"This project was indeed organized and planned by me. I want to know how you found the mastermind behind it. As I understand it, you shouldn't be able to find me; what are you relying on?"
The quote above comes from the '12.04' virtual currency pyramid scheme case disclosed by the Xinxian Public Security Bureau. The suspect, Zhang, puzzled at having been identified, put this question to the police during interrogation.
Many people involved in such cases have the same question. For example, they might ask me, 'Old Bai, you have also collaborated with Horgos and dealt with some confiscated BTC, ETH, SOL, USDC, and USDT. Can you share your experience? When doing this, I was abroad, and my supplier was also abroad. We usually communicated using TG (VPN), and messages would self-destruct. Isn't virtual currency trading anonymous? How can the police catch me?'
So today, let's talk about how public security tracks the transaction processes of virtual currencies in criminal cases and identifies the suspects' identities.
1: Are virtual currency transactions really anonymous?
As one application of blockchain technology, virtual currencies have advantages such as decentralization, privacy protection, reduced transaction costs, and high returns. However, their degree of anonymity often leads to misuse by criminals, making virtual currencies tools for money laundering and gray market transactions.
However, virtual currency is not entirely anonymous: the full transaction history is public on the blockchain, even though addresses are not directly tied to identities. In addition, because virtual currency exchanges must comply with Know Your Customer (KYC) and Anti-Money Laundering (AML) regulations, an address that touches an exchange can usually be linked to a verified person, which makes on-chain tracing far easier for law enforcement.
Since virtual currencies are recorded on a public, immutable ledger, gathering evidence from virtual currency transactions is actually quite favourable for law enforcement agencies.
2: How do public security agencies trace currency flows and identify suspects?
Years ago, local public security agencies lacked understanding of cases involving virtual currencies, resulting in a low number of filed investigations, leaving many victims without recourse.
However, as law enforcement agencies continue to deepen their understanding of virtual currencies, their ability to perform on-chain data tracking and analysis of virtual currency flows is also constantly improving. Here are a few common methods:
1. On-chain address association analysis
Using blockchain explorers (like Tronscan, OKLink) to analyze transaction graphs can identify common inputs between addresses and funding aggregation patterns. For instance, if multiple addresses frequently transfer funds to the same target address, it can be inferred that the same entity controls them.
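The two heuristics described above (common-input ownership and funding aggregation) can be implemented as a small graph analysis. The following is an added example, not code from the original article or from any explorer; every address, amount and transaction id in it is constructed, and the "EXCHANGE_DEPOSIT" label is an assumption standing in for an exchange deposit address that an investigator has already identified.

```python
"""Address association analysis over a constructed transaction set.

Added example (not from the original article). It applies the two heuristics the
article names: common-input ownership (addresses that co-sign inputs of one
transaction, UTXO model) and funding aggregation (many distinct senders feeding
one collection address). All addresses and transactions below are constructed.
"""
from collections import defaultdict

# Constructed sample transactions: input addresses and (output address, amount) pairs.
SAMPLE_TXS = [
    {"txid": "t1", "inputs": ["A1"], "outputs": [("M", 500)]},
    {"txid": "t2", "inputs": ["A2"], "outputs": [("M", 300)]},
    {"txid": "t3", "inputs": ["A3"], "outputs": [("M", 200)]},
    {"txid": "t4", "inputs": ["A1", "A4"], "outputs": [("M", 700)]},          # A1 and A4 co-spent
    {"txid": "t5", "inputs": ["M"], "outputs": [("EXCHANGE_DEPOSIT", 1700)]},  # sweep to exchange (assumed label)
    {"txid": "t6", "inputs": ["B1"], "outputs": [("B2", 50)]},                 # unrelated activity
]


class UnionFind:
    """Disjoint-set structure used to merge addresses into ownership clusters."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def cluster_by_common_input(txs):
    """Common-input heuristic: all inputs of one transaction belong to one owner.

    Returns a sorted list of sorted address lists (one per cluster)."""
    uf = UnionFind()
    for tx in txs:
        inputs = tx["inputs"]
        uf.find(inputs[0])                       # register single-input spenders too
        for addr in inputs[1:]:
            uf.union(inputs[0], addr)
    clusters = defaultdict(list)
    for addr in list(uf.parent):
        clusters[uf.find(addr)].append(addr)
    return sorted(sorted(c) for c in clusters.values())


def find_aggregation_addresses(txs, min_sources=3):
    """Aggregation heuristic: addresses funded by >= min_sources distinct senders.

    Returns {aggregation_address: sorted list of distinct senders}."""
    senders = defaultdict(set)
    for tx in txs:
        for out_addr, _amount in tx["outputs"]:
            for in_addr in tx["inputs"]:
                if in_addr != out_addr:          # ignore change paid back to self
                    senders[out_addr].add(in_addr)
    return {a: sorted(s) for a, s in senders.items() if len(s) >= min_sources}


def infer_entity_addresses(txs, min_sources=3):
    """Combine both heuristics: the aggregation address, its senders and every
    address co-spent with those senders are attributed to one controlling entity."""
    cluster_of = {a: c for c in cluster_by_common_input(txs) for a in c}
    entities = {}
    for agg, sender_list in find_aggregation_addresses(txs, min_sources).items():
        entity = {agg}
        for s in sender_list:
            entity.update(cluster_of.get(s, [s]))
        entities[agg] = sorted(entity)
    return entities


def outflows(txs, addr):
    """Where funds leave `addr`: the next hop (here, the exchange deposit address)."""
    return [(out, amt) for tx in txs if addr in tx["inputs"] for out, amt in tx["outputs"]]


if __name__ == "__main__":
    print("aggregation:", find_aggregation_addresses(SAMPLE_TXS))
    print("entity:", infer_entity_addresses(SAMPLE_TXS))
    print("M sweeps to:", outflows(SAMPLE_TXS, "M"))
```

On the constructed data, A1, A2, A3 and A4 all feed M, and A4 is additionally tied to A1 by the co-spend in t4, so the whole group plus M is attributed to one entity, and M's only outflow points at the exchange deposit where a KYC request would be directed.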
Based on Old Bai's experiences in handling virtual currencies with Horgos in Xinjiang, this analytical method is often used in virtual currency pyramid scheme cases and gambling-related cases.
In the aforementioned '12.04' virtual currency pyramid scheme case in Liaocheng, the police discovered that the pyramid scheme platform generated multiple addresses via the TokenPocket wallet to aggregate funds, eventually directing the funds to a main address and withdrawing through exchanges. By analyzing the transaction frequency and scale of these addresses, the masterminds were identified.
In the confiscated stablecoin and mainstream-coin cases I have handled, it was generally possible to reconstruct how a casino settled its revenue and paid its collection agents, again using the aggregation address as the breakthrough for identifying the individuals involved.
2. Exchange KYC verification
Currently, most mainstream virtual currency exchanges (such as Binance, OKX, HTX) and digital wallet platforms (like ImToken) publicly disclose their policies and rules for cooperating with law enforcement on their official websites, as well as dedicated channels for cooperation with local public security.
Law enforcement personnel can send a cooperation request to the exchange via email, requesting to retrieve the suspect's registration information, facial photos, financial information, deposit and withdrawal transactions, wallet addresses for each currency, fiat transactions, crypto-to-crypto transactions, contract transactions, login IP, MAC, and other device information.
Additionally, exchanges will freeze the virtual currencies in the suspect's account at the request of law enforcement, with a freezing period of one year, but law enforcement can apply for an extension before expiration.
3. Tracing Gas fees by transaction hash
Every successful virtual currency transaction requires payment of a Gas fee in the chain's native token (TRX / ETH / BNB, etc.). When tracing the wallet address at which the suspect received the illicit funds, one can also trace where the suspect obtained the native token used to pay those fees, for instance purchases of Gas from an exchange. If the police analyze the source of the Gas fees for the involved addresses and find that the fee funds were withdrawn from a Binance account, they can identify the exchange account.
In virtual currency transactions, transaction hashes ensure the uniqueness and immutability of the transaction; each transaction generates a unique hash value. The transaction hash can reveal transaction details such as sender address, receiver address, transaction amount, transaction fee, etc.
Investigators provide the transaction records and the transaction hashes of the Gas-fee funding transfers to the virtual currency exchange to obtain the suspect's KYC information (such as passport, ID card, email, phone number, etc.).
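The procedure in this section (find the native-token deposit that paid an address's fees, then identify the hashes to cite in a request to the exchange) can be expressed over a list of transfers. The following is an added example, not code from the original article; the addresses, hashes and the "HOT1" exchange label are all constructed, and the label table stands in for an investigator's own attribution data.

```python
"""Tracing who funded an address's Gas fees (added example, not from the article).

On account-model chains such as TRON, an address that only holds tokens cannot
move them until it has received some native token (TRX) to cover the fee, so the
native inflows that precede its first outgoing token transfer are the candidates
for "who bought the Gas". Senders are checked against a constructed label list
that stands in for an investigator's known exchange hot wallets.
"""
from dataclasses import dataclass

NATIVE = "TRX"


@dataclass(frozen=True)
class Transfer:
    txid: str
    ts: int          # unix seconds
    sender: str
    receiver: str
    asset: str       # NATIVE or a token symbol such as "USDT"
    amount: float


# Constructed label list (assumption): real work would use the investigator's own attribution data.
KNOWN_LABELS = {"HOT1": "Exchange-X hot wallet (constructed label)"}

# Constructed transfers around a suspect collection address "SUSP".
SAMPLE = [
    Transfer("h1", 1000, "HOT1", "SUSP", NATIVE, 40.0),      # small TRX top-up for fees
    Transfer("h2", 1100, "VICTIM1", "SUSP", "USDT", 9000.0),
    Transfer("h3", 1200, "VICTIM2", "SUSP", "USDT", 4000.0),
    Transfer("h4", 1300, "SUSP", "OUT1", "USDT", 13000.0),   # first outgoing token transfer
    Transfer("h5", 1400, "RANDOM", "SUSP", NATIVE, 3.0),     # later native inflow; could not have paid for h4
]


def gas_funding_sources(transfers, target, native=NATIVE):
    """Native-asset inflows to `target` up to its first outgoing token transfer.

    Only these transfers could have paid the fee on that first move."""
    token_outs = [t.ts for t in transfers if t.sender == target and t.asset != native]
    cutoff = min(token_outs) if token_outs else float("inf")
    return sorted(
        (t for t in transfers if t.receiver == target and t.asset == native and t.ts <= cutoff),
        key=lambda t: t.ts,
    )


def attribute_gas_funding(transfers, target, labels=KNOWN_LABELS):
    """(txid, sender, label-or-None) for each fee-funding transfer to `target`."""
    return [(t.txid, t.sender, labels.get(t.sender)) for t in gas_funding_sources(transfers, target)]


def exchange_request_hashes(transfers, target, labels=KNOWN_LABELS):
    """Transaction hashes an investigator would cite in a KYC request to the exchange:
    the fee-funding transfers whose sender is a labelled exchange wallet."""
    return [txid for txid, _sender, label in attribute_gas_funding(transfers, target, labels) if label]


if __name__ == "__main__":
    for txid, sender, label in attribute_gas_funding(SAMPLE, "SUSP"):
        print(txid, sender, label or "unknown")
    print("hashes for exchange request:", exchange_request_hashes(SAMPLE, "SUSP"))
```

The cutoff at the first outgoing token transfer matters: a native deposit arriving later (h5 above) cannot have paid for that transfer, so it is excluded rather than sent to the exchange as a false lead.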
4. Device fingerprint and IP association
Investigators can use the login IPs and device identifiers (such as a phone's IMEI or MAC address) recorded by exchanges or wallets to link the operation of multiple addresses to one user and thus identify the target.
In the MIT hacking brothers case, the FBI analyzed the VPN logs and device fingerprints used by the suspects, discovering that they frequently logged into the same exchange account, ultimately locating their physical position.
5. Cross-chain swaps and mixer analysis
Many suspects believe that transacting across chains or using mixers can better conceal their identities, but this is not the case.
Cross-chain tracking: Tracing the fund transfer path through the transaction hash of cross-chain bridges (e.g., Bitcoin → Ethereum).
Mixer analysis: Using on-chain fingerprinting techniques (such as transaction time, amount patterns) to identify input and output addresses of mixers (like Tornado Cash).
For example, when the U.S. Department of Justice recovered ransom from the Colonial Pipeline, they analyzed the hacker's 'chain laundering' path and ultimately intercepted the private key of a critical address ending with 'dh77gls'.
6. International cooperation and stablecoin freezing
For stablecoins like USDT, law enforcement can require the issuer (such as Tether) to freeze funds at the involved addresses. International cooperation can also be conducted.
For example, in a cross-border online gambling case involving 400 billion yuan that was cracked by the police in Jingmen, Hubei (the 'first national virtual currency case'), it was reported that 'since the platform settled entirely in virtual currencies, the public security agency coordinated with the virtual currency issuing institution to freeze the relevant virtual currency accounts.'
For instance, in the 55 million Ethereum theft case in Neijiang, Sichuan, it was reported that 'to solve this case, Sichuan police conducted 14 international cooperations with Singapore, the United States, and the Netherlands, refining a set of techniques for analyzing blockchain addresses, retrieving data from overseas virtual currency exchanges over 70 times, and tracing over 20,000 blockchain addresses.'
7. Reverse tracing from the final outflow
In most countries, the virtual currencies held by suspects cannot be directly used for daily consumption, so black and gray market transactions always have an outlet, which is to exchange virtual currencies for fiat money. Thus, those who assist in exchanging fiat money become a breakthrough in tracing the identities of upstream criminals.
8. Abnormal transactions triggering risk control
Many people's bank cards are frozen due to frequent rapid in-and-out transactions triggering the bank's risk control system. The same principle applies in the Web3 world.
Ordinary traders generally keep their funds on a platform to buy and sell there, rather than moving large amounts in and out at high frequency. Therefore, when tracking currency flows, an address that shows rapid inflows immediately followed by outflows will be considered suspicious.
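The "fast in, fast out" pattern described here can be turned into a simple risk rule over a transfer list. The following is an added example, not code from the original article or from any risk-control system; all addresses and transfers are constructed, and the window and ratio thresholds are assumptions chosen for illustration.

```python
"""Flagging rapid pass-through ("fast in, fast out") addresses.

Added example, not from the original article. It pairs each inflow to an address
with the outflows of the same asset that follow within a short window; when the
outflows move most of the inflow, that counts as one pass-through event. An
address with several such events looks like a collection or layering wallet
rather than a trader who leaves funds on a platform. All transfers are constructed.
"""
from collections import defaultdict

# Constructed transfers: (unix_ts, sender, receiver, asset, amount)
SAMPLE_TRANSFERS = [
    (0,     "P1",     "MULE",   "USDT", 1000.0),
    (120,   "MULE",   "OTC1",   "USDT", 990.0),
    (1000,  "P2",     "MULE",   "USDT", 2000.0),
    (1100,  "MULE",   "OTC1",   "USDT", 1995.0),
    (2000,  "P3",     "MULE",   "USDT", 500.0),
    (2050,  "MULE",   "OTC2",   "USDT", 500.0),
    (0,     "P4",     "TRADER", "USDT", 1000.0),
    (50000, "TRADER", "EXCH",   "USDT", 300.0),   # slow, partial: ordinary behaviour
]


def _outflows_by_key(transfers):
    """Index outflows as {(sender, asset): [(ts, amount), ...]}."""
    index = defaultdict(list)
    for ts, sender, _receiver, asset, amount in transfers:
        index[(sender, asset)].append((ts, amount))
    return index


def pass_through_events(transfers, window=600, min_ratio=0.9):
    """Return {address: [dwell_seconds, ...]}, one entry per pass-through event.

    An inflow of X at time t is a pass-through event if outflows of the same asset
    in [t, t + window] total at least min_ratio * X. Dwell is the delay to the
    first such outflow. Thresholds are illustrative assumptions."""
    outs = _outflows_by_key(transfers)
    events = defaultdict(list)
    for ts, _sender, receiver, asset, amount in transfers:
        later = sorted((t, a) for t, a in outs.get((receiver, asset), []) if ts <= t <= ts + window)
        if amount > 0 and sum(a for _, a in later) >= min_ratio * amount:
            events[receiver].append(later[0][0] - ts)
    return dict(events)


def flag_rapid_pass_through(transfers, min_events=3, window=600, min_ratio=0.9):
    """Addresses with at least min_events pass-through events, with their mean dwell time."""
    events = pass_through_events(transfers, window, min_ratio)
    return {
        addr: {"events": len(d), "mean_dwell_s": sum(d) / len(d)}
        for addr, d in events.items()
        if len(d) >= min_events
    }


if __name__ == "__main__":
    for addr, info in flag_rapid_pass_through(SAMPLE_TRANSFERS).items():
        print(f"{addr}: {info['events']} pass-through events, mean dwell {info['mean_dwell_s']:.0f}s")
```

On the constructed data only MULE is flagged: three inflows each leave again within minutes at nearly full value, while TRADER's single inflow sits for days and only partially leaves, which is the ordinary behaviour the text contrasts it with.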
Summary:
Criminals may mistakenly believe that virtual currency transactions are anonymous, thus investigators cannot trace their true identities; that virtual currency exchanges are all abroad, making it difficult for domestic police to investigate and gather evidence; and that cross-chain transactions and mixers cannot be tracked. Therefore, they engage in black and gray market transactions without restraint. However, this sense of invulnerability will ultimately lead them into deeper trouble.