Cryptocurrency Enforcement Framework: Impacts on digital forensic investigations
Back in 2010, Laszlo Hanyecz bought two pizzas for 10,000 bitcoins. This was the first transaction using the novel technology based on a blockchain, cryptocurrency. As I write, a single bitcoin is valued at around $57,000.
I hope the pizzas were tasty.
Cryptocurrency has become a force to be reckoned with. From the early days of technical and privacy interest to now being traded on crypto exchanges for vast sums, cryptocurrency has reached the mainstream. Web 3.0 is coming. This new user-controlled and human-led version of the internet holds much promise for privacy and sovereignty. However, with the ying comes yang.
Every time a new technology emerges, especially one that carries inherent value, cybercriminals follow. Cryptocurrency is already intrinsic to ransomware attacks because the technology was designed to make transactions, and the users behind the transaction, anonymous.
The FBI and other law enforcement agencies recognize that this anonymity can be used for nefarious purposes. To help in investigations, the attorney general’s Cyber Digital Task Force has developed the “Cryptocurrency Enforcement Framework.” This framework is likely to have uses in carrying out digital forensic investigations.
What is the Cryptocurrency Enforcement Framework?
Technology is typically designed for the good of humanity. But even the best-designed technology can be used to carry out bad deeds. Cryptocurrency is another technology that was designed for the protection of privacy but has subsequently been used to hide illegal transactions and help fraudsters carry out exploitation. The latest analysis of the amount of bitcoin extorted by cybercriminals carrying out ransomware attacks comes in at around $1.4 billion, for example.
The situation regarding cryptocurrency has left law enforcement agencies with a gap in security. A Cyber Digital Task Force within the U.S. Department of Justice was set up to resolve the conflict between the right to anonymity in using digital products whilst ensuring that cybercriminal activity can be traced. One of the tasks of the group was to evaluate the impact of various technologies, including cryptocurrencies, on law enforcement’s ability to keep citizens safe. The result was the Cryptocurrency Enforcement Framework.
The framework consists of three parts:
- Threat overview
- Law and regulations
- Ongoing challenges and future strategies
Cryptocurrency Enforcement Framework: Threat overview
This section explores the use of cryptocurrencies in an illegal context, whilst setting out the basics of how the technology works.
Details of how the cryptocurrency technology operates, including a definition of the key parts of the system such as a “miner,” a “wallet” and so on, set the scene for an understanding of the wider crypto ecosystem. This baseline knowledge is a vital ingredient in a digital forensic investigator’s knowledge base.
This first section goes into the anatomy of a cryptocurrency exchange process and how a transition flows from person to person across the platform, to a final outflow and cash-out options.
The section also explores both the legitimate and illegitimate uses of cryptocurrencies. For example, the framework states that cryptocurrencies can be used legitimately to help minimize transaction costs and reduce corruption and fraud. Conversely, a cryptocurrency exchange mechanism can be used to hide illicit activities, including facilitating the movement of illegal items such as drugs and weapons on the dark web. The framework sets out specific examples of illicit activities that rely on cryptocurrency exchange:
- Buying and selling illegal things
- Buying and selling tools to commit crimes or to support terrorism
- Ransom, blackmail and extortion (including ransomware)
- Raising funds for criminal and terrorist activity
Cryptocurrency can also be used to hide illicit activities, including money laundering, operating unlicensed exchanges that do not comply with anti-money laundering checks (AML) and tax evasion.
The darknet is placed as the prime facilitator of crypto-enabled illicit activities.
Cryptocurrency Enforcement Framework: Law and regulations
This section of the framework explores the statutory and regulatory framework that can be used to regulate cryptocurrency. The section details the multi-party landscape in the enforcement of cryptocurrency, including the U.S. Treasury Department, the Securities & Exchange Commission, the U.S. Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) and the Internal Revenue Service. The framework also highlights how auditing and compliance can be tricky with so many departments working together.
The section sets out this long list of federal charges that can be brought to bear against the use of cryptocurrencies for illegal activities. This includes “fraud and intrusions in connection with computers.” And the report gives the SamSam ransomware indictment as an example, along with other key use cases. The framework documents also set out an example of the components of a global virtual asset network and how this network operates.
Again, having this level of know-how into the operational aspects of a crypt-enabled illicit activity is a useful tool in a digital forensic investigators kit.
Cryptocurrency Enforcement Framework: Ongoing challenges and future strategies
Whilst the first two sections of the Cryptocurrency Enforcement Framework set the scene in terms of the how and why of cryptocurrency enforcement, the third section is particularly useful for digital forensic investigators.
When analyzing any situation, a deep understanding of the mechanisms that drive and facilitate an illegal activity is vital. This section goes into such detail.
The section covers “business models and activities that may facilitate criminal activity.” This includes the types of exchanges, kiosks and virtual currency from online gaming that can prevent a thorough investigation of illegal activity under the hood of crypto. This section maps activity in these exchanges as well as P2P crypto exchange groups against FinCEN rules. The section also addresses the use of “anonymity enhanced cryptocurrencies” (AEC) as these can be seen as a “high-risk activity that is indicative of possible criminal activity.”
The existence of “mixers” is acknowledged. These entities add a layer of obfuscation to a crypto transaction. Again, this could be part of a criminal event. The section looks at a variety of use cases that use different mechanisms to facilitate continued transaction obfuscation.
Cryptocurrency Enforcement Framework and digital forensic investigations
Several key case studies are outlined in the report. For example, the international operation to dismantle dark web marketplace, AlphaBay. These case studies show the scope and mechanisms that cybercriminals use to ensure a successful outcome of illegal activity. The use of examples as well as setting out the crypto landscape in detail offers the intelligence needed by the digital forensic investigator to help in an investigation.
The in-depth description of how “mixers,” “tumblers” and “peel chains” work is a vital part of an investigator’s toolkit. The report also highlights issues like the exploitation of both human and technical vulnerabilities to hack exchanges and wallets. Several such attacks have been made against exchanges in recent years. By cross researching the areas highlighted in the report, investigators can build up their domain knowledge. Research from industry experts helps support the digital forensic investigator’s core knowledge. For example, past Black Hat security conferences have demonstrated techniques that can be used to hack into crypto exchanges and wallets.
Source: Cryptocurrency Enforcement Framework
The Department of Justice’s Cryptocurrency Enforcement Framework report provides an important resource in the use of cryptocurrency for nefarious operations. It can be used to build up domain knowledge into the mechanics of cryptocurrency, using use case studies of illicit activities and showing the type of opportunities, as well as attack modes afforded by cryptocurrency.
The report should be seen by a digital forensic investigator as a useful guide to keep at hand for any investigation that has a crypto element.
Cryptocurrency Enforcement Framework, Justice.gov
Can cryptocurrencies preserve privacy and comply with regulations? Frontiers in Blockchain
The cost of ransomware report 2020, Emisoft
SamSam ransomware indictment, Justice.gov
Flaws Could Have Exposed Cryptocurrency Exchanges to Hackers, Wired