How to Become a Certified Crypto Investigator
Merkle Science
What is a crypto investigator?
Crypto has long been a haven for criminals and criminal groups. Crypto can be a direct part of a crime, such as in a hack of an exchange, or a convenient conduit, such as when terrorist groups launder money with it to finance other activities.
Traditional investigators may not be suited to investigating this type of crime. They may not have sufficient knowledge in blockchain or digital assets, and most crucially, the ways that criminals deploy these technologies to evade detection and capture.
The role of crypto investigator has arisen to address this gap. Crypto investigators work across the industry and use their expertise in blockchain analytics and adjacent areas to assist in tracking the flow of illicit funds, identifying criminals, and bringing them to justice through evidence gathering and enforcement action.
Apart from being an in-demand role in both the private and public sectors, crypto investigators are essential to cryptocurrency as a whole. They bring criminals to justice, deter other would-be perpetrators, and increase security in an industry that needs it for mainstream adoption.
How do crypto investigations work?
Crypto investigations begin when a crime is detected or reported. For example, perhaps an exchange notices that funds have been stolen from a custodial wallet, or a victim informs police that they have been hacked.
The report or detection of a crime initiates a crypto investigation, which follows this broad pattern.
1. Incident response - Unlike some crimes, which may be reported long after the fact, crypto criminals may still be in the process of hacking or laundering funds. Timeliness is thus of the essence. Crypto investigators must figure out how the crime was executed, so that they can take short-term steps to cover the vulnerability. They must also track the illicit funds to identify criminals and recover funds. This trail may be complicated through deliberate obfuscation techniques, such as chain-hopping or coin mixing.2. Enforcement action - Once suspects are identified, crypto investigators may work with relevant authorities to take enforcement action. These actions may pertain directly to the stolen funds. For example, crypto investigators may require an exchange to freeze the assets linked to the suspected criminal, keeping them temporarily in place. Enforcement action may also extend to other matters, such as a government blocking use of a passport, so that suspects cannot flee.
3. Legal proceedings - Crypto investigators need to build a strong case against suspects, which will include the task of attribution: They must link wallets or accounts involved in a crime to the real-world identity of suspects. After gathering this evidence, crypto investigators will then work with relevant authorities to apprehend criminals, charge them in a court of law, and if all goes according to plan, sentence them to prison, levy fines, or execute other punishments.
Who hires crypto investigators?
Crypto investigators work in both the private and public sector. Professionals who pursue this line of work thus have a broad range of organizations they can work with, depending on their exact preferences.
In the public sector, crypto investigators may be hired by local police organizations. At the national level, they may be employed by agencies like the Federal Bureau of Investigation or the Central Intelligence Agency. Crypto investigators may also be brought onto special task forces assembled on an ad hoc basis to take down a particular syndicate or investigate a certain crime. Some may even work at regulators, providing insight into crime that can be used to inform policy-making.
In the private sector, crypto investigators are generally found at two types of organizations. The first are organizations that can be attacked by cyber criminals. For example, an exchange may keep a crypto investigator in-house as a first line of defense against suspected attacks, who can also collaborate with external investigators for any investigation. The second are organizations that provide services or products to potential targets, such as providers of blockchain analytics or consulting companies that specialize in fund recovery.
In short, the role of a crypto investigator is in wide demand, and will continue to be as crypto continues to see mainstream adoption.
How to become a crypto investigator?
Becoming a crypto investigator is challenging. Professionals who aspire to this role must master a variety of widely different skills and domain areas. Additionally, because the nature of crypto crime is always evolving, they must have excellent soft skills. They must be always curious about the latest trends, determined to learn new technologies, and dogged in pursuing hard-to-catch criminals who employ the latest obfuscation techniques.
The professionals who display this rare mix of both technical ability and soft skills will succeed as crypto investigators.
- Mastery of available intelligence sources - For crypto investigators, the most basic form of evidence is the blockchain itself. As a public ledger, blockchains provide substantial information on transactions, senders and recipients, and the various financial relationships between accounts.
To interact with blockchains, most investigators will need technical ability. Some crypto investigators will write queries using structured query language (SQL) to seek out certain transactions or wallets that meet different attributes. For example, a crypto investigator may write an SQL query to look for all transactions in the month of December that were over US$10,000 and terminated in a high risk country.
Crypto investigators increasingly have access to blockchain analytics tools that streamline this task. Rather than write SQL queries from scratch, crypto investigators can simply interact with the user interface of the solution to find the transactions or accounts with the attributes they are looking for.
Crypto investigators must also know how to seek open-source intelligence. This category of intelligence is broad, encompassing everything from news articles about enforcement action against criminal groups to forums on the dark web. The very nature of open-source intelligence makes it easy to overlook: Investigators may discount the value of publicly available information. The best crypto investigators will be dogged in their use of open-source intelligence, and may even rely on blockchain analytics tools to assist in its gathering.
Merkle Science’s Tracker assists with both types of intelligence: They can gather on-chain data from popular chains like Ethereum and open-source intelligence from the dark web. - Knowledge of crypto crime typologies - While each instance of crime is of course unique, there are generally patterns. Crypto investigators must therefore be well-versed in different types of crypto crime, how they work, and who they target.
For example, criminal operations that conduct pig butchering generally follow the same modus operandi. An agent from the pig butchering operation will pose as an attractive male or female on a social media platform or messaging channel, engage with a target and move the conversation to a secure channel like Telegram. From there, the agent will build rapport with the target and eventually ask them to invest in some scheme, often related to crypto like mining. When the victim tries to withdraw the money, they will be blocked from doing so, and often asked to pay additional fees for withdrawal.
And that is just pig butchering. Crypto investigators must be intimately familiar with a broad range of crimes including hacks and ransomware to rug pulls and financial fraud. While these crimes may be wildly different from one another, they are united in how they leverage the anonymity of crypto to move illicit funds for buying, selling, stealing, or laundering. Crypto investigators must be aware of all these crime typologies to accelerate their investigative process.
In addition to providing the best-in-class tool in Tracker, Merkle Science also offers law enforcement agencies with training about the latest crypto crime typologies, so that they can maximize use of the technology.
- Skill to track transactions and monitor activity - There are many skills that a crypto investigator must be able to do. On a basic level, they should be able to read and understand different data related to each transaction, including input and output data, sender and recipient address, timestamp, transaction ID, signature, nonce, and other metadata.
On top of this ability, crypto investigators should be able to trace transactions at both the address and entity level. As nearly every crypto criminal uses a growing toolbox of obfuscation techniques, crypto investigators must be able to track not only on-chain activity, but across multiple chains.
Merkle Science’s Tracker can facilitate this gargantuan task. The solution supports compatibility with multiple blockchains, including even layer 2 chains, making it is easy to track criminals that engage in chain-hopping. Following particular transactions is also easier than ever with Tracker’s intuitive UI: Crypto investigators can search by address, identify suspicious activity, and visualize movement of illicit funds.
Get your crypto investigator certification
Given the recent emergence of cryptocurrency, most professionals fell into the role of crypto investigator. For example, a blockchain expert at an exchange may have done one initial crime investigation, and subsequently did more and more until it was enough to justify full-time work. Unfortunately, this organic rise makes it hard for other professionals to break into the field, or for professionals to get the credentials they need to be trusted beyond their initial company.
Merkle Science aims to solve this problem with our crypto investigator certification. This program will upskill students with all the knowledge and skills they need to succeed as a crypto investigator, contribute to their professional development, and most importantly, make them more desirable to prospective employers. Interested participants can now take the course for US$600, a 50% discount available on a limited time basis.
To learn more about the certification, please proceed to our program page.