Chainalysis Shares Blockchain Analysis Mistakes that Impede Crypto Investigations

The inherent transparency of blockchains or distributed ledger tech (DLT) networks makes crypto-related investigations a lot easier for law enforcement agencies, when compared to financial investigations involving fiat currency.

Blockchains or DLT networks serve as a permanent, publicly viewable ledger of almost all crypto transfers, which makes it possible for investigators to reliably track funds’ movements between different addresses, something that “simply isn’t possible with fiat currency,” the team at Chainalysis writes in a blog post.

But crypto addresses are pseudonymous, which means investigators require reliable data “attributing those addresses to services and organizations in order to draw actionable insights from blockchains’ transaction records,” Chainalysis explains.

They also mentioned that incorrect or absent address attributions and “misunderstandings of how cryptocurrency businesses handle funds can lead investigators to false conclusions, so it’s important that investigators use best-in-class blockchain analysis tools to limit these mistakes and carry out successful analyses.”

As noted by Chainalysis, mixers are services that aim to “obfuscate the path of funds by pooling cryptocurrency from multiple users, and giving each one back an amount from the pool equal to what they initially put in, minus a small service fee.”

The blockchain analysis firm also noted that “everyone ends up with a ‘mix’ of the funds everyone else put in, which makes it more difficult to connect the inputs to an output on the users’ transactions.” Criminals tend to use mixers quite often in an attempt to cover up the illicit origins of their crypto funds, the company adds.

As explained in the blog post by Chainalysis, mixers aren’t “a dead end in blockchain analysis — investigators can often continue to follow funds even if they’ve moved through these obfuscatory services.”

But investigators need to be aware they’re “dealing with a mixer in the first place in order to do that, but they can’t unless they’re using a blockchain analysis tool that’s tagged the addresses in question as belonging to a mixer.”

The Chainalysis Reactor graphs are able to show recent transfers performed by administrators of DarkSide, the ransomware strain behind the May 2021 attack on Colonial Pipeline.

Following this attack, the administrator had moved funds to an intermediary wallet they’ve labeled “DarkSide Dormant Funds,” where they “sat until October 21, 2021.” On that date, the funds were “moved to a second intermediary wallet (DarkSide Consolidation) and roughly one hour later moved to a mixer, whose name we can’t reveal as the investigation is ongoing,” the blog post noted.

As mentioned in the update, it is possible to review this activity in Reactor because Chainalysis has “previously identified the receiving address on the final transaction seen above as belonging to the mixer in question.”

But if users tried to analyze this transaction using a public block explorer or a blockchain analysis tool that has not actually cataloged the receiving address as part of a mixer, they “wouldn’t be able to tell what’s happening,” Chainalysis clarified.

Instead, they would “see funds moving to several different addresses in quick succession, in a pattern resembling a peel chain,” the update revealed.

As noted by Chainalysis:

“A peel chain is a transaction pattern commonly seen in blockchain analysis, in which funds appear to move through several intermediate addresses. In reality though, those intermediate addresses are part of a single wallet, and are created automatically to receive the leftover change that results from certain transactions.”

They added:

“In the case of an unidentified mixer, the intermediate addresses are part of the mixer itself rather than a wallet, and the new addresses are made not to receive trades, but instead to distribute funds to new addresses also hosted by the mixer, from which they can be distributed to the mixer’s users.”

Peel chain-like patterns “stemming from unidentified mixer usage have likely contributed to the belief that peel chains themselves are an obfuscatory technique for criminals seeking to launder cryptocurrency,” the blog post from Chainalysis noted.

In reality, peel chains are “a naturally occurring pattern arising from how cryptocurrency wallets are designed to collect change from transactions,” the company explained, though cybercriminals can still take advantage of the confusion such patterns cause investigators.

As noted by Chainalysis:

“Recent reporting characterizing DarkSide’s fund movements as merely being part of a peel chain suggest that investigators may have used a blockchain analysis tool that didn’t catalog the addresses of the mixer DarkSide administrators used.”

Those investigators likely reached the “incorrect conclusion that DarkSide’s funds have been collected in one or more self-hosted wallets, when in reality they’ve been mixed and sent to the DarkSide administrator at a new address,” Chainalysis noted.

Those investigators seem to have continued tracking the funds — funds no longer under DarkSide administrators’ control — “as they left the mixer and went to services like exchanges.” The update from Chainalysis also mentioned that this may have “resulted in erroneous subpoenas, wasting the time and resources of both the investigators and the exchanges.”

The blockchain analysis firm added that criminals tend to move cryptocurrency via intermediary wallets in order to throw investigators “off the trail.” These transactions are quite easy to trace with most blockchain analysis tools, “as investigators can rely on the blockchain to show them which new address received funds following each transaction,” Chainalysis explained.

But investigations can get a lot trickier when funds hit a service like an exchange, as it’s “impossible to trace where funds are sent after they’ve arrived at a deposit address hosted by a service.” The blockchain alone – without attribution data such as Chainalysis data – is “no longer a reliable source of truth at this point.”

The blockchain firm added:

“Why is this? It has to do with how services manage users’ cryptocurrency. When someone sends cryptocurrency to their deposit address at a service, the cryptocurrency doesn’t just sit at that address. Instead, the service moves it around internally as needed, pooling and co-mingling it with the funds of other users as needed.”

For example, many exchanges tend to keep portions of deposited funds in cold wallets that are “disconnected from the internet for security reasons.” This idea holds true in the fiat world as well — “if you deposit a $20 bill at an ATM and then withdraw $20 one week later, you’re not going to receive the exact same bill you originally had.”

As noted by Chainalysis:

“Blockchains don’t know that services’ internal fund movements aren’t ordinary transactions as we understand them — they get recorded in the ledger just like any other transaction. Therefore, it doesn’t make sense to continue following funds once they’ve been deposited at a service, as the owner of the deposit address isn’t usually the one moving them after that point.”

Only the exchange itself should know which deposits and withdrawals are “associated with specific customers, and that information is kept in the exchange’s order books, which aren’t visible on blockchains or in Chainalysis’s data platform.”

To prevent investigators from “mistakenly following funds after they’ve been deposited at a service, Chainalysis Reactor doesn’t show the outgoing transaction history for individual service deposit addresses,” the blog post explained.

Even though the blockchain technically can record outgoing transfers from this exchange deposit address, Chainalysis Reactor “doesn’t display this misleading information,” the update noted.

Inexperienced investigators using public block explorers or blockchain analysis tools “without this safeguard sometimes end up sending erroneous subpoenas asking for information on exchanges’ internal addresses, leading to wasted time and resources,” the blog post added.
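To make the two failure modes described above concrete (following funds past a service deposit address, and not recognising a mixer address), here is an added Python example that is not part of the Chainalysis post or this article. It walks a constructed set of transactions and stops at any address carrying an attribution label, so the hypothetical exchange deposit address and mixer address are reported as endpoints rather than followed; all addresses, entity names and amounts are made up.

```python
from collections import deque

# Constructed sample transactions: (txid, input address, [(output address, amount)]).
# tx1/tx2 form a peel-chain-like pattern of change addresses from one wallet;
# tx3/tx4 are the exchange's internal movement and an unrelated user's withdrawal.
TXS = [
    ("tx1", "A_attacker", [("B_change1", 0.1), ("C_change2", 9.9)]),
    ("tx2", "C_change2", [("D_change3", 0.2), ("E_deposit", 9.7)]),
    ("tx3", "E_deposit", [("F_exchange_hot", 9.7)]),
    ("tx4", "F_exchange_hot", [("G_other_user", 5.0)]),
    ("tx5", "D_change3", [("M_mixer_in", 0.2)]),
]

# Constructed attribution data: address -> (entity, category). Without it, the
# trace cannot tell a service deposit address or mixer from an ordinary wallet.
ATTRIBUTION = {
    "E_deposit": ("Example Exchange (constructed)", "exchange"),
    "F_exchange_hot": ("Example Exchange (constructed)", "exchange"),
    "M_mixer_in": ("unnamed mixer (constructed)", "mixer"),
}


def trace(start, txs, attribution):
    """Follow outputs from `start` breadth-first.

    Returns (hops, stops): every hop taken as (txid, from, to, amount) and the
    attributed addresses at which the trace stopped, as (address, entity, category).
    Funds are not followed past an attributed address, mirroring the safeguard
    the post describes for service deposit addresses.
    """
    by_input = {}
    for txid, inp, outs in txs:
        by_input.setdefault(inp, []).append((txid, outs))
    hops, stops = [], []
    queue, seen = deque([start]), {start}
    while queue:
        addr = queue.popleft()
        for txid, outs in by_input.get(addr, []):
            for out_addr, amount in outs:
                hops.append((txid, addr, out_addr, amount))
                if out_addr in attribution:
                    stops.append((out_addr,) + attribution[out_addr])
                    continue  # endpoint: the service, not the depositor, moves funds next
                if out_addr not in seen:
                    seen.add(out_addr)
                    queue.append(out_addr)
    return hops, stops


if __name__ == "__main__":
    print(trace("A_attacker", TXS, ATTRIBUTION)[1])  # attributed endpoints
    print(trace("A_attacker", TXS, {})[0][-1])       # unattributed trace reaches G_other_user
```

Running the same trace with an empty attribution map walks into the exchange's hot wallet and on to an unrelated customer, which is exactly the path that produces the erroneous subpoenas the post describes.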

Nested services are crypto services that “operate using addresses hosted by larger exchanges in order to tap into those exchanges’ liquidity and trading pairs,” Chainalysis explained.

Over-the-counter (OTC) brokers are a good example, though many of them operate as standalone or independent services.

Customers of merchant services providers operate in a similar manner, the update noted, adding that merchant services providers allow mainstream businesses to “accept cryptocurrency as payment for products and services, similar to payment processors in the fiat world.”

The companies or businesses using the merchant services providers are “analogous to the nested services described above, in that they receive cryptocurrency using addresses hosted by another business.” That means that investigators can “draw false conclusions in cryptocurrency investigations if they trace funds to an address that isn’t properly labeled as belonging to a nested service or merchant services provider,” the Chainalysis team noted.

For more details on this update, check here.
