Skopenow Resource Center / Post

July 29, 2022

Cryptocurrency and NFT OSINT Investigations Tips & Techniques

In the absence of effective regulation, the criminal use of cryptocurrency is accelerating. Whilst the scale of the criminal use of cryptocurrencies is difficult to determine, it was estimated to be roughly $14 billion worth of transactions in 2021. $14 billion represents only a small share of the overall cryptocurrency market, however, this figure demonstrates a significant utilization of digital currency to support criminality.

Criminals utilize cryptocurrencies to launder profits from virtually every existing crime type. Law Enforcement Agencies have identified criminals using cryptocurrencies to launder existing digital funds and funds held in fiat currencies. Criminals are also increasingly utilizing cryptocurrencies for human and drug trafficking. Large-scale money laundering networks also offer their services to less technically able criminal actors.

Criminals utilize cryptocurrencies because unlike fiat currencies and online banking, digital coins offer decentralization, pseudo-anonymity, and transparency. Cryptocurrencies are decentralized because their administration takes place via a peer-to-peer network rather than through any single institution. Cryptocurrencies enable coin holders to remain pseudo-anonymous because they utilize hashes of public keys to identify users rather than usernames or account numbers, separating coins from the real-world identities of their owners. Cryptocurrencies also offer transparency because all transactions are recorded on the publicly available blockchain, meaning criminals can conduct due diligence.

In this article, we’ll outline some of the tools that investigators can use to investigate activity conducted within the blockchain, showing you how to get the most value from your Cryptocurrency OSINT investigations.

This is an introduction to Cryptocurrency and NFT OSINT Investigations. To view the full webinar, click here. To download the guide, which includes advanced techniques and analysis, click here.

 

Fundamental Concepts

  • Exchanges - A cryptocurrency exchange is a platform that enables customers to trade cryptocurrencies for other assets, such as conventional fiat money or other digital currencies. Cryptocurrency exchanges may accept credit card payments, wire transfers, or other forms of payment in exchange for cryptocurrencies.
  • Regulations - Cryptocurrency exchanges are legal in the United States and fall under the regulatory scope of the Bank Secrecy Act (BSA). In practice, this means that cryptocurrency exchange service providers must register with FinCEN, implement an AML/CFT program, maintain appropriate records, and submit reports to the authorities. Similarly, cryptocurrency exchanges have registration requirements in the UK. All UK cryptocurrency asset firms that have a presence or market product in the UK, or that provide services to UK resident clients, have to register with the Financial Conduct Authority (FCA).
  • Cryptocurrency Types & Addressing

Cryptocurrencies come in many forms. Some of the popular cryptocurrencies include: Bitcoin, Ethereum, XRP, Tether, Cardano, Polkadot, Stellar, Dogecoin, and Chainlink.

Cryptocurrency addresses are derived from private keys and are a string of alphanumeric characters. Cryptocurrency wallet addresses are publicly available and the type of address can be determined by the starting characters.

  • Legacy Addresses (P2PKH) start with the number 1, i.e.: 15e15hWo6CShMgbAfo8c2Ykj4C6BLq6Not.
  • Pay to Script Hash (P2SH) addresses that start with the number 3, i.e.: 35PBEaofpUeH8VnnNSorM1QZsadrZoQp4N.
  • Native SegWit (P2WPKH) addresses that start with bc1q, i.e.: bc1q42lja79elem0anu8q8s3h2n687re9jax556pcc.
  • Taproot (P2TR) addresses start with bc1p, i.e.: bc1pmzfrwwndsqmk5yh69yjr5lfgfg4ev8c0tsc06e.

 

Locating Cryptocurrency Content

Each Blockchain wallet has a unique wallet ID,  a string of random letters and numbers that acts as a username. Similarly, each transaction has a unique ID, also known as a “hash”, a string of numbers and letters that identifies a specific transaction.

Investigators can attempt to follow criminal use of cryptocurrencies through wallet explorers, which provide real-time transaction details for cryptocurrency wallets. Investigators can use these platforms to search for wallet and transaction IDs like  12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw to identify publicly available details.

 

Blockchain -  https://www.blockchain.com/explorer

Blockchain.com enables users to look up a bitcoin wallet address and see all of the past financial transactions linked to it, in addition to how much currency it currently holds. Blockchain lists every transaction, each time the bitcoin address sent or received money, the date of transactions, the amount of money transferred, and the bitcoin wallet addresses that were involved in the transaction.

To use Blockchain, head to https://www.blockchain.com/explorer.

Enter a transaction or wallet ID into the search bar and hit the ‘Search’ button. Results may include a BTC, Bitcoin, and a BCH, Bitcoin Cash. Click on a result to see the relevant transaction information.

At the top of the results, you will see a general overview, showing a QR code, transaction statistics, and the total value of a wallet. 

Bear in mind that Bitcoin has “exchanges”, where people buy and sell bitcoins. If you find a bitcoin address that has conducted hundreds of thousands of transactions, it is probably owned by an exchange, not a person.

Beneath the wallet information is a table of contained transactions, which provides a range of information.

A small amount of bitcoin during any transaction will go to a fee, seen in the Fee section.

The remainder of the bitcoin will go to the intended wallet, the address ID shown on the right of the corresponding green arrow. 

Beneath the fee information is a transaction ID, a Hash.

The number to the write of the wallet address is the amount received after the fee. 

In the top right corner is the date and time of the transaction. 

To follow the money after the transaction, click on the green address to see what happened with the money next, or click on the orange address to try to find where the money came from.

 

Bitcoin Who's Who - https://www.bitcoinwhoswho.com/ 

In addition to block explorers and crypto transaction search engines, other tools enable investigators to attempt to identify cryptocurrency holders, their associates, and the financial histories of everyone involved. Bitcoin Who's Who can provide insights into address owners and if addresses were linked to any known scams. 

Bitcoin Who's Who has an extensive directory of addresses reported as being involved in a scam, in addition to information posted by individuals about a given address, such as an associated social media account. Bitcoin Who's Who also includes listings of cryptocurrency addresses referenced on social media.

To use Bitcoin Who's Who, enter an ID, username, or keyword, into the search bar and hit enter.

At the top of the results, a scam alert may appear in red, if the address has previously been linked to a scam. Results will include the number of website appearances and transaction details.

Below the basic transaction details, investigators can find a Scam Alert section, which lists the scams reported by users as linked to the searched address.

Below Scam Alert is a Public Sightings section, which includes mentions of the searched address across the internet, including Reddit, Twitter, and general web pages.

Below Public Sightings, is a Transaction History section, which lists all known crypto transactions linked to the address.

 

Locating NFT Content

Non-fungible tokens, also known as NFTs, are assets first launched in 2014 that only exist digitally, and can include digital artwork, in-game items and avatars, digital and non-digital collectibles, domain names, and event tickets.

NFTs have been linked to crimes including pump and dump schemes (illegally boosting the value of an asset, before selling whilst prices remain high), money laundering, rug pulls (where developers obtain funds for a project before vanishing), and tax evasion, and have already been seized by governments as assets.

 

Open Sea - https://opensea.io/

Open Sea is the world's largest web3 marketplace for NFTs and crypto collectibles. Investigators can leverage Open Sea to find NFTs and view their related transaction history.

To use Open Sea, enter a search term, including Items, collections, or account names, into the search bar and hit enter.

Results will populate within a new page, with collections appearing at the top. Investigators can leverage filters on the left-hand of the page to narrow results.

Clicking on a Collection result will take investigators to the NFTs listed in that collection.

Clicking on a specific NFT will show the current and historic valuation and transaction history for that NFT, often including the name of the buyer.

 

Automating your Cryptocurrency and NFT OSINT Investigations

Using a tool like Skopenow, you can automate OSINT research when conducting research into cryptocurrencies and their related transactions. Skopenow instantly and anonymously locates and archives wedding registry pages, social media accounts and posts, plots location history, flags actionable behaviors, and reveals hidden connections between individuals. Skopenow’s automatic report builder will save you time organizing the analyzed intelligence into a court-ready report. Please reach out to sales@skopenow.com or visit www.skopenow.com/demo to schedule a demo and activate a 7-day free trial for qualified businesses.

 

This is an introduction to Cryptocurrency and NFT OSINT Investigations. To view the full webinar, click here. To download the guide, which includes advanced techniques and analysis, click here.

Unlock the Power of Skopenow

See for yourself how Skopenow can modernize your investigations.
To get started, request a demo and an expert will get in touch with you shortly.

Book a Demo