2018-46528652

Regional Organized Crime Information Center

Special Research Report

Bitcoin and Cryptocurrencies

Law Enforcement Investigative Guide

Ref # 8091-4ee9-ae43-3d3759fc46fb
 2018-46528652

Regional Organized Crime Information Center

Special Research Report

Bitcoin and Cryptocurrencies

Law Enforcement Investigative Guide

E
verybody’s heard about Bitcoin by now. How the value of this new
virtual currency wildly swings with the latest industry news or even
rumors. Criminals use Bitcoin for money laundering and other
nefarious activities because they think it can’t be traced and can be used with
anonymity. How speculators are making millions dealing in this trend or fad
that seems more like fanciful digital technology than real paper money or
currency. Some critics call Bitcoin a scam in and of itself, a new high-tech
vehicle for bilking the masses.
But what are the facts? What exactly is Bitcoin and how is it regulated? How
can criminal investigators track its usage and use transactions as evidence of
money laundering or other financial crimes? Is Bitcoin itself fraudulent?

Ref # 8091-4ee9-ae43-3d3759fc46fb
 2018-46528652

Bitcoin Basics

Law Enforcement Needs to Know About Cryptocurrencies

L aw enforcement will need to gain at least a basic

understanding of cyptocurrencies because
criminals are using cryptocurrencies to launder money
Bitcoins was determined by its creator (a person
or entity known only as Satoshi Nakamoto) and
is controlled by its inherent formula or algorithm.
and make transactions contrary to law, many of them The total possible number of Bitcoins is 21 million,
believing that cryptocurrencies cannot be tracked or estimated to be reached in the year 2140. There are now
traced. Fortunately, however, this belief is not true. about 16.8 million Bitcoins in existence. However, one
Bitcoin and other cryptocurrencies can be traced, Bitcoin (whose value in dollars varies significantly with
detected, and tracked. time based on buyers vs. sellers) can be divided almost
Also, civilians concerned about the stability of the infinitely (100 million times).
dollar are converting them to cryptocurrencies, which Nakamoto announced Bitcoin as “a new electronic
hackers can then steal and/or destroy. cash system that uses a peer-to-peer network to prevent
Criminals are also using cryptocurrencies to transact double-spending. It’s completely decentralized with no
ransomware or extortions against innocent victims. server or central authority.”
Criminals are using cryptocurrencies on the DarkNet Bitcoin is legal but is not a currency approved by the
(the other Internet) to transact criminal activities. U.S. government. Bitcoin is considered property and
Next month’s ROCIC Special Research Report not currency by the Internal Revenue Service.
will concentrate on ransomware and the DarkNet. Bitcoin can be bought and sold with dollars. Bitcoin
You may also find two previous ROCIC reports can be used to purchase goods and services online
helpful — “Penetrating the Darknet: Silk Road, provided the merchant is willing and able to process
Bitcoins, and the Onion Router” and “Hack Attack! Bitcoin. Bitcoin can also be used as a store of value (i.e.,
Protecting Data Networks From Cyber Criminals.” buy low, sell high).
They are available online on the ROCIC Website under In simple terms, here’s how a typical Bitcoin
Publications. transaction works:
Bitcoin (BTC) is a cryptocurrency, defined as a
medium of exchange, created and stored electronically • A computer user who owns Bitcoin wants to buy a
in the blockchain, using encryption techniques to gift card (or any other item) online.
control the creation of monetary units and to verify • The transaction is broadcast to a network of
the transfer of funds. You have to download software computers known as nodes.
(usually free) in order to use it.
Although Bitcoin was the first real cryptocurrency, • The network of nodes validates the transaction and
launched in 2008, there are now dozens of alternative the user’s status using known algorithms.
cryptocurrencies, most of them based on the concept • The computer node that validates the transaction
of Bitcoin. the fastest is awarded newly created Bitcoins. This
Bitcoin is a virtual currency because it can be used validation requires quite a bit of computer power
to purchase goods and services but it exists only and the electricity to run it. The people who do this
on computer networks. Bitcoin is a cryptocurrency are called “miners.” They perform “proof-of-work,”
because it uses encryption. using the SHA 256 Hash algorithm.
Bitcoin is just a brand name. There are no physical • Once verified, the transaction is combined with
coins; there is nothing physical at all, only computer other transactions to create a new block of data for
codes and computer formulas (algorithms). the blockchain ledger.
Bitcoin has no intrinsic value; it is not redeemable for
another commodity, e.g., gold. • The new block is added to the existing blockchain
The supply of Bitcoins is not determined by a in a way that is permanent and unalterable.
centralized entity, such as a bank, and its computer • The computer user is awarded the gift card. This
network is completely decentralized. The supply of process may take several minutes.

2
Ref # 8091-4ee9-ae43-3d3759fc46fb
 2018-46528652

Bitcoin Basics

Bitcoin’s transactional properties

Irreversible:
After confirmation, a transaction can not be reversed. By nobody. And nobody means
nobody. Not you, not your bank, not the president of the United States, not Satoshi,
not your miner. Nobody. If you send money, you send it. Period. No one can help you,
if you sent your funds to a scammer or if a hacker stole them from your computer.
There is no safety net.

Pseudonymous:
Neither transactions nor accounts are connected to real-world identities. You receive
Bitcoins on so-called addresses, which are seemingly random chains of around
30 characters. While it is usually possible to analyze the transaction flow, it is not
necessarily possible to connect the real world identity of users with those addresses.

Fast and global:

Transactions are propagated nearly instantly in the network and are confirmed in
a couple of minutes. Since they happen in a global network of computers they are
completely indifferent to your physical location. It doesn‘t matter if I send Bitcoin to
my neighbor or to someone on the other side of the world.

Secure:
Cryptocurrency funds are locked in a public key cryptography system. Only the owner
of the private key can send cryptocurrency. Strong cryptography and the magic of big
numbers makes it impossible to break this scheme. A Bitcoin address is more secure
than Fort Knox.

Permissionless:
You don‘t have to ask anybody to use cryptocurrency. It is software that everybody
can download for free. After you installed it, you can receive and send Bitcoins or
other cryptocurrencies. No one can prevent you. There is no gatekeeper.

The stages of a typical BItcoin transaction are depicted on the chart on the following
page. Some basic knowledge of computer science is necessary to understand the
process. The technology used by Bitcoin and the blockchain cannot be sufficiantly
covered in this publication. There are many technical manuals and online resources
that delve into the underlying technology.

3
Ref # 8091-4ee9-ae43-3d3759fc46fb
 2018-46528652

T h e 6d0a 1899 086a...

root (56 more characters)

T h e
root 486c 6be4 6dde...

T h e
root b8db 7ee9 8392...

Ref # 8091-4ee9-ae43-3d3759fc46fb
 2018-46528652

Ref # 8091-4ee9-ae43-3d3759fc46fb
 2018-46528652

Bitcoin Basics

Alternative Cryptocurrencies

B itcoin is not the only cryptocurrency out there,

although it has the largest market capitalization,
user base, and the lion’s share of news headlines.
Does Coinbase support any other altcoins?
Coinbase allows trading of Bitcoin, Bitcoin Cash,
Litecoin, Ethereum and Ethereum Classic.
Inspired by Bitcoin are what’s called alt-coins or
alternative cryptocurrencies. Although some are 1) Litecoin (LTC)
easier to mine or create, there is greater risk. Litecoin, launched in 2011, was among the initial
Criminals who have used Bitcoin because they cryptocurrencies following Bitcoin and was often
believed it could not be traced and found out referred to as “silver to Bitcoin’s gold.” It was created
otherwise have been changing over to other newer by Charlie Lee, a MIT graduate and former Google
cryptocurrencies that may be tougher for law engineer. Litecoin is based on an open-source global
enforcement to crack. payment network that is not controlled by any central
Many cryptocurrencies benefitted the past year from authority and uses “scrypt” as a proof of work, which
a combination of greater recognition in countries can be decoded with the help of CPUs of consumer
such as Japan and South Korea, rising interest from grade. Although Litecoin is like Bitcoin in many
institutional investors and Wall Street firms, and a ways, it has a faster block generation rate and hence
boom in a new fundraising method called the initial offers a faster transaction confirmation. Other than
coin offering, which attracted more than $4 billion in developers, there are a growing number of merchants
new capital in 2017. Jimmy Song, a Bitcoin developer who accept Litecoin.
in Austin, Texas, said, “Retail investors in Korea are Litecoin began December 2017 at just $88 and the
driving a lot of the price. They will buy anything that year (2017) at $4.33. Litecoin was up about 7,000
looks reasonably cheap.” percent, even after settling a bit to trade around $323,
according to coinmarketcap.com.
All cryptocurrencies have a total market value of Coinbase’s online exchange GDAX supports trading
about $600 billion. Bitcoin, at $323 billion, comprises of the currency. Since Coinbase has emerged as the
most of that, but there are several notable alternatives, first service many newcomers are trying out, they are
such as Ethereum ($71 billion), Ripple ($29 billion), also being exposed to Litecoin for the first time.
Bitcoin Cash ($32 billion) and Litecoin ($17.6 billion). Litecoin has been around long enough, and has
Reportedly, there are more than 1,300 different types enough developers working on it, that it appears
of altcoins, with only 26 having market values above more stable than some of the newer currencies. That
$1 billion. Before 2017, only Bitcoin and Ethereum development team also has a reputation for testing
were at that level. Many of the more obscure alt- and implementing upgrades that later show up in
coins such as PinkDog, MagicCoin and BitSoar are Bitcoin. Still, it has not been able to attract as many
marginal, while many others are obviously pump-and- developers and businesses as Bitcoin has, and that has
dump schemes. limited its appeal somewhat compared with its larger
Overall, 165 firms have raised more than $4 billion peers.
in 2017 through coin offerings, which resemble
crowdfunding campaigns more than traditional 2) Ethereum (ETH)
fundraising tactics like selling equity or attracting Launched in 2015, Ethereum is a decentralized
venture capital. software platform that enables Smart Contracts
Coinbase has emerged as the biggest Bitcoin and Distributed Applications (ÐApps) to be built
exchange, and it has become a company that is closest and run without any downtime, fraud, control
to the mainstream. Its app has become one of the or interference from a third party. During 2014,
most downloaded, and it has one of the largest user Ethereum had launched a pre-sale for ether which
bases in the industry. So what it does carries weight. had received an overwhelming response. The

6
Ref # 8091-4ee9-ae43-3d3759fc46fb
 2018-46528652

Bitcoin Basics

Alternative Cryptocurrencies
applications on Ethereum are run on its platform- 5) Ripple (XRP)
specific cryptographic token, ether. Ether is like Ripple is a real-time global settlement network that
a vehicle for moving around on the Ethereum offers instant, certain and low-cost international
platform, and is sought by mostly developers looking payments. Ripple “enables banks to settle cross-
to develop and run applications inside Ethereum. border payments in real time, with end-to-end
According to Ethereum, it can be used to “codify, transparency, and at lower costs.” Released in 2012,
decentralize, secure and trade just about anything.” Ripple currency has a market capitalization of $1.26
Following the attack on the DAO in 2016, Ethereum billion. Ripple’s consensus ledger — its method of
was split into Ethereum (ETH) and Ethereum Classic conformation — doesn’t need mining, a feature that
(ETC). Ethereum (ETH) has a market capitalization deviates from Bitcoin and altcoins. Since Ripple’s
of $41.4 billion, second after Bitcoin among all structure doesn’t require mining, it reduces the usage
cryptocurrencies. of computing power, and minimizes network latency.
Ripple believes that “distributing value is a powerful
3) Zcash (ZEC) way to incentivize certain behaviors” and thus
Zcash, a decentralized and open-source currently plans to distribute XRP primarily “through
cryptocurrency launched in the latter part of business development deals, incentives to liquidity
2016, looks promising. “If Bitcoin is like http for providers who offer tighter spreads for payments,
money, Zcash is https,” is how Zcash defines itself. and selling XRP to institutional buyers interested in
Zcash offers privacy and selective transparency of investing in XRP.”
transactions. Zcash claims to provide extra security
or privacy where all transactions are recorded and 6) Monero (XMR)
published on a blockchain, but details such as the Monero is a secure, private and untraceable currency.
sender, recipient, and amount remain private. Zcash This open-source cryptocurrency was launched in
offers its users the choice of shielded transactions, April 2014 and soon spiked great interest among
which allow for content to be encrypted using the cryptography community and enthusiasts. The
advanced cryptographic technique or zero-knowledge development of this cryptocurrency is completely
proof construction called a zk-SNARK developed by donation-based and community-driven. Monero has
its team. been launched with a strong focus on decentralization
and scalability, and enables complete privacy by using
4) Dash (DASH) a special technique called ring signatures. With this
Dash (originally known as Darkcoin) is a more technique, there appears a group of cryptographic
secretive version of Bitcoin. Dash offers more signatures including at least one real participant — but
anonymity as it works on a decentralized mastercode since they all appear valid, the real one cannot be
network that makes transactions almost untraceable. isolated.
Launched in January 2014, Dash experienced an
increasing fan following in a short span of time. This 7) Bitcoin Cash (BCH)
cryptocurrency was created and developed by Evan Bitcoin Cash has the exact same transaction history
Duffield and can be mined using a CPU or GPU. In as the original Bitcoin, up to Aug. 1, 2017. Its primary
March 2015, Darkcoin was rebranded to Dash, which difference is that it is designed to allow more
stands for Digital Cash and operates under the ticker transactions to pass through, on a per-second basis,
– DASH. The rebranding didn’t change any of its than Bitcoin, which leads to lower user fees. It was
technological features such as Darksend, InstantX. developed by a group of developers and businesses
who weren’t satisfied with the existing configuration
of Bitcoin.

7
Ref # 8091-4ee9-ae43-3d3759fc46fb
 2018-46528652

Bitcoin Basics

Blockchain Technology Could Change the World

Much Like the Internet Did

M any technologists are ambivalent about Bitcoin

being used as currency but they are much more
excited about one piece of Bitcoin’s software formula
Five basic blockchain principles:
called the blockchain. The blockchain is seen by many 1. Distributed Database
as a much better way to carry out transactions and Each party on a blockchain has access to the entire
contracts that affect every aspect of life. Some see future database and its complete history. No single party
applications of the blockchain as changing everyday life controls the data or the information. Every party can
just as powerful as the Internet changed things during verify the records of its transaction partners directly,
the past few decades. Some believe the blockchain will without an intermediary.
be widely adopted within ten years; others claim it may
take 20 to 30 years to be assimilated. 2. Peer-to-Peer Transmission
Communication occurs directly between peers
Finally, another technology which could have
instead of through a central node. Each node stores
fantastic consequences is the development of quantum
and forwards information to all other nodes.
computing, which would be like computers on steroids.
Breakthroughs in quantum computing could affect 3. Transparency with Pseudonymity
cryptocurrencies and blockchain development and Every transaction and its associated value are visible
affect national security. to anyone with access to the system. Each node, or
The implications of blockchain technology are user, on a blockchain has a unique 30-plus-character
immense, according to Marco Iansiti and Karim alphanumeric address that identifies it. Users can
Lakhani, authors of a recent article in Harvard Business choose to remain anonymous or provide proof of
Review: their identity to others. Transactions occur between
“With blockchain, we can imagine a world in which blockchain addresses.
contracts are embedded in digital code and stored in
4. Irreversibility of Records
transparent, shared databases, where they are protected
Once a transaction is entered in the database and the
from deletion, tampering, and revision. In this world
accounts are updated, the records cannot be altered,
every agreement, every process, every task, and every because they’re linked to every transaction record
payment would have a digital record and signature that came before them (hence the term “chain”).
that could be identified, validated, stored, and shared. Various computational algorithms and approaches
Intermediaries like lawyers, brokers, and bankers might are deployed to ensure that the recording on the
no longer be necessary. Individuals, organizations, database is permanent, chronologically ordered, and
machines, and algorithms would freely transact and available to all others on the network.
interact with one another with little friction. This is the
immense potential of blockchain.” 5. Computational Logic
“But while the impact will be enormous, it The digital nature of the ledger means that
will take decades for blockchain to seep into our blockchain transactions can be tied to computational
logic and in essence programmed. So users can set
economic and social infrastructure. The process of
up algorithms and rules that automatically trigger
adoption will be gradual and steady, not sudden, as
transactions between nodes.
waves of technological and institutional change gain
momentum.” Source: Harvard Business Review

8
Ref # 8091-4ee9-ae43-3d3759fc46fb
 2018-46528652

Bitcoin Basics

“I have great respect for Karim and his co-author,

but I disagree,” wrote Bernard Golden, a tech innovator. Current Uses for Blockchain Technology:
“I think blockchain is going to arrive faster and with • Proof of ownership of modules in app
more bite than they expect; indeed, I think it will occur development
faster than most people expect.” Golden is predicting
acceptance of blockchain in five to ten years, not 30 to • Proof of ownership for digital content storage
40. and delivery
Blockchain—a peer-to-peer network that sits on top • Proof of ownership for sales and purchase of
of the Internet—was introduced in October 2008 as digital assets
part of a proposal for Bitcoin, a virtual currency system
that eschewed a central authority for issuing currency, • Digital security trading: ownership and transfer
transferring ownership, and confirming transactions. • Digitization of documents and contracts
Bitcoin is the first application of blockchain technology.
The infamous hacks that have hit Bitcoin exchanges • Decentralized storage using network of
exposed weaknesses not in the blockchain itself but in computers
separate systems linked to parties using the blockchain. • Digital identities to protect consumer privacy
Much of the initial private blockchain-based
development is taking place in the financial services • Escrow/ custodian service for gaming industry
sector, often within small networks of firms, so the • Smart contract IT portal executing order
coordination requirements are relatively modest. fulfillment
Financial services companies, for example, are finding
that the private blockchain networks they’ve set up • Decentralized patient records management
with a limited number of trusted counterparties can • Proof of ownership for digital content
significantly reduce transaction costs.
Nasdaq is working with Chain.com, one of many • Digitizing company incorporations, transfer of
blockchain infrastructure providers, to offer technology equity
for processing and validating financial transactions. • Decentralized IT resources for home and
Bank of America, JPMorgan, the New York Stock business
Exchange, Fidelity Investments, and Standard
Chartered are testing blockchain technology as a • Authenticity for employee peer reviews
replacement for paper-based and manual transaction • Point-based value transfer for ride sharing
processing in such areas as trade finance, foreign
exchange, cross-border settlement, and securities • Decentralized prediction platform for share
settlement. markets
The Bank of Canada is testing a digital currency • Anti-counterfeit digitization of assets
called CAD-coin for interbank transfers.

9
Ref # 8091-4ee9-ae43-3d3759fc46fb
 2018-46528652

Bitcoin Basics

A “wallet” is the Bitcoin equivalent of a bank account.

Wallets provide an easy-to-use interface for an
individual to receive, store, and send Bitcoin to other
people. A wallet massively simplifies the complicated
process of signing a transaction, broadcasting it to the
blockchain, and verifying incoming transactions. In
nearly all cases, it is as simple as typing in an address, a
transaction amount, and hitting Send.
Many departments develop a policy for handling
digital evidence; some practices also apply to A wallet simply manages your collection of public/
handling digital currency. private key pairs. Wallets continuously check the
global blockchain for transactions that are broadcast
An effective cryptocurrency policy will address with one of your addresses as the receiver. When your
the following: wallet sees that you “own” Bitcoin according to the
• Identify who is authorized to conduct Bitcoin ledger, it updates your balance. When you want to send
seizures and transactions or forward your balance to someone else, you use their
public key as the address, and release the funds of one
• List internal and external notifications when of your public keys by signing the transaction with the
a case involves Bitcoins corresponding private key.

• Standard operating procedures for handling Since anyone with the private key of an address has
and preserving digital evidence complete control over funds in that address, this gives
• Chain-of-custody instructions for devices Bitcoin a certain level of flexibility and control not
containing digital evidence otherwise found in fiat (“cash”) currency. There could
be multiple copies of the private key stored in multiple
It is highly recommended that your department locations, or different people could have it. There is no
set up an all-encompassing crypto-currency central bank or system to freeze funds.
policy. Set up a department-controlled wallet
on a secure machine and establish rules When seizing Bitcoin, it is essential to move the Bitcoin
surrounding the process of seizing and storing to a wallet you control, or they could be sent anywhere
Bitcoin. The address of the wallet should be in the world in minutes, even if you have the suspect in
easily accessible to allow the swift seizing of custody and their device secured.
Bitcoin if it is encountered during the course of
an investigation, due to its fungible and unique Since a wallet is simply a way of storing, managing,
nature. Seizing a suspect and their computer and securing your private keys that allow you to sign
does not mean seizing the Bitcoin; anyone in a transaction, different types of wallets offer different
the world that the suspect trusted with their levels of ease-of-use and security. Wallets can exist in
Bitcoin could move it in seconds. It is imperative many different forms. The most commonly used is a
to move the funds to an address that you control
the private key to. Source: Bitcoin Investigative Field Guide, by
Refer to your local prosecutor or legal counsel the National White Collar Crime Center,
for any details or steps taken after the funds accessible online at https://www.nw3c.
have been seized. org/Resources/Bitcoin-investigative-field-
guide/content/index.html#/?_k=kjt5dz

10
Ref # 8091-4ee9-ae43-3d3759fc46fb
 2018-46528652

Bitcoin Basics

software wallet, which is a program that runs on your Almost every type of wallet uses a file with this naming
computer or mobile device. There are also web-based convention, and a file like that existing on a computer
wallets that you log into with an email or username is indicative of Bitcoin being in play.
and password.
A relatively new type of wallet, online wallets exist
The Cyber Crime Unit at the National White Collar on a user’s Android or iOS smartphone. This type of
Crime Center recommends the use of the Coinbase wallet is generally very simple and features a basic and
online wallet. Coinbase operates as a US-based intuitive interface designed for the average end-user
exchange and is the only large Bitcoin service to who is just getting into Bitcoin. They can be identified
have never suffered a security breach compromising by a logo or icon on the home screen of a smartphone.
customer or user information or funds. They are law They are occasionally secured by an additional PIN
enforcement-friendly and are willing to work with law or password with a lock-out feature if failed too many
enforcement to track funds, freeze user accounts, and times. The most common wallets for mobile devices
otherwise assist in investigations however they can. are Mycelium, Greenbits, breadwallet, and Airbitz.
They are an industry leader and are the largest US-
based exchange. Online wallets typically function as an extension of
the exchange on which they were purchased. They
Creating an account for their service involves identity are accessed through a website and require log-in
verification, due to Know Your Customer laws. After information, and typically require a form of two-factor
successfully completing registration, you can log in and authentication as additional security.
view your Bitcoin wallet with the Accounts tab at the
top of the screen. Click “Receive” next to the Bitcoin The most popular exchanges and online wallet services
wallet, and you will be prompted with a QR code to are Coinbase, GDAX, Gemini, and Kraken. Many
scan, if you have seized a mobile device storing Bitcoin, of these also serve as trading platforms, similar to a
and a text string if it is a software or online wallet. stock exchange. The 4 listed above all require proof
Simply copy and paste the string into the input field in of identity, due to Know Your Customer laws, and
whatever wallet you’re seizing funds from and dump operate out of the United States. Coinbase and GDAX
the balance to secure the funds. You then have the have been known to cooperate with law enforcement
choice of converting the seized Bitcoin to USD through investigations in the past, surrendering customer
your Coinbase wallet, to preserve the monetary value, information and purchase patterns.
or leaving it as-is to preserve the property and potential
chain-of-custody. Cold storage wallets can be more difficult to identify,
as they are simply a website that was visited and
The most common way of storing and securing Bitcoin used. The best way to identify these are through the
is the computer wallet, which runs as an application suspect’s browser history. Searching for “bit”, “coin”,
on your computer. They are generally very easy to use, or any of the four exchanges above will cover almost
with clear indicators on-screen of how to transfer funds every commonly used exchange. If any of the other
out. The most common computer wallets are Electrum, three types of wallets are found during the course of an
Armory, Bitcoin Core, and MultiBit-HD. These will investigation, it is almost guaranteed that the suspect
typically be identified as an icon on the user’s desktop. used an online wallet at some point to either buy or sell
You can also use the Search function on the computer their Bitcoin for US dollars, and it is worth looking into
to look for any file with the word “wallet” in the file which exchange they used and attempting to obtain
name, or a .dat file extension. additional information about them from the exchange.

11
Ref # 8091-4ee9-ae43-3d3759fc46fb
 2018-46528652

Bitcoin Basics

*Investigative Note: Contact the online wallet service credentials for accessing the department Bitcoin wallet.
for assistance in freezing an account to prevent If there is no existing department Bitcoin wallet, DO
additional transactions. NOT use a personal Bitcoin wallet.
Without a Bitcoin wallet, you cannot continue
Cold storage is an alternative way of storing Bitcoin, through the collection process. Please proceed to the
and by far the most secure. Since you need the private “Preservation” section on page 14.
key to send Bitcoin, cold storage revolves around the
idea of never exposing the private key to the Internet. Step 3
This may mean writing it down on a piece of paper, If you can access the suspect’s Bitcoin wallet:
storing it on a USB stick, or memorizing it. This type To transfer a suspect’s Bitcoin to a department Bitcoin
of wallet is much harder to identify, as it could be wallet, you must have access to the private keys within
anything. If there is evidence of Bitcoin being in play, his/her Bitcoin wallet.
such as recently used Bitcoin exchanges, empty Bitcoin Getting the suspect to volunteer the encryption code
wallets, or recently visited websites explaining Bitcoin, is the easiest method of access. If the suspect will not
it is possible that a cold storage wallet is being used. volunteer the encryption code, simply getting the
suspect to admit he knows the encryption code is
Look for labeled USB drives, pieces of paper with 12 to helpful in obtaining an order to compel the suspect to
24 random English words (a recovery seed), or a long unlock the wallet.
string of what appears to be gibberish or encrypted If you cannot access the suspect’s Bitcoin wallet:
information. The information on the USB drive, the The device on which the encrypted wallet exists should
recovery seed, or the string of gibberish can all be be seized in compliance with department procedures
imported into Coinbase to directly seize the funds for seizing any other encrypted device. Officers should
without any technical knowledge needed. document the scene, keep the device powered, and
call the department’s IT specialist as soon as possible.
Bitcoin should be collected as soon as possible once Proceed to “Preservation” on page 14.
it has been determined that seizure is appropriate.
Because there is a risk that a co-conspirator might Step 4
drain a suspect’s Bitcoin, time is of the essence. Depending on the type of Bitcoin wallet encountered,
follow the below process.
How to seize Bitcoin protected by encryption
Mobile wallets: If the suspect is using a mobile wallet,
Step 1 the process for making a transfer is relatively simple.
As in all cases involving evidence, responding personnel In the suspect’s wallet, navigate to the transfer or send
should thoroughly document the scene. tab. Enter the department wallet’s address or scan its
When a Bitcoin wallet is discovered, access to it is often QR code in the space labeled recipient. Enter the full
protected by encryption. value of the wallet as the amount to be transferred.
In the event the suspect’s computer or mobile device Then press transfer or send to move the funds to the
is unlocked, follow best practices for maintaining the department wallet.
current state of the device to prevent it from locking
from inactivity. Software wallets: Generally, funds can be obtained
from a software wallet using the same method as a
Step 2 mobile wallet. However, with a software wallet, the
Ensure you (or authorized person) have access to your suspect’s private keys may be available either within
department’s Bitcoin wallet. You will need to know the the wallet or stored elsewhere on the device. Access

12
Ref # 8091-4ee9-ae43-3d3759fc46fb
 2018-46528652

Bitcoin Basics

to a suspect’s private keys gives indefinite access to the When a Bitcoin wallet is discovered not protected by
accounts associated with those keys. While it is not encryption, you have complete access to all available
recommended that the officer attempt to access the Bitcoins.
private keys, it is important that the device is treated as In the event the suspect’s computer or mobile device
an encrypted device and seized, even if the officer can is unlocked, follow best practices for maintaining the
transfer the Bitcoin. current state of the device to prevent it from locking
from inactivity.
Online wallets: If a suspect is using an online wallet,
police can use the above method to transfer funds. Step 2
Because online wallets use a third party to store Bitcoin Ensure you (or authorized person) have access to your
funds, that third party can freeze accounts and assist in department’s Bitcoin wallet. You will need to know the
the seizure of funds left online. Police can do so using credentials for accessing the department Bitcoin wallet.
the same method to freeze traditional bank accounts, If there is no existing department Bitcoin wallet, DO
but the warrant or subpoena must be directed at the NOT use a personal Bitcoin wallet.
online wallet operator. Without a Bitcoin wallet, you cannot continue
through the collection process. Please proceed to the
Hardware wallets: Because hardware wallets are “Preservation” section on page 14.
external memory or paper QR codes containing private
keys, they must be loaded into a wallet that allows Step 3
private keys to be imported. For an officer seizing Depending on the type of Bitcoin wallet encountered,
the property of a suspect, it is sufficient to secure the follow the below process.
hardware wallet and get it into the hands of an IT
specialist as soon as possible. Mobile wallets: If the suspect is using a mobile wallet,
the process for making a transfer is relatively simple.
Often the private keys in a Bitcoin wallet will be hidden, In the suspect’s wallet, navigate to the transfer or send
but as long as the officer has access to the wallet the tab. Enter the department wallet’s address or scan its
funds can be transferred. QR code in the space labeled recipient. Enter the full
value of the wallet as the amount to be transferred.
It is important to remember that a wallet may actually Then press transfer or send to move the funds to the
have multiple files that are holding Bitcoin separately. department wallet.
If an officer is transferring funds from an open or
unencrypted wallet, they should ensure that there Software wallets: Generally, funds can be obtained
are not multiple files in the wallet. There should be a from a software wallet using the same method as a
tab that allows all the wallets within the program to mobile wallet. However, with a software wallet, the
be viewed. It is possible that individual wallets may be suspect’s private keys may be available either within
separately encrypted within the program. If that is the the wallet or stored elsewhere on the device. Access
case, then the device should be seized as an encrypted to a suspect’s private keys gives indefinite access to the
device. accounts associated with those keys. While it is not
recommended that the officer attempt to access the
How to seize Bitcoin not protected by encryption. private keys, it is important that the device is treated as
an encrypted device and seized, even if the officer can
Step 1 transfer the Bitcoins.
As in all cases involving evidence, responding personnel
should thoroughly document the scene. Online wallets: If a suspect is using an online wallet,

13
Ref # 8091-4ee9-ae43-3d3759fc46fb
 2018-46528652

Bitcoin Basics

police can use the above method to transfer funds. PRESERVATION SECTION
Because online wallets use a third party to store Bitcoin
funds, that third party can freeze accounts and assist in Prior to Collection
the seizure of funds left online. Police can do so using
the same method to freeze traditional bank accounts, Preservation of a suspect’s Bitcoin is especially
but the warrant or subpoena must be directed at the important when the suspect may have co-conspirators.
online wallet operator. A third party with access to the suspect’s private keys
can drain the suspect’s wallet of its funds before the
Hardware wallets: Because hardware wallets are officer can access the wallet.
external memory or paper QR codes containing private
keys, they must be loaded into a wallet that allows Being proactive when Bitcoin is suspected to be in use
private keys to be imported. For an officer seizing is the best course of action. Having a department wallet
the property of a suspect, it is sufficient to secure the and proper procedures in place before alerting the
hardware wallet and get it into the hands of an IT suspect to possible seizure of his or her assets will help
specialist as soon as possible. streamline the process and minimize the risk of loss.

Often the private keys in a Bitcoin wallet will be hidden, If it is not possible to transfer the Bitcoin to a controlled
but as long as the officer has access to the wallet the wallet immediately, treat the device as though it is
funds can be transferred. encrypted. As such, officers should leave the device
on. Move the mouse to avoid the device entering sleep
It is important to remember that a wallet may actually mode; on a smart phone or other mobile device, it may
have multiple files that are holding Bitcoins separately. be necessary to tap the screen. On a phone or mobile
If an officer is transferring funds from an open or device, it is important not to search the phone without a
unencrypted wallet, they should ensure that there proper specific warrant. Document the scene and leave
are not multiple files in the wallet. There should be a as much of it unaltered as possible. As soon as possible,
tab that allows all the wallets within the program to call a digital forensic expert for further instructions.
be viewed. It is possible that individual wallets may be
separately encrypted within the program. If that is the If the suspect has Bitcoin stored on a web based wallet,
case, then the device should be seized as an encrypted then the wallet provider can freeze the account with
device. the proper administrative procedure, such as a warrant
or a subpoena. Bitcoin stored on web-based wallets are
Step 4 especially vulnerable, so time is a significant factor.
By successfully transferring Bitcoins from the suspect’s
wallet to the department, he/she (or anyone with access After Collection
to the suspect’s wallet) is no longer in possession of the
Once a suspect’s Bitcoin are in the department’s
Bitcoins.
Bitcoin wallet, they will be fairly safe and secure. If the
department is using a web-based wallet, ensuring that
The department’s Bitcoin wallet should have controlled
the department is on a secure server or transferring
access to maintain accountability and integrity in the
the coin to either a software wallet and encrypting the
preservation of the digital evidence.
wallet or placing the Bitcoin in cold storage can provide
additional security.

Some wallets allow for a Bitcoin vault to be established,

which allows the transfer of Bitcoins only if multiple

14
Ref # 8091-4ee9-ae43-3d3759fc46fb
 2018-46528652

Bitcoin Basics

parties approve of the transfer. Using a vault may The blockchain is much like a full history of banking
provide even more security for the Bitcoin. However, transactions, while blocks function as individual bank
once the Bitcoin have been transferred to a wallet statements.
controlled by law enforcement, the Bitcoin should be
safe and adequately preserved. Based on the Bitcoin protocol, the blockchain database
is shared by all nodes participating in a system. The
Online wallets full copy of the blockchain has records of every Bitcoin
Web-based wallet services and Bitcoin exchanges have transaction ever executed. It can thus provide insight
historically been cooperative with law enforcement about facts like how much value belonged a particular
investigations. In the event you cannot seize Bitcoin address at any point in the past.
from a suspect’s wallet, attempt to obtain any username,
ID or wallet number that may help identify the wallet The blockchain is of particular interest to law
in question. enforcement due to its inability to be altered in any way.

Investigative Use Follow the money

Bitcoin can be used to purchase goods, property, and
The challenge of anonymity services. The Securities Exchange Commission (SEC)
A common myth regarding the use of Bitcoin is that also views Bitcoin as a security. Regardless if Bitcoin
the identities of those involved in transactions are is considered money or a security, its value cannot
completely anonymous. This misconception has lead be ignored. Bitcoin are often traded in the Dark Web
many criminals to pursue Bitcoin as a means to fund to further anonymize criminals, but the money can
illicit activities such as money laundering, fraud, ultimately be traced. Whether through legitimate
corruption, and criminal trafficking. Bitcoin exchanges or personal and business financial
records, all money has a start and endpoint.
The Dark Web is a part of the world wide web that
requires special software to access. Within this web, Through information sharing, multi-agency task
some sites are effectively hidden, as they have not forces, partnerships, training, and the use of cutting
been indexed by a search engine such as Google or edge technology, the law enforcement community
Bing. Special markets, referred to as darknet markets, is enhancing its capabilities to respond to criminal
also exist on the dark web and sell illegal products activity involving cryptocurrencies such as Bitcoin.
such as drugs and firearms, or deal with sex and labor
trafficking. The use of Bitcoin on the Dark Web has Law enforcement can work with private companies
increased the challenges faced by law enforcement to investigative cases involving cryptocurrencies.
conducting criminal investigations. Three of the most well-known are listed below, with
descriptions supplied by the companies. This listing
About the blockchain does not in any way constitute an endorsement of these
A blockchain is a public ledger of all cryptocurrency private companies by ROCIC or RISS.
transactions that have ever been executed. It
constantly grows as completed blocks are added with About Chainalysis (www.chainalysis.com)
a new set of recordings. Blocks are added in a linear The transfer of value over the internet requires new
and chronological order as transactions occur. The methods of data analysis, visualization and actionable
blockchain holds complete information regarding intelligence to protect the integrity of our financial
addresses and balances since the first transaction to the system.
most recently completed block.

15
Ref # 8091-4ee9-ae43-3d3759fc46fb
 2018-46528652

Bitcoin Basics

Founded in 2014, Chainalysis is the leading provider About Elliptic (www.elliptic.com)

of Anti-Money Laundering software for Bitcoin. With Elliptic has delivered robust evidence for law
offices in New York and Copenhagen, Chainalysis enforcement agencies worldwide.
works with global financial institutions, like Barclays We trace Bitcoin transactions across hundreds of
and Bitcoin exchanges to enable every stakeholder entities and help you connect illicit Bitcoin activity to
to assess risk in this new economy. According to real world actors.
Chainalysis, customers have checked over $15 billion Our proprietary database links millions of Bitcoin
worth of transactions using their platform. addresses to thousands of clear web and dark web
entities. We back this up with transparent documentary
Through formal partnerships with Europol and evidence.
other international law enforcement, Chainalysis’ We have delivered actionable evidence in cases
investigative tools have been used globally to involving international arms trafficking, money
successfully track, apprehend, and convict money laundering, theft, and drug offences.
launderers and cyber criminals. Elliptic allows you to link real-world actors to Bitcoin
activity. Our proprietary technology has proven
About BlockSeer (www.blockseer.com) effective in major international investigations.
BlockSeer’s mission is to build a unified foundation of Elliptic’s results are backed by our proprietary database
transparency for the public Bitcoin ecosystem. Bitcoin of evidence spanning millions of Bitcoin addresses
is a revolutionary new technology that has the potential across thousands of clear and dark web entities.
to enable many valuable new services that are fully
trusted. Currently, there is a lack of clarity in Bitcoin
payments and transactions. By providing transparency Technical Assistance
of the Bitcoin blockchain and its participants, BlockSeer The National White Collar Crime Center provides
aims to reduce the level of disorder and chaos and technical assistance to law enforcement and regulatory
increase the level of knowledge and analysis of the agencies in the areas of Cybercrime and Financial Crime.
publicly accessible blockchain network. Technical assistance examples includes providing
guidance in handling financial investigations and
proper handling of electronic evidence (smartphones,
computers, etc.).

16
Ref # 8091-4ee9-ae43-3d3759fc46fb
 2018-46528652

Bitcoin Basics

RESOURCES FOR LAW ENFORCEMENT

ROCIC:
Publications Manager Mark Zimmerman, mzimmerman@rocic.riss.net
Training Manager Ms. Jarret Miller, jamiller@rocic.riss.net
Criminal Intelligence Unit Manager Kendall Neal, kneal@rocic.riss.net
Analytical Unit Manager Cindy Purviance at cpurviance@rocic.riss.net
ROCIC, 1-800-238-7985

“Penetrating the Darknet: Silk Road, Bitcoins, and the Onion Router,” ROCIC Special Research Report
http://rocic.riss.net/publications/darknet/Pages/default.aspx

“Hack Attack! Protecting Data Networks From Cyber Criminals,” ROCIC Special Research Report
http://rocicuag.riss.net/publications/hack_attack/Pages/default.aspx

BOOKS:

Future Crimes, by Marc Goodman, Doubleday, 2015

Digital Gold, by Nathaniel Popper, HarperCollins, 2015

Mastering Bitcoin, by Andreas M. Antonopoulos, O’Reilly Press, 2015

An Introduction to Systems Science, by John N. Warfield, World Scientific, 2006

Good Money, Part I: The New World, by F. A. Hayek, Ed. By Stephen Kresge, Liberty Fund Press, 1999

Good Money, Part II: The Standard, by F. A. Hayek, Ed. By Stephen Kresge, The University of Chicago Press, 1999

Denationalization of Money: The Argument Refined, by F. A. Hayek, The Institute of Economic Affairs, 1990

The Ascent of Money: A Financial History of the World, by Niall Ferguson, Penguin Press, 2008

Free to Choose: A Personal Statement, by Milton Friedman and Rose Friedman, Harvest Book, 1980

The Psychology of Communication (The Magic Number Seven essay), by George Miller, Penguin Press, 1969

The General Theory of Employment, Interest, and Money, by John Maynard Keynes, Harvest Book, 1964

BITCOIN INDUSTRY WEBSITES:

Tennessee Bitcoin Alliance

http://tennesseeBitcoin.org/

LocalBitcoins.com
https://localBitcoins.com/accounts/login/

Bitcoin Foundation
https://Bitcoin.org/en/faq

Coinbase
https://www.coinbase.com/what-is-Bitcoin

17
Ref # 8091-4ee9-ae43-3d3759fc46fb
 2018-46528652

Bitcoin Basics

RESOURCES FOR LAW ENFORCEMENT

Bitcoin Charts
https://blockchain.info/charts

Bitcoin Stats
https://blockchain.info/stats

Google Bitcoin, then News

CoinDesk
http://www.coindesk.com/

Bitcoin Price Index

http://www.coindesk.com/price/

The Onion Router Project

https://www.torproject.org/

GOVERNMENT WEBSITES:

Financial Crimes Enforcement Network (FinCEN) Support of Law Enforcement

http://www.fincen.gov/law_enforcement/les/

Application of FinCEN’s Regulations to Persons Administering, Exchanging, or Using Virtual Currencies

http://fincen.gov/statutes_regs/guidance/html/FIN-2013-G001.html

FBI Cyber Crime

http://www.fbi.gov/about-us/investigate/cyber

National White Collar Crime Center

https://www.nw3c.org/Resources/Bitcoin-investigative-field-guide/content/index.html#/?_k=kjt5dz

MEDIA WEBSITES:

BloombergView (currency-Bitcoin)
http://www.bloombergview.com/topics/currency

BitBeat: Wall Street Journal

http://blogs.wsj.com/moneybeat/tag/bitbeat/

Wired magazine
http://www.wired.com/tag/Bitcoin/

COMMERCIAL WEBSITES:

Elliptic
https://www.elliptic.co/

Chainalysis
https://www.chainalysis.com/

BlockSeer
https://www.blockseer.com

18
Ref # 8091-4ee9-ae43-3d3759fc46fb
 2018-46528652

Bitcoin Basics

ROCIC Can Assist Officers with Investigations

ROCIC Training and Officer Safety Resources ROCIC Law Enforcement Coordinators
The ROCIC Law Enforcement Coordinators have
ROCIC Criminal Intelligence Unit specialized email lists to get your information out
The Intel Specialists with ROCIC’s Criminal as fast as possible to jurisdictions that might be
Intelligence Unit (CIU) can access dozens of affected by similar cases.
research tools, specialized databases, public
record information, criminal justice information, ROCIC Analytical Unit
and data. They are able to search, retrieve, The Analytical Unit converts complex
compile, and provide a consolidated reporting information into easy-to-understand charts and
of findings to officers. This assistance helps presentations. The Audio and Video Forensic
officers in need of quick, accurate, and complete Department can enhance photos and video
information. Information gained by ROCIC surveillance footage. The Computer Forensics
can help develop leads, link criminal activity, Department assists in collecting evidence from
gain background information on suspects, and electronic devices.
quickly obtain driver’s license photos.
ROCIC Technical Services
RISSIntel The ROCIC Technical Services Unit loans
The RISS Criminal Intelligence Databases specialized equipment to member agencies at
(RISSIntel) provides for a real-time, online no charge, including surveillance cameras and
federated search of RISS and partner intelligence recording devices.
databases, including state systems. Millions of
intelligence records are available via RISSIntel. ROCIC Training Department
These records include individuals, organizations, The ROCIC Training Department offers numerous
groups, and associates suspected of involvement training opportunities for police officers,
in criminal activity, as well as locations, vehicles, including operational planning, social media, civil
weapons, and telephone numbers. unrest planning and response, risk avoidance,
crime scene management, and others. Training
Other ROCIC Resources courses can be found at www.rocic.com/training.

ROCIC Publications ROCIC Officer Safety Website

Additional training publications can be found RISS also offers officer safety resources on their
on the ROCIC Publications webpage, including Officer Safety Website, including concealment
topics on fraud, credit card crime, virtual methods, law enforcement threats, gangs,
currencies, forged identification, gift card narcotics, domestic terrorism, sovereign citizens,
scams, burglaries and thefts, crimes against and armed and dangerous subjects. This
the elderly, among others. These publications information can be accessed by logging into your
can be accessed by logging into your RISSNET RISSNET account at https://officersafety.riss.net.
account at https://rocic.riss.net/publications. More information on RISS and ROCIC
resources can be found at www.riss.net.

This project was supported by Grant #2015-RS-CX-0005 awarded by the Bureau of Justice Assistance. The Bureau of Justice Assistance
is a component of the Department of Justice’s Office of Justice Programs, which also includes the Bureau of Justice Statistics, the National
Institute of Justice, the Office of Juvenile Justice and Delinquency Prevention, the Office for Victims of Crime, and the SMART Office. Points
of view or opinions in this document are those of the author and do not necessarily represent the official position or policies of the U.S.
Department of Justice.

19
Ref # 8091-4ee9-ae43-3d3759fc46fb