
Crypto Red Flags for Law Enforcement—How to know if your investigation involves cryptocurrency

According to the US Department of Treasury, since 2013 there has been a consistent decrease in reported bulk cash seizures by agencies throughout the United States. This could indicate that criminals are increasingly using cryptocurrency in place of cash. A lack of cash seizures for known cash-intensive activities should be an automatic red flag for potential cryptocurrency usage to obfuscate and move funds.

The signs of cryptocurrency usage, however, can easily be overlooked by investigators who do not know what to look for. Investigators should be alert to the following signs that may indicate cryptocurrency is being used to hide criminal funds.

Phones and Computers:

Check phones and computers for cryptocurrency-related applications and bookmarks. These could be either software wallets or cryptocurrency exchanges that the user accesses through their devices. Old, disconnected, and seemingly non-functioning computers could hold the private keys to cryptocurrency wallets. These devices should be evaluated for the following:

 

Figure 1: Popular crypto apps available for download from the Apple App Store

Mobile Wallets 

Many mobile wallets are compatible with both Android and iOS devices, including iPads and other tablets. Examples include, but are not limited to:

Exchanges: 

  • Abra 
  • Binance 
  • BitPay 
  • Blockchain Wallet 
  • CashApp 
  • Cex.io 
  • Circle 
  • Coinbase 
  • Crypto.com 
  • Gemini 
  • Huobi 
  • Paxful 
  • Remitano 
  • Uphold 
  • Changelly 
  • Shapeshift 

Private Wallets: 

  • Atomic Wallet 
  • BRD 
  • Exodus 
  • Ledger Live 
  • LiteWallet (Litecoin only) 
  • Metal Pay 
  • MyMonero (Monero only) 
  • Trust 
  • ZenGo 

Bitcoin ATM Finders:

  • CoinATMRadar 
  • LibertyX 

Mobile wallets can be found by searching through a person’s applications or in the search bar. A search for “crypto” or “bitcoin” can often reveal associated applications on a user’s mobile device.

Web Wallets 

Web wallets must be accessed through a web browser such as Chrome, Safari, or Brave. Web wallets can be hosted or unhosted depending on a user’s needs and security preferences. Web wallets can be found by looking through a person’s open browser tabs, bookmarks, search history, or even saved passwords. Many of the aforementioned mobile wallets also have corresponding web wallets.
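One way to triage the bookmarks mentioned above, as an added example that is not part of the original article: it walks a Chrome-format Bookmarks JSON file and flags entries whose title or host name contains one of the service names listed earlier, matching whole words so that unrelated pages such as cryptography notes are not flagged. The function names and the sample bookmark data are constructed for illustration, and a match is a lead to follow up, not proof of use.

```python
import json
import re
from urllib.parse import urlsplit

# Names copied from the article's lists, plus its suggested search terms.
# Ambiguous names (Trust, BRD, Circle, Gemini, Abra, Uphold) are left out.
TERMS = ["Binance", "BitPay", "Blockchain Wallet", "CashApp", "Cex.io",
         "Coinbase", "Crypto.com", "Huobi", "Paxful", "Remitano", "Changelly",
         "Shapeshift", "Atomic Wallet", "Exodus", "Ledger Live", "LiteWallet",
         "MyMonero", "ZenGo", "CoinATMRadar", "LibertyX", "crypto", "bitcoin"]

def _grams(tokens):
    """Single tokens plus adjacent pairs joined, e.g. 'cex' + 'io' -> 'cexio'."""
    return set(tokens) | {a + b for a, b in zip(tokens, tokens[1:])}

def walk(node, folder=""):
    """Yield (folder_path, title, url) for every URL entry below a node."""
    if node.get("type") == "url":
        yield folder, node.get("name", ""), node.get("url", "")
    for child in node.get("children", []):
        yield from walk(child, f"{folder}/{node.get('name', '')}".strip("/"))

def flag_bookmarks(bookmarks_json):
    """Return (folder, title, url, matched_terms) for entries worth a review."""
    wanted = {re.sub(r"[^a-z0-9]", "", t.lower()): t for t in TERMS}
    hits = []
    for root in json.loads(bookmarks_json).get("roots", {}).values():
        if not isinstance(root, dict):
            continue  # skip any non-folder value stored under "roots"
        for folder, title, url in walk(root):
            host = (urlsplit(url).hostname or "").lower()
            words = re.findall(r"[a-z0-9]+", title.lower())
            seen = _grams(host.split(".")) | _grams(words)
            matched = sorted(wanted[k] for k in seen & wanted.keys())
            if matched:
                hits.append((folder, title, url, matched))
    return hits

# Constructed sample in the Chrome "Bookmarks" JSON layout (not real data).
SAMPLE = json.dumps({"roots": {"bookmark_bar": {
    "type": "folder", "name": "Bookmarks bar", "children": [
        {"type": "url", "name": "CEX.IO", "url": "https://cex.io/"},
        {"type": "folder", "name": "Recipes", "children": [
            {"type": "url", "name": "Log in", "url": "https://www.coinbase.com/signin"},
            {"type": "url", "name": "Cryptography lecture notes",
             "url": "https://university.example/crypto101"}]}]}}})

if __name__ == "__main__":
    print(*flag_bookmarks(SAMPLE), sep="\n")
```

The second hit in the sample sits in an unrelated folder under a generic title, which is why the host name is checked as well as the bookmark title.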

Desktop Wallets 

Desktop wallets are downloadable applications that run on a computer instead of through a web browser. These wallets are installable on operating systems such as Mac, Windows, and Linux. Below are some of the most common desktop wallets as noted by https://coinswitch.co/news/desktop-wallet

Pocket Litter: 

  • “Pocket litter” or any other random papers should be evaluated for lists of seemingly random words (typically 12, but some wallets can support seed phrases up to 33 words) that, if used in the correct order, could be used to recover a crypto wallet.
  • Recovery seeds can also be hidden within books, planners, and unrelated notes, or in plain sight as clear lists or metal backups. 

 

Figure 2: Recovery Seed written on a notecard  (image source: https://wiki.trezor.io/User_manual:Filling_out_your_recovery_card)

 

Figure 3: Steel Wallet Recovery Seed (image source: https://blog.trezor.io/steel-bundle-trezor-one-cryptosteel-e02cadaeb4dc)

 

Figure 4: Recovery seed hidden in a daily planner (image source: https://www.justice.gov/usao-or/page/file/1232626/download)

 

  • Pocket litter should also be evaluated for Bitcoin ATM receipts. While many BATM receipts will say bitcoin, or some “bit” derivative thereof, some bitcoin ATM receipts are less conspicuous than others. In more inconspicuous cases, phrases such as “ledger balance” can tip you off to crypto usage. 

 

Figure 5: EasyBit Bitcoin ATM Receipt (image source: https://coinatmradar.com/blog/using-a-bitcoin-atm-satoshi1-machine-at-vape-dynamiks-in-athens-ga/)

 

Authenticator Apps: 

  • 2-Factor Authentication is common practice to secure user accounts at cryptocurrency exchanges. Looking through authenticator apps can reveal ties to specific exchanges. 

 

Figure 6: Google Authenticator codes indicate association with cryptocurrency exchange Coinbase

Photos and Screen Shots: 

  • Looking through a suspect’s photos can reveal valuable information such as recovery seeds, specific transactions or wallet and exchange services used.  

Figure 7: Screenshots from BTC transaction sent through BRD App

Hardware Wallets: 

  • Hardware wallets can come in all shapes and sizes, with some even looking like simple USB drives. 

 

Figure 8: Hardware wallets compared (image source: https://www.reddit.com/r/Bitcoin/comments/80m8dy/just_a_quick_sizeform_factor_comparison_of_4/)

 List of Common Hardware Wallets 

The following list consists of common hardware wallets investigators may run into: 

Make  Model  Link 
Archos  Safe-T Mini  https://shop.archos.com/fr/hardware-wallet/588-archos-safe-t-mini.html 
Archos  Safe-T Touch  https://shop.archos.com/us/hardware-wallet/719-archos-safe-t-touch-0690590037359.html 
BC Vault  One  https://bc-vault.com/shop/bc-vault/ 
Bitfi    https://bitfi.com/ 
Bitlox    https://www.bitlox.com/ 
Cobo  Vault Essential  https://shop.cobo.com/products/cobo-vault-essential 
Cobo  Vault Pro  https://shop.cobo.com/products/cobo-vault 
Cobo  Vault Ultimate  https://cobo.com/hardware-wallet/hardware-wallet-comparison 
Coinkite  Coldcard Mk3  https://store.coinkite.com/store/coldcard
Coinkite  Opendime  https://opendime.com/ 
Cool Wallet  S  https://www.coolwallet.io/product/coolwallet/ 
D’CENT  Biometric Wallet  https://dcentwallet.com/Shop/detail/b15125cd52814be19a3f0edf54c8bc17 
Ellipal  Titan  https://www.ellipal.com/products/ellipal-titan 
Elliptic Secure  MIRkey  https://ellipticsecure.com/order.html 
Elliptic Secure  eHSM  https://ellipticsecure.com/order.html 
Hash Wallet    https://gethashwallet.com/ 
KeepKey  Hardware Wallet  https://keepkey.myshopify.com/collections/frontpage/products/keepkey-the-simple-bitcoin-hardware-wallet 
Keevo  Model 1  https://www.keevowallet.com/collections/choose-your-keevo-wallet 
KeyCard    https://get.keycard.tech/ 
Ledger  Blockchain Lockbox  https://www.blockchain.com/lockbox
Ledger  Nano X  https://shop.ledger.com/products/ledger-nano-x?r=9621 
Ledger  Nano S  https://shop.ledger.com/products/ledger-nano-s 
Ledger  Blue  https://shop.ledger.com/products/ledger-blue?r=5c71&path=/products/ledger-blue&tracker=FINDERGX 
Ledger  Blockstream Nano S  https://store.blockstream.com/product/blockstream-ledger-nano-s/ 
Ngrave  Zero  https://www.ngrave.io/products/zero 
SafePal  S1  https://shop.safepal.io/products/safepal-hardware-wallet-s1-bitcoin-wallet 
Secalot  Dongle  https://www.secalot.com/product/secalot-dongle/ 
SecuX  V20  https://shop.secuxtech.com/ 
SecuX  W20  https://shop.secuxtech.com/ 
SecuX  W10  https://shop.secuxtech.com/ 
Shift Crypto  BitBox02 Bitcoin-only edition  https://shiftcrypto.shop/en/products/bitbox02-bitcoin-only-edition-4/ 
Shift Crypto  BitBox02 Multi edition  https://shiftcrypto.shop/en/products/bitbox02-multi-edition-2/ 
Trezor  Model T  https://shop.trezor.io/product/trezor-model-t 
Trezor  One  https://shop.trezor.io/product/trezor-one-white 
Trezor  Gray Corazon Titanium  https://gray.inc/collections/corazon-wallet 
Trezor  Gray Corazon Stealth  https://gray.inc/collections/corazon-wallet 
Trezor  Gray Corazon Gold  https://gray.inc/collections/corazon-wallet 
XZEN  Wallet  https://xzen.io/wallet 

 

The signs of cryptocurrency use can be easily overlooked by investigators; hardware wallets can look like inconspicuous USB sticks and recovery seeds are just random words on a page. The preceding signs may indicate cryptocurrency is being used to hide criminal funds—especially when there is a lack of cash seizure for known cash-intensive activities. Investigators must remain alert to these red flags during evidence collection. Blockchain analysis tools like CipherTrace Inspector can then be used to easily verify the source of funds and detect any association with dark markets or other criminal activity.
