Understanding Asset Recovery and Cryptocurrency Wallets
As featured in ICC FraudNet Global Annual Report 2024
Cryptocurrency presents both unique challenges and innovative solutions to the asset recovery world. There are some overarching concepts and practices in common with asset recovery in the traditional finance (‘TradFi’) realm, but in this article we focus on how the concept of custodial and non-custodial cryptocurrency wallets presents a major departure from TradFi. Asset recovery professionals need to be well educated on this critical nuance as it can inform the rest of the recovery plan and the overall chances of success.
How far can open source blockchain tools take you?
From the outset, the way assets are traced in cryptocurrency is inherently different. Cryptocurrency is based on blockchain technology, a digital, decentralized public ledger. The tracing of crypto assets can be accomplished more easily than with fiat currencies. Open source blockchain explorers and Open Source Intelligence (‘OSINT’) tools allow anyone with an internet connection to learn details about cryptocurrency transactions, such as the sending and receiving wallet addresses, transaction hash, timestamps, and amounts. This type of investigative capability is non-existent in the traditional finance world, as all transactional information is inherently private.
However, in a large-scale investigation, conducting an asset tracing investigation using only open source blockchain explorers may not be practical. Additionally, these wallet identifiers are pseudo-anonymous – the wallet identifier is visible but there is no attribution information similar to Know-Your-Customer (‘KYC’) information for a bank account.
This is where commercial blockchain analytic tools can greatly aid a cryptocurrency asset recovery investigation. Commercial blockchain intelligence tools layer in attribution information (such as wallet addresses that have been attributed to a cryptocurrency exchange or cryptocurrency investment scam) and analyse behavioural spending patterns to group or “cluster” wallet addresses together that are controlled by the same entity. Once the cryptocurrency asset tracing portion of the investigation has been completed and the address holding the cryptocurrency assets has been identified, the next pivotal variable in the recovery process will be assessing the wallet type.
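To make the clustering step concrete, here is an added example (not from the original article or any commercial tool) of one widely used behavioural heuristic, common-input ownership: addresses that fund inputs of the same transaction are assumed to share a controller, and a known attribution label is then propagated across the cluster. The transactions, addresses and label are constructed, and the sketch assumes a UTXO-style chain such as Bitcoin; collaborative transactions such as CoinJoin violate the heuristic.

```python
from collections import defaultdict

# Constructed sample data (not real chain data). Each transaction lists the
# addresses that funded its inputs and the addresses it paid.
SAMPLE_TXS = [
    {"txid": "tx1", "inputs": ["addrA", "addrB"], "outputs": ["addrX"]},
    {"txid": "tx2", "inputs": ["addrB", "addrC"], "outputs": ["addrY"]},
    {"txid": "tx3", "inputs": ["addrD"], "outputs": ["addrA", "addrZ"]},
    {"txid": "tx4", "inputs": ["addrE", "addrF"], "outputs": ["addrD"]},
]
# Constructed attribution label, standing in for a tool's tagging database.
SAMPLE_LABELS = {"addrC": "investment scam (constructed label)"}


def cluster_addresses(txs):
    """Union-find over input addresses: co-spent inputs share one cluster."""
    parent = {}

    def find(addr):
        parent.setdefault(addr, addr)
        while parent[addr] != addr:
            parent[addr] = parent[parent[addr]]  # path halving
            addr = parent[addr]
        return addr

    for tx in txs:
        roots = sorted({find(a) for a in tx["inputs"]})
        for root in roots[1:]:
            parent[root] = roots[0]  # merge all input clusters into one
        # Outputs are deliberately not merged: receiving a payment says
        # nothing about who controls the recipient address.
    clusters = defaultdict(set)
    for addr in list(parent):
        clusters[find(addr)].add(addr)
    return sorted(clusters.values(), key=min)


def label_clusters(clusters, labels):
    """Propagate any known attribution label to every cluster member."""
    result = {}
    for members in clusters:
        tags = sorted({labels[a] for a in members if a in labels})
        for addr in members:
            result[addr] = tags
    return result


if __name__ == "__main__":
    tagged = label_clusters(cluster_addresses(SAMPLE_TXS), SAMPLE_LABELS)
    for addr, tags in sorted(tagged.items()):
        print(addr, tags or "unattributed")
```

Here addrA and addrB inherit the label attached to addrC because tx1 and tx2 chain them together, while addrD stays separate even though it paid addrA.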
What are Custodial Wallets?
There are two main wallet types in the cryptocurrency world: custodial and non-custodial. Custodial wallets are services that retain the private keys of a wallet. A private key is a long alphanumeric string that can be likened to the password of a wallet. Possessing the private key is critical to a wallet’s functionality, as one cannot send funds, trade, convert currencies, or achieve any other critical transaction without it (source: CoinDesk).
In the case of custodial wallets at crypto services, the service itself holds those private keys and is the ultimate authority on executing transactions and wallet administration. This is most commonly through a custodial account at a Virtual Asset Service Provider (‘VASP’), commonly referred to as a cryptocurrency exchange. Discovering if a wallet is a custodial wallet can be achieved through OSINT methods or the use of proprietary tools to identify the crypto service the wallet is associated with. This is not only an important consideration in the recovery process but informs further tracing efforts. Once funds enter a custodial wallet, tracing cannot proceed as these services utilize different accounting methods conducted off the blockchain.
With Custodial Wallets, the Crypto Exchange Can Help with Tracing and Recovery
When a wallet is assessed to be a custodial cryptocurrency wallet, wallet providers such as the exchanges Binance, Coinbase, and Kraken will typically require the collection of a host of information about the user and their activity. This primarily includes technical data, transaction information, and KYC data outlined in the exchange’s Anti-Money Laundering (‘AML’) policies and regulations, as well as those in the jurisdiction from which the exchange is operating (source: NotaBene). Varying levels of this information will generally be retrievable through legal process to exchanges compliant with laws and regulations in their region, though this is not always the case with high-risk exchanges, exchanges in unreachable jurisdictions, or immature exchanges.
Once this information is obtained, asset recovery can take place in coordination with the exchange, should the assets remain in the wallet. As the exchange is the custodian of the private keys, it can freeze funds, block access, and move funds at will.
If the user of the custodial wallet already transferred the cryptocurrency elsewhere, the custodial wallet provider can still furnish valuable wallet activity information such as transaction information. This transaction information, namely the withdrawal history, will have details of the wallet address the user sent the cryptocurrency to, the amount transferred, and when the transfer occurred.
If the user converted the assets to fiat and cashed out at the exchange, i.e. off-ramping, the custodial wallet provider can furnish valuable wallet information pertaining to that “sell” action. This information will include the details of the bank account that the fiat currency funds were transferred to as a result of the sell. The asset tracing or seizing process can then continue in the TradFi world by acquiring the records for that bank account.
Recovery from Non-custodial Wallets Requires the Private Key, or Some Creativity
Conversely, in non-custodial wallets the user retains private key control, either with a physical device like a hardware wallet or a phone application like a software wallet. The user has complete autonomy over the transactional functionality of their wallet without the intermediaries or middlemen found in custodial wallets (source: CoinDesk). Custodial wallets will offer a far better chance of asset recovery compared to non-custodial, though identifying a non-custodial wallet doesn’t completely render recovery impossible.
Non-custodial wallets offer unique challenges on their own simply due to the private keys remaining in the user’s custody. Wallet providers such as MetaMask, Electrum, and Trezor do not collect the same KYC and technical data that the custodial wallet providers typically do, thus there is no central authority to seek any exhaustive information from (source: Exodus). In some circumstances, identifying information about the user of the wallet can be acquired via OSINT. For example, in February 2022, a hacker leaked internal messages of the Conti Ransomware group, which included wallet addresses used by the group to facilitate their criminal enterprise (source: CoinDesk). This provided a wealth of information on non-custodial wallets that were previously unattributed to the Conti Ransomware group.
It takes more creative and intensive investigation processes to gain direct access to non-custodial wallets. The private key is necessary for asset recovery to proceed. Without it, the next best option is finding the wallet’s seed phrase.
Private keys are paired with seed phrases, an ordered list of random words that act as a password or recovery phrase in the event the user loses their long, alphanumeric private key (source: Coinbase). These seed phrases are often written down somewhere, stored in a document on the same device as the wallet, or memorialized by the user in some other manner. Finding and gaining access to the seed phrase will enable control of the wallet to initiate recovery. However, the likelihood of success with this approach is low as investigators usually require access to an individual’s house, property, device, or wallet itself.
There are examples of government agencies acquiring the private keys of a subject’s non-custodial wallet through other means, e.g. finding the key(s) through an authorized search of the subject’s electronic devices or residence, or the subject providing them to the government voluntarily in a custodial or non-custodial interview, and successfully seizing cryptocurrency assets that ultimately ended up in a non-custodial wallet. For example, in the Bitfinex hack case, the USG executed search warrants on online accounts controlled by the subjects and obtained access to files that contained the private keys required to access the cryptocurrency wallet that directly received the stolen funds from Bitfinex (source: US DOJ).
Funds from Non-Custodial Wallets are Commonly Transferred to Custodial Wallets for Conversion to Fiat
If asset recovery is not feasible in the event funds are transferred to a non-custodial wallet, the best option is surveillance of these wallets. Maintaining watch over the wallet through tracing tools, block explorers, or any other method will enable the concerned parties to monitor when funds are moved and to where. As cryptocurrency isn’t seamlessly integrated into society as a true fiat currency alternative, most users require a point where they can exchange between crypto and fiat to make real world application of the funds. Because of this, it is more common than not for funds to arrive at a custodial wallet, as these services are an extremely popular and accessible means to convert between crypto and cash and have the liquidity necessary to effect large transfers. Once a custodial wallet is identified, the process of recovering the assets through the provider can proceed as outlined.
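The surveillance loop described above can be sketched as follows; this is an added example, not code from the original article or from any tracing product. It assumes simple one-sender, one-recipient transfers already pulled from a block explorer, and the addresses, transfers and exchange label are all constructed. Each hop out of a watched wallet is added to the watchlist until funds land at an address attributed to a custodial service.

```python
# Constructed attribution data: deposit addresses tagged to a custodial service.
CUSTODIAL_LABELS = {"addrEX1": "Exchange One (constructed)"}

# Constructed transfers in chronological order, one sender and recipient each.
SAMPLE_TRANSFERS = [
    {"txid": "t1", "time": "2024-01-05T10:00Z", "src": "addrW",
     "dst": "addrH1", "amount": 5.0},
    {"txid": "t2", "time": "2024-01-06T09:30Z", "src": "addrQ",
     "dst": "addrEX1", "amount": 1.0},   # unrelated user, must be ignored
    {"txid": "t3", "time": "2024-02-01T12:00Z", "src": "addrH1",
     "dst": "addrH2", "amount": 4.9},
    {"txid": "t4", "time": "2024-03-10T08:15Z", "src": "addrH2",
     "dst": "addrEX1", "amount": 4.8},
]


def monitor(watch, transfers, custodial_labels):
    """Follow outgoing transfers from watched addresses, hop by hop."""
    watched = set(watch)
    events = []
    for t in transfers:
        if t["src"] not in watched:
            continue
        service = custodial_labels.get(t["dst"])
        event = {"txid": t["txid"], "time": t["time"], "to": t["dst"],
                 "amount": t["amount"]}
        if service:
            # On-chain tracing ends here; the next step is legal process
            # to the named service for account and withdrawal records.
            event.update(kind="custodial_deposit", service=service)
        else:
            # Still self-custodied as far as we know: keep watching the hop.
            event.update(kind="moved", service=None)
            watched.add(t["dst"])
        events.append(event)
    return events, watched


if __name__ == "__main__":
    for e in monitor({"addrW"}, SAMPLE_TRANSFERS, CUSTODIAL_LABELS)[0]:
        print(e["time"], e["kind"], e["to"], e["amount"], e["service"] or "")
```

The custodial address itself is never added to the watchlist, since its later outflows are pooled exchange activity rather than the subject's funds.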
Outlook
The cryptocurrency industry is no longer the “wild west”, and there are numerous examples of successful cryptocurrency asset tracing and seizure. That said, as the cryptocurrency userbase continues to innovate and evolve, asset recovery practitioners must keep up if they are to successfully challenge bad actors in this space.