Mastering Crypto Investigative Strategies: Webinar Recap
Merkle Science
On Wednesday, November 6, Merkle Science hosted a three-hour webinar, A 3-Hour Crash Course in Mastering Crypto Investigative Strategies.
Featuring Merkle Science’s Director of Law Enforcement Affairs Robert Whitaker, who is a retired Homeland Security Investigations special agent, and independent blockchain investigator and detective Scott Simons, the webinar attracted hundreds of law enforcement officials, compliance officers, and other professionals who want to strengthen their organization’s security profile against crypto crime.
The full seminar can be watched on-demand here.
This article will cover the main topics of the webinar, with some of the basics of Bitcoin, Ethereum, and other coins; common scams in the industry; and how to use a tool like Tracker to prevent and track crypto fraud.
The State of Crypto Crime
According to Simons, crypto crime is heavily concentrated around two coins: Bitcoin and Ethereum. “If you understand these two, you're going to be able to work 90% to 95% of your investigations since this is going to be what the criminals are [using],” he said, adding later that stablecoins are also increasingly popular among criminals.
Simons said that most crimes are being reimagined with crypto. “You can insert cryptocurrency into that and it's being done,” he said. These include ransomware, rug pulls, pig butchering, hacks, money mules, crypto ATM scams, false recovery services, and dark web marketplaces.
Some of these schemes are especially inventive. Simons spoke about the trend of SIM swapping, wherein a suspect will contact a cell phone provider and ask that the service be transferred from the victim’s phone to one in their possession.
“Once that's done, the suspect with the active or live device starts getting all the alerts, [including] two-factor authentication sent to their phone, and they can start accessing a lot of their accounts, which includes the crypto wallets,” he said.
Even law enforcement authorities are not immune from attacks. According to Simons, when DEA agents seize funds, they will first send a small test amount to the US Marshals Service to avoid any problem with disbursing the full amount. An attacker watching the blockchain explorer sees that transaction and conducts address poisoning: he generates a vanity address whose first five and last five characters match the US Marshals' address and sends a small transaction from it to the agent's wallet, so that the lookalike appears in the wallet's history.
This modus operandi has led to fairly serious losses, as in this instance recounted by Simons:
“So had the agent followed policy, he would have copied and pasted the address from the marshal’s email or documents and put it into the sending address. Unfortunately, he thought, well, I had just sent funds to the marshals. Let me just go to the history of my wallet,” said Simons, which resulted in the agent sending $50,000 to the address poisoner.
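The lookalike check below is an added example, not code from the webinar or from Merkle Science. It shows why "first five and last five characters" is not enough to identify a destination and how a wallet or case-management workflow can refuse a send unless the full address matches a vetted list exactly. All three addresses are constructed for the example (40-hex-character, Ethereum-style strings; none belongs to a real party). The 5/5 thresholds and the stripping of the shared "0x" prefix are assumptions of this example; other address formats would need their own prefix handling.

```python
"""Address-poisoning lookalike check (added example, constructed data).

A poisoner picks a vanity address that agrees with a vetted address on
its leading and trailing characters.  Comparing only those characters,
which is what a person scanning wallet history does, cannot tell them
apart; comparing the whole string can.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

HEX_ADDRESS = re.compile(r"^0x[0-9a-fA-F]{40}$")

# Constructed sample addresses (not real addresses, not real funds).
TRUSTED = "0x1234567890abcdef1234567890abcdef12345678"    # vetted destination
POISONED = "0x12345deadbeefdeadbeefdeadbeefdeadbe45678"   # same first/last 5 of body
UNRELATED = "0xfedcba0987654321fedcba0987654321fedcba09"  # shares nothing


@dataclass(frozen=True)
class Verdict:
    ok: bool
    reason: str


def _body(addr: str) -> str:
    """Normalise for comparison: trim, lower-case (EIP-55 mixed case must
    not hide a character-level match) and drop the '0x' prefix so that the
    prefix shared by every address does not count toward the match.
    Assumption of this example: hex-style addresses only."""
    a = addr.strip().lower()
    return a[2:] if a.startswith("0x") else a


def common_affixes(a: str, b: str) -> tuple[int, int]:
    """Length of the common prefix and common suffix of two address bodies."""
    x, y = _body(a), _body(b)
    limit = min(len(x), len(y))
    p = 0
    while p < limit and x[p] == y[p]:
        p += 1
    s = 0
    while s < limit - p and x[-1 - s] == y[-1 - s]:
        s += 1
    return p, s


def is_lookalike(trusted: str, candidate: str,
                 min_prefix: int = 5, min_suffix: int = 5) -> bool:
    """True when candidate differs from trusted but matches on the ends,
    i.e. it would pass a visual prefix/suffix check."""
    if _body(trusted) == _body(candidate):
        return False
    p, s = common_affixes(trusted, candidate)
    return p >= min_prefix and s >= min_suffix


def check_destination(candidate: str, allowlist: list[str]) -> Verdict:
    """Policy check before a send: only a full-string match with a vetted
    address is accepted; a prefix/suffix lookalike is flagged explicitly."""
    if not HEX_ADDRESS.match(candidate.strip()):
        return Verdict(False, "malformed address")
    for trusted in allowlist:
        if _body(trusted) == _body(candidate):
            return Verdict(True, "exact match with vetted address")
    for trusted in allowlist:
        if is_lookalike(trusted, candidate):
            p, s = common_affixes(trusted, candidate)
            return Verdict(False, f"possible address poisoning: shares a "
                                  f"{p}-char prefix and {s}-char suffix "
                                  f"with vetted address {trusted}")
    return Verdict(False, "not on the vetted list")


if __name__ == "__main__":
    # Constructed wallet history: the earlier test transfer plus the
    # poisoner's dust transaction, as a user scrolling history would see them.
    history = [("test transfer to USMS", TRUSTED), ("incoming dust", POISONED)]
    for label, addr in history:
        print(f"{label:22s} {addr[:7]}...{addr[-5:]}  ->  "
              f"{check_destination(addr, [TRUSTED])}")
    print("unrelated:", check_destination(UNRELATED, [TRUSTED]))
```

The printed history lines show the two entries as indistinguishable under the abbreviated form most wallet interfaces display, while `check_destination` rejects the poisoned one with the reason attached; in a real workflow the vetted list would be populated from the seizure paperwork, which is the copy-and-paste step the policy in the anecdote prescribes.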
Fighting Crypto Crime with Blockchain Analytics
Fortunately, law enforcement agencies do not have to go it alone when combatting crypto crime.
“Of course, tools like Merkle Science’s Tracker — they make our job so much easier to do. They provide us information that we necessarily wouldn't be able to get on our own most of the time,” said Simons.
For the second half of the seminar, Whitaker provided a hands-on overview of Tracker. He explained how to use the tool to look at different pieces of data, such as balances, deposits, withdrawals, parties, counter-parties, and clusters.
More crucially, he gave insight into why certain data types matter. “Time after time, I see investigators doing good work, but for some reason, they've not isolated those times and dates of their activity and they end up clustering or tracing either before the event occurred or well after the event occurred,” he said as an example.
He also gave rules of thumb for how to look at actual data. “If you see, say, 50 to 100 transactions within an address, it's probably some type of service address or something's being paid in there for a reason,” he said, citing a wallet that had an extraordinary 25,000 deposits and 7,000 withdrawals.
Beyond these heuristics, Tracker makes it easy to identify wallets affiliated with criminal organizations. For example, Whitaker input an address that was labeled within Tracker as being affiliated with Hamas, the terrorist organization.
“We scour the OFAC list for addresses being sanctioned by the U.S. Treasury, and that's where we get that information from,” explained Whitaker, who shared details pertaining to the wallet’s withdrawals and period of activity.
Visualizing crime through Tracker will naturally be complex. Criminals employ all sorts of obfuscation and evasion techniques to launder money, resulting in a graph that may resemble an indecipherable web.
Whitaker thus spoke on the importance of graph hygiene. “It’s simply a concept related to maintaining the quality and accuracy and usability of the graph,” he said. He explained that graph hygiene may be useful for sharing this information with stakeholders, such as prosecution.
Law enforcement agencies that also want to fight the growing diversity of crypto crime with a powerful end-to-end tool like Tracker are encouraged to reach out to Merkle Science for a free demo.
To listen to the full webinar with Scott Simons and Robert Whitaker, click here.