Using crypto forensics to track down lost and stolen digital wallets
Investigators use a variety of advanced techniques to track down stolen, hidden, or inaccessible cryptocurrency assets, according to a recent thought piece by HKA partner Richard Peters.
Peters, a cybersecurity and crypto asset forensic expert with 25+ years of experience, notes in the article that crypto forensics is now a key component in solving a growing number of disputes and investigations relating to bitcoin, Ethereum, and other crypto assets.
There are now approximately 861 million cryptocurrency users, and a growing number of organizations are using cryptocurrency for investments and transactions.
Although crypto transactions are anonymous – and thus a long-favored avenue for criminals – their basis in a blockchain means transactions are permanently recorded and visible to all.
As such, skilled investigators can follow digital breadcrumbs to connect cryptographic addresses with real-world people.
They use advanced forensic techniques such as clustering algorithms to group related addresses, machine learning to identify suspicious patterns, and graph analysis to visualize money flows. Peters says these tools can uncover laundered and stolen funds even as they go through mixing services to obscure transaction trails.
Investigators can also watch stolen funds move in real time (instead of waiting on subpoenas, as with a regular bank) and can even predict where criminals may try to cash out. When Colonial Pipeline Co. paid a $4.4 million ransom in 2021, the FBI was able to track bitcoin payments through multiple wallets to eventually recover $2.3 million in a matter of weeks.
Investigators can also counter privacy technologies, using statistical analysis to de-anonymize mixed coins, for example.
A crypto transaction history, although anonymized, ultimately tells a story and leaves a trail of evidence. Peters says smart contract interactions, token swaps, and failed transactions create a wallet’s digital fingerprint – revealing patterns, preferences, and connections.
Peters outlines how crypto forensics can be applied to several example cases, including a divorce case and an estate administration.
In one example, a family law attorney suspects the opposing party in the divorce case is hiding crypto holdings. Starting from a single wallet address discovered in email metadata, the investigator can use clustering algorithms to identify related wallets based on common spending patterns, and then trace transactions to centralized exchanges that have Know-Your-Customer records to enable subpoenas.
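The workflow in that divorce example (seed address, cluster, trace to an exchange) can be sketched in code. This is an added example, not taken from Peters' article: it assumes the common-input-ownership heuristic as the clustering method (the article does not name one), and every address, transaction and exchange label in it is constructed.

```python
from collections import defaultdict

# Constructed sample data: each transaction lists the addresses that funded it
# (inputs) and the addresses it paid (outputs). All identifiers are made up.
TXS = [
    {"txid": "t1", "inputs": ["A1", "A2"], "outputs": ["B1"]},
    {"txid": "t2", "inputs": ["A2", "A3"], "outputs": ["EX_DEPOSIT_1"]},
    {"txid": "t3", "inputs": ["C1"], "outputs": ["A1"]},
    {"txid": "t4", "inputs": ["D1", "D2"], "outputs": ["EX_DEPOSIT_2"]},
    {"txid": "t5", "inputs": ["B1"], "outputs": ["C1"]},
]
# Hypothetical attribution labels for known exchange deposit addresses.
EXCHANGE_LABELS = {"EX_DEPOSIT_1": "ExchangeOne", "EX_DEPOSIT_2": "ExchangeTwo"}


def cluster_addresses(txs):
    """Group addresses that co-sign as inputs of one transaction (union-find)."""
    parent = {}

    def find(a):
        parent.setdefault(a, a)
        while parent[a] != a:
            parent[a] = parent[parent[a]]  # path halving keeps lookups cheap
            a = parent[a]
        return a

    for tx in txs:
        for addr in tx["outputs"]:
            find(addr)  # register outputs without merging them
        if not tx["inputs"]:
            continue  # e.g. a coinbase transaction has no spending address
        root = find(tx["inputs"][0])
        for addr in tx["inputs"][1:]:
            parent[find(addr)] = root  # same spender assumed for all inputs
    clusters = defaultdict(set)
    for addr in list(parent):
        clusters[find(addr)].add(addr)
    return list(clusters.values())


def exchange_leads(seed, txs, labels):
    """Return the seed's cluster and its payments to labelled exchange addresses."""
    wallet = next((c for c in cluster_addresses(txs) if seed in c), {seed})
    leads = [(tx["txid"], out, labels[out])
             for tx in txs if wallet & set(tx["inputs"])
             for out in tx["outputs"] if out in labels]
    return wallet, leads
```

Collaborative transactions such as CoinJoin violate the one-spender assumption, so clusters produced this way are leads to corroborate with other evidence before they support a subpoena.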
In another example, a probate attorney administering an estate says the decedent was known to hold cryptocurrency, but left no clear documentation, wallet addresses, or keys. The forensic examination can start by examining computers, phones, and other devices for wallet applications, browser history showing exchange logins, and password manager entries. Exchange account statements and transaction confirmations in emails are another starting point for the investigation.
Once addresses are identified, the investigator can analyze the blockchain for current balances as well as historical levels for estate valuation and tax purposes.
“The cryptocurrency landscape continues to evolve rapidly, with new tokens, protocols, obfuscation techniques, and artificial intelligence (AI) applications emerging every day,” the HKA partner concludes. “What remains the same is the core transparency of blockchain technology, an immutable record that makes every digital wallet a potential source of evidence.”
