The administrators of the Wall Street Market had just made off with the Bitcoins of their criminal clientele and were about to disappear when the police arrived. The investigators identified one of the three perpetrators essentially through intensive analysis of the Bitcoin money flows recorded in the blockchain, even though the three perpetrators had laundered the Bitcoins in a so-called mixer.

The arrest of the admins of the world’s second largest darknet market at the end of April is not the first case in which the blockchain played a decisive role: the admin of Germany’s largest darknet forum, “Deutschland im Deep Web”, was also unmasked because the investigators were able to trace the path of payments using the blockchain. In the case of forum admin Alexander U., it was donations that U. allegedly exchanged via a crypto exchange and had credited to his current account.

Digital chain of evidence

According to the investigators, one of the three admins of the “Wall Street Market” gave himself away through carelessness: instead of working with the Tor browser, as is usual in the scene, Tibo L. and Jonathan K. only used a VPN service to log on to the darknet server. L. made the mistake of continuing to work after the VPN connection dropped, so that the IP address of his Internet connection became visible. K. was uncovered by a correlation analysis: investigators found that K. always established a connection to a specific VPN provider when accessing the admin area of the market.

The decisive clue for convicting the third admin, Klaus-Martin F., was found in the blockchain by investigators from the US Postal Inspection Service. The BKA had already discovered that the admin of “Wall Street Market” used the same PGP key as a user of the Hansa Market, which was seized last year. There, F. had given a Bitcoin address for payouts. F. laundered the Bitcoins from this and other addresses of the wallet in a Bitcoin mixer (more about this later), transferred them to a new wallet and used them to pay for an order. But the money laundering was useless: the experts of the US Postal Inspection Service were still able to trace the payment. All the investigators then had to do was request the customer data from the payment service provider in order to uncover F. and arrest him.

Virtual wallets

How complicated such investigations are only becomes clear when one recalls that the blockchain itself knows no wallets. As far as the blockchain is concerned, there are only individual, unconnected addresses to which bitcoins were transferred at some point in the past.

In the past, a Bitcoin Wallet was a database in which the public and private keys of Bitcoin addresses were stored. Often the same address was used permanently for several transactions. If the wallet with the keys was lost, you could no longer access your Bitcoins.

Today, however, the term wallet is mostly used as a synonym for a Hierarchical Deterministic Wallet (HD wallet): here, a so-called seed, which can easily be written down as 12 or 24 words, is used as the basis for generating the first Bitcoin address. For the keys of the next and all further Bitcoin addresses, only a counter applied to this base is increased by one. So you only have to keep the seed and can regenerate the keys of all addresses at any time. An HD wallet is usually the collection of the keys of all Bitcoin addresses created with the same seed.

Since the Bitcoin address is a simplified hash of the key, outsiders cannot determine whether two Bitcoin addresses were created with the same seed, i.e. whether they belong to the same wallet or not. Anonymity is basically maintained. It is the money flows that give the perpetrator away.

Trace search in the mixer

It is precisely when trying to bring money from a darknet marketplace to safety, launder it in a Bitcoin mixer or spend it that the perpetrators leave traces in the blockchain. This is how it works: if you buy about 2 grams of cannabis for 20 euros on the darknet, the marketplace or the drug dealer will give you a Bitcoin address for the transfer. You get a separate Bitcoin address for each purchase, so that the payment can easily be assigned to the purchase and you do not see the payments of other buyers.

But if the merchant sends the Bitcoins to a Bitcoin mixer for laundering, or the darknet marketplace transfers the payments from the latest purchases to the merchant, the individual small amounts are combined into a larger amount: the source of the transaction is the many Bitcoin addresses from the individual purchases; the destination is a single address in the merchant’s wallet or in the Bitcoin mixer.

If the authorities have also made purchases as part of their investigations, they can use this combining transaction to identify the purchases of other customers and, if someone has bought the Bitcoins under their real name from a crypto exchange, to determine their addresses. Incidentally, anyone can verify this for themselves: the “” website automatically evaluates such evidence and assigns addresses that are related to each other to virtual wallets, so that money flows can be easily traced.
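The grouping described above can be sketched as follows. This is an added example, not code from the original article or from the website it mentions; the transaction records and address labels are constructed, and the rule applied (addresses spent together as inputs of one transaction belong to one wallet) is the usual common-input heuristic.

```python
from collections import defaultdict

# Constructed sample transactions (labels are made up, not real chain data).
SAMPLE_TXS = [
    {"txid": "t1", "inputs": ["buyer_a"], "outputs": ["order_1"]},
    {"txid": "t2", "inputs": ["buyer_b"], "outputs": ["order_2"]},
    {"txid": "t3", "inputs": ["police"], "outputs": ["order_3"]},  # test purchase
    # Sweep: the per-order addresses are spent together into one destination.
    {"txid": "t4", "inputs": ["order_1", "order_2", "order_3"], "outputs": ["mixer_in"]},
    {"txid": "t5", "inputs": ["order_8", "order_9"], "outputs": ["elsewhere"]},
]


def cluster_addresses(txs):
    """Union-find over co-spent inputs; returns a list of address sets."""
    parent = {}

    def find(addr):
        parent.setdefault(addr, addr)
        while parent[addr] != addr:
            parent[addr] = parent[parent[addr]]  # path halving
            addr = parent[addr]
        return addr

    for tx in txs:
        roots = [find(a) for a in tx["inputs"]]  # empty for input-less txs
        for other in roots[1:]:
            parent[find(other)] = find(roots[0])
    clusters = defaultdict(set)
    for addr in list(parent):
        clusters[find(addr)].add(addr)
    return list(clusters.values())


def wallet_of(address, txs):
    """The inferred wallet (cluster) that contains `address`."""
    return next((c for c in cluster_addresses(txs) if address in c), {address})


def payers_into(wallet, txs):
    """Input addresses of every payment received by the inferred wallet."""
    senders = set()
    for tx in txs:
        if wallet & set(tx["outputs"]):
            senders.update(tx["inputs"])
    return senders - wallet
```

Starting from the one address the investigators paid (`order_3`), the sweep `t4` links the other order addresses, and their payers follow from the earlier transactions. The heuristic misattributes ownership for collaborative transactions such as CoinJoin, where the inputs belong to different parties.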

Bad mix

The drug dealer believes himself to be safe by using a Bitcoin mixer. The task of the mixer is to disguise the flow of money, which the blockchain makes transparent for everyone. In the simplest case, the mixer uses two different wallets: customers who deposit Bitcoins into the first wallet receive a transfer from the second wallet, while other customers deposit into the second wallet and are paid out from the first. In this way, there is no traceable connection in the blockchain between deposit and withdrawal; theoretically, only the mixer operator could establish the connection. For this, the services charge a fee of usually one to three percent.

At this point, the investigators profit from the greed and mistrust of the criminals: no one voluntarily pays a high fee, especially not on large amounts of money such as those moved by the Wall Street Market admins or busy drug dealers. That is why the amount paid in and the amount paid out by the mixer are almost the same.

In addition, mixer operators are generally suspected of occasionally cheating and not paying out money they have received; after all, they do not have to fear being reported by their criminal clientele. Customers therefore do not want to wait long for the laundered money.

Both play directly into the hands of the investigators: the combined deposit of small amounts at the mixer can easily be traced in the blockchain, including the total amount. Now you only have to search the next one to two dozen blocks for transactions in which a similar amount, a few percent lower, is transferred and which are not related to a deposit from the same period. Of the approximately 50,000 to 100,000 transactions in the blocks in question, only a few qualify.
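The search described above, as an added example that is not part of the original article: the deposit, the transactions and the address labels are constructed, the window of 24 blocks and the fee range of one to three percent are taken from the text, and the payout is assumed to arrive as a single output.

```python
# Constructed sample data (not real chain data); amounts in satoshi.
DEPOSIT = {"height": 1000, "amount": 250_000_000}
MIXER_DEPOSIT_ADDRS = {"mix_in_1", "mix_in_2"}  # known deposit addresses
CHAIN_TXS = [
    {"txid": "a1", "height": 1001, "outputs": [("addr_x", 12_000_000)]},
    {"txid": "a2", "height": 1003, "outputs": [("addr_y", 245_000_000)]},
    {"txid": "a3", "height": 1005, "outputs": [("mix_in_2", 246_000_000)]},
    {"txid": "a4", "height": 1040, "outputs": [("addr_z", 244_000_000)]},
    {"txid": "a5", "height": 1010, "outputs": [("addr_w", 250_000_000)]},
    {"txid": "a6", "height": 999, "outputs": [("addr_v", 245_000_000)]},
    {"txid": "a7", "height": 1012, "outputs": [("addr_u", 243_100_000)]},
]


def find_payout_candidates(deposit, txs, deposit_addrs,
                           window=24, min_fee_bp=100, max_fee_bp=300):
    """Outputs in the next `window` blocks worth the deposit minus 1-3 %.

    Fees are given in basis points so the bounds stay in integer satoshi.
    Outputs to known mixer deposit addresses are skipped, since those are
    other customers paying in, not the mixer paying out.
    """
    low = deposit["amount"] * (10_000 - max_fee_bp) // 10_000
    high = deposit["amount"] * (10_000 - min_fee_bp) // 10_000
    hits = []
    for tx in txs:
        delay = tx["height"] - deposit["height"]
        if not 0 < delay <= window:
            continue  # before the deposit or too long after it
        for addr, value in tx["outputs"]:
            if addr in deposit_addrs or not low <= value <= high:
                continue
            fee_bp = (deposit["amount"] - value) * 10_000 // deposit["amount"]
            hits.append({"txid": tx["txid"], "address": addr,
                         "delay_blocks": delay, "fee_bp": fee_bp})
    # Impatient customers are paid quickly, so rank by delay first.
    return sorted(hits, key=lambda h: (h["delay_blocks"], h["fee_bp"]))
```

On the sample data only `a2` and `a7` remain: `a3` is another deposit, `a4` falls outside the window, `a5` has no fee deducted and `a6` precedes the deposit.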

First the goods, then the police

Afterwards, the suspicious transactions only need to be monitored further in the blockchain. In the case of Wall Street Market admin Klaus-Martin F., the investigators waited until he made an online purchase with the Bitcoins and transferred them to a payment service provider. They then obtained the customer data for the paid order from the payment service provider, and had thus uncovered Klaus-Martin F. The police then came along with the package.

The success in the “Wall Street Market” case gives rise to hopes that the investigators will also be able to catch the burglars who hit the Binance crypto exchange: hacking attacks gave them access to the Hot Wallet, the company’s cash register, so to speak. On 7 May of this year, they stole 7074 Bitcoins worth almost EUR 40 million from the Hot Wallet; due to the rise in the Bitcoin price, the loot is now worth over EUR 50 million. But the crux is exchanging the Bitcoins, whether for other cryptocurrencies, for paper money or for goods. And this is exactly where the Binance burglars face the same challenges as the admins of Wall Street Market. Investigators are just waiting for the perpetrators to provide further evidence or make a tiny mistake.


