Forensics: How the blockchain convicts criminals

Through an analysis of the blockchain, the authorities hope to catch the thieves who relieved the crypto exchange Binance of 7000 bitcoin.

Aakash Molpariya
Aakash started in November 2018 as a writer at Revyuh.com. Since joining as a writer he has mainly been responsible for software, science, programming, system administration and the technology ecosystem, but because of his versatility he is used for everything possible. He writes about topics ranging from AI to hardware to games, stands in front of and behind the camera, creates creative product images and much more. He is a trained IT systems engineer and has studied computer science. By the way, he is enthusiastic about his own small projects in game development, hardware handicraft, digital art, gaming and music. Email: aakash (at) revyuh (dot) com

The admins of Wall Street Market had just grabbed the bitcoins of their criminal clientele and wanted to go underground when the police came around the corner. The investigators got on the trail of one of the three perpetrators essentially through intensive analysis of the bitcoin cash flows in the blockchain, even though the perpetrators had washed the bitcoins in a mixer.

The arrest of the admins of the world's second-largest darknet market in late April is not the first case in which the blockchain played a crucial role: the admin of the largest German darknet forum, "Germany in the Deep Web", was also unmasked because the investigators could follow the money through the blockchain. In the case of the forum admin Alexander, it was donations that he allegedly exchanged at a crypto exchange and had credited to his current account.

One of Wall Street Market's three admins betrayed himself by carelessness: instead of working via Tor, as is usual in the scene, Tibo L. and Jonathan K. simply used a VPN to log in to the darknet server. Tibo made the mistake of continuing to work after the VPN connection dropped, so the IP address of his own Internet connection became visible. Jonathan was revealed by a correlation analysis: the investigators found that K. established a connection to a particular VPN provider whenever the admin area of the market was accessed.

The crucial clue for convicting the third admin, Klaus-Martin F., was found in the blockchain by investigators of the US Postal Inspection Service. The BKA had already discovered beforehand that the admin of Wall Street Market used the same PGP key as a user of Hansa Market, which was seized last year. There, F. had given a bitcoin address for payouts. F. washed the bitcoins from this and other wallet addresses in a bitcoin mixer (more on that later), transferred them to a new wallet and paid for an order with them. But the money laundering was useless: the experts of the US Postal Inspection Service could still follow the payment. So the investigators only had to ask the payment service provider for the customer information behind the payment to unmask F. and then arrest him.

How complicated such investigations are only becomes clear when one remembers that the blockchain itself knows nothing of wallets. For the blockchain there are only discrete, unconnected addresses to which bitcoins have been transferred at some point in the past.

Formerly, a bitcoin wallet was a database that stored the public and private keys of its bitcoin addresses as needed. Often the same address was used permanently for several transactions. If the wallet with the keys was lost, there was no longer any way to get at its bitcoins.

Today, however, the term wallet is mostly used as a synonym for a hierarchical deterministic wallet (HD wallet): here a so-called seed, which can easily be written down as 12 or 24 words, serves as the basis for generating the first bitcoin address. For the keys of the next and all further bitcoin addresses, only a counter variable added to this base is incremented by one. So you only have to keep the seed and can regenerate the keys of all addresses at any time. An HD wallet is therefore usually the collection of the keys of all bitcoin addresses created from the same seed.

However, because a bitcoin address is a shortened hash of the key, outsiders cannot determine whether two bitcoin addresses were created from the same seed, that is, whether or not they belong to the same wallet. Anonymity is basically preserved. It is the cash flows with which the offender betrayed himself.

Ironically, whenever the perpetrators try to salvage funds from a darknet marketplace, wash them in a bitcoin mixer or spend them, they leave traceable tracks in the blockchain. It works like this: anyone who buys, say, 2 grams of cannabis for 20 euros on the darknet is given a bitcoin address for the transfer by the marketplace or the drug dealer. So that the payment can easily be matched to the purchase, and so that you cannot see the payments of other buyers, you get a separate bitcoin address for each purchase.

But if the merchant sends the bitcoins to a bitcoin mixer for washing, or if the darknet marketplace transfers the proceeds of the latest deals to the merchant, the individual small amounts are combined into one larger amount: the sources of the transaction are the many bitcoin addresses from the individual purchases, and the destination is a single address in the merchant's wallet or at the bitcoin mixer.

If the authorities have also bought something in the course of their investigations, they can use this consolidating transaction to identify the purchases of other customers and, for example, if someone bought their bitcoins under their real name at a crypto exchange, determine their addresses. Incidentally, anyone can follow this themselves: the website walletexplorer.com automatically evaluates such indicators and groups individual addresses that are related to each other into virtual wallets, so that cash flows can easily be followed.

By using a bitcoin mixer, the drug dealer imagines himself safe. Its task is to disguise the flow of money that is transparent to anyone through the blockchain. In the simplest case the mixer uses two different wallets: customers who deposit bitcoins into the first wallet receive a transfer from the second wallet, while other customers may deposit into the second wallet and be served from the first. That way there is no connection between an incoming and an outgoing payment that can be traced in the blockchain; in theory, only the mixer operator could make the connection. The services charge a fee of usually one to three percent.

Here the investigators benefit from the greed and suspicion of the criminals: nobody voluntarily pays a high fee, especially on large sums such as those involved in the final exit of the Wall Street Market admins or of busy drug traffickers. Therefore the amount paid into the mixer and the amount paid out are almost equal.

In addition, mixer operators are generally suspected of occasionally cheating and not paying out funds they have received; after all, they need not fear being reported by their criminal clientele. So nobody wants to wait long for the money they are having washed.

Both play directly into the investigators' hands: the pooled deposit of small amounts at the mixer is easy to follow in the blockchain, including the total. Now all one has to do is look for transactions in the next one to two dozen blocks in which a similar amount, a few percent lower, is transferred without any visible relation to the deposit. Of the roughly 50,000 to 100,000 transactions in the blocks in question, these are just a few.

Afterwards, the suspicious transactions only need to be watched in the blockchain. In the case of Wall Street Market admin F., the investigators waited until he shopped online with the bitcoins and transferred them to a payment service provider. From the payment service provider they then obtained the customer data of the paid order, and so unmasked Klaus-Martin F. The police came along with the package.

The success in the Wall Street Market case gives hope that the investigators can also catch the thieves who hit the crypto exchange Binance: through hacking attacks they gained access to the hot wallet, the company's cash register, so to speak. There, on May 7, they stole 7074 bitcoins, worth 7 million euros, at a value of almost 40 million euros. Today the loot is worth over 50 million euros because of the price rise since then. But the crux is converting the bitcoins, whether into other cryptocurrencies, into paper money or into goods. And this is exactly where the Binance thieves face the same challenges as the Wall Street Market admins. The investigators are just waiting for the perpetrators to provide further evidence or make a tiny mistake.

