Crypto in the FinCEN Leak

Christina Tkach
Published in Inca Digital
Oct 15, 2020

Written by Evgeny Dmitriev, Sofia Sedlova, Christina Tkach

BuzzFeed and its partners recently released stories about a trove of almost 2,500 Suspicious Activity Reports (SARs) filed by banks with the Financial Crimes Enforcement Network (FinCEN) between 2000 and 2017. They included thousands of suspicious bank transactions totaling over $35B. In cooperation with BuzzFeed, the International Consortium of Investigative Journalists (ICIJ) published a dataset that includes detailed information on 4,500 suspicious transactions.

Inca Digital’s investigation team correlated these transactions with blockchain and crypto market venue activity around the filing dates. By looking at the transaction sizes and timestamps, we matched senders (originator banks) and receivers (beneficiary banks) mentioned in SARs to specific blockchain addresses and business entities. Note that the research below is only circumstantial evidence meant to supplement the work done by ICIJ and other investigative journalists. Still, from an intelligence perspective, the following should initiate a deeper dive into the data.

Blockchain and bank transaction volume (USD) streams overlapped in the common time period, Jan — Dec, 2016. Source: NTerminal data in Splunk

After aggregating and analyzing openly available data from multiple sources (ICIJ dataset, blockchain data, crypto market venue APIs, and natural language data), we found a number of suspiciously similar transactions. The slight differences in the transaction amounts are probably due to the differences in exchange rates and transaction fees. Below are just a few examples with corroborating evidence, indicating that the flagged participants are likely using Bitcoin.

01/14/2016: Bank of China (China) — Saigon Thuong Tin Commercial Joint Stock Bank (Vietnam)

Mapped financial and blockchain transactions. January, 2016. Source: NTerminal data in Splunk

On January 15, 2016, $1M was moved from the Bank of China’s account to Saigon Thuong Tin Commercial Joint Stock Bank, a Vietnam-based financial institution. One day earlier, on January 14, 2016, a transfer of approximately the same amount ($1,003,862.21061 at the time) was spotted on the Bitcoin blockchain to 3HNSiAq7wFDaPsYDcUxNSRMD78qVcYKicw. This address is known to have received funds from a drained hot wallet of Cryptsy, a now-defunct cryptocurrency trading platform whose website went offline on January 15, 2016, taking customer funds along with it. Cryptsy’s CEO Paul Vernon claimed this was due to a hack, but was accused of stealing customer funds and is facing a class action lawsuit.

Blockchain transaction to 3HNSiAq7wFDaPsYDcUxNSRMD78qVcYKicw BTC address. January 15, 2016. Source: NTerminal data in Splunk

12/14/2016: Falcon Private Bank (Switzerland) — Meridian Trade Bank (Latvia)

According to another SAR, Falcon Private Bank moved $1.9M to Meridian Trade Bank toward the end of 2016. Around the same time, a 2,500 BTC transaction was seen on the Bitcoin blockchain.

Blockchain transaction from 1NH87os8v6x42Fhno2pHUzqDj9q4HT3MQS to 1Ayz52eMzCo98M93wQQxWDrPRiokMZWmoD BTC address. December 14, 2016. Source: NTerminal data in Splunk

Falcon Private Bank is already suspected by Singapore’s Central Bank of serious anti-money laundering failings. Moreover, this Swiss-based bank was one of the first to offer cryptocurrency services. The beneficiary, Meridian Trade Bank, is also known for breaching anti-money laundering rules.

10/04/2016: JSC International Financial Club (Russia) — JSC Norvik Bank (Latvia)

On Oct 4, 2016, $2M was transferred from the Russia-based IFC Bank to Norvik Bank. The latter is recognized by the crypto community as a European friendly offshore bank. This Latvian bank transfer overlapped with a 3,405 BTC transaction on the blockchain. A withdrawal of an equivalent amount was made from the BitClub mining pool the day before.

Blockchain transaction from 155fzsEBHy9Ri2bMQ8uuuR3tv1YzcDywd4 to 1HP1Z3Kkyfuy1Gw2sM5oVnssvGsHeXFbC BTC address. October 3, 2016. Source: NTerminal data in Splunk

More suspiciously similar transactions were seen in NTerminal data, which underlines the importance of publicly available data and systems capable of correlating large datasets when performing fraud analysis. This open source intelligence methodology can also be applied to other data types, from market data and natural language to blockchain transaction and attribution data.
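The matching step this article relies on, pairing a flagged bank transfer with on-chain transfers of similar USD value near the same date, can be sketched as follows. This is an added example, not Inca Digital's or NTerminal's code; the class and field names, both thresholds, and every sample row except the January 2016 pair quoted above are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass(frozen=True)
class BankTransfer:  # one SAR-derived wire transfer
    when: date
    originator: str
    beneficiary: str
    usd: float

@dataclass(frozen=True)
class ChainTransfer:  # one on-chain transfer, already priced in USD
    when: date
    to_address: str
    usd: float

def correlate(bank, chain, max_days=1, max_rel_diff=0.01):
    """Return (bank, chain, day_gap, rel_diff) candidates, tightest first.
    A pair qualifies when the dates are within max_days and the USD values
    differ by at most max_rel_diff of the bank amount (slack for exchange
    rates and fees). Both thresholds are assumptions, not article figures."""
    window = timedelta(days=max_days)
    hits = []
    for b in bank:
        for c in chain:
            if abs(c.when - b.when) > window:
                continue
            rel = abs(c.usd - b.usd) / b.usd
            if rel <= max_rel_diff:
                hits.append((b, c, (c.when - b.when).days, rel))
    # Smallest amount difference first, then smallest day gap.
    return sorted(hits, key=lambda h: (h[3], abs(h[2])))

# Sample input: the first row of each list uses figures quoted in the
# article; every other row is constructed for this example.
BANK = [
    BankTransfer(date(2016, 1, 15), "Bank of China",
                 "Saigon Thuong Tin Commercial Joint Stock Bank", 1_000_000.00),
    BankTransfer(date(2016, 3, 2), "CONSTRUCTED-BANK-A", "CONSTRUCTED-BANK-B", 250_000.00),
]
CHAIN = [
    ChainTransfer(date(2016, 1, 14), "3HNSiAq7wFDaPsYDcUxNSRMD78qVcYKicw", 1_003_862.21),
    ChainTransfer(date(2016, 1, 14), "CONSTRUCTED-ADDR-1", 1_040_000.00),  # amount too far off
    ChainTransfer(date(2016, 1, 20), "CONSTRUCTED-ADDR-2", 1_000_500.00),  # outside date window
    ChainTransfer(date(2016, 3, 2), "CONSTRUCTED-ADDR-3", 90_000.00),
]

if __name__ == "__main__":
    for b, c, gap, rel in correlate(BANK, CHAIN):
        print(b.beneficiary, c.to_address, gap, f"{rel:.3%}")
```

Widening either threshold quickly increases coincidental pairings on a busy chain, which is why the ranked candidates still need corroboration from attribution data of the kind the examples above cite.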

Appendix

01/15/2016:

34JSeko1JgXRUYtXtCUTbZDpGKz61yE9wA — 3HNSiAq7wFDaPsYDcUxNSRMD78qVcYKicw

37A2u77XcFpmg4iaEuGGFVtEpupcXiFQei — 3HNSiAq7wFDaPsYDcUxNSRMD78qVcYKicw

3FfXPU8JPMg1zaH6Thmxs6xrpnhoncesc1 — 3HNSiAq7wFDaPsYDcUxNSRMD78qVcYKicw

3M8wnd72ih5ywq3nBMo6mqS3BLLFr8dTi6 — 3HNSiAq7wFDaPsYDcUxNSRMD78qVcYKicw

3NFfRKfgeShy9jk7LAwcVnHsa76jxTcLV — 3HNSiAq7wFDaPsYDcUxNSRMD78qVcYKicw

12/14/2016:

1NH87os8v6x42Fhno2pHUzqDj9q4HT3MQS — 1Ayz52eMzCo98M93wQQxWDrPRiokMZWmoD

10/03/2016:

155fzsEBHy9Ri2bMQ8uuuR3tv1YzcDywd4 — 1HP1Z3Kkyfuy1Gw2sM5oVnssvGsHeXFbC
