Cryptocriminals Can’t Hide—Investigative Blockchain Technology Sniffs Out Illicit Activity

Co-Authored Article Between Chainalysis and Guidehouse

Cryptocurrencies could present money laundering and terrorism risks because they have been and continue to be used by bad actors for the purpose of avoiding the financial system to transmit the proceeds of illicit activities. There are tools and technology available to mitigate the risk of criminals who use cryptocurrencies rather than dollars or other fiat currency.

Investigative blockchain technology has created opportunities for financial institutions to mitigate their financial crime risk and increase payment transparency. While many of the investigative techniques for cryptocurrency will be familiar to investigators, there are specific concepts and protocols that are unique. Guidehouse operates at the forefront of these technological developments and can offer stakeholders unique insights and practical techniques to investigate, identify, and root out financial crime on the blockchain, including by investigating indirect financial crime exposure.

What Is Indirect Exposure?

Chainalysis, a premier blockchain data platform, defines exposure as the relationship between entities that is created through transactions. Indirect exposure is the indirect connection between the source and the first service that is encountered. Investigating indirect activity reflects an understanding of how money launderers actually work. In most situations, as with fiat currency, money launderers look for ways to layer the movement of illicit funds to obfuscate the source of their ill-gotten gains. Criminals in the cryptocurrency space typically hide the source of the funds by sending the proceeds of illicit activity through multiple intermediary wallets and through “mixers” and “tumblers” before the funds are sent to an exchange or a cash-out service.

The very nature of the multiple movements underscores the necessity for financial institutions to look beyond their direct exposure, to their indirect exposure. To do this, any institution that engages in cryptocurrency should develop and implement robust blockchain analytics protocols and technology.

How to Investigate Indirect Exposure

There is no one-size-fits-all approach to investigating indirect exposure in cryptocurrency transactions. However, the first step in conducting any cryptocurrency investigation is choosing the appropriate tool for the job. In most cases, this will be an enterprise blockchain analytics platform [1]. These platforms combine on-chain data with open-source intelligence (OSINT) and other methods to identify addresses and wallets that can be attributed with a high degree of certainty to a single controlling entity. This grouping is called “clustering.” Using these clusters, investigators can determine if a counterparty is a commercial exchange, a mixing service, or a sanctioned entity.

Not all addresses can be easily clustered, however. It is not always possible to definitively cluster intermediary addresses, which gives rise to the concept of indirect exposure. Even so, the fact that a blockchain analytics platform cannot cluster a particular address does not mean an investigator cannot ascertain whether an intermediary address in a transaction is controlled by a bona fide third party or is potentially being used to obfuscate a source or destination of funds.

While each blockchain has particularities in how to investigate, understand, and attribute indirect exposure, there are several overarching methods that an investigator can use to clarify indirect exposure:

Use a risk-based investigative approach.

It may not be feasible to investigate every instance of indirect exposure. While there are some risks for which institutions have a zero-tolerance threshold (such as sanctioned entities, terrorist financing, and child abuse materials), other risks may only be worth investigating based on an institution’s risk and threshold tolerance.

Evaluate a cluster’s transaction risk characteristics.

Clusters with numerous, recent, or high-value indirect exposure to high-risk counterparties likely require more scrutiny than those that have limited, historic, and low-value transactions.

Evaluate a wallet’s transaction risk characteristics.

If an intermediary address conducts hundreds of transactions worth thousands of dollars per week, it is likely a service (such as an exchange) and likely represents a change in control of the cryptocurrency.

Transfers through numerous addresses do not necessarily represent a change in control.

Given the ease of conducting transactions on blockchains, an investigator cannot rely on a large number of intermediary addresses to indicate that a cryptocurrency has changed hands. It is relatively easy to route a transaction through dozens or even hundreds of addresses controlled by a single entity in an attempt at obfuscation. 

Transfers in round cryptocurrency or fiat values can be payments for legal goods and services.

While cryptocurrency is not as widely adopted as fiat currency, it is often used to pay for legal goods and services. Transfers in round cryptocurrency or fiat values are indications that the transfer may be a payment and therefore could be a change in control of the cryptocurrency.

Pay attention to a transfer’s value and timing.

When viewing a chain of transfers, those of the same or similar value sent soon after one another could indicate a continuity of control. Similarly, if an address holds funds for a long period of time before transferring them, this could indicate a change of ownership.

OSINT can identify addresses.

While enterprise blockchain analytics tools conduct their own OSINT, it is not possible for them to capture everything. Investigators can and should supplement this by conducting their own desktop research to attempt to identify addresses.

It is important to remember that while the above methods apply generally across blockchains, each specific protocol has specific methods for understanding indirect exposure that are unique to that blockchain. Engaging highly trained investigators is vital to understanding and applying these nuances.
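The sketch below is an added example, not code from Chainalysis or Guidehouse. It applies the wallet-activity, round-value, and value-and-timing heuristics above to a constructed chain of intermediary hops; every threshold, field name, and address is an assumption chosen for illustration.

```python
from dataclasses import dataclass

# All thresholds are illustrative assumptions, not values from the article.
SERVICE_TX_PER_WEEK = 100   # "hundreds of transactions ... per week"
VALUE_TOLERANCE = 0.02      # forwarded amount within 2% of amount received
QUICK_HOURS = 24            # "sent soon after one another"
LONG_HOLD_HOURS = 90 * 24   # "holds funds for a long period of time"

@dataclass
class Hop:
    address: str       # constructed placeholder, not a real address
    value_in: float    # coins received by the intermediary
    value_out: float   # coins forwarded to the next hop
    usd_out: float     # fiat value of the forwarded amount
    hours_held: float  # delay between receipt and forwarding
    weekly_tx: int     # observed weekly transaction count of the address

def is_round(x: float) -> bool:
    """Assumed definition of 'round': one significant figure (0.5, 2, 3000)."""
    return x > 0 and float(f"{x:.1g}") == x

def classify(hop: Hop) -> tuple[str, list[str]]:
    change, same = [], []
    if hop.weekly_tx >= SERVICE_TX_PER_WEEK:
        change.append("service-like volume")
    if is_round(hop.value_out) or is_round(hop.usd_out):
        change.append("round-value payment")
    if hop.hours_held >= LONG_HOLD_HOURS:
        change.append("long hold before transfer")
    drift = abs(hop.value_in - hop.value_out) / hop.value_in if hop.value_in else 1.0
    if drift <= VALUE_TOLERANCE and hop.hours_held <= QUICK_HOURS:
        same.append("similar value forwarded quickly")
    if change and same:
        return "conflicting", change + same  # signals disagree: analyst review
    if change:
        return "change_of_control", change
    return ("same_control", same) if same else ("undetermined", [])

def first_change_of_control(chain: list[Hop]):
    """Walk from the source; return the first address where control likely changes."""
    return next((h.address for h in chain if classify(h)[0] == "change_of_control"), None)

# Constructed sample chain: two pass-through hops, then a high-volume address.
CHAIN = [
    Hop("addr_A", 4.8371, 4.8369, 131_204.17, 0.5, 3),
    Hop("addr_B", 4.8369, 4.8367, 131_198.74, 1.2, 2),
    Hop("addr_C", 4.8367, 0.7312, 19_834.55, 6.0, 950),
]
```

A hop that returns `conflicting` or `undetermined` is where the OSINT step described above would come in, since the on-chain signals alone do not settle who controls the address.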

How Can Guidehouse Help?

Guidehouse’s team has in-depth knowledge of blockchain analysis and investigation in the US, Europe, and globally, and understands best practices operated by cryptocurrency providers. Our team includes compliance officers, attorneys, bankers, former regulators, prosecutors, law enforcement officers, accountants, and IT professionals. Our professionals bring to bear critical expertise and resources to help clients rapidly conduct blockchain investigations and assess your financial crime framework to determine whether it is operationally effective and meets regulatory expectations. 

Our relevant expertise includes the following: 

  • Compliance Program and Policy and Procedure Reviews
  • Transaction Reviews
  • Anti-money laundering (AML) and Sanctions Consulting
  • Customer Reviews
  • Global Investigative and Operational Services
  • Technological Services 
  • Vendor Sourcing and Governance
  • Training and Quality Assurance
  • Outsourced AML Officer Services

Guidehouse can quickly review and assess your AML and Sanctions compliance program to determine whether it is sound, to identify gaps or weaknesses, and/or to conduct training on AML and Sanctions investigations and compliance. 
Guidehouse is well-equipped to make an individualized assessment of your unique circumstances and offer innovative advice and solutions for responding to heightened regulatory requirements.

 Special thanks to Nick Bohmann for contributing to this article. 


[1] Notable blockchain analytics platforms include Chainalysis, CipherTrace, TRM Labs, and Elliptic.
