Spurt in crypto-related scams, thefts continues to dog law enforcement agencies

Triveni Singh, IPS, SP, cybercrime, Uttar Pradesh Police fails to hide his disappointment when speaking about the surge in crypto-related scams and thefts over the past year, and the slow progress that law enforcement agencies are making in stemming such crimes. “Investigating crypto crimes is technically challenging. The success rate is very low and we have managed to crack very few cases so far,” he rues.

In most cases, criminals lure people into investing in fake mining scams or trick them into joining fake exchanges and wallets created for the sole purpose of stealing cryptos. "I've also come across cases where criminals hack into genuine wallets and then transfer the cryptocurrencies to wallets controlled by them," he explains.

Singh and many others in law enforcement agencies in India are struggling to keep up with and track such crimes. Unlike the theft of fiat money from online wallets or bank accounts, which can be traced to destination accounts or wallets, tracking stolen cryptos is trickier due to the decentralized nature of blockchain platforms — the underlying technology behind cryptos that are designed to protect anonymity of users.

Vicky Ray, principal researcher, Unit 42, the threat intelligence arm of security firm Palo Alto Networks, points out that criminals have made tracking crypto crimes more complex by moving money from one wallet to multiple wallets and then using mixers, which convert one cryptocurrency into another, making tracking even more difficult. The anonymity associated with cryptos are being used in India and elsewhere for tax evasion, money laundering, and to buy illicit goods and services.

However, it’s not that the anonymity makes tracking impossible. It's just that it takes a very long time and success rates are low. Mukul Shrivastava, partner, Forensic and Integrity Services, EY India points out, criminals can be traced by tracking trading on crypto exchanges, tracking IP (internet protocol or web) addresses, and more. However, in most cases transactions are carried out using spoofed IP addresses, virtual private networks (VPN), or on public WiFi systems, which make things a tad more difficult. In such cases, it might be a good idea to use a web crawler for gathering information, and using predictive modelling and artificial intelligence (AI)-based technologies.

While blockchain platforms may be designed for anonymity, they also leave a trail of transactions that cannot be deleted. “But to trace this trail can take years,” says Shrivastava. According to Singh, law enforcement agencies often seek assistance from crypto exchanges for information on transactions. They also use open-source forensic analysis tools to get transaction details on public Blockchains. Blockparser and Blockchain Explorer are some of the tools that are commonly used by law enforcement agencies to analyse Blockchain ledgers.

However, there’s still work to be done. Shrivastava laments that tracking crypto crimes is still a grey area. “This space is evolving so fast that catching up will always be a challenge for any enforcement agency, be it in India or globally,” he explains.

To be sure, crypto crimes have been growing globally. A January 2022 report from blockchain tracking firm Chainalysis shows that cybercriminals laundered $8.6 billion worth of cryptocurrency in 2021 globally by transferring cryptos from illicit addresses to addresses hosted by services. India, on its part, does not have a legal framework for cryptos yet. Crypto frauds are handled under existing cyber laws. Despite this, crypto transactions in the country have soared. Though there is some dispute over the actual number of crypto investors in India, some of the biggest crypto exchanges such as CoinSwitch Kuber claim to have over 15 million users.

According to Pavan Duggal, a leading cyberlaw expert and Supreme Court advocate, Indian law enforcement agencies are ill-prepared to deal with crypto crimes. "There is a lack of capacity building, requisite tools as well as people who understand Web3 platforms. Many times, law enforcement agencies end up tampering with the electronic records due to lack of awareness, diminishing the chances of getting a potential conviction," he adds.

Duggal insists that law enforcement agencies need to hire experts who are well versed in cryptocurrencies and blockchains. EY’s Shrivastava agrees. He points out that agencies need to ensure that the cybercrime investigator understands these technologies and knows their way around them. “You also need expert ethical hackers. The best enforcement agencies in the world have these kinds of people working for them,” he adds.

Globally there are examples of law enforcement successfully tracking crypto crimes, even though they have taken a significant amount of time. For instance, in February, the US Department of Justice (DOJ) recovered cryptos valued at approximately $4.5 billion and arrested two people for conspiracy to launder it. The cryptos were stolen in 2016 after a cyberattack on the crypto exchange Bitfinex. The culprits were identified after they transferred the funds into their financial accounts. Similarly, last week, the DOJ charged two people for their alleged role in a million-dollar non-fungible token (NFT) scam.

Indian law enforcement agencies, too, are working on upskilling to fight crypto crimes until they have resources to hire crypto experts. According to Singh, the police is working with technical bodies like the Centre for Development of Advanced Computing (CDAC) to provide crypto-related training to cybercrime units.