Editor’s Note: On August 17, 2022, The Electronic Discovery Reference Model (EDRM) under the leadership of Mary Mack and Kaylee Walstad, hosted HaystackID as we collectively shared an educational webcast developed to highlight the foundational basics of blockchain, cryptocurrencies, and NFTs and to present practical considerations for the investigational process around these transactional technologies.
This session, led by two of the world’s leading cybersecurity, information governance, and legal discovery digital forensics experts, John Wilson and Rene Novoa, and accompanied by eDiscovery luminary Mary Mack of the EDRM, also presented an examination of raw data on blockchain ledgers, shared how to research specific addresses and transactions as part of an investigational process, and considered NFTs from an eDiscovery perspective.
While the entire recorded presentation is available for on-demand viewing, provided for your convenience is a complete transcript of the presentation.
[EDRM Webcast Transcript] Considerations and Challenges for Blockchain, Cryptocurrency and NFT Investigations
+ Mary Mack, CEO and Chief Legal Technology, EDRM
As CEO and Chief Legal Technologist for EDRM, Mary is a leading advocate and innovator in the discipline of eDiscovery. In addition to her industry leadership roles ranging from associations to providers, Mary is an accomplished author and educator, having served as the co-editor of the “Thomson Reuters West Treatise, eDiscovery for Corporate Counsel” for 10 years and the co-author of the book, A Process of Illumination: The Practical Guide to Electronic Discovery. She holds the CISSP among her certifications.
+ John Wilson, ACE, AME, CBE, Chief Information Security Officer and President of Forensics, HaystackID
As Chief Information Security Officer and President of Forensics at HaystackID, John provides consulting and forensic services to help companies address various matters related to electronic discovery and computer forensics including leading forensic investigations, cryptocurrency investigations, and ensuring proper preservation of evidence items and chain of custody.
+ Rene Novoa, Director of Forensics, HaystackID
As Director of Forensics for HaystackID, Rene Novoa has more than 20 years of technology experience conducting data recovery, digital forensics, eDiscovery, and account management and sales activities.
Hello and welcome to the EDRM global webinar channel. My name is Mary Mack. I’m the CEO and Chief Legal Technologist for EDRM, and today’s webinar is an educational collaboration with our wonderful partner, HaystackID. All organized and arranged by Rob Robinson, and the webcast is called “Considerations and Challenges for Blockchain, Cryptocurrency and NFT Investigations”, and we have as our faculty, John Wilson and Rene Novoa, and I’ll be introducing them in just a minute.
We welcome your questions and feedback in the console. The Attachments tab is the little paperclip at the right and it will give you some more information about HaystackID and how to get in touch with John and Rene, and also a link to our next webinar, which is one of our flash webinars ripped from the headlines on the deleted text messages from the Secret Service, DOD, and DHS, with Jason R. Barron and other experts.
And so, at the end of the webinar, at the top of your console, you’ll see a little link and it will give you a certificate of attendance for today’s webinar to use for your continuing ed.
Now our faculty. We are so pleased to welcome John Wilson, Chief Information Security Officer and President of Forensics at HaystackID. Besides consulting and forensic services to help companies address various matters related to regular eDiscovery and computer forensics. He has been doing cryptocurrency investigations since 2013, and ensuring proper preservation of evidence and chain of custody, and all of those matters. And Director of Forensics for HaystackID is Rene Novoa. He’s got more than 20 years of technology experience with data recovery, digital forensics, eDiscovery, and he’s worked with some of the best and most sophisticated organizations (ICAC, HTCIA, and IACIS). He’s well versed in both civil and criminal forensics.
And we’ve got quite an agenda, don’t we, John? We’re going to cover the gamut here from the beginning of what is blockchain, and what kinds of digital assets, and John, why don’t you tell us a little bit about the trip you’re going to take us on through crypto?
Yes, absolutely. So we’re going to first talk about just blockchain in general, what it is and what that means in cryptocurrencies and digital currencies and digital assets, and we’ll run through those things, and what are some of the common uses and how they’re used and misused? Why there’s a need to actually get in to start investigating them and do forensics around them? And then some parting thoughts and comments around, well, if you’re involved in a case, how do you know if digital assets are even in play in a case, or if it’s an issue, and so some guidance around some of that stuff, tips and tricks, things that you can look at to get a little deeper into figuring out what you actually need to know.
Well, that is perfect. So John, what is Blockchain? And let’s just get a little bit of a grounding on it.
Yes, sounds great. Thank you, Mary. So Blockchain, you can think of it as a ledger, like an old-school accounting ledger, and it records all those transactions. The big difference is that ledger is public, so everybody has access to the ledger, everybody can see what transactions have occurred. Now, those transactions are recorded anonymously, or pseudonymously. It’s basically the transactions identified as belonging to a crypto hash, which is the public address that any particular wallet owns, and so that’s all you would see in relation to it, and you’d have to do other things to figure out who owns that. If you can get that figured out, and we’ll talk a lot about that as we get a little further. But really key things to understand is it’s a public ledger. It tracks all the coins in, all the coins out, all the coin movements, and it’s all traceable. You can follow the transactions on most blockchains. There’s some caveats when you start talking about privacy, crypto-coins, that do things a little differently.
Again, it is still a public ledger, but understanding the amounts and the values and stuff like that gets a little different in some of those. And basic public speak, you’re dealing with a public ledger, the transactions are traceable, and they’re immutable. That’s probably one of the key characteristics to understand, is the immutable nature. So as transactions are recorded into the blockchain, they go into blocks, and hence the name blockchain, and then each block has to be verified, and there’s a time mechanism and a crypto-algorithmic mechanism that allows for that to occur, and so the next block builds on all the previous blocks. So if you go back and you were to alter any of the information in any of the transactions in a prior block, it would invalidate the blockchain itself. It would invalidate it because the hashes would no longer match, and then the hash is the key structure for moving from block to block to block as the blocks progress, and so that’s the really key thing to understand when you’re talking about blockchain technology, whether you’re talking about a logistics supply chain, or you’re talking about cryptocurrencies or smart contracts, is it’s an immutable ledger, and if you try to go back and alter anything, it’s going to break.
Now, as I said, there is more than one ledger. Each cryptocurrency, each blockchain is its own ledger. So Bitcoin, Ethereum, Monero, Dash, Shiba, whatever cryptocurrency you want to talk about, or an NFT tokenized blockchain, many of them are built on Ethereum, but each blockchain has its own ledger, and that ledger is distinct and separate from any other ledgers. If we’re talking about the Bitcoin blockchain, you would never see an Ethereum transaction in a Bitcoin Blockchain. Somebody might take Bitcoin through an exchange and convert it to Ethereum, but there would be entries of that Bitcoin being exchanged to someone else who’s then providing the cash value for those Bitcoins, and then, in turn, taking that cash value and purchasing Ethereum, so they show up independently on their separate blockchains.
Hey, John, I think one thing to also mention is that it is decentralized. There is no one centralized location where all this is stored. It is distributed as a distributed network so that everyone on the network has a piece of the Blockchain, so it cannot be controlled by one entity or not.
Yes, great point, and very valid. That’s why you’ll hear people talk about a 51% attack. If somebody can take over and control over 51% of the network, that’s how they can start writing code that could potentially change a blockchain. It’s very difficult. When you start talking about Bitcoin, there are literally millions of nodes that are running the Bitcoin software and participating in the Bitcoin network, and they would have to take over a very large percentage of those. The same thing with Ethereum or any of the other blockchains. Where that concept can get a little more interesting is when you start talking about private ledgers where financial institutions, for instance, that have a global presence, might have their own private blockchain to move money or assets from their US entity to their EU entity, to their APAC entity, those kinds of things, and so it’s a much quicker mechanism than going through the SWIFT Transfer Network to actually effectuate those transfers, and those are private blockchains. So they’re not a public ledger, they are private that you have to have access and authentication in order to actually gain access to even see the network, let alone actually run a node or participate in the network and those sorts of things. So a lot of significantly complicated concepts, but we’ll delve deeper as we go further into this.
The last parting thing here is it’s not just for managing assets. The blockchain, it does logistics, so one of the great stories is a logistics chain involving a poultry producer, and through a private blockchain that they run, they can actually check where an egg is delivered from, then where it gets boxed, where it gets shipped out to a store, where it goes into the store, what store location it actually gets delivered to, and all the way down to when you check out at the grocery store at the checkout counter to know that you are the purchaser of those eggs, so that then when a salmonella incident occurs, or some other contamination incident, recall incident occurs, they can actually track it all the way back to, hey, here are the four hens that laid the eggs that were in this carton. It’s really amazing, but certainly it’s not tracking an asset like a cryptocurrency or physical assets or whatever, whereas the smart contracts, they’re also not a digital asset, but they’re a digital asset representation of physical assets sometimes, such as there are some places that are using it for titles to track property and titles, and those titles can be moved in a much quicker and much more traceable fashion. You can very clearly see the titles owned by person X, financed by person Y. Okay, the financing was paid off into that smart contract, and now the title is owned free and clear by that individual, and now they want to title transfer to the next individual and the next individual, the next individual. It’s really intriguing stuff.
But John, the blockchain and the technology is based on protocols and rules. So no matter how it’s used, why it’s trusted is because those rules and those conditions are very set. It only can be added to. It cannot be manipulated, it cannot be deleted, or subtracted. It’s just grown from one chain to a chain. That would be safe to say, in this case, correct, on anything that we’re tracking, whether you’ve covered smart contracts, NFTs, or crypto, this whole focus is definitely on monetary value of what people think about it. But in your example of the egg and tracking, it really is that the trust that that egg made to this individual for the salmonella, is because those protocols and rules are undeniable, and they’re trusted. So the technology is trusted. So however this technology is used, you can feel secure in the end result.
Yes, absolutely correct, and actually a great statement. The whole premise behind blockchain and the reason blockchain works is it’s based on the principle of trust, and you have to have trust in the network, and even in the value. So Bitcoin, the only reason Bitcoin has value is because people have trust in it, and they’re willing to exchange in it, and they’re willing to use it, and that sets the value. If people’s trust gets eroded, if they think somebody’s figured out a way to break the network, or they think somebody has gained access to it, then that trust will go down, the value would go down correspondingly, and that’s why most of the cryptocurrencies built on blockchain that you see in the marketplace are very volatile. They have very large movements in their values sometimes. It’s not uncommon to see a five, seven, eight, 10% swing in a value in a day, and sometimes there’s a stablecoin or Tether that was tethered to the US dollar that dropped from being worth the US dollar down to 10 cents overnight, and it’s—
It’s actually down two cents as of yesterday, because I did look up Tether USD. So it’s down to two cents for what was worth $1 recently.
Yes, exactly, and so it had that huge drop overnight, and then it’s continued to erode because, again, that main statement, the trust was broken. So once that trust is broken, then the whole key element of a whole of blockchain is having that trust in the network, having that trust, and so we’ll talk about the different types of digital assets to give you an idea of what’s out there. We’ve talked about a good bit of this already, but you have virtual currencies, cryptocurrencies, NFTs (non-fungible tokens). NFTs have really taken off in popularity and have become a huge investment marketplace in the last say 12 months to two years. Really, it’s taken off in the last 12 months or so. But NFTs, most are built on the Ethereum network. Not all. There are multiple networks that have the ability to build NFTs, but NFTs are basically taking a digital something, tying it to the blockchain through a smart contract, or the coding, and then being able to assign ownership and track that ownership within the blockchain, for those non-fungible tokens. It’s a really intriguing concept. You’ve got crazy things that happen in the NFT market. Some artists are making more money in single transactions than they’ve made in their entire career as a physical artist, versus being into the digital realm, and then there’s a bunch of challenges, and we’ll start talking about all that as well.
And then similar to virtual currency, or cryptocurrency, you have stablecoins. Those are also cryptocurrencies. The key thing with a cryptocurrency is, again, it’s tied to using that encryption algorithm to balance it against that network, but stablecoins have been pegged or backed by some other real asset, whether that’s US dollars, euros, gold, or whatever other real asset you want to have it pegged to, and so then that’s somebody going beyond the trust of the network to say, so we have the trust of the network, and not only that, I have the goal to say that these coins are going to be worth $1 each in perpetuity, they’re always going to be worth $1 each in US dollars, or in gold, or in euros or whatever currency it’s pegged to.
It’s still a promise to pay or a promise to have that maintain that value.
Right. So they’re trying to have the fiat backing concept. Fiat currency is your paper currencies, your governmental currencies that are run by your country or your government, and your government says that, hey, our currency is backed by the good faith of the country, or it’s backed by gold deposits, or it’s backed by silver deposits, or whatever it may be, and so it’s trying to extend that concept into the cryptocurrencies, which can be really interesting, and as we were talking about Terra, Terra was supposed to be a stablecoin pegged to the US dollar. That trust was broken. They didn’t have enough currency to actually back it at that pegged $1 value, and hence the currency value now is two cents.
Yes, I think they unpegged it to try to change the backing is where the trust broke down. If you don’t mind, John, do you mind if I go back to one thing?
Yes, no, absolutely.
I just want to make sure we touch on the virtual currency versus the cryptocurrency. With the virtual currency, a lot of that may not be in a public ledger. So when we talk about currency, make sure that you understand between the virtual and the crypto. Virtual currency, an example would be like, if anybody has teenaged kids who’ve asked for V-Bucks, $20 will get you 1400 V-Bucks. There is a value to buy other instances, to have their characters to look however they’re going to look, John Wick or whatever my kid is asking me for, but as controlled by developers of what you’re purchasing real money for fake virtual currency, and there may not be a public ledger. There is not a transactional feature to it, like you have in cryptocurrency. But virtual currency, as a very generic term, you find that in Xbox and digital gaming, where $20 may be worth a lot more within that world, or within that marketplace.
So, depending on the cases that you work on, if you’re talking about virtual currency, the value may not be one-to-one or may not scale up and down. It’ll be dependent on the developers, or crypto. There is public ledgers. There is trust. There is all the things that John has mentioned that correlate with the NFTs, stablecoins, and as we get into digital coupons and vouchers, that trust that many supermarkets have to make sure that’s 15% off compared to 90% off, that they’re not messing with the technology there.
So, I wanted to cover the youth part of the video game world that I see from the virtual currency that, really, I have a challenge with.
And just one last comment is virtual currencies are not necessarily blockchain. Cryptocurrencies are blockchain-based, so a good distinction there, and thank you, Rene.
Then we start talking about digital coupons. So, you have places like Burger King that runs a blockchain so that they can distribute coupons, know that those coupons are authentic, if they’re actually providing a – “Hey, here’s a free Whopper because you did this thing”, whatever that thing is, whether it’s you bought 20 Whoppers or you filled out a survey or did whatever particular thing entitles you to that coupon – that there’s only one of those coupons. And that one coupon was issued to you and only you can redeem it, or only one person can redeem it, depending again on the contractual controls put around that couponing system.
But that’s a whole nother area of blockchain that most people don’t know about, and it’s very intriguing as to helping an organization establish and maintain the value of the discounts it offers, and prevent it from being abused or watered down, and those sorts of things.
And then the last thing is smart contracts. And smart contracts are really interesting. You can think of it kind of like – in a simple frame, you can think of it kind of like a vending machine. So, you walk up to a vending machine, you put your four quarters in, that meets the criteria. It provides the $1 value that you have to put into the machine to allow you to select the button to get the item at a particular slot. And so, you put in your four coins, you say, “Hey, I want the candy bar on B3”, and I push the B3 button and the machine says, “Okay, yes, I’ve got the coins, I now know what you’ve asked for, I’m going to deliver it, I’m going to spin the coil, I’m going to deliver B3 and I’m going to drop it down into the bucket and you can reach in and grab it”.
Smart contracts are, at a very simple level, exactly that. You have to have that value input, you have to meet the requirements of the input, which is achieving a certain amount of value or providing a certain piece of information. That, in turn, triggers the contract to run and the contract does whatever it says, whether it’s as simple as “Hey, I’m going to just output X, whatever X is, because that’s what you put the value in for”, or it’s going to – they can be substantially more complicated, but it’s all back to that same programmatic value.
And the key thing to understand around smart contracts is once that value criteria is met, once you’ve done whatever triggers the contract, it automatically runs. There’s no way to stop it. That blockchain is coded and programmed to execute once you achieve A, B is automatically going to happen. There’s not a way to stop that from happening outside of stopping the blockchain or breaking the blockchain itself.
But John, that’s why there has to be verification, correct? Because when you put those coins in, they need to be US coins or whatever coins the machine takes. You can’t put foreign money because it’s not been verified, and then it won’t be verified on the blockchain.
So, even if you’re saying coins, it’s very specific on the coins, and it makes sure that it’s verified to have that value to then move on to the next step. So, just because you feed it coins, it needs to be the right coins, it needs to be the right characteristics to then be verified that it truly is $1, not just because I put in – since we’re in the US – four Canadian quarters or different distinctions of money, that it’s not a penny, it is actually a quarter that represents a dollar to then be verified through the technology withinside the vending machine to then go onto the stage to complete the contract.
Yes, that’s exactly correct. So, I give the simple example of the vending machine, but in reality, the vending machine is actually doing quite a bit. It’s a lot more complicated than it sounds. Because you’re putting in the coin and it’s evaluating, “Okay, what coin is this? Okay, so this is a quarter, and then wait, now you put in a nickel, and so that’s a nickel”, and it has to validate that that coin matches the characteristics for that particular coin and that you’ve achieved whatever value or inputs are required.
Again, smart contracts can get extremely complicated and sophisticated. They can do a lot of things. One contract could kick off 30 other actions that are going to be tracked on that blockchain. It’s not a simple thing.
So, John, this auto-executing once you meet the criteria and you fund it, there’s got to be some mechanisms for making sure that the entity or the individuals that are kicking off a process have agency and control over – and appropriate control over – the downstream effects if it can’t be stopped.
Again, smart contracts are only as good as the programming that creates them. It’s a big topic of discussion is what if a programmer programs a flaw into the smart contract. And there have been tests and examples of exploiting those flaws and making a smart contract trigger because you’re meeting the criteria through the exploit versus the programming. So, it is sufficiently complicated. You have to be able to actually dive into understanding – I would recommend if you’re trying to do something through smart contracts, make sure that you have a validated contract, you’ve tested against all the edge and fringe cases, and validated that it can’t be exploited and have somebody, all of a sudden, a car title transferred to them even though they haven’t paid the amount of money or aren’t able to actually purchase the car. Say, an eight-year-old managed to get on a blockchain and purportedly pay the money, again, a lot of sophistication in smart contracts and they’re only as good as the programmer that’s created them. So, you have to ensure – as the organization that’s launching that smart contract – that you’ve done your due diligence to ensure that your contract’s only going to execute when you actually intend it to execute.
And one other example of smart contracts, when we get more into NFTs is that the NFTs is a form of a smart contract because something had to happen with whatever the digital artifact is, and it’s tracked back to an individual user or to an address. So, there are different types of the vending machine as far as NFTs, as what is considered a smart contract because something had to have happened, something had to be created, and had to be assigned to an address or to an individual.
Do you want to move forward to the uses of digital assets, John?
Yes, so now we’re going to talk about why we start having this interest in it, and why you might need to actually get into investigations, and what fraud may occur.
Digital assets are used in many ways, in many ways that are very legitimate, valid reasons to be using them. And there’s a lot of activity that’s not so valid. Again, the blockchain is just a ledger and it’s just tracking what’s occurring. So, people have… different industries have started to adopt it, so you do have a lot of criminal activity, a lot of the early cryptocurrency interest/activity was driven by the dark market, by the dark web where people were “Hey, I’m going to go buy these drugs or do whatever illicit thing I want to do and pay for it. I’m buying credit card information or whatever in the dark market”. And the dark market entities were taking the cryptocurrencies as a means to exchange money without having to raise to the level of bank involvement and currency involvement.
That’s changed. It’s continued to grow because there is a lot of bank and investigatory authority involvement in a lot of the blockchains now. But go ahead, Rene.
No, I’m just saying the main reason for the criminal aspect was the decentralization of the coins and the digital assets. It could not be stopped. They could not freeze the money transfer, the exchange of money for goods or digital assets for goods.
And again, trust is very, very big in this. If you’re going to give somebody Bitcoin or whatever coins of digital assets, the expectation was to receive. Unfortunately, in the criminal aspects, either guns or drugs or whatever illicit form of credit card information, there still had to be the trust that followed using this technology to avoid detection because you’re hiding behind a digital address (your actual address) that’s linked to you, but it’s very untraceable, and very hard to trace in many cases. But that’s a great way to launder money, to move large amounts of cash into other areas, into other countries, or into other forms of currency.
But as the marketplaces – like Silk Road was very popular, that brought a lot of attention on how digital assets could be used. We have to understand that because it’s decentralized, it was very hard to track these individuals and it required a lot of time and energy just to figure out where this money was going.
If it’s public, but it’s hard to trace the entities that are using it, what’s the impact of the sanctions on that Tornado Cash program that scrambles the account information in being sanctioned?
If you’ll give us a few minutes, we’ll tackle that Tornado Cash concept. Let’s talk about the parties involved first.
Again, just to kind of build on what Rene was talking about, again, it’s a decentralized public ledger but it is, in most instances, pseudonymous. Pseudonymous means that, basically, you have the crypto key, that’s their public address, and that’s the only thing you have. You don’t know who owns that or who has that.
Now, as you start getting into more current environments, a lot of the exchanges, any of the US-based or any of the exchanges that perform transactions in the US are required to do what’s called KYC (Know Your Customer). So, they do actually have to get a social security number and validate the identity of the individual, and they do have some tracking. But that’s not all exchanges.
Some exchanges are run solely out of places that are less reputable, less regulated, and have no controls around that. So, there are still exchanges where people can go and buy coins, and keep that pseudonymity without giving up their personal identification to the exchange that they’re buying through.
That covers the criminal gambit. Now, we start talking about why would a business actually want to deal with cryptocurrency. So, you have a lot of businesses like a Subway or something where you can actually go buy your subs with Bitcoin. They’ve realized that there’s a lot of people that have Bitcoin and they want to participate in that. They made a business decision. It’s a valid business case, it allows for much more instant settling. They actually get the Bitcoins in 10 minutes to a half-hour typically when you have a transaction occur on the blockchain versus a credit card settlement that might take them 72 hours to actually receive the funds. So, there’s valid reasons.
Tesla was taking Bitcoin for a while. They stopped taking it. They started taking it. I’m not sure where they’re actually at today. And there’s a bunch of other companies. You can buy Microsoft software with Bitcoin.
I think even Burger King – was rewarding customers by using the digital coupons – were giving out Bitcoin as rewards. I think they had 2 million dogecoins and most people were getting at least one or two dogecoins per transaction if they used the app. So, it was also a reward to help try to get more people involved. But it’s the technology of trust and the ideas of being able to have those exchanges to keep this alive.
I think it was last year, they had so many coins that they were giving out from Bitcoin to Ethereum and to dogecoin and, obviously, the majority of it was doge, because it was very cheap and they were able to spread it out. And depending on the usage, you may be rewarded in the same way that people were rewarded with coins through mining – which we’ll get into – it was acting almost like its own… the whole gambit of the cryptocurrency in the blockchain process.
So, then you start talking about now we can recognize and see that an entity might want to take cryptocurrency, because it’s a large marketplace, especially in the younger demographics. So, it’s readily available, and so they want to participate in that network.
Now, you also have businesses that are buying cryptocurrency to have a stockpile in the event – as part of their incident response in ransomware management. Those entities might be buying some Bitcoin or some Ethereum or whatever to have as a hedge in the event that they have an event occur, and they need to pay a ransom, they now have that currency available.
Or then you also have “Hey, Company X buys Company Y. Company Y has cryptocurrency, whether it was through industry, through purchases, transactional level cryptocurrency involvement, or if it was in a hedge fund or whatever”. So, now, Company X now has Bitcoin, and so how do they deal with that? It’s substantial value, and it has a valuation. Certainly, it fluctuates, but there is a valuation to it. And so, businesses can certainly wind up owning a bunch of cryptocurrency in that regard.
So, you certainly can’t stop industry from using it. And now, we’ll start talking about the geographic issues around it. So, you have places like China that restricts people from purchasing certain cryptocurrencies. They want to control and know what cryptocurrencies people are using. So, they restrict the ability to purchase or conduct transactions, so they actually just block the network, so the networks can’t run within the country’s internet infrastructure.
Now, of course, people can bypass that, going into VPNs and other stuff, so that isn’t an absolute answer. If you’re running into a geographic issue with internet investigation, there are ways people can accomplish things.
And then you have your investors and your day traders. This is where it gets really interesting and sticky from an investigation standpoint because a lot of people are going out and they have a Robinhood account, and they’re purchasing a bunch of Bitcoin, and a bunch of Ethereum through Robinhood. They’re not actually logged or tracked on the blockchain. Robinhood is actually buying those Bitcoin, and it’s in a wallet that’s controlled or owned by Robinhood. Robinhood has an internal trading ledger where they say, “Hey, this customer owns XYZ of X Bitcoins or X Ethereum or whatever”, and so that’s how they track and know how much Bitcoin you actually own. That individual purchasing it there is not actually registered on the blockchain.
And so, really important to understand the differentiation between somebody that’s bought through a trading investment firm-type exchange, versus a Coinbase or a Binance or someone that is an actual true blockchain ownership exchange.
With those exchanges like Robinhood, you’re able to instantly be able to turn that into cash and into your account, which is now regulated that banks can see, you can be taxed on that, correct?
So, that’s one of the big differences when we go to cash out, because you don’t own the actual blockchain, Robinhood is actually then rewarding you with whatever you sell within their exchange, because you do not own part of the blockchain. You have a piece of what they own, and they are then rewarding you into your bank accounts.
So, the distinction of you going to Coinbase or whatnot, when you go to cash out, then there are more challenges that it’s not so easy that does require a few extra steps. As opposed to Robinhood, let’s just sell, it goes into my account, I now have X amount of dollars.
Would you disagree or agree with that?
No, I agree. So, I’m going to address a couple of questions real quick. We have some audience questions.
The first one is how do you tell – how you’re telling a cryptocurrency is a cryptocurrency, is what I think the question is.
And again, that’s through the investigative process. If somebody is saying they bought V-Bucks or whatever it is, you’ve got to go out, do the research, determine where that currency came from, what the marketplace is in order to determine if it’s a cryptocurrency or not.
The next question is “Do all exchanges maintain the KYC?”
It is not mandatory in all foreign countries. There are some countries, other countries like the UK, generally, the EU that do have rules and regulations around it, and maintain some form of KYC requirements for exchanges that operate in those countries. But it is not a requirement in all countries, and that’s a key thing to know because it’s really important if you figure out that the currency went through Coinbase, you know that you can go out and you can do a subpoena to Coinbase for the information. The ownership of a particular address versus if it was through some other foreign exchange, you may not be able to get that information.
So, how do you identify the Robinhood transaction in the blockchain?
Again, it’s pseudonymous, so you would have to take that public address in the blockchain and do the research. There are tools that we use that maintain some levels of attribution. It would say, “Yes, this particular public wallet is a hot wallet at Robinhood or it’s a cold storage at Robinhood”, those sorts of things. But again, not a guarantee that that information will be there. You have to do that research and do that legwork. And we’ll get into that, that’s kind of where we’re headed.
So, we’ve kind of gone through this slide already, talking about a lot of the use cases for blockchain and how it’s used. You’ve got micropayments, and larger payments, and decentralized finance (DeFi). Again, there are a lot of legitimate uses. There’s also a lot of non-legitimate uses. You’ve got to be able to try to understand when you’re faced with an investigation, figuring out was this a legitimate use or an illegitimate use, is probably a key starting point and is going to help provide various amounts of information. If it’s a legitimate use and legitimate cause, you may not have success getting a subpoena to go out to Coinbase and get KYC information for an address versus illegitimate use, it’s much easier to go out and say, “Hey, I need to know who used this address”.
So, cryptocurrency, again, we did talk about it is very volatile. Currently, it’s at about 1.15 trillion globally with over 20,000 different cryptocurrencies trading on the various platforms out in the marketplace. And this is just public cryptocurrencies. There are private – again, we talked about having private blockchains where a financial institution or logistics chains and stuff like that, those are not accounted for here. But what’s really important to understand is six months ago, that was 2 trillion. So, there’s been a significant attrition over the last few months, as the global economy has gone into decline. There’s been a significant attrition in the value of the cryptocurrencies in the marketplace.
Is that why you see three and our as stablecoins, John, because they’re able to maintain their value slightly?
The reason that Tether and USD Coin are really high on the list is because that’s the currencies that financial institutions are putting into their trading portfolios, into their investment portfolios because those are more stable, they’re not as volatile. And so, that’s why they’re purchasing those.
Bitcoin was the first. Everything around blockchain and cryptocurrency started as the Satoshi Nakamoto paper. And most everybody knows that Bitcoin was the first, and it is by far the largest and highest trust cryptocurrency in the marketplace. Ethereum, certainly giving it a run for its money. But you can see it’s still only 50% of the Bitcoin marketplace.
I thought it was an interesting fact to have the stablecoins so high as the trusted. They’re not all created equal. When we talk about Terra, it’s down to 2c that we mentioned before. So, something to keep an eye on.
We already kind of talked about – and again, I like to keep this pretty conversational and not reading from slides, but there’s a lot of entities, a lot of legitimate businesses that are using cryptocurrencies. And you can see some of those logos here just to give you a quick sense of large Fortune 100 companies that are involved in the blockchain usage.
At least the technology, I think, we talked about in all those companies, not only for purchasing but actually for tracking and logistics that even though they are very popular, we may not be able to buy Starbucks with cryptocurrency. But I think it’s very interesting to a lot of those large corporations on the technology of trust and ownership.
Yes, correct. And so, then we talked about the non-fungible tokens being – really, that’s one of the growing areas. A lot of people have taken interest and think that they’re a great investment and they’re buying them. And you can see that 2021, there was 22 billion in that marketplace. 2022 is certainly going to be higher. And you have a lot of big brands. You have Gucci making purses that are digital-only and you can buy them only as an NFT, which is insane, but it is what it is, and people are buying it. So, there are some people that think it has value.
What’s the challenges there, John? If I took a picture of Gucci and created my own NFT because I took a picture of my own Gucci purse or wallet and I’m saying that I own that piece of digital art now that I’ve created off a picture, or my own Gucci purse, or bag, or sunglasses, or whatnot. There are some challenges to that, because now I actually own it on the blockchain and I am able to sell it as an NFT, but do I really have that ownership?
There’s a huge legal marketplace that’s going to come up around that I think. You’ve got a really interesting well known example which is the movie Pulp Fiction. Quentin Tarantino directed. He provided a series of NFT tokens that were stills from the film on the blockchain as NFTs and sold them, and they did very well. A lot of people bought them, and they trade them, and their value has gone up very substantially. And the studio has now gone back and said, “Hey, we own the rights to the film, therefore, we own the rights to those photos from that film that you’ve put on the blockchain. You don’t actually have ownership”. And that’s still being fought in court. So, it will be interesting to see where that lands.
Because currently, if I have an NFT marketplace that’s willing to accept whatever I put up there and has no validation around it, I can take a picture of a Gucci purse and put it up there and say that that’s my NFT that I’m selling. It will get assigned a value, and it may be nothing or it may sell well if people think it’s unique enough.
So, what you’re saying is I can have my own Gucci marketplace that I could then sell NFTs, as long as it’s accepted. They may not all be accepted, and that’s the challenge as to whether those marketplaces are legitimate or not.
Right, and the challenges of trademark and copyright and all of that are certainly going to come and probably come fast and furious. But it’s really intriguing stuff to see where that’s going to go and how it’s going to go.
Again, it’s built on blockchain, similar concepts, you have to be able to go look at that public ledger and follow the ownership of an item, see who has it. And now, they’re talking about uses of the items and being able to say, “Hey, I own it, but other people can use it”. There’s this open licensing model that people are talking about. There’s a lot of interesting things going on with NFTs. It’s a very, very young market.
Cryptocurrencies are still very young. They’re still in their infancy. NFTs are seedlings, they’re not even in infancy yet.
As we are starting to wind down, I want to get into the investigative stuff. We did talk about the stablecoins. Stablecoins are typically backed by some sort of physical asset or fiat currency. We talked a lot about that already. Certainly, if you have questions around that, feel free to reach out and we’re happy to answer them.
Similarly, we went pretty deep into the smart contracts already. We talked about – basically, a smart contract is programming, it’s written to sit on top of a blockchain, and gets transacted on the blockchain. The contracts execute, the code executes based off of a block being approved and validated, et cetera.
And again, we mentioned it, NFTs are an example of smart contracts as well.
That’s correct. So, why would you actually start getting into an investigation of a Blockchain or a crypto investigation? And what would be the drivers?
So, insurance claims. “Hey, I was ransomwared, I paid a ransom of 500,000 in Bitcoin or 500,000 U.S. dollar equivalency in Bitcoin”, and they’re wanting to be reimbursed for that through the insurance company. Cyber losses. Businesses go bankrupt and the CFO decides that – he may think that nobody knows about the Bitcoin that the company had because they just had this little hedge and it’s not on any of their balance sheets, it’s not really tracked anywhere, so he goes and transfers it to himself.
We had an actual case of that that we worked on where it was an insolvency, the company went bankrupt, the company acquired another company, that company owns some Bitcoin, it was in the ledger, and then the company went bankrupt. And the CFO said, “Oh, well, nobody knows that there’s $700,000 worth of Bitcoin sitting here, so let me just put that into my hot wallet and move that currency around, and spend it on my own accord”. We did eventually track it down and figure out that that’s what had occurred.
You also have cases where a decedent passes away, owns a bunch of cryptocurrency. You may need help getting into those wallets and actually tracking what cryptocurrencies that individual owned, if they didn’t maintain a good ledger, share good information with their family about that. That’s another type of case that we are frequently working on.
And also, valuations. The company says, “I have Bitcoin”, and you’re acquiring the company and that currency today is valued at 200,000 US dollars, and then you close the following Friday and Bitcoin’s taken a big dip, and all of a sudden, your Bitcoin is only worth $150,000. There could be a valuation issue, and so you’ve got to be able to determine the dates and transfers. It gets a lot more complicated.
And then, obviously, the criminal activity, the fraud and the corruption. It’s a common vehicle for laundering money. We talked about Tornado Cash, people used Tornado Cash so they would steal some Bitcoin or acquire Bitcoin through nefarious channels. They want to be able to legitimize it and spend it, so they put it through Tornado Cash to wash the currency. That’s called a tumbler or a spinner.
And tumblers are generally considered illegal by the US Government and some other governments. And generally, their primary purpose is to obfuscate the source and origin of the currency, which is pretty much the definition of money laundering.
It does get pretty interesting when they are able to tumble or tornado from one currency to another, not only tumble it but also convert it from Bitcoin to Ethereum and then back to Bitcoin, tumbling each time, which makes it even excessively harder to track, and becomes a bigger investigation as they try to obfuscate our investigation or our ways to track that money.
Yes, and especially as they start moving into taking that currency through a tumbler multiple times and possibly involving privacy coins.
Privacy coins are much harder, by design, to track the transactions, because they automatically, by the nature of them, do seeding and things to prevent the ability – if I put a dollar in, it doesn’t come out on the other side as a dollar to the person that I’m trying to send a dollar to. They might get five transactions that total a dollar, and so being able to put all that back together becomes much more complicated.
Trying to get us wrapped up here. I know we’re down to the last few minutes. A few key terms to understand.
Wallets. You have hardware wallets, software wallets, and you also need to understand a cold wallet versus a hot wallet. A hot wallet is generally connected, it’s on the internet and can be transacted with readily, the keys are available.
Coinbase is an example of some of those other transactional places.
And so, then you also have cold wallets. Cold wallets is more like the paper wallet or cold storage where they don’t keep it online, it’s not accessible until I plug it back in. There’s no way to authenticate a transaction with that cold wallet without it being moved online.
Understanding the public address, the private key. The private key is what authenticates somebody to be able to spend the currency in a cryptocurrency. Basically, if you have the private key for a cryptocurrency address, you own that cryptocurrency, you can do whatever you want with it.
So, if Rene wrote is private key down and left it on his desk, I can then go move his currency, spend it, do whatever I want. Again, once it’s moved, it’s moved. It’s in the permanent blockchain ledger.
Decentralized, there’s no way to come back. There’s no insurance. There’s no refund or money back. It’s all out there. So, you’ve really got to take control and have security, especially take those risks with the hot wallets that are easily attacked online by passwords and email addresses and credentials.
The exchanges. We already talked about the exchanges like an investment trader exchange maintains its own private ledger of the currency values. Only their wallets show up on the blockchain.
We already talked about the privacy coins and the reasons that’s important, and the keys.
The last key topic here is mining. Mining is the process of solving the formula for the next block. So, all of the transactions get put into a block, they get published out to the network, to the nodes of the network, and then the nodes then process it and try to solve for the hash. The hash is basically the information in that block, plus the hash of the last block. And so, it takes all of that information and creates a new hash. And you have to solve for the correct hash. There’s a mathematical formula to it, and it has a certain amount of complexity required. There’s a certain amount of compute power, and that’s what creates new Bitcoin or new currency on the blockchain, as well as the transaction fees related to all the transactions in that block.
if it’s trying to be cheated, if you try to cut the system, it won’t be verified. It will be a lot of wasted time, and energy, and computing power, because it will not be verified, so it will not be accepted. That’s why the trust is very, very important and the technology is very important, that everyone is trusted and it moves forward because that’s the only way you’re going to be rewarded with fees and for the next block.
And so, the last screen I wanted to show here is some example of RegEx searches, so if you have an investigation or you have a case and you think there might be Bitcoin or cryptocurrencies involved, here’s some great RegExes. You can search that data, see if there’s cryptocurrency evidence within that data. You start having hits on that, you likely need to start thinking about doing an investigation, probably engaging with some professionals that know how to do it or if you have your own internal team that can do that, then great. But these will be attached in the slide, a great resource for getting started.
There are a few questions. We’ll try to post answers to the questions. I know we’re just about out of time. So, let’s see if I can look at them really quickly here.
Let’s do a lightning round. So, yes or no, “Can a crypto wallet be cloned?”
No, though there are ways to restore it to a new device, so it wouldn’t technically be a clone. You can’t have two wallets exactly the same at the same time.
You would have to have the safe phrase to even restore it, and that’s very long.
Okay, but one at a time. And then another one is about transparency and privacy. “Can a third party track an NFT on the blockchain with the smart contract terms, or is it only the parties to the transaction that could do that kind of tracking?”
So, again the blockchains are a public ledger. You can track it. A smart contract, the terms, and the processes, the programming is compiled, so it’s not easily readable, but if you have somebody sufficiently skilled, you can understand what a contract does.
Very good. And then “Are there tools to help you identify a particular crypto used in a crime or would you go back to the RegEx?”
So, there are tools. We do use tools to trace wallets and stuff. We use things like CipherTrace and Chainalysis are a couple of the big popular ones. Maltego is another one. It’s open source, but much harder to use and you have to build your own attribution and stuff like that. So, there are tools. The tools are available to help assist with those investigations. They’re very pricey and very sophisticated, so it requires a pretty good amount of learning and knowledge to utilize the tools as well.
And this may be the same question. When you look at somebody’s address – let’s say they put it on their Twitter handle with a .eth on it or something like that – are there tools to search for transactions with that particular account?
Yes, there are. Again, those same tools. There are also open source tools. You can go to blockchain.org and do a trace of Bitcoins or Ethereum. There are several public ledger parsing tools, so you can put in a wallet, that address, and actually see current value, all the transactions they’ve been involved in, and things of that nature.
Perfect. So, I see your contact slide here, John and Rene. Because we are at time now, so we thank both of you, our wonderful partner, HaystackID, with a shout out to the great Rob Robinson for sharing your expertise with us. This is an emerging topic and it’s clearly top of mind for many, many of us.
So, look at the Attachments tab for more information on HaystackID and how to get in touch with John and Rene and the team and above the webinar window, a link will be there for you for a download for your certificate of attendance.
We thank all of you for your kind attention and great questions, and tune in next time on the EDRM Global webinar channel.
Empowering the global leaders of e-discovery, the Electronic Discovery Reference Model (EDRM) creates practical global resources to improve e-discovery, privacy, security, and information governance. Since 2005, EDRM has delivered leadership, standards, tools, guides, and test datasets to strengthen best practices throughout the world. EDRM has an international presence in 136 countries, spanning 6 continents. EDRM provides an innovative support infrastructure for individuals, law firms, corporations, and government organizations seeking to improve the practice and provision of data and legal discovery with 19 active projects. Learn more today at EDRM.net.