Want to know if your investigation involves cryptocurrency? Look for these red flags.

According to the US Department of Treasury, since 2013 there has been a consistent decrease in the number of reported bulk cash seizures by agencies throughout the United States. This could signal that criminals are increasingly using cryptocurrency instead of cash. The lack of cash seizures for known cash-intensive activities should be an automatic red flag for investigators as criminals begin to rely more on cryptocurrency to obfuscate and move funds.

The signs of cryptocurrency usage, however, can easily be overlooked by investigators who are unfamiliar with what to look for. Here are five key signs that may indicate cryptocurrency is being used to hide the movement of criminal funds.

1. Phones and Computers

Check phones and computers for cryptocurrency-related applications and bookmarks. These could either be software wallets or cryptocurrency exchanges they are accessing through their devices.

Old, disconnected, and seemingly non-functioning computers could hold the private keys to cryptocurrency wallets.  These devices should be evaluated for the following:

Figure 1: Some popular crypto apps available for download from the Apple App Store.

Mobile Wallets

Many mobile wallets are compatible with both Android and iOS devices, including iPads and other tablets. Examples include, but are not limited to:

Exchanges:

  • Abra
  • Binance
  • BitPay
  • Blockchain Wallet
  • CashApp
  • io
  • Circle
  • Coinbase
  • com
  • Gemini
  • Huobi
  • Paxful
  • Remitano
  • Uphold
  • Changelly
  • Shapeshift

Private Wallets:

  • Atomic Wallet
  • BRD
  • Exodus
  • Ledger Live
  • LiteWallet (Litecoin only)
  • Metal Pay
  • MyMonero (Monero only)
  • Trust
  • ZenGo

Bitcoin ATM Finders:

  • CoinATMRadar
  • LibertyX

Mobile wallets can be found by searching through a person’s applications or in the search bar. A search for “crypto” or “Bitcoin” can often reveal associated applications available on a user’s mobile device.

Cellebrite UFED, Cellebrite Physical Analyzer, and Cellebrite Responder can help you detect cryptocurrency apps installed on the mobile device much faster by using the “insights from installed apps” feature. Before conducting the mobile device data collection, or while examining the collected data with Physical Analyzer, check the list of installed apps and look for the “cryptocurrency” category.

Figure 2: Cellebrite Physical Analyzer is a powerful tool that can unveil insights from installed apps.

Web Wallets

Web wallets must be accessed through a web browser such as Chrome, Safari, or Brave. They can be hosted or unhosted depending on a user’s needs and security preferences. Web wallets can also be found by looking through a person’s open tabs in their browser, bookmarks, search history, or even saved passwords. Many of the aforementioned mobile wallets also have corresponding web wallets.

Desktop Wallets

Desktop wallets are available as downloadable applications that can be run on a computer instead of through a web browser. These wallets are installable on operating systems such as Mac, Windows, and Linux. Below are some of the most common desktop wallets as noted by https://coinswitch.co/news/desktop-wallet.

“Pocket litter” or any other random papers should be evaluated for lists of seemingly random words—typically 12, but some wallets can support seed phrases up to 33 words. If used in the correct order, these words could be used to recover a crypto wallet.

Figure 3: “Recovery seeds” can also be hidden within books, planners, and unrelated notes, or in plain sight as clear lists or metal backups.

Source: https://wiki.trezor.io/User_manual:Filling_out_your_recovery_card

Figure 4: This is an example of a steel wallet recovery seed.[i]

Figure 5: Recovery seed hidden in a daily planner.[ii]

Pocket litter should also be evaluated for Bitcoin ATM receipts. While many BATM receipts will say “Bitcoin” or some “bit” derivative thereof, some Bitcoin ATM receipts are less conspicuous than others. In more inconspicuous cases, phrases such as “ledger balance” can tip you off to crypto usage.

Figure 6: Pocket litter should be examined carefully for evidence like this EasyBit Bitcoin ATM receipt.[iii]

3. Authenticator Apps

Two-factor authentication is common practice to secure user accounts at cryptocurrency exchanges. Looking through authenticator apps can reveal ties to specific exchanges.

Figure 7: Google authenticator codes like this can indicate an association with cryptocurrency exchange Coinbase.

4. Photos and Screen Shots

Looking through a suspect’s photos can reveal valuable information such as recovery seeds, specific transactions, or wallet and exchange services used.

Figure 8: These screenshots show a BTC transaction sent through the BRD app.

5. Hardware Wallets

Hardware wallets come in all shapes and sizes, with some even looking like simple USB drives.

Figure 9: Here are some variations of hardware wallets that are commonly used.[iv]

List of Common Hardware Wallets

The following list consists of common hardware wallets investigators may run into:

| Make | Model | Link |
|---|---|---|
| Archos | Safe-T Mini | https://shop.archos.com/fr/hardware-wallet/588-archos-safe-t-mini.html |
| Archos | Safe-T Touch | https://shop.archos.com/us/hardware-wallet/719-archos-safe-t-touch-0690590037359.html |
| BC Vault | One | https://bc-vault.com/shop/bc-vault/ |
| Bitfi | | https://bitfi.com/ |
| Bitlox | | https://www.bitlox.com/ |
| Cobo | Vault Essential | https://shop.cobo.com/products/cobo-vault-essential |
| Cobo | Vault Pro | https://shop.cobo.com/products/cobo-vault |
| Cobo | Vault Ultimate | https://cobo.com/hardware-wallet/hardware-wallet-comparison |
| Coinkite | ColdcardMk3 | https://store.coinkite.com/store/coldcard |
| Coinkite | Opendime | https://opendime.com/ |
| Cool Wallet | S | https://www.coolwallet.io/product/coolwallet/ |
| D’CENT | Biometric Wallet | https://dcentwallet.com/Shop/detail/b15125cd52814be19a3f0edf54c8bc17 |
| Ellipal | Titan | https://www.ellipal.com/products/ellipal-titan |
| Elliptic Secure | MIRkey | https://ellipticsecure.com/order.html |
| Elliptic Secure | eHSM | https://ellipticsecure.com/order.html |
| Hash Wallet | | https://gethashwallet.com/ |
| KeepKey | Hardware Wallet | https://keepkey.myshopify.com/collections/frontpage/products/keepkey-the-simple-bitcoin-hardware-wallet |
| Keevo | Model 1 | https://www.keevowallet.com/collections/choose-your-keevo-wallet |
| KeyCard | | https://get.keycard.tech/ |
| Ledger | Blockchain Lockbox | https://www.blockchain.com/lockbox |
| Ledger | Nano X | https://shop.ledger.com/products/ledger-nano-x?r=9621 |
| Ledger | Nano S | https://shop.ledger.com/products/ledger-nano-s |
| Ledger | Blue | https://shop.ledger.com/products/ledger-blue?r=5c71&path=/products/ledger-blue&tracker=FINDERGX |
| Ledger | Blockstream Nano S | https://store.blockstream.com/product/blockstream-ledger-nano-s/ |
| Ngrave | Zero | https://www.ngrave.io/products/zero |
| SafePal | S1 | https://shop.safepal.io/products/safepal-hardware-wallet-s1-bitcoin-wallet |
| Secalot | Dongle | https://www.secalot.com/product/secalot-dongle/ |
| SecuX | V20 | https://shop.secuxtech.com/ |
| SecuX | W20 | https://shop.secuxtech.com/ |
| SecuX | W10 | https://shop.secuxtech.com/ |
| Shift Crypto | BitBox02 Bitcoin-only edition | https://shiftcrypto.shop/en/products/bitbox02-bitcoin-only-edition-4/ |
| Shift Crypto | BitBox02 Multi edition | https://shiftcrypto.shop/en/products/bitbox02-multi-edition-2/ |
| Trezor | Model T | https://shop.trezor.io/product/trezor-model-t |
| Trezor | One | https://shop.trezor.io/product/trezor-one-white |
| Trezor | Gray Corazon Titanium | https://gray.inc/collections/corazon-wallet |
| Trezor | Gray Corazon Stealth | https://gray.inc/collections/corazon-wallet |
| Trezor | Gray Corazon Gold | https://gray.inc/collections/corazon-wallet |
| XZEN | Wallet | https://xzen.io/wallet |

  

https://en.bitcoinwiki.org/wiki/Hardware_wallet

In a recent webinar poll, 56% of attendees indicated that they had not come across cryptocurrencies very often in their investigations. As the old saying goes, “you don’t know what you don’t know.” We’ve seen numerous cases where investigators inadvertently overlooked a long string of funny characters found on a device (a Bitcoin address) or what looked like a child’s spelling list jotted down on the side of a notebook (a seed list).
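One way to triage text extracted from a device for the kind of address string described above, as an added example that is not part of the original article or any Cellebrite product: it finds candidate strings and keeps only those whose Base58Check checksum verifies. It covers legacy Bitcoin addresses beginning with 1 or 3 only (not `bc1` bech32 addresses); the function names and the sample address are constructed for illustration.

```python
import hashlib
import re

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Legacy addresses: 26-35 Base58 characters starting with 1 (P2PKH) or 3 (P2SH),
# not embedded in a longer alphanumeric run.
CANDIDATE = re.compile(
    r"(?<![0-9A-Za-z])[13][1-9A-HJ-NP-Za-km-z]{25,34}(?![0-9A-Za-z])")


def checksum(payload: bytes) -> bytes:
    """First four bytes of double SHA-256, as used by Base58Check."""
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]


def b58decode(s: str) -> bytes:
    n = 0
    for ch in s:
        n = n * 58 + B58.index(ch)
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return b"\x00" * (len(s) - len(s.lstrip("1"))) + body  # leading '1' = zero byte


def b58encode(raw: bytes) -> str:
    n, out = int.from_bytes(raw, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    return "1" * (len(raw) - len(raw.lstrip(b"\x00"))) + out


def is_valid_address(s: str) -> bool:
    """True if s decodes to version byte + 20-byte hash + matching checksum."""
    raw = b58decode(s)
    return len(raw) == 25 and raw[0] in (0x00, 0x05) and checksum(raw[:-4]) == raw[-4:]


def find_addresses(text: str) -> list[str]:
    """Return checksum-valid legacy Bitcoin addresses found in free text."""
    return [c for c in CANDIDATE.findall(text) if is_valid_address(c)]


# Constructed sample: version 0x00 plus a made-up 20-byte hash, not a real wallet.
_payload = b"\x00" + bytes(range(1, 21))
SAMPLE = b58encode(_payload + checksum(_payload))
# Same string with its last character altered, so the checksum no longer matches.
DAMAGED = SAMPLE[:-1] + ("2" if SAMPLE[-1] != "2" else "3")
NOTES = f"spelling list: apple river stone\npay {SAMPLE} today\nold: {DAMAGED}\n"

if __name__ == "__main__":
    print(find_addresses(NOTES))
```

The checksum test is what separates a real address from any other long alphanumeric string, and it also rejects addresses that were mistyped or cut off in the source material.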

Whether you are a newly dubbed crypto investigator, or a digital forensic analyst looking to be proactive, check out our recent on-demand webinar to learn how cryptocurrency investigation capabilities integrate with your overall digital intelligence (DI) ecosystem.

[i] Retrieved September 23, 2020 from: https://blog.trezor.io/steel-bundle-trezor-one-cryptosteel-e02cadaeb4dc
[ii] Retrieved September 23, 2020 from: https://www.justice.gov/usao-or/page/file/1232626/download
[iii] Retrieved September 23, 2020 from: https://coinatmradar.com/blog/using-a-bitcoin-atm-satoshi1-machine-at-vape-dynamiks-in-athens-ga/
[iv] Retrieved September 23, 2020 from: https://www.reddit.com/r/Bitcoin/comments/80m8dy/just_a_quick_sizeform_factor_comparison_of_4/
