
Crypto-assets, investigators and the wealth industry

Ed Shorrock and Will Scott-Gall, Duff & Phelps and Kroll, Investigators, London, 15 August 2019


Crypto-assets help to disrupt the business of private wealth managers because HNWs invest in them directly without any middlemen. Family offices, however, also invest in them on behalf of the HNWs in wealthy families. What happens when things go wrong?

We have all become increasingly familiar with the trials and tribulations of the crypto world - an initial coin offering (ICO) turning out to be nothing more than an elaborate fraud; an exchange being hacked with empty wallets uncovered in the aftermath; and regulators becoming increasingly agitated over an asset class that is difficult to explain and understand, let alone regulate.

You will note that we have used the term “asset” rather than “currency” when referring to crypto and this is deliberate. The notion that 'crypto' is solely something that meets the traditional definition of a currency is long gone. People do not use it much as a means of exchange. Instead, they generally trade in it. It is clearly an asset class, although a highly volatile one.

Cryptos and the wealth industry

Crypto-assets help to 'disrupt' the business of private wealth managers because HNWs invest in them directly without any middlemen. Family offices, however, also invest in them on behalf of the HNWs in wealthy families and (although we have not come across it) it is possible that trusts set up by - or acting on behalf of - HNWs or their relatives do as well. We are seeing an increasing number of incidents related to people who use ICOs to raise capital, which they usually acquire from HNW individuals in the first instance.

The world of investigations

When crypto-assets go bad, how do the affected exchanges, ICO companies, businesses that accept payments from customers in digital assets and FinTech businesses such as Coinbase carry out investigations and what common themes arise? We frequently act as financial investigators on behalf of receivers or court-appointed officials and have worked on a number of investigations involving crypto-assets. In the course of our adventures, we have made a few discoveries.

The most pressing job that we face at the beginning of such cases is that of identifying and controlling the crypto-assets in question. HNWs and/or their family offices hold these assets in e-wallets that are encrypted with private keys. In every case we find it imperative to obtain access to them and control the wallet encryption keys at an early stage. Unfortunately, in the case of fraud, this is often the crucial stumbling block.

If we are successful, we are able to reconstruct fund flows. Just as importantly, and drawing on a unique feature of crypto-assets, we are able to trace the initial and subsequent transactions on the blockchain, which acts as a permanent, accurate and immutable record of each and every transaction.

The nature of the blockchain also enables investigators to spot fraudulent recordkeeping or, in the case of an ICO, regulatory malfeasance. Using bespoke IT tools, for example, they can cross-reference internal books and records against the blockchain and identify thousands of transactions that had been fraudulently recorded internally but had not appeared in the blockchain. By doing this, they can quantify the fraud accurately.
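The cross-referencing described above can be sketched as follows. This is an added example, not the investigators' own tooling: the record layout, field names, transaction ids and addresses are all constructed for illustration, and a real case would load the on-chain side from a node or block-explorer export.

```python
from decimal import Decimal

# Constructed on-chain export, keyed by transaction id (placeholder ids, not real hashes).
ON_CHAIN = {
    "tx-aaa1": {"to": "addr-client-1", "amount": Decimal("2.50000000")},
    "tx-aaa2": {"to": "addr-client-2", "amount": Decimal("0.75000000")},
    "tx-aaa4": {"to": "addr-client-3", "amount": Decimal("1.00000000")},
}

# Constructed internal books: what the company's own ledger claims happened.
INTERNAL_BOOKS = [
    {"ref": "INV-001", "txid": "tx-aaa1", "to": "addr-client-1", "amount": Decimal("2.5")},
    {"ref": "INV-002", "txid": "tx-aaa2", "to": "addr-client-2", "amount": Decimal("7.5")},
    {"ref": "INV-003", "txid": "tx-aaa3", "to": "addr-client-9", "amount": Decimal("4.0")},
    {"ref": "INV-004", "txid": "tx-aaa4", "to": "addr-insider", "amount": Decimal("1.0")},
    {"ref": "INV-005", "txid": None, "to": "addr-client-5", "amount": Decimal("3.25")},
]

def reconcile(books, chain):
    """Classify each booked entry by how it compares with the chain record."""
    findings = {"matched": [], "not_on_chain": [],
                "amount_mismatch": [], "recipient_mismatch": []}
    for entry in books:
        tx = chain.get(entry["txid"])  # None when the id is missing or unknown
        if tx is None:
            findings["not_on_chain"].append(entry["ref"])
        elif tx["amount"] != entry["amount"]:
            findings["amount_mismatch"].append(entry["ref"])
        elif tx["to"] != entry["to"]:
            findings["recipient_mismatch"].append(entry["ref"])
        else:
            findings["matched"].append(entry["ref"])
    return findings

def unsupported_value(books, chain):
    """Booked value the chain does not support: entries with no transaction,
    plus the overstated portion where the booked amount exceeds the chain amount."""
    total = Decimal("0")
    for entry in books:
        tx = chain.get(entry["txid"])
        if tx is None:
            total += entry["amount"]
        elif entry["amount"] > tx["amount"]:
            total += entry["amount"] - tx["amount"]
    return total

if __name__ == "__main__":
    print(reconcile(INTERNAL_BOOKS, ON_CHAIN))
    print("Unsupported booked value:", unsupported_value(INTERNAL_BOOKS, ON_CHAIN))
```

Amounts are held as `Decimal` rather than floats so that the quantified figure is exact to the smallest unit of the asset.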

Custodial banks do not seem to keep e-wallets on behalf of people and some people are so security-conscious that they keep their wallets offline. The wealthy hide millions of dollars' worth of Bitcoin offline in bunkers and in Switzerland (in the bosom of an unnamed mountain on the shores of Lake Lucerne) there is a huge and very secret Xapo crypto-vault where millionaires and family offices stash their cryptos. Otherwise, HNWs and family offices hold money at crypto-exchanges.

HNWs' e-wallets, when not held in bunkers, are major targets for fraudsters and criminals. Anyone who has the right key to an account can access it. If it is linked to the Internet, practically anybody can see how much is in it. The owners of these wallets often realise that they have been compromised only when they are locked out of their accounts or the funds have been transferred without their authorisation. Sometimes 'insiders' at family offices are involved too.

Skulduggery at the exchange

In one case we used digital forensic tools to uncover unusual patterns of activity on a series of accounts. We analysed the nature of this activity and compared it with that of the exchange's wider customer base. In this way, we could connect the incidents together. While we were in the middle of this operation, we realised that all the attacks were the handiwork of the same people. At one point, digital clues such as IP addresses led us to someone who had established a 'test' account in an effort to probe an exchange’s defences shortly before targeting other accounts.

At this juncture, we leave the digital world and move into the real world of people. The exchange, in the European Union's phrase, had "done customer due diligence" (CDD) by collecting background information about its HNW customer. We then probed some of his real-world connections by exploring links on social media. He had business and personal associations with people who had been convicted and had served sentences for serious organised criminal offences. He was also known to at least one of the exchange's customers whose accounts were compromised.

With a working hypothesis and some facts established, we concentrated on tracing the movement of the funds. Financial criminals had moved the crypto-assets out to a series of other accounts and then dispersed them. Again, using the unique characteristics of the blockchain, we found out where they had sent the funds without having to ask a civil court to compel financial institutions to hand over transactional data by issuing a Norwich Pharmacal order.

Going ex parte

When we are contemplating (or even in the middle of) legal proceedings against someone and we have a third party who is not subject to the claim (i.e. who has not taken part in the supposed wrongdoing) but holds information that might help us against our target, our law firm prevails on a civil court to grant a Norwich Pharmacal order. The court might grant this civil disclosure order against a bank, a social media platform, an internet service provider or a telecom provider. The information might be account information, message data or something else.

As investigators we usually go ex parte when asking for this information. Ex parte means 'for one party' and refers to motions, hearings or orders granted at the behest of (and for the benefit of) one party only. This goes against the basic rule of court procedure that both parties must be present at any argument before a judge, and against the otherwise strict rule that a lawyer may not notify a judge without previously notifying the opposition. Alongside this ex parte order, we generally ask for a gagging order to stop the bank, exchange or other service provider in question from telling the targeted customer about it.

Partial retrieval

Criminals perform professional services (such as money laundering) for each other in the crypto world, just as they do everywhere else. In the case we have just described, the criminals channelled crypto-assets through 'mixers,' which are basically money laundering machines.
 
In countries whose regulators were effective in this area, we were able to recover funds. (Crypto-investigations also suffer from some of the same problems that investigators face when they try to trace fiat currency through the global banking system.) Unfortunately, we are still trying to retrieve them in countries where regulatory regimes are weak. By now, the criminals have converted some of the funds into traditional currencies through payment processors.

These processors are a very interesting part of the market. They connect e-commerce businesses to the traditional banking system. If an HNW goes on holiday, PayPal might be his payment processor, giving him an account from which he pays for various goods and services, as long as his PayPal account is connected to the vendor in question.

A learning process

As with all technology, the blockchain can serve both legitimate and illegitimate purposes. Wherever there is a weakness or some opacity in a financial system and its regulation, criminals will always find a way to exploit it and the crypto-environment is no different, even if their methods are different. Law enforcers, regulators and financial firms are becoming increasingly aware of the risks in this area. This explains to a very large extent why governments are taking an incremental approach towards allowing crypto-assets to become part of everyday life. We are at the early stages in our efforts to understand the mechanisms that criminals use in this environment, but we are already having many a success where previously an investigation would have led to a dead end.

* Will Scott-Gall can be reached on +44 0 207 029 5374 or at wscott-gall@kroll.com; Ed Shorrock can be reached on +44 1534 603 134 or at ed.shorrock@duffandphelps.com.
