Are virtual currency transactions really anonymous? How do police track the flow of funds and identify suspects?

"I did organize and plan this project. I want to know how you found the operator behind it. From what I understand, it's impossible for you to find me. What did you rely on?"

The above comes from the case details disclosed by the Shen County Public Security Bureau in handling the "12.04" virtual currency pyramid scheme case. During interrogation, the criminal suspect and pyramid scheme leader Zhang put this question to the police officer in genuine confusion.

When Lawyer Shao handles criminal cases involving black and gray industries and virtual currencies, many clients have the same question. For example, they ask me: "Lawyer Shao, when I was doing this, I was abroad, and my boss was also abroad. We usually communicated using TG (Telegram, the 'airplane' app), with messages burned after reading. Aren't virtual currency transactions anonymous? How can the police catch me?"

So today let's talk about how the police track virtual currency transactions and identify suspects in virtual currency criminal cases.

Author: Lawyer Shao Shiwei
1. Is cryptocurrency trading really anonymous?

As one of the applications of blockchain technology, virtual currency has the advantages of decentralization, privacy protection, reduced transaction costs, and high rates of return. At the same time, because of the degree of anonymity it offers, it is often exploited by criminals as a tool for money laundering and other gray and black industry transactions.

But virtual currency is not completely anonymous; it is pseudonymous. Every transaction is public on the chain, and the only missing piece is the link between an address and a real-world identity. And since virtual currency exchanges must comply with Know Your Customer (KYC) and Anti-Money Laundering (AML) regulations, that missing link is often available to law enforcement, which makes tracking transactions on the blockchain considerably easier.

Because a public, tamper-proof ledger sits behind every virtual currency, collecting evidence on virtual currency transactions is actually very friendly to the public security organs.

2. How do public security agencies track currency flows and identify suspects?

In the early years, local public security organs had little understanding of currency-related cases, few cases were filed for investigation, and many victims had no way to protect their rights.

However, as case-handling units have gained a deeper understanding of virtual currencies, their ability to track and analyze the on-chain flow of funds has grown accordingly. Here are a few common methods:

1. On-chain address association analysis

By analyzing the transaction graph with blockchain explorers (such as Tronscan and OKEx), investigators can identify common-input and fund-collection patterns between addresses. For example, if multiple addresses frequently transfer funds to the same target address, it can be inferred that they are controlled by the same entity.

Based on Lawyer Shao's experience representing clients in currency-related cases, this analysis method is most often used in virtual currency pyramid scheme cases and casino-operation cases.

In the Liaocheng "12.04" virtual currency pyramid scheme case mentioned above, the police found that the pyramid scheme platform generated multiple addresses through the TokenPocket wallet to collect funds, eventually transferred the funds to a main address, and withdrew them through an exchange. By analyzing the transaction frequency and fund volume of these addresses, the mastermind was identified.

In many casino-related cases represented by Lawyer Shao, the profit settlement between the casino and its payment settlement personnel likewise used the collection address as the breakthrough point for establishing the identities of the people involved.

2. Exchange KYC verification

At present, most mainstream virtual currency exchanges (such as Binance, OKX, Huobi HTX) and digital wallet platforms (such as ImToken) publish on their official websites their policies for cooperating with law enforcement, along with dedicated channels for cooperating with mainland public security organs.

Law enforcement officers can send a letter of cooperation to the exchange by email, requesting the suspect's registration information, facial photos, financial information, deposit and withdrawal records, wallet addresses for the various currencies, fiat transactions, crypto-to-crypto transactions, contract (derivatives) transactions, login IP addresses, MAC addresses and other device information.

In addition, at the request of law enforcement agencies, the exchange will freeze the virtual currency in the suspect's account. The freeze lasts one year, but the law enforcement agency can apply for renewal before it expires.

3. Gas fee and transaction hash tracking

Every successful virtual currency transaction requires a gas fee paid in the chain's native token (TRX, ETH, etc.). When tracing the wallet address on which a suspect received the stolen funds, the suspect's record of buying that gas token from an exchange can be traced as well. For example, in one case the police analyzed where the gas fees for the address involved had come from and found that they had been paid with TRX bought through a Binance account, thereby identifying the exchange account.

In virtual currency transactions, the transaction hash guarantees both the uniqueness and the immutability of a transaction: each transaction produces a unique hash derived from its contents, so any alteration would change it. Looking up a transaction hash shows the transaction details, such as the sender's address, the receiver's address, the amount, the transaction fee, and so on.

By providing the gas fee purchase records and transaction hashes to the virtual currency exchange, investigators can obtain the suspect's KYC information (passport, ID card, email address, mobile phone number, etc.).

4. Device fingerprint and IP association

Investigators use the login IP addresses and device identifiers (such as a mobile phone's IMEI and MAC address) recorded by the exchange or wallet to link the operation of multiple addresses to one device and thus to one target.

For example, in the case of the MIT hacker brothers, the FBI analyzed the VPN logs and device fingerprints used by the suspects and found that they had logged into the same exchange account multiple times, ultimately locating their physical whereabouts[i].

5. Cross-chain exchange and currency mixing cracking

Many suspects think that cross-chain transactions or coin mixers will better conceal their identities, but this is not necessarily the case.

Cross-chain tracking: follow the path of fund transfers across cross-chain bridges (e.g. Bitcoin → Ethereum) by matching the transaction hashes on both sides.

Mixer analysis: use on-chain fingerprinting techniques (such as transaction timing and amount patterns) to match the input and output addresses of mixers (such as Tornado Cash).

For example, when the U.S. Department of Justice recovered the Colonial Pipeline ransom, it analyzed the hackers' "chain money laundering" path and ultimately obtained the private key string for a key address ending in the characters "dh77gls"[ii].

6. International cooperation and stablecoin freezing

For stablecoins such as USDT, the public security organs can require the issuer (such as Tether) to freeze the funds at the addresses involved. International cooperation is also possible.

For example, the police in Jingmen, Hubei, cracked a cross-border online gambling case with a turnover of 400 billion yuan (the country's "first virtual currency case"). According to reports, "because the platform used virtual currency for all settlements, the public security organs liaised with the virtual currency issuer and froze the relevant virtual currency accounts involved in the case."

Similarly, in the 55 million Ethereum theft case in Neijiang, Sichuan, it was reported that "in order to solve this case, the Sichuan police carried out 14 rounds of international cooperation with Singapore, the United States, and the Netherlands. In the course of the investigation they refined a set of techniques and tactics for analyzing blockchain addresses, retrieved data from overseas virtual currency exchanges more than 70 times, and traced more than 20,000 blockchain addresses"[iii].

7. Trace back from the final withdrawal flow

In most countries the virtual currency a suspect holds cannot be spent directly on daily consumption, so black and gray industry transactions always need an outlet: exchanging virtual currency for fiat currency. The person who performs that exchange becomes the breakthrough point for tracing the identities of the upstream criminals.

8. Abnormal transactions trigger risk control

The reason many people's bank cards get frozen is that frequent fast-in, fast-out transactions trigger the bank's risk control system. The same holds in the Web3 world.

Generally speaking, ordinary cryptocurrency traders keep their funds on the platform for trading rather than repeatedly moving large sums in and out. Therefore, when tracing the flow of coins, an address whose funds come in and go out again quickly will be treated as a suspicious address.
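As an added illustration (not part of Lawyer Shao's article) of three of the on-chain heuristics described above, the fund-collection pattern from method 1, the gas-fee source from method 3, and the fast-in, fast-out pattern from this method, the following Python runs them over a small constructed set of transfers. The addresses, hashes and timestamps are made up; a real investigation would pull the same fields from an explorer such as Tronscan.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample transfers (not real on-chain data): (tx hash, timestamp, sender, receiver, amount, token)
TRANSFERS = [
    ("tx01", "2024-01-05 09:00", "TMember1", "TCollectA", 1000, "USDT"),
    ("tx02", "2024-01-05 09:10", "TMember2", "TCollectA", 800, "USDT"),
    ("tx03", "2024-01-05 09:20", "TMember3", "TCollectB", 1200, "USDT"),
    ("tx04", "2024-01-05 10:00", "TCollectA", "TMain", 1800, "USDT"),
    ("tx05", "2024-01-05 10:05", "TCollectB", "TMain", 1200, "USDT"),
    ("tx06", "2024-01-05 10:40", "TMain", "TExchDeposit1", 3000, "USDT"),
    ("tx07", "2024-01-04 18:00", "TExchHotWallet", "TCollectA", 20, "TRX"),
    ("tx08", "2024-01-10 12:00", "TRetail", "TExchDeposit2", 500, "USDT"),
]

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")

def collection_targets(transfers, token="USDT", min_senders=2):
    """Addresses receiving `token` from at least `min_senders` distinct
    senders: the fund-collection pattern that points to one controller."""
    senders = defaultdict(set)
    for _, _, src, dst, _, tok in transfers:
        if tok == token:
            senders[dst].add(src)
    return {a: s for a, s in senders.items() if len(s) >= min_senders}

def fast_in_out(transfers, token="USDT", window_minutes=60):
    """Addresses that forward `token` within `window_minutes` of receiving
    it: the fast-in, fast-out behaviour that trips risk-control systems."""
    window = timedelta(minutes=window_minutes)
    inbound = defaultdict(list)
    for _, ts, _, dst, _, tok in transfers:
        if tok == token:
            inbound[dst].append(_ts(ts))
    flagged = set()
    for _, ts, src, _, _, tok in transfers:
        if tok != token:
            continue
        out_t = _ts(ts)
        if any(timedelta(0) <= out_t - t <= window for t in inbound[src]):
            flagged.add(src)
    return flagged

def gas_funder(transfers, address, gas_token="TRX"):
    """Sender of the earliest gas-token transfer into `address`. On TRON this
    is often an exchange hot wallet, i.e. a withdrawal tied to a KYC'd account."""
    gas_in = [(_ts(ts), src) for _, ts, src, dst, _, tok in transfers
              if dst == address and tok == gas_token]
    return min(gas_in)[1] if gas_in else None
```

On the constructed data the two collection addresses and the main address are flagged as fast pass-throughs, the main address is identified as the collection point for both collectors, and the gas for one collector traces back to an exchange hot wallet.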

3. Conclusion

Criminals may mistakenly believe that virtual currency transactions are anonymous, so investigators cannot identify their real identities; that virtual currency exchanges are all overseas, so domestic police will find it hard to investigate and collect evidence; that cross-chain transfers and coin mixers cannot be traced; and so on. On that basis they engage in black and gray industry transactions without restraint. In the end, this gambler's mentality only lands them in a deeper predicament.

After being arrested, some clients have told me how much they regretted their actions. But what they regretted was not that they had broken the law; it was that they had not designed the transaction chain to be more secretive.

Faced with such a person, sometimes I don't know what to say and can only sigh in response.


[i] Two hacker brothers who graduated from MIT were arrested for stealing $25 million worth of cryptocurrency in 12 seconds. http://note.f5.pm/go-240378.html

[ii] The U.S. Department of Justice seized 63.7 bitcoins from the hackers' extortion, and bitcoin fell more than 10% in a single day. Jiemian News. https://m.jiemian.com/article/6209923.html

[iii] The 55 million blockchain asset theft case in Neijiang, Sichuan has been solved! https://xinjiapo.news/news/215601/


Source for the "12.04" case: After a thorough investigation, the Shen County Public Security Bureau successfully cracked the city's first major virtual currency pyramid scheme. https://mp.weixin.qq.com/s/KduRfmY5hk8r6xLO5t_epQ