The Fraud Examiner

Tracking the Intangible: How Fraud Examiners Are Busting Bitcoin Fraud

November 2013 

By Jacob Parks, J.D., CFE 


Due to its skyrocketing value over the past year (from around $10 per Bitcoin in November 2012 to over $900 per Bitcoin a year later), Bitcoin has been gaining popularity beyond just the tech community. Specifically, anti-fraud professionals are taking an interest in the digital currency. Bitcoin has been involved in a range of financial crimes, including theft, price manipulation, sale of illicit goods, money laundering and even Ponzi schemes.


“Virtual currencies, perhaps most notably Bitcoin, have captured the imagination of some, struck fear among others and confused the heck out of the rest of us, including me,” said Senator Tom Carper, chair of the Senate Homeland Security and Government Affairs Committee, during a meeting this November. Bitcoin is an online peer-to-peer currency that uses principles of cryptography to validate transactions between users. Much like trading in national currencies, a person can go online and exchange bitcoins for dollars, euros, and a host of other national currencies (and vice versa). One of the key features of Bitcoin is that it is decentralized, meaning individual users around the world running Bitcoin software on their digital devices form the backbone of the system. This trait has separated Bitcoin from some other virtual currencies — such as e-gold and Liberty Reserve — which operated through centralized servers and were shut down for violations of anti-money laundering regulations. To read more about the origins of Bitcoin, see this previous article from The Fraud Examiner.


Bitcoin has often been called an "anonymous" currency, but recent criminal enforcement actions have shown that individuals who use the currency for fraudulent purposes are not as nameless as they might hope.


Online Persona 

Investigators do not always reveal criminals by looking at the books. Reflecting the online nature of the currency, the Bitcoin community is also active through social media, online forum posts, chat rooms and comment sections. For some reason, many cybercriminals have a tendency to discuss or brag about their methods in online settings.


The FBI recently busted the operator of the most popular online drug site, the Silk Road. This site was essentially the eBay of drugs and other illegal items, and only accepted payment in Bitcoins for the purpose of maintaining the anonymity of buyers and sellers. The investigation involved many sources that eventually led to the identification of the suspected operator, Ross Ulbricht. One of those sources, surprisingly enough, was the suspect's LinkedIn profile.




According to the federal criminal complaint against Ulbricht, his profile obliquely stated his goal was "creating an economic simulation," designed to "give people a first-hand experience of what it would be like to live in a world without the systemic use of force by institutions and governments." That description fits that of a Silk Road advocate, and Ulbricht's profile gave investigators more evidence.


Undercover Operations 

Those who use Bitcoin as a means for crime often operate on the "dark Web," using Tor (a tool that makes tracking a person's IP address very difficult) and other techniques to cover their tracks. As a result, law enforcement agencies such as the FBI have successfully turned to undercover operations to foil such schemes. In the same Silk Road investigation, investigators posed as users of the illegal site to learn information about it, as explained in another criminal indictment.


Additionally, Ulbricht had an employee who had stolen funds from Silk Road users and was arrested by federal law enforcement. Ulbricht wanted to punish the former employee for stealing, and also feared that the employee would give information to the police. Ulbricht decided to hire (with Bitcoin payments worth $80,000) another person to murder the extortionist — or so he thought. The hired assassin was actually an undercover agent, who happily accepted payment for the murder contract. The police staged and photographed the fake murder of the former employee, who, indeed, was working with them. The undercover agent then sent the photos to Ulbricht as "proof" of the crime. This undercover operation gave the investigation team solid evidence to indict the suspect.


Vigilante Justice 

Cybercriminals are at continual risk of being "doxed," which occurs when one person (generally a hacker) reveals the true identity of an anonymous person in public fashion. The person doing the doxing has typically found vulnerabilities in the subject's strategy to remain anonymous and takes advantage of them to obtain identification information. Doxing is sometimes done as a means to harass or cause harm, but there are also times when someone who commits fraud or other grievances against the community is targeted for doxing as a way of punishment. As a result, reading these public posts can help investigators develop leads.


For instance, in July 2013, the SEC accused an individual of operating an illegal $5 million Ponzi scheme with Bitcoin-based investments. The subject, known by the online handle "pirate40," used all of the obvious hallmarks of a Ponzi scheme. First of all, a name like "Bitcoin Savings and Trust" should have aroused suspicion. The subject also promised 7 percent returns on investment every week and stated that the investment was virtually risk-free, that he never was close to operating at a loss, and so on. In truth, he actually was trading at a loss and was paying early investors with new investors' funds — a scheme that soon collapsed. He also spent a large amount of his investors' funds on himself.


However, "pirate40" was doxed at some time near September 2012 on Bitcoin forums, revealing his identity as Trendon Shavers of McKinney, Texas. The doxing in this case was a community effort to recover the stolen funds. Those who claimed to help uncover his identity also claimed to have notified various law enforcement agencies. The following year, the SEC brought its charges against Shavers.


Fraud examiners should exercise caution in using this type of information for several reasons. First, it is not necessarily reliable. The wrong person could be doxed and the information could be inaccurate, purposefully falsified or contain other problems. Additionally, evidence that is obtained illegally can cause issues if the case were to go to trial, especially if the illegal search was conducted at the behest of investigators. Therefore, legal counsel should be consulted before attempting to access or use such information in a fraud investigation.


Analyzing the Block Chain 

Bitcoin is more accurately described as pseudonymous than anonymous, meaning that while a user's name is not attached directly to an underlying transaction, the transaction history itself is permanently stored on an online public ledger for all to see. This ledger is referred to as the "block chain," and is searchable online. Researchers and data analysis professionals are developing techniques that might be used to detect suspicious activity in Bitcoin transactions, and perhaps even trace them to specific people.


Researchers at the University of California at San Diego and George Mason University undertook research to identify ways in which Bitcoin transactions could be grouped and traced back to specific users. While the public information alone probably would not reveal the person's identity, a warrant or subpoena served on the user's Internet service provider (ISP) might be effective. For instance, the researchers were able to map transactions from certain parties (e.g., the Silk Road) that were related to users believed to be customers. The researchers created a transaction link diagram, as seen here.
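An added illustration of how transactions on the public ledger can be grouped, not code from this article or from the researchers: the article does not name the grouping method, so this example assumes the common-input-ownership heuristic, in which addresses spent together as inputs of one transaction are treated as one wallet. The transactions, the address names and the tagged address "M1" are constructed sample data.

```python
from collections import defaultdict
# Constructed sample transactions (not real block chain data).
TXS = [
    {"txid": "t1", "inputs": ["A1", "A2"], "outputs": ["M1"]},
    {"txid": "t2", "inputs": ["A2", "A3"], "outputs": ["B1", "A4"]},
    {"txid": "t3", "inputs": ["M1", "M2"], "outputs": ["M3"]},
    {"txid": "t4", "inputs": ["C1"], "outputs": ["M2"]},
    {"txid": "t5", "inputs": ["B1"], "outputs": ["C1"]},
]

class UnionFind:
    """Disjoint sets of addresses; the smallest name is the cluster id."""
    def __init__(self):
        self.parent = {}
    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x
    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[max(ra, rb)] = min(ra, rb)

def cluster_addresses(txs):
    """Assumed heuristic: all inputs of one transaction share an owner."""
    uf = UnionFind()
    for tx in txs:
        for addr in tx["inputs"] + tx["outputs"]:
            uf.find(addr)  # register every address, even if never co-spent
        for other in tx["inputs"][1:]:
            uf.union(tx["inputs"][0], other)
    clusters = defaultdict(set)
    for addr in list(uf.parent):
        clusters[uf.find(addr)].add(addr)
    return uf, dict(clusters)

def counterparties(txs, uf, tagged_addr):
    """Map each outside cluster that paid the tagged entity to its txids."""
    target = uf.find(tagged_addr)
    senders = defaultdict(list)
    for tx in txs:
        src = uf.find(tx["inputs"][0])
        if src != target and any(uf.find(o) == target for o in tx["outputs"]):
            senders[src].append(tx["txid"])
    return dict(senders)
if __name__ == "__main__":
    uf, clusters = cluster_addresses(TXS)
    print(clusters, counterparties(TXS, uf, "M1"))  # "M1": constructed tag
```

Transaction t4 pays M2, an address with no tag of its own; it is attributed to the tagged entity only because M2 was later spent together with M1 in t3. The heuristic yields leads rather than proof, since transactions deliberately built with inputs from several owners will merge unrelated wallets.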




Additionally, government and private organizations are working on tools to detect Bitcoin fraud, in case the digital currency continues its rise in popularity. Markus Rothenhöfer, CFE, works for Contelligence GmbH, a company that is working with German law enforcement and the European Union to develop data analysis software for Bitcoin. Rothenhöfer states that the tool "makes it possible to trace and detect fraudulent transactions via mathematical methods by combining graph theory with statistical models." A screenshot of the tool is provided below.




The Future of Bitcoin Fraud 

Bitcoin has the potential to benefit legitimate parties, such as merchants who might incur much lower transactional fees for payment processing. Many Bitcoin advocates believe that the currency or one like it will be the next disruptive development in payment technology, much as credit and debit cards were in the 20th century. While that prediction is far from certain at this point, it is good to know that there will be ways for fraud examiners to investigate crimes involving Bitcoin.


