
Crypto Red Flags for Law Enforcement—How to know if your investigation involves cryptocurrency

According to the US Department of Treasury, since 2013 there has been a consistent decrease in reported bulk cash seizures by agencies throughout the United States. This could be indicative of increased cryptocurrency use by criminals in place of cash. The lack of cash seizures for known cash-intensive activities should be an automatic red flag for potential cryptocurrency usage to obfuscate and move funds.

The signs of cryptocurrency usage, however, can easily be overlooked by investigators unfamiliar with what to look for. Investigators should be alert to the following signs that may indicate cryptocurrency is being used to hide criminal funds.

Phones and Computers:

Check phones and computers for cryptocurrency-related applications and bookmarks. These could be either software wallets or cryptocurrency exchanges that the user accesses through the device. Old, disconnected, and seemingly non-functioning computers could hold the private keys to cryptocurrency wallets. These devices should be evaluated for the following:


Figure 1: Popular crypto apps available for download from the Apple App Store

Mobile Wallets 

Many mobile wallets are compatible with both Android and iOS devices, including iPads and other tablets. Examples include, but are not limited to:


  • Abra 
  • Binance 
  • BitPay 
  • Blockchain Wallet 
  • CashApp 
  • Circle 
  • Coinbase 
  • Gemini 
  • Huobi 
  • Paxful 
  • Remitano 
  • Uphold 
  • Changelly 
  • Shapeshift 

Private Wallets: 

  • Atomic Wallet 
  • BRD 
  • Exodus 
  • Ledger Live 
  • LiteWallet (Litecoin only) 
  • Metal Pay 
  • MyMonero (Monero only) 
  • Trust 
  • ZenGo 

 Bitcoin ATM Finders 

  • CoinATMRadar 
  • LibertyX 

Mobile wallets can be found by looking through a person’s installed applications or by using the device’s search bar. A search for “crypto” or “bitcoin” can often reveal associated applications on a user’s mobile device.

Web Wallets 

Web wallets must be accessed through a web browser such as Chrome, Safari, or Brave. Web wallets can be hosted or unhosted depending on a user’s needs and security preferences. Web wallets can be found by looking through a person’s open browser tabs, bookmarks, search history, or even saved passwords. Many of the aforementioned mobile wallets also have corresponding web wallets.
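As an added illustration (not part of the original article), the Python example below triages a browser bookmark export for the wallet and exchange names listed on this page. It assumes the Chromium-style `Bookmarks` JSON layout (`roots` containing nested `children` with `type`, `name` and `url`); the term list, function names and sample data are constructed for the example.

```python
import json
import re
from urllib.parse import urlsplit

# Service names from this page's lists. Names that are also everyday words
# (Circle, Trust, Gemini, Exodus) are left out to limit false hits.
SERVICE_NAMES = {"abra", "binance", "bitpay", "coinbase", "huobi", "paxful",
                 "remitano", "uphold", "changelly", "shapeshift", "mymonero",
                 "zengo", "coinatmradar", "libertyx"}
GENERIC_TERMS = ("crypto", "bitcoin")  # search terms the page suggests

# Constructed sample in the assumed Chromium Bookmarks layout (not real evidence).
SAMPLE = json.dumps({"roots": {
    "bookmark_bar": {"type": "folder", "name": "Bookmarks bar", "children": [
        {"type": "url", "name": "Weather", "url": "https://weather.example/"},
        {"type": "folder", "name": "Misc", "children": [
            {"type": "url", "name": "Sign in", "url": "https://www.coinbase.com/signin"},
            {"type": "url", "name": "Abracadabra Magic Shop", "url": "https://magic.example/"},
            {"type": "url", "name": "Bitcoin ATM map", "url": "https://coinatmradar.com/"}]}]},
    "other": {"type": "folder", "name": "Other bookmarks", "children": []}}})

def match_terms(title, url):
    """Return sorted indicator terms found in a bookmark title or URL hostname."""
    host = (urlsplit(url).hostname or "").lower()
    text = f"{title} {host}".lower()
    # Whole-token match for names so "abra" does not fire on "abracadabra".
    hits = SERVICE_NAMES & set(re.split(r"[^a-z0-9]+", text))
    hits.update(term for term in GENERIC_TERMS if term in text)
    return sorted(hits)

def walk(node, path=()):
    """Yield (folder_path, title, url) for every URL entry below a node."""
    if node.get("type") == "url":
        yield "/".join(path), node.get("name", ""), node.get("url", "")
    for child in node.get("children", []):
        yield from walk(child, path + (node.get("name", ""),))

def triage_bookmarks(raw_json):
    """Flag bookmarks whose title or hostname matches an indicator term."""
    findings = []
    for root in json.loads(raw_json).get("roots", {}).values():
        if not isinstance(root, dict):  # skip non-folder metadata values
            continue
        for folder, title, url in walk(root):
            terms = match_terms(title, url)
            if terms:
                findings.append({"folder": folder, "title": title, "url": url, "terms": terms})
    return findings
```

Each finding keeps the folder path, so an entry filed under an unrelated folder name is still reported with its location for the examiner's notes.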

Desktop Wallets 

Desktop wallets are available as downloadable applications that can be run on a computer instead of through a web browser. These wallets are installable on operating systems such as Mac, Windows, and Linux. Below are some of the most common desktop wallets as noted by  

Pocket Litter: 

  • “Pocket litter” or any other random papers should be evaluated for lists of seemingly random words (typically 12, but some wallets can support seed phrases up to 33 words) that, if used in the correct order, could be used to recover a crypto wallet.
  • Recovery seeds can also be hidden within books, planners, and unrelated notes, or in plain sight as clear lists or metal backups. 


Figure 2: Recovery seed written on a notecard


Figure 3: Steel wallet recovery seed


Figure 4: Recovery seed hidden in a daily planner


  • Pocket litter should also be evaluated for Bitcoin ATM receipts. While many BATM receipts will say bitcoin, or some “bit” derivative thereof, some bitcoin ATM receipts are less conspicuous than others. In more inconspicuous cases, phrases such as “ledger balance” can tip you off to crypto usage. 


Figure 5: EasyBit Bitcoin ATM receipt


Authenticator Apps: 

  • 2-Factor Authentication is common practice to secure user accounts at cryptocurrency exchanges. Looking through authenticator apps can reveal ties to specific exchanges. 


Figure 6: Google Authenticator codes indicate association with cryptocurrency exchange Coinbase

Photos and Screen Shots: 

  • Looking through a suspect’s photos can reveal valuable information such as recovery seeds, specific transactions or wallet and exchange services used.  

Figure 7: Screenshots from BTC transaction sent through BRD App

Hardware Wallets: 

  • Hardware wallets can come in all shapes and sizes, with some even looking like simple USB drives. 


Figure 8: Hardware wallets compared

 List of Common Hardware Wallets 

The following list consists of common hardware wallets investigators may run into: 

Make and Model
Archos Safe-T Mini 
Archos Safe-T Touch 
BC Vault One 
Cobo Vault Essential 
Cobo Vault Pro 
Cobo Vault Ultimate 
Coinkite Coldcard Mk3
Coinkite Opendime 
Cool Wallet S 
D’CENT Biometric Wallet 
Ellipal Titan 
Elliptic Secure MIRkey 
Elliptic Secure eHSM 
Hash Wallet 
KeepKey Hardware Wallet 
Keevo Model 1 
Ledger Blockchain Lockbox
Ledger Nano X 
Ledger Nano S 
Ledger Blue 
Ledger Blockstream Nano S 
Ngrave Zero 
SafePal S1 
Secalot Dongle 
SecuX V20 
SecuX W20 
SecuX W10 
Shift Crypto BitBox02 Bitcoin-only edition 
Shift Crypto BitBox02 Multi edition 
Trezor Model T 
Trezor One 
Trezor Gray Corazon Titanium 
Trezor Gray Corazon Stealth 
Trezor Gray Corazon Gold 
XZEN Wallet 


The signs of cryptocurrency use can be easily overlooked by investigators; hardware wallets can look like inconspicuous USB sticks and recovery seeds are just random words on a page. The preceding signs may indicate cryptocurrency is being used to hide criminal funds—especially when there is a lack of cash seizures for known cash-intensive activities. Investigators must remain alert to the presence of these red flags during evidence collection. Blockchain analysis tools like CipherTrace Inspector can then be used to easily verify the source of funds and detect any association with dark markets or other criminal activity.
