Crypto Red Flags for Law Enforcement—How to know if your investigation involves cryptocurrency
According to the US Department of Treasury, since 2013 there has been a consistent decrease in reported bulk cash seizures by agencies throughout the United States. This could indicate that criminals are increasingly using cryptocurrency in place of cash. The lack of cash seizure for known cash-intensive activities should be an automatic red flag for potential cryptocurrency usage to obfuscate and move funds.
The signs of cryptocurrency usage, however, can easily be overlooked by investigators unfamiliar with what to look for. Investigators should be wary of the following signs that may indicate cryptocurrency is being used to hide criminal funds.
Phones and Computers:
Check phones and computers for cryptocurrency-related applications and bookmarks. These could either be software wallets or cryptocurrency exchanges they are accessing through their devices. Old, disconnected, and seemingly non-functioning computers could hold the private keys to cryptocurrency wallets. These devices should be evaluated for the following:
Figure 1: Popular crypto apps available for download from the Apple App Store
Many mobile wallets are compatible with both Android and iOS devices, including iPads and other tablets. Examples include, but are not limited to:
- Blockchain Wallet
- Atomic Wallet
- Ledger Live
- LiteWallet (Litecoin only)
- Metal Pay
- MyMonero (Monero only)
Bitcoin ATM Finders
Mobile wallets can be found by searching through a person’s applications or in the search bar. A search for “crypto” or “bitcoin” can often reveal associated applications available on a user’s mobile device.
Web wallets must be accessed through a web browser such as Chrome, Safari, or Brave. Web wallets can be hosted or unhosted depending on a user’s needs and security preferences. Web wallets can be found by looking through a person’s open tabs in their browser, bookmarks, search history, or even saved passwords. Many of the aforementioned mobile wallets also have corresponding web wallets.
Desktop wallets are available as downloadable applications that can be run on a computer instead of through a web browser. These wallets are installable on operating systems such as Mac, Windows, and Linux. Below are some of the most common desktop wallets as noted by https://coinswitch.co/news/desktop-wallet.
- “Pocket litter” or any other random papers should be evaluated for lists of seemingly random words—typically 12, but some wallets can support seed phrases up to 33 words—that, if used in the correct order, could be used to recover a crypto wallet.
- Recovery seeds can also be hidden within books, planners, and unrelated notes, or in plain sight as clear lists or metal backups.
Figure 2: Recovery Seed written on a notecard (image source: https://wiki.trezor.io/User_manual:Filling_out_your_recovery_card)
Figure 3: Steel Wallet Recovery Seed (image source: https://blog.trezor.io/steel-bundle-trezor-one-cryptosteel-e02cadaeb4dc)
Figure 4: Recovery seed hidden in a daily planner. (image source: https://www.justice.gov/usao-or/page/file/1232626/download)
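A triage sketch for the seed-phrase check described above, added here as an example and not taken from the original article: it flags runs of 12 to 33 consecutive wordlist words in text extracted from notes or photos. The wordlist, sample notes and function name are constructed for illustration, and the sketch assumes the wallet draws its words from a fixed published list that would be loaded in full in practice.

```python
import re

# Constructed stand-in for a wallet's seed wordlist (assumption: the wallet
# draws words from a fixed public list; load the full list from a file in practice).
SAMPLE_WORDLIST = frozenset(
    "abandon ability able about above absent absorb abstract absurd abuse "
    "access accident account accuse achieve acid".split()
)

# Constructed sample: text extracted from a planner page (not real evidence).
SAMPLE_NOTES = """Dentist Tuesday 3pm
call about the bank
1. abandon 2. ability 3. able 4. about
5. above 6. absent 7. absorb 8. abstract
9. absurd 10. abuse 11. access 12. accident
pick up dry cleaning
"""

def find_seed_candidates(text, wordlist, min_words=12, max_words=33):
    """Locate runs of consecutive wordlist words in extracted text.

    Numbering ("1.", "2)") and punctuation are ignored, and a run may span
    lines, as on a recovery card. Each hit gives the 1-based start line, the
    word count, and a masked preview so the report does not copy the phrase.
    """
    hits, run, start = [], [], None

    def flush():
        # Keep the run only if its length is plausible for a seed phrase.
        if min_words <= len(run) <= max_words:
            hits.append({"line": start, "count": len(run),
                         "preview": f"{run[0]} ... {run[-1]}"})
        run.clear()

    for lineno, line in enumerate(text.splitlines(), 1):
        for token in re.findall(r"[A-Za-z]+|\d+", line):
            if token.isdigit():
                continue  # list numbering between words does not break a run
            word = token.lower()
            if word in wordlist:
                if not run:
                    start = lineno
                run.append(word)
            else:
                flush()  # an ordinary word ends the current run
    flush()
    return hits
```

The report carries only the location, length and first and last word of each hit, so the full phrase stays in the original evidence item.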
- Pocket litter should also be evaluated for Bitcoin ATM receipts. While many BATM receipts will say bitcoin, or some “bit” derivative thereof, some bitcoin ATM receipts are less conspicuous than others. In more inconspicuous cases, phrases such as “ledger balance” can tip you off to crypto usage.
Figure 5: EasyBit Bitcoin ATM Receipt (image source: https://coinatmradar.com/blog/using-a-bitcoin-atm-satoshi1-machine-at-vape-dynamiks-in-athens-ga/)
- 2-Factor Authentication is common practice to secure user accounts at cryptocurrency exchanges. Looking through authenticator apps can reveal ties to specific exchanges.
Figure 6: Google Authenticator codes indicate association with cryptocurrency exchange Coinbase
Photos and Screen Shots:
- Looking through a suspect’s photos can reveal valuable information such as recovery seeds, specific transactions or wallet and exchange services used.
Figure 7: Screenshots from BTC transaction sent through BRD App
- Hardware wallets can come in all shapes and sizes, with some even looking like simple USB drives.
Figure 8: Hardware wallets compared (image source: https://www.reddit.com/r/Bitcoin/comments/80m8dy/just_a_quick_sizeform_factor_comparison_of_4/)
List of Common Hardware Wallets
The following list consists of common hardware wallets investigators may run into:
The signs of cryptocurrency use can be easily overlooked by investigators; hardware wallets can look like inconspicuous USB sticks and recovery seeds are just random words on a page. The preceding signs may indicate cryptocurrency is being used to hide criminal funds—especially when there is a lack of cash seizure for known cash-intensive activities. Investigators must remain alert to the presence of these red flags upon evidence collection. Blockchain analysis tools like CipherTrace Inspector can then be used to easily verify the source of funds and detect any association with dark markets or other criminal activity.