Blockchain Analysis

How the IRS seized $10B worth of crypto using blockchain analytics

A public-private partnership with blockchain analytics firm Chainalysis has played a key role in helping the Internal Revenue Service solve cryptocurrency-related crimes.

Blockchain analysis has been key in helping the United States Internal Revenue Service (IRS) seize an estimated $10 billion worth of cryptocurrency since it began investigating a broad body of crimes involving digital assets.

This was a key point raised by IRS Criminal Investigations (IRS-CI) Chief Jim Lee in a wide-ranging, exclusive interview with Cointelegraph in Amsterdam. Lee was among a variety of delegates from public and private institutions sharing knowledge and insights at blockchain analytics firm Chainalysis’ Links conference held in the Netherlands.

Lee, along with a cohort from the IRS-CI, gave an inside look at how the enforcement agency has tackled the use of cryptocurrency and digital assets in a wide variety of financial crimes that fall under its purview.

Hacks of prominent exchanges, Decentralized Finance protocols and cross-chain bridges have seen a spike in stolen funds over the past two years. Source: Chainalysis 2023 Crypto Crime Report

Chief Lee has served as a special agent with the IRS for 28 years and has been at the helm of the unit since 2020. In the years leading up to his tenure, the IRS-CI has found an increasing number of criminal investigations involving digital assets, in varying degrees, landing on the desks of its agents.


The IRS’ relationship with the cryptocurrency space began in earnest in the early 2010s as Bitcoin (BTC) began to proliferate its way into the monetary system as an alternative, decentralized means of holding and transferring value.

As Lee explained, the IRS’ efforts to build infrastructure to combat identity theft around 2011 preempted its effort to begin investigating crimes involving digital money:

“When cryptocurrency came into the picture, we were already thinking about digital crimes and money trails using Web2.”

However, the organization’s ability to understand, investigate and eventually prosecute and seize cryptocurrencies and digital assets became dependent on tools developed by private institutions.

The IRS-CI is one of hundreds of law enforcement and government agencies that make use of a specific suite of blockchain analysis tools that have been developed by Chainalysis. The company was established in 2014 and has become a lynchpin for blockchain-based investigations around the world over the past decade.

Data from Chainalysis' 2023 Crypto Crime report highlights the increase in the value of money laundering through cryptocurrencies over the past seven years. Source: Chainalysis 2023 Crypto Crime Report

For the IRS, the partnership with Chainalysis has become invaluable, with Lee stressing that his unit’s efforts to investigate crypto-related crimes would be near ‘impossible’ without the infrastructure and tools it now has access to. The public-private partnership with Chainalysis hinges on investing in technology that can help trace crypto and manipulate data from public blockchains to darknet marketplaces.

“Think about all the data that I have working for the IRS. It may not be the most, but it's the richest. Now I can take all this other data we have and then match it up against the records that I have. I mean, it's just incredibly powerful, but it takes time, energy and money.”

Even with the tools at its disposal, Lee admits that investigating crimes involving digital assets is a difficult undertaking. Investing in people, data and technology has been key in its efforts to combat crypto-related crime:

“When we're talking about the crypto space, the way I look at it is data and technology combined. It takes significant investment because you can't just get those results. You can't just seize $10 billion in value.”

While the market value of seized cryptocurrency in the IRS’ vaults has dropped from an estimated $10 billion at seizure, the institution still has to figure out how to safely hold billions of dollars of digital assets.

It’s a complex issue for the IRS-CI Chief, who highlights simple considerations for cryptocurrency custody that become increasingly stressful when dealing with huge sums of digitized value:

“Where do I store it? On chain or off chain? Do I keep it in my office? Do I lock up the seed phrases elsewhere? We're talking about a lot of money.”

The IRS-CI investigations have been fruitful, with the department frequently becoming the largest contributor to the U.S. Treasury asset forfeiture fund in recent years. The seizure of $3.6 billion involved in the 2016 Bitfinex hack is a prime example of the efforts of Lee’s unit to track down stolen funds.


Another key part of the IRS CI’s mandate is sharing knowledge and skills to use tools like Chainalysis Reactor with local and international crime enforcement, which is chiefly aimed at powering financial crime investigations.

Part of Lee’s visit to Europe in May 2023 was to facilitate the training of over 60 different Ukrainian officials from a variety of law enforcement agencies. IRS-CI also donated Chainalysis Reactor licenses to Ukrainian law enforcement, which will help facilitate blockchain and cryptocurrency tracing amid the ongoing Russian-Ukrainian conflict.


Bitcoin spot ETFs expected to debut on Australian top exchange’s main board this year: Bloomberg

Crystal Blockchain Study Reveals $16.7 Billion in Crypto Assets Stolen Since 2011

Crystal Blockchain, a company that provides blockchain data and analytics, published a study covering security breaches, fraud, and scams related to cryptocurrency and decentralized finance (defi). According to the study, approximately $16.7 billion in crypto assets have been stolen since 2011. Last year, Crystal’s intelligence team documented 199 incidents resulting in the theft of $4.17 […]


Crypto Exchanges Allow Russians to Circumvent Sanctions, Report Alleges

Major crypto exchanges have failed to prevent sanctioned Russian banks and traders from transacting, according to a blockchain forensics report. At least two established coin trading platforms continue to allow Russians to use their bank cards in peer-to-peer deals, the analysis shows. It also highlights an increased Russian interest in tether. Russian Traders Still Using […]


Ransomware Revenue Drops as Victims Pay Less Often, Chainalysis Reports

While the number of ransomware hits may not have decreased significantly, the revenue from such attacks fell sharply last year, according to Chainalysis. The blockchain forensics firm believes that to a large extent the trend can be attributed to more of the targeted organizations refusing to pay the perpetrators. Chainalysis Registers Significant Decline in […]


FTX hires forensics team to find lost customers’ billions: Report

Lawyers have claimed FTX assets are either stolen or missing and now a team of financial forensic experts is attempting to trace the money trail.

The new management for bankrupt crypto exchange FTX has reportedly hired a team of financial forensic investigators to track down the billions of dollars worth of missing customer crypto.

Financial advisory company AlixPartners was chosen for the task and is led by former Securities and Exchange Commission (SEC) chief accountant, Matt Jacques, according to a Dec. 7 report from the Wall Street Journal.

It is understood that the forensics firm will be tasked with conducting “asset-tracing” to identify and recover the missing digital assets and will complement the restructuring work being undertaken by FTX.

On Nov. 11 hackers drained wallets owned by FTX and FTX.US of over $450 million worth of assets.

Former CEO Sam Bankman-Fried claimed in an interview recorded on Nov. 16 with crypto blogger Tiffany Fong that he was close to finding who the hacker was and that he had “narrowed it down to eight people” believing it was “either an ex-employee or somewhere someone installed malware on an ex-employee’s computer.”

On Nov. 22, a lawyer representing FTX debtors stated that “a substantial amount of assets have either been stolen or are missing” from FTX, and revealed at the time that blockchain analytics firms such as Chainalysis had been enlisted to help as part of the proceedings.

The stolen funds from FTX have since been on the move through various crypto mixers and exchanges to launder the funds.

The hacker transferred their Ether (ETH) holdings on Nov. 20 to a new wallet address and swapped some of the ETH for an ERC-20 version of Bitcoin (BTC), afterward bridging the funds to the BTC Network.

They then used a laundering technique called peel chaining, which subdivides the holdings into increasingly smaller amounts across multiple wallets, and sent the BTC through a crypto mixer and then to the OKX exchange on Nov. 29.

The hacker also attempted more peel chaining by splitting 180,000 ETH across 12 newly created wallets on Nov. 21.
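A tracing heuristic for the peel-chain pattern described above, as an added example that is not from the article or from any analytics vendor's tooling. It models the Bitcoin form of the pattern with one funding address per transaction; the ledger, the addresses, the `trace_peel_chain` name and the 20% / three-hop thresholds are all constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Tx:
    txid: str
    sender: str        # simplification: one funding address per transaction
    outputs: tuple     # ((address, amount_in_satoshi), ...)

# Constructed sample ledger; every address and amount is invented.
SAMPLE_TXS = [
    Tx("t1", "A0", (("A1", 9500), ("dep1", 500))),
    Tx("t2", "A1", (("dep2", 400), ("A2", 9100))),
    Tx("t3", "A2", (("A3", 8650), ("dep3", 450))),
    Tx("t4", "A3", (("svc", 8650),)),               # single output: chain ends
    Tx("t5", "X0", (("X1", 1000), ("X2", 1000))),   # even split, not a peel
]

def trace_peel_chain(txs, start, max_peel_ratio=0.2, min_hops=3):
    """Follow the large 'remainder' output hop by hop and record each peel."""
    by_sender = {}
    for tx in txs:
        by_sender.setdefault(tx.sender, []).append(tx)

    hops, seen, current = [], {start}, start
    while True:
        spends = by_sender.get(current, [])
        # A peel hop spends the address once, into exactly two outputs.
        if len(spends) != 1 or len(spends[0].outputs) != 2:
            break
        tx = spends[0]
        (peel_addr, peel), (rest_addr, rest) = sorted(tx.outputs, key=lambda o: o[1])
        # The peel must be a small share, and the remainder must move to a fresh address.
        if peel / (peel + rest) > max_peel_ratio or rest_addr in seen:
            break
        hops.append({"txid": tx.txid, "peel_to": peel_addr,
                     "peel": peel, "remainder_to": rest_addr})
        seen.add(rest_addr)
        current = rest_addr

    return {
        "is_peel_chain": len(hops) >= min_hops,
        "hops": hops,
        "peeled_total": sum(h["peel"] for h in hops),
        "chain_end": current,
    }

if __name__ == "__main__":
    report = trace_peel_chain(SAMPLE_TXS, "A0")
    for hop in report["hops"]:
        print(hop)
    print(report["is_peel_chain"], report["peeled_total"], report["chain_end"])
```

The `peel_to` addresses are the ones an investigator would check against known exchange or service deposit addresses, and `chain_end` is where the remaining balance stopped following the pattern.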


Former CEO Sam Bankman-Fried has also previously claimed to have “unknowingly commingled” customer funds at FTX and its sister trading firm Alameda Research, with customer funds at FTX loaned to Alameda.

FTX’s new CEO and chief restructuring officer, John Ray III, was scathing in his initial bankruptcy filing, saying that “never” in his 40-year career had he “seen such a complete failure of corporate controls.”

He claimed Bankman-Fried and his closest colleagues are “potentially compromised” and used “software to conceal the misuse of customer funds.”


OSCE Trains Uzbekistan Law Enforcement to Track and Seize Crypto, Search Dark Web

The Organization for Security and Co-operation in Europe (OSCE) has set out to teach law enforcement officers in Uzbekistan how to conduct crypto and dark web investigations. The regional body recently organized a training course for employees of the country’s security agencies in Tashkent. Uzbekistan Police and Security Agents Attend OSCE Course on Cryptocurrencies Representatives […]


Taliban had a ‘massive chilling effect’ on Afghan crypto market: Report

Crypto value received in Afghanistan surged in the wake of the Taliban seizing power in August 2021, but crypto markets have flat lined under the regime.

The Taliban’s takeover of Afghanistan has had a “massive chilling effect” on the local cryptocurrency market, bringing it to an effective “standstill,” according to a recent report.

Blockchain analytics firm Chainalysis stated in an Oct. 5 report that the Middle East and North Africa (MENA) region saw the largest crypto market growth in 2022 but noted that Afghan crypto dealers had three options: “flee the country, cease operations, or risk arrest.”

The report states that after the Taliban seized power in August 2021, crypto value received in August and September that year spiked to a peak of over $150 million, then fell sharply the following month.

Before the takeover, Afghan citizens would on average receive $68 million per month in crypto value, mainly used for remittances. That figure has now dropped to less than $80,000 post takeover.

Graph from Chainalysis 2022 Geography of Cryptocurrency Report. Source: Chainalysis

Afghanistan was in 20th place in Chainalysis’ 2021 crypto adoption index released in October 2021, but is now at the bottom of the list following the Taliban takeover.

The reinstated Ministry for the Propagation of Virtue and the Prevention of Vice, which is in charge of implementing Islamic law in the country, is the reason for the change. Chainalysis explains that the agency equated cryptocurrency to gambling, declaring it haram — forbidden under Islamic law.


A large portion of the activity still undertaken in the country comes from money laundering from illicit sources such as bribes or drugs, according to an anonymous source cited by Chainalysis.

The individual added only a “small portion” is “young people who have a few hundred bucks” to day-trade digital assets.


64% of staked ETH controlled by five entities — Nansen

New report by Nansen delves into the distribution of staked ETH, respective holders and possible ramifications as The Merge looms.

A report from blockchain analytics platform Nansen highlights five entities that hold 64% of staked Ether (ETH) ahead of Ethereum’s highly anticipated Merge with the Beacon chain.

Ethereum’s shift from proof-of-work to proof-of-stake is set to take place in the coming days after final updates and shadow forks were completed in early September. The key component of The Merge sees miners no longer used as validators, replaced by stakers that commit ETH to maintain the network.

Nansen’s report highlights that just over 11% of the total circulating ETH is staked, with 65% liquid and 35% illiquid. There are a total of 426,000 validators and some 80,000 depositors, while the report also highlights a small group of entities that command a significant portion of staked ETH.

Three major cryptocurrency exchanges account for nearly 30% of staked ETH, namely Coinbase, Kraken and Binance. Lido DAO, the biggest Merge staking provider, accounts for the largest amount of staked ETH with a 31% share, while a fifth unlabelled group of validators holds 23% of staked ETH.

Lido and other decentralized on-chain liquid staking protocols were initially set up as a counter-risk to centralized exchanges accumulating the majority of staked ETH, given that these firms are required to comply with jurisdictional regulations.


Nansen’s report stresses the need for Lido to be sufficiently decentralized in order to remain censorship resistant. Onchain data shows that ownership of Lido’s governance token (LDO) is concentrated, with groups of large token holders potentially carrying censorship risk.

“For example, the top 9 addresses (excl. treasury) hold ~46% of governance power, and a small number of addresses typically dominate proposals. The stakes for proper decentralization are very high for an entity with a potential majority share of staked ETH.”

Nansen also concedes that the Lido community is actively seeking solutions to the potential risk of over-centralization, with proposed initiatives including dual governance as well as a legally and physically distributed validator set.

Given the ongoing slump in cryptocurrency markets, the majority of staked ETH is currently out of profit, down by ~71%. Meanwhile, 18% of all staked ETH is held by illiquid stakers that are in profit.

Nansen suggests that this category of stakers is the most likely to sell their ETH once withdrawals are enabled at the Shanghai upgrade. Fears of a major sell-off at The Merge are unwarranted, though, as ETH withdrawals will only be possible six to 12 months after The Merge.

“Even then, not everyone can withdraw their stake at once as there is an exit queue in place for validators similar to the activation queue of around six validators (usually 32 ETH each) per epoch (~6.4 min).”

Nansen notes that if all validators withdrew their staked ETH and stopped being validators, this would take around 300 days with over 13 million ETH staked.

The blockchain and analytics platform announced the launch of a new research and education arm alongside its Merge report, aimed at marrying its on-chain data analytics with masterclasses and research papers. Nansen Research Portal will also publish industry-expert research reports from various partners in the blockchain and cryptocurrency industry.


Curve Finance exploit: Experts dissect what went wrong

Attackers who hijacked Curve Finance’s landing page moved quickly to convert stolen funds to various tokens through different exchanges, wallets and mixers.

Decentralized finance protocols continue to be targeted by hackers, with Curve Finance becoming the latest platform to be compromised after a domain name system (DNS) hijacking incident.

The automated market maker warned users not to use the front end of its website on Tuesday after the incident was flagged online by a number of members of the wider cryptocurrency community.

While the exact attack mechanism is still under investigation, the consensus is that attackers managed to clone the Curve Finance website and rerouted the DNS server to the fake page. Users who attempted to make use of the platform then had their funds drained to a pool operated by the attackers.

Curve Finance managed to remedy the situation in a timely fashion, but attackers still managed to siphon what was originally estimated to be $537,000 worth of USD Coin (USDC) in the time it took to revert the hijacked domain. The platform believes its DNS server provider Iwantmyname was hacked, which allowed the subsequent events to unfold.

Cointelegraph reached out to blockchain analytics firm Elliptic to dissect how attackers managed to dupe unsuspecting Curve users. The team confirmed that a hacker had compromised Curve’s DNS, which led to malicious transactions being signed.


Elliptic estimates that 605,000 USDC and 6,500 Dai were stolen before Curve found and reverted the vulnerability. Utilizing its blockchain analytics tools, Elliptic then traced the stolen funds to a number of different exchanges, wallets and mixers.

The stolen funds were immediately converted to Ether (ETH) to avoid a potential USDC freeze, amounting to 363 ETH worth $615,000.

Interestingly, 27.7 ETH was laundered through Tornado Cash, which is now sanctioned by the United States Office of Foreign Assets Control. 292 ETH was sent to the FixedFloat exchange and coin swap service. The platform managed to freeze 112 ETH and confirmed the movement of funds, according to an Elliptic spokesperson:

“We have been in contact with the exchange, which confirmed a further three addresses that the hacker withdrew funds into from the exchange (these were completed orders that FixedFloat were not able to freeze in time). These include 1 BTC address, 1 BSC Address and 1 LTC address.”

Elliptic is now monitoring these flagged addresses in addition to the original Ethereum-based addresses. A further 20 ETH was sent to a Binance hot wallet, and another 23 ETH was moved to an unknown exchange hot wallet.

Elliptic also cautioned the wider ecosystem of further incidents of this nature after identifying a listing on a darknet forum claiming to sell “fake landing pages” for hackers of compromised websites.

It is unclear whether this listing, which was discovered just a day before the Curve Finance DNS hijacking incident, was directly related, but Elliptic noted it highlights the methodologies used in these types of hacks.


Onchain Analysis Report Says Terra’s Bitcoin Reserves Were Sent to Binance and Gemini

After the collapse of Terra’s once-stable coin terrausd (UST), a number of people wondered where the Luna Foundation Guard’s (LFG) bitcoin went, as the funds were supposed to be used to defend the UST’s $1 parity. On Friday, the blockchain intelligence and analytics firm, Elliptic, published a blog post that summarizes where the bitcoin was […]
