
Crypto Red Flags for Law Enforcement—How to know if your investigation involves cryptocurrency


According to the US Department of Treasury, since 2013 there has been a consistent decrease in reported bulk cash seizures by agencies throughout the United States. This could indicate that criminals are increasingly using cryptocurrency in place of cash. The lack of a cash seizure for known cash-intensive activities should be an automatic red flag for potential cryptocurrency usage to obfuscate and move funds.

The signs of cryptocurrency usage, however, can easily be overlooked by investigators unfamiliar with what to look for. Investigators should be wary of the following signs that may indicate cryptocurrency is being used to hide criminal funds.

Phones and Computers:

Check phones and computers for cryptocurrency-related applications and bookmarks. These could be either software wallets or cryptocurrency exchanges that the person accesses through their devices. Old, disconnected, and seemingly non-functioning computers could hold the private keys to cryptocurrency wallets. These devices should be evaluated for the following:

 

Figure 1: Popular crypto apps available for download from the Apple App Store

Mobile Wallets 

Many mobile wallets are compatible with both Android and iOS devices, including iPads and other tablets. Examples include, but are not limited to:

Exchanges: 

  • Abra 
  • Binance 
  • BitPay 
  • Blockchain Wallet 
  • CashApp 
  • Cex.io 
  • Circle 
  • Coinbase 
  • Crypto.com 
  • Gemini 
  • Huobi 
  • Paxful 
  • Remitano 
  • Uphold 
  • Changelly 
  • Shapeshift 

Private Wallets: 

  • Atomic Wallet 
  • BRD 
  • Exodus 
  • Ledger Live 
  • LiteWallet (Litecoin only) 
  • Metal Pay 
  • MyMonero (Monero only) 
  • Trust 
  • ZenGo 

 Bitcoin ATM Finders 

  • CoinATMRadar 
  • LibertyX 

Mobile wallets can be found by searching through a person’s applications or in the search bar. A search for “crypto” or “bitcoin” can often reveal associated applications available on a user’s mobile device.

Web Wallets 

Web wallets must be accessed through a web browser such as Chrome, Safari, or Brave. Web wallets can be hosted or unhosted depending on a user’s needs and security preferences. Web wallets can be found by looking through a person’s open tabs in their browser, bookmarks, search history, or even saved passwords. Many of the aforementioned mobile wallets also have corresponding web wallets.
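As an added illustration (not CipherTrace code), the bookmark check described above can be scripted for an examiner working from an extracted copy of a Chromium-family browser's Bookmarks file. The keyword sets are normalized from the service names listed on this page; the sample bookmarks and the `walk` and `triage` helpers are constructed for the example.

```python
import json
import re
from urllib.parse import urlsplit

# Keywords derived from the service names listed on this page (lowercased,
# spaces removed). A match is a triage lead, not proof of an account.
SERVICES = {
    "exchange": {"abra", "binance", "bitpay", "blockchain", "cashapp", "cex",
                 "circle", "coinbase", "crypto", "gemini", "huobi", "paxful",
                 "remitano", "uphold", "changelly", "shapeshift"},
    "private wallet": {"atomicwallet", "brd", "exodus", "ledger", "litewallet",
                       "metalpay", "mymonero", "trustwallet", "zengo"},
    "atm finder": {"coinatmradar", "libertyx"},
}

# Constructed sample in the layout of a Chromium "Bookmarks" JSON file.
SAMPLE = json.dumps({"roots": {
    "bookmark_bar": {"type": "folder", "name": "Bookmarks bar", "children": [
        {"type": "url", "name": "News", "url": "https://news.example.org/"},
        {"type": "folder", "name": "Bills", "children": [
            {"type": "url", "name": "Sign in", "url": "https://www.coinbase.com/signin"},
            {"type": "url", "name": "CI", "url": "https://circleci.example.net/"}]}]},
    "other": {"type": "folder", "name": "Other bookmarks", "children": [
        {"type": "url", "name": "ATM map", "url": "https://coinatmradar.com/"}]},
}})

def walk(node, path=()):
    """Yield (folder_path, title, url) for every bookmark under a node."""
    if node.get("type") == "url":
        yield "/".join(path), node.get("name", ""), node.get("url", "")
    for child in node.get("children", []):
        yield from walk(child, path + (node.get("name", ""),))

def triage(bookmarks_json):
    """Return one hit per (bookmark, keyword) match, in file order."""
    hits = []
    for root in json.loads(bookmarks_json).get("roots", {}).values():
        if not isinstance(root, dict):  # skip non-folder metadata entries
            continue
        for folder, title, url in walk(root):
            host = (urlsplit(url).hostname or "").lower()
            # Whole labels/words only, so "circleci" does not match "circle".
            tokens = set(host.split(".")) | set(re.findall(r"[a-z0-9]+", title.lower()))
            for category, keywords in SERVICES.items():
                for kw in sorted(tokens & keywords):
                    hits.append({"category": category, "keyword": kw,
                                 "folder": folder, "url": url})
    return hits
```

Each hit records the bookmark folder path, which matters when a wallet or exchange link is filed under an unrelated folder name.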

Desktop Wallets 

Desktop wallets are available as downloadable applications that can be run on a computer instead of through a web browser. These wallets are installable on operating systems such as Mac, Windows, and Linux. Below are some of the most common desktop wallets as noted by https://coinswitch.co/news/desktop-wallet

Pocket Litter: 

  • “Pocket litter” or any other random papers should be evaluated for lists of seemingly random words (typically 12, but some wallets can support seed phrases up to 33 words) that, if used in the correct order, could be used to recover a crypto wallet.
  • Recovery seeds can also be hidden within books, planners, and unrelated notes, or in plain sight as clear lists or metal backups. 

 

Figure 2: Recovery Seed written on a notecard (image source: https://wiki.trezor.io/User_manual:Filling_out_your_recovery_card)

 

Figure 3: Steel Wallet Recovery Seed (image source: https://blog.trezor.io/steel-bundle-trezor-one-cryptosteel-e02cadaeb4dc)

 

Figure 4: Recovery seed hidden in a daily planner (image source: https://www.justice.gov/usao-or/page/file/1232626/download)

 

  • Pocket litter should also be evaluated for Bitcoin ATM receipts. While many BATM receipts will say bitcoin, or some “bit” derivative thereof, some bitcoin ATM receipts are less conspicuous than others. In more inconspicuous cases, phrases such as “ledger balance” can tip you off to crypto usage. 

 

Figure 5: EasyBit Bitcoin ATM Receipt (image source: https://coinatmradar.com/blog/using-a-bitcoin-atm-satoshi1-machine-at-vape-dynamiks-in-athens-ga/)

 

Authenticator Apps: 

  • 2-Factor Authentication is common practice to secure user accounts at cryptocurrency exchanges. Looking through authenticator apps can reveal ties to specific exchanges. 

 

Figure 6: Google Authenticator codes indicate association with cryptocurrency exchange Coinbase

Photos and Screen Shots: 

  • Looking through a suspect’s photos can reveal valuable information such as recovery seeds, specific transactions or wallet and exchange services used.  

Figure 7: Screenshots from BTC transaction sent through BRD App

Hardware Wallets: 

  • Hardware wallets can come in all shapes and sizes, with some even looking like simple USB drives. 

 

Figure 8: Hardware wallets compared (image source: https://www.reddit.com/r/Bitcoin/comments/80m8dy/just_a_quick_sizeform_factor_comparison_of_4/)

 List of Common Hardware Wallets 

The following list consists of common hardware wallets investigators may run into: 

| Make | Model | Link |
| --- | --- | --- |
| Archos | Safe-T Mini | https://shop.archos.com/fr/hardware-wallet/588-archos-safe-t-mini.html |
| Archos | Safe-T Touch | https://shop.archos.com/us/hardware-wallet/719-archos-safe-t-touch-0690590037359.html |
| BC Vault | One | https://bc-vault.com/shop/bc-vault/ |
| Bitfi | | https://bitfi.com/ |
| Bitlox | | https://www.bitlox.com/ |
| Cobo | Vault Essential | https://shop.cobo.com/products/cobo-vault-essential |
| Cobo | Vault Pro | https://shop.cobo.com/products/cobo-vault |
| Cobo | Vault Ultimate | https://cobo.com/hardware-wallet/hardware-wallet-comparison |
| Coinkite | Coldcard Mk3 | https://store.coinkite.com/store/coldcard |
| Coinkite | Opendime | https://opendime.com/ |
| Cool Wallet | S | https://www.coolwallet.io/product/coolwallet/ |
| D’CENT | Biometric Wallet | https://dcentwallet.com/Shop/detail/b15125cd52814be19a3f0edf54c8bc17 |
| Ellipal | Titan | https://www.ellipal.com/products/ellipal-titan |
| Elliptic Secure | MIRkey | https://ellipticsecure.com/order.html |
| Elliptic Secure | eHSM | https://ellipticsecure.com/order.html |
| Hash Wallet | | https://gethashwallet.com/ |
| KeepKey | Hardware Wallet | https://keepkey.myshopify.com/collections/frontpage/products/keepkey-the-simple-bitcoin-hardware-wallet |
| Keevo | Model 1 | https://www.keevowallet.com/collections/choose-your-keevo-wallet |
| KeyCard | | https://get.keycard.tech/ |
| Ledger | Blockchain Lockbox | https://www.blockchain.com/lockbox |
| Ledger | Nano X | https://shop.ledger.com/products/ledger-nano-x?r=9621 |
| Ledger | Nano S | https://shop.ledger.com/products/ledger-nano-s |
| Ledger | Blue | https://shop.ledger.com/products/ledger-blue?r=5c71&path=/products/ledger-blue&tracker=FINDERGX |
| Ledger | Blockstream Nano S | https://store.blockstream.com/product/blockstream-ledger-nano-s/ |
| Ngrave | Zero | https://www.ngrave.io/products/zero |
| SafePal | S1 | https://shop.safepal.io/products/safepal-hardware-wallet-s1-bitcoin-wallet |
| Secalot | Dongle | https://www.secalot.com/product/secalot-dongle/ |
| SecuX | V20 | https://shop.secuxtech.com/ |
| SecuX | W20 | https://shop.secuxtech.com/ |
| SecuX | W10 | https://shop.secuxtech.com/ |
| Shift Crypto | BitBox02 Bitcoin-only edition | https://shiftcrypto.shop/en/products/bitbox02-bitcoin-only-edition-4/ |
| Shift Crypto | BitBox02 Multi edition | https://shiftcrypto.shop/en/products/bitbox02-multi-edition-2/ |
| Trezor | Model T | https://shop.trezor.io/product/trezor-model-t |
| Trezor | One | https://shop.trezor.io/product/trezor-one-white |
| Trezor | Gray Corazon Titanium | https://gray.inc/collections/corazon-wallet |
| Trezor | Gray Corazon Stealth | https://gray.inc/collections/corazon-wallet |
| Trezor | Gray Corazon Gold | https://gray.inc/collections/corazon-wallet |
| XZEN | Wallet | https://xzen.io/wallet |

 

The signs of cryptocurrency use can be easily overlooked by investigators; hardware wallets can look like inconspicuous USB sticks and recovery seeds are just random words on a page. The preceding signs may indicate cryptocurrency is being used to hide criminal funds—especially when there is a lack of cash seizure for known cash-intensive activities. Investigators must remain alert to the presence of these red flags during evidence collection. Blockchain analysis tools like CipherTrace Inspector can then be used to easily verify the source of funds and detect any association with dark markets or other criminal activity.
