Dirty Crypto Takedown: How Gov’ts Deanonymize Crypto Transactions to Fight Crime

It’s a common belief that the anonymity of cryptocurrency is nearly absolute, making it harder for law enforcement agencies to trace furtive transactions and apprehend criminals. However, there are examples when government agencies managed to seize criminals by analyzing crypto transactions to the point of deanonymizing crypto users’ identities. Federal Bureau of Investigation Assistant General Counsel Brett Nigh said back in 2015 that “investigators can follow the money.” As arrests have led to convictions, “there’s a steady shift toward seeing cryptocurrency as a tool for prosecuting crimes,” Nigh claimed. With crypto-related fraud and unlawful transactions on the rise, law enforcement around the world are developing solutions that deanonymize fraudulent crypto users, but what does this mean for the majority of lawful crypto users?

Covering up Crimes With Crypto and Anonymous Money Sending Services

In 2019, United States law enforcement agencies were able to track down 23-year-old South Korean man Jong Woo Son by tracing his Bitcoin (BTC) transactions to his home and shut down his global child pornography website called Welcome 2 Video, reportedly the largest child pornography website in history. Law enforcement uncovered eight terabytes of child exploitation videos, which lead to 337 arrests. They were able to trace BTC payments made to Son to his website operating on the dark web by following the flow of transactions recorded on the blockchain. To track Bitcoin blockchain transactions, the authorities used software developed by blockchain analysis firm Chainalysis. Recently, Spanish authorities arrested three individuals connected to the Welcome 2 Video platform, as part of the so-called Jekyll operation. To access the content of the website, customers made payments using cryptocurrencies, tokens or anonymous money sending services in order to make it more difficult to trace them. To identify the addresses associated with the platform, the Spanish law enforcement authorities in collaboration with U.S. Homeland Security Investigations analyzed thousands of cryptocurrency transactions. Ultimately, they detected the recipients of the payments located mainly in the Philippines. The element of cryptocurrency anonymity comes from the addresses generated by a user’s wallet, the cryptographic keys and the transactions a user make. When the user receives an incoming payment to their public address key, their wallet automatically generates a new cryptographic address. Additionally, the user’s IP address isn’t stored in the blockchain nor is it a part of the transaction. Since every Bitcoin transaction ever made is recorded on the blockchain — a public ledger storing records of all the transactions ever processed and every balance of every address — this information can then be accessed by anyone because transactions are stored publically. For this very reason crypto transactions aren’t absolutely anonymous, in a sense, though the stored transactions in the blockchain are in fact encrypted with a public key. This is why crypto criminals sometimes use cryptocurrency tumblers, also known as a cryptocurrency mixing service, which allows them to essentially obfuscate crypto transactions by blending it into a pool of other illicit transactions, so they can conceal the source where the transaction originated. However, not every mixer is 100% efficient. According to a report released by crypto-intelligence company CipherTrace, within the first five months of 2020 crypto criminals already netted $1.36 billion dollars in illicit transactions. The trend is expected to exceed last years’ loss, which amounted to $4.5 billion dollars. The year prior, only 1.1% of all crypto transactions were involved in illegal transactions, which still totaled a whopping $11.5 billion.

The International Race Is on for Blockchain Analytical Tools

Government agencies globally have been pushing to acquire state-of-the-art blockchain analytical tools in their pursuit to deanonymize dirty crypto transactions and stop the threat actors involved. The Japanese National Police Agency teamed up with a private company to assist them with the capability to extract blockchain data and visualize transaction patterns. The software in question reportedly can “extract transaction data needed for an investigation from an enormous volume of data, making cyber investigations more effective. […] The software can also show information of virtual currency exchange operators, information that is not found in blockchain databases.” In the U.S., the Department of Homeland Security, Internal Revenue Service, Drug Enforcement Agency, the Secret Service, and the Department of the Army at the Pentagon headquarters are looking for outsourced solutions from private companies to partner with them by supplying crypto investigational resources. This July, the Army Contracting Command issued the following statement:

“The U.S. Army Contracting Command-New Jersey (CC-NJ) located at Fort Dix, NJ is surveying the market for potential contractors capable of providing one license for one user of a cloud, web based application capable of assisting law enforcement to identify and stop actors who are using cryptocurrencies for illicit activity such as fraud, extortion, and money laundering. Application must enable users to conduct in-depth investigation into the source of cryptocurrency transactions and provide multi-currency analysis from Bitcoin to other top cryptocurrencies.”

Earlier this year, the Ukrainian Ministry and Committee of Digital Transformation announced a cooperation with Crystal Blockchain, a manufacturer of software for monitoring cryptocurrency transactions. The software will ostensibly be used by the country’s banks and private and government agencies. Moreover, the Federal Service for Financial Monitoring of Russia announced plans to develop its own system dubbed “Transparent Blockchain” to track cryptocurrency transactions and identify crypto users. Officially, the software is set to be used to investigate illegal deals related to money laundering and terrorist financing.

How Government Agencies Use Analytics to Deanonymize Transactions

The analytical software already exists and is already in use. CipherTrace, Elliptic and Chainalysis are among leading specialized blockchain analytical intelligence firms that are already active players on the market. Generally, such firms provide their products to governmental agencies, financial institutions, and exchanges around the world to help them analyze what’s happening on blockchain in a bid to unmask real-world threat actors behind cryptocurrency transactions. To further elaborate on the subject, Madeleine Kennedy, senior director of communications at Chainalysis, provided BeInCrypto with some insights:

“We have mapped those addresses [in the Welcome 2 Video case] to real-world entities. So that means, when you are in our product you can see that someone at Coinbase just sent X number of Bitcoin to someone at Kraken, or to a darknet market or to a child pornography site, or any number of services or entities on the blockchain. The way that we map it is through proprietary heuristics. It’s a combination of technology […] and actual people who work at our company and validate certain services.” 

Chainalysis Reactor, the software described by Kennedy, utilizes curated open source-intelligence (OSINT) in conjunction with enriched visual graphs to help contextualize the flow of dirty crypto transactions. For example, during the Welcome 2 Video investigation, Chainalysis Reactor allowed law enforcement to literally “follow the money” on the blockchain and determine where the IP address of Welcome 2 Video was located. Kennedy continued:

“They could trace all the activity coming and going from Welcome 2 Video. […] That enabled them [the law enforcement] to see that Welcome 2 Video was getting money from mainstream cryptocurrency exchanges that collect Know Your Customer data, so they could then go and subpoena those exchanges and find out who was transacting with Welcome 2 Video.”

Kennedy claimed that Chainalysis doesn’t know who the actual threat actors are, and they do not collect personally identifiable information. Nonetheless, the firm knows the services that threat actors use, which Chainalysis Reactor can generate into a visual comprehensive data matrix, providing a visual link that law enforcement and government agencies can follow in their investigations to track down and unmask the culprits. However, due to the majority of mainstream cryptocurrency exchanges being required to comply with a legislative policy known as  Know Your Customer (KYC) which requires that all businesses confirm the identities of everyone subscribing to their service, especially when it involves monetary transactions, there is a point of exposure between the threat actors and the cryptocurrency exchanges they use. As Robert Schwinger, a trial lawyer, said in the “A little less privacy: Cryptocurrency transactions under the fourth amendment” article in his Blockchain Law column: “[…] the expectation of a greater privacy in cryptocurrency transactions may be unwarranted, especially where transactions-related information is voluntarily shared with third parties like a cryptocurrency exchange.” While this blockchain analytics technology seems to have become the gold standard for law enforcement and government agencies around the world in the fight to stop crypto abuse, what does this mean for the privacy of the vast majority of legitimate law abiding cryptocurrency users? The potential for abusing this technology is apparently there.

The Potential of Abusing the Tech

Last year a current or former employee of Chainalysis anonymously leaked a trove of revealing information in an Ask-Me-Anything session on social media platform Reddit. The whistleblower seemed to have second thoughts about the exclusive expose and attempted to remove the posts, however the interview was backed up. The leaker was asked if Chainalysis creates dusting attacks for tracking purposes. Dusting attacks pertain to a new form of pernicious activity where hackers and fraudsters send tiny amounts of digital coins to wallet holders in an attempt to deanonymize who the owners are. He or she stated:

“It has been discussed a few times, but no one has ever admitted to it. It doesn’t seem like there is much utility in it, because if the address exists on the blockchain, it can already be tracked. And if it doesn’t, a single payment to it will make it appear in the software, so no need for dusting. It wouldn’t improve IP tracking capabilities.”

When asked whether their colleagues consider themselves the “good guys” or is there at least some thought given on the ethics of their work, the whistleblower said that “they definitely think they are the good guys,” and that he or she did not assign any malice to their intentions. However, the whistleblower continued saying: “Not a single person in the company has displayed any sort of concern over the ethics of our software except for one person being concerned that law enforcement would use our software and abuse their authority in enforcing the laws. And none of that could have happened without Reactor providing investigative leads to the cops.” Virtually every major government entity in the U.S. is using Reactor, according to the whistleblower. Among those who deploy the tech ostensibly are the Central Intelligence Agency, The National Crime Agency in the United Kingdom, the Royal Canadian Mounted Police, and the European Union Agency for Law Enforcement Cooperation better known as Europol. He or she also explained that once a cryptocurrency user logs into certain software, their IP is logged. “Addresses will have a list of IP that logged into the wallet. There is a tiny bit more to it than that, but I don’t want to give you proprietary data.” Having analyzed the Gratkowski case, where U.S. federal agents also investigated a child pornography website which accepted payment in Bitcoin, Schwinger concluded: “[…] cryptocurrency transactions become more common or pervasive, particularly if they can reach a point where they can paint a fairly comprehensive picture of a person’s daily activities. Even then, however, ‘good faith’ exceptions to the exclusionary rule might still leave criminal defendants without Fourth Amendment protection until privacy protections in such transactions are more firmly judicially recognized. It thus may be some time, if ever, before criminal defendants may be able to count on cryptocurrencies as a legally effective means to hide their activities from the government’s detection.”