Digital Intelligence Produces Crucial Clues To Trace Cryptocurrencies

Yohai: In this webinar, Digital Intelligence Produces Crucial Clues To Trace Cryptocurrencies. And today we have an amazing group of speakers. Instead of myself reading off their impressive bio, I’m going to let you guys introduce yourselves. So let’s start with you, Pam. Why don’t you go ahead.

Pamela Clegg: Great. Thank you. Hello, welcome everyone. My name is Pamela Clegg. I’m the Director of Financial Investigations and Education for CipherTrace. Basically what that means is I’m either doing the investigations myself or I’m training individuals on cryptocurrency and investigations of them. So I’ve been with CipherTrace for two years now; prior to that, I was a BSA AML officer in private banking. And then prior to that time, I spent over a decade as a US intelligence officer, primarily working narcotics and terrorism. Thanks.

Yohai: Thanks Pam. You’ve all got a hard act to follow. 

Yuval Ben-Moshe: Yeah, that’s a high bar for me to mess with. I’m not even gonna try. My name is Yuval Ben-Moshe. I’m the Vice President for Business Development for Cellebrite. I’ve been with the company a little over eight years, and pretty much responsible for enriching the portfolio and the value that Cellebrite brings to the community. And through whatever for identifying the areas that need to be addressed and working strategic partnerships as we have right now with CipherTrace. And this is quite an exciting topic for me to discuss because we’ve been looking into it for quite a while, and think it’s an interesting one to address. 

Yohai: Yep, thanks, Yuval and Pam. So my name is Yohai West, Senior Product Marketing Manager at Cellebrite, and I will be your host. Just to get things started, I want to borrow a phrase, “two sides of the same… let’s say, Bitcoin” to sort of tee up the idea that two things that seem the same, but are different cryptocurrencies is the main subject that we’re addressing at the start of this webinar, but understanding what cryptocurrencies mean in your broader digital intelligence strategy is what we will address as well. 


So it’s important to understand cryptocurrencies, how that is new in investigations in your organization, how to ramp that up, but also where does that fit into your general digital intelligence strategy as you’re building that out, to go along with anything from your mobile forensics to computer forensics, to your overall analytics investigation workflow?

So with that, I’d like to first kind of get a feel for where everyone is on this webinar. So I’m going to do a quick poll, if you guys are willing to do this quickly with me. And I want to ask everyone on the call right now: how often do you come across crypto in your investigations? So if you guys can choose through ‘not often,’ ‘occasionally’ or ‘very often’, I’ll give you a second or two to go through that. That will help us understand how much this is taking up of your time, how much it hurts you now, and how much you’re looking into just understanding this is coming and how much we need to ramp up your capabilities. So just give us a few seconds to go ahead. 

Oh, thank you very much. You guys are doing great, that percentage is really fast. And then we’ll show that. Hold on a second. Okay. Excellent. So let you guys still go ahead with that. And one more second, and now let’s see those results. 

Not often 56.3%, occasionally 33.5% and very often 10.2%. So Pam, does that surprise you? Does that shock you, those numbers right now?

Pam: The ‘not often’ surprises me, especially given that I think we have a large audience from the US today. We do see with law enforcement — specifically in the US — that a lot of times they are not finding cash or bank transfers. They’re actually finding that everything has moved into cryptocurrency. So yeah, I expect that that will continue to diminish, the ‘not often’ part, it will start listing more towards that ‘occasionally’ and ‘very often.’

Yohai: And Yuval, since you’re the veteran from the origins of mobile forensics, imagine this was mobile forensics back in the day when it just kind of started getting… they’re asking the question, you know, how often did you come across it? Does this sort of resonate with those beginning stages of mobile forensics? 

Yuval: It does. It does. And I think if we would have asked this question I don’t know, three, four years ago the numbers would have been significantly different in a sense of ‘not often’ being higher numbers. I think the trend that we see is clearly on the positive and growing week to week, day to day. 

Yohai: Excellent. All right. So with that, we’re looking to now segue, I’ll hand this over to you, Pam, to take us through some of these fascinating use cases that you’ve come across.

Pam: Great. Thank you. So the first case we’re actually gonna look at here… well actually, we’re going to do a poll question first. That’s right. We’re going to do a poll question on: is Bitcoin anonymous? I find this one is highly interesting to always ask: is Bitcoin anonymous? True or false, very simple. Just give us your best guess if you don’t, if you’re not… 

Yohai: I think you stumped them. It wasn’t going as fast as the other one. 

Pam: Alright, that response is filing in now. Let’s see what we get. All right. We’ve got over half of the audience that’s answered now. We’re almost close to complete… couple more seconds there, and I think we’ll get the majority of everyone locked in. All right. I’m going to go ahead and push the answers out to you guys. 

False! All right. We have a fairly savvy audience today. 70% of you said that Bitcoin is not anonymous, which is the correct answer. Cryptocurrency — Bitcoin being the primary leader within the cryptocurrency ecosystem — is actually pseudonymous. So we refer to it as a pseudonymous currency. It’s pseudonymous because we can actually see all the transactions, we can see all the addresses, and we can see the amounts that each address is holding out there on the blockchain. So therefore we refer to it as a pseudonymous currency. And then you guys are also going to see how we can de-anonymize that even further within the CipherTrace tool.

Great. Alright, so let’s get started with our first case here. I see some people say it was a trick question. All right. So we’re going to start today with the Twitter hack. Most of you, I am sure, are familiar with the Twitter hack that occurred in July of this year. This was a very high profile case, given that the Twitter hack actually gained access to some very high profile Twitter accounts, to include Bezos. You can see pictures down there on the bottom right, Bezos; Kanye West — I’m not sure that he qualifies this high profile anymore, but — Biden, Elon Musk, Obama, Warren Buffet was also accessed. So this was a really high profile attack, and it was a two-part attack, in that it included the actual breach of Twitter, and then it also included a Bitcoin scam. That was the end goal of the actual Twitter breach. 

So we’re going to walk through this today and talk about how blockchain analytics were instrumental in identifying these individuals; how the swift actions of the crypto industry actually helped limit the damage of this Twitter attack; and then also, you know, just the security breach itself at the centralized service provider, and how we kind of move from the cyber world into the crypto world, into the real world where we identify the individuals and then how all that information flows together to apprehend these individuals within 16 days, which is quite swift on the part of law enforcement. So 16 days after the actual hack, there were three individuals identified and in custody. 

So let’s walk through this, what we’re going to look at first, and which is really important, the case actually began before July 15th, which was the day of the actual high profile Twitter account hack. And what we’re looking at here is really something that takes place quite often, I wasn’t as aware of it until the Twitter hack occurred, but it’s the selling of what they call OG accounts, right? 

So these OG Twitter accounts that are, you know, letter or one number or a very catchy name, these accounts that were obviously set up in the early days of Twitter, these are highly coveted accounts; they’re called OG — original gangster — accounts. And there’s actually a forum for this, right? The OG forum where they actually buy and sell this underground market of these OG accounts. And why this is important is because the individual — Kirk was his username — responsible for most of the work in the Twitter hack was actively selling Twitter accounts via these forums, and he was utilizing middlemen.

And so we can see here, some of his conversations with these middlemen: two of his middlemen were lol and eversoanxious. And these individuals were out there brokering these accounts on behalf of Kirk. Kirk originally claimed that he had access to Twitter employees to modify or seize control of these prized Twitter accounts. It turns out in the aftermath that that wasn’t actually the case; that he originally actually claimed that he himself was a Twitter employee. And that wasn’t actually the case as the investigation went on. Nonetheless, he somehow had access to Twitter and was able to broker these accounts. And these accounts go for sometimes thousands of dollars. So we can see some of his messages here, taking place out there on the communications forum of Discord, where he was communicating with eversoanxious.

And what’s important here is that Kirk, in dealing with eversoanxious and alive, which was also another username for lol, he’s given this address, his Bitcoin address 1AI52, in order to receive payment for these Twitter accounts, that he is brokering to the buyers, right? So this Bitcoin address 1AI52 was put out there by Kirk. And this was where he received payment for all the Twitter accounts that he was brokering out there: July 2nd, or July 12th, I’m sorry, July 12th earlier in the day on July 15th, he was actively brokering these and getting paid to this account that we see on the screen here. 

So why that’s important: we can see there, he’s using that again. You know, on this particular one he’s selling @vampire, right? So all these accounts: @dark, @XX, highly coveted accounts, $5,000, right?

So he’s got this address out there, and it’s important to note this address, because this is really what’s going to immediately lead us to identification of Kirk once he launches the Twitter hack. And we’ll see how that happens once the Twitter hack is launched. So here we see, this is actually a screenshot that Kirk has given showing customers the Twitter backend, right? That he has access to, Twitter. This is for an account called R9. So he’s actually demonstrating his access to Twitter’s backend here. 

And so when we look at the payments that Kirk had received to his 1AI52 address, right, a Bitcoin address, we can see some really important information. And as I said, this is going to be key in identifying Kirk, identifying his real-world identity.

We can see in these two transaction shots here, we see on the left side, we see inputs that are red. That’s because those inputs, those addresses — those are Bitcoin addresses — those addresses have been identified as associated with the Twitter hack in our tool. So those show up as red, which is criminal. We see the square in the middle, which represents the transaction. So the hexadecimal code down there in the bottom half of the square is the actual transaction ID, or the hash. 

And then we see on the right side, the outputs. And in both of these shots, we see outputs that are blue; those identify as an exchange within our tool. And what’s important about these particular outputs is that these particular outputs are Coinbase. So Kirk received payment for these OG Twitter accounts, right, to his 1AI52 address, and then he transferred that Bitcoin on July 12th to an account at Coinbase. 

This is really important because Coinbase has KYC. What’s KYC? For those of you that don’t typically work financial crime, KYC is ‘know your customer.’ So in order for someone to open an account at Coinbase, it’s very much like opening an account at a bank. So Kirk had to give identification, he had to do a ‘know your customer,’ or CIP, which is customer identification process, right? So he had to give his identifying information in order to open an account at Coinbase. 

So this is really key for law enforcement right here, because law enforcement can now go to Coinbase with those two transactions that we have on the screen and request account information on the individual or individuals or entity that received those two Bitcoin transactions. All right. So now we’re moving out of this cyber realm and we’re moving into the real world. We’re moving into actual PII, right? Some identifiable information about Kirk. 

And at least if it’s not Kirk, it’s at least going to be somebody that he’s working with. Right? So this is really crucial. He did this, again, before the actual Twitter hack. This is on July 12th. Twitter hack happens on July 15th. All right. 

So let’s move in to the Twitter hack and talk about the progression of events with this. So the first public sign of the intrusion came around 3:00 PM Eastern. Okay. And this is when the Twitter account for Binance, right, tweeted a message for crypto for health. All right. So this is where we’re moving now into the Bitcoin scam piece of this, right? So ‘crypto for health’ sounds like a scam to most of us, right, in law enforcement. This obviously sounds very fishy. In this announcement they say that they’re partnering with crypto for health to give back 5,000 Bitcoin to the community. 

After Binance, then we see a lot of other crypto exchanges. We see Coinbase, we see Gemini, KuCoin, Bitfinex. Okay. These are large crypto exchanges. They definitely… all of these guys fall within the top 20 crypto exchanges in the world. So these are large global exchanges. And now here they are kind of announcing this Bitcoin scam apparently from their Twitter accounts, right? Kirk doesn’t really get the reaction that he’s looking for. And I would say, you know, in my experience, that’s probably because in the crypto world, individuals who actually follow these accounts of crypto exchanges are pretty savvy about these types of things. Right? We see Bitcoin scams quite often. So not so many individuals fall for this and actually send Bitcoin in. 

So what do we see come up next? This is where we start to see then the high profile accounts, and this happens about an hour or so after the Binance and the Coinbase accounts have been hacked. Kirk, by the way, on Discord, takes credit for particularly the Coinbase hack, as well as the others; he specifically mentioned “CB has been hit.” Coinbase, CB is Coinbase. So he is taking credit for these intrusions on the Discord communication platform. 

So then we start to see these high profile accounts come out. Now, this is a little different scam, right? This is just talking about giving back to the community we support. We support Bitcoin, and that they’re going to double the amounts that are sent in. And so we see this again, as I mentioned, we see this across Apple. So we see some business accounts that are actually tweeting this out, as well as the high profile individuals that I mentioned. We’re talking dozens of accounts that have been compromised for this. 

And in the announcement — in the Bitcoin scam announcement — we see this address BC1QXY, right? So all of these announcements have this address as the receiving address. This is to where you need to send your crypto in order to participate in giving back to the community. Right? 

And so as we start to look at the flow of funds as these account intrusions happen, we see, first of all, that 1AI52, the address that Kirk was using prior to the high profile intrusions, these funds from 1AI52 are being co-mingled with BC1QXY, the address that was just tweeted out. What does that mean? In very simplistic terms, in the crypto world, they’re being clustered together. Okay. Which basically means that they are controlled by the same individual or same entity. All right. 

So this all comes down to the private keys. Again, a little bit more technical than we’re getting into today. We’re really kind of covering the surface, but the point is that we can now see that these funds that are being sent to the BC1QXY — the one that was tweeted out on the high profile accounts — are being co-mingled with Kirk’s funds at 1AI52, which then indicates that Kirk is controlling both of these addresses, right. He has the private key to both. 

So we see on this particular flow of funds, we see some of the Bitcoin from the Bitcoin scam, moving into, the blue circles on the far right there; again, blue are the exchanges. What does that mean in the crypto world? That is where they hold personal identifiable information, right? It’s another gateway for us to move out of the cyber area into more real world identifiable information for Kirk. 

Okay. Now Kirk realizes, I’m sure, I would assume, that his funds are easily traceable, and what we begin to see now with the funds that begin to flow… so let’s say in the first 24 hours of this Twitter hack, there are 13 Bitcoin sent via hundreds of transactions to that BC1QXY address. 13 Bitcoin guys, the current price of Bitcoin as was in July is about 10 grand, right? We’re talking about $10,000 a Bitcoin. So not too shabby, we’re talking about you know, almost $130,000, depending on the price, in 24 hours. Okay. 

So these 13 Bitcoin that come in, these are already marked. This address has already been blacklisted within the crypto community. All right, this BC1QXY address is completely blacklisted. What does that mean? It’s blacklisted in that should an exchange receive a transaction from BC1QXY, which has been identified as a scam address, any exchange out there that is cooperative within the crypto community, which quite honestly is the majority — that’s the majority of the exchanges out there — they would freeze those crypto funds and they would very likely report that via some different communication channels that we have. 

So because he knows this, or he’s already tried to deposit some of those funds, he now begins to send these funds into ChipMixer, right? So on this transaction flow that we see on the screen here, we see all these red dots, which remember those are the Twitter hack addresses. Those are addresses that are now associated with the Twitter hack. And then we see a lot of yellow dots, right? The yellow circles are the mixer addresses. So that is Kirk moving those funds into mixers. 

What’s a mixer? A mixer is just a place where you can send in your Bitcoin and mix it up with all kinds of other Bitcoins, and then kind of bring it out on the other side. And it cuts that ability in a lot of cases, it cuts the ability to trace through that mixer and continue to follow the trail. All right. 

So he’s attempting to obfuscate the trail of his Bitcoin at this point. Okay. So that’s very key and very important to remember here. So he realizes that he had already committed sins before the attack even happened. Right. He had already committed those mortal sins of sending to identifiable accounts before the attack. And that’s the beauty of the blockchain. All right. The beauty of blockchain is that those transactions never go away. Right. Those transactions are there. They’re always going to be there, in perpetuity; we can go back and look up all the transactions that his 1AI52 address ever had. And that is key in this particular case in getting us that identification lickety split. All right, great. 

So we are going to move out of the Twitter hack case here, and we’re going to work backwards here, and we’re going to start with a little bit of computer exploitation that we… a case in Canada actually led to the seizure of over 2 million in Bitcoin, around $2 million or so in Bitcoin, depending on the price again. All right. 

So again, this was a case out of Canada that CipherTrace worked hand in hand with law enforcement on. The case starts with an individual who is on Agora market, a dark market, and he is on the prowl, on the lookout, to buy a pistol. Okay. So he’s looking to buy a handgun. And so he gets into some different forums. Come to find out, unbeknownst to him, he is actually engaging with an undercover US law enforcement individual to purchase this pistol. The buy goes through. We can see there, his order has an order number, status, all that kind of good stuff, how much he paid for the Glock 17, which is what he ended up purchasing.

And then this Glock 17 allegedly is going to be shipped to him to a particular address. You know, inoperable weapon, basically, is what’s sent to him, and law enforcement is waiting for him to come pick it up at the address PO box that he’d given. All right. 

So what ensues after that? Well obviously, arrest and then a search of his residence. A search of his residence uncovers drugs, illegal substances, packing material, right? Different types of equipment that is utilized to pack these drugs into smaller envelopes to be sent out to what appears to be his customers. Right. So drug trafficker, right. They discover a warehouse, a storage room, and they inventory that. So we’re talking about MDMA, we’re talking about ketamine, cocaine, marijuana. This was everything that was on his menu.

Right. So initially we suspect that he’s selling these illegal drugs, obviously via some method, most likely dark market. They also recover, in the residence, this really kind of torn up looking CPU. All right. It’s important to note here that they almost didn’t take it, because it didn’t look like it worked. Thankfully they did. And it did in fact function. 

And on that CPU that we are seeing in the picture there, there’s a wallet. So he had a Bitcoin wallet. The addresses, as we see on the left side, those 11 addresses, were the addresses that were within that wallet on that PC that they recovered. So 11 different addresses. They accessed this, and there are 288 Bitcoin sitting spread out amongst those 11 addresses there on that wallet.

Law enforcement does the right thing here, which is moves those Bitcoin — because they have access to the private key, because they have access to the wallet. Right. So we moved that Bitcoin to a law enforcement controlled account at Coinbase, which is what you see there on the right. Okay. Now 17ES is a Coinbase address. That is a Coinbase account. Again, that law enforcement had set up. 

So, what is the goal here? Right. We don’t know where this crypto came from. We don’t know if he obtained this crypto via mining. Did he obtain this crypto legitimately? Okay. How did he actually get and obtain the crypto that law enforcement has now just moved into a law enforcement controlled account? Again, 11 addresses, 288 Bitcoin. They were able to move that because they had his wallet. They had seized the PC. So therefore that’s the private key, right? Wallets are just a pairing of private keys and public keys, that’s it. But that private key is what gives you access to the crypto. Whoever holds the private key, owns the crypto. It’s very important. That’s what I teach to law enforcement. It’s probably the number one thing I teach for law enforcement to understand: whoever holds the private key, owns the crypto. 

So they move it into Coinbase and then they come to us and they say, Hey, can you tell us where this Bitcoin originated from? So what do we begin to do here? We begin to trace that Bitcoin backwards. In the case of the Twitter hack, we were tracing the Bitcoin forward. We were going to see, where did those funds end up? In this particular case, we’re going to work backwards. We want to know the origination of that Bitcoin. Right? 

So we see here on the screen, on the far right, we see the blue circle, which is the Coinbase account. In the middle, we see the red circles, which are those 11 addresses that were on the suspect’s computer, in his wallet. And then we see on the far left, as we start to trace these back, we see the funds coming from those black circles, which as you might guess, in our tool represent dark markets, right? 

So in this particular case, we traced back, six of those 11 addresses receive direct payments from Agora market and Evolution market. Those direct payments into the suspect’s Bitcoin addresses totalled 281. So when we go to trial and we testify — because we do testify — and we testify on behalf of the prosecutor there, it’s quite simple for us to explain this to the judge and jury, which is dark market sales direct transactions into the suspect’s Bitcoin addresses. And then that the far right circle there was the 288 that had been moved out by law enforcement. So in this particular case the suspect was forced to forfeit 281 of his 288 Bitcoin.

All right. Just one really quick example here, before I turn it over to Yuval. And this is just one example of a case that you may be working. You come across an address, right? Whether that might be on a dark market, or you may be doing some type of digital forensics, some type of extraction, but you come across an address. You don’t even have to have all the address, because oftentimes we find that the addresses can be redacted, especially in the case of maybe a ransomware or a payment address until you actually engage in that individual to make the payment. 

And so we see here a portion, in the middle there, of a Litecoin address. Okay. So just another example here to show, you know, not just Bitcoin, but we’ll, we’re going to show Litecoin as well. We start typing in that address into the tool, and the tool is searching the blockchain for matches, right? So we’re finding addresses that match that exact string of characters. At about the seventh character, sixth character here, we’re able to narrow it down and identify this as the address. 

And now when we log into the tool, we have a couple of different avenues here to actually identify the user of that address. Okay. So we see the address there in the middle: MHUB. That was the address that we pulled off of that little screenshot. We can see that it has received payments from CREX24, which is an exchange. So again, PII, and then we can see that is also sent to another exchange, which is Binance. So again, possible PII; if they don’t have PII, if their KYC is weak or limited, then we can still get account information. We can get IP addresses that they’ve logged into from, we can get phone numbers or emails associated with that account. We can get transaction movements moving in and out of those accounts from that exchange. 

So a lot of good leads here, just from that one transaction, just from that one address. Okay. I am going to turn this over to Yuval, let him take over.

Yuval: Thank you very, very much Pam, really fascinating investigative work. And where I would like to take this discussion is maybe zoom out a little bit and try to understand and try to drill a few other elements of the investigations and others, at least in a concept. 

But before we start, let’s get to know our audience a little further. And let’s try to understand each one of you within your organization, who is the organization, or excuse me, who is the team that, or the profession, that is responsible for crypto investigations as it stands today? We’ll give you again, a few more seconds to answer. Did I move too fast?

Yohai: Yeah, yeah, you’re right there. 

Yuval: There we go. We mixed the order here.

All right. Who in your organization is responsible for crypto investigation? Go ahead and answer that, please. 

Yohai: While we wait, Yuval, I find this fascinating, just speaking to even customers right now on the Q&A, some of the classic forensic groups are looking to help support others in the organization who are primarily tasked with it. So I think everyone has a bit of an interest in being able to support throughout, wherever the investigation works through. So I’m curious to see where this is going to go. 

Yuval: Absolutely. I agree with you. So let’s see the answers for that. Almost 50% of you marked the detectives and investigators as the main people that are dealing with those investigations, and right after that is the cyber investigation team and the digital forensic lab. I dunno, I mean, this kind of reflects what I had as an observation of the market and I think I’m not extremely surprised from it. But I think what’s also important to know is that this is being a new domain. There is a lot of inconsistency between who’s doing it within each agency, and the fact that the investigators and detectives are doing it, just because these are the folks that are dealing with it and finding it, and coming across that. 

And nothing to provide anything new for all of us here, understanding that an investigation is a puzzle. At the end of the day, it is a puzzle work. And the fact that we are doing this webinar and speaking about cryptocurrency investigation does not put cryptocurrency investigation as an isolated area. And this is what I would like us all to understand and keep in mind. 

Cryptocurrency investigation is a piece in the puzzle, alongside many other pieces in the puzzle. So whatever we do, we should always look at it as a critical, important, and very, very significant element of the investigation, alongside many other things like digital forensics, like investigating other humans, interviewing humans, open source intelligence, warrant returns from various places, and many other elements of it. 

And to give you a few examples, Pam mentioned Discord. That’s a platform for communicating, it’s unrelated to crypto directly. It’s just a matter of a forum, an online chat and communication area where one can obtain the content of it through various means. In this specific case, in the Twitter hack account, the agency has approached Discord and obtained, with their assistance, obtained the information and the chat messages through a warrant and cooperation of that specific company. 

So taking that information and cross referencing it with the information that we found on the web and on the blockchain, for example, those specific addresses that Pam has mentioned being mentioned on Discord chats, and cross-referencing the data from Discord, and what’s said there, and what we see on the blockchain is an important avenue to keep in mind. 

So in this case, again, Discord has nothing to do with blockchain or crypto investigation, but the connecting of those two points is what happened and is what provided the observations. 

Now, the other thing that in the Twitter account that was used, they have used an online forum called is a platform for selling and buying digital content, sometimes used for… mostly used for illegal digital content, such as usernames, such as passwords, and areas like that. And things like that. This is another platform on which the Twitter accounts were published for sale, again for Bitcoins. 

In this specific case, the law enforcement agency did not have access to whoever operated this website, but they had access to a dump of this website that since then, I believe, became offline, but there was a dump of all the content of old users of that was kind of hacked and walking around and available somewhere along the internet. And in this specific case, law enforcement has obtained that, and were able to extract the content, which helped them later apprehend additional people that are involved in this Twitter account. 

And again, this is a source which is not directly related to blockchain or cryptocurrency, but the fact that this data was available and could be cross-referenced helped in providing the broad picture.

Another tool that was used is a web archive. was published, as Pam mentioned, as a website that later attracted people to donate some money over Bitcoin, which was basically going to the hackers, to the perpetrators. By the time law enforcement started investigating, this website wasn't available anymore, but law enforcement had access to a web archive, the Wayback Machine in this case, which keeps records of various websites and allows going back and actually recovering things that are no longer available, no longer live. So that is yet another source of digital data that was used in this investigation to put together the broader picture. 

Moving along to something which is a little closer to home for us all here: mobile devices. Extracting text messages from mobile devices is a great source of additional data that can later be used in the crypto investigation. The specific example that you see in front of you is a text message with a Bitcoin address. So identifying this, searching for those Bitcoin addresses, or for addresses in general, extracting them and running them through the crypto investigation tool, is again a step that provides additional information and takes the investigation from bits and pieces scattered around to actually drawing a picture.

What you see in front of you is a screenshot of a Cellebrite UFED in the midst of an extraction. The ability to identify, at extraction time, that this specific mobile device has a cryptocurrency wallet application on it should be sort of a red flag for us all once we come across such an application or such a mobile device, because if a person who was apprehended has a cryptocurrency wallet on his mobile device, he has something related to cryptocurrency. Now, this may be something completely legitimate, but it is definitely something that we need to look into. 

So even this small thing, finding out that this specific mobile device seized from a person of interest has a wallet on it, is an important lead to investigate further. And surfacing this lead is done through digital forensics, good old traditional digital forensics and mobile device forensics.

Something else to keep in mind and keep a close eye on is this very, how should I call it, honest-looking list of 12 phrases that can be found written down on a piece of paper, but can also be found as a photo, a copy, or a picture of it within a mobile device. These are recovery words, or seed words, as they are sometimes referred to. These are code words that are used to recover a crypto wallet. And if we have access to those words, then we can duplicate the wallet and actually get access to the funds in it. 

So if, through a house search, one comes across a piece of paper like that, or, through investigating a computer or a mobile device, one comes across a picture of this, this is a lead. This is an important lead. And if you don't know about that, if you're not familiar with the concept of seed and recovery words, then you might say, well, it looks like a shopping list or something like that. Maybe not a shopping list, but something meaningless, and it may be overlooked. 

These are the things that we all need to take a very close look at when doing our digital forensic investigations, keeping in mind that, even when we're investigating cryptocurrency, we should look at the broader picture. We should look into how to bring in the tools of digital forensics: the extraction, the analysis, the application categorization, the analysis of mobile device content, or of a computer's file system content, for artifacts and leads that indicate cryptocurrency activity. 

As I said, it's always puzzle work, and we have to keep in mind that we have to look at all the pieces in order to build the bigger picture. I'll switch now to trying to cover a few of the questions, Yohai. 

Yohai: Yes. Thank you so much again, Pam, for your segment, and Yuval. For the few minutes that we have left, I see, Pam, you've been pretty active. If you want to hit a couple of those questions that you've seen, sticking to the timeframe, I'd appreciate it.

Pam: Sure. Yeah, there are a couple I said I would answer live because I think it will benefit the group as a whole. So one of the questions I had was: how did we identify, how did CipherTrace identify, the addresses in our tool that we said were dark markets? An individual noted that a lot of the time dark markets use one-time addresses, which is true. 

So this goes to our attribution. And our attribution is very, very curated. A lot of the time, you can't just scrape addresses off of the dark markets, for that very reason: these addresses will only be used once, which basically means that until they receive a payment (so until you actually engage with the vendor to send a payment), that address doesn't even show up on the blockchain.

Now, once an address has received a payment, dark market vendors are still going to consolidate those funds at some point into an address. And so they're going to cluster; there are different heuristics involved that allow us to cluster those addresses together to show common ownership, but it does involve a little bit of trickery. Sometimes we engage with the vendors. We have a team that actually works as CIs for law enforcement, so that they're able to send payments to the vendors so that we can get that Bitcoin address on the blockchain. And then we can actually see the funds move. So that is one way that we're able to identify dark market addresses. 

As far as exchanges go, we open accounts at all the exchanges around the world. And then we flow funds through those exchanges to identify their addresses as well, and also to get to know their KYC, which allows us to risk-rate them. 

I did have another question about, would the use of privacy… I had a couple of questions about Monero. So I will just address Monero really quickly, because it is such a relevant topic. And also because last week, on Monday exactly, we announced, CipherTrace announced, that we now have the capability of tracing Monero, which is huge. So for those who aren't familiar, Monero is a privacy coin. Basically, everything I told you about Bitcoin makes it pseudonymous, because we can see the addresses, we can see the transactions and the amounts. 

Bitcoin, or, I'm sorry, Monero, is private, which means that we can't see that. So it still exists, the blockchain is still there, the ledger is still there. It's just hidden, it's cloaked, it's obfuscated. So we have advanced our capabilities. We've actually been able to pierce through that, and we are proud to be able to announce that we have capabilities for tracing Monero as well. And if you'll just… you can Google CipherTrace and Monero, and a lot of that will come up, and there are some actual screenshots, if you would like to see those capabilities. 

One last question, and then I'll let Yuval… there were a couple of questions for you guys as well. Tracking through exchanges. I did have somebody say that they had used blockchain tools to trace, and that it looked like the subject they were tracking was sending into an exchange, and then the coins got all mixed up.

That's what an exchange does, right? So an exchange is really the best mixer in the world. The benefit of an exchange is that we can subpoena exchanges. We can send production orders and legal requests to exchanges. And this individual said that they had sent a subpoena, which was ignored. And this was three or four years ago. I can tell you now that exchanges are quite a bit more proactive. A lot of the… all the top US exchanges have to respond to law enforcement. They are considered an NBFI, a non-bank financial entity. They are an MSB; they have to be registered as a money service business. But even outside the US, Binance, Zappa, Bitflyer, there are a lot of exchanges that respond to law enforcement as well. If you have any issues with that, we can help get you the right contacts for those as well. Yuval, you might want to… 

Yuval: Yeah. I actually want to address one or two of the questions that I see here that I think can be of interest. Well, one question was about extraction devices, like Cellebrite's: what additional information do they provide for analysis of the blockchain? Well, I'll try to clarify that. 

Cellebrite extraction devices do not attempt to trace the blockchain. This is where we have partnered with CipherTrace, and we offer a comprehensive solution that includes the Cellebrite extraction and analysis tools together with the CipherTrace product, where the CipherTrace products do the actual blockchain analysis and the crypto investigation, and the Cellebrite side provides the additional bits and pieces of the puzzle, as I've mentioned. 

For example, identifying that a specific mobile device has a crypto wallet application on it; or searching through the content of a mobile device or computer for crypto addresses, for mentions of crypto in chat messages, for images of QR codes, or again, for crypto addresses or seed words, as mentioned. 

So the Cellebrite part of it, and that's really the complementary element of this partnership, is where CipherTrace tools bring the crypto investigation capabilities and Cellebrite provides the digital forensics part of it, together providing the comprehensive digital intelligence suite of solutions. And over the next several months, probably, there will be additional capabilities introduced into the various Cellebrite tools to accommodate specific elements of it and specific parts of it. 

The other question I wanted to address is a little bit trickier. There was a question about what patrol officers should be looking for when they come across… in order to find crypto. Is it only the seed words? Obviously it's not only the seed words. There's a long list. And I think this is probably a major gap, or a major issue, right now in the law enforcement community: it's really the awareness. I guess we've all been used to finding drug dealers with stashes of cash on them. And that's no longer the case. 

So actually finding someone who's suspicious without a stash of money is a lead by itself. But I can't point to specific things beyond what I've mentioned: finding that he has a crypto application, the fact that he has those seed words in his pocket, or the fact that there seem to be QR codes, printouts somewhere, things like that. Pam, you may want to add to that. 

Pam: Yeah. I would say most certainly the seed words that you've shown, QR codes, those types of things, receipts for Bitcoin ATMs, that's another thing that I look for in pocket litter. Right. But then also the hardware itself. So for those who aren't familiar with hardware wallets, the best way I can describe them, in a really short explanation, is that they look like a USB drive, but they have a screen on them. So they look like funny-looking USB drives, but they have their own little screen, because that's actually where the transaction takes place. 

So hardware wallets, and then also on their devices. So apps, right: software wallets, you know, Bread wallets, those types of things on their smartphones. So that would be the other place that you would most certainly look for evidence of crypto.

Yohai: Great. So thank you, everyone. For the sake of everyone's time, we're at the top of the hour. I wish we had more time. There are a lot of questions still flying in, but we hope to follow up with you guys with answers to those. You will also receive a link to be able to get the recording of this webinar. 

And of course, at any given time, if you'd like to, click on some of the engagement tools to download some brochures or visit the website. And of course, reach out to us at any time. We'd be happy to. Last but not least, as soon as this webinar comes to an end, hopefully you will be hit with a survey. So please give us feedback. We hope to have many more of these, and we're trying to figure out some of the topics, as well as getting feedback for this webinar specifically. 

So thank you so much for taking an hour out of your day today to spend it with us. Hopefully it was informative and inspiring, and we hope to see you again soon. Thank you again to all our speakers. Everyone, be safe, be healthy. Bye now.
