Cryptocurrency Traceability: Unraveling Underlying Assumptions

The purported “traceability” of cryptocurrency is routinely touted as the foil to criminal use of crypto.

This specious line of reasoning claims that since cryptocurrency is “traceable,” bad actors would be foolish to use it.

Yet there is an ever-growing list of crypto hacks, crypto thefts, crypto scams, bitcoin ransomware events, etc. that proves bad actors use crypto regardless of purported cryptocurrency traceability.

Below, I unravel underlying assumptions about cryptocurrency traceability.

(1) Just because…a crypto transaction occurred, does not mean that the transaction was recorded on the blockchain.

The biggest myth in crypto is that “all crypto transactions are recorded on the blockchain.”

Most crypto transactions occur within exchanges. The exchange transactions occur on private ledgers and internally match buyers and sellers. These transactions are not posted on the blockchain.

Therefore, there is no record of the internal crypto exchange transaction to trace on the blockchain.

(2) Just because…a crypto transaction was recorded on the blockchain, does not mean that the cryptocurrency is traceable.

Bad actors can use a variety of obfuscation techniques to thwart on-chain tracing. For example, decentralized exchanges, mixers, privacy coins, side-chains, chain-hopping, moving cryptos in and out of exchanges or crypto casinos, all hinder tracing of on-chain transactions. Additionally, all blockchains are not created equal. Some blockchains have enhanced privacy which hinders traceability.

(3) Just because…a cryptocurrency transaction is traceable, does not mean that the transaction has been attributed. Or that the attribution is correct.

There is no universally agreed-upon definition of blockchain “attribution.” Some commentators define attribution as “links” or “ties” between an address and a real-world person or entity, while others more broadly link an address to an event.

The following may all be considered attribution in blockchain analytics:

  • A ransomware event where the bad actor is unknown
  • A hack event where the hacker is unknown
  • A ransomware event or hack undertaken by a known cybercrime group composed of unknown individuals
  • A wallet linked to a Twitter or Discord handle
  • An address linked to an offshore exchange with unknown ownership
  • A wallet linked to a mining pool composed of unknown individuals
  • A DEX or DAO with unknown individual controllers/managers
  • A darknet market with unknown owners

What Percent of Addresses Have Been Attributed?

There is a dearth of data on what portion of cryptocurrency addresses have been attributed. One of the few data points available is from a 2020 Chainalysis report that found 43% of bitcoin flows were between one unknown address and another unknown address. The report also identified additional bitcoin flows between unknown addresses “in transit to exchanges.”

Glassnode reports that as of December 2023 over 1.2 billion unique bitcoin addresses have appeared in transactions. However, bitcoin is just one of many cryptocurrencies, with other cryptos having hundreds of millions of additional addresses. If, for instance, one-third of addresses are unattributed, that would mean hundreds of millions of crypto addresses do not have attribution.

The NYDFS acknowledged that blockchain analytics vendors “may have limited attribution capability.” TRM and Chainalysis both concede that attribution may be missing or even incorrect. Finally, Google “mysterious bitcoin whale” to see all the unattributed wallets holding large amounts of bitcoin.

How Reliable is Attribution?

Blockchain analytics vendors do not always agree on attribution.

For example, the Second 12-Month Review of Revised FATF Standard on Virtual Assets and VASPs found:

“While the collected data on illicit usage varies dramatically between [blockchain analytics] providers, thus not reflecting a clear trend towards increasing or decreasing illicit virtual asset transfers, all of the companies identified some proportion of illicit bitcoin activity between 2016-2020. The results not only demonstrate that there are ML/TF risks associated with virtual assets, but also that the estimates are quite different. This suggests that there is considerable uncertainty among the analytics companies, with an extremely large difference between the high and low estimates.” (pg. 29)

Also consider that the U.S. government pays for a service to reconcile the attribution data across blockchain analytics companies.

Per a Coindesk article about Blocktrace’s Fusion product:

Think of Fusion as a bridge between crypto tracers’ data silos. One tracing firm might know bitcoin address xyz123 transacted on the dark web, and a separate transaction database knows that the same address likely violated sanctions. With Fusion, MaGruder [Blocktrace CEO] said, investigators can access both bread crumbs in a single place.

“Whether it be CipherTrace or Elliptic or the anti-human trafficking intelligence initiative, or other data partners for that matter,” Fusion can pool the data for easy access, MaGruder said, arguing this “makes the picture more complete.”

Finally, a criminal case has raised questions about whether the methodologies (aka “heuristics”) used by a blockchain analytics vendor have been audited, have a known margin of error (false positives and false negatives), or have been scientifically tested. While this case involves one specific analytics vendor, these same questions should be asked of all vendors.

(4) Just because…a cryptocurrency transaction is traceable and attributed, does not mean that the transaction has been de-anonymized.

Only one word is needed to demonstrate this: Satoshi.

Satoshi’s bitcoin transactions are on-chain, traceable and attributed, but the identity of the person conducting these transactions is unknown after 15 years of on-chain traceability.

De-anonymization connects the name of a person to a given transaction.

Tracing ≠ De-Anonymization

Tracing and de-anonymizing are often conflated.

I can use the Find My Phone app to trace my stolen iPhone, but it doesn’t mean that I know who stole my phone. Even if I track my stolen phone to a house where I identify the homeowner via public property records, I still don’t know who stole my phone. Maybe the owner is renting the house, or they have a roommate, or the house is used as an Airbnb.

Similarly, even if you can trace crypto to an address that has been “attributed” to an entity (exchange, dark market, etc.), that alone may not tell you who stole your bitcoin. This is the “fingers on the keyboard” issue.

(5) Just because…a cryptocurrency wallet has been correctly attributed and de-anonymized, does not mean that the cryptocurrency in that wallet is seizable.

Returning to the stolen iPhone example, even if I can trace my phone and see exactly where it is and who has it, that doesn’t mean I’m going to get it back. What if my iPhone is in China or North Korea or Nigeria? Good luck.

The same holds for crypto. Major crypto hacks have been attributed to North Korea. Ransomware attacks have been attributed to Russia. The U.S. has sanctioned groups such as the Russian crypto exchange Garantex which continues to operate post-sanctions.

Even when we know who has the illicit crypto, without the private keys or a cooperative exchange, neither the government, blockchain analytics vendors, nor “crypto recovery” specialists can seize the crypto.

(6) Just because…cryptocurrency was seized by the government, does not mean that it will stay seized.

In multiple instances, cryptocurrency seized by the government was stolen from the government after the seizure.

For example, the brother of a man on trial for operating an unlicensed mixer used the private keys to steal the crypto from the government. Per the DOJ:

Law enforcement seized various assets, including cryptocurrency storage devices containing Larry Harmon’s illegal proceeds generated through the operation of Helix, which were subject to forfeiture in the criminal case. However, law enforcement was initially unable to recover bitcoin stored on the device due to the device’s additional security features.

Knowing that the government was seeking to recover the bitcoin stored on the seized device for forfeiture in Larry Harmon’s criminal case, Gary Harmon used his brother’s credentials to recreate the bitcoin wallets stored on the device and covertly transfer more than 712 bitcoin, valued at approximately $4.8 million at the time, to his own wallets—stealing those funds and obstructing the pending criminal forfeiture.

In another example, a corrupt Secret Service agent admitted to using a private key to access a digital wallet belonging to the US government, and subsequently transferring the bitcoin to other digital wallets at other bitcoin exchanges to which only he had access.

Finally, in 2023, the DEA lost over $55,000 in Tether it had seized during a drug proceeds laundering investigation. Forbes reported that a scammer airdropped the DEA a fake address that mimicked a US Marshals address, and the DEA sent $55,000 in Tether to the fake address.

(7) Just because…cryptocurrency was seized and returned to victims, does not mean that the damage to the victims was undone.

Consider the impacts of ransomware: businesses that paid bitcoin ransoms have gone out of business, patients were diverted to other hospitals when healthcare facilities were under attack, and drivers sat waiting at gas pumps for hours. This type of damage is not undone because a portion of the ransom is later recovered.

In addition, crypto prices swing wildly, which can affect the value recovered by victims. The recent large bitcoin recoveries (Razzlekhan and the Silk Road hacker hiding bitcoin in a popcorn tin) were from hacks that occurred 8 and 12 years ago respectively. At the time of these hacks, bitcoin was only worth about $13 in December 2012, and a few hundred dollars in 2016.

The opposite may now hold true. For example, if a business paid a ransom of 10 bitcoin in November 2021, when the price was around $60,000 ($60,000 * 10 = $600,000), and recovered the bitcoins in January 2024 at $40,000 per bitcoin, the business would have lost about $200,000 in value.

_________________________

In some instances, law enforcement has been able to trace and seize cryptocurrency. That is rightly celebrated.

However, cryptocurrency tracing and seizure are the exception, not the rule. And they certainly don’t make victims of sextortion, CSAM, human trafficking, or fentanyl overdoses whole.
