Decoding

Crypto
Crime
A Guide for
Law Enforcement
Disclaimer
This publication has been prepared from the original material as submitted by the author. It has not
undergone editing by the editorial staff of the OSCE. The views expressed remain the responsibility of the
author and do not necessarily represent the views of the OSCE, Missions, or its participating States.

The OSCE, its Missions, and its participating States disclaim any responsibility for any consequences
that may result from the utilization of this publication. This publication does not address questions of
responsibility, legal or otherwise, for acts or omissions on the part of any person. The mention or reference
to specific countries or territories in this publication does not signify any stance by the OSCE regarding their
legal status, their governing authorities, institutions, or the delineation of their borders.
Decoding
Crypto
Crime
A Guide for
Law Enforcement

Decoding Crypto Crime: A Guide for Law Enforcement 3

Table of contents

Acronyms, abbreviations and key terms with explanations 6

Introduction 8
Goal of this guide 8
Structure of the guide 9
Background 9
About the OSCE 11
Understanding digital assets: A simplified guide 13
Cryptocurrencies vs. FIAT 15
Underlying technology: Blockchain 15
Types of cryptocurrencies 16
Convertible and non-convertible currencies 16
Centralized and decentralized currencies 17
Pseudo currencies and privacy coins 17
Crypto wallets 18
Crypto wallet addresses 18
Crypto wallet explorers 19
Exchanging cryptocurrencies 19
Mixers and tumblers 19
VASPs and CASPs 20
Protocol for handling digital asset-related crimes 21
The four most important pieces of information to collect 22
Time 22
Financial institution 22
Size 22
Type of cryptocurrency 22
Best practice for each type of transaction 24
Gathering evidence 27
Gathering information from an individual 28
Collecting cryptocurrency wallet addresses 28
Requesting data from VASPs 29
Format information for VASP data 31
Reliability of obtained IP addresses 31
Collecting IP addresses 31
Other documents to request 32
Taking cases to court 33
Prosecutors of virtual asset cases 34
Investigative stage 34
Trial or investigation preparation 34
Recommendations and contacts for complex cases 35
Support for victims 37
Challenges victims should be warned about 38

4
Selected types of crimes committed involving cryptocurrencies 39
Cryptocurrency investment schemes 40
What is it? 40
Different types of this scam 40
How to address it 40
Extortion and sextortion 41
What is it? 41
How to address it 43
“Rug pull” scams 44
What is it? 44
Phishing scams 44
What is it? 44
Different types of this scam 44
What can be done to avoid it? 45
Man-in-the-middle attacks 45
What is it? 45
How to address or avoid this? 45
Fake websites imitating cryptocurrency exchanges 45
What is it? 45
How to address or avoid this? 45
Secondary scams 45
Further tools for virtual asset crime investigations 47
Blockchain analytics tools 48
Information offered by wallet explorers 48
Real-world examples 48
Examples of free blockchain analytics tools 48
Blockchain analytics providers 49
Co-operation with experts on digital assets 51
Identifying local expertise 52
International support 52
Europol Platform For Experts (EPE) 52
INTERPOL’s Financial Crime and Anti-Corruption Centre (IFCACC) 53
UNODC Virtual Assets Programs Against Cybercrime and Money Laundering
and Investigation Workshops 53
Basel Institute on Governance 54
FinCrime Fighters Foundation 54
Recommendations for law enforcement post-reporting 55
Summary and principles of co-operation with the OSCE 57
The OSCE’s Virtual Assets Support Initiative 58
Who we are 58
A short selection of further reading 59
About the author 60
Acknowledgements 61

Decoding Crypto Crime: A Guide for Law Enforcement 5

Acronyms, abbreviations and
key terms with explanations

5th AML Directive Directive (EU) 2018/843 of the European Parliament and of the Council of
30 May 2018 amending Directive (EU) 2015/849 on the prevention of the use of the
financial system for the purposes of money laundering or terrorist financing, and
amending Directives 2009/138/EC and 2013/36/EU (Text with EEA relevance).
This directive added crypto assets to its scope. By 10 January 2020, Member States
must implement the required laws and regulations to follow this directive.

AML Anti-money laundering – Refers to laws, regulations, and procedures intended to

prevent criminals from disguising illegally obtained funds as legitimate income.

CASP Crypto asset service providers – Entities that offer services related to crypto assets
to the public. These services can encompass a wide range of activities, including but
not limited to:
1. Exchange Services: Facilitating the buying and selling of crypto assets for FIAT
money or other crypto assets.
2. Wallet Providers: Offering custodial or non-custodial wallets to store, manage, and
transfer crypto assets.
3. Transfer Services: Enabling the transfer of crypto assets from one address or
account to another.
4. Financial Advisory: Providing advice on the buying, selling, or holding of crypto
assets.
5. Custody Services: Holding and safeguarding crypto assets on behalf of clients.
(See p. 20 for more information.)

COE Council of Europe – An international organization dedicated to upholding human

rights, democracy, and the rule of law in Europe.

CTF Counter-terrorism financing – Refers to policies and actions to prevent the funding of
terrorist activities. It seeks to detect and halt the flow of money, from both legitimate
and illicit sources, to groups intending to carry out acts of terror.

ERC20 Tokens Ethereum request for comment 20 Tokens – Implemented in 2015, this is a technical
standard used for creating and issuing smart contracts on the Ethereum blockchain.

EU European Union – A political and economic organisation of 27 European countries

that are located in Europe.

EPE Europol Platform for Experts – A Europol lead space for law enforcement experts to
share knowledge, best practices and non-personal data on crime.

EUROPOL European Union Agency for Law Enforcement Cooperation – The European Union’s
law enforcement agency that assists its Member States in their fight against serious
international crime and terrorism.

FATF Financial Action Task Force – An intergovernmental standard setting body founded
to develop policies to combat money laundering and terrorism financing.

6
 FinCEN The Financial Crimes Enforcement Network – A bureau of the United States
Department of the Treasury that collects and analyses information about financial
transactions.

FIU Financial intelligence unit – A government agency responsible for collecting,

analyzing, and disseminating financial information and intelligence on suspected
money laundering and terrorism financing activities.

IP Internet protocol – A set of rules governing the format of data sent over the internet
or other networks.

LER Law enforcement request – A request made by law enforcement agencies to

companies or individuals seeking information for investigations.

MiCA Regulation (EU) 2023/1114 of the European Parliament and of the Council of 31 May
2023 on markets in crypto-assets, and amending Regulations (EU) No 1093/2010
and (EU) No 1095/2010 and Directives 2013/36/EU and (EU) 2019/1937.
This is a new EU Regulation governing crypto assets. It will be in force from
30 December 2024.

ML Money laundering – The illegal process of making large amounts of money generated
by a criminal activity falsely appear to have come from legitimate sources.

MultiSig Wallet Multi-signature cryptocurrency wallet – Type of cryptocurrency wallet that requires
multiple private keys to authorize a transaction.

OCEEA The OSCE’s Office of the Co-ordinator of Economic and Environmental Activities

OSCE Organization for Security and Co-operation in Europe – A regional security

organization in Europe focused on promoting dialogue and comprehensive
co‑operation across military, political, environmental, and economic dimensions.

OSINT Open source intelligence – Information collected from publicly available sources
used in an investigation context.

OTC Over the counter – The trading of virtual assets securities between two parties with
or without a central exchange or broker.

UNODC United Nations Office on Drugs and Crime – An office operating within the United
Nations responsible for producing and disseminating data on drugs and crime.

VASP Virtual asset service provider – A term introduced by the FATF to denote an entity
that conducts activities or operations for virtual assets.
(See p. 20 for more information.)

VPN Virtual private network – Technology that allows to create a secure connection over
a less secure network between an individual’s computer and the internet, sometimes
but not always to hide the location of the user.

Decoding Crypto Crime: A Guide for Law Enforcement 7

Introduction

Goal of this guide

This document serves as a It also intentionally focuses on the is globally available from day one,
comprehensive guide for law interactions between law enforcement while best practices in cryptocurrency
enforcement officers, including police and natural persons. Information on investigations continue to lag behind.
officers, prosecutors, state and federal STRs (Suspicious Transaction Reports) In response to this growing challenge,
agents, as well as tax and forensic or SARs (Suspicious Activity Reports) we have developed this guide that
specialists who have been newly used by financial institutions or financial outlines how law enforcement should
introduced to cryptocurrencies and intelligence units (or their equivalents) proceed in investigations and in
other virtual assets. It’s tailored for has been disregarded. assisting potential victims who report a
those who are increasingly tasked with cryptocurrency-related crime.
investigating crimes related to crypto Multiple issues had been identified in
assets. the current way cryptocurrency cases Recognizing the complexities of the
have been dealt with, for example, topic and the diversity of legal situations
It focuses on the most common types due to incomplete data collection, and practices across various different
of scams and fraudulent behaviour, investigators reported that they had to OSCE participating States, our goal is
explains the best practices for officers, get in contact with victims to gather not to offer an exhaustive guide, but
which actions to take and what type information like a cryptocurrency wallet rather a practical manual that can be
of information can be recorded from address, without which an investigation used on an ad hoc basis by first line
potential victims, especially during the remains impossible. Officers need law enforcement agents that receive
initial evidence-gathering process at to understand which information is reports from citizens. It is intended
local police stations. vital to collect and which is not. Such to prompt conversations on how
miscommunication often results in days to enhance internal best practices,
This guide has been written of delays, since victims may not fully particularly if existing guidelines do
and designed to be a guide understand which information is relevant not cover cryptocurrencies. The most
for law enforcement officers. It for law enforcement. common fraudulent practices have
purposefully does not cover areas been summarized as they stand today
of cryptocurrencies that are unlikely This knowledge gap is not just an and introductory material is provided to
to be important in police cases in inconvenience; it has been exploited by facilitate a deeper understanding of the
connection with individual victims. criminals who recognize that technology subject.

8
This guide serves as an essential guide may need to be supplemented and continuous learning within the
stepping stone in bridging the gap with additional knowledge. community. The ultimate aim is to
between law enforcement and the equip law enforcement officers with the
constantly changing world of virtual This guide emphasizes not only knowledge and confidence needed to
assets. It should be recognized that the the tools and strategies necessary confront the unique challenges posed
Web3 space in which cryptocurrencies for effective investigations, but by cryptocurrency-related crimes.
operate is rapidly evolving and that this also aims to foster collaboration

Structure of the guide

The primary aim of this guide is to will be examined to ensure a clear victims, data to share with virtual asset
educate law enforcement officers who understanding. Additionally, the potential service providers, and information that
are new to the field of virtual asset uses and misuses of cryptocurrencies can be obtained from virtual asset
crimes, and to support victims reporting and the technology that supports them exchanges.
such crimes. With this objective in mind, will be discussed.
the guide is structured as follows: Accessibility and language simplification:
After establishing a foundational Due to the complexity of the field, the
Firstly, a concise overview of digital understanding of virtual assets, the authors have used simplified, non-
assets is offered. Digital assets can guide presents the common crimes technical language to make this report
be thought of as a large umbrella associated with them. It then describes accessible to beginners. By avoiding
term that includes subjects like standard protocols for dealing with jargon, the aim is to ensure that the
cryptocurrencies such as Bitcoin and these crimes, identifying which can be content is clear and understandable
Ethereum. An explanation of what they quickly addressed and which require for all readers. Finally, the guide offers
are and how they are similar or different more thorough investigations. The victim support resources and presents
from one another will be provided. guide also covers evidence collection various suggestions that can help
Their differences and similarities for each crime, questions to ask prevent cryptocurrency-related crimes.

Background
Investigations centred around crypto us to determine the perpetrators of with updated standards issued by the
assets might appear intimidating at first, cryptocurrency criminal cases. These Financial Action Task Force (FATF). This
particularly given the misconceptions tools are becoming increasingly user- development means that companies
surrounding the difficulty of asset friendly and widespread, heralding a operating with cryptocurrencies must
recovery. It is a myth that once a change in the investigative landscape. now adhere to processes initially
national currency has been converted designed for traditional banking
into a cryptocurrency like Bitcoin, Despite all of these tools, we do still institutions. They are requested to
the funds are irretrievably lost, see many investigations conducted by verify the identities of their customers,
leaving victims helpless and forcing local police officers closing prematurely scrutinize the sources of funds, and
investigators to close their cases. This due to limited understanding and monitor where cryptocurrencies are
perception was accurate until a few knowledge. Contrary to common belief, being sent.
years ago, but times have changed. cryptocurrency transactions can be
traced. By accurately recording data Recognizing these shifts, the OSCE
This progress in technology has at the onset, there’s a heightened Virtual Asset Expert team has decided
opened new doors, similar to how likelihood of linking transactions to a to launch a support guide specifically
DNA verification has allowed cold potential suspect, seamlessly merging tailored to members of local law
cases to be reopened and solved. virtual and tangible evidence. enforcement units. This guide will not
We can now reopen previously closed only illuminate the new possibilities in
cryptocurrency cases. The ever- In recent years, several OSCE cryptocurrency investigations, but also
growing accessibility of tools designed participating States have begun empower law enforcement officers with
to detect and review cryptocurrency integrating cryptocurrencies and other the knowledge and tools they need
transactions on blockchain and virtual assets into their national anti- to pursue justice in this complex and
changes in international law allows money laundering regulations in line evolving field.

Decoding Crypto Crime: A Guide for Law Enforcement 9

10
About the OSCE

The OSCE is the Organization for by nature not limited to a single country specific vulnerabilities. Throughout
Security and Co-operation in Europe. or currency, and thus cross-border the implementation of the project,
It operates as a regional security co‑operation is vital. the OCEEA, together with the United
organization with the purpose of Nations Office on Drugs and Crime’s
promoting dialogue and co‑operation The OSCE also encourages the Global Programme against Money
and takes a comprehensive view of establishment of legal frameworks Laundering (UNODC GPML), has
security, encompassing everything and robust regulatory measures to continued to assist three countries
from the military and political to tackle both classic money laundering in Eastern Europe and Caucasus —
the environmental and economic and terrorist financing, as well as Georgia, Moldova, and Ukraine — in
dimensions. to implement measures to detect bringing their virtual assets (VA) and
and prevent illicit activities involving virtual assets service provider (VASP)
The OSCE was established during cryptocurrencies. This includes ensuring regulatory framework in compliance
the Cold War in 1975 and currently that participating States comply with with the FATF Recommendations while
consists of 57 participating States. international anti-money laundering providing relevant law enforcement
These States are predominantly in (AML) and counter-terrorism financing agencies in these three countries with
Europe, where much of the work of (CTF) standards. capacity-building and technical support.
the OSCE is focused, but also include
Canada and the United States in North Training programmes and workshops To enhance the efficiency of the project,
America, as well as countries such as are run by the OSCE in aid of this, with the OSCE team has partnered with
Kazakhstan, Kyrgyzstan and Uzbekistan the intention of improving the expertise the UNODC, which has contributed its
in Central Asia. It operates on the of law enforcement agencies, financial in-house expertise and practical training
principles of comprehensive security, institutions, and other relevant actors programmes on cryptocurrencies,
which encompasses military, political, in dealing with financial and crypto money laundering (ML) and terrorist
economic, environmental, and human crimes. These efforts aim to improve financing (TF) risks, investigation,
dimensions. investigative techniques and the use of seizure and confiscation, regulation,
cutting-edge technologies to detect and and customer due diligence. The
In Europe, the OSCE works to combat cybercrime and crypto-related OCEEA continues to support relevant
foster stability and address security criminal activities. authorities, such as central banks,
challenges. Its primary aim is to compliance departments of key financial
prevent conflicts and promote regional For the purpose of this publication, institutions, financial intelligence units,
co‑operation through mechanisms the OSCE is responding to the need general prosecutor’s offices, ministries
such as diplomatic negotiations, of specific participating States to of justice and internal affairs, by
conflict resolution initiatives, and arms address the risks posed by the use of assisting in drafting regulations and
control agreements. In addition, there virtual assets for criminal purposes and instructions for personnel, organizing
is work that the OSCE does to support for the circumvention of international awareness-raising activities and
democratic and human rights, such as sanctions. This addressing of risk is the facilitating interagency and international
monitoring elections. essential goal of the project “Innovative co-operation in the investigation of
policy solutions to mitigate money crimes conducted with the use of
When it comes to the topic of financial laundering risks of virtual assets”, which cryptocurrencies.
crime and crypto crime, the OSCE is being led by the OSCE’s Office of
helps to combat these challenges by the Co-ordinator of Economic and This publication has been created as a
facilitating intelligence exchange and Environmental Activities (OCEEA). part of the innovative policy solutions
capacity-building among its participating to mitigate money laundering risks of
States, which works to improve the The ultimate objective of this project virtual assets projects, financed by
flow of cross-border information. This is is to build the capacities of national Germany, Italy, Poland, Romania, the
important work, since crypto crimes are authorities to counter these virtual asset United Kingdom, and the United States.

Decoding Crypto Crime: A Guide for Law Enforcement 11

Greta Barkauskienė leading a workshop for investigators in Astana, Kazakhstan. Drawing on her extensive expertise as an AML expert and as
the national tactical co-operation group co-ordinator for the Lithuanian PPP Center of Excellence in Anti-Money Laundering, she brings best
practices from both public and private stakeholders to empower beneficiary countries.

Investigators’ workshops held in Tbilisi, Georgia, focused on key aspects of cryptocurrency asset seizure, including the preparation of secure
facilities for potential confiscations. These workshops were closely linked to a follow-up exercise aimed at enhancing skills in identifying,
transferring, and recovering cryptocurrency assets on the Blockchain. Photo: Michal Gromek.

12
Understanding
digital assets:
A simplified guide

Decoding Crypto Crime: A Guide for Law Enforcement 13

Understanding digital assets:
A simplified guide

This section will cover the differences between various

digital assets, FIAT and cryptocurrencies. We will also
distinguish the differences between various types of
cryptocurrencies and the infrastructure around them.

There is often confusion as to what the prominent type of distributed ledger

difference is between digital assets, technology, but there are other DLT
virtual assets, crypto assets and technologies, such as Hashgraph, Iota Types of digital assets
cryptocurrency. Tangle, R3 Corda and multiple others.
For the purpose of this guide we are H O W T O D I F F E R E N T I AT E B E T W E E N
DIFFERENT TYPES BASED ON TECHNOLOGY
Simply put, a digital asset is the focusing on blockchain-based finance. AND PURPOSE

broadest term. It is an asset that exists

in digital form. This includes images, Within digital assets, there are many
DIGITAL ASSETS
videos, music, as for example in different types of assets, including The broadest
term
MP3 format, documents, and virtual cryptocurrencies, which are new types
Any asset that exists in
currencies. of currency that work using blockchain digital form. This
includes images, videos,
music, documents, and
technology, and non-fungible tokens virtual currencies.

A virtual asset is a narrower set of (NFTs), which are image-based assets.

digital assets. According to the FATF,1 VIRTUAL ASSETS
Possibility to trade
virtual assets (crypto assets) refer to any Thus, once a crypto asset is developed
A digital representation
digital representation of value that can to be traded, transferred or used for of value that can be
digitally traded, or
transferred.
be digitally traded, transferred or used payment, we would refer to it as a
for payment. It does not include digital cryptocurrency. You may also come
representation of FIAT currencies. across the term virtual currency, which
CRYPTO ASSETS
is often used interchangeably with Technology
specific
By contrast, a crypto asset has an cryptocurrency. The distinguishing factor
A type of asset that is
even narrower niche. It is an asset that between cryptocurrency and virtual built on a distributed
ledger (DLT) or similar
technology as part of
stores value but must be transferred currency is the underlying technology. their perceived value.

by distributed ledger technology (DLT). Cryptocurrencies use blockchain,

CRYPTO
Blockchain is a type of DLT. You can whereas virtual currencies are not CURRENCIES
have a virtual asset like a coin in an necessarily built on blockchain. Trade & payment
Are DLT-based assets are
online game that is not a crypto asset traded, transferred or
used for payment.
because it is transferred between This guide will predominantly
players in the game without employing focus on crimes committed with
distributed ledger technology. cryptocurrencies.
Blockchain is currently the most

With the permission of the author

(from Alexandra Andhov, Computational
Law, Karnov, 2022).

1 Financial Action Task Force, source: https://www.fatf-gafi.org/en/topics/virtual-assets.html#:~:text=Virtual%20assets%20(crypto%20assets)%20refer,digital%20

representation%20of%20fiat%20currencies (accessed: 26 Sept. 2023).

14
Cryptocurrencies vs. FIAT

Traditional coins and paper money, facilitating electronic transactions currencies, with its value soaring to
known as “FIAT currency,” have been without changing its value. E-money is a remarkable heights. Back in 2021, it
the backbone of our economies digital representation of fiat currency. reached a value of over $64,000 per
for centuries. But with the rise of coin. Cryptocurrencies, such as Bitcoin
technology, new forms of money have Contrary to FIAT, cryptocurrencies and Tether, are not guaranteed by any
emerged, blurring the lines between operate in a decentralized environment. government or central bank. Whilst not
the tangible and the virtual. When They aren’t tied to any government anywhere near as old as FIAT currency,
individuals make electronic transfers or central bank, and various factors, virtual currencies are not as novel as
of FIAT currency from one person to including demand, technology, and most people presume. One of the first
another, they use “e-money.” E-money, trust, determine their value. Bitcoin, virtual currencies — E-Gold — was
or electronic money, represents our a leading name in this realm, has already introduced almost 30 years ago,
familiar FIAT currency in a digital form, showcased the potential of these in 1996.

Summary of E-Gold

One of the first popular virtual currencies was called “E-Gold.” First established in 1996 by Douglas
Jackson and Barry Downey, E-Gold allowed users to open an account with a value denominated in
grams of gold (or other precious metals) and the ability to make instant transfers of value to other E-Gold
accounts.

In 2005, E-Gold had 2.5 million account holders, performing daily transactions at a typical value of
US$6.3 million. It was popular due to its efficiency, low fees, and global accessibility. However, its lack of
strict regulations also attracted illicit activities. In 2007, E-Gold was indicted by a grand jury in the United
States, whereby the company was accused of money laundering, conspiracy and operating an unlicensed
money-transmitting business, ultimately leading to the shutdown of E-Gold by the US courts in 2009.
E-Gold spawned a range of copycats, such as e-Bullion.com, Pecunix.com and others.2

It is important to be specific when currencies can refer to both e-money become confusing. In this guide, we
discussing this field, since virtual and cryptocurrencies. This can quickly focus on cryptocurrencies.

Underlying technology: Blockchain

Blockchain is a type of distributed by a majority of users to become different purpose, when you look
ledger technology (DLT). This new permanent. underneath, nearly all buildings have
technology first emerged in 2008 in been built with bricks and cement.
a white paper published by Satoshi There are many different blockchains.
Nakomoto.3 It is defined as being Blockchain simply refers to the Just as with buildings, some
decentralized, since there is no single underlying technology. Imagine each blockchains can be accessed by
control center or person in charge. blockchain as a building. While each anyone without needing permission,
Instead, changes can be made by any can look very different on the outside, while some require approval before
user, but they have to be accepted and each building can have a very you’re allowed to join.

2 “Feds accuse E-Gold of helping cybercrooks”, NBC News, May 2007.

(Available: http://redtape.nbcnews.com/_news/2007/05/02/6346006-feds-accuse-e-gold-of-helpingcybercrooks (accessed: 24 August 2023).
“Internet currency firm pleads guilty to money laundering”, The Industry Standard, July 2008. Available at: http://web.archive.org/web/20090414185759/http://
www.thestandard.com/news/2008/07/22/internet-currency-firm-pleads-guilty-money-laundering (accessed: 24 Aug. 2023). Synopsis of e-gold Transactions
(1996) E-Gold. Available at: http://www.e-gold.com/unsecure/synopsis.htm (accessed: 24 Aug. 2023).
3 Nakamoto, S. (2008) A peer-to-peer electronic cash system, Bitcoin. Available at: https://bitcoin.org/en/bitcoin-paper (accessed: 26 Aug. 2023).

Decoding Crypto Crime: A Guide for Law Enforcement 15

In this regard we distinguish between have to validate the new block allows investigators to conduct
public and private blockchains. using “consensus methods” (this investigations. Because of the
Public blockchains are called involves quite complex mathematical distribution of the blockchain ledger
“permissionless” and tend to require equations, to ensure it can be trusted). to every user, blockchain is called
less transparency or control, while Because the blocks are all linked “distributed ledger technology” or DLT.
“permissioned” blockchains are often together, it is nearly impossible to go It is like a “google sheet” upon which
used for enterprise purposes and to a previous block and change it. everyone can collaborate and see the
require the person wanting to join to This means that the system cannot be previous versions. Since everything is
be approved. tampered with. Any new information, visible and cannot be altered without
including changes of old information, is everyone being able to see it, there
The blockchain is named this way recorded in a new block. is a high level of transparency, trust
because users add or change “blocks” and security. There is also a high
of data, and these blocks are tied Blockchain works by allowing all level of resilience to attacks: Because
together in a chain chronologically users connected to that chain to see every single person has a copy of the
(by time). When one user makes or the entire history of the chain (the blockchain and there is no centralized
uploads a new block (for example, “ledger”). Therefore, with a bitcoin version, even if one user (“node” in
a new transaction with a bitcoin), blockchain the users can see every blockchain terminology) gets attacked
all other users on the blockchain transaction that has occurred. This and fails, the system can still operate.

Block 1 Block 2 Block 2

• Hash 1 • Hash 1 • Hash 2

• Time stamp • Hash 2 • Hash 3
1 (20:10:22, • Time stamp • Time stamp
11/10/2019) 2 (20:11:31, 3 (20:10:41,
11/10/2019) 11/10/2019)

With the permission of the author (from Alexandra Andhov, Computational Law, Karnov, 2022).

Types of cryptocurrencies

There are two ways of distinguishing Convertible and crimes occur. Examples of convertible
between cryptocurrencies: non-convertible currencies currencies include Bitcoin and E-Gold.

• Whether they are convertible or Convertible currencies have an Non-convertible currencies are like the
nonconvertible equivalent value in FIAT currency and gold coins that stay within a computer
can be exchanged back for “normal” game. Crime committed with these is
• Whether they are centralized or money. This convertibility is not less likely, since they don’t hold real
decentralized guaranteed since cryptocurrencies world value. However, some individuals
are not backed by any government find a way to trade them outside the
These distinguishing characteristics are or institution. The convertibility of a boundaries of the game they exist in,
described in more detail below. cryptocurrency to a FIAT currency making them convertible outside the
is based on the market and private game, even if it’s against the game’s
offers being accepted. This is the rules. For example, somebody can
type of cryptocurrency where most transfer “collected gold coins” from one

16
player to another player in a game, with centralized (since, for example, one entire internet, a decentralized system
the transaction paid offline in cash. can’t have a currency within a game doesn’t have one main controller. Even
without the game being in charge of though most people use the internet
the currency). When exchanging a daily, there’s no single company that is
Centralized and centralized convertible currency, the paid; instead, various providers are paid
decentralized currencies exchange rate is determined by market for different services. This is how the
supply and demand, or it is fixed by blockchain network technology behind
Centralized cryptocurrencies are the administrator. A good example of a cryptocurrencies like Bitcoin is used.
overseen by a single authority that centralized currency is E-Gold. Transactions are managed through
issues the currency, sets its rules, the network and there is no other
maintains a payment ledger, and Decentralized currencies, on the monitoring by any authority.
has the power to withdraw it from other hand, lack a central authority
circulation. and operate based on a peer-to-peer A selection of ten cryptocurrencies
Centralized currencies can be network. Think of a decentralized with the largest market caps as of
convertible or nonconvertible. Non- system like the internet. Just as there 23 August 2023 are listed below, as
convertible currencies are always is no one supervisor in charge of the based on the link in the footnote.4

Comparable to the gross

Name Symbol Market cap (23 Aug. 2023) domestic product of the
following country5

Bitcoin BTC $514,912,135,787 Sudan

Ethereum ETH $201,475,414,760 Haiti

Tether USDt USDT $82,835,552,223 Somalia

BNB BNB $33,285,580,473 Andorra

XRP XRP $27,991,699,189 Curacao

USD Coin USDC $26,005,195,827 Lesotho

St. Vincent and the

Cardano ADA $9,357,776,591
Grenadines

Dogecoin DOGE $8,965,846,112 Northern Mariana Islands

Solana SOL $8,792,761,272 Samoa

TRON TRX $6,938,358,042 American Samoa

Pseudo currencies and privacy coins

Pseudo-anonymous currencies involve cryptocurrency is linked to identifiable transaction details and associated
accounts that use pseudonyms, data. Coins within this category include identities, making it challenging to
meaning that while transactions aren’t Bitcoin and Ether. trace them back to the original user.
directly tied to personal identities, Examples of such coins are Monero
some identifying information remains. Conversely, privacy coins offer greater and Zcash.
For instance, a typical FIAT currency anonymity by employing advanced
bank account used to purchase cryptographic methods to obscure

4 All cryptocurrencies (2023) CoinMarketCap. Available at: https://coinmarketcap.com/all/views/all/ (accessed: 24 Aug. 2023).
5 Based on the World Bank GDP data (current US$), https://data.worldbank.org/indicator/NY.GDP.MKTP.CD?most_recent_value_desc=false (accessed on
23 Aug. 2023).

Decoding Crypto Crime: A Guide for Law Enforcement 17

Crypto wallets

A cryptocurrency wallet is where different forms as well: an app on the Crypto wallet addresses
cryptocurrency is stored. A useful phone, a device that looks like a USB
analogy is to imagine how money is drive, or just a piece of software (a bit Cryptocurrency wallet addresses are
stored around the globe today. similar to your email address) to which similar to a bank account number.
you will have access after typing in a Having somebody’s bank account
Money comes in different forms. Some login and password. Even though there number doesn’t mean having access
of it is stored in gold bars hosted by are different kinds of cryptocurrency to somebody’s money. Crypto wallet
large banks, some of it circulates in wallets, they use the same technology. addresses have long, complicated
the form of paper banknotes, online Most have 12-, 18-, or 24-word sequences with many case-sensitive
bank transfers or cryptocurrencies. recovery passwords that can re-open letters and numbers. Here are two
Cryptocurrency wallets come in the wallet. examples:

A cryptocurrency wallet for the currency TRON

TYm3NTSyk85t9UHSd68DY4vGWQADHXpaXJ

A cryptocurrency wallet for Bitcoin

Bc1qu5z7kn0v2krhglsnan4c0m5f76xk69p53wjwgh

The difference between traditional bank decode an IBAN number and contact the country’s code, a two-digit safety
account numbers and crypto wallet the relevant authority. check, and then details about the bank
addresses is that compared to a crypto and the account. Sometimes different
wallet address, a lot of information An IBAN is an international bank countries format these bank details
can be gathered from a bank account account number. It can have up to differently. For example:
number. Law enforcement can easily 34 letters and numbers. It starts with

IBAN:
• LT44 3250047338696265
LT identifies the Republic of Lithuania,
32500 identifies the Revolut Bank UAB
47338696265 is the account number of the user6

If an IBAN bank account number like this For pseudo-anonymous In order to find identification information
appears in an investigation, the officer cryptocurrencies like Bitcoin, no law of the owner, a specialized software is
would know to contact the Lithuanian enforcement office will be able to needed, as for example, a blockchain
Bank Revolut. This information can identify personal information about the analytics provider.
be obtained from so-called “IBAN account holder based on an account
validators,” such as iban.com or https:// number like this: Blockchain analytics providers can reveal
wise.com/gb/iban/checker. Then the bc1qu5z7kn0v2krhglsnan4c0m5f76xk- the identification information of users
process to obtain personal information 69p53wjwgh. and track transactions across different
about the account user can be started. cryptocurrencies, a common tactic

6 IBAN and financial institution codes, Bank Of Lithuania, https://www.lb.lt/en/iban-and-financial-institution-codes (accessed 25 Sept. 2023).

18
used with stolen cryptocurrencies. The cryptocurrency, an explorer can be exchangers (CEX) and decentralized
ability of such providers to identify which used to confirm this by searching for exchangers (DEX).
financial institutions or crypto exchanges the transaction using the transaction
(VASPs – vrtual asset service providers) ID or a wallet address. P2P stands for peer-to-peer, and
have this identity information depends thus person-to-person or, more often,
on the laws of the country in which they • Auditing and record-keeping: For user-to-user (since legal entities can
operate. For this reason, international individuals or businesses that need sell or offer their assets). Here users
actors like the OSCE are helping to maintain records of transactions, are not buying from the exchange itself,
their participating States align with explorers can provide detailed but from other users. An example of
international best practices in this area. information when a transaction such a P2P exchange that has ceased
occurred, how much was sent, and operation was the Finnish provider
the involved addresses. called LocalBitcoin.com.
Crypto wallet explorers
• Research and analysis: Developers, Such exchangers sell their own virtual
Because the leading types of public researchers, and analysts often use assets and do not match users with
blockchain are open to everyone, one wallet explorers to study the overall each other.
can look through all of the transactions health and activity of a blockchain.
that happen in a wallet using a “crypto They can see how many transactions Peer-to-peer changes are subject to
wallet explorer.” are taking place, the size of AML and CTF regulation7 and require
transactions, and more. detailed user information. They also
A crypto wallet explorer is a search must follow certain rules in the countries
engine designed specifically to navigate • Wallet balance: By entering a they operate.
blockchain data. It provides detailed wallet address into an explorer, one
information about individual blocks, can view the balance of a particular Decentralized exchanges claim that they
transactions, and associated wallets. cryptocurrency wallet and see its function like automatic file converters
Think of it as “Google” for blockchain transaction history. (e.g., .doc to .pdf). They are mostly
transactions. used for crypto-to-crypto transactions
and less frequently for FIAT-to-
Free wallet explorers: crypto exchanges. Funds involved
It is easy to find crypto wallet explorers in decentralized exchanges require
Watch out: for each type of cryptocurrency simply specialized support for tracing.
by typing “best free XXX cryptocurrency
One might need a different wallet explorer” into a normal internet This is just the tip of the iceberg. There
wallet explorer for each type search engine. are also new types of exchanges, as
of cryptocurrency. Best the above-mentioned decentralized
practice is to type the name Using these tools, anyone can explore exchanges, OTC exchanges, mixers
of the cryptocurrency one and verify transactions on a blockchain, and tumblers. This is a rapidly evolving
desires to review and add the even without owning cryptocurrency or technology that is being developed with
expression “wallet explorer” having an in-depth knowledge of the the purpose to hide traces of users’
or “blockchain explorer” into technology. In the same way we can transactions. Many OSCE participating
a search engine to review search the internet with solid search States are taking actions to limit the
the leading providers. Such tools, we can search blockchains. usage of such tools.
services are generally free.

Exchanging cryptocurrencies Mixers and tumblers

Main uses of crypto wallet explorers: Similarly to “normal” money, one needs Mixers and tumblers are services
to use a specific platform to exchange designed to enhance the privacy and
• Transaction verification: Wallet one type of cryptocurrency to another anonymity of cryptocurrency transactions.
explorers allow users to verify that or to FIAT currency. There are three Their primary function is to mix the funds
a transaction has taken place. main types of platforms: peer-to- of various users, thereby obfuscating the
When someone claims they sent peer exchanges (P2P), centralized original source of the funds.

7 This applies only for crypto-exchanges operating in countries that have implemented the FATF’s recommendation 15, which requests countries to incorporate
financial entities dealing with cryptocurrencies into their AML and CTF framework.

Decoding Crypto Crime: A Guide for Law Enforcement 19

Mixers these coins with other users or its the coins. However, centralized mixers
These are centralized or decentralized own coins. Once the “mixing process” are operated by a single entity, which
services that mix cryptocurrency funds is complete, the service sends the can potentially log the transactions. The
from various sources to hide their origin. equivalent amount of coins minus a Europol EC3 team is offering courses
Users send their cryptocurrencies (like fee to the user’s specified address, in demixing, courses available for
Bitcoin) to a mixer, which then shuffles making it difficult to trace the origin of confirmed law enforcement only.

Mixer-like related services in traditional banking

Mixers operate similarly to conventional banks where funds are deposited and withdrawn. Consider a
large financial institution where various individuals deposit money. If this institution aggregated all these
deposits and then dispersed them to account holders without specifying the origin of each dollar, this
would resemble the mixing process. Funds are overseen by a known entity, such as a centralized mixer,
and once inside, these funds intermingle with others. Leading blockchain analytics providers claim to
offer automatic or manual “demixing” services for most of the leading mixers, allowing these providers to
review the transactions across such services.8

Tumblers tumbler is also to improve transactional ensure the mixed coins cannot be linked
Tumblers are similar to mixers, and privacy. Some consider tumblers as back to their original sources.
in many contexts the terms are used more sophisticated versions of mixers.
interchangeably. The primary goal of a They use advanced algorithms to

Tumber-like related services in traditional banking

Tumblers can be compared to bank accounts in countries that are defined as tax havens, or offshore
banks reputed for offering enhanced confidentiality and privacy. Such banks typically employ intricate
structures and services tailored for privacy and asset safeguarding. In the realm of cryptocurrency,
tumblers utilize cutting-edge mathematical algorithms to maintain the anonymity of transactions, affording
a more refined level of concealment than standard mixers. Tracing a transaction across a tumbler is
complex and time-consuming, but not impossible.

Differences and similarities VASPs and CASPs There are a number of terms used
While both mixers and tumblers serve interchangeably when it comes to
the same purpose of enhancing A virtual asset service provider (VASP) VASPs. “VASP” was decided on by
transactional privacy, the nuances undertakes the following activities: the Financial Action Task Force (FATF).
between them often come down However, “CASP,” standing for crypto
to their methods and level of • Facilitating the exchange between asset service provider, is commonly
sophistication. It’s like comparing virtual assets and FIAT currencies; used in the EU instead of VASP. The
basic web browsers to those offering number of services defined under
enhanced privacy features. Both • Facilitating the exchange between CASPs is wider than those of VASPs.
allow you to browse the internet, but one or more forms of virtual assets; The terms “exchanges” and “brokers”
one offers more advanced tools for are also sometimes used, but they
maintaining anonymity. • Facilitating the transfer of virtual represent only one of many types of
assets from one wallet to another, VASP or CASP.

• Providing financial services related to

the sale of virtual assets.

8 The author was unable to confirm or deny those claims prior to the editorial deadline of this publication.

20
Protocol for handling
digital asset-related
crimes

Decoding Crypto Crime: A Guide for Law Enforcement 21

Protocol for handling digital
asset-related crimes
The four most important pieces of information to collect

When a potential victim arrives at a Size this is reported to law enforcement

police station and claims that they have on Saturday morning, then it is still
been subject to cryptocurrency fraud, The third most important question possible to contact the bank and
there are four vital pieces of information is the size of the transaction, since stop the transaction. If the victim has
that must be collected. large amounts of funds crossing the not contacted the bank, they should
anti‑money laundering threshold are immediately do so.
Cryptocurrency transactions are subject to verification by a VASP or (See INTERPOL’S IGrip solution, p. 23)
irreversible — once they are completed CASP. If the victim has made a large
and have entered the blockchain, it will transfer to a licensed exchange, it may Example 2: Even if the victim has
require significant effort to return those be possible to contact this exchange transferred a larger amount from their
funds to the victim. And yet, while and stop the transfer from being bank account to a cryptocurrency
the effort is truly substantial, it is not changed to cryptocurrencies. broker and the transfer has already
impossible. left the victim’s account, there might
be information in the customer bank
Type of cryptocurrency account showing the name of the
Time VASP/CASP to which the transfer
Finally, the last key question is what has been sent. In this example, if the
The first key element is time. type of cryptocurrency or virtual asset transfer has been sent to one of the
Cryptocurrency transactions do has been purchased. Some types larger brokers, such as Binance, the
not always immediately enter the can be easily traced, such as Bitcoin. customer should immediately contact
blockchain. There is often some Other types of cryptocurrency known their customer service via a chat
amount of time when the funds as privacy coins, such as Monero and window or send an email with a title:
are held at a bank or a licenced ZCash, have been designed to make “Urgent: Stop exchange – fraud”
cryptocurrency broker before tracing and investigations more difficult, to [email protected] or
being recorded on the blockchain. but even these are possible to trace [email protected]
Establishing whether this is the case, with some effort. to inform them that the transfer coming
is the first and most crucial question, from a particular IBAN, of a particular
since it offers the chance to still reverse If the transaction from the victim’s size and in a particular timeframe is not
the transaction. bank account is very recent, all efforts to be processed.
should be placed on stopping it from
entering the blockchain. Receiving a Members of law enforcement can also
Financial institution case at the station and passing on for request the funds to be stopped, via for
pre‑investigation to other colleagues example Binance’s Government Law
The next most important question is who might only pick it up days later Enforcement Request System:
to ask the victim which cryptocurrency can significantly decrease the chances https://www.binance.com/en/support/
broker or financial institution was of success. law-enforcement.
used when the FIAT currency was Larger brokers or exchanges and other
transferred. Here are three examples that are VASPs usually have a proceeding
common and illustrative of this in place that can help enforcement
If the transfer has been conducted to concept: agencies to locate and stop the transfer.
a broker in a low-risk jurisdiction that The majority of players in the industry
has enforced anti-money laundering Example 1: If in the case of a potential will have email addresses like
regulations on financial institutions, victim, the transfer of FIAT from an [email protected]
there is a possibility that the transaction international bank is, for example, or [email protected]
can be stopped. initiated on Friday evening and that can be used to report urgent cases.

22
 <I-GRIP work flow>9

Report to Inform on
authority suspicious transactions
LEA LEA
of victim’s jurisdiction of VASP’s jurisdiction
Take compulsory
Victim measures VASP

I-GRIP
Request to withhold
NCB of criminal proceeds NCB of
victim’s jurisdiction VASP’s jurisdiction

Procedure to request:
a. Put email title ’[I-GRIP]’
b. Include IFCACC in email copy ([email protected] and [email protected])
c. Write sufficient details

Source: Image courtesy of INTERPOL

At the same time, the LEA of the the LEA can open their own domestic or an email postbox, where funds are
victim’s jurisdiction can make a stop criminal investigation parallel to the stored. With a bit of skill funds in such
payment request through INTERPOL investigation carried out by the I-GRIP a wallet can be recovered or frozen.
with a tool called Global Rapid requesting jurisdictions and issue Even though such a combination of
Intervention of Payment (I-GRIP). a criminal seizure order against the letters and numbers looks unusual
This is a channel to the LEA of the suspicious account. for individuals who are unfamilar
jurisdiction where the VASP is located. with cryptocurrency, for investigators
INTERPOL launched I-GRIP to make If the legal framework in the OSCE experienced in the space, such
international co‑operation speedy participating State allows it, another combinations of letters and number
enough to effectuate initial stages of possibility might be to file the case provide information similar to a credit
asset recovery. immediately, together with the potential card number. Having a cryptocurrency
victim’s reporting, since time is one of wallet address is similar to having
Once the LEA of the jurisdiction where most crucial aspects in cryptocurrency a credit card number, but without
the VASP is located receives an I-GRIP investigations. personal details such as the name
request, they can take necessary or the issuing bank. A credit card
measures to withhold the criminal Example 3: If the potential victim is number indicates the issuer of the
proceeds from being processed further not fully sure to which cryptocurrency card and the card’s type. Similarly,
in accordance with their national law. broker the funds have been sent and once a cryptocurrency wallet address
The necessary measures can take there are abbreviations of letters and has been reported by a victim to
various forms. They can simply inform numbers that look similar to this on the law enforcement, with the help of
the receiver VASP about the suspicious transfer details: external tools there are possibilities
transaction, so the VASP can make (which are not always successful) to
its own voluntary business judgement 1C5Eu4UpeK5djG3QiKwhcLELtFwHT146dG connect a wallet address to a particular
to suspend the suspicious account or cryptocurrency or a specific VASP or
even to recall the transactions. Also, this could indicate that the funds financial intermediary.
LEAs can utilize their administrative have been or will be exchanged to a (For more information, see the section
power to mandate a VASP to suspend cryptocurrency wallet. Such wallets “Further tools for virtual asset crime
the suspicious account. Additionally, can be compared to bank accounts investigations,” p. 47.)

9 INTERPOL, Guidelines for Seizing Virtual Assets (October 2023), p. 40.

Decoding Crypto Crime: A Guide for Law Enforcement 23

Best practice for each type of transaction

There are three types of transactions on blockchains that are relevant for investigators to know about, since they may need the
co‑operation of virtual asset service providers (VASP).

Type of
Description Impact for the investigation
transactions

FIAT A victim has completed a Best practice 1

currency to pay in, via bank transfer, Try to stop or revert a transfer to a cryptocurrency
cryptocurrency card payment, mobile broker if possible.
pay or cash in a national
currency to a VASP, which The largest failure at the reporting stage is to record
exchanges funds into the suspected crime and assign a person within the
cryptocurrencies. office to conduct a pre-investigation. This delays the
initial contact with the victim. If there is no delay, the
transaction potentially could still be stopped.

If the transaction has been completed outside of

banking hours or on the weekend, it may still be
possible to stop the outgoing bank transfer from being
undertaken, since some banks process bank transfers
the next business day.

If the transaction has been completed with a card

payment, it may be possible to get in touch with a card
issuer to potentially return or stop the transfer of the
payment.

A key aspect is to find out which financial institution

carried out the bank transfer. This will be visible on the
bank statement.

Best practice 2
If stopping the transaction is unsuccessful, try to
identify which VASP the transfer has been sent
to, with the goal for them to stop the transaction
and freeze the funds if possible.

If the cryptocurrency broker operates in a low risk

country that has introduced AML/CTF regulations for
cryptocurrency assets, then it is possible to contact
the broker without a delay and request the funds to
be frozen or returned, if they have not already been
exchanged.

Sometimes this process can be initiated by the victims

themselves. Brokers might then stop the exchange of
the funds, since AML laws indicate that funds can only
be transfered if the origin of the funds is known and it is
clear where the funds are being sent. Letting the VASP
know that the destination of a cryptocurrency wallet is
a scam will force them to take action to stop it due to
money laundering regulations.

24
 Type of
Description Impact for the investigation
transactions

Although this depends on the internal compliance

policies of the VASP, a temporary freezing of funds for
a couple of business days will allow law enforcement or
prosecutors to step in with an official request to return
the funds. This is possible if one acts quickly and the
cryptocurrency broker is responsive.

If both processes failed, the third possibility is to

contact the VASP that has been identified and ask for all
evidence from their databases about the identity of the
user that has created an user account (since it is likely
to be the scammer, or a fake identity), their identification
information and the transaction hash.

Cryptocurrency A victim reports fraud that Best practice 1

to is exclusively within the Search for potential licensed financial
cryptocurrency blockchain technology, intermediaries, so‑called “centralized
with no links to traditional exchanges,” that have been involved in the
financial institutions that exchange. If they can be found, it may be possible
process FIAT currencies. to collect identity information about the parties
involved through this intermediary.
For example, a fraud has
occurred in which a user Best practices 2
has been tricked into Often, victims have been subject to social
purchasing a different engineering, which leaves a significant amount of
cryptocurrency product cybersecurity traces. For example, suspects often
(such as NFT, Staking, ask victims to connect with them via remote-
etc.), resulting in financial display management apps, emails, phone calls,
losses. initial bank transfers, sms, or communicator
messages.

In this scenario, the victims are usually experienced with

blockchain based finance. The initial task is to collect
the most accurate and updated transfer information:
transaction times, the types of currencies used by
the victim, information about cryptocurrency wallets,
receipts, emails, sms confirmations, and other types
of information. (More details can be found in the next
section “Gathering evidence,” p. 27).

Decoding Crypto Crime: A Guide for Law Enforcement 25

 Type of
Description Impact for the investigation
transactions

Cryptocurrency A victim reports the theft In this scenario, the victim already possessed
to FIAT or loss of funds cryptocurrencies that have been sent to a
currency cryptocurrency exchange and then have been
exchanged to a national currency to be most likely paid
out by means of a bank transfer or in cash at a physical
office.

Similarly to transfers from FIAT to cryptocurrency, here

there is a need to search for the financial intermediary
that has conducted the exchange into the national
currency and initiated the bank transfer. If a large
amount is involved and the financial institution is
located in a low‑risk jurisdiction, then this institution
must review where the funds have come from, a step
that is conducted manually by compliance employees.
If such a review occurs, it usually takes place between
24 hours to a couple of business days from the time of
the transaction.

If possible, type in the cryptocurrency wallet address

into a blockchain-wallet-explorer to check it and review
if it is connected to a financial intermediary that could
be contacted (see the section “Further tools for virtual
crime investigators,” p. 40, for more details). If such a
search is unsuccessful, then one must use a dedicated
software (a blockchain analytics provider) that might
indicate whether an address has been connected to a
known financial institution.

26
Gathering evidence

Decoding Crypto Crime: A Guide for Law Enforcement 27

Gathering evidence
Gathering information from an individual

10 pieces of information crucial for request data from VASPs, see the section below,
an investigation “Requesting data from VASPs,” p. 29. The names of
exchanges can often be found on transaction receipts.
• Nature of the asset: which cryptocurrency project
or NFT was involved, including its name, symbol, and • Referral information: Information on how the victim
specifics of the underlying technology. got to know about the asset, be it through a referral, an
online advertisement, word of mouth, etc.
• Transaction details: Information on transactions made
by the victim, such as date, time, amount, currency, and • Coding anomalies: If available, any evidence of
transaction IDs (for example receipts from a VASP). manipulated code that prevents selling or any other
anomalies. Any hyperlinks to websites used to
• Wallet addresses: Details of the cryptocurrency wallet support the crime, and depending on the jurisdiction,
addresses involved, both of the victim and the suspected when the victim has detached its financial data, any
scammer. login credentials that would help law enforcement to
understand the software.
• Communication records: Any communications the
victim had with the alleged scammers, be it via email, • Financial records: Bank statements, credit card
social media, chat applications, phone calls or forums. statements, or other financial records showing the
transfer of funds related to the investment.
• Promotional material: Any advertisements, online
posts, or other promotional materials related to the virtual • Identity information: Any details that can help identify
assets that have been received by the victims. With the scammer, such as usernames, social media profiles,
copies of emails, make sure the hyperlinks are included email addresses, or any other contact information that
in them, ideally on USB drivers. Warning! While recording has been used during the interaction with the victim on
such material, do not click on any hyperlinks provided in the victim’s computer.
the electronic material as they might be infected.
• Technological anomalies: Has the victim installed any
• Platform details: Any details of the VASP (see software apps during the process of being scammed?
the section “VASPs and CASPs,” p. 20) platform Has this software been uninstalled or is it still on the
or exchange where the victim purchased the computer? Is it possible to determine the source or origin
cryptocurrency asset. For information on how to of the software?

If a cryptocurrency transaction has not been suspended, it is vital to obtain the cryptocurrency wallet address where the funds
were either sent to or received from.

Collecting cryptocurrency wallet addresses

What are the most crucial pieces of cryptocurrency wallet addresses, since type a recorded cryptocurrency wallet
information needed for an investigation these involve long strings of numbers address into an internet search engine,
on the blockchain? and letters. like google or bing, to see whether it
can be identified. If the address does
Transaction details: Cryptocurrency Example 4: When recording a not come up immediately, a wallet
wallet address and Hash numbers cryptocurrency wallet address, etc., explorer tool can be used.
the number zero “0” can easily be (See also the section “Further tools for
A common failure is the incorrect confused with the letter O, or the virtual asset crime investigators,” p. 47.)
recording of the relevant letter q with g, A best practice is to

28
If the cryptocurrency wallet address is • Timezone customization: Certain keys to authorize a transaction. One
correct, there will be instant information platforms offer the ability to change person could possess multiple private
displayed that allows one to extract the the default UTC timezone. For keys, or multiple individuals could be
following information: instance, users can adjust it to their involved in asset management, each
local timezone, aiding in evidence with their own private key.
Always for Bitcoin: collection.
A visualization of this concept can
• Amount of the transaction: You can Is it possible for one be likened to the distinction between
see the amount of Bitcoin that was cryptocurrency wallet address smartphone types and the operating
sent or received in each transaction. to store different types of systems or applications they support.
cryptocurrencies? Certain apps are designed exclusively
• Time of the transaction: for Apple’s iOS and require an iPhone,
A timestamp indicating when a The potential for a user to employ while others are tailored for Android
transaction was included in a block is a singular application to access and won’t function on Apple devices.
visible. various virtual assets using identical However, various apps developed
credentials is embodied by the by different programmers can run on
• The current balance of the multi‑signature (MultiSig) wallet. the Android platform and be sourced
cryptocurrency wallet: You can view MultiSig utilizes a single application from the Google Play Store. Similarly,
the total amount of Bitcoin currently in to manage diverse virtual assets with cryptocurrencies unified by a common
the wallet. the same credentials, streamlining technology, such as ERC20 tokens
the process of handling different built on the Ethereum blockchain, can
• Transaction Hash: This is a unique cryptocurrencies. be managed within a single Ethereum-
identifier for every transaction, like based wallet address.
a transaction-ID used by payment Much like how banks assign unique
service providers serving as its account numbers for various This mirrors how a single app store
“fingerprint.” currencies—one for USD, another facilitates the download of numerous
for EUR—cryptocurrencies based on apps developed on the same
Available at some services but not all: different blockchain technologies, such platform. Likewise, cryptocurrencies
as Bitcoin and Tron, require unique developed on the same blockchain,
• Transaction size: Some services wallet addresses. like Ethereum, can be consolidated
provide details about the size of within a single Ethereum-based
the transaction, often exchanged in MultiSig wallets do not necessarily wallet address, allowing for a more
leading FIAT currencies such as USD require multiple individuals; instead, streamlined user experience.
or EUR. they refer to the use of multiple private

Requesting data from VASPs

If the victim doesn’t know to which Member States must be registered they were sent, the name of the
virtual asset service provider (VASP) and must comply with a variety of anti- VASP can sometimes be found on
the money has been sent, they money laundering obligations. the victim’s bank statement or card
might have a receipt showing wallet statement.
addresses. If not, this data can be If the victim knows which VASP the
often visible using a blockchain funds were sent to or came from and Some of the names of virtual assets
analytics provider software. Such still has (or can recover) the login or exchanges include PanCake Swap
providers are registered in countries credentials, then the first step is to (https://pancakeswap.finance/); Wasabi
where laws clearly state that virtual extract all transfer information from the Wallet (https://wasabiwallet.io); Doge
assets must follow anti‑money exchange. This transfer information Coin (https://dogecoin.com/); and Shit
laundering guidelines. As per these will include conducted transactions, Coin (https://www.investopedia.com/
rules, VASPs must verify the identity the cryptocurrencies sent and their terms/s/shitcoin.asp). While these
of their users and record transactions. cryptocurrency wallet addresses. would not be instantly familiar to those
For example, within the European not active in the cryptocurrency world,
Union, according to the Fifth EU If the victim is unsure where the funds they are commonly used.
AML Directive, VASPs across the EU have been transferred or from where

Decoding Crypto Crime: A Guide for Law Enforcement 29

Even platforms that claim to be fully • Confirmation time of Sanction • Browser and the version used for
decentralized, such as Uniswap, offer a Screening and Politically Exposed accessing the service: Opera, Chrome,
transaction history possibility for users in Person Screening and the types of Safari, Internet Explorer or similar
.csv that can help with an investigation. watchlists that have been used.
• Background checks on the customer,
With hundreds of exchanges worldwide, • Cryptocurrency wallet address or conducted with Open Source
only a few names might be easily addresses if multiple transactions and Intelligence (OSINT)15
recognizable to the general public or currencies exist
law enforcement. • Comments of VASP employes with
• Transaction hashes to conducted regard to a particular user or its
If an individual cannot retrieve access transactions transactions
to their account at a VASP, it remains
possible to reach a centralized VASP or • Any blockchain analytic investigations
a cryptocurrency wallet (custodianship It is less likely but still possible to receive conducted on the user or its
provider) for help. the following information: transactions by VASP employes

Following best practices, VASPs will • Customer number or ID registered • Any enquiries about the particular
usually not provide any information within the agent user from other law enforcement
over the phone, so there is a need for a agencies or financial institutions
Law Enforcement Request (LER) to the • Declared residence address13 of the
VASP or other financial institutions that customer • Any transaction that has been initiated
processed the exchange of the victim’s by the user but not completed
funds. The process of filling in an LER to • Registered address of the customer14
a VASP is described on page 22. • For physical offices or ATMs, there
• Social security number, depending might be a video recording of
The information you’re likely to receive on the country where the platform is individuals using the premises
from a centralized VASP is the following: registered
• Request all of the documents the
• First name • Interactions between the agent users have uploaded (including
(VASP/CASP) and the customer proof of source of funds and proof
• Last name (often in the form of a PDF, since of source of wealth), as well as all
customer service is often conducted interactions with customer service
• Date of birth with external software providers such
as Intercom or ZenDesk) Police officers can collect more
• Copies of identity documents10 information from the victim about their
• All documents providing proof of own bank account details, which helps
• Size of completed transactions funds – uploaded to and from the filter the information collected from
users VASPs. This information will only be
• Timestamp of transactions11 available for FIAT to crypto transactions
• IP address (which might be misleading (not for crypto to FIAT transactions).
• FIAT and cryptocurrency of the since users tend to use VPNs)
transaction12 • The bank account number of the
• Device used for login, such as a victim that was used to conduct a
• Size of the agent’s commission mobile phone or a desktop computer transfer to and from a VASP account.

10 This can include a passport, identity card, or e-identification. However, this process is vulnerable to the same issues as traditional cybercrime, such as the use of
fake or collectible items that imitate real identity documents (for example, “collectable documents” available on websites like dokumencik.pl).
11 It is important to determine which time zone the timestamp refers to. For example all Bitcoin blockchain transactions are registered with UTC (London time)
independently of where the user comes from. The problem of connecting incorrect transaction timestamps to other evidence has sometimes been critical.
12 Both virtual assets and FIAT.
13 If allowed in the jurisdiction, it is possible to review whether the platform has other customers registered at the same address who have conducted transactions.
14 Whether the platform extracts such information from a public data basis.
15 Which might include extractions from publicly available data sources, such as criminal record certificates or information about the UBO of particular ventures,
that might have been extracted by compliance employees of the platform.

30
• Phone number: Some users use their connect the address to particular users
phone’s payment system It is recommended to refrain who signed a contract for their services.
from requesting “.xml” or Unfortunately, even if the user does not
• Card information from the credit, “.xls” files from VASPs. use VPN, this information is not always
debit or prepaid card that was used Specifically, the use of “.xlsx” reliable. Since users might provide WIFI
for the transaction. The provider’s files is discouraged due to networks without passwords, there
account might have additional cybersecurity concerns. could be times when someone else’s
information such as a second level of There’s a risk that data IP address is used.
confirmation via a mobile bank app or provided by VASPs in “.xlsx”
the SMS service called 3D secure that format could harbour viruses, Knowing an IP address alone doesn’t
could be obtained particularly in the macros always provide exact information
embedded within the file, about who performed a specific action
• For countries using “open banking,” which may compromise the online. In environments such as public
additional information might be security of LEA computer offices, schools, or workplaces, multiple
available from payment service systems. individuals might share the same
providers that conduct those internet connection, further complicating
transactions (if those transactions have the attribution of online actions to a
been completed using open banking) Reliability of obtained specific individual.
IP addresses
Finally, VPNs are engineered to hide a
Format information An Internet Protocol (IP) can often user’s actual IP address by projecting
for VASP data be obtained from a VASP through a the appearance that the connection
law enforcement request process. An originates from a different location.
For optimal efficiency, it’s advisable to IP address is a unique identifier of a However, even with a VPN there might
obtain the required transactional data in a device like a smartphone or a laptop be a possibility to connect a certain
“.csv” format, facilitating straightforward on the internet network. Think of an user behaviour with visits of particular
integration into law enforcement IP address as a unique set of numbers, websites, associating them with a
systems. Typically, responses to Law like a phone number. For example, particular IP within a specific timeframe.
Enforcement Requests (LERs) are 193.46.242.201 points to Stockholm, This implies that while VPNs enhance
delivered in two formats: Sweden. But just as one landline phone user anonymity, they do not render
number can be shared by multiple online actions completely untraceable.
• A “.pdf” where the Virtual Asset family members in a house, thanks Discerning entities might still be able to
Provider offers direct responses to a technology called NAT (Network link online activities to individual users
to inquiries made by the Law Address Translation), multiple devices under certain circumstances.
Enforcement Agency (LEA) can use the same IP address.

• A ”.csv” file comprising transactional VASPs often claim that they can Collecting IP addresses
data export IP addresses which have been
captured during the login process of Arguments for:
Often, VASPs maintain a folder with users, however the reliability of this • Traceability: IP addresses can serve
consolidated customer data. This information for investigations ought to as a starting point to trace back
folder includes crucial documents be questioned. IP addresses only show potential suspects or identify the
such as proof of funds (POF) and which device accessed the internet, not origin of suspicious activities. There
other uploaded files. Large VASPs who specifically used it. They can be might be a possibility that they can be
normally have a set way of responding camouflaged by scammers using virtual connected to other investigations.
to law enforcement requests. When private networks (VPNs), and therefore
interacting with smaller institutions, law should only be used in cases in which • Deterrence: Knowing that
enforcement may be able to specify there is other evidence that can link the IP addresses are monitored may
their preferred data format for receiving user’s IP to potential criminal activity. deter potential criminals from using
the required information. their own networks for illicit activities.
Companies providing internet access
However, customer identity can to users’ homes (called internet service • Collaborative evidence: In
sometimes be captured in diverse providers, “ISPs”) can often identify conjunction with other pieces of
formats, such as a “.pdf” or a “.jpeg” of who used a specific IP address at a evidence, IP addresses can help
an ID document or a video that exists in certain time. During an investigation, to build a stronger case against
formats like “.avi” or “.mov”. such companies might be requested, to suspects.

Decoding Crypto Crime: A Guide for Law Enforcement 31

Roman Bieda conducting a hands-on workshop for investigators in Kazakhstan. As a former product owner of a blockchain analysis tool and
an expert witness in courts in Europe and the United States, he focuses on sharing not only knowledge, but also best practices and insights
into the challenges faced during the evidence collection process. The aim of the OSCE workshops are to ensure that challenges experienced
in one participating State do not need to be repeated in others.

Arguments against: approached with caution and seen as security in monitoring the flow of
• Inaccuracy: Since multiple devices part of a larger toolkit. virtual assets.
can share a single IP address, and
with the use of VPNs and other If law enforcement agencies lack
obfuscating tools, relying solely Other documents to request access to such blockchain analytics
on IP addresses might lead to tools, they can request the VASP to
misidentification. In some OSCE participating States, share details for the investigation. This
companies that handle virtual assets information could be in an accessible
• Privacy concerns: Collecting (like cryptocurrencies) are considered and editable format, such as a PDF or
IP addresses en masse may infringe “obliged financial institutions” or an image file.
on individuals’ privacy rights, intermediaries. This means they have
especially if done without proper to regularly monitor their customers’ This implies that while the tools are
justification. activities. They are required to review instrumental in maintaining the integrity
customers and transactions that of transactions and identifying illicit
• Resource Intensive: Tracing and exhibit suspicious behaviour, often activities, there are procedural and legal
verifying IP addresses, especially employing blockchain analytics tools considerations to be observed when
when VPNs or other masking tools to identify potential sources of risk. sharing information derived from these
are involved, can be time-consuming Once these checks are conducted and tools. For example, multiple blockchain
and divert resources from other vital documented, law enforcement can analysis providers and compliance
investigative activities. request to see them. solution providers might have specific
protocols and agreements in place that
In conclusion, while IP addresses For example, in the Republic of limit the sharing of sensitive or editable
can provide additional insights about Georgia, companies providing information even with law enforcement
a device’s activity and location of a exchange services that are registered — without prior authorization. This
particular device at a given time, they with the National Bank of Georgia are might create problems for VASPs to be
don’t conclusively identify individual obligated to use specialized tools to willing to disclose reliable information vs.
users. Investigations based on analyse blockchain transactions. This being obliged to limit evidence due to
IP addresses are only useful when ensures a layer of transparency and agreement constraints.

32
Taking cases to court

Decoding Crypto Crime: A Guide for Law Enforcement 33

Taking cases to court
Prosecutors of virtual asset cases

To ensure that prosecutors have a money laundering, such as • Present a clear and concise digital
solid foundation to work from, law through “tumbling” or “mixing” trail of the money laundering process,
enforcement officers should be well- services that aim to obscure from the source of the illicit funds
versed in evidence collection related to the source of funds. Some of to their final destination. It has been
anti-money Laundering (AML) activities, the leading blockchain analytics recommended to create visual
especially in the rapidly growing field of providers offer “demixing props and to use easy non‑technical
virtual assets and cryptocurrencies. services” which claim to be able language when presenting evidence,
to disassemble the transactions since many prosecutors or judges
Investigative stage that have been processed might not yet be fully familiar with the
across a mixer. If the case is complexities of cryptocurrencies.
• Seek digital evidence: Understand of severe importance there are
and monitor the transactions demixing services offered by both Additional evidence:
on blockchain technology and blockchain analytics providers • Crypto exchange records: These
distributed ledgers. and courses on demixing offered can provide user activity details,
• Analyse information: Recognize by law enforcement agencies like wallet addresses, IP logs, transaction
patterns that might suggest Europol. amounts, and dates.
money laundering, such as rapid • Use the ledger of blockchain • Blockchain analysis software: Such
and high-volume transactions on transactions to prove the elements software can visualize the flow of
cryptocurrency exchanges. of the crime. digital currencies.
• Follow digital leads: Trace the • Digital wallet examinations: Investigate
flow of assets across multiple c. Linking criminal activity to hardware wallets, mobile wallets,
virtual wallets and platforms, using assets: and desktop wallets. They might
specialized software if needed. • Trace any movement from have records, transaction history, or
• Evaluate the credibility of cryptocurrency wallets to the metadata that can be useful.
all received identification purchase of tangible or other • IP address tracking: Track
information, received from VASPs virtual assets. This could involve the IP addresses associated
(See challenges with “Copies of looking at the movement of with transactions to locate the
Identity documents,” p. 30) cryptocurrency from an exchange geographical location of the
to a private wallet and then to suspects. (see p. 31 for the
Trial or investigation another entity or service. limitations of IP addresses)
preparation • Identify any anonymizing services • Collaboration with international
or techniques used, and attempt agencies: Due to the decentralized
a. Case overview: to trace assets despite these nature of cryptocurrencies,
• There should be a focus on crypto challenges. international co‑operation can be
wallets, IP addresses, transaction • Recognize patterns that may crucial for tracking cross-border
timestamps, and the amounts indicate criminal intent like money transactions. However, such
exchanged in the digital realm. laundering, such as splitting large co‑operation is usually started at a
• The first intention should be to amounts of cryptocurrency across later stage by a leading investigator.16
understand the conversion of multiple wallets or using privacy
virtual assets to tangible assets, coins like Monero or Zcash. By collecting comprehensive evidence
like property or goods, and trace related to cryptocurrency transactions
their origins. Presentation of evidence: and activities, police officers can
• Clearly explain how cryptocurrencies provide their investigation colleagues
b. Identifying the type of offence: and blockchain work, since many as well as prosecutors a robust base to
• Recognize the signs of court officials may not be familiar with build their case and ensure that culprits
cryptocurrency being used for this technology. are held accountable.

16 Finance Intelligence Units that work together with the Egmont Group have developed an exchange system mechanism that can be accessed here:
https://egmontgroup.org/wp-content/uploads/2022/07/2.-Principles-Information-Exchange-With-Glossary_April2023.pdf (accessed 15 Feb. 2024)

34
Recommendations
and contacts for
complex cases

Decoding Crypto Crime: A Guide for Law Enforcement 35

Recommendations and contacts
for complex cases
Dedicated teams and expertise programmes often culminate in various enforcement agencies like INTERPOL
levels of certification, which not only or Europol offer dedicated support and
Leading providers of blockchain validate the skills of law enforcement training for investigators (see section
analytics software frequently establish personnel but also amplify their “Co‑operation with experts on digital
dedicated teams composed of experts efficiency in handling blockchain- assets,” p. 51). If your team would like
in both the realms of cryptocurrency related investigations. While some to join available training events, please
and investigative processes. These services, like consultancy support, contact [email protected] for
teams specialize in assisting law may require additional funding, additional information.
enforcement agencies in navigating the long-term returns in terms of
the intricacies of blockchain analytics, enhanced investigative capabilities can
ensuring that the tools are used be substantial. Proceed with caution
to their maximum potential. It is
recommended to check your agency’s However, while the advantages of
intranet to see which departments External support for in‑depth external providers are numerous,
are already using blockchain-based investigations agencies must also be cognizant of
analytics software, since colleagues in potential challenges. Engaging external
those departments are likely to have Beyond in-house teams and training, entities like consultancy agencies
the most insights into this matter. there is an expanding spectrum of or blockchain‑based analytics
external commercial providers adept at providers in sensitive investigations
conducting exhaustive investigations can introduce complications in case
Training and certification of cryptocurrency transactions on the proceedings. There is also the critical
blockchain. These entities operate as matter of data security. The transfer
Recognizing the complexities of contractors, offering their specialized of sensitive information to external
blockchain technologies and the skills to law enforcement agencies. Their parties must be approached with
importance of robust knowledge expertise can prove invaluable, especially utmost caution to ensure that data
management, many blockchain in complex cases where in-depth integrity is maintained and that there is
analytics software providers also offer analysis and multifaceted investigative no inadvertent breach of confidential
structured training programmes. These techniques are required. Law information.

Maciej Szulc leading a train-the-trainer workshop in Gdansk, where policymakers from OSCE participating States share best practices for
resolving complex cases and assisting national stakeholders. The focus extends beyond content quality to effective delivery methods.

36
Support for victims

Decoding Crypto Crime: A Guide for Law Enforcement 37

Support for victims
Challenges victims should be warned about

Victims of one cryptocurrency • The “Whistleblower” Ruse: In another exceeding 40 pages, that often detail
scam can easily fall prey to another. guise, scammers might pose as fundamental cornerstones of the
Organized fraud rings don’t just strike disgruntled ex-employees of the anti-money laundering (AML) and
once, but instead target their victims fraudulent enterprise, asserting inside counter-terrorism financing (CTF)
repeatedly and strategically. Below are knowledge that can supposedly legislation but have limited legal
details of common secondary scams: help victims reclaim their assets. value. Unfortunately, the documents
The process is the same as with that have been used are mostly
• The “Saviour” Deception: After an the saviour — funds must be paid generic and 99% of them remain
individual’s initial entanglement in advance and then the contact unchanged, so the VASP is flooded
with a scam network, a different person usually disappears. with the same documents with minor
wing of the same syndicate customizations. Victims are charged
extends an offer, pretending to • The Mirage of Legal Recourse: exorbitant rates for these largely
be a professional who can help These are scenarios where redundant efforts. It is essential
recoup their lost investments. This victims are approached by a legal to realize that with most VASPs,
seemingly generous offer comes at professional who pledges to get transactions, once executed, are
a price, with the victim expected to the money back, particularly when irreversible. Claiming “credit card
pay a service company to recover VASPs come into play. After the chargebacks” has slim chances of
the lost funds. After the funds have vicitm agrees on an hourly rate, success. Hence, such legal action
been transferred, the “saviour” often these lawyers claim to have created points are usually of low value and
disappears, together with lost funds. extensive documents, sometimes rather deplete a victim’s wallet.

Olga de Truchis, an OSCE Virtual Asset Expert and Co-Driver of the Europol Financial Intelligence Public–Private Partnership (EFIPPP)
Crypto‑Assets Workstream, led a session on best practices for traditional financial providers in managing financial crime risks associated
with virtual assets and virtual asset service providers. The workshop, hosted at the premises of the National Bank of Latvia (Latvijas Banka),
included representatives from four additional OSCE participating States.

38
Selected types of
crimes committed
involving
cryptocurrencies

Decoding Crypto Crime: A Guide for Law Enforcement 39

Selected types of crimes
committed involving
cryptocurrencies

Below are details about the most common types of crimes committed
with cryptocurrencies. At the very least, one should be aware of these
types of crimes, but also know that this is not a comprehensive list.

Cryptocurrency investment schemes

What is it? initiate the process, they mandate request personal identification
an initial commitment, from 250 EUR details of the victim, purportedly
Cryptocurrency investment scams to 1000 EUR (or equivalent in the for fund transfers or deposits.
are some of the most common types national currency in question) usually However, instead of assisting in an
of fraud schemes. Initially, this scam at the lower end of this range.Upon investment, they gain unauthorized
targeted wealthy senior citizens in receiving this initial payment, a access to the personal and financial
high-income countries. However, scammer simply disappears post- details of the victim. Victims forget
the tactics have evolved, with stock payment, leaving the victim financially to block their identity documents at
market investors and those nearing diminished with no prospective the financial institution, or even send
retirement increasingly being targeted. investment to show for it. copies of this information to the
It is crucial to remain vigilant and scammer.
attuned to the evolutions of this scam • In a more complex approach,
in the future. the process involves a live video
call, during which the scammer How to address it
This scam works by scammers showcases a “financial account”
contacting wealthy individuals and that is claimed to belong to the • Do not complete any additional
presenting them with lucrative future victim who is experiencing a transfers. Often scammers speak
investment opportunities. Typically, substantial influx of money. While about small transfer costs, or payout
a scammer, pretending to be a these accounts are designed costs that appear very small in
seasoned crypto investor, approaches to appear legitimate, they are comparison with the total amount of
unsuspecting individuals displaying actually design copies and have no the scam. Example: a 600 EUR fee
significant amounts of wealth. connection to traditional financial for a 60,000 EUR scam.
institutions.
• The vicitm should not break
Different types of this scam • Sometimes victims receive a “first the contact. Usually by the time a
payout” of for example 50 EUR to victim approaches law enforcement,
There are usually different types of 100 EUR, which the scammers claim their contact with the scammer has
claims: to be interest on their investments, to already been broken. But if it is not,
lure the victim to pay more. then it might help the investigation
• Upfront fees: Scammers lure for the victim to maintain their
individuals with the promise of high • Identity theft: To create an illusion contact to enable a search for the
returns on investments. However, to of legitimacy, scammers might cybercrime tools being used.

40
 For users who are less experienced in investments, in front of it. This is useful for troubleshooting
finance or the usage of online tools, scammers issues, providing remote support, or accessing
often install remote-access software. files.

This software is primarily designed for remote • File transfer: Software that allows users
access, control, and support. It allows users to to transfer files between computers. This
remotely access and control their desktop or laptop sometimes leads to the instalment of a
and servers from anywhere. The victim often installs “keylogger,” a type of spyware that monitors
such software with the help of a scammer. Once everything the user types and can share it with
the connection has been established, the victims scammers for years after it has been installed on
often forget to uninstall the software. Traces left a computer.
with the software can be a good support for law
enforcement investigation, if secured correctly. • Remote access: This lets scammers access
the victim’s computer or server remotely
Depending on the type of software, there are and modify files, install programs or initiate
various types of features, including: connections.

• Remote control: Users can control a computer • Mobile access: This allows the remote control
from another location as if they were sitting right of devices from smartphones and tablets.

• Victims should not uninstall any • Review what personal information situation. For further details, see the
software that has been placed on has been released. If possible, section “Best practice for each type
their devices, since these might change bank logins, and order new of transaction,” p. 24.
leave cybersecurity traces useful for passwords for e‑identification tools if
investigations. However, the victim such tools are used. A further twist to this scam is the
should be aware of the possibility of use of fake celebrity endorsements.
having software on their device that • Review the section on secondary Scammers misappropriate real photos
tracks what they are typing, or that scams found above on p. 38. and combine them with fabricated
keeps the camera turned on, etc. If accounts or promotional materials,
this is the case, the vicitm should limit • The appropriate steps to take making it appear as if renowned
the use of their device. depend on the victim’s specific personalities vouch for the scheme.

Extortion and sextortion

In cases of extortion, individuals victim’s computer or smartphone “evidence” of their claims, the hacker
often receive a sophisticated email and obtained access to the camera. typically provides a list of usernames
falsely informing them that a hacker In sextortion cases, the scammer and passwords associated with
has obtained access to the victim’s then claims that they have recorded various websites, suggesting that
computer and can connect to the footage of the victim during an act the victim used identical credentials
camera of a laptop or a smartphone. of masturbation and will publish the across multiple adult content sites.
When it comes to sextortion, the claim video if the victim does not pay them
is usually that the hacker filmed the in cryptocurrency.
victim during an act of masturbation.
The victim is prompted to transfer
funds to a specified cryptocurrency
What is it? wallet within a tight deadline to
prevent the release of such purported
An individual receives an email footage to business and private
from a scammer. This email says contacts, who the hacker claims
that the scammer has hacked the to have found on the device. As

Decoding Crypto Crime: A Guide for Law Enforcement 41

An original email message sent to the author of this publication:

Topic: I recorded you - (here the scammer passes on the password that was found in the breach)
Date: 2023-06-22 3:32
Sender: “Save Your Life “ <[email protected]>
Receiver: [email protected]

Hi, I’m a hacker and programmer, I know one of your passwords is: (password of the user
extracted from password leaks)

Your computer was infected with my private malware, because your browser wasn’t updated/
patched, in such a case it’s enough just to visit some website where my iframe is placed to get
automatically infected if you want to find out more - Google: “Drive-by exploit”.

My malware gave me full access to all your accounts (see password above), full control over your
computer and it was possible for me to spy on you over your webcam.

I collected all your private data, recorded a few videos of you (through your webcam) and I
RECORDED YOU SATISFYING YOURSELF!!!

I can publish all your private data everywhere, including the darknet, where very sick people
are, and the videos of you, send them to your contacts and post them on social networks and
everywhere else!

Only you can prevent me from doing this, and only I can help you out. There are no traces left, as
I removed my malware after my job was done and this email(s) has been sent from some hacked
server…

The only way to stop me is to pay exactly 400$ in bitcoin (BTC).

It’s a very good offer, compared to all that HORRIBLE shit that will happen if you don’t pay!
You can easily buy bitcoin here: www.xxxxxxx.com, www.xxxxx.com , www.xxxxxx.com or check
for a bitcoin ATM near you or Google for other exchanges.

You can send the Bitcoin directly to my wallet or create your own wallet first here:

www.login.xxxxx.com/en/#/signup/, then receive and send to mine.

My Bitcoin wallet is: 17yshaYmvdp4yjU3WoCwowh6HHjTfEGDuG
Copy and paste it; it’s (cAsE-sEnSEtiVE).
You got 3 days.

As I got access to this email account, I will know if this email has been read.

If you get this email multiple times, it’s to make sure that you read it, my mailer script is configured
like this and after payment, you can ignore it.

After receiving the payment, I remove all your data and you can live your life in peace like before.
Next time, update your browser before browsing the web!

42
Nina-Louise Siedler, in Riga, leading a workshop for policymakers from five participating States, sharing insights from virtual asset regulatory
roundtables. The session focused on pan-European legislation related to virtual assets, aiming to identify regulatory shortcomings and
highlight novel developments of relevance to the participating States.

How to address it as “wallet explorers.” For instance,

the mentioned cryptocurrency wallet When investigating
Best practices in supporting victims can be examined using the following individuals suspected of
who report extortion emails. link: extortion, tracing payments
to their cryptocurrency
• Stay calm: If the user has received https://www.blockchain.com/explor- wallets is essential.
a sextortion email, there is a need er/addresses/btc/17yshaYmvdp4yjU-
to remain calm. The example of the 3WoCwowh6HHjTfEGDuG. By doing this, one can see if
email presented above shows that any wallets are tied to official
criminals use strong adjectives, with • Upon initial investigation, which financial platforms, which
the goal to instil fear, create urgency, remains free of charge and takes can help law enforcement
and induce shame as well as panic. less than 10 seconds, it becomes identify who sent money to
evident that this wallet has received the suspect. While paying
• Victim shall not engage with the multiple transactions. This often into an extortion wallet isn’t
sender in any way: Sextortion emails contradicts the hacker’s claim that a crime, those who did might
usually do not send anything as proof, this is a unique and singularly used have relevant information or
or contain attachments. If there are cryptocurrency wallet address. faced similar threats from the
any links sent with the email, the user Multiple transactions suggest same person, which can aid
shall not open them. that several individuals may have an investigation.
transferred funds to it.
• The user must be prohibited from
exchanging FIAT to cryptocurrency • Using the market of stolen account details. By entering their
and transfering it to a suspect account credentials for the email or username, users can see
cryptocurrency wallet. advantage of the victims: Victims if their information appears in any
may use free-of-charge services like: known breaches. If the attacker
• Verify cryptocurrency wallet: One https://haveibeenpwned.com, which showcases a password that is being
way to assess the authenticity of allow them to check if their data has used, change it immediately across all
a cryptocurrency wallet address is been exposed to data breaches by platforms where it’s employed.
through tools commonly referred to combing through billions of leaked

Decoding Crypto Crime: A Guide for Law Enforcement 43

At the OSCE Secretariat Vienna, training is held for Ukrainian policymakers on regulatory gaps in virtual assets, with a focus on
decentralized exchanges.

“Rug Pull” scams

Exit scams, pump-and-dump scams, What is it? producing fewer developments of

or “rug pull” scams (after the metaphor the asset. In the case of the latter, it
“pulling the rug out from under The objective of this type of scam is can sometimes be hard to distinguish
someone”) are schemes in which to get as many buyers or investors as between a true “rug pull” fraud or just a
scammer create a lot of excitement possible for the new digital asset, and to badly handled, unsuccessful project.
around a new digital asset. It can be artificially inflate its perceived value to be
any type of digital asset, not just a new as high as possible. Once the scammers In either case, the exit of the scammers
cryptocurrency. Such scams have have collected enough money, they means the asset is shown to be fake
been pulled with projects and non- vanish (the “exit” of the exit scam) and and becomes valueless. The victims are
fungible tokens (NFTs), too. Scammers take the money for themselves. This left either with multiple coins or tokens
then quickly exit the project, stealing exit can happen quickly, with everyone that are worth a fraction of what they
investors’ money and leaving the digital suddenly disappearing, or over time, paid for them, if they can find a buyer,
asset worthless. with money slowly taken out of the or the digital asset contains a code that
scam and the developers intentionally indicates the asset can’t be sold at all.

Phishing scams

Phishing scammers is a common scam leading to their fake version of a Different types of
in many areas of the internet. It is also a website. This website is created to of this scam
common and effective scam related to allow logins and store every visitor’s
digital assets. personal information as well as all According to a report released by
crypto addresses and passwords one blockchain analytics provider,17
(called “crypto wallet keys”) that they new types of phishing scams involve
What is it? type. This is especially important playing off of “FOMO” (fear of missing
for crypto crime, since unlike other out) in new crypto investors, by getting
Scammers pretend to represent kinds of accounts, if a crypto wallet’s victims to send money to the wrong
an official business with legitimate- private key is stolen, then the account account in the hope of buying an NFT.
looking websites or company is nearly impossible to retrieve. This This meant that victims lose only the
documents and send out thousands means that the funds within the wallet amount of money they sent to the
of emails and messages with links are lost forever. wrong account, not their entire wallet.

17 Illicit Crypto Ecosystem Report. (2023), available at: https://www.trmlabs.com/report (accessed: Aug. 2023).

44
Another type of scam variation Double-check addresses: possible. This adds an extra layer of
gaining popularity is “address • Always double-check the address one security, making it more difficult for
poisoning,” in which a scammer is sending funds to, especially when scammers to access accounts.
creates an address that resembles dealing with large amounts. Do not
one to which the intended victim rely solely on clipboard functions (the • Regularly update and run anti-
previously sent funds. The scammer so‑called copy‑paste function), since malware software to detect and
then sends a small amount of malware can manipulate them to remove potential threats on your
cryptocurrency to the target in the paste cryptocurrency wallet address device. Some malware strains
hope that they will unwittingly make other than what the victim believed to are designed to monitor crypto
a future payment to the same scam have copied. transactions or to modify clipboard
address in place of their intended data.
recipient. • Use bookmarks for frequently visited
crypto sites. This avoids the risk of Use password managers: Password
mis‑typing or landing on a phishing managers are software tools designed
What can be done to avoid it? site that looks similar. to store, manage, and auto-fill
passwords. They also often allow users
People should be aware of fake Enable additional security measures: to create safe notes that can securely
phishing links and check all links. • It is recommended to use two‑factor save cryptocurrency wallet numbers for
authentication (2FA) wherever various online accounts.

Man-in-the-middle attacks

What is it? the wallet keys, and then use this to individuals to see what websites
take over the account. are visited or what is typed. It also
In this type of scam, scammers don’t conceals the user’s original IP address,
directly target a victim, but instead allowing for anonymous browsing and
intercept the data transmission How to address or avoid this? stopping the user’s actual geographical
when someone accesses their location from being visible. This allows
cryptocurrency account on a public or This type of scam can be avoided with users to have remote access to their
unsecured wifi network, that is, where the use of a virtual private network organization’s resources, or for them to
the websites visited and the information (VPN). These are fairly cheap, usually bypass censorship.
sent from computer to website is not only 3 to 4 EUR a month. VPNs encrypt (See more in the section “Collecting
private. The scammers collect the the user’s connection to the internet, IP addresses,” p. 31.)
crypto wallet address, login details and making it harder for unauthorized

Fake websites imitating cryptocurrency exchanges

What is it? steal their details and the deposited into your exchange. This additional layer
cryptocurrency. of verification can involve receiving a one-
Instead of creating a fake cryptocurrency, time code via SMS or email, which you
the scammer creates websites that look need to input during the login process.
like cryptocurrency exchanges. When the How to address or avoid this? Alternatively, if the OSCE participating
victim goes to this website to exchange State offers an e-identification solution,
their type of cryptocurrency for a different To bolster security, always employ two- consider utilising it for an added measure
type or for FIAT currency, the scammers factor authentication (2FA) when logging of protection during sign-in.

Secondary scams

There are also secondary scams that once. These are covered in the section
occur after a victim has been scammed “Support for the victims,” p. 37.

Decoding Crypto Crime: A Guide for Law Enforcement 45

From left to right: Marcin Zarakowski, Michal Gromek, Anna Pajewska, and Nina-Louise Siedler, who led an independent workshop
focused on the challenges and advantages of supervizing virtual asset service providers (VASPs) for the Ukrainian delegation. The session
included representatives from key Ukrainian institutions, such as the National Bank of Ukraine (NBU), the State Financial Monitoring
Service of Ukraine (SFMS), the Ministry for Digital Transformation, and the National Securities and Stock Market Commission (NSSMC).
The workshop was hosted at the Polish Ministry of Finance, which continues to generously offer its facilities free of charge for a series of
training sessions for Ukrainian delegates.

46
Further tools for
virtual asset crime
investigations

Decoding Crypto Crime: A Guide for Law Enforcement 47

Further tools for virtual asset
crime investigations
Blockchain analytics tools

A good blockchain analytics tool or • Total funds received by the explorer that collects feedback from
wallet explorer means that police cryptocurrency wallet. users, and Chain Abuse
officers can conduct part of their
investigations without needing to • Total funds sent from the Similar to all open source intelligence
rely on information from VASPs, cryptocurrency wallet. sources, any data obtained from such
which can be slow or incomplete. explorers should be approached
Furthermore not all VASPs are yet • Timestamps for transactions. (Note: with scepticism and verified before
using blockchain analytics tools. transaction times may vary based drawing any conclusions.
on the cryptocurrency’s time zone).

• Fees incurred on the blockchain. Examples of free blockchain

Why this matters: analytics tools:
• Source cryptocurrency wallet
Law enforcement agencies addresses (from where funds were • Block Explorer: This is a
frequently request transferred). straightforward tool that provides
detailed information about
information about the
• Destination cryptocurrency wallet Bitcoin blocks, addresses, and
current balance of specific
addresses (to which funds were transactions. It is a good starting
cryptocurrency wallet sent). point for beginners.
addresses from VASPs. While
VASP compliance teams To those unfamiliar with blockchain • Etherscan: This tool is specifically
are equipped to respond analytics, this data might seem for the Ethereum blockchain, and
to these queries, doing so superficial. However, for investigative can offer detailed transaction and
becomes a considerable purposes, it can provide valuable address analytics.
insights, such as showing a pattern
administrative task. A more
of many small incoming transactions, • Blockchair: This tool covers
efficient alternative is to
coupled with fewer large outgoing multiple blockchains, from Bitcoin
input the cryptocurrency
transactions. This type of pattern to Ethereum, making it versatile for
wallet address into a might suggest activities resembling those looking to analyse different
wallet explorer, which those of a drug dealer. networks.
then quickly provides the
needed information for a
majority but not all leading Real-world examples:
cryptocurrencies.
The following wallets have been found
to have been used in criminal cases:

• Cryptocurrency wallet linked to

Information offered by a sextortion case: Blockchain
wallet explorers: Explorer

• Current balance in cryptocurrency • Cryptocurrency wallet associated

and major FIAT currencies, e.g., USD. with the Twitter Hack, a wallet

48
Olga de Truchis and Greta Barkauskiené, OSCE Virtual Asset Experts and Co-Drivers of the Europol Financial Intelligence Public–Private
Partnership (EFIPPP) Crypto-Assets Workstream, participated in the EFIPPP April 2024 Plenary at Europol’s headquarters in The Hague.
Together, they facilitated knowledge-sharing sessions in which participants from various countries, including OSCE beneficiary countries,
explored and discussed emerging modus operandi of organized crime in the virtual asset space.

Blockchain analytics providers

Blockchain analytics providers are funds and identifying any potential landscape that can be helpful for
the commercial counterparts of wallet illegal activities. larger numbers of of investigations.
explorers.
• Visualization: These tools often • Demixing services: Some
They use specialized software provide visual schemes and charts to providers claim that their services
designed to monitor, analyse, and make it easier to grasp large amounts are able to display transactions
visualize activities on blockchain of data at a glance and connect across mixers and tumblers, which
networks. These tools help cryptocurrency wallets to financial are services designed to enhance
investigators to uncover patterns, institutions, or link transactions or the privacy and anonymity of
follow transactions, and gain insights wallet providers together. cryptocurrency transactions.
into the vast and complex world of (For more information, see the
blockchain. • Risk assessment: By analysing section “Mixers and tumblers,” p. 19,
transaction patterns, some tools as well as the discussion of demixing
Beyond the data available by using a can assess the risk associated with services in the section “Taking cases
wallet explorer, blockchain analytics particular wallets or transactions, to court,” p. 34.)
providers offer: offering valuable insights for financial
institutions and regulators. By leveraging these tools, investigators
• Tracking & tracing: Most analytics can better understand the intricate
tools can track and trace the journey • Comprehensive data: These tools dynamics of the blockchain world,
of a cryptocurrency transaction from can pull and integrate data from ensuring informed decisions and
its source to its destination. This is various blockchains, giving users a a deeper comprehension of this
vital for understanding the flow of holistic view of the cryptocurrency revolutionary technology.

Decoding Crypto Crime: A Guide for Law Enforcement 49

At the HQ of the National Bank of Georgia, the Virtual Asset Team has received crucial support from OSCE Virtual Asset Experts over the past
two years. As a result, Georgia’s score in MONEYVAL has been elevated to “Largely Compliant” with FATF Recommendation 15.

50
Co-operation with
experts on digital
assets

Decoding Crypto Crime: A Guide for Law Enforcement 51

Co‑operation with experts
on digital assets

When dealing with digital assets and their associated reports at a

law enforcement agency (LEA) station, collaboration with external
entities becomes essential. These entities include international police
organizations, banks, and specialized units within certain countries.
Their expertise aids in the effective handling of investigations.

Identifying local expertise

It is invaluable to identify local members • Purpose: To field questions and that can act as a sound board for
of a law enforcement agency who have gain insights during reporting complicated cases. Inspiration for
experience in virtual assets. Having processes. how to organize co‑operation within
their contact details can be beneficial law enforcement with regard to virtual
for the following reasons: • Example: The United Kingdom’s assets can also be found in the
National Crime Agency (NCA) has Typologies Report 2023 compiled by
created a dedicated crypto unit Council of Europe.18

International support

Europol Platform For Experts (EPE):

• Description: This is a free platform as contact details to stakeholders, a work email and specify what
for hands-on assistance on virtual conferences, and other learning connects you to virtual assets and
assets for members of LEAs. resources. how your knowledge will benefit
others.
• Eligibility: To be eligible for the • Joining process: If an OSCE
EPE (https://epe.europol.europa. participating State is part of the - Clearly specifying the reason for
eu/), a country must be a Member of operational agreement20 Budapest joining, specifically as related to
the European Union or be part of a Memorandum (list provided virtual assets.
so‑called operational agreement.19 separately), they can apply for
access. The process involves: • Who can join: While the platform
• Benefits: EPE offers best practices is primarily designed for law
on virtual asset investigations. It also - Contact the designated authority enforcement officials, experts outside
provides access to webinars, as well at o3 (at) europol.europa.eu using of this circle both public and private

18 Look out for ‘Case Boxes’ -Typologies Report 2023 - Money Laundering and Terrorist Financing Risks in the World of Virtual Assets, Moneyval, Council of
Europe https://rm.coe.int/moneyval-2023-12-vasp-typologies-report/1680abdec4 (accessed 25 Feb. 2024).
19 Agreements & Working Arrangements with Countries. Europol
https://www.europol.europa.eu/partners-collaboration/agreements (accessed 26 Nov. 2023).
20 Agreements & Working Arrangements with Countries. Europol
https://www.europol.europa.eu/partners-collaboration/agreements (accessed 26 Nov. 2023).

52
 can also apply. However, the depth • Cost: There’s no fee involved. They have been updated several times,
of accessible information might be Access is entirely free. and feature multiple cryptocurrencies.
limited for non-law enforcement They remain free of charge for agents
professionals. In October 2019, Europol launched two from EU Member States. See:
educational games called “Cryptopol.” [email protected].

INTERPOL’s Financial Crime and Anti-Corruption Centre (IFCACC)

INTERPOL’s Financial Crime • Oversight in anti-corruption practices, the IFCACC. However, the depth of
and Anti-Corruption Centre from sports-related concerns to high- collaboration might vary based on the
(IFCACC): This is a centre dedicated level political discrepancies. nature and purpose of the association.
to countering transnational financial
crimes in order to safeguard global Joining process: Since IFCACC Cost: Since INTERPOL is an
financial systems. operates on a multi-agency model, international organization, there is no
potential collaborations involve: cost associated with engaging with its
Eligibility: Addressing the growing • Establishing contact with the General Secretariat.
concern of globalized financial crimes, INTERPOL General Secretariat or
INTERPOL introduced IFCACC as a with the INTERPOL National Central For additional information about the
consolidated response to assist in Bureau, which usually sits under IFCACC and I-GRIP, see:
battling these challenges. This extends a State’s ministry of justice and its • [email protected]
beyond mere law enforcement, being judicial police. • [email protected]
also relevant to international bodies and • Demonstrating clear alignment of
stakeholders. goals against financial crimes and For further information related to
corruption. virtual assets technicalities, members
Benefits: IFCACC facilitates: • Expressing potential areas of of law enforcement can send an
• Support in fraud, payment crime, collaboration or needs. email to: [email protected]
and cross-border inquiries from law
enforcement. Who can join: In addition to law Additional resource: members of law
• Assistance in anti-money laundering, enforcement, financial institutions, enforcement agencies can request
asset recovery, and understanding of international entities, and private sector INTERPOL’s Guidelines for Seizing
virtual assets. representatives can engage with Virtual Assets: [email protected]

UNODC virtual assets programmes against cybercrime and

money laundering and investigation workshops
Overview: Eligibility: • Transaction dynamics: Decode
Led by the United Nations Office on This specialized training is curated for the life cycle of blockchain
Drugs and Crime (UNODC) team, this professionals spanning various sectors, transactions, from inception to
comprehensive workshop series offers such as law enforcement, financial culmination.
an in-depth exploration of virtual assets, institutions, technology enterprises, • Blockchain in-depth: Uncover
financial crime, and the pivotal realm of and educational fields. It stands as an the processes through which
compliance. invaluable resource for policymakers, transactions are logged, ratified, and
regulators, investigative officers, and all archived on the blockchain.
The curriculum is structured into basic, professionals intent on decoding the • Blockchain forensics: Become
advanced, and cascade sessions, complexities of virtual assets, blockchain proficient in real-time transaction
defined as training‑the‑trainers, the dynamics, and the art of financial crime surveillance and discerning patterns
latter encouraging the propagation of mitigation. employed by malefactors to obscure
industry best practices. The workshops their identities.
blend rigorous theoretical constructs Key focus areas: • AML/CTF tactics: Assimilate
with tangible exercises, equipping • Virtual asset essentials: Delve how to calibrate anti‑money
participants from law enforcement deep into the genesis, evolution, laundering and counter-terrorism
with invaluable skills in tracking, and intricate facets of continuously financing protocols to align with the
investigating, and adeptly managing evolving virtual assets and their metamorphic landscape of virtual
virtual assets. underpinning technologies. assets.

Decoding Crypto Crime: A Guide for Law Enforcement 53

• Risk governance: To familiarize • Thoroughly peruse and concur to USD20,000 depending on the
participants with the gold standards with the explicit training terms of participant count. Preferential pricing is
in mitigating the distinct risks engagement. potentially accessible for public sector
tethered to virtual assets. delegates, academicians, non-profit
• Asset oversight: To provide the Target audience: entities, and media personnel.
participant best practices in the art The workshops are tailored to resonate Further information on the training
of aptly confiscating and stewarding with a diverse audience, encompassing scope can be requested by contacting
virtual assets amidst probes. investigators, legal aficionados, financial the UNODC Virtual Assets Training
regulatory personnel, tech pioneers, Division via email:
Enrollment steps: journalists, and more. They serve both [email protected]
Prospective attendees can: the public and private sectors, catering
• Review forthcoming workshop to those captivated by virtual assets Additional features:
timelines and secure their spots. and correlated fiscal norms. The e-learning platform of UNODC can
• Ascertain potential fee concessions be found at the following link:
based on their professional spectrum Fee Structure: Estimates for a training https://www.unodc.org/elearning/en/
via the specified form. session charges range from USD10,000 courses/course-catalogue.html

Basel Institute on Governance

Basel Institute on Governance: interested in virtual assets, blockchain, • Asset seizure: Procedures and
This is an independent, non-profit and financial crime mitigation. nuances in crypto asset confiscation,
organization focused on enhancing wallet management, and more.
governance and countering financial Benefits: The Basel Institute workshop
crimes globally. Based in Basel, offers insights into: Who can join: The course is tailored
Switzerland, it also operates in various • Cryptocurrency basics: for investigators, lawyers, AML/CTF
African countries, collaborating closely Understanding the foundation, professionals, members of financial
with the University of Basel. emergence, and scope of virtual intelligence units, FinTech practitioners,
assets, distributed ledger technology, journalists, and more. It is designed
The Basel Institute’s cryptocurrency and more. for both public and private sector
workshop: Offers a comprehensive • Transaction mechanics: Grasping professionals interested in navigating
4-day virtual training centred on the how the Bitcoin network functions, the world of virtual assets and financial
fundamentals of cryptocurrencies, cryptography, and transaction crime.
financial crime, and anti-money management.
laundering (AML) compliance. The • Blockchain & mining: Learning how Cost: CHF 750 per person with a
course encompasses a practical money transactions are secured, stored, and reduced rate of CHF 300 for specific
laundering scenario, guiding participants validated in the blockchain. members, such as those in the public
through tracing blockchain transactions • Blockchain analysis: Techniques sector, academics, non-profits, and
for illicit activities. for real-time transaction monitoring, journalists.
anonymity evasion by criminals, and
Eligibility: Open to professionals across tool utilisation. For more details:
the spectrum, from law enforcement, • Due diligence: Adapting AML/CTF [email protected]
financial sectors, businesses, and programmes to new payment modes.
even students. The content is tailored • Risk management: Best practices Course details and registration links
to benefit policymakers, regulators, and sources for managing virtual for available dates can be found on the
investigative journalists, and anyone assets risks. Basel Institute’s social media platforms.

FinCrime Fighters Foundation

The FinCrime Fighters Foundation is a connected with blockchain based reviewing newest reports, including
Stockholm-based foundation that has finance and Web 3. material from the OSCE that has been
been created by experts of the Digital released publicly. Regulations can be
Asset Task Force of the Global Coalition The foundation provides a free token searched with a Chat GPT-like system
To Fight Financial Crime. The goal of pool to the generative AI Assistant, to help practitioners to be up to date on
the tool has been to receive quick and dedicated exclusively to public and regulatory changes on a daily basis.
reference-supported answers to issues private financial crime fighters. The
team is constantly uploading and https://www.fincrimefighters.com/

54
Recommendations
for law enforcement
post-reporting

Decoding Crypto Crime: A Guide for Law Enforcement 55

Recommendations for law
enforcement post-reporting
• Provide immediate support: understand their loss, potential exchanges to track and possibly
Ensure that victims are given tax implications, and strategies to freeze scammers’ assets, making it
immediate guidance on how to recover or mitigate losses over time. harder for them to cash out their ill-
secure their remaining digital gotten gains.
assets and reduce the risk of • Educate: Launch public awareness
further financial loss. This could campaigns and workshops about • Cross-jurisdictional
involve guidance on how to change such scams. The more informed collaboration: Since digital scams
passwords, secure wallets, or shift the public is, the harder it becomes often cross borders, collaborate
assets to a more secure platform. for scammers to deceive potential with international law enforcement
investors. agencies to trace, apprehend, and
• Financial counselling: Connect prosecute culprits.
victims with financial counselling • Collaborate with exchanges:
services that can help them Work closely with cryptocurrency

Mariam Grigalashvili sharing insights from Georgia and the National Bank of Georgia with colleagues from the Central Bank of Armenia in
Yerevan during a workshop focused on cryptocurrency taxation and its relationship to AML and CTF policies.

56
Summary and
principles of
co-operation
with the OSCE

Decoding Crypto Crime: A Guide for Law Enforcement 57

Summary and principles of
co‑operation with the OSCE
The OSCE’s Virtual Assets Support Initiative

Who we are • Training & expertise development: that we resolve challenges before
The OSCE Virtual Asset Expert Team We offer comprehensive virtual assets they actually happen.
is uniquely poised to respond to the training programmes. Our team,
evolving challenges presented by which is a mix of policymakers, law • Scalability & continuity: Our
virtual assets for policymakers and enforcement, members of compliance cascade-training system includes a
law enforcement. Drawing on nearly teams of traditional banks, and WEB3 “train-the-trainers” model, in which
nearly fifty years of of excellence in companies, prioritizes hands-on we equip experts with the ability to
providing technical expertise, we assist learning, with a limited but concise return to their own jurisdiction to
policy members and law enforcement theoretical component. The primary disseminate this knowledge further.
in navigating the complexities of focus is on practical exercises, This ensures a wider reach and
virtual assets within the OSCE’s ensuring real‑world applicability. continuity in expertise development in
57 participating States. Notably, past participants have seen home countries.
direct results, including the successful
The value we create for law investigation of complex money • Building a safer digital
enforcement and policymakers laundering cases. environment: By ensuring that
policymakers and law enforcement
• Cutting-edge knowledge: Our • Resource provision: We collaborate are well equipped to deal with virtual
training equips law enforcement and with leading blockchain experts. assets, we contribute significantly
policymakers with up-to-date insights This hands-on experience with to creating a more secure and
and strategies, tailored to address professional tools empowers transparent digital financial landscape.
challenges unique to the realm of members to implement their learning
virtual assets. effectively in deep‑dive sessions and Join us in shaping the future of
workshops, in which we translate cybersecurity and ensuring a safer,
• Operational efficiency: With complex developments into exercises. more transparent digital realm for all.
hands‑on training, we provide
the logistics, book venues, invite • Case analysis: Our training often Get in touch with us at:
pre‑vetted virtual asset experts from encompasses real-time case studies [email protected]
OSCE participating States, propose and legislative support that visualize
an agenda, and put together the on‑going developments to ensure
learning objectives.

58
A short selection of
further reading

Decoding Crypto Crime: A Guide for Law Enforcement 59

A short selection of
further reading
United Nations Office on Organization for Security and U.S. Department of Justice
Drugs and Crime (UNODC) Co‑operation in Europe (OSCE)

Basic Manual on the Detection Handbook for Dealing with Virtual The Role Of Law Enforcement
And Investigation of the Laundering Currencies in Criminal Proceedings In Detecting, Investigating, And
of Crime Proceeds Using Virtual (2022) Prosecuting Criminal Activity Related
Currencies (2014) To Digital Assets (2022)

Despite being published by UNODC https://www.osce.org/files/f/ https://www.justice.gov/d9/2022-12/

more than ten years ago, in 2014, this documents/2/0/522754.pdf The%20Report%20of%20the%20
comprehensive 200-page document Attorney%20General%20Pursuant%20
delves deeply into various terms, and to%20Section.pdf
provides context for terms described in
this review. It also features detailed self- Published by the U.S. Department
assessment questionnaires: of Justice, the report serves as a
companion to the International Law
https://www.unodc.org/documents/ Enforcement Cooperation Report and
middleeastandnorthafrica/ updates the Cryptocurrency Enforcement
money-laundering/FULL10- Framework. It provides a comprehensive
UNODCVirtualCurrencies-final.pdf.pdf overview for future reference.

About the author

This review was created by Michal the Global Coalition to Fight Financial participating States. He gained his
Gromek, a leading virtual asset expert Crime, a collaboration established expertise through former roles as a
in the OSCE project aimed at mitigating between Europol, the World Economic FinTech executive and as a programme
money laundering risks associated with Forum, and London Stock Exchange director of the Executive Education
virtual assets and cryptocurrencies Risk Solutions. Gromek is also an division at the Stockholm School of
being conducted at the Office of the executive team member of the Global Economics. He worked with on Fintech
Co-ordinator of OSCE Economic and Coalition to Fight Financial Crime. and Virtual Assets Compliance for
Environmental Activities (OCEEA). He continues to conduct training over a decade. His findings have been
Gromek is a former Chief Compliance sessions for governments and law published on Forbes.com, as well as in
Officer of the Stockholm-based enforcement agencies, providing a number of books and journals.
Nasdaq-traded VASP Safello. He chairs support in crafting legislation to
the Digital Asset Task Force within prevent challenges faced by OSCE

60
Acknowledgements

A significant enhancement to this guide To ensure the highest possible Further editorial support was provided
has been the review and contributions readability and quality, the document by Greta Barkauskienė, Emilia
made by Dr. Alexandra Andhov. language was edited by multiple Pachomow, Sungyong Kang, and
Her legal expertise and insights individuals, predominantly by Grace Vincent Danjean. Additional review and
have greatly elevated the accuracy, Marshall, ensuring clarity and coherence suggestions for edits were conducted
relevance, and depth of the content throughout the publication. As the by the INTERPOL Financial Crime
presented. With her background as Secretary-General of the Global and Anti-Corruption Centre (IFCACC),
associate professor at the University Coalition to Fight Financial Crime, she particularly by Mona Hessein, as well as
of Copenhagen Faculty of Law, she helped adapt the information for a members of the European Cybercrime
provided invaluable assessments general audience. Centre (EC3), specifically Gert Jan van
and recommendations in the writing Hardeveld.
of this document. Dr. Andhov is In addition to Ms. Marshall, Denisse
experienced with the intersection of Rudich provided many hours of support The OSCE’s OCEEA team is thankful for
law and technology, contributing to a in assessing and editing the document, such strong support.
significant number of projects in this bringing her extensive experience within
area, particularly as the co-founder and the space to the table. Her insights into
chief legal officer of the Financial Crime both the content and the language were
Fighters organization. indispensable.

Our sincere thanks to the Latvian Financial Intelligence Unit for their crucial role in identifying and selecting ecosystem leaders for a study
visit to the Baltics focusing on virtual assets. We also extend our appreciation to the Polish Ministry of Finance for its continued support in
providing training facilities. Furthermore, we are deeply grateful to the many institutions and individuals from a wide range of sectors whose
contributions were instrumental in the successful progress of the project.

Decoding Crypto Crime: A Guide for Law Enforcement 61

Notes

62
OSCE Secretariat

Office of the Co-ordinator of OSCE Economic

and Environmental Activities

Economic Governance Unit

Wallnerstrasse 6

1010 Vienna, Austria

E-mail: [email protected]

www.osce.org/eea