for sensible regulations to contain cybercrime. Here are some red flags cryptocurrency service providers should use for monitoring/verification:
- Incoming funds from a platform with relaxed regulations.
- A single crypto wallet linked to multiple bank accounts and credit cards (indicating a group of people using the same wallet to move funds).
- Very frequent inbound transfers from multiple crypto wallets to a single account.
- Linked crypto wallets that do not match the client's profile.
- Transactions just below the reporting threshold.
- Continuous high-value transactions in a short period of time.
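The red flags above can be turned into simple screening rules. The following is an added example, not code from the article or from any provider's monitoring product: it runs the six rules over a constructed set of incoming transfers and KYC profiles. The reporting threshold, the list of platforms regarded as loosely regulated, the time window and the rule parameters are all constructed assumptions that a real compliance team would set according to its own jurisdiction and risk appetite.

```python
"""Red-flag screening of incoming crypto transfers (added example, constructed data)."""
from collections import defaultdict
from datetime import datetime, timedelta

THRESHOLD = 10_000.0                       # constructed reporting threshold (EUR)
LAX_PLATFORMS = {"lax-exchange.example"}   # constructed list of loosely regulated sources

# Constructed KYC profiles: account -> expected monthly volume (EUR)
PROFILES = {"acct-1": 5_000.0, "acct-2": 50_000.0, "acct-3": 3_000.0}

# Constructed transfers: (time, sending wallet, receiving account, amount EUR, source platform)
RECORDS = [
    ("2024-05-01 09:00", "w-A", "acct-1", 9_800.0, "lax-exchange.example"),
    ("2024-05-01 09:05", "w-A", "acct-2", 500.0, "p2p"),
    ("2024-05-02 10:00", "w-B", "acct-3", 20_000.0, "exchange.example"),
    ("2024-05-02 10:10", "w-C", "acct-3", 15_000.0, "exchange.example"),
    ("2024-05-02 10:20", "w-D", "acct-3", 12_000.0, "exchange.example"),
    ("2024-05-02 10:30", "w-E", "acct-3", 11_000.0, "exchange.example"),
    ("2024-05-10 12:00", "w-F", "acct-2", 4_000.0, "exchange.example"),
]


def parse(records):
    return [(datetime.strptime(t, "%Y-%m-%d %H:%M"), w, a, amt, src)
            for t, w, a, amt, src in records]


def screen(records, profiles, threshold=THRESHOLD, window=timedelta(hours=1),
           min_wallets=4, min_high_value=3, profile_multiplier=3.0):
    """Return a sorted list of (rule, subject) hits.

    Subject is the receiving account for per-account rules and the wallet for
    the wallet-linkage rule. Accounts without a profile are treated as
    expected volume 0 and so always fail the profile check.
    """
    hits = set()
    rows = sorted(parse(records))
    wallet_accounts = defaultdict(set)   # wallet -> accounts it has funded
    by_account = defaultdict(list)       # account -> [(time, wallet, amount)]
    for t, w, a, amt, src in rows:
        wallet_accounts[w].add(a)
        by_account[a].append((t, w, amt))
        # Rule: incoming funds from a platform with relaxed regulation
        if src in LAX_PLATFORMS:
            hits.add(("lax_platform_source", a))
        # Rule: transaction just below the reporting threshold (structuring)
        if 0.9 * threshold <= amt < threshold:
            hits.add(("just_below_threshold", a))
        # Rule: amount far out of line with the client's declared profile
        if amt > profile_multiplier * profiles.get(a, 0.0):
            hits.add(("profile_mismatch", a))
    # Rule: one wallet tied to several accounts (shared wallet, several people)
    for w, accts in wallet_accounts.items():
        if len(accts) > 1:
            hits.add(("wallet_linked_to_multiple_accounts", w))
    # Sliding-window rules per account
    for a, txs in by_account.items():
        for i, (t0, _, _) in enumerate(txs):
            in_window = [x for x in txs[i:] if x[0] - t0 <= window]
            # Rule: many distinct wallets feeding one account in a short time
            if len({w for _, w, _ in in_window}) >= min_wallets:
                hits.add(("many_wallets_to_one_account", a))
            # Rule: repeated high-value transfers within the window
            if sum(1 for _, _, amt in in_window if amt >= threshold) >= min_high_value:
                hits.add(("rapid_high_value_transfers", a))
    return sorted(hits)


if __name__ == "__main__":
    for rule, subject in screen(RECORDS, PROFILES):
        print(f"{rule:36s} {subject}")
```

On the constructed data, acct-1 trips the lax-source and just-below-threshold rules, wallet w-A is flagged for funding two accounts, and acct-3 trips the profile, many-wallets and rapid-high-value rules, while acct-2 stays clean. Each hit is a prompt for review, not proof of laundering; the thresholds drive the false-positive rate and need tuning against real volumes.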
Ultimately, spreading cryptocurrency across many addresses is no different from the money laundering of a few decades ago, when funds were deposited into a traditional bank account, then withdrawn, transferred to another bank account and finally sent abroad.
New techniques and tools for blockchain analysis are constantly being developed to help law enforcement. It is already an important, but currently underused, way of investigating criminal activity.