Lawrence Stephens

Matt Green explores the tracing and recovery of stolen cryptoassets in FTAdviser

August 2024

Director and Head of Blockchain and Digital Assets and Technology Disputes, Matt Green, explores the challenges of tracing stolen crypto and discusses how the recovery of digital assets is a real, established and carefully considered process.

Matt’s article was published in FTAdviser, 27 August 2024, and can be found here.

Recently, an American law firm asked for strategic advice on a multi-million-dollar crypto recovery case. Their plan was to use securities laws, which required the scammers’ genuine identities from the outset. The list of defendants was endless: bogus usernames, individuals across the globe using VPNs, spurious connections based on social media. It was clear that not everyone is familiar with the alternative method: follow the money and the ghosts materialise.

According to the Chainalysis 2024 Crypto Crime Report[1], revenue from different species of crime, including romance/pig-butchering scams, jumped from $5.9 billion in 2022 to $6.5 billion in 2023. Similarly, Immunefi’s Crypto Losses in Q2 2024 report[2] details a 112% rise in hacks and scams compared with the previous year. Although crypto-assets are at play in these cases, to quote Aidan Larkin of Asset Reality, Ari Redbord of TRM Labs, and Nick Furneaux of both, “there is no such thing as crypto crime”. Instead, if we treat it like any other crime, we remove the inertia and can start the recovery process.

For many, the hope of recovery dies on the pretence that the assets disappear into the ether, that bad actors are sophisticated masked hackers in faraway lands, that processes for recovery lack maturity or that authorities have no appetite. In the clearest terms, recovery of crypto-assets, or their equivalent monetary (fiat) value, is a very real, established and carefully considered process.

That said, hackers and fraudsters dealing in crypto-assets do operate in increasingly sophisticated ways.

Examples Of Hacks And Scams

In 2019, a Canadian hospital was hit with a ransomware attack demanding $1,200,000 to recover the data. Computer screens read: “No free decryption software is available on the web… You have to make the payment in Bitcoins”. Here, my task was to help trace the Bitcoin paid using blockchain analytics tools and prepare novel Court procedures to freeze funds. This now seminal case, AA v Persons Unknown, set the precedent that “a crypto asset such as Bitcoin is property” – the genesis of all crypto-asset recovery cases.

Over the past few years, I have acted on matters involving a North Korean-sponsored $100 million hack at a major crypto exchange; scams in which the perpetrators utilise dating apps (including blackmail after the victim sends explicit photos); and fake investment platforms promoted via forums like Reddit which promise lucrative returns, falling apart when the return of capital and profits is refused until further withholding taxes (not a real thing here) are paid, usually via bank transfer. A contact of mine once met with Disney executives to pitch a Web3 gaming product, only to immediately receive a convincing phishing email offering a contract, which led to the complete drain of his crypto-wallet. Another attended a gaming event showcasing facial-recognition technology, which was later exploited to side-line iPhone biometric safeguards, leading to the loss of significant crypto-assets.

Most heartbreakingly, my client lost her husband following a heart attack and was manipulated by an individual in a Facebook group called “I Miss My Husband” into transferring over £500,000 worth of Tether (a stable coin designed to hold value against the US dollar) to a fraudster. Funds were traced to individuals in South East Asia, with certain physical addresses including a human organ harvesting facility in Myanmar, which resulted in the recovery of funds. This is not merely naivety – rather, these are highly sophisticated scams that prey on emotions, utilise data that is designed to instil trust, or succeed by virtue of a small mistake, like falling for phishing.

All too often, it seems there is no recourse for victims. However, recovery is not only possible but in fact a real and effective process.

Tracing Shadows

The first step is to instruct investigators who utilise blockchain analytics software to trace the funds. Where a victim has paid a threat actor (the thief/scammer) in cryptocurrency, there will be an immutable public record of the transaction, including the blockchain address receiving the funds and a transaction identifier. Some might point to issues in tracing, like mixing services which seek to obfuscate the movement of funds. The trend leans towards shutting these facilities down: consider the now sanctioned Tornado Cash. Also, mixing software can largely be undone by unmixing software, subject to the obfuscation processes and technology available. In any event, it must be remembered that the focus here is not on the who, but on the assets themselves, their movement and their whereabouts.

As in the examples given above, organised criminal gangs (OCGs) use crypto-assets to extract funds from victims, then convert them into fiat money as part of the laundering process. They utilise cryptocurrency exchanges, which convert those gains into local currencies at the demand of their money mule customers. Investigators can see that the funds moved from the threat actor’s address to several other addresses and landed at an exchange. The exchange is then put on notice that it holds the proceeds of crime, and requests are made about its customers’ identities, usually provided subject to a Court Order.
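The tracing step described above, as an added illustration that is not part of the original article and not any vendor’s analytics tooling: a simplified follow-the-money walk over a constructed ledger, from the victim’s payment, through intermediate addresses, until the funds land at an address attributed to an exchange that can then be put on notice. Addresses, transaction identifiers and the exchange attribution are all constructed.

```python
# Added example: simplified follow-the-money trace over a constructed ledger.
# Real analysts work over full chain data with taint heuristics and clustering;
# this only follows transaction paths and flags where the funds come to rest.
from collections import deque

# Constructed transfers: (txid, sender, receiver, amount, block height)
LEDGER = [
    ("tx01", "victim_wallet", "d1_addr", 500_000, 100),     # victim pays D1
    ("tx02", "d1_addr", "hop_a", 300_000, 101),
    ("tx03", "d1_addr", "hop_b", 200_000, 101),
    ("tx04", "hop_a", "exchange_x_deposit", 300_000, 103),  # lands at exchange X
    ("tx05", "hop_b", "hop_c", 200_000, 104),
    ("tx06", "hop_c", "exchange_y_deposit", 150_000, 106),  # lands at exchange Y
    ("tx07", "hop_c", "hop_d", 50_000, 106),                # remainder still private
    ("tx08", "hop_a", "old_payee", 1_000, 90),              # pre-dates tainted inflow
]

# Constructed attribution of deposit addresses to exchanges (in practice from
# analytics clustering, confirmed by the exchange itself).
EXCHANGE_ADDRESSES = {"exchange_x_deposit": "Exchange X",
                      "exchange_y_deposit": "Exchange Y"}


def trace_to_exchanges(ledger, victim_txid, exchange_addresses):
    """Follow funds from the victim's payment until they reach an exchange.
    Returns (landed, private): landed is a list of
    (exchange, deposit address, txid path, amount); private lists addresses where
    funds are still sitting. Only outflows at or after the block in which an
    address received the tainted funds are followed, so older history is ignored."""
    by_txid = {t[0]: t for t in ledger}
    _, _, d1_addr, _, start_height = by_txid[victim_txid]
    queue = deque([(d1_addr, start_height, [victim_txid])])
    seen = {(d1_addr, start_height)}
    landed, private = [], []
    while queue:
        addr, height, path = queue.popleft()
        outflows = [t for t in ledger if t[1] == addr and t[4] >= height]
        if not outflows:
            private.append((addr, path))  # candidate for issuer blacklisting
            continue
        for txid, _, receiver, amount, h in outflows:
            new_path = path + [txid]
            if receiver in exchange_addresses:
                landed.append((exchange_addresses[receiver], receiver, new_path, amount))
            elif (receiver, h) not in seen:
                seen.add((receiver, h))
                queue.append((receiver, h, new_path))
    return landed, private


def notice_targets(landed):
    """Total traced amount per exchange, i.e. who to put on notice and for how much."""
    totals = {}
    for exchange, _, _, amount in landed:
        totals[exchange] = totals.get(exchange, 0) + amount
    return totals
```

Running `trace_to_exchanges(LEDGER, "tx01", EXCHANGE_ADDRESSES)` shows the two exchange deposits with their full transaction paths, while `hop_d` is reported as a private address still holding part of the funds.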

Helpful Ghosts

Importantly, substantive claims and injunctive relief (orders to freeze assets) can be obtained against a hypothetical category called Persons Unknown (PU). In doing so, we can use ghosts to our advantage. In this instance, there are usually two: the PU who committed the act, being the threat actor (D1), and the PU who received the proceeds of the misappropriated funds, being the customer of the exchange (D2). D2 is the target, and exchanges can provide identifying data taken during the onboarding process (anti-money laundering and counter-terrorism financing checks), including passport information and email addresses. Even questionable information (I have seen 123[expletive]@protonmail.com) is useful. Vitally, this identifying data allows D2 to be served with the claim and kick-starts the formal process.

Role Of Crypto Exchanges

Despite mixed reputations, crypto-exchanges are often open to helping victims of fraud, namely because it builds sector confidence, improves their reputation and avoids time-consuming and costly legal proceedings. However, there are instances where exchanges are registered offshore, claim to be decentralised, or simply fail to reply to requests. Debate continues on whether crypto exchanges owe a duty to consumers where they are on notice of fraud and still allow a withdrawal; a formal duty may mitigate risks in the future and compel exchanges to act. In any event, market pressures ensure customers, including OCGs, are attracted to the reliability, ease and stability of trusted exchanges.

Service and Recovery

Once the individual has been identified, they must then be served with legal documents, and victims can rely on the crypto-exchange’s disclosure: email and physical addresses. However, in certain instances exchanges fail to onboard customers properly and no data is available. Here, parties can still be served documents via non-fungible tokens (NFTs), a process ratified by the Courts that utilises blockchain technology. In addition, information gathered via intelligence agencies, data published on the dark web following a hack, or proprietary software to identify individuals can assist, starting with very few breadcrumbs. Investigators are also able to review open-source intelligence and social media sites, establish who is behind websites, and gather clues via geolocation of account access.

In most cases, D1 and D2 do not respond, given bad actors’ resistance to open Court procedures. This usually results in an on-paper win for victims.

Next is getting the funds back. Where there are funds at the exchange, Court-sanctioned processes allow for the repatriation of those funds, whether in crypto or fiat currency. In the event the exact funds are not in the account, victims are often entitled to compensation on a restitutionary basis. There is usually a clear link between D1 and D2, so any funds associated with either are fair game. Intelligence plays a key role in identifying potential assets: firms like GreyList utilise big data to determine whether email addresses are registered at banks or exchanges, so more funds can be located.

Centralised Token Issuers

Importantly, in instances where there is a centralised token issuer (Tether, for example), there are alternative processes. If the funds have not reached a crypto-exchange and are instead sitting in a private address, blacklisting the address with the token issuer’s assistance can freeze the assets by preventing withdrawals.

For example, in November last year US authorities worked with Tether and the exchange OKX, resulting in a freeze of $225m of assets linked to a human trafficking syndicate in South East Asia. Further, Grant Thornton’s Independent Audit Report[3] of Circle Internet Financial, Inc., the issuer of USD Coin (another stable coin), notes the “ability to blacklist addresses”, stopping private wallets from transacting altogether.

These processes are available via civil routes too, usually with help from law enforcement. Through these methods, including a token burn and remint, victims can be made whole again.

Moving Forward

Quiet stoicism keeps the industry at a plateau and all instances of fraud should be reported to law enforcement. Of course, more should be done to discourage bad actors and prevent frauds altogether, but by sharing stories we can educate other potential victims and break the fraud cycle. The Law Commission has also recommended that the direction of travel should be driven by case law, so the more trodden the path, the more precedents set for recovering crypto-assets.

While the recovery of crypto-assets can often feel like chasing ghosts, in many instances those ghosts are incredibly helpful – casting a wide net to allow exchanges and token issuers to be the force for good in helping recoveries.