How our Cryptocurrency Private Investigators trace stolen crypto and find out who is behind crypto accounts
In 2020, consumers lost more than $2.6 billion to cryptocurrency scams, according to a Chainalysis report. Ransomware attacks more than quadrupled, and darknet market activity rose despite COVID-19 difficulties.
Hackers are getting smarter. But cryptocurrency investigators are also getting better at tracing stolen crypto across blockchains with sophisticated software and at identifying the individual(s) behind specific accounts.
There are hundreds of cryptocurrencies with hundreds of blockchains. These blockchains contain public records of every crypto transaction. However, these records provide limited public user data, and they are so massive that downloading and going through them requires specialized skills and terabytes of computer storage. Because of this, criminals can hide behind cryptic account numbers and conceal their assets by quickly moving them around, laundering them through “mixers”, or spreading them across multiple wallets.
But our cryptocurrency private investigators scrape transactional data on the blockchain through software and analyse it for suspicious activity, such as illicit behaviour on the Dark Web, to track stolen funds.
Trace Stolen Crypto through Blockchain and Forensic Tools
Every transaction starts with an account number.
All crypto transactions are linked to at least one public crypto address with a string of more than 25 characters. This includes ransomware payments and stolen funds. A crypto address is like a public bank account number: it can lead investigators to a variety of information that points to the person behind it. By tracing the money, investigators can find other transactions that the person made and identify the exchanges and wallets the account holder used. If a third-party firm manages these exchanges or wallets, the assets are “centralized” and can be frozen and seized. Well-known centralized cryptocurrency exchanges include Coinbase, GDAX, Kraken, and Gemini. These exchanges also hold KYC (Know-Your-Customer) information and will generally cooperate with subpoenas from law enforcement.
Decentralized protocols are controlled by code, instead of a central entity. Therefore, their assets cannot be frozen unless they are in a compliant exchange.
Criminals sometimes unintentionally convert decentralized assets like Bitcoin into digital tokens controlled by a company when moving funds. If a cryptocurrency is converted into a coin controlled by a single entity, that company can freeze or burn the tokens. This is what happened in August 2021, when hackers stole over $600 million from blockchain addresses controlled by Poly Network, and transferred some of the funds to Tether. Tether detected these funds and froze them immediately to prevent the hacker from moving the funds.
Blockchains list the transaction history for every coin, not the owner’s information. That is why investigators use sophisticated software to trace the flow of funds.
Tracing Stolen Crypto through Chainalysis Reactor
Our cryptocurrency investigators use, among other digital forensic tools, Chainalysis. Tools like Chainalysis Reactor enable investigators to trace cryptocurrency movements between addresses.
Through Chainalysis, our investigators can tell if an account number has been active on the Dark Web or a gambling website. Investigators can sometimes find a home address from an IP address by serving the Internet Service Provider with a subpoena.
Investigators can obtain useful information to identify an account holder by subpoenaing crypto exchanges and custodians who require users to provide KYC information to sign up.
When the information is stored online, it’s more accessible because authorities can subpoena the exchange, or wallet operator, to obtain information about the account holder. If authorities can’t get into an account, they wait for the hacker to cash out or move the funds. When the hacker moves the funds from a private wallet into an exchange, hoping to cash out into a bank account, the investigators subpoena the exchange to find out who owns the bank account and catch the criminal.
Some tactics can throw investigators off the trail. When criminals put the stolen money into “mixers,” which are wallet addresses that mix the coins with other transactions, it becomes much harder to track the funds. Some cybercriminals store their cryptocurrency keys in “cold” wallet devices. These are not connected to the Internet. They move the digital tokens in online wallets to addresses linked to their desktops or save the account information and private keys on thumb-drive-like devices.
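The tracing idea described above, as an added example that is not our investigators' or Chainalysis's own code: it follows outgoing transfers from a theft address until they reach an exchange, where a subpoena becomes possible, and marks any path that crossed a mixer as weaker evidence. The ledger, the address names and the "exchange"/"mixer" labels are constructed placeholders, and the logic is plain reachability rather than any commercial tool's method.

```python
from collections import deque

# Constructed sample ledger: (sender, receiver, amount). The address names
# are placeholders, not real blockchain addresses.
TRANSFERS = [
    ("theft_addr", "hop_a", 10.0),
    ("theft_addr", "hop_b", 5.0),
    ("hop_a", "exchange_deposit_1", 9.9),
    ("hop_b", "mixer_pool", 5.0),
    ("mixer_pool", "hop_c", 4.9),
    ("hop_c", "exchange_deposit_2", 4.8),
    ("unrelated", "exchange_deposit_1", 1.0),
]

# Constructed attribution labels, standing in for what a forensic tool supplies.
LABELS = {
    "exchange_deposit_1": "exchange",
    "exchange_deposit_2": "exchange",
    "mixer_pool": "mixer",
}


def trace(start, transfers, labels, max_hops=6):
    """Breadth-first walk of outgoing transfers from `start`.

    Returns one record per path ending at a labelled exchange address,
    with a flag saying whether the path passed through a mixer.
    """
    outgoing = {}
    for sender, receiver, _amount in transfers:
        outgoing.setdefault(sender, []).append(receiver)

    findings = []
    queue = deque([([start], False)])
    while queue:
        path, via_mixer = queue.popleft()
        node = path[-1]
        label = labels.get(node)
        if label == "exchange":
            # Custodial endpoint: stop here, the exchange holds KYC records.
            findings.append({"path": path, "via_mixer": via_mixer})
            continue
        if len(path) > max_hops:
            continue  # bound the search depth
        for nxt in outgoing.get(node, []):
            if nxt not in path:  # do not loop back along the same path
                queue.append((path + [nxt], via_mixer or label == "mixer"))
    return findings
```

Calling trace("theft_addr", TRANSFERS, LABELS) returns two paths: a direct one to exchange_deposit_1 and one to exchange_deposit_2 that is flagged because mixed outputs have many possible sources.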
Our Cryptocurrency Private Investigators can help you recover your stolen crypto and stolen Bitcoins.