There's No Such Thing as Crypto Crime E-Book

Table of Contents

Cover

Table of Contents

Title Page

Foreword

Introduction

1 A History of Cryptocurrencies and Crime

Where Did It All Start?

The Rise of the Smart Contract

The Next Targets?

The Future? More Crime!

2 Understanding the Criminal Opportunities: Money Laundering

There Is No Such Thing as Crypto Crime

Money Laundering

What Is an Investigator Looking For?

Peer-to-Peer Platforms

3 Understanding the Criminal Opportunities: Theft

Crypto Thefts

Social Engineering

Phishing

Hacks

Fraud

Rug Pull

Pig-Butchering/Romance Scams

Investment Scams

Support Scams

Simple Theft

Contract Manipulation

Phishing

Flash Loans

Playing by the Rules

Other Criminal Opportunities

Summary

4 Who Should Be a Cryptocurrency Investigator?

Individual Skills

Fraud Investigators

Open Source Investigations

Cybercrime Investigations

Setting Up a Cryptocurrency Investigation Department

Other Roles

5 The Role of Commercial Investigation Tools

Do You Need a Commercial Tool?

Two Is One and One Is None

The Future of Investigation Tools

6 Mining: The Key to Cryptocurrencies

What Really Is Mining?

Proof of Work (PoW) Mining

Proof of Stake (PoS) Mining

Does an Investigator Need to Understand Mining Technologies?

Cryptocurrency Mining Frauds and Scams

Will Cryptocurrencies Always Be Mined?

7 Cryptocurrency Wallets

When a Wallet Is Not Really a Wallet

Types of Cryptocurrency Wallets

Software Wallets: Functionality and Security

Hardware Wallets: Functionality and Security

Choosing the Right Wallet

Wallet Vulnerabilities

8 The Importance of Discovery

Premises Searching: Legal Framework and Search Powers

Search Strategies

Physical Clues

Questioning

Searching Digital Assets

Legal Framework and Warrants

Digital Forensics

Hardware Examination

Handling and Securing Digital Evidence

The Role of Exchanges

Senior Officers/Management

Summary

9 The Workings of Bitcoin and Derivatives

Bitcoin Is a Blockchain-Based UTXO Cryptocurrency

UTXO

What Does an Transaction Look Like?

How Does a UTXO Blockchain Help an Investigator?

Blockchain Explorers

What Else Can You Learn in a Transaction?

Summary

10 Bitcoin: Investigation Methodology

Building an Investigation in Bitcoin

Address Clustering

How Are Clusters Defined?

Some Other Things to Note

Investigating Bitcoin

11 The Workings of Ethereum and Derivatives

History of the Ethereum Cryptocurrency

Types of Tokens

Ethereum Transaction Types

One Address for All Tokens

A User’s Address Can Be the Same on Other Blockchains

Reading Basic Transactions

Transaction Methods

Transaction and Address Types

What Are These Contracts We Keep Mentioning?

Identifying Contract Transactions

Conclusion

12 Ethereum: Investigation Methodology

Following ETH-to-ETH Transactions

Smart Contracts Deep Dive

Methods, Functions, and Events

ETH-to-Contract Transactions

Token-to-Token Transactions

NFTs

Decentralized Exchanges

Reading Decentralized Finance Contracts

The Approve Transaction

Summary

13 Investigating Binance Smart Chain

What is Binance Smart Chain?

Investigating Funds on Binance Smart Chain

What Have You Learned?

14 Applying What You Have Learned to New Cryptocurrencies

Stable Coins Such as USDT, USDC, and Paxos

Tron

Layer 2 Chains

Bridges

Mixers

Privacy Coins

What Have You Learned?

15 Open Source Intelligence and the Blockchain

Mindset

Just “Search Engine” It

Attribution of Individuals

NFT Metadata

OSINT and the Dark Web

Summary

16 Using Wallets for Investigations

Understanding Cryptocurrency Wallets

Seed Words and Wallet Recovery

Step-by-Step Guide to HD Wallet Re-creation

What Can Be Seen?

The Benefits of Wallet Re-creation in Investigations

Understanding Derivation Paths in Cryptocurrency Wallets

To Sum Up

17 Crypto Seizure

What Do You Need to Carry Out a Crypto Seizure?

Recording Seed Words

Seizing to Your Own Wallet

Questions to Ask before Carrying Out a Crypto Seizure

Where to Store Seized Assets?

Note

Final Thoughts

Acknowledgments

About the Author

About the Contributors

Erin West, Foreword

Carole House, Final Thoughts

Erica Stanford, Author, Chapter 2 Contributor

Ari Redbord, Interview in Chapter 3

Phil Ariss, Chapter 4 Contributor

Iggy Azad, Chapter 10 Contributor

Helen Short, Chapter 10 Contributor

Luke Russell, Chapter 15 Author

Aidan Larkin, Chapter 17 Contributor

Chris Recker, Chapter 17 Contributor

Brian Pandya, Chapter 17 Contributor

Charlyn Cruz, Chapter 17 Contributor

Taylor Hertzler, Chapter 17 Contributor

About the Technical Editor

Index

Copyright

End User License Agreement

List of Illustrations

Chapter 2

Figure 2.1 Examples of Virtual land for sale

Figure 2.2 Example of traits that make up a generated NFT

Figure 2.3 NFT from a game for sale for a massive sum

Figure 2.4 Large link graph of mixed funds

Figure 2.5 Outputs of the same value identifying a coin-join transaction

Figure 2.6 Monero coin swap requiring no KYC information to be provided

Figure 2.7 Example of crypto ATM fees

Figure 2.8 A coin swap on the 1Inch service

Chapter 3

Figure 3.1: Graph showing the change in value of the MNGO token

Figure 3.2: Transactions with function calls that could indicate that the us...

Chapter 5

Figure 5.1: Etherscan showing an address attribution of Binance

Chapter 6

Figure 6.1: Example of an Antminer crypto-mining rig

Chapter 7

Figure 7.1: Examples of hardware wallets

Source: James Northcote/Royal Academ

...

Figure 7.2: Generating a seed word list on iancoleman.io

Source:

British Libr...

Figure 7.3: List of addresses (public keys) generated by the private key

Figure 7.4: A seed phrase split into different cards

Chapter 8

Figure 8.1 Captain Tobias Furneaux (August 21, 1735—September 18, 1781)

Figure 8.2 Image of the Martellus Map of 1490

Figure 8.3 Still from the U.S. police stop-and-search that revealed a person...

Figure 8.4 A Trezor hardware wallet with backup seed word document

Figure 8.5 Examples of applications supported by Magnet Forensics tools

Figure 8.6 File system and other artifacts mounted by memprocfs

Figure 8.7 List of Wallets Found on the Cryptoslate website

Chapter 9

Figure 9.1: An example of a multisig configured address

Figure 9.2: Example of a Bitcoin transaction with one input and two outputs...

Figure 9.3: Elements of the transaction

Figure 9.4: Example of a transaction

Figure 9.5: Diagram showing victims’ payments moving to a fraudster’s addres...

Figure 9.6: Diagram showing victim’s funds flowing to a single address, but ...

Figure 9.7: One address available on two blockchains

Figure 9.8: The forward and back arrows used to follow the flow of funds

Figure 9.9: Example of transaction and forward and back arrows in

Blockchair

...

Figure 9.10: Example of output from an API call

Figure 9.11: A transaction depicted on the Blockchair explorer showing a Coi...

Figure 9.12: An input value of $480.91

Figure 9.13: An input value of $481.16

Figure 9.14: Example of an OMNI transaction in

Blockchair.com

Chapter 10

Figure 10.1: Multisig transaction from a 2/3 wallet

Figure 10.2: Graph showing transaction counts over time

Figure 10.3: Graph showing distribution of transactions by hour of day

Figure 10.4: Graph from

Breadcrumbs.app

showing attribution

Chapter 11

Figure 11.1: iPhone highlight text feature

Figure 11.2: Crypto “burned” in the Genesis address

Figure 11.3: Using the vanity address generator to produce an address starti...

Figure 11.4: Overview of ETH and token holdings in this wallet address

Figure 11.5: Token being stored in the address

Figure 11.6: Heroes of MAVIA home page

Figure 11.7: Holdings on the Base Layer 2 chain

Figure 11.8: List of primary transaction fields

Figure 11.9: A variety of transaction methods

Figure 11.10: Examples of an inbound and an outbound transaction

Chapter 12

Figure 12.1: Example of an ETH-to-ETH transaction

Figure 12.2: Changing from the current value to the value on the day of the ...

Figure 12.3: Recorded time and date of the transaction

Figure 12.4: List of transactions for the destination address

Figure 12.5: Example of in- and outbound transactions (note, read from botto...

Figure 12.6: Whose funds have moved?

Figure 12.7: Image showing the contract creator

Figure 12.8: Image showing similar/exact contracts

Figure 12.9: Examples of contract icons

Figure 12.10: Functions from the contract

Figure 12.11: State logs

Figure 12.12: Flow of funds in an ETH-to-contract transaction

Figure 12.13: Filtered By Token Holder

Figure 12.14: Graph of transaction flow

Figure 12.15: Graph from

CoinMarketCap.com

showing all the time it has been ...

Figure 12.16: Search for Donald Trump 2024 tokens on February 19, 2024 for t...

Figure 12.17: Results for Donald Trump 2024 tokens on February 19, 2024 for ...

Figure 12.18: Details of NFT #658

Figure 12.19: Transaction history of NFT #658

Figure 12.20: Searching for the buyer’s Ethereum address on OpenSea

Figure 12.21: Results of search on OpenSea showing other owned NFTs

Figure 12.22: Finding an alias when searching on OpenSea for the seller’s ad...

Figure 12.23: Google search for alias

Figure 12.24: Uniswap Add Liquidity screen

Figure 12.25: Movement of funds in a contract

Figure 12.26: Example of Approve transactions followed by an Execute transac...

Chapter 13

Figure 13.1: BscScan looks almost identical to Etherscan.

Figure 13.2: Some of the funds held in various chains for address 0xC03F6a53...

Figure 13.3: Example diagram from commercial tools of transaction

Chapter 14

Figure 14.1: Chart showing total value locked in DeFi projects and amount in...

Figure 14.2: List of other DeFi projects and the total value locked in them...

Figure 14.3: Overview of Tron address TZ3mMDaZP7rnh8qC1MPzAMeHWJq4hTkAse

Figure 14.4: List of NFT tokens owned by 0x277e9d30d965eEbE0e30b989fE35aab2A...

Figure 14.5: The NFT bought in TXID

Figure 14.6: Burned NFT

Figure 14.7: NFT that is minted

Figure 14.8: List of token transfers for address 0x8f95d…on the Polygon chai...

Figure 14.9: Example of multiple mixing chains returning to exchange address...

Figure 14.10: Just some of the 96 outputs of the exact same value

Figure 14.11: The deposit screen for Tornado Cash

Chapter 15

Figure 15.1: A pile of sculpted trash casting a shadow depicting a man and w...

Figure 15.2: CSAM scam payment page

Figure 15.3: Google results for “3EGy678G659RnevCA1pmfzVrrC5DEaiqAt -block”...

Figure 15.4: An older website related to the Turing Trust, which displays a ...

Figure 15.5: 3EGy appearing on an archived version of

turingtrust.co.uk

Figure 15.6: Taylor.wtf on Etherscan.io

Figure 15.7: Taylor.wtf details

Figure 15.8: Taylor.wtf Twitter (X) page

Figure 15.9: CryptoPunks NFT

Figure 15.10: CryptoPunks OpenSea page

Figure 15.11: Deepak confirming ownership

Figure 15.12: Connection between Deepak and 0x69c48

Figure 15.13: 0x017A1653c0cB7B561c50717336c1F7fd912ed310 contract page

Figure 15.14: 0x017A1 tokenURI –

https://arweave.net/6c1KT6uwRZLhVuvGSisunoiU

...

Figure 15.15: NFT metadata on Arweave

Figure 15.16: ISIS NFT

Chapter 16

Figure 16.1: Entering seed words

Figure 16.2: Seed Options

Figure 16.3: Transaction history

Figure 16.4: Receiving addresses

Figure 16.5: Change addresses

Figure 16.6: Transaction screen

Figure 16.7: Adding a custom mnemonic

Figure 16.8: Selecting BIP39 seed type

Figure 16.9: Screen to scan for existing accounts

Figure 16.10: Detected accounts

Figure 16.11: Account0 transaction

Figure 16.12: Account1 transaction

Guide

Cover

Title Page

Copyright

Foreword

Introduction

Table of Contents

Begin Reading

Final Thoughts

Acknowledgments

About the Author

About the Contributors

About the Technical Editor

Index

End User License Agreement

Pages

i

xiii

xiv

xv

xvi

xvii

xviii

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

46

47

48

49

50

51

52

53

54

55

56

57

58

59

60

61

62

63

64

65

67

68

69

70

71

72

73

74

75

76

77

78

79

80

81

82

83

84

85

86

87

88

89

90

91

92

93

94

95

96

97

98

99

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

139

140

141

142

143

144

145

146

147

148

149

150

151

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

173

174

175

176

177

178

179

180

181

182

183

184

185

186

187

188

189

190

191

192

193

194

195

196

197

198

199

200

201

202

203

204

205

206

207

209

210

211

212

213

214

215

216

217

218

219

220

221

222

223

224

225

226

227

228

229

230

231

232

233

234

235

236

237

239

240

241

242

243

244

245

246

247

248

249

250

251

252

253

254

255

256

257

258

259

260

261

262

263

264

265

266

267

268

269

270

271

272

273

274

275

276

277

278

279

280

281

282

283

284

285

286

287

288

289

290

291

292

293

294

295

296

297

298

299

300

301

302

303

304

305

306

307

308

309

310

311

312

313

314

315

316

317

318

319

320

321

322

323

324

325

326

327

328

329

330

331

332

333

334

335

336

337

338

339

340

341

342

343

344

345

346

347

348

349

350

351

352

353

355

356

357

358

359

360

361

362

363

364

365

367

368

369

370

371

372

373

374

375

376

377

378

379

380

381

382

383

384

385

386

387

388

389

390

391

392

393

394

395

396

397

398

399

401

402

403

404

405

406

407

408

409

410

411

412

413

414

415

416

417

418

419

420

421

422

423

424

425

426

427

428

429

430

431

432

433

434

435

436

437

438

439

440

441

442

443

444

445

446

447

448

449

450

451

452

453

454

455

456

457

458

459

460

461

462

463

464

465

466

467

468

469

470

471

472

473

474

475

476

477

478

479

480

481

483

485

487

488

489

490

491

492

493

495

496

497

498

499

500

501

502

503

504

505

506

507

508

509

ii

510

There’s No Such Thing as Crypto Crime

An Investigative Handbook

Foreword

Have you heard of pig butchering?

I sure hadn’t.

I also had no idea that those six words would change the course of my life.

We were about to level up our game.

I’m a prosecutor in Santa Clara County, California, and I have the pleasure of working with one of the smartest groups of local investigators in the world, known as the Regional Enforcement and Allied Computer (REACT) Task Force. During the eight years that we have worked together, we’ve investigated, prosecuted, and sent to prison some of the most devious and destructive bad actors who terrorize the world from behind their screens.

REACT Agent John Alldredge asked me about pig butchering because he had just received a report from a 30-year-old software engineer who had lost $300,000 in a romance scam/investment scheme. As Detective Alldredge dug into the facts, he came to understand that what happened to this engineer was happening to hundreds of other victims worldwide in a phenomenon known as pig butchering. The term is a literal translation of the Chinese sha zhu pan, denoting a specific fraud technique where victims are courted online and “fattened up” by scammers—and then their net worth is stolen from them during the slaughter. After the scammer establishes a trust, they introduce the opportunity to become wealthy by making cryptocurrency investments. Victims are shown a false online investment dashboard showing massive returns, which encourages further investment. What they don’t realize is that their money is long gone, lining the pockets of the scammers.

Never before had we seen a fraud typology specifically designed to steal every last penny from victims. Never before had we seen victims losing their entire nest egg, their retirement accounts, and their children’s college funds. And never before had we seen such an absolutely devastated group of people once they realized that they had lost their entire financial stability as well as someone they considered a beloved companion.

Embracing our “what if we could” philosophy, and at the direction of our District Attorney Jeff Rosen, who applauds innovation, REACT began a test case with that first victim. The team used blockchain investigative skills to follow the engineer’s investments, watching the money hop from wallet to wallet until it landed at an exchange that accepted a Santa Clara County search warrant. Creativity and a strong work ethic drove the successful retrieval of a good percentage of the engineer’s funds and the return of those funds to him. We replicated this procedure over and over and were able to help 25 victims recover stolen money.

The reports of victimization kept pouring in. A tidal wave of people from all over the world arrived (electronically) on REACT’s doorstep asking for the same type of assistance. As the team solved cases in other jurisdictions and tried to hand them over to local law enforcement, we were told on repeat, “We don’t do crypto.” It quickly became clear that we were facing a worldwide gap in the ability to solve cryptocurrency cases. Scaling efforts and teaching others our blueprint became the REACT workload for the foreseeable future. Our victims were entitled to exactly that.

We moved forward, building an international network (now numbering 1,800!) of active law enforcement worldwide just learning how to use the blockchain as an investigative tool. We quickly found that there was a thirst for learning this new technology and a camaraderie in helping pull our fellow officers toward crypto literacy. As we taught, shared, and collaborated, we saw crypto in more and more cases. Crypto isn’t just an element in fraud cases; it became how bad actors move money. Soon we were seeing it in narcotics, child exploitation, murder for hire, and even home-invasion robberies. It was imperative that local officers develop a baseline competence.

Finding resources for this educational gap wasn’t easy. Authors and experts were few and far between. Our victims needed law enforcement to understand how to locate, seize, and return their lost funds. Officers were often paralyzed by the idea of mastering crypto investigations. It seemed too complicated, too time consuming, and just really difficult. We all needed someone who could explain this technology to us in a way that even a layperson could understand.

Enter Nick Furneaux.

In his initial book, aptly named Investigating Cryptocurrencies: Understanding, Extracting and Analyzing Blockchain Evidence, Nick uses a tool-agnostic approach to demystify cryptocurrency. In an easily digestible format, he stays out of the deep weeds and educates how the blockchain works, why it’s a fantastic source of information, and how to use this tool to our advantage. Nick is able to do the unimaginable: convey complex concepts in such a manner that readers walk away with a deep understanding of both the technology and its utility.

By holding this book (or its electronic substitute) in your hands, you’ve acknowledged the value in learning this technology. This volume expands on Nick’s first, and truly provides a go-to resource for investigators. As new blockchains and coins have developed, so too has the education he conveys. Here you’ll continue to learn about Bitcoin and the methodology to investigate it, but you’ll also learn about Ethereum and how to apply different principles in its tracing, all in a tool-agnostic way.

Nick’s manner of education is revered by law enforcement and industry alike. He is universally respected for his clarity, and I hear over and over from peers how much they appreciate the training Nick provides. When I got a call from Nick asking me to write this foreword, I was incredibly humbled that the man I consider the gold standard for crypto education would ask for my contribution. It’s an immense pleasure to be able to illustrate the demand for an updated handbook as I relate stories from the ground floor of law enforcement, deluged by victims in need of this competence.

Law enforcement can no longer afford to turn its collective head from this means of moving dirty money by using cryptocurrency. Looking away allows an avenue for wealth transfer unimpeded by government. When we don’t have the opportunity to get handcuffs on overseas bad actors, we need to look to means of disrupting them. Seizing their funds is the win that our victims deserve. This book provides the jump start we all need.

Erin WestSanta Clara County, California

Introduction

I own hardly any crypto at all, just a bit of Bitcoin and some Ethereum. People always assume that since I’ve been around crypto for so long, I probably bought Bitcoin in 2010 for next to nothing and am now “crypto-wealthy.” Sadly, that’s not the case. I have never had any interest in the investment opportunities of cryptocurrencies. Just ask my friend Chris, who I advised not to bother buying Bitcoin when it was just $2,500! However, for almost a decade I have been fascinated by the technology that underpins crypto and how it can be exploited to track and trace those who would use blockchain-based funds to acquire or move criminal assets. Whatever I think about investing in crypto—and all the best to you if you have done well from it—I believe that the technology is sound and crypto is here to stay. If your work is as a criminal investigator, lawyer, legislator, compliance officer, or tax or financial investigator—really any career that touches on crime—you will come across crypto. You need to keep reading!

This book will help you to understand the ways that criminals utilize crypto in areas such as investment frauds, pig-butchering scams, money laundering, illicit financing, and more. You will learn the fundamental elements that make up different blockchains that underpin crypto such as Bitcoin, Ethereum, and the myriad of spin-off currencies, and how you can use the underlying ledgers to trace funds, attribute addresses, and seize proceeds of crime.

I suspect that you will find the first half of the book a fairly easy read, but the second half really digs into investigative methodologies, so you might want to pull your chair closer to a coffee machine! You do not need to be a computer scientist, a cryptographer, or a mathematician; you just need a good eye for patterns and a mind that can process information. I’m sure you will get on just fine.

I hope that you will also enjoy the included contributions and interviews with some of the world’s outstanding investigators in the crypto space. I thank them for entrusting me and this book with their knowledge, wisdom, and experience.

I’d like to ask you to consider something as you turn to Chapter 1. If you are working in the crypto investigations space, I urge you to focus on the victims. Investigation of areas such as fraud, pig-butchering, and other such scams ruins people’s lives. I’ve had people in tears on the phone and even reports of those who take their own lives as a result of losing all they had. Being an investigator is not all about the “tech,” the prosecution targets set by our bosses, or even “getting the bad guys.” First and foremost, you should focus on the victim, bringing them justice and hopefully the return of lost funds. Having a victim focus also helps to stop you from becoming jaded when wading through bureaucracy or intransigent criminal systems. Investigate for the person, rather than just the crime, and you will feel better about your life and the good you can do for others.

Use your powers for good.

1A History of Cryptocurrencies and Crime

Driving the Harbor Freeway north out of Los Angeles toward Pasadena, you pass by the densely populated residential areas of South Park and Vermont Harbor before likely noticing the huge sporting complex that includes the LA Memorial Coliseum and the Bank of California Stadium on your left. As you pass under the Santa Monica Freeway and swing to the northeast, the vast LA Convention Center comes into view and behind it the famous home of the LA Lakers basketball team. This arena had for decades been known as the Staples Center, named after its sponsor, the vast multinational office supplies organization. However, a person driving past around Christmas 2021 would have noticed the familiar Staples signs were gone and had been replaced by a name written in blue and white. Crypto.com Arena.

For many, this would have been the first time they had seen or heard of the name of one of the largest cryptocurrency exchanges in the world. Although just five years old when they took over sponsorship of the Lakers home, the Singapore-based company had tens of millions of customers around the world and represented just one of the many cryptocurrency exchanges dealing billions of dollars of virtual currencies every day.

A few months later, during the 2022 Super Bowl, arguably one of the most expensive sporting events in the world for a company to advertise their services, five cryptocurrency exchanges ran TV advertisements or social media campaigns to coincide with it. Crypto.com has gone on to become a sponsor of the FIFA World Cup, and Formula 1 cars in 2022 displayed the logos of Binance, Bybit, Tezos, FTX, and other cryptocurrency brands. Cryptocurrencies were now squarely in the public consciousness.

At a governmental level, having long ignored or simply criticized digital currencies, countries started to wake up to the fact that these new currencies were here to stay. Although much of their early use was arguably by a mix of hobbyists, conspiracists waiting for the new world order, and criminals, now middle-class people living in the suburbs were beginning to take an interest and buy into this new investment opportunity. Newspapers and social media were running stories of the vast profits to be made, and many with some spare cash wanted in, arguably driven by a new acronym, FOMO, or fear of missing out. Anecdotal accounts of people remortgaging property to buy Bitcoin appeared in the more sensationalist press, and futures contracts and shorting options began to be made available, often by brand-new, unregulated companies.

Legislation was badly needed, and suddenly governments became more aware of the issue and started to respond. First, bodies such as the Financial Crimes Enforcement Network (FinCEN), a bureau of the U.S. Department of the Treasury, and the Financial Conduct Authority in the UK began to react to the complex issues of companies trading cryptocurrencies. Second, the tax authorities started to consider the difficulties of tracking and charging tax on the highly volatile and anonymous nature of crypto assets. Lastly, central government caught up, and by 2022, President Biden had signed an executive order (Executive Order on Ensuring Responsible Development of Digital Assets—March 9, 2022), and legislation for the “regulation of stablecoins and cryptoassets” appeared in the British Queen’s Speech (https://lordslibrary.parliament.uk/queens-speech-2022-economic-affairs-and-business).

Other countries responded in a rather more binary way by either banning cryptocurrencies, as did China and Indonesia, or conversely welcoming them, including El Salvador, who made Bitcoin legal tender in 2021, followed by the Central African Republic.

It is notable that it is generally countries that are experiencing difficulties with their primary fiat currency that are reacting in these more contrasting ways to cryptocurrencies.

NOTE Fiat money is a government-issued currency that is not backed by a physical commodity, such as gold or silver, but rather by the government that issued it.

As mentioned earlier, El Salvador reacted to financial pressures by welcoming Bitcoin. Turkey, in the midst of crippling inflation (mid-2022) of the Turkish lira, banned the use of Bitcoin for paying for goods and services. People were turning to cryptocurrencies as a “stable” alternative to the lira, which is extraordinary when you consider how volatile the Bitcoin price can be. Governments will continue to struggle with this new challenge to their traditional centralized, government-controlled currencies for some time to come.

As I stated previously, arguably, cryptocurrencies are part of the public’s consciousness in many countries around the globe, but why is this of interest to criminal investigators? To answer this question, we need to briefly look at the history of cryptocurrencies, which will help us understand their appeal to criminality.

Where Did It All Start?

English words have an odd way of changing their meaning. In the 13th century the word “silly” was someone pious or religious; however, by the late 1800s the word carried the meaning we have today of someone or something being foolish. “Crypto” has become one of those words that used to mean one thing but is now generally recognized as referring to something else. If just two or three years ago, you had asked any technologist what the word “crypto” referred to, they likely would have all responded that it was a shortened form of the word “cryptography.” Cryptography has to do with the securing of data either in transit or at rest through, historically, the use of codes and ciphers, and in recent times something we will explain in more detail later known as public/private key cryptography. But as I’m penning this chapter, if you ask either a technologist or just a person on the street what “crypto” is, they will probably say Bitcoin, Ethereum, or cryptocurrencies, or something similar. Why has this change to the generally accepted meaning of the word happened? Certainly, in the English language we do love to shorten words (my actual name is Nicholas but the only person who ever called me that was my mum when I was misbehaving!) and crypto is much easier to say, and definitely easier to type, than cryptocurrency.

The reality is that the two meanings are closely linked. The crypto part of the word “cryptocurrency” comes from the fact that all cryptocurrencies have their transactions and transaction ledgers confirmed and protected by cryptography. In the case of Bitcoin and its derivatives, it uses a quite simple form of cryptography and it’s very secure but fundamentally straightforward. It’s a mistake to read online about all the hack attacks and losses of digital currencies like Bitcoin and think that there is something wrong with the code or the cryptography underpinning it. Bitcoin has never suffered from a successful attack against its source code or crypto. We will discuss in more detail how attacks against users and custodians of cryptocurrencies can fall prey to criminals in Chapter 2, “Understanding the Criminal Opportunities: Money Laundering,” and Chapter 3, “Understanding the Criminal Opportunities: Theft.”

Although you do not need to become a cryptographic scientist to understand how these systems work, it is still useful for an investigator to have a good idea of how cryptocurrencies are protected in order to better grasp some of the attacks against them. We will discuss this in more detail in several of the early chapters.

From a criminal perspective, cryptocurrencies offer opportunities that are difficult to achieve through the traditional banking network. We shouldn’t believe that crypto is anonymous—every transaction is recorded on the blockchain ledger for anyone to study. The issue for the investigator comes from the fact that it is difficult to connect a cryptocurrency address to a user. This pseudo-anonymity provides opportunities to hide movements of assets, pay for or receive payments for illicit goods, or target others’ crypto assets, in an environment that is challenging for the investigator to analyze. As this book will outline, difficult does not mean impossible.

Although this chapter is called “A History of Cryptocurrencies and Crime,” I wrote a deeper background of crypto assets in my book Investigating Cryptocurrencies (Wiley, 2018) and I won’t go into as much detail here. However, I think it’s worth the investigator being aware of the accepted stepping-stones of crypto up to the present day and how they relate to the changing shape of crimes that utilize cryptocurrencies.

Most articles and books written on the history of cryptocurrencies point back to a cryptographer named David Chaum, who created an early form of electronic money called DigiCash in 1989. Others believe that the 1998 Bit Gold concept by Nick Szabo was closer to our concept of a cryptocurrency, where a predecessor of the concept of “mining” by solving algorithmic problems was implemented. Interestingly, Nick also wrote a white paper in 1994 in which he described in significant detail the concept of a digital, or smart, contract, which was an agreement between parties based purely on a coded contract with no third parties involved.

But it’s the white paper published in October 2008 by the enigmatic Satoshi Nakamoto about an (arguably) new currency type that really starts the journey of crypto as we would recognize it today. Just over two months later, Nakamoto “mined” the first block, which was the genesis of a cryptographically connected series, or chain of blocks containing transaction data, which would eventually be known as a blockchain.

Although Bitcoin clearly is and was a brilliant piece of code, as most inventions do, it sat on the shoulders of others. We’ve mentioned Chaum and Szabo related to mining and cryptographically protected currencies, but the “cryptographically secured chain of blocks” was first described by Stuart Haber, W. Scott Stornetta, and Dave Bayer in papers published in 1991 and 1992 (www.researchgate.net/publication/2312902_Improving_the_Efficiency_and_Reliability_of_Digital_Time-Stamping and www.researchgate.net/publication/2312902_Improving_the_Efficiency_and_Reliability_of_Digital_Time-Stamping). Interestingly, the original Bitcoin white paper does not use the term “blockchain” anywhere. It uses the phrase in a sentence, “As later blocks are chained after it…,” but not the actual word “blockchain.” It is unclear who first used the phrase, but some evidence points to the forum BitcoinTalk.org, where posters discussed the issues of downloading the increasingly large “blockchain” of transactions for use in their wallets. The earliest Bitcoin wallet required the user to download a full version of the Bitcoin blockchain and act as a transaction distribution node on the network.

Bitcoin grew over the next few years, with predominantly technologists and hobbyists drawn to the interesting application of technology and the promise of an online-only currency. They were soon joined by conspiracists and “preppers” (those preparing for the world’s end and/or the collapse of society) who saw a kindred spirit in the decentralized, uncontrolled nature of the currency and its possibility to trade disconnected from the control and traceability of traditional banking. In those early days, the concept of a fiat currency value for Bitcoin was a bit of an anathema—it wasn’t really supposed to interact or exchange with other currencies but rather stand alone, a currency for its users by its users. However, perceived dollar values rose and fell but in fairly small amounts. (In mid-2022 there was the so-called crypto winter, where Bitcoin lost two thirds of its value from its 2021 high. In percentage terms this was nothing compared to 2011, where its value reduced from the giddy heights of $15 and crashed to just $3 in four months). However, in mid-2013 Bitcoin passed the $100 value and never fell back below it again, as of yet.

It is simply logical that criminals go where the money is, and as the Bitcoin/dollar value grew and its pseudo-anonymous nature began to be more broadly understood, there was an obvious attraction for criminality to start to use the currency to store, move, and launder assets. There were very few opportunities to steal Bitcoin, as there were very few Bitcoin whales (large holders of Bitcoin) that were actually worth anything in the real world, but it would not be long before targets began to appear.

In January 2010, just a year after Bitcoin had appeared, a user on the BitcoinTalk forum named “dwdollar” announced that they would set up a dollar-to-Bitcoin exchange to enable users to buy and sell Bitcoin using PayPal. The unregulated and uncontrolled nature of Bitcoin would change forever; Bitcoin now had a true, demonstrable dollar value and a very early example of a cryptocurrency “bank.” For various reasons dwdollar’s BitcoinMarket exchange didn’t last long, but in its place came a new exchange, easy to use, well constructed, and professional: Mt. Gox.

As previously stated, criminals go where the money is and arguably for the first time they had a valuable target on the Bitcoin network to focus on. The case has been reported on and written about ad nauseam, but in simple terms Mt. Gox suffered a series of successful attacks against its systems and eventually a hacker found a way to drain Bitcoin from wallets on the exchange. They managed to steal 650,000 Bitcoin over three years (850,000 Bitcoin is often reported, but around 200,000 were found in an old wallet). Attacks on exchanges had begun.

In the next few years, many exchanges would be set up; some of them were literally in the entrepreneur’s spare bedroom, often turning over eye-watering sums of money, much of it criminal. Sometimes the exchange owners were the criminals, operating the exchange as a Ponzi scheme, taking payments for Bitcoin, for example, but not actually fulfilling the order and just adding the appropriate number to a spreadsheet of what the user “owned.” If the user tried to cash in the crypto asset for cash, the exchange owner would use cash from another user to pay the first person, and so on. In one case I worked on, the exchange owner would often spend $60,000 of customers’ money in a single weekend at a top London hotel on what we can kindly describe as “fast living.” Perhaps the most notorious was an exchange in Canada called QuadrigaCX, where a reported 76,000 investors lost around C$169 million (the values vary with reports), but following the early death of founder Gerald Cotten it was discovered that he had been running the exchange as a Ponzi scheme and the company’s wallets were all but empty (https://news.sky.com/story/man-lost-500-000-life-savings-in-crypto-exchange-scam-after-trader-died-with-password-to-funds-12577397).

The true value of losses from exchanges is impossible to calculate accurately. I’ve personally worked on hacks against exchanges totaling hundreds of millions of dollars that were never reported to law enforcement and no legislation existed that required them to do it. The cryptocurrency reporting website hedgewithcrypto.com has kept an unofficial list of exchange hacks since 2012 that totals $3.2 billion of losses. None of the exchange hacks I’ve been involved with are mentioned (www.hedgewithcrypto.com/cryptocurrency-exchange-hacks). Another list from ChainSec (https://chainsec.io/exchange-hacks) suggests $2.4 billion. Whatever, the numbers are huge.

Some of the largest exchange thefts were reported around 2016–2018, with the vast losses from Bitfinex, CoinCheck, and others valued in the hundreds of millions of dollars for each hack. Certainly, security of exchanges has improved, although we still saw reports of a $150 million loss from BitMart at the end of 2021.

Most of these early losses were in Bitcoin, but a new cryptocurrency contender would soon appear with new opportunities for the criminal to exploit.

The Rise of the Smart Contract

At about the same time that the CEO of Mt. Gox was being put in handcuffs by the Japanese police (he ended up with a suspended sentence of four years), five entrepreneurs—Vitalik Buterin, Gavin Wood, Charles Hoskinson, Anthony Di Iorio, and Joseph Lubin—were switching on a brand-new cryptocurrency that would pave the way for a whole new paradigm in cryptocurrency use. Ethereum had arrived.

Ethereum did things differently. Bitcoin made use of a very simple programming language, known as a stack-based language, to enable the construction of transactions. It fundamentally allowed a programmer to design the method for unlocking existing transactions and approve the locking of new ones to change the ownership of the coin. Bitcoins are never really sent or received; rather, transaction scripts merely change the owner. Bitcoin uses a UTXO model, which stands for Unspent Transaction (TX) Output. There are some great online resources to understand UTXO, but in very simple terms if you want to calculate the balance of Bitcoins held by a Bitcoin address, simply look at the blockchain and add up all the UTXOs, the unspent transactions, where the target address was the recipient. If I want to spend some Bitcoin, I can only spend unspent transactions. This might sound obvious, but it means that I have to spend the entirety of a transaction I have received.

I’ll try to explain a little more simply. I assume you own a wallet or a purse? If someone gives you two $5 bills, you have a UTXO balance of $10 in your wallet. They do not magically turn into a $10 bill, but you can look in your wallet and add them up to get a wallet balance. If you want to carry out a transaction—let’s say you want to buy a burger for $7—you can’t tear a bill in half to try to get close to $7; you have to transact the entire value of both bills, the UTXOs, and then receive change of $3. Bitcoin works in the same way; if you have received 0.5 of a Bitcoin you have to transact that entire 0.5 and receive change.

How was Ethereum different? First, it used an account-based model. This was less like a wallet with bills and more like a bank account. Funds are paid into an address and create a balance, and then funds can be paid out in any amount up to the value of the balance. No change. No UTXOs. This is really important for an investigator to understand, and we will deal with this in more detail later.

Second, and most important, Ethereum provided a programming language called Solidity. This is known as a Turing-complete language, which afforded the ability for users to extend the functionality of the base Ethereum system, including building smart contracts. We will discuss smart contracts in much more detail in a later chapter, but for now know that they enable the building of other cryptocurrencies on Ethereum known as tokens and provide services and interactive systems. When we read about gambling using Ethereum and gaming such as Cryptokitties or Axie Infinity or even someone buying an NFT of an ape in a wedding dress for a huge sum of money, we are just talking about tokens and systems based on smart contracts built onto the Ethereum platform.

This platform was, and is, an amazing opportunity for entrepreneurs to enter the cryptocurrency market at a reasonably limited skill level and very low cost. Experienced coders could spin up a new token on Ethereum in several hours, and so often this was followed by massive social media campaigns about this new wonderful token and how great wealth and riches could be obtained by investing in it. Celebrities were paid and sometimes duped to promote these tokens before demand would usually dwindle, and the token would die a slow crypto-death (crypto-death is not a real term but I like the sound of it and so will start to use it!).

Some of these tokens were backed by genuine businesspeople and often venture capital money and have become significant businesses, but I will say it again, where the money is, the criminals will be right behind.

Smart contracts provided a rich environment for criminals, who up to this point had been enjoying the unofficial competition of seeing who could steal the most from exchanges. The small “spare bedroom” exchanges had all but disappeared, making way for the up-and-coming behemoths of Coinbase, Binance, and Kraken, to name a few. Although there continued to be some significant criminal successes against exchanges, such as the $275 million against KuCoin in 2020 and the $150 million loss from BitMart in 2021, the criminal fraternity now had many other targets to focus on.

Although we will be discussing smart contracts and how to investigate crimes that make use of them in several chapters of this book, it is worth noting at this juncture that this is something you will really need to get your head around if you intend to be involved in cryptocurrency investigations. It doesn’t matter if you are a financial investigator, a fraud specialist, a lawyer, or a digital forensics expert, having an understanding of smart contracts will be increasingly important as the market develops. I started investigating crimes involving crypto back in 2015 and it was 100 percent Bitcoin. By 2017 we were seeing hacks and losses involving Bitcoin Cash (after the hard fork that created it), Litecoin, and others, but always UTXO currencies. By 2019, some 20 percent of investigations were Ethereum/token based. In 2020 it was 30 percent, and by 2021, this had grown to around 50 percent. In the past few years I haven’t done one purely Bitcoin-based examination this year. Although I am by no means an investor in crypto—I literally have less than $10,000 in a total of three or four crypto assets—I do believe that Bitcoin is here to stay, but also that contract-based tokens are the future.

NOTE It is probably worth mentioning that you shouldn’t reach out to ask me anything about cryptocurrency investing. When I was writing Investigating Cryptocurrencies in 2017, a good friend asked me how much of this “Bitcoin thing” they should buy. The price was about $1,300 per Bitcoin at the time. I suggested that it was all criminal money and not to bother. As you can imagine, that friend had some choice words for me in 2024 when the price topped $69,000 per Bitcoin. The lesson here is not to take investment advice from an investigator!

Since Ethereum, almost all new cryptocurrency blockchains either are direct emulations of the code of Ethereum such as Binance Smart Chain or are based on a smart contract architecture such as Cardano, Tron, VeChain, Internet Computer, and a host of others. Just like Ethereum, these smart contracts have been exploited in a host of ways.

Initially, the smart contract feature in Ethereum was used to generate new tokens or coins based on a standard known as the ERC-20 protocol (ERC stands for Ethereum Request for Comment and is similar to the Bitcoin BIPs, or Bitcoin Improvement Protocols. You can find more information on ERCs at https://eips.ethereum.org/erc and on BIPs at https://github.com/bitcoin/bips). These new tokens were often called initial coin offerings (ICOs), which as previously mentioned ranged from the legitimate attempt at a business idea through deluded attempts at wealth generation to outright fraudulent coin offerings. We will discuss rug pull scams and what investigators should be looking for in more detail later.

It would be wrong to discuss the history of Ethereum related to criminality without mentioning the DAO hack in July 2016. This is another event for which hundreds of articles have been written, and it set the pattern for significant criminal hacking activity afterward. In simple terms, a hacker managed to extract 1.5 million ETH (Ethereum coins) from tens of thousands of users into a separate DAO (decentralized autonomous organization). Eventually Ethereum users voted overwhelmingly to “hard-fork” (more on forks later) Ethereum into a new blockchain. The resulting new chain was to retain the name Ethereum and the original, which many wrongly thought would die out, would be called Ethereum Classic. What I find the most interesting about this case is the absolute denial by the hacker that they had done anything wrong. In an online post they explained that they had used a feature built into the smart contract and that they had done nothing criminal, even explicitly threatening that they would take action against anyone who tried to get the ETH back! In part they wrote:

I am disappointed by those who are characterizing the use of this intentional feature as “theft.” I am making use of this explicitly coded feature as per the smart contract terms and my law firm has advised me that my action is fully compliant with United States criminal and tort law.

You can read the entire post here: https://pastebin.com/CcGUBgDG.

So, theft or not theft, that is the question. They even sign the post “The Attacker,” with the quote marks seemingly designed to engender a sarcastic tone.

Perhaps a better question is “When is a hack not a hack?” As we discussed earlier, English words have a way of changing their meaning over time, and “hacker” is one of the those words. (Actually, a “hack” was originally a horse in Old English, and a hacker was someone who would do unspeakable things with an axe!) Back in the 1960s and 1970s, a hacker was a person who would deconstruct some piece of technology and work to improve it or adjust it in some way. Hacker workshops still exist where people who are as comfortable with a soldering iron in their hands as a mouse gather to hack different products. There is no suggestion of theft or criminality. However, by the time the film Hacker was released in 2016 it definitely carried a nefarious meaning.

The website Deepgram.com carries an excellent list of “hack” words and indicates whether they are good or bad: (https://blog.deepgram.com/the-history-of-the-word-hacker-2):

Hack (coder), n./adj.—bad

Hacker, n.—good or bad

To hack (code), v.—ambiguously good or bad

Hacked (code), adj.—ambiguously good or bad

Hacky (code), adj.—usually bad

In the case of the DAO hack, the “feature” was there in the smart contract code but at the same time there wasn’t a big red button saying “Get free ETH here!”

I asked my friend and reverse-engineering expert (read—good guy hacker) Jesse D’Aguanno where the line is between a person simply using built-in code to do something the developer didn’t mean it to do and manipulating code to force an application to do something it wasn’t designed to do—is it ever okay? In Jesse’s view, which is likely the view of your local police department, taking something that isn’t yours is wrong, and in some ways it’s a shame that the assertions of “The Attacker” were not tested in court.

The reason for sharing some of these early losses of crypto is that it sets a basis for criminals exploiting code for profit. Sometimes, organizations that lose funds just shrug and move on, and I worked on a few of those; other times they engage with law enforcement, but the third way, which I always find fascinating, is where they reach out to the attacker and offer to pay them for the information on how the attack was done as a bug bounty. I guess it’s no different from the FBI employing the infamous “Catch Me If You Can” fraudster Frank Abagnale as he was simply very good at what he did.

How do you reach out to a hacker that has just stolen your coins? Well, you can follow the flow of funds to the receiving address and encode a message to that address. A good example was after the Wormhole Bridge hack in February 2022, when an attacker was able to mint, or create, new coins and then move/steal them.

Just after the attack the Wormhole administrator sent a message to the attacker offering $10 million to tell them how they carried out the attack! The message read:

This is the Wormhole Deployer:

We noticed you were able to exploit the Solana VAA verification and mint tokens. We’d like to offer you a whitehat agreement, and present you a bug bounty of $10 million for exploit details, and returning the wETH you’ve minted. You can reach out to us at <email>.

Notice that Wormhole framed this offer as a bug bounty. Bug bounties are normally paid to researchers who expose a vulnerability and notify the company and generally do not walk away and hide with $325 million of Ethereum (the value at the time of the theft). I don’t say this to criticize Wormhole in any way, but simply to highlight that paying criminals rather sends the wrong signal. If the Wormhole attacker accepted the payment, does this indemnify them from prosecution—does law enforcement now have to walk away because a deal has been done? Of course, this wouldn’t stop the police from investigating and taking action if they chose to, but if Wormhole now categorized this event as being a service to them, this means there is no complainant and hence they won’t engage with the police and provide evidence. If there is no expectation that the company will take this indemnified approach, then there is no reason for the attacker to comply and accept the bug bounty. This creates a tricky situation and sends a message to attackers that there is big money to be made.

NOTE Having “acquired” $114 million from Mango Markets in 2022, the stakeholders of Mango agreed with the “attacker” that they had played by the rules of the smart contract and allowed him to keep $67 million. The attackers was later found guilty of commodities fraud, commodities market manipulation, and wire fraud.

This chapter is supposed to be a history of crypto and its associated crimes, and I appreciate that the Wormhole hack was only in early 2022, thus hardly ancient history, but these events shape the future. They teach other would-be criminals what is possible, and the losses from exchanges, tokens, blockchains, and DAOs continue.

Of course, I have been remiss in discussing examples of money laundering, illicit payments for child sexual abuse material (CSAM), and the exchanges who were not victims of crime, as mentioned before, but rather active facilitators of crime. BTC-e, run by Alexander Vinnik, a Russian national, reportedly received $4 billion in payments between 2011 and 2017, with a significant percentage related to money laundering (www.justice.gov/usao-ndca/pr/russian-national-and-bitcoin-exchange-charged-21-count-indictment-operating-alleged). Indeed, it is only in the last few years that exchanges that are now household names were receivers of significant criminal funds and were very hesitant and sometimes downright obstructive in dealing with law enforcement. I’m not going to name anyone here; you know who you are!

Although we looked in shock at the $3.2 billion approximate losses in exchange hacks alone, this rather pales in insignificance when we look at DeFi exploits. DeFi, or decentralized finance, is a catchall term related to the ability to stake or deposit funds into contracts that promise a return on the investment. This will be discussed in detail later, but a simple example can be the ability to deposit funds into a liquidity pool that facilitates exchange from one token to another. When users use the exchange contract, a small exchange fee is paid and those with funds in the “pool” make some profits. Less popular token exchange contracts will tend to pay a higher rate and the primary tokens pay less.

People are often surprised to learn that the $3.2 billion losses from exchanges cover a 10-year period but that losses from DeFi contracts in just the past two and a half years as of this writing total $3.4 billion of disclosed losses. The values lost are eye-watering. In March 2022 the gaming-focused Ronin network related to the crypto-based game Axie Infinity announced a loss of $625 million from a single hack against its DeFi environment. Remember that these are just the disclosed losses, although thefts from these contracts are harder to hide.

The Next Targets?

Many reports are written every year on the state of cryptocurrency crime. Good examples are by Europol, the U.S. Department of Justice, and investigation companies such as Chainalysis and TRM Labs. All these reports detail vast sums of cryptocurrencies laundered, drug financing, CSAM, hacks, and thefts—the list is almost endless. In many ways, the numbers are meaningless; the concerning reality is that there are an increasing number of ordinary people who are victims. In the early days of crypto, criminals stole from criminals and illicit payments were just another form of the traditional envelope full of cash between lawbreakers. Many of the crypto assets stolen from exchanges were funds that were already related to criminality. In the past five years I’ve been involved in the investigation of over $21 billion of cryptocurrencies related to criminality, and one of the most concerning developments is not the “calculator numbers” from each hack and theft, but how the victims are increasingly normal people.

We stated earlier how criminals go where the money is, and as cryptocurrencies began to impress themselves on society’s consciousness and newspaper articles detailed the vast profits being made as Bitcoins’ value grew beyond imagination, ordinary people began to invest. The problem? I believe that 99 percent of them didn’t understand how the technology worked that they were investing in. This made them easy targets.