In brief

  • Crypto forensic investigators such as CipherBlade are tracing criminals’ digital footsteps and restoring their ill-gotten gains to their victims.
  • CipherBlade boss Rich Sanders tracked $2 million stolen from crypto influencer Ian Balina to hackers on a Discord server.
  • Sanders uses analytics tools such as CipherTrace and Chainalysis, but often finds law enforcement slow to act on his findings.

Cryptocurrency was supposed to be anonymous: a way to transfer money without banks and governments. It’s the currency of choice for whistleblowers and privacy advocates. But the promise of secrecy has also enticed countless crypto scammers, thieves and fraudsters, who try to profit at other people’s expense.

And because the blockchain is anonymous, they thought, their crimes could never come back to haunt them. They were dead wrong. Public blockchains are pseudonymous rather than anonymous: every transaction is a permanent, publicly readable record, and an industry of private crypto forensic investigators has sprung up to read it, often working hand in hand with law enforcement to trace criminals’ digital footsteps and restore their ill-gotten gains to their victims.

Inside the world of crypto forensics

Decrypt rode shotgun with one of these for-hire white-hatted sleuths, Rich Sanders, CEO and founder of blockchain investigation and crypto forensics firm CipherBlade. Since 2018, Sanders' six-person company—along with a retinue of 30-40 white hatters—claims to have recovered millions of dollars worth of stolen cryptocurrencies in hundreds of cases. 

But rid yourself of mental images of hooded teenagers in dark rooms lit only by endless lines of code. “People have this image in their heads of these super sophisticated black-hat hackers that are going after Binance and Coinbase and stealing hundreds of millions in one fell swoop. That's not what it is,” Sanders told Decrypt under lockdown from his apartment in Pittsburgh. (On Zoom, of course). 

It’s the soon-to-be-ex-wife that hides cryptocurrency to support her elopement with the gardener; a shady exchange owner that siphons his customers’ money through mixers; a backstabbing friend that got greedy after a seed phrase was forgotten on the kitchen counter. Sanders spends his days following these threads of betrayal and deception to find his clients’ money. He calls it “victim management.”

Sanders is ex-military. He retired from the army just three months ago after 12 years of service (he had joined at 17). He first provided artillery support to troops in Afghanistan and later served in a psychological operations unit—there, he was told to “win hearts and minds and ultimately change thoughts into behaviors that are within US national interests.”

Understanding what people want and, he says with a hint of regret, “exploiting that,” can be very powerful. “If I know that somebody has a whole bunch of speeding tickets or a bunch of tickets for not wearing a seatbelt, I know they're more likely to gamble.”

That stood him in good stead when he fell down the crypto rabbit hole years later. “These things are never just on chain investigations. I've never had one investigation where all we had to work with is the blockchain,” he said. 

When crypto influencer Ian Balina was robbed of $2 million worth of crypto in 2018, Sanders traced the hackers to a Discord server, where they’d hang out and play videogames. He joined it, posing as a 19-year-old girl, around the same age as the hackers. “They want validation,” he explained. “They want approval; they're on social media flashing their watches and their drinks.”

“That was the downfall of a few of them,” he said. Using tools such as a voice changer, Sanders spent several weeks gaining the confidence of the hackers, who later boasted about their scheme: they had bought databases full of leaked usernames and passwords online and ran through the records for cryptocurrency accounts, hoping they’d find someone with significant holdings. In Balina, they had found their jackpot. In Sanders, a siren.

Diagnosing a crypto breach

Sanders’ first task when taking on a client is to “diagnose” the incident.

“The overwhelming majority of these situations are not complicated breaches,” he said. “It's people that are making simple mistakes, like storing a seed phrase on Google Drive. How many people still fall for the ‘send me one ETH and I'll send you back ten’?”

Simple mistakes can prove disastrous. “If I plug your email address into a leaked database and I find that you reused a password. Well, guess what? Now I've got the keys to the castle, and if those keys to the castle get me into your Dropbox, which is also not secured, I've got your seed phrase. It's never too complex,” he said. 
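The leaked-database check described above, as an added example that is not part of the original article and not CipherBlade's tooling: a Python sketch of the k-anonymity range query that services such as Have I Been Pwned's Pwned Passwords use, so a password can be tested against a breach corpus without the full password, or even its full hash, leaving the client. Both the server side and the client side are simulated offline against a small constructed dump; the dump contents, the account names and the function names are assumptions for illustration, and the reuse audit across several accounts goes one step beyond the single lookup the text describes.

```python
"""Breach-corpus lookup with k-anonymity, plus a password-reuse audit.

Added example, not code from the article or from CipherBlade. The breach
dump below is constructed for illustration; it is not real leaked data.
"""
import hashlib

# Constructed "leaked database" (assumption): plaintexts of the kind a scammer
# buys in a credential dump. A real service stores only hashes of these.
CONSTRUCTED_DUMP = ["password1", "letmein", "hunter2", "Tr0ub4dor&3", "seedphrase2018"]


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1, the digest the range-query scheme is keyed on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_breach_index(plaintexts):
    """Server side: map 5-char hash prefix -> {35-char suffix: occurrence count}."""
    index = {}
    for pw in plaintexts:
        h = sha1_hex(pw)
        bucket = index.setdefault(h[:5], {})
        bucket[h[5:]] = bucket.get(h[5:], 0) + 1
    return index


def range_query(index, prefix: str) -> str:
    """Server side: answer a range query with 'SUFFIX:COUNT' lines.

    The server only ever sees the 5-char prefix, which many unrelated
    passwords share, so it cannot tell which one the client holds.
    """
    rows = index.get(prefix.upper(), {})
    return "\n".join(f"{suffix}:{count}" for suffix, count in sorted(rows.items()))


def times_breached(password: str, query) -> int:
    """Client side: hash locally, send only the prefix, match the suffix locally.

    `query` is any callable taking a prefix and returning the server's text;
    here it wraps range_query() so the whole exchange runs offline.
    """
    h = sha1_hex(password)
    prefix, suffix = h[:5], h[5:]
    for line in query(prefix).splitlines():
        if not line:
            continue
        got_suffix, _, count = line.partition(":")
        if got_suffix == suffix:
            return int(count)
    return 0


def audit_accounts(accounts: dict, query) -> list:
    """Report passwords that are reused across accounts or sit in the breach corpus.

    accounts: {account_name: password} (constructed in the usage below).
    Only the hash is compared across accounts, so a reuse check never needs
    the plaintexts side by side.
    """
    by_hash = {}
    for account, pw in accounts.items():
        by_hash.setdefault(sha1_hex(pw), []).append(account)
    findings = []
    for services in by_hash.values():
        count = times_breached(accounts[services[0]], query)
        if len(services) > 1 or count:
            findings.append({"accounts": sorted(services),
                             "reused": len(services) > 1,
                             "breached": count})
    return sorted(findings, key=lambda f: f["accounts"])


if __name__ == "__main__":
    index = build_breach_index(CONSTRUCTED_DUMP)
    query = lambda prefix: range_query(index, prefix)
    # Constructed victim profile: the same password on mail and exchange.
    victim = {"gmail": "hunter2", "exchange": "hunter2", "dropbox": "uniq-pass-9x!"}
    for finding in audit_accounts(victim, query):
        print(finding)
```

The finding that matters in the scenario the text describes is the combination: a password that is both reused across the mailbox and the exchange and present in a breach corpus is exactly the "keys to the castle" case, and the audit flags it without the checker ever transmitting the password.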

He describes a typical initial exchange between him and a client:

“Let's pretend they were using a Trezor. 'Okay, great, you were using a Trezor. Where did you keep your seed phrase?'

“'Well, in a book.'

“'Did you ever take a picture of the book?'

“'Oh shit. Yes I did.'

“'Do you use Google Photos?'

“'Yeah, I do.'

“'It's in your Google photos, isn't it?'

“'Yeah.'

“'What security does your Gmail have?'

“'I don't use Google Authenticator.'

“'Did you reuse a password?'”

And so on, until Sanders has enough data to start tracing the funds on the blockchain, usually to an exchange—the last stop before they are traded for fiat currency and withdrawn to a bank account. Missteps by hackers often speed up the process: they might reuse an email address or forget to use a VPN while on their cousin’s Wi-Fi.

How crypto sleuths track stolen funds

Technically, anyone can trace funds using a blockchain explorer, but most of Sanders’ on-chain sleuthing is conducted through industry-leading analytics tools from CipherTrace and Chainalysis, which automatically map the flow of transactions and attach attribution labels, such as which deposit addresses belong to which exchange, making it far quicker to work out where the money has gone.

Should funds reach their most common final destination—crypto exchanges—Sanders picks up the phone. “If most people just contact an exchange out of the blue asking for funds to be locked up, the exchange is probably going to be like, ‘Who the hell are you?’” 

Through experience, he’s learned which buttons he needs to press. Analytics tools can “visually demonstrate” how stolen funds ended up in a customer’s account, meaning that victims will “have a chance for the funds to actually be frozen in the exchange—at least temporarily until law enforcement emails them.”
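The flow mapping such tools automate, as an added example that is not code from the article, from CipherBlade, CipherTrace or Chainalysis: a Python sketch of proportional ("haircut") taint tracing over a constructed transaction ledger. Starting from the theft transaction, each later transaction passes taint to its outputs in proportion to how much of its input value was stolen, so commingling with clean money dilutes the trail rather than erasing it, and the report at the end lists how much stolen value sits at exchange-labelled deposit addresses together with the transaction path that carried it there, which is the kind of picture the text says persuades an exchange to freeze funds. The ledger, the address labels and the exchange names are all constructed; real tools also cluster addresses into wallets and offer other taint models (FIFO, poison), which this sketch does not.

```python
"""Proportional taint tracing from a theft transaction to exchange deposits.

Added example, not an analytics vendor's code. The ledger, addresses and
exchange labels are constructed for illustration, not real chain data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Tx:
    """One transaction: which addresses paid in and which were paid out.

    Simplification (assumption): an address used as an input is spent in full.
    """
    txid: str
    inputs: dict    # address -> amount spent
    outputs: dict   # address -> amount received


# Constructed ledger in chronological order. tx1 is the theft; the thief
# splits the funds, commingles one branch with unrelated money, and cashes
# out part of each branch at exchange deposit addresses.
LEDGER = [
    Tx("tx1", {"victim": 100.0}, {"thief": 100.0}),
    Tx("tx2", {"thief": 100.0}, {"hop_a": 60.0, "hop_b": 40.0}),
    Tx("tx3", {"hop_a": 60.0, "clean": 60.0}, {"hop_c": 120.0}),
    Tx("tx4", {"hop_c": 120.0}, {"exch_dep_1": 90.0, "hop_d": 30.0}),
    Tx("tx5", {"hop_b": 40.0}, {"exch_dep_2": 40.0}),
]

# Attribution data a vendor would supply; constructed labels here.
LABELS = {"exch_dep_1": "ExchangeA", "exch_dep_2": "ExchangeB"}


def trace_taint(ledger, theft_txid):
    """Return (taint, route) after the haircut model is run over the ledger.

    taint: address -> stolen value it still holds
    route: address -> list of txids that carried stolen value to it
    Every output of the theft transaction starts fully tainted; each later
    transaction forwards taint to its outputs in the ratio
    tainted input value / total input value.
    """
    txs = {tx.txid: tx for tx in ledger}
    if theft_txid not in txs:
        raise KeyError(f"unknown theft transaction {theft_txid}")
    theft = txs[theft_txid]
    taint = dict(theft.outputs)
    route = {addr: [theft_txid] for addr in theft.outputs}

    started = False
    for tx in ledger:
        if tx.txid == theft_txid:
            started = True
            continue
        if not started:
            continue                      # transactions before the theft are irrelevant
        tainted_in = sum(taint.get(a, 0.0) for a in tx.inputs)
        if tainted_in == 0.0:
            continue                      # no stolen value flows through this tx
        ratio = tainted_in / sum(tx.inputs.values())
        # The first tainted input supplies the route prefix for the outputs.
        prefix = next(route[a] for a in tx.inputs if a in taint)
        for a in tx.inputs:               # inputs are consumed by the spend
            taint.pop(a, None)
            route.pop(a, None)
        for addr, amount in tx.outputs.items():
            taint[addr] = taint.get(addr, 0.0) + amount * ratio
            route[addr] = prefix + [tx.txid]
    return taint, route


def exchange_report(taint, route, labels):
    """List stolen value sitting at labelled (exchange) deposit addresses."""
    report = []
    for addr, amount in taint.items():
        if addr in labels and amount > 0:
            report.append({"exchange": labels[addr], "address": addr,
                           "stolen_value": round(amount, 8),
                           "path": " -> ".join(route[addr])})
    return sorted(report, key=lambda r: r["exchange"])


if __name__ == "__main__":
    taint, route = trace_taint(LEDGER, "tx1")
    for row in exchange_report(taint, route, LABELS):
        print(row)
    print("still on chain:", {a: v for a, v in taint.items() if a not in LABELS})
```

The haircut is visible at tx3: the 60 stolen units are mixed with 60 clean ones, so only half of everything downstream counts as stolen, and the 90 deposited at ExchangeA is reported as 45 stolen. Total taint is conserved at 100 throughout, which is a useful sanity check on any tracing run.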

Law enforcement can be slow to act, though. For instance, getting the FBI to work with the Nigerian police force is “a huge hassle,” not worth, say, $5,000 in stolen funds, said Sanders. And the average response time for the FBI’s cyber crime reporting tool, he said, is three months. Subpoenas and other court orders further protract the process. Some cases never get resolved due to a lack of “the right information shown to the right people.”

“It is a monolithic bureaucratic process and this can take a long time,” he said. Law enforcement are “incredibly understaffed; incredibly under-resourced,” he said. But “they are hungry to learn. I have never worked with anyone in law enforcement that was not eager to learn some type of methodology or best practice.”

While law enforcement awaits further funding, crypto sleuths like Sanders will fill in the cracks.
