True Crime Tales from the Crypto Detectives. Interview with Mark Bailey & Josh Ho, Crypto Forensic Investigations - Hall Chadwick
Interview with Mark Bailey & Josh Ho
Many people in the crypto/NFT world have the mistaken belief that transactions involving crypto, NFTs and blockchain are somehow anonymous. In fact, nothing could be further from the truth: it is comparatively easy to track transactions on the blockchain because it is public. We talk to Mark Bailey and Joshua Ho from the Crypto Forensics Team at Hall Chadwick as they tell us tales that make an episode of CSI seem boring. Their team spend their days chasing down fraud in the crypto and NFT space. The tasks include verifying assets, finding hidden wallets and tracking crypto transactions in cases of corporate fraud. Their services are also used by self-managed super fund auditors tracing crypto funds and in family law disputes. Hear fascinating stories of how these cyber-sleuths are able to track transactions. We also get an insight into how the Tax Office is being proactive in discovering crypto transactions and chasing under-reporting.
Transcript
Nick Abrahams:
Welcome everyone. My name’s Nick Abrahams. Welcome to Web3 From Mystery to Mainstreet. And today we’ve got a very interesting discussion with Mark Bailey and Josh Ho, who are in the Crypto Forensics Team at Hall Chadwick. And so, what we’re going to talk about today is this concept of the anonymity of blockchain crypto. And I know, certainly in my experience, had a number of potential clients come to me with propositions around setting up DAOs or other things, and they seem to be basing the notion on the anonymity of the DAO or the anonymity of wallets and so forth. And the blockchain’s ability to in some way obfuscate who’s actually responsible for the transaction.
Nick Abrahams:
Generally speaking, I’m not super comfortable in working with folks on that basis because I do come from a belief that ultimately particularly the tax office will find out who’s making money off things. So, and it’s not just the tax office, what we have seen in large disputes, people are prepared to put a lot of money into forensics teams like Mark and Josh and try to find out exactly what’s happening in the transaction. So, Mark and Josh Crypto Forensics, welcome to the team.
Mark Bailey:
Excellent.
Josh Ho:
Good to be here.
Nick Abrahams:
So, let’s just maybe just starting off a little bit, which is, can you describe I guess the services that the Crypto Forensics team offers?
Mark Bailey:
Sure. I might go back a little bit in terms of the journey in terms of how we ended up here today in some ways about I think it was four or five years ago. I was appointed by the Supreme Court in Victoria for taking a big account in respect to a company whose records weren’t able to I guess evidence and a lack of transparency in terms of what went on. And one of the issues was a number of cryptocurrency transactions. So that was our starting point and then over time, the inquiry continued to increase in terms of tracing assets or finding assets and making sense of crypto and the blockchain. And certainly five years ago, I struggled with it. And so, we’ve invested a lot of time and resources into building a team and the technologies and the experience.
Mark Bailey:
And as you know, Nick, the area, it just changes by the day. So yeah, investing a lot of time in trying to keep up with the entrepreneurs and the things that they’re up to. So, that’s led us to developing a team that now can trace and quite quickly sometimes. And when I say quickly, I mean within minutes sometimes for some jobs, transactions across the blockchain. So, essentially what that means is as you know the blockchain’s a permanent record of what’s happened going back to day one and the blockchain is anonymous. However, the on and off ramps are not anonymous. So, that’s where our work is either with the starting point of we know who the person might be. So, we’re going into the blockchain to find out what they may have been up to or it’s a case of not knowing who the person is, or yeah, mainly we don’t know who the person is, but we can follow through the blockchain to an on or off point to work out their identity. So, there’s two I guess, very different situations.
Mark Bailey:
So, that means verifying assets, finding wallets, hidden wallets, people not disclosing wallets, the type of situations might unfortunately for a lot of fraud related matters of people… It’s like, I explained to someone the other day, the Colosseum’s real, you go to the Colosseum but at the front down the lane, there’s some pretty dodgy people selling tickets. So, if you buy the ticket from the wrong person, you don’t get to go in and see the Colosseum then. And I think that’s speaking to some people that haven’t been involved so much in crypto, that there are people that are scared. They’re interested, but they’re scared, they don’t really know how to even go and buy crypto. And they’re worried that they’ll be buying the ticket from the dodgy bloke in the lane and not get to see the Colosseum.
Mark Bailey:
So, we’re doing a lot of work in the fraud space, commercial disputes. So, it’s companies that have raised money in crypto or during the last couple of years with the volatility of business, some people have speculated with the company’s money in terms of investing in crypto and that doesn’t always go well. So, was it really lost in transacting and investing or did the money kind of skip across to someone’s mate’s wallet and they’ve tried to exit. And the other big one for us is in the family law where people aren’t disclosing their crypto investments or they’re under disclosing and not a big thing in terms of work that’s come to us, but I’m sure it’s a big one out there is in the self-managed Super Fund space.
Mark Bailey:
And yeah, I worry a bit for SMSF auditors because once somebody starts buying and selling crypto, as opposed to just buying, how would a self-managed Super Fund auditor actually know what’s happening in terms of were the crypto investments just sold on the market or were they actually transferred off into someone’s private wallet? And we have looked at a couple and determined it’s not what the self-managed fund auditor thought. And without the tools and the skill, there’s just no way you could sign off on a self-managed Super Fund audit. So, I think that one’s coming.
Nick Abrahams:
I feel like there’s a TV show in this, it’s Mark and [inaudible 00:07:22] sort of CSI type stuff. What’s fascinating is often on the show, we talk to people, it’s all about the positivity of crypto and NFTs and so well, and there is a lot of that and a lot of enthusiasm around the space. But I guess, as Mark, Josh, and myself know that there’s always a corollary to this, which is people don’t make money just ad infinitum, that it’s not always a bull market. And so, the services that you are offering often it’s when things have come a little awry and as you mentioned, it’s fine or someone may be punting some of the company’s money on crypto, and it’s not a problem until it’s a problem.
Nick Abrahams:
Until the crypto market tanks in some way and then they get themselves caught. And this is as old as time itself, it’s that we’ve seen this across organizations for many, many years. So, it is interesting that you’re starting to see a much bigger flow of work. I agree entirely in the self-managed Super Fund space and I think most advisors would say it’s a difficult asset to hold directly in an SMSF. Obviously there are some funds around, which can be held. But indeed, one of the problems that we came across the other day was even just with people transacting. Buying things with crypto and so forth, it becomes very awkward because the crypto was bought at a particular price point. And then when they buy something, even something as simple as a cup of coffee at Starbucks or something, you immediately crystallize a transaction which, for the sake of the tax laws, then becomes a capital gains tax event, just the buying of a cup of coffee, because you’ve gone from effectively transferring an asset which was a Bitcoin or part of a Bitcoin into then a coffee.
Nick Abrahams:
So a lot of complexity. It comes as no surprise to me that the SMSF auditors would struggle in this space. Are there any specific cases that you could drill into around what people have been doing, and how they’ve been hoping to hide them?
Mark Bailey:
Yeah, I’ll let Josh tell a few stories.
Nick Abrahams:
Here we go. This is what we came for. No names though, Josh. [inaudible 00:10:04].
Josh Ho:
No names, no names.
Nick Abrahams:
Everyone loves a good story.
Josh Ho:
There’s this specific assignment. We were approached to provide our feedback on this party’s AssetCo links where crypto assets was involved. And what we had to do was to verify the assets and liabilities of this individual. And I can’t say much apart from describing what we did.
Josh Ho:
So the individual came in, declared that he holds cryptocurrencies, put it on the assets and liabilities statement. On paper, it was nothing extraordinary. He provided some statements, some screenshots of his wallet balances. It’s nothing extraordinary at first glance. He made some profits trading crypto, converted to Australian dollars, or in the world of cryptocurrency, we call it fiat. Transferred back and forth between his bank account, crypto exchange. His crypto holdings did not appear to be significant either. It’s a few thousand dollars in Ethereum and Bitcoin.
Josh Ho:
As I say, at first glance, it looked quite straightforward, but the documents that we had only told us half of the story. They were useful to tell us what he had at that point in time or what we wanted to know. But we wanted to know if there were other exchanges or personal wallets or non-custodial wallets that this individual had used in the past, and not disclosed. And we were able to do that by reviewing the transactions that occurred on the blockchain or on chain transactions.
Josh Ho:
We looked at the withdrawals that he had made over a period of time from the exchange, and all the interactions that he had between his private wallets and the exchange. And surprise, surprise, we uncovered a few private wallets or personal wallets that this individual holds outside an exchange and a number of exchanges that he’d used in the past, which he did not disclose.
Josh Ho:
Now, not only that. One of the private wallets, personal wallets, holds a stash of very, very valuable non-fungible tokens, NFTs, and I’m talking about Bored Ape, digital land parcels in Decentraland, Sandbox and so on.
Nick Abrahams:
Wow. Oh my gosh.
Josh Ho:
And I was quite surprised-
Nick Abrahams:
Josh is on the trail.
Josh Ho:
Looking at the behavior, you would think that he would know all this are public information, but chose not to disclose it. And the other party had no idea of all the secret wallets. So the discovery was very, very useful to the party that engaged us to do the work. It wasn’t a complex exercise, but it worked because of the blockchain we looked at, the transactions, and because of how transparent the blockchain is. You hop on to the internet, you put in the wallet details or transaction on the public ledger, and everything is there.
Nick Abrahams:
So let’s drop into that a little bit because we talk about the blockchain. Obviously there’s not one universal blockchain, there’s a number of, I guess, layer ones is what you are talking about, what sort of, I assume, you’re looking. How does that roll out technically, I mean, without dropping into exactly the technical details? So you know one wallet address. I assume it was sitting on an Ethereum. And so you were able to look at that. And then, is it possible for anyone without consent necessarily, to look at all the transactions of that wallet, to and from? Is that how that works?
Josh Ho:
Yeah, absolutely. All you need to do is go to a specific website, enter the wallet details, or if you have the transaction details, you can see everything that the wallet has interaction since the creation of the wallet. Every single transaction since it was created to the date when you access the wallet. So everything is up there, it’s public. All you need, it’s just a piece of information and a tracker.
Nick Abrahams:
Right. And then you go from that one wallet, you can then see, okay, well, there’s been a bunch of transactions involving that wallet. And then you go to the other wallets that are transacted with-
Josh Ho:
Correct.
Nick Abrahams:
… and then you follow the chain.
Josh Ho:
Correct. You follow the money. You follow the money, you follow the transactions. And that leads to every single transactions that one wallet interacted with another, it’s all linked together. As long as you follow the money, you uncover. Sometimes you uncover nothing. Sometimes you find out things that… Yeah.
Nick Abrahams:
Wow. [crosstalk 00:14:47]
Mark Bailey:
Yeah. They’re very powerful tools. And as you probably know, Nick, regulators all around the world, watching the blockchain and they’re designating risk wallets from big crime perspective and they’re catching the serious big players. It’s the same kind of tools and techniques that we’re using in a… We’re not chasing the Lazarus Group and those types. So we’re dealing with more mainstream activity, if you like, in terms of whether people have done the wrong thing, not disclosing, or smaller scale fraud, but the tools are very powerful. People think they can get away with something today, and maybe they will get away with it today, but because it’s permanent…
Nick Abrahams:
Yeah. I-
Mark Bailey:
In a year or two, someone will come back and look at it.
Nick Abrahams:
Yeah, yeah. No, it was interesting. I noticed on, you know how on your myGov account, that you can go on there and the tax office tells you what they know about you, what account you have. Last year they had… It was the first time I recall seeing it. They said, we know that you have some cryptocurrency. They didn’t have any details of it, interestingly enough. There’s a section on there saying, be sure to report your cryptocurrency trades. And I was like, “Wow, that is interesting.”
Nick Abrahams:
So I think for those folks who, particularly what we have seen, if you look at the last two to three years, there’ve been some astronomical gains we see on crypto. Things leveled out about a year ago and obviously, perhaps in some cases gone negative, but I do wonder how this will wash up, because I think there’s a lot of people keeping money or keeping crypto on chain. We’re obviously seeing the growth of the NFT market and so forth giving a digital asset that could stay on chain so they don’t have to off-ramp into fiat. But I do wonder whether we’re going to see, folks like the tax office ultimately get around to audits and so forth. Do you see that as a likely scenario?
Mark Bailey:
Absolutely. Yeah. Absolutely. Because as I said, some of the jobs that we’ve done, it’s only taken a couple of minutes for us to work out what people have actually been doing compared to what they say that they’ve been doing. Yeah. So absolutely, from a tax office perspective, I think they’ll be coming.
Nick Abrahams:
Yeah. Yeah. I feel like-
Mark Bailey:
And as you say, they do have a program that’s building a year or two. If you went back a couple of years ago, there’d be nothing from a crypto perspective on if people have been to the website and see what the ATOs got on you in terms of your dividends and your bank accounts. And then, last year they started saying, “Oh, we think you’ve got crypto.” That’s in progress. That will only become stronger and stronger over time.
Nick Abrahams:
Yeah. I feel like there’s going be collective sense of, “Oh my God,” from a lot of the audience members here listening to this. Because I do sense that there is a perception within some crypto players that this is just an unregulated world that.
Nick Abrahams:
And I often, well, I find myself with some folks who see me as a bit of a buzzkill because I’m like, “Well we got to think about how there’s KYC and there’s AML and there’s whole range of issues associated with crypto.” And I do hit that wall where people are like, “Ah, but it’s just going to be wallet based.” Yeah.
Mark Bailey:
Yeah. I think, my reading is that whilst the Bitcoin white paper talks about anonymity, I think it’s been taken out of context that the purpose of the anonymity is to enable transactions to happen efficiently. And not get caught up in this transaction is with this person and this one is with this company. And we’re going to block that one or we’re going to defuse that one.
Mark Bailey:
It’s part, and the trust and transparency element, yes, it’s reduced to this pseudo anonymous concept of wallet numbers, et cetera. But I cannot imagine that the idea of the anonymity was to enable a market where people can do whatever they want, because that market, surely it’s either limited in its life or from a regulation perspective or it will just implode.
Mark Bailey:
The anonymity part is to enable an efficient transaction system. And whilst it sounds a bit cloak and dagger and negative in terms of the things that we’re discussing. I think it’s really, in many ways, it’s a positive and really important that people like us are in there trying to assist with the transparency and trust part of it, because that will bring more people to the crypto world. I spoke about some people that there are a lot of people that are very scared and there are obviously a lot of people that have been burnt. But it’s not by the technology. It’s by the people on the outside trying to scam the system.
Mark Bailey:
Regulation’s clearly coming and the faster it comes, the better. Last week alone, we had five people contact us re crypto fraud. And as I say, now these are the blokes down the lane selling the dodgy tickets to the Colosseum. I guess in terms of people listening, just because the website that you’re dealing with looks like it’s big UK investment company, doesn’t mean it is.
Mark Bailey:
People really do need to do their homework in terms of who they’re dealing with before they hand over their money. And when somebody says, “Before I give you your investment returns, you have to give some more crypto.” You are not in a good situation.
Nick Abrahams:
Oh my gosh.
Josh Ho:
It’s a classic behavior.
Nick Abrahams:
Yeah. It’s the Nigerian loan scam reimagined.
Mark Bailey:
Yeah. Yeah. This stuff to me, it’s really important for the entrepreneurs that are out there trying to do fantastic things, they need the trust, the certainty, the clarity, the transparency. It’s just crucial for the technology to develop further.
Nick Abrahams:
Yeah, yeah. No, I think you’re absolutely right. That even you look at rug pulls that we’ve seen in relation to various NFT releases. And the NFT market, it’s come off a little bit. Although some of the legacy stuff, Josh, you mentioned Apes and so forth, the pricing on that still stays pretty good. But we’ve seen some terrible situations with scams in relation to NFTs.
Nick Abrahams:
Maybe just changing tack slightly, so we see a lot of ransomware around the place, right at the moment. It’s really developed over the last couple of years. Then there was the Centennial pipeline case in the US where there was quite a significant ransom paid there. And the FBI was able to trap and lock and recover, not all of it, but a decent amount of the ransomware.
Nick Abrahams:
Can you talk a little bit about, is that possible in the case of, so with ransomware payments, for example, we know that, I’ve acted on a number of these cases where we’re forced to pay ransom in Bitcoin. But how simple or hard is it to track where that payment goes to, and then actually trapping it so that it’s not able to go, and then you can recover it? It sounds complex to me, but interested in your views.
Josh Ho:
Yep. I’ll take this. I think you are referring to the Colonial Pipeline.
Nick Abrahams:
Yeah. Colonial. [inaudible 00:24:13]
Josh Ho:
Yeah. Colonial. Colonial, a bit of a background. Colonial Pipeline is an American oil pipeline system originated in Houston, Texas. And I think in May last year, their computer system was hacked. And it was through one of the user’s account password that was compromised, from what I read. And they had no choice but to shut down the system. And apparently it was the largest cyber attack on the oil infrastructure, in the history of the United States. And I think Joe Biden declared a state of emergency of the day of the attack.
Nick Abrahams:
No, correct. Yeah.
Josh Ho:
Now, what the hacker did is they requested a ransom of 75 Bitcoins at that time, or equivalent to 4.4 million. They had no choice. They had to pay the ransom. And it was a huge disruption to the system. And in return, I think after they make the payment, the hacker send them some sort of application to resume their system operation.
Josh Ho:
Now, they also stole I think 100 gigabytes of data from Colonial Pipeline and threatened to leak it if the ransom wasn’t paid. They did make the payment and subsequently, FBI was involved in the matter, and a number of government agencies were also involved too. But because of the blockchain, I think using the blockchain technology and some traditional investigative tools, the US government managed to trace the movement of funds and recovered 63 Bitcoin from the hackers, which was equivalent to the 2.3 million at the time.
Josh Ho:
Now this was not confirmed. Apparently, I think the US government managed to get hold of the private key of probably one or two or some of the wallets. But if the movement of funds is fully visible on the blockchain, if you use a visualization tool, you can see the crypto funds being paid out of the Gemini crypto exchange, because that’s where it was paid out, to a number of wallets associate to the hackers.
Josh Ho:
And I think the group name, I can’t remember the group name now. You can see the flows of funds move several hops through a number of wallets. Then it went to a group of wallets that was flagged by the authority as related to this hackers group. And when the US government managed to recover the Bitcoin, you can see the amount leaving the group of wallets controlled by the hackers, out of those wallets to the government controlled wallet. Everything is visible on the blockchain.
Nick Abrahams:
Yeah. That’s phenomenal. Okay. It was just good investigative techniques that allowed the government to [inaudible 00:26:54]. And I mean, does it then become at some stage, how do they off ramp that money? And how do they off-ramp that money at… As in, for the perpetrator, because at some stage I assume, they need to eat. And so, if you can continually watch that go through all of the wallets, an infinite number of times, does it just become so complicated that you can’t see where it off-ramps? Or will you always be able to see where it off-ramps?
Josh Ho:
I think based on our experience so far, this is not Colonial Pipeline, but typical fraud or scam matter, you see that they transfer money out of the wallet that the victim paid money into, and move into several wallets. But there is always an exit point where they want to cash down. And that’s the point we usually trace to, to provide some sort of bullet to the victim or the lawyers to say, “Hey, we managed to link all these transactions from this wallet to an exit point,” say a crypto exchange, then that’s where the person can take further action.
Nick Abrahams:
Yeah. Yeah. Fantastic. Josh and Mark, this has been fascinating. I guess, we’re obviously seeing a lot of organizations looking to embrace crypto and NFTs and so forth, and the blockchain more generally. Just maybe to finish up, what’s some advice around how organizations can do that?
Nick Abrahams:
And then I guess, a secondary question will be also, to the extent that someone feels like they’ve got some sort of crypto fraud or something, what could happen with that? But maybe just first off, some ideas around what should organizations be looking for as far as internal controls and things of that nature?
Josh Ho:
First point, of course you find a reputable exchange. And if you’re a company, check whether the exchange supports company’s accounts or not, rather than individual, and then from there you have your KYC process that you have to go through, and everything is in one place.
Josh Ho:
Whereas if you set up a private account or a private wallet, there’s no… You don’t have to go through all those process. So it’s really hard to prove your identity if you have a personal wallet or non-custodial wallet. That’s my first thought. But then what do you think, Mark?
Mark Bailey:
Yeah, I think, when you start dealing in private wallets for a company, that’s going to be really dangerous. I guess in the best case, it will be expensive because you’ll need somebody like us to be either post-reviewing what happened with that wallet, or we can monitor wallets in real time of course, as well. But it’s just an expensive way to do business.
Mark Bailey:
I guess it’s a little bit the same in terms of the transactions that Josh spoke about, and that there are ways and techniques that those that are super savvy and high risk takers can undertake, to make it very hard for people like us to trace transactions. So there’s always going to be a cost trade-off.
Mark Bailey:
In terms of using cryptocurrency at the moment as an on-balance sheet thing, whilst we take crypto payments because we’re providing services in the crypto world and some of the entrepreneurs and NFT businesses, et cetera, they want to pay in cryptos. So we only accept that in stable coins, or Ethereum or Bitcoin. So the major coins, and we cash out straight away. Because we’re not-
Nick Abrahams:
Okay, but you will accept-
Mark Bailey:
We’re an accounting firm. We’re not in the business of investing in crypto.
Mark Bailey:
So I think that’s an important discipline to have in the business. Businesses need to stick to doing what they do best, and not go off on tangents. If their business is around crypto currencies, such as exchanges, we audit a number of exchanges. And we also audit their compliance plans, in terms of their compliance procedures for the AUSTRAC and the anti-money laundering things, which I’m not sure if the viewers understand the… Whilst crypto is seen to be unregulated at the moment, there are current regulations and serious regulations around the exchanges being registered with AUSTRAC in Australia.
Nick Abrahams:
Sorry.
Mark Bailey:
And hence why there’s the Know Your Client concept and the anti-money laundering. And I know some of the players in the crypto world that have provided services to facilitate anonymity, they’re even stepping up their game now, in terms of… For their longevity in the business. So they’re now taking steps to not deal with wallets that have been marked by authorities as either suspicious or known organized crime links.
Mark Bailey:
So the space is constantly changing and improving and I think becoming more transparent and trustworthy. So from a corporate perspective, it’s not a case of “will”, it’s really… Or “if,” it’s “when” will it be right for a company to be involved.
Nick Abrahams:
Yeah. Yeah. Terrific. Well, I mean, that’s been fantastic. And I guess, anyone out there who I guess has any questions around the space, or particularly if you have been a victim of crypto fraud or want to track some crypto transactions, please do reach out to Mark Bailey and Josh Ho in the crypto forensics team at Hall Chadwick.
Nick Abrahams:
So thanks guys. We will let you get back to your day of sleuthing after the perpetrators, and good luck with that. It’s been fascinating and we look forward to working together with you and also hearing more in the future. Thanks very much, Mark Bailey and Josh Ho.
Mark Bailey:
Fantastic Nick.
Josh Ho:
Thanks for having us.