During the interrogation of the suspect Zhang in the '12.04' virtual currency pyramid scheme case handled by the Xinxian Public Security Bureau, he asked the police: 'I planned this project, and according to my idea, you cannot find the mastermind behind it at all; isn't cryptocurrency anonymous? How did you public security manage to do it?'
01. How do public security organs track currency flows and identify suspects?
Perhaps in earlier years, public security agencies in various regions lacked understanding of cases involving cryptocurrency, resulting in a low number of cases filed for investigation, leaving many victims without recourse.
However, as law enforcement agencies deepen their understanding of virtual currencies, their ability to track the flow of virtual currencies through on-chain data tracking and data analysis is also continuously strengthening.
A brief introduction to several common methods:
1. On-chain address association analysis
By analyzing transaction patterns through blockchain explorers (such as Tronscan, OkexChain), one can identify common inputs between addresses and fund aggregation patterns. For example, if multiple addresses frequently transfer funds to the same target address, it can be inferred that the same entity controls them.
Based on experience from cryptocurrency-related cases, this analytical method is most often applied in virtual currency pyramid scheme crimes and illegal gambling cases.
In the previously mentioned '12.04' virtual currency pyramid scheme case in Liaocheng, police found that the pyramid scheme platform generated multiple addresses through the TokenPocket wallet to aggregate funds, eventually leading the funds to the main address and withdrawing through the exchange. By analyzing the transaction frequency and scale of these addresses, they identified the masterminds.
In multiple illegal casino cases, the aggregation addresses used for revenue settlement between the casino and its payment settlement personnel likewise served as the breakthrough for identifying the people involved.
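The fan-in pattern described above (several collection wallets each repeatedly feeding one main address, which then pays out to an exchange) can be checked mechanically over a transfer list. The following is an added illustration, not code from the article or from any investigative tool; the transfer records, address names and the exchange deposit label are constructed for the example.

```python
from collections import defaultdict

# Constructed sample transfers (sender, receiver, amount, unix_time); not real chain data.
# Hypothetical names: wallet_1..wallet_4 are collection wallets, main_addr aggregates
# them, exch_deposit is an address already labelled as an exchange deposit address.
TRANSFERS = [
    ("wallet_1", "main_addr", 500, 1000), ("wallet_1", "main_addr", 700, 2000),
    ("wallet_2", "main_addr", 300, 1100), ("wallet_2", "main_addr", 400, 2100),
    ("wallet_3", "main_addr", 900, 1200), ("wallet_3", "main_addr", 100, 2200),
    ("wallet_4", "main_addr", 50, 1300),            # one-off payer, not a frequent feeder
    ("victim_a", "wallet_1", 500, 900), ("victim_b", "wallet_2", 300, 950),
    ("main_addr", "exch_deposit", 2800, 3000),      # cash-out hop
    ("shop", "cafe", 10, 1000), ("shop", "cafe", 10, 2000),  # benign repeat payment
]
KNOWN_EXCHANGE_DEPOSITS = {"exch_deposit"}

def aggregation_addresses(transfers, min_senders=3, min_txs=2):
    """Map each receiver to the senders that paid it at least min_txs times and
    keep receivers fed by at least min_senders such senders (fan-in pattern)."""
    per_receiver = defaultdict(lambda: defaultdict(int))
    for src, dst, _amt, _ts in transfers:
        per_receiver[dst][src] += 1
    found = {}
    for dst, senders in per_receiver.items():
        frequent = sorted(s for s, n in senders.items() if n >= min_txs)
        if len(frequent) >= min_senders:
            found[dst] = frequent
    return found

def control_clusters(transfers, **kw):
    """Heuristic from the article: an aggregation address and its frequent
    feeders are treated as one controlling entity; returns sorted clusters."""
    return [sorted(feeders + [agg])
            for agg, feeders in aggregation_addresses(transfers, **kw).items()]

def follow_outflows(transfers, start, known_exchanges, max_hops=5):
    """Walk the largest outflow hop by hop from `start` until a labelled
    exchange deposit address (the cash-out point) is reached or hops run out."""
    path, current = [start], start
    for _ in range(max_hops):
        outs = [t for t in transfers if t[0] == current]
        if not outs:
            break
        current = max(outs, key=lambda t: t[2])[1]
        path.append(current)
        if current in known_exchanges:
            return path
    return path

if __name__ == "__main__":
    for agg, feeders in aggregation_addresses(TRANSFERS).items():
        print(agg, "<-", feeders, "->", follow_outflows(TRANSFERS, agg, KNOWN_EXCHANGE_DEPOSITS))
```

The thresholds are deliberately simple; on real data the same fan-in check would be run with explorer exports and a curated list of exchange deposit addresses.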
2. Exchange KYC verification
Currently, most mainstream virtual currency exchanges (such as Binance, OKX, Huobi HTX) and digital wallet platforms (such as ImToken) publicly disclose their policies and rules for cooperating with law enforcement on their official websites, as well as dedicated channels for cooperating with mainland public security.
Law enforcement can send a letter of inquiry to the exchange by email, requesting the suspect's registration information, facial photos, investment information, deposit and withdrawal transactions, wallet addresses for the various currencies, fiat transactions, cryptocurrency exchanges, contract transactions, login IPs, MAC addresses, and other device information.
Additionally, exchanges will also freeze the virtual currency in the suspect's account at the request of law enforcement, with a freeze period of one year, but law enforcement agencies can apply for an extension before expiration.
3. Transaction fees (Gas fees), transaction hash tracking
Every successful virtual currency transaction requires a Gas fee paid in the chain's native token (TRX, ETH, etc.). When tracing the wallet address that received the stolen funds, investigators can look for the suspect's records of buying that Gas token from an exchange. For example, police analyze where the Gas fees of an implicated address came from and find that they were funded through a Binance account, thus locking onto that exchange account.
Each virtual currency transaction produces a unique transaction hash, which identifies the transaction and makes it tamper-evident. A transaction hash can be used to look up the transaction details, such as sender address, receiver address, amount, and transaction fee.
Investigators can provide the Gas fee transaction records and transaction hashes to the virtual currency exchange to obtain the suspect's KYC information (such as passport, ID card, email, phone number, etc.).
4. Device fingerprinting and IP association
Investigators can associate the operational behaviors of multiple addresses through the login IP and device ID (such as phone IMEI, MAC address) of the exchange or wallet, thereby locking onto the target.
In the MIT hacker brothers case, by analyzing the VPN logs and device fingerprints the suspect used, the FBI found that the suspect had logged into the same exchange account multiple times, and ultimately located him physically.
5. Cross-chain exchanges and mixer cracking
Many suspects believe that trading across chains or using mixers can better conceal their identities, but this is not the case.
Cross-chain tracking: tracking the flow of funds through cross-chain bridges (such as Bitcoin → Ethereum) using transaction hashes.
Mixer analysis: using on-chain fingerprint technology (such as transaction time, amount patterns) to identify the input and output addresses of mixers (such as Tornado Cash).
For example, when the U.S. Department of Justice recovered the Colonial Pipeline ransom, it analyzed the hacker's 'chain money laundering' path and ultimately intercepted the private key of a key address ending with the characters 'dh77gls'.
6. International cooperation and stablecoin freezing
For stablecoins like USDT, public security can request the issuer (such as Tether) to freeze the funds of the implicated address. Public security can also pursue international cooperation.
For example, in a cross-border online gambling case involving a money flow of 400 billion, solved by the Jingmen police in Hubei (the country's first 'virtual currency' case), it was reported that 'since the platform was settled entirely in virtual currency, the public security organs liaised with the virtual currency issuing organization to freeze the related accounts.'
For example, in the 55 million Ethereum theft case in Neijiang, Sichuan, it was reported that 'to solve this case, the Sichuan police carried out 14 rounds of international cooperation with Singapore, the United States, and the Netherlands, distilled a set of analysis techniques for blockchain address analysis, retrieved data from foreign virtual currency exchanges more than 70 times, and traced over 20,000 blockchain addresses.'
7. Backtrack from the final outflow
In most countries, virtual currencies held by suspects cannot be used directly for daily consumption, so black and gray market activity always has an outlet: exchanging virtual currency for fiat money. Those who assist with the fiat exchange become a breakthrough point for tracing the identities of the upstream criminals.
8. Abnormal transactions trigger risk control
The reason many people's bank cards are frozen is that frequent rapid inflow and outflow transactions triggered the bank's risk control system. The same applies in the Web3 world.
Generally, ordinary traders keep their funds on a platform for buying and selling rather than engaging in frequent, high-frequency large-scale transfers. Therefore, when tracking the flow of coins, an address showing rapid inflows followed by rapid outflows is treated as suspicious.
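One way to turn the rapid inflow/outflow rule above into a concrete check: score each address by the share of its inflows that are forwarded almost in full within a short window. This is an added example, not the article's or any bank's risk control logic; the transfers, addresses, window and thresholds are constructed assumptions.

```python
# Constructed sample transfers (sender, receiver, amount, unix_time); not real chain data.
TRANSFERS = [
    # pass_through receives and forwards within minutes, three times in a row
    ("payer_1", "pass_through", 1000, 100), ("pass_through", "next_hop", 995, 160),
    ("payer_2", "pass_through", 2000, 400), ("pass_through", "next_hop", 1990, 430),
    ("payer_3", "pass_through", 1500, 700), ("pass_through", "next_hop", 1500, 790),
    # holder receives funds and only sells on an exchange five days later
    ("payer_4", "holder", 1000, 100), ("holder", "exchange", 1000, 100 + 5 * 86400),
    ("payer_5", "holder", 500, 200),
]

def pass_through_score(transfers, address, window=600, min_fraction=0.9):
    """Fraction of inflows to `address` that are followed, within `window`
    seconds, by an outflow of at least min_fraction of the inflow amount."""
    inflows = sorted((ts, amt) for src, dst, amt, ts in transfers if dst == address)
    outflows = sorted((ts, amt) for src, dst, amt, ts in transfers if src == address)
    if not inflows:
        return 0.0
    hits = 0
    for ts_in, amt_in in inflows:
        if any(ts_in <= ts_out <= ts_in + window and amt_out >= min_fraction * amt_in
               for ts_out, amt_out in outflows):
            hits += 1
    return hits / len(inflows)

def flag_rapid_turnover(transfers, min_inflows=3, min_score=0.8, **kw):
    """Return {address: score} for addresses with enough inflows whose
    pass-through score meets the threshold (the 'rapid in, rapid out' pattern)."""
    flagged = {}
    for addr in {t[1] for t in transfers}:
        if sum(1 for t in transfers if t[1] == addr) < min_inflows:
            continue  # too little history to judge
        score = pass_through_score(transfers, addr, **kw)
        if score >= min_score:
            flagged[addr] = round(score, 2)
    return flagged

if __name__ == "__main__":
    print(flag_rapid_turnover(TRANSFERS))
```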
02. Conclusion
Criminals may mistakenly believe that:
Virtual currency transactions are anonymous, so investigators cannot pinpoint their true identities.
Virtual currency exchanges are all abroad, making it difficult for domestic public security to investigate and collect evidence.
Funds moved through cross-chain bridges and mixers cannot be tracked; and so on.
Therefore, they will recklessly engage in black and gray market transactions.
However, this kind of wishful thinking will ultimately only lead them into a deeper predicament.