chevron-down Created with Sketch Beta.
August 10, 2023 Feature

The Formula for Digital Asset Recovery

Johnny Lee

Digital assets are steadily gaining acceptance with users around the world. As the adoption rate grows, so do the types of users, the range of use cases, and the level of investment.

Indeed, businesses have begun to adopt cryptocurrencies as an inflation hedge or long-term store of value, as well as for payments and other uses. In the realm of cryptocurrency, there are a growing number of investment advisors and investors contemplating significant holdings in common currencies like Bitcoin and Ethereum.

This trend is unfolding for both retail and institutional investing, with all manner of traditional industries revisiting their stances on digital assets—from corporate treasury holdings to more strategic investments. Predictably, this has generated an entire industry of solution providers that educate, manage the custody of, and facilitate the trading of digital assets.

These adoption trends have also generated a maturation in risk-management considerations in this nascent arena. The notion of digital assets (and investing in same) has become so established that there are now tailored insurance products available—even for retail cryptocurrency investors.

Beyond cryptocurrencies, non-fungible tokens (NFTs) (unique digital assets that are not interchangeable, unlike cryptocurrency assets) give organizations another valuable use case for digital asset adoption. NFTs provide a flexible and innovative way to directly commoditize brand value and programmatically provide rights and/or privileges to the holder of record. Both creators and established brands are actively employing NFTs to generate revenue and to increase audience engagement. It is becoming axiomatic that, through the vehicle of NFTs, digital assets provide corporations with a unique way to interact with their customer base, enhance their brand, and monetize that enhancement—thereby creating powerful network effects.

Protect the Investment

As organizations shift focus and investment toward digital assets, risk-management considerations logically take hold. The risks that are top-of-mind tend to focus on security considerations. Adopting organizations want to know about the risk of misappropriation, fraud, and theft in the digital realm—as well as how digital assets can be traced or recovered in such cases.

Here, it may be helpful to draw parallels between digital assets and traditional assets, vis-à-vis tracing and recovery efforts. While the tracing and recovery of digital assets does present new challenges for investigators, the forensic work follows a familiar framework for a financial investigation:

  1. Identify the target suspected of theft or misappropriation;
  2. Gather information about the target (including the associated people, transactions, and assets of that target);
  3. Establish connections between target and assets;
  4. Follow the money; and
  5. Work to recover same.

Put differently, digital asset tracing and recovery is methodologically indistinguishable from a traditional forensic investigation, though new tools and techniques are required. Indeed, in some respects, the methods for tracing digital assets can be easier than traditional asset tracing; in other respects, the recovery of digital assets can be eminently harder than traditional means.

Call Upon Specialists

The permanent ledger of cryptocurrency transactions means that an immutable record of every transaction can be interrogated. In that respect, tracing transactions can be easier (with the right tools and techniques), as an investigator need only parse the ledger data (which is usually publicly accessible)—as opposed to obtaining bank records for potentially dozens or hundreds of different bank accounts.

Of course, with bank records, transactional data are tied to individual parties in a fairly straightforward manner. The same cannot be said of blockchain investigations involving cryptocurrency, as a valid identification is not required to establish a cryptocurrency address (which is tantamount to a bank account).

Accordingly, while tracing assets via a blockchain ledger is easier in some ways than traditional tracing mechanisms, the step of “attribution” (i.e., connecting transactional activity to individual participants) can be very challenging. This stems from the fact that blockchain ledgers (as a general rule) track only addresses, amounts, and transaction dates/times. The pseudo-anonymity of the participants to blockchain transactions provides an incentive for some actors to try and obscure their true identities. In such cases, additional context is needed to pierce this veil of anonymity and tie individual actors to specific transactions.

Thus, just as widespread adoption has spawned investment options and insurance products, it has also given rise to forensic specialists focused on tackling these novel cases. For several years, the tools, techniques, and specialists focused on this arena have been steadily rising—and improving.

In a headline-grabbing case in 2022, the U.S. Department of Justice arrested two individuals for their role in the theft of roughly $3.6B USD worth of Bitcoin from the Bitfinex cryptocurrency exchange in 2016. Deputy Attorney General Lisa O. Monaco said, “In a futile effort to maintain digital anonymity, the defendants laundered stolen funds through a labyrinth of cryptocurrency transactions. Thanks to the meticulous work of law enforcement, the department once again showed how it can and will follow the money, no matter what form it takes.”

Arrests like these are both more common in recent years and an illustration of the point that specialists are already performing fraud investigations using traditional asset-tracing and recovery technologies, enhanced with a command of digital assets. Indeed, for the case cited above, there was little mystery as to where the stolen funds went; anyone interested in reviewing the publicly available ledger would have identified the destination addresses related to the theft. The question that stymied law enforcement for over five years was the identity of the actor(s) associated with those destination addresses.

Those destination addresses are comprised of a string of alphanumeric characters, which forensic specialists can analyze to provide the history and context of interactions related to each address over time. The public nature of the distributed ledgers involved provides for transaction-flow analyses, even when actors attempt to obfuscate their transactional histories by distributing funds to dozens or hundreds of different accounts.

This is tantamount to what an investigator would do in a traditional asset-tracing exercise, observing the flow of funds from one bank account in one part of the world to another bank account somewhere else. In the digital asset arena, forensic specialists work to contextualize any address that was either an intermediary or a destination address along the way. Ultimately, an actor is likely seeking to convert cryptocurrency holdings into fiat currency, and this requires an “off-ramp” of some kind. Typically, these off-ramps are cryptocurrency exchanges (which convert crypto to fiat, and vice versa), and an increasing percentage of these exchanges are compliant with international financial compliance regimes, like the “Know Your Customer” provisions of the US Bank Secrecy Act.

This exchange-level compliance often provides forensic specialists with what might be their first contextualization of the transactional history (derived from ledger analytics) correlated to an identifiable human being. That contextualization (i.e., the identification of the human beings involved in the transactional flow) provides traction for the pivot from digital asset tracing to digital asset recovery.

Reputable exchanges can be subpoenaed to release the registered account information of the cryptocurrency addresses of interest. This close collaboration of forensic specialists and legal counsel is very similar to traditional asset-tracing and recovery gambits, as they focus on providing the requisite evidence needed to obtain a subpoena or court order within the appropriate jurisdiction. Such an approach now coincides with international regulatory and law-enforcement pressure over recent years to bring exchanges into compliance with traditional financial oversight provisions. The practical import of this coincidence is that reputable exchanges are eager to cooperate with lawful requests concerning their accountholders. Indeed, many exchanges have entire departments established for such requests, with detailed protocols to ensure that they cooperate with lawful requests for information about their accountholders.

Assuming the accountholder-identity question gets solved at this juncture, the investigative team now has additional options. The information provided by the exchanges typically leads into more traditional asset-recovery territory, but additional asset tracing could be required before a “freeze order” or injunctive relief can be levied against a traditional financial institution (for the accountholder in question).

Outside of securing the intramural records of a given exchange, digital asset tracing for so-called on-chain transactions is a blockchain-by-blockchain proposition. This stems from the fact that blockchain architectures can vary widely from one blockchain to another.

To illustrate, transactions on the Bitcoin blockchain (as well as other “Satoshi like” blockchains) have certain characteristics not necessarily shared with other blockchains. One such characteristic involves the manner by which multiple lesser-value input addresses may be used in concert to fund a larger transaction. This would be akin to paying cash for something expensive using a variety of low-value dollar bills and varied coins.

If any of these lesser-value input addresses have been used in the past, they may lend themselves to something called a “common spend” analysis. This analysis effectively enables a blockchain investigator to identify cryptocurrency addresses that—of logical necessity—were controlled by the same person or entity to conduct transactions. Such an analysis can be immensely valuable when investigators are trying to ascertain the “ownership” of a given address—especially when nothing else about the address is known to the investigators. Put differently, the architecture of Satoshi-style blockchains permits certain inferences related to a given address (attributable to a target or entity) via “related transactions” associated with that address via separate transactions.

As a general proposition, the “flow of funds” analysis in digital asset tracing is relatively straightforward from available public ledger data. That said, the particular architecture of a given blockchain may allow for the attribution of the actor behind otherwise anonymous transactions (vis-à-vis that same public ledger data).

The Formula Is Solved

The adoption of digital assets is on track to both continue and expand. Put differently, the mythology that cryptocurrency is nothing but a playground for criminals and miscreants is demonstrably false. Mainstream adoption continues unabated, and this adoption is taking on all manner of different forms, including digital assets held in corporate treasuries.

To the extent that there are concerns among those interested in this adoption, particularly about fraud, adopters are not without traditional remedies. Forensic and legal specialists have adapted established frameworks to trace and recover digital assets, leading to meaningful results for organizations that are victims of fraud and theft involving digital assets.

    The material in all ABA publications is copyrighted and may be reprinted by permission only. Request reprint permission here.

    Johnny Lee

    Grant Thornton

    Johnny Lee is a principal in the forensic advisory practice and the national practice leader of the forensic technology practice with Grant Thornton in Atlanta, Georgia.