Is virtual currency trading really anonymous? How does the police track the flow of funds and identify suspects?

PANews

“This project was indeed organized and planned by me. I want to know how you found the mastermind behind it. As I understand it, you shouldn't be able to find me. What are you relying on?”

The above is a detail disclosed by the Xinxian Public Security Bureau in handling the “12.04” virtual currency pyramid scheme case, where the suspect, Zhang, expressed confusion during the interrogation about how the police managed to track him down.

Lawyer Shao, who frequently handles criminal cases related to organized crime and virtual currency, often encounters similar questions from clients. For example, they might ask, “Lawyer Shao, at the time of this incident, I was abroad, and my uplink was also abroad. We usually communicated via TG (Telegram), which is self-destructing. Isn't virtual currency trading anonymous? How could the police catch me?”

So today, let's discuss how, in criminal cases involving virtual currency, the police track the transaction process of virtual currencies and identify the suspects.

Author of this article: Lawyer Shao Shiwei

1

Virtual Currency Trading: Is It Really Anonymous?

Virtual currency, as an application of blockchain technology, has advantages such as decentralization, privacy protection, reduced transaction costs, and high returns. However, due to its degree of anonymity, it is often exploited by criminals for money laundering and other illicit activities.

But virtual currency is not completely anonymous, as the transaction process is public on the blockchain; only the addresses are not directly linked to identities. Additionally, since virtual currency exchanges must comply with Know Your Customer (KYC) and Anti-Money Laundering (AML) regulations, law enforcement agencies find it easier to track transactions on the blockchain.

Because there is a public, immutable ledger behind virtual currency, the collection of evidence for virtual currency transactions is actually very friendly for law enforcement.

2

How do law enforcement agencies track the flow of coins and identify suspects?

In earlier years, law enforcement agencies lacked understanding of cases involving virtual currencies, and the number of cases filed for investigation was low, leaving many victims without recourse.

However, as investigative units deepen their understanding of virtual currencies, their ability to track the flow of virtual currencies through on-chain data analysis and interpretation has also been continuously strengthened. Here are a few common methods:

1. On-chain Address Association Analysis

By analyzing transaction graphs through blockchain explorers (such as Tronscan, OKLink), it is possible to identify common inputs and fund aggregation patterns between addresses. For example, if multiple addresses frequently transfer funds to the same target address, it can be inferred that the same entity controls them.

Based on Lawyer Shao's experience in handling cases involving virtual currencies, this analytical method is often used in pyramid scheme cases and illegal gambling cases.

In the aforementioned Liaocheng “12.04” virtual currency pyramid scheme case, the police discovered that the pyramid scheme platform generated multiple addresses through the TokenPocket wallet to aggregate funds, ultimately directing the funds to a main address and withdrawing through an exchange. By analyzing the transaction frequency and scale of these addresses, they identified the masterminds.

In several illegal gambling cases handled by Lawyer Shao, the process of profit settlement between the casino and payment personnel was also approached by identifying aggregation addresses to lock in the identities of those involved.
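
The aggregation pattern described in this section, worked through as an added example (not code from the article or from any police toolkit). The transfers, the addresses, the exchange label and the 0.9 / 3-feeder thresholds are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample transfers (sender, receiver, amount); every address is made up.
TRANSFERS = [
    ("victim1", "dep_A", 100), ("victim2", "dep_A", 50),
    ("victim3", "dep_B", 200), ("victim4", "dep_C", 80),
    ("dep_A", "main_X", 150), ("dep_B", "main_X", 200), ("dep_C", "main_X", 80),
    ("main_X", "exch_hot", 430),
    ("victim1", "shop_Z", 20), ("shop_Z", "supplier", 5),
]
KNOWN_EXCHANGES = {"exch_hot"}  # assumed labels, e.g. taken from explorer address tags


def sweep_edges(transfers, ratio=0.9):
    """Map each address to the one destination that receives >= ratio of its inflow."""
    inflow = defaultdict(float)
    outflow = defaultdict(lambda: defaultdict(float))
    for src, dst, amount in transfers:
        inflow[dst] += amount
        outflow[src][dst] += amount
    sweeps = {}
    for addr, dests in outflow.items():
        if inflow[addr] <= 0:
            continue  # pure sources (depositors) carry no forwarding signal
        dst, sent = max(dests.items(), key=lambda kv: kv[1])
        if sent / inflow[addr] >= ratio:
            sweeps[addr] = dst
    return sweeps


def aggregation_clusters(transfers, min_feeders=3, exchanges=KNOWN_EXCHANGES):
    """Group feeder addresses under the collector address they all sweep into."""
    feeders = defaultdict(set)
    for addr, dst in sweep_edges(transfers).items():
        if dst not in exchanges:  # an exchange wallet collects from unrelated users
            feeders[dst].add(addr)
    return {c: sorted(f) for c, f in feeders.items() if len(f) >= min_feeders}


def exchange_exits(transfers, collector, feeders, exchanges=KNOWN_EXCHANGES):
    """Transfers from the cluster into labelled exchange addresses (where KYC applies)."""
    members = {collector, *feeders}
    return [(s, d, a) for s, d, a in transfers if s in members and d in exchanges]
```

A cluster found this way is a lead, not proof of common control: payment processors and exchange deposit systems produce the same shape, which is why the labelled exchange addresses are excluded as collectors.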

2. Exchange KYC Verification

Currently, most mainstream virtual currency exchanges (such as Binance, OKX, Huobi) and digital wallet platforms (such as ImToken) publicly disclose their policies for cooperating with law enforcement on their official websites, along with dedicated channels for collaboration with domestic police.

Law enforcement personnel can send a request for assistance via email to the exchange, asking for the suspect's registration information, facial photos, financial information, deposit and withdrawal transactions, wallet addresses for various currencies, fiat transactions, cryptocurrency transactions, contract transactions, login IPs, MAC addresses, and other device information.

Additionally, exchanges will also freeze the virtual currency in the suspect's account at the request of law enforcement, with a freezing period of one year, but law enforcement can apply for an extension before the expiration.

3. Gas Fees and Transaction Hash Tracking

Every successful virtual currency transaction requires the payment of a gas fee (e.g., TRX / ETH). When tracing the wallet address where the suspect received illicit funds, investigators can trace the suspect's records of purchasing gas fees from the exchange. For example, if the police analyze the source of the gas fees for the involved addresses and find that they were purchased through a Binance account to pay the fees, they can identify the exchange account.

In virtual currency transactions, the transaction hash ensures the uniqueness and immutability of the transaction; each transaction generates a unique hash value. The transaction hash can reveal transaction details such as sender address, receiver address, transaction amount, and transaction fee.

Investigators can provide the gas fee transaction records and transaction hashes to the virtual currency exchange to obtain the suspect's KYC information (such as passport, ID card, email, phone number, etc.).
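
The gas-fee tracing step above, as an added example that is not part of the original article. The transaction records, hashes, addresses and the exchange wallet label are constructed, and TRX is assumed as the gas asset as in the article's TRX / ETH example.

```python
from collections import defaultdict, namedtuple

Tx = namedtuple("Tx", "tx_hash time sender receiver asset amount")

# Constructed sample records; all hashes and addresses are made up.
TXS = [
    Tx("h01", 100, "exch_withdraw", "addr_1", "TRX", 30),
    Tx("h02", 105, "exch_withdraw", "addr_2", "TRX", 30),
    Tx("h07", 150, "friend", "addr_3", "TRX", 10),
    Tx("h03", 200, "victim_a", "addr_1", "USDT", 5000),
    Tx("h04", 210, "victim_b", "addr_2", "USDT", 7000),
    Tx("h05", 300, "addr_1", "main", "USDT", 5000),
    Tx("h06", 310, "addr_2", "main", "USDT", 7000),
    Tx("h08", 400, "victim_c", "addr_3", "USDT", 100),
]
EXCHANGE_WALLETS = {"exch_withdraw"}  # assumed label for an exchange withdrawal wallet
GAS_ASSET = "TRX"


def gas_funders(txs, address):
    """Inbound gas-asset transfers to `address`, earliest first."""
    hits = [t for t in txs if t.receiver == address and t.asset == GAS_ASSET]
    return sorted(hits, key=lambda t: t.time)


def exchange_leads(txs, addresses):
    """Hashes of transactions in which a labelled exchange wallet paid an address's gas."""
    leads = {}
    for addr in addresses:
        hashes = [t.tx_hash for t in gas_funders(txs, addr) if t.sender in EXCHANGE_WALLETS]
        if hashes:
            leads[addr] = hashes  # these hashes go into the request sent to the exchange
    return leads


def shared_funders(txs, addresses):
    """Funders that supplied gas to more than one of the addresses under review."""
    by_funder = defaultdict(set)
    for addr in addresses:
        for t in gas_funders(txs, addr):
            by_funder[t.sender].add(addr)
    return {f: sorted(a) for f, a in by_funder.items() if len(a) > 1}
```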

4. Device Fingerprinting and IP Association

Investigators can associate the login IPs and device IDs (such as mobile IMEI, MAC address) from exchanges or wallets with the operational behaviors of multiple addresses to identify targets.

For instance, in the MIT hacker brothers case, the FBI analyzed the VPN logs and device fingerprints used by the suspects, discovering that they logged into the same exchange account multiple times, ultimately pinpointing their physical location[i].

5. Cross-chain Exchanges and Mixing Service Decryption

Many suspects believe that trading across chains or using mixers can better conceal their identities, but this is not the case.

Cross-chain Tracking: By tracking the transaction hashes through cross-chain bridges (e.g., Bitcoin → Ethereum), the path of fund transfers can be traced.

Mixing Analysis: On-chain fingerprinting techniques (such as transaction time and amount patterns) can identify the input and output addresses of mixers (e.g., Tornado Cash).

For example, when the U.S. Department of Justice recovered the Colonial Pipeline ransom, they analyzed the hacker's "chain laundering" path and ultimately intercepted the private key of a critical address ending with the characters “dh77gls”[ii].

6. International Cooperation and Stablecoin Freezing

For stablecoins like USDT, the police can request the issuer (e.g., Tether) to freeze the funds in the involved addresses. International cooperation can also be conducted.

For instance, in a cross-border online gambling case in Jingmen, Hubei, involving a flow of 400 billion, it was reported that “since the platform settled entirely in virtual currency, the police coordinated with the virtual currency issuing institution to freeze the relevant virtual currency accounts.”

Additionally, in the 55 million Ethereum theft case in Neijiang, Sichuan, it was reported that “to solve this case, Sichuan police conducted 14 international cooperations with Singapore, the United States, and the Netherlands, refining a set of techniques for analyzing blockchain addresses in practical operations, retrieving data from overseas virtual currency exchanges over 70 times, and tracing over 20,000 blockchain addresses”[iii].

7. Tracing Back from the Final Outflow

In most countries, the virtual currency held by suspects cannot be directly used for daily consumption, so there is always an outlet for illicit transactions, which is to exchange virtual currency for fiat currency. Those who help exchange for fiat currency become the breakthrough point for tracing upstream criminal identities.

8. Abnormal Transactions Triggering Risk Control

Many people's bank cards are frozen due to frequent rapid transactions triggering the bank's risk control system. The same principle applies in the Web3 world.

Generally, ordinary traders will keep their funds on the platform for buying and selling, rather than frequently engaging in high-volume rapid transactions. Therefore, in tracking coin flows, if an address shows rapid inflows and outflows of funds, it will be considered suspicious.
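
One way to express the rapid-inflow-and-outflow signal as a check, added here as an example and not taken from any exchange's or investigator's risk engine. The events, addresses, the 300-second window and the 0.8 threshold are constructed assumptions.

```python
from collections import deque

# Constructed sample events (time_in_seconds, sender, receiver, amount); addresses are made up.
EVENTS = [
    (0, "src1", "relay", 1000), (60, "relay", "next1", 990),
    (600, "src2", "relay", 2000), (650, "relay", "next2", 1990),
    (0, "src3", "trader", 1000), (432000, "trader", "cashout", 400),
]


def rapid_turnover(events, address, window=300):
    """Fraction of an address's inflow that left again within `window` seconds of arriving."""
    pending = deque()  # [arrival_time, unspent_amount], oldest first (FIFO matching)
    total_in = rapid = 0.0
    for t, src, dst, amount in sorted(events, key=lambda e: e[0]):
        if dst == address:
            pending.append([t, amount])
            total_in += amount
        elif src == address:
            left = amount
            while left > 0 and pending:
                arrived, unspent = pending[0]
                used = min(left, unspent)
                if t - arrived <= window:
                    rapid += used  # this part of the inflow barely rested here
                left -= used
                if used == unspent:
                    pending.popleft()
                else:
                    pending[0][1] = unspent - used
    return rapid / total_in if total_in else 0.0


def flag_suspicious(events, window=300, threshold=0.8):
    """Addresses whose rapid-turnover fraction meets the threshold."""
    receivers = {dst for _, _, dst, _ in events}
    return sorted(a for a in receivers if rapid_turnover(events, a, window) >= threshold)
```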

3

Conclusion

Criminals mistakenly believe that virtual currency trading is anonymous, so law enforcement cannot identify them; that virtual currency exchanges are all abroad, so domestic police will struggle to investigate and collect evidence; and that cross-chain transactions and mixers cannot be tracked. On that basis they engage in illicit transactions without restraint. However, this kind of wishful thinking will ultimately lead them into deeper trouble.

Some individuals, after being caught, discuss with me how regretful they are, but their regret is not about breaking the law; rather, they regret not designing the transaction chain to be more secretive.

In the face of such individuals, sometimes I don't know what to say, and can only respond with a sigh.


[i] $25 million cryptocurrency stolen in 12 seconds, MIT-educated hacker brothers arrested  http://note.f5.pm/go-240378.html 

[ii] U.S. Department of Justice intercepts 63.7 bitcoins extorted by hackers, Bitcoin drops over 10% in a single day | Interface News  https://m.jiemian.com/article/6209923.html

[iii] Sichuan Neijiang 55 million blockchain asset theft case solved! https://xinjiapo.news/news/215601/

Can frozen virtual currencies be enforced?

Deep investigation leads to the successful resolution of Xinxian Public Security Bureau's first major virtual currency pyramid scheme case in the city  https://mp.weixin.qq.com/s/KduRfmY5hk8r6xLO5t_epQ
