Cryptocurrencies are spawning a new generation of private eyes - THE ECONOMIST
Their tools are software, and a nose for trouble
For the criminally minded, the allure of cryptocurrencies is easy to grasp. Decentralised online ledgers called blockchains allow digital assets, in the form of “tokens”, to be moved without financial institutions monitoring what is happening for signs of money-laundering or other wrongdoing. Chainalysis, a crypto-investigations firm in New York, tallied more than $53bn in suspected crypto-laundering in 2022-23, nearly double its estimate for the previous two years. Nicholas Smart of the Dubai office of Amsterdam-based Crystal Intelligence, another investigator, quips that with blockchains, “Anyone can become a bank.”
Then there is the theft of cryptocurrency. As we report in our new podcast series “Scam Inc”, so-called pig-butchering cons play on legitimate crypto owners’ naivety and emotional vulnerabilities. John Powers, boss of Hudson Intelligence, in New Paltz, New York, says many of his clients have lost tokens worth north of $100,000—and in some cases $1m. They are not alone. This global industry is now worth over $500bn a year. Crooks, moreover, have surely noted that the potential pool is growing. Token values have soared following America’s election of crypto-friendly Donald Trump.
Against this backdrop, specialist firms are developing new forensic software to comb blockchain ledgers in search of stolen digital assets, and to flag possible money-laundering, terrorist financing, and other crimes. The market for such programs is booming. Kroll, an American financial risk and advisory firm, expects revenues from its crypto-sleuthing practice to have exceeded $10m in 2024, roughly double the figure for the previous year.
Making sense of the “data lake” of blockchain ledgers is challenging. Banks, even those in Switzerland, where numbered accounts were invented, are expected to know their account-holders’ identities. But blockchains move tokens instantaneously between unique alphanumeric addresses held in digital wallets that can be opened only by private software keys. Though records of the transactions themselves are public, the identities of those behind them are not. Nor is it even clear which addresses are controlled by a given wallet. That opens all sorts of possibilities for money-laundering and illicit payments.
The puzzle of crypto transfers can sometimes, however, be solved by appropriate analytic software. Creators of this are cagey about their tricks, but the frequency and timing of transactions provide clues. An especially fruitful approach is to identify multiple addresses that contribute to a single payment. The private keys to those addresses must be held, or at least controlled, by a single entity. Importantly, as Tom Robinson, chief scientist at Elliptic, a firm in London that develops such software, observes, these “co-spend heuristics” will stand up as evidence in court.
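The co-spend idea described above can be sketched as a union-find clustering over transaction inputs. This is an added example, not code from the article or from any firm it names; the ledger is constructed sample data, and the equal-output filter for collaborative payments (where several parties fund one transaction and the heuristic would merge them wrongly) is a simplified assumption that goes beyond the text.

```python
from collections import Counter, defaultdict

# Constructed sample ledger (not real data): funding addresses and outputs.
SAMPLE_TXS = [
    {"id": "tx1", "inputs": ["A1", "A2"], "outputs": [("M1", 5.0)]},
    {"id": "tx2", "inputs": ["A2", "A3"], "outputs": [("M2", 1.2), ("A4", 0.3)]},
    {"id": "tx3", "inputs": ["B1"], "outputs": [("M1", 2.0)]},
    {"id": "tx4", "inputs": ["B1", "B2"], "outputs": [("X9", 0.7)]},
    # Collaborative-style payment: three parties, three equal outputs.
    {"id": "tx5", "inputs": ["A1", "B2", "C1"],
     "outputs": [("P1", 1.0), ("P2", 1.0), ("P3", 1.0)]},
]

class DisjointSet:  # union-find over address strings
    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        self.parent[self.find(b)] = self.find(a)

def looks_collaborative(tx, min_equal=3):
    """Assumed filter: at least min_equal inputs and equal-valued outputs."""
    counts = Counter(amount for _, amount in tx["outputs"])
    return (len(set(tx["inputs"])) >= min_equal
            and max(counts.values(), default=0) >= min_equal)

def cluster_by_cospend(txs, skip_collaborative=True):
    """Return (clusters, skipped_ids); clusters are sorted address lists."""
    ds, skipped = DisjointSet(), []
    for tx in txs:
        if skip_collaborative and looks_collaborative(tx):
            skipped.append(tx["id"])
            continue
        first = tx["inputs"][0]
        for addr in tx["inputs"]:  # also registers single-input spenders
            ds.union(first, addr)
    groups = defaultdict(list)
    for addr in list(ds.parent):
        groups[ds.find(addr)].append(addr)
    return sorted(sorted(g) for g in groups.values()), skipped

if __name__ == "__main__":
    print(cluster_by_cospend(SAMPLE_TXS))
```

Calling `cluster_by_cospend(SAMPLE_TXS, skip_collaborative=False)` shows the failure mode: the single collaborative-looking transaction collapses every address into one cluster.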
Money laundering and illicit payments are not the only shady activities which transaction patterns can illuminate. The use of “ransomware” is another. Ransomware is software installed illicitly on a computer that then locks valuable data held on it until a crypto payment is made. The proceeds, says Phil Larratt, who was once a financial investigator with Britain’s National Crime Agency and now works for Chainalysis, are then typically split about 70-30 between the gang’s negotiators and the ransomware’s developers.
Mr Larratt says pig-butchering scams involving romance also generate fingerprints. They involve “approval phishing”—fooling lonely hearts into authorising malicious transactions, often with help from a bogus crypto app. This lets a scammer withdraw the victim’s funds. Chainalysis has identified $2.7bn in such fraud since May 2021, passing relevant data to the police. In one case, this allowed the notification of a soon-to-be victim just in time.
Many of Chainalysis’s customers are crypto exchanges (places that convert digital assets into conventional currency, and vice versa) seeking to comply with the requirements of the Financial Action Task Force, an intergovernmental body based in Paris. In 2019 this outfit issued rules requiring exchanges in member countries, now numbering 36, to spot and report “sketchy crypto transactions”. Similar rules have been put in place elsewhere, too. Red flags include large conversions of digital assets into normal currency despite a high commission, and also the transfer of tokens purchased in cash to multiple exchanges in foreign jurisdictions, especially dodgy ones, like Russia.
“Obfuscation manoeuvres”, such as scattering funds into multiple wallets only to reconsolidate them elsewhere, or transfers through several cryptocurrencies, are another tip-off. The best software can now trace assets that have passed through hundreds of wallets. The objective is to identify the funds’ arrival in an exchange where they can be seized by a court. Some crypto exchanges even design trading apps to scan users’ devices remotely. One warning sign is when multiple accounts are controlled from a single mobile phone, says Azariah Nukajam, compliance boss in Britain for Gemini, an exchange in New York.
Developers of device-scanning software are understandably tight-lipped. But Jeremy Doyle, head of growth for anti-money-laundering analytics at SEON, based in Austin, Texas, and Budapest, says its software assesses things like a phone’s number, location, model, storage capacity and how data are entered. Human beings enter data slightly irregularly. Bots tend to be inhumanly precise in such matters.
“Off-chain” work enriches the picture. Many analytics firms send messages feigning interest to fishy exchanges and investment schemes, in order to obtain scammers’ crypto addresses. They also monitor online forums where scammers share tips and malicious code. Jeremy Sheridan of FTI Consulting in Washington, DC, says his firm has cracked blockchain investigations with titbits gathered this way. Following social media helps, as well. Mr Smart says he and his colleagues at Crystal Intelligence found a picture of “a box room in a suburb of Beirut” that revealed the QR code of a shady crypto outfit run from the place. Information from an Israeli intelligence service helped his team conclude that the operation had received more than $7m in cash from Hizbullah, a Lebanese terrorist militia.
For all this, the sleuths remain the underdogs. Ironically, the sort of artificial intelligence which might really help cannot be fully applied to crypto investigations. Its complexity means even its programmers and operators cannot know exactly how it arrives at its conclusions. Those conclusions thus do not stand up as evidence in court. Instead, the software used is “rules-based”, so authorities can see how its conclusions have been drawn. With that unlikely to change, Mr Powers of Hudson Intelligence reckons crypto’s cat-and-mouse game is just getting going.