In technical terms, forensics is the use of science and technology to investigate and establish facts for criminal or civil courts of law. Blockchain forensics, then, deals primarily with the recovery and analysis of the evidence left on a blockchain's ledger as the result of transaction activity: because the ledger is public and append-only, every transfer of value is recorded permanently and can be examined long after the fact.
Blockchain forensics enables organizations and experts to manage the financial-crime and reputational risks associated with cryptocurrencies and other blockchain applications, from the onboarding of new customers through the ongoing monitoring of existing ones. It brings user trust to the blockchain ecosystem and provides transparency into blockchain transactions, which deters their use for illicit purposes.
In the case of this year's high-profile Colonial Pipeline ransomware attack, the organization paid a ransom of 75 Bitcoins. Through the use of blockchain forensics and other undisclosed techniques and methods, the US FBI was able to recover 63.7 of those Bitcoins after the ransom was paid. The ransom payment was what enabled the FBI to follow the money, trace specific transactions and potentially identify IP addresses of the perpetrators. Once an IP address had been obtained, the FBI was able to geolocate the host running the Bitcoin Core node operated by the DarkSide affiliate and seize the host, along with the private keys, under a seizure warrant. Note that the public record does not detail exactly how the private key was obtained, only that the FBI had it.
The event showcased several other techniques as well: looking up partial blockchain addresses, the different challenges of seizing funds held at custodial addresses (an exchange, which can be served legal process) versus noncustodial addresses (where the investigator needs the private key itself), and address-clustering techniques, among other issues. The Colonial Pipeline case demonstrates that, in the hands of skilled investigators, crime still does not pay: it remains possible to identify perpetrators using a pseudonymous blockchain platform such as Bitcoin through a combination of skills, tools and techniques, and to recover ill-gotten gains or ransom payments.
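To make the techniques named above concrete, here is a small, added example (written for this page, not code used by the FBI or any investigative tool) that runs three of them over a constructed toy ledger: common-input-ownership clustering, which groups addresses that are co-spent in one transaction as belonging to one wallet; hop-by-hop tracing of funds forward from a seed address such as a ransom payment address; and partial-address lookup. All addresses, amounts, transaction IDs and the "known custodial" label list are made up for illustration, and the function names are this example's own.

```python
from collections import defaultdict, deque

# Constructed sample ledger (made up for this example, not real chain data).
# Each entry: (txid, inputs, outputs), with (address, amount_btc) pairs.
SAMPLE_TXS = [
    ("tx1", [("V1", 75.0)], [("R1", 75.0)]),                          # ransom paid to R1
    ("tx2", [("R1", 75.0), ("R2", 5.0)], [("S1", 63.7), ("S2", 16.3)]),  # R1 and R2 co-spent
    ("tx3", [("S2", 16.3)], [("EX1", 16.0), ("S3", 0.3)]),            # part lands at EX1
    ("tx4", [("U1", 1.0)], [("U2", 1.0)]),                            # unrelated activity
]

# Assumed label list, as an investigator would maintain it: custodial deposit
# addresses, where legal process to the custodian (not a seized key) is the
# recovery path. Hypothetical, for this example only.
KNOWN_CUSTODIAL = {"EX1": "deposit address at a hypothetical exchange"}


class UnionFind:
    """Disjoint-set structure used to merge addresses into ownership clusters."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def cluster_addresses(txs):
    """Common-input-ownership heuristic: all inputs of one transaction are
    assumed to be controlled by the same wallet. Returns address -> cluster.
    Outputs are registered but never merged; change-address detection is a
    separate heuristic and deliberately not applied here."""
    uf = UnionFind()
    for _txid, inputs, outputs in txs:
        for a, _ in inputs + outputs:
            uf.find(a)  # register so every address gets a cluster
        in_addrs = [a for a, _ in inputs]
        for a in in_addrs[1:]:
            uf.union(in_addrs[0], a)
    members = defaultdict(set)
    for a in list(uf.parent):
        members[uf.find(a)].add(a)
    return {a: frozenset(members[uf.find(a)]) for a in uf.parent}


def trace_forward(txs, seed, max_hops=3):
    """Follow the money: breadth-first over spends starting at `seed`.
    Returns address -> number of hops from the seed (the seed itself is 0)."""
    spends = defaultdict(list)  # spent address -> output addresses of that tx
    for _txid, inputs, outputs in txs:
        for a, _ in inputs:
            spends[a].append([o for o, _ in outputs])
    reached = {seed: 0}
    queue = deque([seed])
    while queue:
        cur = queue.popleft()
        if reached[cur] >= max_hops:
            continue
        for outs in spends[cur]:
            for o in outs:
                if o not in reached:
                    reached[o] = reached[cur] + 1
                    queue.append(o)
    return reached


def find_by_prefix(txs, prefix):
    """Partial-address lookup: every address on the ledger starting with
    `prefix` (investigators often hold only a truncated address from a
    ransom note or screenshot)."""
    seen = {a for _, ins, outs in txs for a, _ in ins + outs}
    return sorted(a for a in seen if a.startswith(prefix))


def custodial_endpoints(reached):
    """Which traced addresses belong to a known custodian."""
    return {a: KNOWN_CUSTODIAL[a] for a in reached if a in KNOWN_CUSTODIAL}


if __name__ == "__main__":
    clusters = cluster_addresses(SAMPLE_TXS)
    print("cluster of R1:", sorted(clusters["R1"]))
    flow = trace_forward(SAMPLE_TXS, "R1")
    print("reached from R1:", flow)
    print("custodial endpoints:", custodial_endpoints(flow))
    print("addresses starting with 'S':", find_by_prefix(SAMPLE_TXS, "S"))
```

On the toy ledger, `R1` and `R2` fall into one cluster because `tx2` spends both, while the outputs `S1` and `S2` stay unclustered: the heuristic says nothing about who controls outputs, and treating a change output as owned by the spender is a separate, weaker heuristic that real tooling applies with care. Tracing forward from `R1` reaches `EX1` in two hops, which the label list flags as custodial, the point at which an investigator would move from key seizure to legal process against the custodian.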
Blockchain adoption has advanced significantly in the past year, with rapidly expanding use cases such as proof of ownership of digital goods (collectibles, music and art) via non-fungible tokens (NFTs). Decentralized finance, or DeFi, has also emerged as one of the newest and most efficient ways for existing cryptocurrency holders to generate additional income through yield farming and, for bad actors, as a highly liquid mechanism to launder ill-gotten gains. DeFi remains the crypto Wild West because of the lack of regulatory guidance and oversight and the autonomous nature of DeFi smart contracts, which execute without any intermediary who could be compelled to freeze or return funds.
I am looking forward to sharing the specifics of some of the open source intelligence (OSINT) tools and techniques utilized in deciphering the Colonial Pipeline hack and other investigations at my presentation later this month at ISACA’s Evolve emerging tech virtual conference. Blockchain forensics is becoming an important skill to embrace for cybersecurity and auditing professionals, as blockchain technology, use of cryptocurrencies, and the derived applications are here to stay.
Editor’s note: For more blockchain insights, see this recent ISACA Live episode