Intelligence Analyst in Washington, D.C.
In September 2021, the IRS published a request for proposal titled “Development of Exploitation Techniques Against Cryptowallets.” According to the supporting documentation, the digital forensics unit of its Criminal Investigations branch has repeatedly encountered seized crypto hardware wallets (also known as cold storage devices) that could not be accessed because of their security features. The growing interest of law enforcement and tax authorities in this issue is long overdue. Although hardware wallets are one of the most effective ways for everyday crypto investors to keep their holdings safe, some devices contain features that can be grossly exploited, potentially facilitating the undetectable transfer of millions of illicit dollars every day.
In the world of cryptocurrency, the security of a wallet’s private key is paramount, since the key essentially serves as the wallet’s password and prevents the theft of its holdings. Crypto exchanges such as Coinbase offer clients the ability to keep their holdings in a hosted wallet by taking custody of their private key. However, a long history of cyberattacks targeting crypto exchanges has taught experienced investors to avoid entrusting their private keys to third parties. This dilemma has given rise to increasingly sophisticated hardware wallets that store private keys offline while allowing users to connect the device to the internet whenever they need to make a transaction or check their balances. Hardware wallets such as Trezor have countermeasures against everything from brute-force attacks to physical theft, making them both highly secure and popular. However, these devices have proven so impenetrable and anonymous that they have also attracted the attention of the criminal underworld.
Hardware wallets can be purchased online for less than $100. Since vendors rely on self-reported customer information for purchases, the identity of a hardware wallet owner cannot be verified. In other words, the purchase can be made anonymously with minimal effort. Once the device is in a bad actor’s possession, all he needs to do to maintain a low profile is avoid transacting with wallets hosted on crypto exchanges that conduct KYC/AML checks. This means he can both receive funds from and send funds to self-hosted wallets (e.g., hardware wallets) around the world with minimal risk of third-party monitoring. Some devices also allow users to purchase crypto through an interface with higher-risk exchanges that perform varying levels of KYC/AML, which can be easily circumvented. These exchanges can also be used to convert one crypto to another (e.g., bitcoin to Monero), which can serve as a countermeasure against blockchain forensics.
Perhaps the greatest opportunity to exploit hardware wallets comes in the form of abusing their recovery seed, a code that can be used to regain access to a hardware wallet’s contents in the event that the device is lost or stolen. For example, if an individual’s home were burglarized, he could purchase another hardware wallet and enter his recovery seed, which would immediately restore full access to the funds in the original wallet along with passwords and other device data. In the hands of bad actors, a recovery seed becomes an extraordinarily useful method of transferring money between two parties who can avoid meeting face-to-face and who will leave no trace of a crypto transaction on a blockchain. Consider the following example:
A drug cartel member living in El Paso, Texas, has been asked by management to transfer $500,000 to a colleague in Ciudad Juárez, Mexico, within the next 24 hours. This cartel member knows he is under surveillance by U.S. law enforcement and must act discreetly. As such, he contacts his colleague through an end-to-end encrypted communications app and provides recovery seed information to his hardware wallet containing $500,000 in cryptocurrency. In turn, his colleague uses a newly purchased hardware wallet to enter the recovery seed and is now in full possession of the funds. No actual transaction has been recorded on a blockchain, and it is almost as if the event never occurred in the first place.
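The reason the hand-off above leaves nothing on a blockchain is that restoring a wallet is a pure offline computation: under the BIP39 standard that Trezor and most other wallets follow, the recovery words are stretched with PBKDF2-HMAC-SHA512 into a 64-byte seed, and every private key the device will ever use is derived from that seed. Any device given the same words computes the same seed and therefore controls the same funds. The following Python is an added illustration written for this article, not code from the IRS, Trezor or the ACFE; it implements the standard seed derivation, checks it against the published BIP39 test vector, and shows how an examiner can confirm that two phrases unlock the same wallet without ever broadcasting a transaction. The phrase checksum against the 2048-word list is deliberately omitted for brevity.

```python
import hashlib
import hmac
import unicodedata


def mnemonic_to_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP39 seed derivation: words (+ optional passphrase) -> 64-byte seed.

    This is the computation a brand-new hardware wallet performs when a
    recovery phrase is typed into it. It needs no network access and no
    data from the original device, which is why possession of the words
    alone is equivalent to possession of the wallet.
    """
    words = unicodedata.normalize("NFKD", mnemonic)
    salt = "mnemonic" + unicodedata.normalize("NFKD", passphrase)
    return hashlib.pbkdf2_hmac(
        "sha512", words.encode("utf-8"), salt.encode("utf-8"), 2048, dklen=64
    )


def master_key(seed: bytes) -> tuple[bytes, bytes]:
    """BIP32 master node: the seed is the root of every key in the wallet.

    Returns (master_private_key, chain_code). Address-level keys are
    derived from this pair, so identical seeds mean identical addresses.
    """
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return digest[:32], digest[32:]


def restores_same_wallet(phrase_a: str, phrase_b: str, passphrase: str = "") -> bool:
    """Simulate the article's scenario: does entering phrase_b on a second
    device give control of the wallet created from phrase_a?"""
    return master_key(mnemonic_to_seed(phrase_a, passphrase)) == master_key(
        mnemonic_to_seed(phrase_b, passphrase)
    )


# Published BIP39 test vector (all-zero entropy, passphrase "TREZOR").
TEST_MNEMONIC = "abandon " * 11 + "about"
TEST_SEED_HEX = (
    "c55257c360c07c72029aebc1b53c05ed0362ada38ead3e3e9efa3708e5349553"
    "1f09a6987599d18264c1e1c92f2cf141630c7a3c4ab7c81b2f001698e7463b04"
)

if __name__ == "__main__":
    seed = mnemonic_to_seed(TEST_MNEMONIC, "TREZOR")
    print("seed matches published vector:", seed.hex() == TEST_SEED_HEX)
    # The "original device" and the "colleague's new device" agree.
    print("second device controls same wallet:",
          restores_same_wallet(TEST_MNEMONIC, TEST_MNEMONIC, "TREZOR"))
    # Change a single word and the derived wallet is unrelated.
    altered = "abandon " * 11 + "abandon"
    print("altered phrase controls same wallet:",
          restores_same_wallet(TEST_MNEMONIC, altered, "TREZOR"))
```

From an investigative standpoint the function `restores_same_wallet` is the useful part: given a phrase recovered from a seized device and one recovered elsewhere, an examiner can establish offline whether they govern the same funds, and the derived master key can be compared against on-chain addresses without anyone spending from the wallet.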
Recovery seeds can also have unexpected consequences for asset forfeiture cases tied to any sort of organized crime in which two or more people are working together. Consider the following example:
Law enforcement arrests a known drug cartel member in possession of a hardware wallet. The cartel member refuses to talk to law enforcement without a lawyer present, one who is likely being paid with cartel funds. Upon learning of the cartel member’s arrest, cartel leaders immediately use the recovery seed to transfer all crypto out of the wallet associated with the confiscated device. As a result, the evidence has disappeared and the asset forfeiture opportunity is gone.
There are no reliable statistics on the percentage of hardware wallets involved in suspicious activity. It is probably in the low single digits. But when it does happen, the transgressions can be egregious. With cryptocurrency at a $2.5 trillion market cap and growing, demand for hardware wallets will likely continue to rise for the foreseeable future. Consequently, an in-depth understanding of the functionality and vulnerabilities of popular hardware wallets is a good starting point for law enforcement. Encouraging their manufacturers to collaborate with authorities on ways to reduce their use in illicit activity will be just as important.
SOURCE: ACFE Insights – A Publication of the Association of Certified Fraud Examiners