Paolo Ardoino was on the front lines of one of the largest cryptocurrency heists of all time.
He was flooded with calls and messages in August alerting him to a breach at Poly Network, a platform where users swap tokens between popular cryptocurrencies, like Ethereum, Binance, and Dogecoin. Hackers had made off with $610 million in crypto, belonging to tens of thousands of people. Roughly $33 million of the funds were swiftly converted into Tether, a "stable coin" with a value that mirrors the U.S. dollar.
Ardoino, Tether's chief technology officer, took note. Typically, when savvy cyber criminals make off with cryptocurrency, they transfer the assets between online wallets through difficult-to-trace transactions. And poof — the money is lost.
Ardoino sprang into action and minutes later froze the assets.
"We were really lucky," he said. "Minutes after we issued the freezing transaction, we saw the hacker attempt to move out his Tether. If we had waited five minutes more, all the Tether would be gone." Two weeks later, Tether released the money to its rightful owners. And after threats from Poly Network, the online bandit gave up the rest.
The seizure pokes a hole in the long-held belief that cryptocurrency is impossible to trace. Cryptocurrency is computer code that allows people to send and receive funds, recording the transactions on a public ledger known as a blockchain, rather than retaining account holder info. Because of the lack of user data, cryptocurrencies like bitcoin have been hailed as a safe haven for criminal activity. Fueled by anonymity, the shadowy industry allows hackers, tax evaders and other bad actors to launder money secretively, outside of the traditional banking system.
Online scammers made off with $2.6 billion in 2020, according to a Chainalysis report. That year, ransomware attacks more than quadrupled.
But forensics investigators are getting savvier at scrupulously mapping activity on blockchains and figuring out who is behind specific accounts. This has sparked a "novel cottage industry of data providers" who are able to track cryptocurrency accounts flagged for illicit activity, said Zachary Goldman, a lawyer specializing in novel payment technologies at WilmerHale. "That's never really been available before."
Through tracking, agents have recouped stolen crypto funds in a handful of high-profile cases. In June, the Federal Bureau of Investigations seized the $2.3 million in bitcoin ransom Colonial Pipeline paid to hackers who infiltrated the company's computer network. Investigators used the blockchain to follow the flow of the ransom payment to track the perpetrators. In 2020, the crypto exchange KuCoin recovered almost all of the $281 million stolen by suspected North Korean hackers and refunded the funds to customers.
"Following the money remains one of the most basic, yet powerful tools we have," Deputy Attorney General Lisa Monaco said in a DOJ press release announcing the Colonial Pipeline funds had been seized. Authorities accessed the account holder's private key, according to an affidavit, but didn't say how they accessed it, likely to keep hackers from understanding their methods, outside experts say.
The FBI and Pipeline Colonial declined to comment about how they accessed the account. Others in the industry have theories.
There are thousands of cryptocurrencies with thousands of blockchains, which contain a public record of every crypto transaction made. But Blockchains provide limited public user data and the massive documents, supported via a network of servers, require specialized skills and terabytes of computer storage to download and parse through. This allows criminals to hide behind cryptic account numbers and conceal their assets by swiftly moving them or spreading them across a wide array of wallets.
Blockchain surveillance companies are finding success using software to scrape transactional data on the blockchain, analyze it for suspicious activity — such as accounts connected to illicit behavior on the dark web — and help law enforcement agencies track down where the funds end up.
Generally, it starts with an account number.
Whether it's a ransom payment or a stolen funds, all crypto transactions — illicit or not — are linked to a least one public crypto address, similar to a public bank account number. That number, a unique string of more than 25 characters, can lead agents to a host of information about the person behind it. It can flag other transactions the person made and identify which exchanges or wallets an account holder uses. If those exchanges or wallets are maintained by a third-party firm, the assets are considered "centralized" and subject to seizure, experts say.
Decentralized assets, however, are not verified or maintained by a centralized authority. They're maintained by code. As such, they can't be frozen.
When shifting cryptocurrency around, criminals sometimes inadvertently turn decentralized assets such as bitcoin, into other digital tokens that are controlled or supported by a company. If the cryptocurrency is "flipped" into a coin run by a single entity, then the "company can actually freeze that currency, burn those tokens or otherwise exert a lot of control over that," said Adam Lowe, chief innovation officer at CompoSecure, a cryptocurrency wallet company.
Since blockchains list transaction history for each coin, rather than owner info, investigators use sophisticated software to analyze where currencies flow.
Bitquery, a blockchain search engine firm, produces software that underpins analytics tools used by law firms, government agencies and data forensics companies.
The computation work happens at a warehouse in New York City, where servers processing up to 300 terabytes of data at a time analyze the blockchain 24-hours a day. "We extract data from the blockchain, transform it in a way that's useful, and put it onto our databases where customers can access it," said Gaurav Agrawal, head of growth at Bitquery.
The software starts by finding all the transactions associated with a flagged crypto address and generates graphs to show how digital currency circulated into and out of the account. It attempts to identify patterns that might indicate other payment services the hacker uses.
The most advanced forensics tools can tell investigators whether an account number has been active on the dark web or on a gambling website. They might reveal an IP address, which can surface an exact home address, said Steve McNew, a senior managing director at FTI Consulting, a company focused on cryptocurrency investigations.
Cryptocurrency exchanges, wallets and custodians require users to include identifiable information if they wish to sign up. These firms, if subpoenaed, can reveal account holder information.
But there are limitations to what authorities can glean.
Several tactics can throw authorities off the trail. People who want to evade scrutiny can pool their crypto into "mixers," a wallet address that combines the coins with other transactions, making them harder to trace. Hackers can also store their cryptocurrency keys in "cold" wallet devices that don't connect to the Internet and are thus more secure. They transfer the digital tokens in an online wallet to an address linked to their desktop or save the account information and private keys on a thumb drive-like device.
If you hold your crypto in a hardware wallet, "the security is pretty bulletproof," said David Sacco, a practitioner-in-residence at the University of New Haven in the finance and economics departments.
Despite a host of innovations in tracking technology, cryptocurrency still remains extremely difficult to track. Most cybercriminals get away with it, McNew said.
"If criminals store keys in a cloud provider, or with a third-party data custodian, getting access to those keys would be a way to apprehend the asset in question," said Nic Carter, a partner at Castle Island Ventures, a blockchain-focused venture fund.
Storing the information online means that it's more likely to be accessible because authorities can subpoena the wallet operator to get specific information about the account holder. When authorities can't get into an account, they wait for the cybercriminal to attempt to cash out, or shift the crypto somewhere in the U.S. before they pounce.
"That's most often how we catch people," McNew said. "As they move it from a private wallet into an exchange, hoping to cash it into their bank account, we subpoena the exchange, find out who owns the bank account, and catch them that way."