Want to know if your investigation involves cryptocurrency? Look for these red flags.

According to the US Department of the Treasury, since 2013 there has been a consistent decrease in the number of reported bulk cash seizures by agencies throughout the United States. This could signal that criminals are increasingly using cryptocurrency instead of cash. The lack of cash seizures for known cash-intensive activities should be an automatic red flag for investigators as criminals begin to rely more on cryptocurrency to obfuscate and move funds.

The signs of cryptocurrency usage, however, can easily be overlooked by investigators unfamiliar with what to look for. Here are five key signs that may indicate cryptocurrency is being used to hide criminal fund swapping.

1. Phones and Computers

Check phones and computers for cryptocurrency-related applications and bookmarks. These could be either software wallets or cryptocurrency exchanges that the user accesses through the device.

Old, disconnected, and seemingly non-functioning computers could hold the private keys to cryptocurrency wallets. These devices should be evaluated for the following:

Figure 1: Some popular crypto apps available for download from the Apple App Store.

Mobile Wallets

Many mobile wallets are compatible with both Android and iOS devices, including iPads and other tablets. Examples include, but are not limited to:

Exchanges:

  • Abra
  • Binance
  • BitPay
  • Blockchain Wallet
  • CashApp
  • io
  • Circle
  • Coinbase
  • com
  • Gemini
  • Huobi
  • Paxful
  • Remitano
  • Uphold
  • Changelly
  • Shapeshift

Private Wallets:

  • Atomic Wallet
  • BRD
  • Exodus
  • Ledger Live
  • LiteWallet (Litecoin only)
  • Metal Pay
  • MyMonero (Monero only)
  • Trust
  • ZenGo

Bitcoin ATM Finders:

  • CoinATMRadar
  • LibertyX

Mobile wallets can be found by searching through a person’s applications or in the search bar. A search for “crypto” or “Bitcoin” can often reveal associated applications available on a user’s mobile device.

Cellebrite UFED, Cellebrite Physical Analyzer, and Cellebrite Responder can help you detect cryptocurrency apps installed on the mobile device much faster by using the “insights from installed apps” feature. Before conducting the mobile device data collection or while examining the collected data with Physical Analyzer, check the list of installed apps and look for the “cryptocurrency” category.

Figure 2: Cellebrite Physical Analyzer is a powerful tool that can unveil insights from installed apps.

Web Wallets

Web wallets must be accessed through a web browser such as Chrome, Safari, or Brave. They can be hosted or unhosted depending on a user’s needs and security preferences. Web wallets can also be found by looking through a person’s open tabs in their browser, bookmarks, search history, or even saved passwords. Many of the aforementioned mobile wallets also have corresponding web wallets.

Desktop Wallets

Desktop wallets are available as downloadable applications that can be run on a computer instead of through a web browser. These wallets are installable on operating systems such as Mac, Windows, and Linux. Below are some of the most common desktop wallets as noted by https://coinswitch.co/news/desktop-wallet.

2. Pocket Litter

“Pocket litter” or any other random papers should be evaluated for lists of seemingly random words. These lists are typically 12 words long, but some wallets support seed phrases of up to 33 words. If used in the correct order, these words could be used to recover a crypto wallet.

Figure 3: “Recovery seeds” can also be hidden within books, planners, and unrelated notes, or in plain sight as clear lists or metal backups.

Source: https://wiki.trezor.io/User_manual:Filling_out_your_recovery_card

Figure 4: This is an example of a steel wallet recovery seed.[i]

Figure 5: Recovery seed hidden in a daily planner.[ii]

Pocket litter should also be evaluated for Bitcoin ATM receipts. While many BATM receipts will say “Bitcoin” or some “bit” derivative thereof, some Bitcoin ATM receipts are less conspicuous than others. In more inconspicuous cases, phrases such as “ledger balance” can tip you off to crypto usage.

Figure 6: Pocket litter should be examined carefully for evidence like this EasyBit Bitcoin ATM receipt.[iii]

3. Authenticator Apps

Two-factor authentication is common practice to secure user accounts at cryptocurrency exchanges. Looking through authenticator apps can reveal ties to specific exchanges.

Figure 7: Google Authenticator codes like this can indicate an association with cryptocurrency exchange Coinbase.

4. Photos and Screenshots

Looking through a suspect’s photos can reveal valuable information such as recovery seeds, specific transactions, or wallet and exchange services used.

Figure 8: These screenshots show a BTC transaction sent through the BRD app.

5. Hardware Wallets

Hardware wallets come in all shapes and sizes, with some even looking like simple USB drives.

Figure 9: Here are some variations of hardware wallets that are commonly used.[iv]

List of Common Hardware Wallets

The following list consists of common hardware wallets investigators may run into:

| Make | Model | Link |
|---|---|---|
| Archos | Safe-T Mini | https://shop.archos.com/fr/hardware-wallet/588-archos-safe-t-mini.html |
| Archos | Safe-T Touch | https://shop.archos.com/us/hardware-wallet/719-archos-safe-t-touch-0690590037359.html |
| BC Vault | One | https://bc-vault.com/shop/bc-vault/ |
| Bitfi | | https://bitfi.com/ |
| Bitlox | | https://www.bitlox.com/ |
| Cobo | Vault Essential | https://shop.cobo.com/products/cobo-vault-essential |
| Cobo | Vault Pro | https://shop.cobo.com/products/cobo-vault |
| Cobo | Vault Ultimate | https://cobo.com/hardware-wallet/hardware-wallet-comparison |
| Coinkite | ColdcardMk3 | https://store.coinkite.com/store/coldcard |
| Coinkite | Opendime | https://opendime.com/ |
| Cool Wallet | S | https://www.coolwallet.io/product/coolwallet/ |
| D’CENT | Biometric Wallet | https://dcentwallet.com/Shop/detail/b15125cd52814be19a3f0edf54c8bc17 |
| Ellipal | Titan | https://www.ellipal.com/products/ellipal-titan |
| Elliptic Secure | MIRkey | https://ellipticsecure.com/order.html |
| Elliptic Secure | eHSM | https://ellipticsecure.com/order.html |
| Hash Wallet | | https://gethashwallet.com/ |
| KeepKey | Hardware Wallet | https://keepkey.myshopify.com/collections/frontpage/products/keepkey-the-simple-bitcoin-hardware-wallet |
| Keevo | Model 1 | https://www.keevowallet.com/collections/choose-your-keevo-wallet |
| KeyCard | | https://get.keycard.tech/ |
| Ledger | Blockchain Lockbox | https://www.blockchain.com/lockbox |
| Ledger | Nano X | https://shop.ledger.com/products/ledger-nano-x?r=9621 |
| Ledger | Nano S | https://shop.ledger.com/products/ledger-nano-s |
| Ledger | Blue | https://shop.ledger.com/products/ledger-blue?r=5c71&path=/products/ledger-blue&tracker=FINDERGX |
| Ledger | Blockstream Nano S | https://store.blockstream.com/product/blockstream-ledger-nano-s/ |
| Ngrave | Zero | https://www.ngrave.io/products/zero |
| SafePal | S1 | https://shop.safepal.io/products/safepal-hardware-wallet-s1-bitcoin-wallet |
| Secalot | Dongle | https://www.secalot.com/product/secalot-dongle/ |
| SecuX | V20 | https://shop.secuxtech.com/ |
| SecuX | W20 | https://shop.secuxtech.com/ |
| SecuX | W10 | https://shop.secuxtech.com/ |
| Shift Crypto | BitBox02 Bitcoin-only edition | https://shiftcrypto.shop/en/products/bitbox02-bitcoin-only-edition-4/ |
| Shift Crypto | BitBox02 Multi edition | https://shiftcrypto.shop/en/products/bitbox02-multi-edition-2/ |
| Trezor | Model T | https://shop.trezor.io/product/trezor-model-t |
| Trezor | One | https://shop.trezor.io/product/trezor-one-white |
| Trezor | Gray Corazon Titanium | https://gray.inc/collections/corazon-wallet |
| Trezor | Gray Corazon Stealth | https://gray.inc/collections/corazon-wallet |
| Trezor | Gray Corazon Gold | https://gray.inc/collections/corazon-wallet |
| XZEN | Wallet | https://xzen.io/wallet |
| | | https://en.bitcoinwiki.org/wiki/Hardware_wallet |

In a recent webinar poll, 56% of attendees indicated that they had not come across cryptocurrencies too often in their investigations. As the old saying goes, “you don’t know what you don’t know.” We’ve seen numerous cases where investigators inadvertently overlooked a long string of funny characters found on a device (aka a Bitcoin address) or a child’s spelling list jotted down on the side of a notebook (aka a seed list).
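A triage check for the overlooked “long string of funny characters” described above, as an added example that is not part of the original article or of any Cellebrite product: it scans extracted text for legacy Bitcoin addresses and keeps only those whose Base58Check checksum verifies, which filters out look-alike strings. It covers addresses starting with 1 or 3 only (not bech32 “bc1” addresses); the function names and the sample text are assumptions made for illustration.

```python
import hashlib
import re

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Legacy Bitcoin addresses: leading 1 (P2PKH) or 3 (P2SH), 26-35 Base58 chars,
# not embedded in a longer alphanumeric token.
CANDIDATE = re.compile(r"(?<![A-Za-z0-9])[13][1-9A-HJ-NP-Za-km-z]{25,34}(?![A-Za-z0-9])")
VERSIONS = {0x00: "P2PKH", 0x05: "P2SH"}


def decode_base58check(s):
    """Return the payload (version byte + hash) if the checksum verifies, else None."""
    n = 0
    for ch in s:
        idx = B58.find(ch)
        if idx < 0:
            return None
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    pad = len(s) - len(s.lstrip("1"))  # each leading '1' encodes one zero byte
    raw = b"\x00" * pad + body
    payload, checksum = raw[:-4], raw[-4:]
    expected = hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    return payload if checksum == expected else None


def find_addresses(text):
    """List (address, type) for every candidate whose checksum and version are valid."""
    hits = []
    for m in CANDIDATE.finditer(text):
        payload = decode_base58check(m.group())
        if payload and len(payload) == 21 and payload[0] in VERSIONS:
            hits.append((m.group(), VERSIONS[payload[0]]))
    return hits


# Constructed sample of text carved from a device. The first address is the
# publicly known Bitcoin genesis-block address; the second has its last
# character altered so the checksum fails.
SAMPLE = """wifi pw on fridge
send rest to 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa by friday
ref 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNb
build id 3f9a1c77e0b2
"""

if __name__ == "__main__":
    for addr, kind in find_addresses(SAMPLE):
        print(kind, addr)
```

A string that passes the checksum is almost certainly a real address rather than noise, so hits are worth carrying into a blockchain analysis tool.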

Whether you are a newly dubbed crypto investigator, or a digital forensic analyst looking to be proactive, check out our recent on-demand webinar to learn how cryptocurrency investigation capabilities integrate with your overall digital intelligence (DI) ecosystem.

[i] Retrieved September 23, 2020 from: https://blog.trezor.io/steel-bundle-trezor-one-cryptosteel-e02cadaeb4dc
[ii] Retrieved September 23, 2020 from: https://www.justice.gov/usao-or/page/file/1232626/download
[iii] Retrieved September 23, 2020 from: https://coinatmradar.com/blog/using-a-bitcoin-atm-satoshi1-machine-at-vape-dynamiks-in-athens-ga/
[iv] Retrieved September 23, 2020 from: https://www.reddit.com/r/Bitcoin/comments/80m8dy/just_a_quick_sizeform_factor_comparison_of_4/
