20 August 2018

Crypto blockchain analysis: the tool for criminal investigations and AML & KYC requirements

Nicholas Cooper

Deputy CFO at Crypto Fund AG

The Crypto Privacy Myth

Crypto and Bitcoin are terms synonymous to many with secrecy and illegality. Stories of drug dealing, tax evasion and money-laundering have dominated the press on Bitcoin in earlier years. Many consequently, and wrongly, assume crypto to be a cover for criminal activity.

In fact, Bitcoin and the majority of other crypto assets provide safeguards against criminal use. They are public blockchains where each coin’s history and chain of ownership are permanently and publicly logged. The journey of a coin can be traced back in time – and it can be followed going forward. Compare this to a bank note, with no such history attached to it. These permanent records mean Bitcoin does not offer the same level of privacy as cash.

Governments and other institutions are able to gather a large amount of data from public blockchains. Had the transactions occurred with traditional money such information would not be available.

A number of innovative firms are using proprietary intelligence tools to analyse blockchains to create reports for anti-money laundering (AML), counter-terrorism regulatory (CTR) and know-your-customer (KYC) requirements. They search the public, and freely accessible, blockchain to build a historic picture of the blockchain addresses and transactions.

Shift in Criminal Activity

New technologies are often first adopted by those with questionable intents. Early use of the internet was disproportionately for unsavoury and illegal purposes.

The crypto market has entered a maturing and exchange-dominated stage. The time when illegal and unethical activity made up the majority of transactions is now history. In the early years, criminals could hide behind Bitcoin when no one was looking and when it was little understood. A paper (published by Paolo Tasca, Shaowen Liu and Adam S. Hayes of University College London, Deutsche Bundesbank and University of Wisconsin-Madison respectively) concludes that the crypto market has moved away from mainly illegal activity towards a market dominated by legitimate merchants.

A sample study on Bitcoin Laundering by the blockchain analysis firm Elliptic finds the vast majority of funds received by conversion services (e.g. crypto exchanges) do not appear to be illicit. The study notes that the volume of coins previously used on the Bitcoin network for illicit reasons entering conversion services has decreased over time. Another firm, Chainalysis, reported “the share of Bitcoin transactions sent to darknet markets has declined from 30% in 2012 to less than 1% in 2017”. These studies concur that the relative decline of Bitcoin usage in the darknet is largely a consequence of the rise of legitimate uses of the Bitcoin network.

USD currency is used for terrorist financing, money laundering and drug dealing. The common mistrusting view of Bitcoin starts to look unjustified when comparing the low levels of illicit activities using Bitcoin against the levels of criminal activity using USD.

The real current concern regarding illegal activity in crypto is its use as a way to obtain cyber ransom proceeds (Elliptic’s study finds that 16% of illicit Bitcoins entering conversion services came from ransomware in 2016, compared to just 0.5% in 2013). Such ransom is most commonly demanded in cybercrime and ransomware attacks (e.g. hacking and taking control of an entity’s system, then demanding crypto as ransom).

Blockchain Analysis for Forensic Investigation and Law Enforcement

Analysis of a blockchain, combined with other data sources, can provide game-changing information and data. Governments, regulators, secret services and law enforcement agencies are using data analysis of blockchains.

Natural persons behind crypto transactions are identified at the point of “fiat gateway”. This is where, at some point, the individual exchanged crypto for their fiat currency (or vice versa). The crypto transactions can be followed to the fiat gateway. The firm providing the fiat gateway (e.g. a fiat-to-crypto exchange website) provides law enforcement agencies with the identifying data on the individual. As the availability of direct crypto purchases of goods and services increases, the range of fiat gateways will open up. Depending on the size of the transaction, identity verification may or may not be required (as with current traditional transactions). The burden will be on the vendors to meet regulations for acceptance of crypto payments.

The US Department of Justice used the “immutable, digital footprints” of the Bitcoin blockchain to identify a federal agent working undercover on the Silk Road Task Force who was abusing his power and selling information to obtain crypto. Leaked papers from the US National Security Agency (NSA) indicate they are delving into the blockchain to gather data and locate individuals.

Blockchain analysis companies Coinfirm, Neutrino, Chainalysis, Elliptic, Blockchain Intelligence Group and CipherTrace provide services to law enforcement agencies, intelligence agencies and regulators in blockchain surveillance and forensic investigation. These companies assist in tracking criminally obtained funds and in investigations of money laundering, ransomware and the darknet.

Chainalysis were the official investigators in the Mt. Gox bankruptcy case (a Bitcoin exchange that went into bankruptcy after losing a large number of funds). They have also contracted with many US government agencies including the DEA, FBI and IRS, worked with Dutch police to track down criminals involved in darknet markets and have successfully identified the attacker in a ransomware case.

Elliptic was engaged by a law enforcement agency to identify an individual using Bitcoin for illegal firearms trafficking and has engaged with the FBI, Homeland Security, IRS and SEC. They also investigated the flow of funds related to a Russian hack.

Neutrino collaborated with Sophos to trace and interpret crypto flows involved in the ongoing SamSam ransomware threats.

Blockchain Intelligence Group has established an office in Washington D.C. to keep close proximity to key federal agencies and provides law enforcement and regtech services.

Despite the use of advanced and obfuscating crypto strategies intended to hide identities, criminals are being foiled by blockchain analysis and intelligence. Governments are using the new public technology to their advantage. They are benefiting from the transparent feature of blockchains.

Blockchain Analysis for AML and KYC

These same blockchain analysis companies use their proprietary software and methodologies to provide comprehensive reports on fund origin checks and risk assessments for AML, CTF and KYC requirements.

Blockchain analysis companies provide individual credit risk ratings for each address – every coin is not equal. This is because the Bitcoin network stores all transaction history, which is immutable (it cannot be altered). A coin can be considered “tainted” (see next section) if it is linked to previous illegal transactions. For example, an address receives an A rating where no risks were identified and a C rating when it has been linked to ransomware attacks. Crypto exchanges, financial institutions and ICOs use these ratings for AML and KYC purposes.

Figure 1. Extract of example AML/KYC risk report on Bitcoin address by Coinfirm. Search and check blockchain addresses to get initial AML and financial risk assessment results for free.

Note this diminished fungibility (fungibility being where one unit is equally interchangeable for another) is unlike fiat cash. An A rated Bitcoin address is not equal to a C rated Bitcoin address, as the lower rated coins will be rejected by financial institutions and crypto exchanges, whereas one USD is legally equal to another one USD.

Coinfirm has collaborated with Iconiq Lab (an ICO accelerator) to provide AML services for their ICO partnerships. They have also partnered with Payment21 (a Swiss-based crypto payment processing firm) and with Billion (a blockchain based payment platform). Coinfirm is launching their AML token (AMLT) designed to enhance their data knowledge by encouraging members to provide AML ratings and information in exchange for tokens.

Chainalysis is working with Barclays and Circle to provide information used to investigate the source, activity and destination of their client’s crypto funds.

Blockchain Intelligence Group has contracted with a number of firms to provide crypto risk assessment and compliance services such as with ATB Financial.

These modern approaches to AML and KYC are accelerating the crypto industry’s integration into the mainstream system and into existing regulatory requirements.

How to Analyse the Blockchain

The scope of public blockchain information available depends on the blockchain, but the Bitcoin blockchain holds a lot of data. It can be publicly accessed by anyone. Websites such as provide free and easy-to-use interfaces to extract blockchain information.

Figure 2. 3D2oetdNuZUqQHPJmcMDDHYoqkyNVsFk9r is a known Bitfinex Crypto Exchange (the company, not a user) wallet address – enter this into a blockchain explorer site.

Every address (typically held in a wallet) and every transaction address can be searched on the Bitcoin blockchain.

Key transaction data available:

  • Size in BTC
  • Fees
  • Timestamp
  • Origin addresses
  • Destination addresses

Key address data available:

  • Total coins sent
  • Total coins received
  • Final balance
  • Number of transactions

This raw data, along with other information obtained, is used to create the AML, KYC and CTR reports. For example, analytics can be performed to categorize wallets into types of users (such as wallets owned by crypto market exchanges or private wallets) based on their transactional behaviour. Judgement is then made on the groups and on the quality of their crypto holdings. Another method involves clustering – where multiple transactions and addresses can be linked together and associated with one owner. The owner is identified at a fiat gateway, or via alternative methods such as investigating an identity from their online public mentioning of a crypto address (for donations or payment requests).

A publication by Imperial College London visualises actual Bitcoin transactions and clearly identifies certain behaviour. For example, figure 3.1 shows how a firm can link many small payments to the same transaction and figure 3.3 shows a historic pathway of transactions from user to user. Explore the Bitcoin blockchain by amending the block numbers in the URL to visualise block transactions.

Figure 4 Visualisation of actual Bitcoin transactions: As coins move via transactions between addresses the history is saved and judgements are made on their journey.

Importantly, it is established if a coin has a questionable history. This is when the coin has entered services such as mixers (services that mix crypto to obscure their historic trail) or to wallet addresses that are already known to be associated with illegal activity. At this point, the coin is tainted and this is factored into the blockchain analytic companies’ reports.
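As an added illustration of the clustering and tainting steps described above (this is not code from the article or from any of the firms it names), the following Python example links addresses that are spent together in one transaction and then passes taint forward from a flagged address. The co-spending rule, the proportional ("haircut") taint model, the A/B/C threshold and all sample addresses are assumptions made for the example; fees are ignored.

```python
from collections import defaultdict

# Constructed sample transactions (not real chain data), in chronological order.
# inputs = origin addresses, outputs = destination addresses, values in BTC.
TXS = [
    {"inputs": {"A1": 1.0, "A2": 0.5}, "outputs": {"B1": 1.5}},
    {"inputs": {"A2": 0.3, "A3": 0.4}, "outputs": {"C1": 0.7}},
    {"inputs": {"M1": 0.5, "M2": 0.5}, "outputs": {"B1": 0.5, "X1": 0.5}},
    {"inputs": {"B1": 2.0}, "outputs": {"D1": 2.0}},
]
FLAGGED = {"M1"}  # assumed watch-list entry, e.g. a known mixer address

def cluster(txs):
    """Group addresses that were spent together as inputs of one transaction."""
    parent = {}
    def find(a):
        while parent.setdefault(a, a) != a:
            a = parent[a]
        return a
    for tx in txs:
        first, *rest = tx["inputs"]
        for other in rest:
            parent[find(other)] = find(first)
    groups = defaultdict(set)
    for a in list(parent):
        groups[find(a)].add(a)
    return list(groups.values())

def taint_ratios(txs, flagged):
    """Haircut model: each output inherits the tainted share of its transaction."""
    sources = set(flagged)
    for group in cluster(txs):
        if group & sources:
            sources |= group  # co-spent addresses inherit the flag
    received, tainted = defaultdict(float), defaultdict(float)
    def ratio(addr):
        if addr in sources:
            return 1.0
        return tainted[addr] / received[addr] if received[addr] else 0.0
    for tx in txs:
        ins = tx["inputs"]
        share = sum(v * ratio(a) for a, v in ins.items()) / sum(ins.values())
        for addr, value in tx["outputs"].items():
            received[addr] += value
            tainted[addr] += value * share
    return {a: round(ratio(a), 4) for a in set(received) | sources}

def rating(ratio, threshold=0.2):  # hypothetical A/B/C scale and threshold
    return "A" if ratio == 0 else ("C" if ratio >= threshold else "B")
```

In the sample data M2 is never flagged directly, yet it is treated as a taint source because it is spent alongside M1; without the clustering step, B1 and D1 would score lower.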

The Right to Privacy

Many crypto enthusiasts value the importance of privacy, anonymity and freedom from central authorities such as governments. The advancements in blockchain analysis by governments may be seen by some as an attack on their principles of crypto. They will look for alternative ways to pursue their goals.

“Privacy coins”, such as Monero and Zcash, help make transactions anonymous. Other services, such as mixers and unregulated crypto exchanges, are used to attempt to blur the historic linkages. It is expected that while most governments are now moving forward to provide a regulatory framework to support the crypto industry, they are likely to exclude privacy coins from what is permitted.

Evolution of the Industry

A large amount of useful information can be obtained on analysis of a Bitcoin transaction. It is information that never would have been available had the transaction occurred with cash.

Blockchain analysis firms are helping crypto become mainstream by using technology to provide robust KYC/AML services and to assist in forensic investigations. Regulated institutions are using these services to invest in the industry. A deeper understanding of the assumptions used by the blockchain analysis companies is required to strengthen their acceptability for KYC and AML regulatory requirements.

Leading financial service firms in the emerging crypto market are taking a professional and proactive approach to regulatory requirements, using blockchain analysis to enhance their AML and KYC procedures. The continual collaboration of governments, regulators and other agencies with the crypto world is helping establish stability in the industry.