This might be interesting to some parties who are interested in OPSEC and the current status of LE (law enforcement), especially within the EU.

Introduction

Traditionally, AML (Anti-Money Laundering) concepts rely on KYC systems, due diligence, compliance systems, and the monitoring and reporting duties of banks and other financial service providers. Depending on the scale of transactions, the domicile of the business partner and, especially in contractual relationships with politically exposed persons, financial service providers have to check the identity of their contractual partners, gather information regarding the purpose and the type of the business relationship sought, make a risk assessment and monitor the relationship continuously. In the context of traditional, "real" currencies, this concept is (arguably) effective because a person can only participate in the deposit money system with a bank account (and huge amounts of cash are hard to store and transport, especially across borders). In contrast, in the Bitcoin system users can create their own "account" (the wallet/address) on their own device and create as many key pairs as they want without involving any financial service provider. Hence, AML measures have to be directed towards the legal and natural persons who exchange cryptocurrencies for real currencies or goods, such as exchange platforms and merchants.
However, exactly three years ago a new system was introduced to law enforcement within the US and Australia, and investigators attended CP sessions on AML/CFT (Anti-Money Laundering/Combating the Financing of Terrorism) with particular regard to cryptocurrencies.
The technology shown in those sessions has advanced since then, and a tag system was introduced which, as the name already reveals, automatically tags customers of exchanges with specific labels. This system works similarly to conventional AML techniques, where banks have been indiscriminately flagging every transaction related to bitcoin purchases and sales.
This data from the banks has been consolidated across many banks within the Five Eyes and provided to a data science company (Palantir) to conduct large-scale inference matching against the distributed ledger. The software matches every transaction in which funds flow into the blockchain (via banks, credit cards and KYC/verified websites) with this information and uses it to build out a map of which wallets belong to whom. The software also has a profile-matching integration: if you have sent funds to the same wallet from a different wallet, it will link that wallet to the owner as well. On top of this, additional cluster analysis has been added.
(The following products are all developed and sponsored by the EU and used by two three-letter agencies in Germany, namely the BKA and the LKA.)
Cointel

Another product with similar functionality is called "Cointel" and is currently being developed in the H2020 programme of the European Union. Cointel gives agents quick access to dashboards of transactions, addresses and entities, as well as assisted search to find relevant information on the internet more efficiently. Furthermore, the product provides the agent with insights into (possible) relations between addresses and entities based on advanced clustering techniques. Cointel also gives law enforcement agents the option of being notified when a transaction is registered on an address they have marked, which supports time-critical actions.
GraphSense

GraphSense offers scalable quantitative methods and services that contribute to a better understanding of the structure and dynamics of cryptocurrency ecosystems. The tool is tailored to aid forensic investigations of virtual currency transactions. By semantically enriching transaction graphs with additional information extracted from contextually relevant sources, GraphSense enables a context-based analysis.
GraphSense supports key clustering heuristics and can filter CoinJoin transactions. Multiple addresses are usually controlled by one single entity, and they can be grouped together to form a cluster. If a single address within a cluster containing hundreds of thousands of addresses can be attributed, the entire cluster can be attributed to the same entity. In GraphSense, a cluster, like an address, is represented in a graph where neighboring nodes are clusters with which it exchanged money.
In order to associate real-world actors, such as Bitcoin exchanges or gambling sites, with addresses and clusters, information is gathered from publicly available sources. Each tag associates a specific Bitcoin address with some contextually relevant information (e.g., BTC-e.com) about real-world actors and facilitates the interpretation of monetary flows.
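To make the clustering and tagging described above concrete, here is an added example (my own illustration, not GraphSense code) of the common-input-ownership heuristic with union-find, a crude CoinJoin filter so that mixed transactions are not merged, and tag propagation from one attributed address to its whole cluster. The transactions, addresses and the tag label are constructed sample data.

```python
from collections import Counter, defaultdict

# Constructed sample txs (not real chain data): (txid, input addrs, [(out addr, sat)]).
TXS = [
    ("tx1", ["A1", "A2"], [("B1", 50_000)]),
    ("tx2", ["A2", "A3"], [("B2", 20_000)]),
    ("tx3", ["C1"], [("C2", 10_000)]),
    # CoinJoin-like: many inputs from different people and equal-valued outputs.
    ("tx4", ["A1", "C1", "D1", "D2"], [("E1", 10_000), ("E2", 10_000), ("E3", 10_000), ("E4", 10_000)]),
]
TAGS = {"A3": "example-exchange.test"}  # constructed tag: address -> real-world actor

def looks_like_coinjoin(inputs, outputs, min_inputs=3, min_equal_outputs=3):
    """Crude CoinJoin filter: several inputs and several identical output values."""
    if len(inputs) < min_inputs or not outputs:
        return False
    _, count = Counter(v for _, v in outputs).most_common(1)[0]
    return count >= min_equal_outputs

class UnionFind:
    def __init__(self):
        self.parent = {}
    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:  # path halving
            self.parent[x] = self.parent[self.parent[x]]
            x = self.parent[x]
        return x
    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra

def cluster_addresses(txs, skip_coinjoin=True):
    """Common-input-ownership heuristic: all inputs of one tx share an owner."""
    uf = UnionFind()
    for _, inputs, outputs in txs:
        if skip_coinjoin and looks_like_coinjoin(inputs, outputs):
            continue  # merging these inputs would link unrelated people
        for addr in inputs:
            uf.union(inputs[0], addr)  # union(x, x) just registers x
    groups = defaultdict(set)
    for addr in list(uf.parent):
        groups[uf.find(addr)].add(addr)
    return {frozenset(m) for m in groups.values()}

def attribute_clusters(clusters, tags):
    """One tagged address attributes its whole cluster, as the text describes."""
    return {a: {tags[t] for t in members if t in tags}
            for members in clusters for a in members}
```

Running cluster_addresses(TXS, skip_coinjoin=False) collapses everything into one cluster, which is exactly the false link the CoinJoin filter exists to prevent.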
GraphSense's current implementation (release 0.4) consists of several components: a utility for extracting transaction data from the blockchain, a data transformation pipeline built on Apache Spark, a data storage backend exposing a REST API, and an initial web interface, which supports users in the following tasks:
- Search address graph: using a Google-like search interface, users can search for cryptocurrency addresses.
- Explore and traverse transaction graph: all entities (blocks, transactions, addresses) are exposed as first class resources identified by a unique URI. Relationships between entities are represented as HTTP links.
- Inspect address cluster: each address is assigned to a cluster, which can be further inspected.
- Explore address graph: for each address, GraphSense displays a reduced ego-net graph, which allows users to inspect and traverse the address graph.
GraphSense can also be applied in hands-on training for cybercrime specialists who need an introduction to specific aspects of blockchains, cryptocurrencies and the dark web. In particular, GraphSense can be used to analyze events in cryptocurrency blockchains, e.g. Bitcoin, which are related to crimes such as embezzlement, money laundering, hacking, and ransomware. Next to explaining how cryptocurrency addresses are clustered, GraphSense can be used to demonstrate how cybercrime prosecutors can operate.
Blockchain investigator

Virtual cryptographic currencies such as Bitcoin are rapidly growing in popularity. A major driver behind virtual currencies is the blockchain, a distributed shared public ledger recording every issued transaction of every participant. Analysing and structuring the vast amount of stored transactions introduces new challenges in criminal investigations.
The dence blockchain investigator provides an intuitive interface to the exploration of blockchain data by implementing different types of views (tabular and graphical views, custom filters, ...). This improves the speed in understanding the chain of actions in criminal payments as well as relations between different transactions dramatically.
Users can add and share annotations based on observations, tests or case data. Case data is managed on the local device and never leaves the control of the user. However, at the user's own request, data can be shared with other tools (e.g., other H2020 tools) or users (CSV export). In order to avoid leakage of inside knowledge of a crime, the tool can be operated in high-security mode on a fully isolated, offline PC, and updates can be installed according to institutional policies.
Search by | address, transaction, entity, annotation and prefix
Free blockchain search by | range of dates, amount and address
Search results | intuitive tabular and graphical presentation, custom filtering, explore data graphically
Annotation support | users can annotate and share their annotations with other users and other H2020 tools
API support | direct access to blockchain data via API enabling data-driven statistical analytics
Export results | table (CSV), graphics (PNG, SVG) and single records
Updates | offline updates, updates per block
Supported languages | software and professional support in German and English (other languages can be integrated on request)
Wallet investigator

Virtual currency assets like Bitcoin can be managed with different wallet solutions. Wallets typically store private and public key pairs for securely handling virtual currency assets, together with personal addresses and historic transaction information. For example, wallets typically save information about received and spent virtual currencies, transactions, exchange rates, activity timestamps and labels (annotations) about the use or owner of addresses and transactions. Investigators and normal users need tools to access and evaluate the stored data.
Wallet investigator is developed in the EU-project Titanium to analyze traces left by wallet software. The tool focuses on desktop and mobile wallets. Results are summarized in a short report. An automatic checkup based on blockchain data detects issued/triggered transactions and determines the history of activities. Selected wallets can be decrypted either using a known password or, if the password is unknown, using brute-force search strategies. The most important features include:
Analysis of | wallet traces, wallet.dat and mnemonic seed
Encryption support | readout with known password, brute-force search strategies
Blockchain access | correlation with public blockchain data, activity detection, detection of external transactions and multi-wallet scenarios
Export results | HTML report, table (CSV), automatic annotations
Supported languages | software and professional support in German and English (other languages can be integrated on request)
The tool aims to enable virtual currency investigations in high and low profile cases. It facilitates data extraction and analysis, eliminating financial or operational barriers. dence provides professional investigative support together with its tooling.
Dark Web Monitor

Background

The Dark Web is a place on the internet that is designed in such a way that it is easy to conceal the identities of natural persons. Besides legitimate activities, this has attracted a multitude of criminal business as well. The infamous Dark Markets are places where trade takes place in weapons, illicit drugs, child abuse material, stolen credentials, and others. However, there is no Google here. Markets disappear and emerge as a result of scams or Law Enforcement, and they change their structure frequently. Additionally, actors actively try to hide their identities as much as possible.
These features make it difficult for Law Enforcement to effectively gather evidence on the Dark Web. For one, it is slow (because of its technological design), but more importantly, it is very hard to create an overview of what happens where and to find out which user is active across different markets. Another reason why it is good to have a specialized monitor instead of just using a Tor browser is that Law Enforcement Agencies' IT departments are usually not fond of individuals in their organizations accessing the Dark Web from within their network.
Standardized access
The Dark Web monitors of TNO aim to remove some of the barriers when researching the Dark Web. There is a so-called Persistent Monitor (PM) that contains an up-to-date overview of active and offline Tor hidden services including a search index on the first depth of pages. Second, historic data of forums that enable research into communications of actors on the Dark Web is available.
H2020 has focused on the so-called Ephemeral Monitor (EM). The aim of this EM is to provide a layered and unified access to Dark Market data. On the highest layer, an overview of topics per market is presented, and it is possible to drill down to individual markets, individual vendors, and their individual posts. The EM shows the Dark Web ‘as it is’ and does not store historic data (hence the name ‘ephemeral’).
An important feature of the EM is that it provides an intelligent and flexible way to control access to the data: sometimes local legislation or mandates from LE officers prevent them from accessing the most detailed information (which may contain personal information).
The EM makes it possible to identify connections across markets, based on similarity of users: usernames, PGP keys, authorship style or even the re-use of images may provide evidence for actors being active across different markets.