Unmasking Crypto Money Laundering with OSINT & Blockchain Forensics

Ervin Zubic
Published in OSINT Ambition
8 min read · May 13, 2024

Dive deep into the methods and tools investigators use to unmask crypto money laundering operations. This article reveals how OSINT and blockchain analytics can expose the flow of illicit funds across multiple blockchains.

Digital Cashout. Image created using DALL-E.

This article is also published on Mirror.xyz.

Our preceding article introduced the “Money Laundering Base OSINT Toolkit,” featuring tools like OpenSanctions and OCCRP Aleph, essential for constructing foundational profiles of targets. This groundwork is vital when pivoting to the domain of cryptocurrencies.

Today, we turn our attention to blockchain forensics, a burgeoning field within open-source intelligence that investigates cryptocurrency transactions. Unlike traditional banking records, blockchain ledgers are public, which makes them a prime source for OSINT. Blockchain analytics, now widely adopted, has become a pivotal tool in the fight against money laundering.

This article aims to equip investigators with tools and knowledge to trace complex crypto laundering schemes, focusing on techniques such as “chain-hopping,” mixers, and nested exchanges.

Essential Blockchain Analytics Tools: Your Arsenal Against Crypto Crime

Before we delve into the technical intricacies of blockchain forensics, we must understand the tools at our disposal. The effectiveness of an investigation often hinges on the capabilities of the analytical tools used to parse through complex data layers.

Maltego and Its Limitations: Maltego has been a significant player in the visualization of OSINT investigations, providing a graphical representation that aids in understanding complex networks. However, it faces limitations in blockchain forensics, such as a lack of specialized transformers and a user interface not tailored for in-depth crypto investigations. For a more refined experience, the CipherTrace transformer offers enhanced capabilities, though at a higher cost ($999 per year for the base tier last time I checked).

Screenshot of Maltego’s Transform Hub Partners showing various cryptocurrency-related transformers.
Figure 1. This image displays a selection of Maltego transformers tailored for cryptocurrency investigations, including Etherscan for tracking Ethereum-based assets, CipherTrace for cryptocurrency forensics, and other tools for sanctions compliance and deep social media investigations.


The Power of Free (and Affordable) Tools: For independent investigators who do not need enterprise systems, Breadcrumbs, MetaSleuth and SlowMist emerge as vital resources. These tools offer free tiers and cost-effective subscription plans, making advanced blockchain analytics accessible to a broader audience. I should note that MetaSleuth is my platform of choice, but I have used all providers (except CipherTrace) mentioned in this article and would not have any issues with using them again if I were in a setting that subscribed to one of the other services.

Enterprise-Level Options (Brief Mention): While the focus of this discussion emphasizes accessible tools, it’s important to acknowledge enterprise-level options such as Chainalysis, TRM Labs, Elliptic, and Blockchain Intelligence Group. These platforms provide extensive capabilities for organizations with greater resources, but for most investigators, MetaSleuth and Breadcrumbs offer the necessary functionality to effectively tackle money laundering investigations without substantial financial investment.

Decoding the Dark Arts: Crypto Money Laundering Techniques Exposed

In the intricate world of cryptocurrency, money launderers utilize various obfuscation techniques to mask the origins of illicit funds. Primary methods such as CoinJoins, mixers, and bridges each play a role in complicating the traceability of transactions. CoinJoins amalgamate multiple users’ transactions into a single operation, obscuring individual paths.

Diagram illustrating a CoinJoin transaction alongside two separate, simpler transactions involving Bitcoin.
Figure 2. The image visually explains the concept of a CoinJoin transaction, where Alice and Carlos combine their transactions to send Bitcoin to Bob and David respectively, enhancing privacy by concealing their addresses, compared to the straightforward individual transactions shown on the left. Source: What are mixers and “privacy coins”? coincenter.org

Mixers, meanwhile, pool and scramble cryptocurrencies from numerous addresses, challenging the linkage to original sources.

Diagram depicting a Bitcoin mixer transaction process with inputs and outputs involving Alice, Carlos, Bob, and David.
Figure 3. This image explains a mixer transaction where Alice and Carlos send their Bitcoin to a centralized mixer, which then redistributes the coins anonymously to Bob and David, enhancing the privacy of their transactions by obscuring the link between inputs and outputs. Source: What are mixers and “privacy coins”? coincenter.org

However, with mixers facing increased regulatory scrutiny and sanctions, illicit actors are shifting towards more sophisticated methods like chain-hopping via bridges.

Diagram comparing mono-chain and cross-chain cryptocurrency transactions, highlighting a chain-hop.
Figure 4. The image illustrates two types of cryptocurrency transaction flows: the top diagram shows a mono-chain transfer from source to destination within the same blockchain, while the bottom diagram depicts a cross-chain transaction that includes a ‘chain-hop’ to move assets between different blockchains, enhancing the complexity and potentially the privacy of the transfer. Source: TRM Talks Investigations: Latest trends, typologies and cases in crypto, TRM Labs.

How Chain-Hopping Works: Chain-hopping involves cross-chain transfers that allow cryptocurrencies to seamlessly move between different blockchains, such as from Blockchain A to Blockchain B. This technique adds layers of complexity for investigators tracking laundered assets. The typical process unfolds as follows:

  1. A user initiates a transfer via a bridge interface, sending cryptocurrency from Blockchain A to Blockchain B.
  2. The cryptocurrency is then locked in a vault on Blockchain A.
  3. Validator nodes note this lock and relay the information to Blockchain B.
  4. Validators on Blockchain B confirm the lock’s validity.
  5. Blockchain B mints proxy tokens, backed 1:1 by the locked funds, which are then credited to the user’s wallet.
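The lock-and-mint flow above, seen from the investigator's side, as an added Python example that is not part of the original article: it pairs lock events observed on Blockchain A with mint events on Blockchain B by matching amount (1:1 backing) and time window, which is how a chain hop is reconstructed when the bridge offers no lookup. The event shape, the 30-minute window and the fee tolerance are assumptions, and the sample events are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class BridgeEvent:
    chain: str        # "A" for the source chain, "B" for the destination chain
    tx_hash: str      # constructed placeholder, not a real transaction hash
    address: str      # depositor on A, recipient of proxy tokens on B
    amount: int       # smallest unit; 1:1 backing means lock and mint amounts match
    timestamp: datetime


def match_chain_hops(locks, mints, window=timedelta(minutes=30), tolerance=0):
    """Pair each lock on chain A with the earliest unmatched mint on chain B whose
    amount matches (within `tolerance`, an assumption for bridges that deduct a fee)
    and whose timestamp falls inside `window` after the lock. Returns (lock, mint) pairs."""
    hops, used = [], set()
    for lock in sorted(locks, key=lambda e: e.timestamp):
        for mint in sorted(mints, key=lambda e: e.timestamp):
            if mint.tx_hash in used or mint.timestamp < lock.timestamp:
                continue
            if mint.timestamp > lock.timestamp + window:
                break  # mints are sorted, so nothing later can match this lock
            if abs(mint.amount - lock.amount) <= tolerance:
                hops.append((lock, mint))
                used.add(mint.tx_hash)
                break
    return hops


def demo_hops():
    """Constructed sample: two genuine hops plus one decoy mint outside the window."""
    t0 = datetime(2024, 5, 1, 12, 0)
    locks = [
        BridgeEvent("A", "a-lock-1", "A_woi", 10_000, t0),
        BridgeEvent("A", "a-lock-2", "A_woi", 2_500, t0 + timedelta(hours=1)),
    ]
    mints = [
        BridgeEvent("B", "b-mint-1", "B_recv_1", 10_000, t0 + timedelta(minutes=5)),
        BridgeEvent("B", "b-mint-2", "B_recv_2", 2_500, t0 + timedelta(hours=1, minutes=10)),
        BridgeEvent("B", "b-mint-3", "B_other", 10_000, t0 + timedelta(hours=3)),
    ]
    return match_chain_hops(locks, mints)


if __name__ == "__main__":
    for lock, mint in demo_hops():
        print(f"{lock.address}@{lock.chain} {lock.tx_hash} -> {mint.address}@{mint.chain} {mint.tx_hash}")
```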

Detecting Red Flags: While using CoinJoins, mixers, and chain-hopping isn’t inherently illegal — indeed, many legitimate cryptocurrency users employ these techniques — caution is warranted if they are linked with services sanctioned by authorities like The U.S. Department of Justice (e.g., Tornado Cash or Samourai Wallet). Tools such as OpenSanctions or OFAC can provide updates on such sanctions. Suspicious activities that may suggest illicit usage include:

  • Transactions involving mixers, sanctioned entities, and high-risk jurisdictions.
  • Repeated transactions just below reporting thresholds.
  • Activity that deviates from the customer’s typical profile.
  • Extensive layering across multiple wallets, chains, and transfers.
  • Leveraging of nested exchanges to cash out.

These indicators, especially when combined, might necessitate a comprehensive investigation into the subject’s transaction history to uncover potential money laundering activities.
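The red flags listed above, turned into screening logic as an added Python example (not the article's or any vendor's code): it checks one wallet's transaction history for mixer and sanctioned-entity exposure, high-risk jurisdictions, repeated amounts just below a reporting threshold, and spread across chains. The reference sets, the 10,000 USD threshold with a 10% band, the minimum counts and the sample transactions are constructed assumptions; in practice the sanction and mixer lists would come from a feed such as OpenSanctions or OFAC.

```python
from dataclasses import dataclass

# Constructed reference data (placeholders, not real addresses); real lists would be
# pulled from OpenSanctions / OFAC and a mixer-label source.
SANCTIONED = {"0xsanctioned_mixer_placeholder"}
MIXERS = {"0xsanctioned_mixer_placeholder", "0xmixer_b_placeholder"}
HIGH_RISK_JURISDICTIONS = {"XX"}
REPORTING_THRESHOLD_USD = 10_000  # assumed threshold for the structuring check


@dataclass
class Tx:
    chain: str
    counterparty: str
    usd_value: float
    jurisdiction: str = ""  # counterparty's jurisdiction when known


def red_flags(txs, threshold=REPORTING_THRESHOLD_USD, band=0.10,
              min_structured=3, min_chains=3):
    """Return human-readable red flags for one wallet's transaction list."""
    flags = []
    mixer_hits = [t for t in txs if t.counterparty in MIXERS]
    if mixer_hits:
        flags.append(f"mixer interaction ({len(mixer_hits)} tx)")
    sanctioned_hits = [t for t in txs if t.counterparty in SANCTIONED]
    if sanctioned_hits:
        flags.append(f"sanctioned entity ({len(sanctioned_hits)} tx)")
    risky = [t for t in txs if t.jurisdiction in HIGH_RISK_JURISDICTIONS]
    if risky:
        flags.append(f"high-risk jurisdiction ({len(risky)} tx)")
    # Structuring: repeated amounts in the band just under the reporting threshold.
    structured = [t for t in txs if threshold * (1 - band) <= t.usd_value < threshold]
    if len(structured) >= min_structured:
        flags.append(f"structuring: {len(structured)} tx just below {threshold:,.0f} USD")
    chains = {t.chain for t in txs}  # layering across chains (chain-hopping)
    if len(chains) >= min_chains:
        flags.append(f"chain-hopping across {len(chains)} chains")
    return flags


def demo_flags():
    """Constructed history for one wallet of interest."""
    txs = [
        Tx("ethereum", "0xcex_hot_wallet_placeholder", 25_000),
        Tx("ethereum", "0xmixer_b_placeholder", 5_000),
        Tx("ethereum", "0xsanctioned_mixer_placeholder", 12_000),
        Tx("bsc", "0xintermediary_1", 9_500),
        Tx("polygon", "0xintermediary_2", 9_800),
        Tx("arbitrum", "0xintermediary_3", 9_200),
        Tx("tron", "Tintermediary_4", 3_000, jurisdiction="XX"),
    ]
    return red_flags(txs)
```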

Example: In the center of this graph is a wallet belonging to OFAC-sanctioned individual Ivan Gennadievich KONDRATIEV. As the funds flow to the right, it’s evident that this wallet exhibits activity on eight different blockchains, suggesting a high level of chain hopping. MetaSleuth lets users easily click on each blockchain and track the address’s activity across various chains. What we observe here is that the individual’s primary wallet transfers funds to another wallet, which then engages in extensive chain hopping, warranting further investigation.

Screenshot of a blockchain analysis tool displaying a cryptocurrency transaction involving multiple chains and risk assessment features.
Figure 5. The image depicts a blockchain transaction flow chart where funds are transferred from initial sources, pass through several intermediate addresses, and are involved in cross-chain transactions indicated by various blockchain symbols, culminating in a final wallet address with an Ether balance and associated risk alerts.

Note: To keep this article concise and straightforward, I have chosen not to cover privacy coins.

Practical Crypto Money Laundering Investigation Workflow with MetaSleuth

Navigating the labyrinth of cryptocurrency transactions demands precision and clarity. MetaSleuth, with its robust capabilities, is an indispensable tool for tracing funds across multiple blockchains. Here are a few ways you can set up and organize your investigations using MetaSleuth:

1. Initialization: Begin by setting up your MetaSleuth dashboard and inputting the target cryptocurrency addresses or transaction IDs.

2. Transaction Tracing: Use MetaSleuth to track the flow of funds. The tool visualizes the path of transactions across various blockchains, highlighting nodes and connections clearly.

3. Analysis: Delve deeper into each transaction to understand the origin, destination, and intermediaries involved. MetaSleuth’s analytical features allow for the dissection of each step in the blockchain transfer.

4. Label & Memos: Label and add memos to key findings and suspicious transactions for further investigation.

Graph Setup and Visualization

  • Orientation: Arrange your graph horizontally. Place the Wallet of Interest (WoI) in the center, with incoming funds to the left and outgoing funds to the right, to visually represent the flow of transactions.
  • Color Coding: Enhance graph readability by color-coding elements. For instance, color the WoI red, with associated transactions in light red. Centralized exchanges could be marked in blue, decentralized exchanges in orange, and sanctioned entities in dark red. Feel free to customize the color scheme to suit your analysis needs.
Figure 6. The image presents a detailed flowchart tracing the source and destination of funds for a Wallet of Interest (WOI), highlighting incoming transactions from external sources like a centralized exchange, and outgoing transactions to various other addresses, effectively illustrating the wallet’s financial activity.

Tips and Tricks

  • Correlation Analysis: Utilize MetaSleuth’s ability to correlate disparate data points. This can help identify patterns or anomalies that are not immediately obvious.
  • Alerts Setup: Configure alerts to continually monitor transactions by your wallet of interest.
Screenshot of the Address Monitoring Settings interface for Ethereum on a cryptocurrency monitoring platform.
Figure 7. The image shows a configuration panel for setting up address monitoring on the Ethereum blockchain, including input fields for the address, a description field filled with user tags, and options for the type of tokens to monitor, with a warning about monitoring limits.

Integrating with Maltego

When I complete my investigations using MetaSleuth, I then import the final results into Maltego, attaching a comprehensive MetaSleuth investigation graph as an “Exhibit.” This allows anyone reviewing my reports to easily reference a specific Exhibit to see the rationale behind attributing a particular wallet to our person of interest.

Screenshot of the Maltego interface showing the process of attaching a MetaSleuth investigation graph as an exhibit for a report.
Figure 8. The image depicts the Maltego software interface with an open graph window and a details pane, where a user is in the process of attaching a MetaSleuth investigation graph as an “Exhibit.” This setup allows anyone reviewing the report to easily access and understand the evidence linking specific wallets to a person of interest through detailed visual analysis.

To learn more about how to track the movement of assets on the blockchain, read this hands-on guide to mastering MetaSleuth.

Mastering the Blockchain Battleground: OSINT & Analytics for Crypto AML

As we wrap up this detailed exploration into the world of blockchain forensics, it’s clear that the landscape of financial crime is evolving rapidly, and so must our methods of investigation. The tools and techniques we’ve discussed are not just advanced technologies; they are essential allies in the ongoing battle against money laundering in the cryptocurrency space.

From the foundational use of the Money Laundering Base OSINT Toolkit to the sophisticated deployment of MetaSleuth and Maltego, each tool serves a pivotal role in unveiling the obscured paths of illicit funds. The practical insights provided here aim to educate and empower investigators and analysts. The step-by-step guides and advanced tips ensure that every reader can confidently navigate the complexities of blockchain transactions.

As you apply these methods, remember that the key to successful investigations lies in understanding the technical mechanisms and behavioral patterns underpinning crypto laundering. Whether you’re dissecting chain-hopping maneuvers or scrutinizing Tornado Cash transactions, the ability to interpret and act on these insights will ultimately disrupt criminal activities.

I encourage you to continuously evolve your toolkit and stay informed on the latest developments in blockchain forensics. Doing so contributes to a more transparent and secure financial environment. Harness these tools to their fullest potential, and you’ll follow the digital breadcrumbs and possibly lead the charge in preventing future financial crimes.

Explore Next

Elevate your phishing investigations with Maltego and OSINT: discover how to visually map and dismantle complex campaigns in my next article. Read on…

Discover how blockchain is transforming industries on the Blockchain Insights Hub. Follow me on Twitter for real-time updates on the intersection of blockchain and cybersecurity. Subscribe now to get my exclusive report on the top blockchain security threats of 2024. Dive deeper into my blockchain insights on Mirror.xyz.

Cyber threat intelligence professional focusing on FinCrime and blockchain forensics. Explore my work on GitHub and Mirror.xyz. Connect on Twitter for updates.