Blockchain & Cryptocurrency , Cryptocurrency Fraud , Fraud Management & Cybercrime

Behind the Scenes of One of the Largest US Forfeiture Actions

Unpacking How the Feds Confiscated $34M in Crypto Tied to Illicit Activity
Behind the Scenes of One of the Largest US Forfeiture Actions
Operation TORnado targeted hackers using TOR for darknet access. (Source: Shutterstock)

Last week, the U.S. Department of Justice said that law enforcement authorities had made "one of the largest cryptocurrency forfeiture actions ever filed by the United States," confiscating about $34 million worth of cryptocurrency "tied to illegal dark web activity." Here's how they made it happen.

See Also: OnDemand | NSM-8 Deadline July 2022:Keys for Quantum-Resistant Algorithms Implementation

The funds were seized from an unnamed South Florida resident who made more than "100,000 sales of illicit items and hacked online account information on several of the world's largest dark web marketplaces," to rake in millions, the DOJ says, citing the U.S. government’s civil forfeiture complaint.

A civil forfeiture complaint is a court proceeding against the property rather than a person. This type of action doesn't require the suspect to be convicted for the assets to be confiscated.

"The South Florida resident sold hacked online account information for popular services such as HBO, Netflix and Uber, among others, and accessed the dark web by using The Onion Router [TOR] network," the agency adds.

Operation TORnado

The DOJ's latest forfeiture was part of an operation called TORnado. It was conducted by the Organized Crime Drug Enforcement Task Forces, a partnership between federal, state and local law enforcement agencies. Participating agencies for this case included the Internal Revenue Service - Criminal Investigation, the Federal Bureau of Investigation, the U.S. Drug Enforcement Administration, Homeland Security Investigations and the U.S. Postal Inspection Service.

The U.S. government agency previously seized $45 billion worth of cryptocurrency in the 2022 Bitfinex hack case - the biggest such financial seizure in DOJ history. Other significant actions include its $1 billion forfeiture from the Silk Road prosecution case in 2020 and a $56 million seizure in the BitConnect fraud case in 2021. The DOJ's Asset Forfeiture Division declined ISMG's request for details on its past actions and where the latest case ranks on its list of forfeitures.

Cryptocurrency forfeitures are difficult to measure in terms of scale and size as the value of the funds varies greatly over time [with fluctuations in the value of cryptocurrencies in fiat terms], says John Hammond, senior threat researcher at cybersecurity company Huntress.

A court document, detailing the case against the accused, shows that in Parkland, Florida, law enforcement officers seized from the suspect approximately 919.3 Ether coins around May 16, 2017; 2.6 Bitcoins about June 30, 2017; and about 640.26 Bitcoins, 640.27 Bitcoin Cash, 640.27 Bitcoin Gold, and 640.27 Bitcoin SV between June 16 and 19, 2017. The forfeiture is "currently valued at approximately $47 million, and constitutes proceeds from computer fraud and property involved in money laundering transactions," it says.

While the court document states that the value of the forfeiture is $47 million, the DOJ statement puts the figure at $34 million. A spokesperson for the agency tells ISMG that the conversion rate of the virtual currencies to U.S. dollar at the time of filing of the complaint was approximately $47 million, while the value fluctuated to about $34 million when the DOJ released its statement last week.

The agency did not address why it only announced the forfeiture now, when the funds appear to have been seized about five years ago. It also declined to comment on other aspects of the case, including whether the suspect had been arrested or charged, saying that it "cannot comment at this time about the operation."

Timeline of Events

In January 2017, law enforcement agents reviewed, for reasons not described, the sales feedback of a vendor on several unidentified darknet marketplaces. Sales feedback on the dark web is similar to seller/product reviews on e-commerce websites.

But even before the reviews caught their eye, law enforcement officials had been tracking this individual.

Using the online alias Moniker 1, the vendor appeared to have conducted more than 100,000 dark web transactions, selling unidentified illicit items as well as hacked online account credentials to various platforms, starting in October 2015.

The law enforcement agents, posing as genuine buyers, contacted the accused, seeking usernames and passwords for multiple platforms. Through January 2016 and March 2107, they bought 10 Netflix, one World Wrestling Entertainment, 60 Uber, three Xfinity, one HBOGO and one Showtime login credentials for 0. 1468 bitcoins.

The agents then confirmed via relevant online service providers, including Netflix and Uber, that the credentials belonged to real subscribers - subscribers who did not know that their access information had been sold on the dark web.

Netflix and Uber did not immediately respond to ISMG's request for comments.

In 2016, the agents identified two residences in Florida linked to Moniker 1. The accused had previously provided these addresses as the delivery destination for narcotics purchased on the dark web.

The occupant of one of the addresses, which was in Parkland, Florida, had a Comcast IP address. An analysis of the resident's internet traffic between December 2016 and March 2017 showed that they had connected to the TOR network on multiple occasions that correlated to the time Moniker 1 received messages from the undercover law enforcement agents making credential purchases via the dark web.

The agents identified this individual as owning a bank account at PNC Bank, whose funds history was consistent with Moniker 1's transactions using his illicitly gained cryptocurrency via virtual currency exchange platform LocalBitcoins.com.

Law enforcement authorities made their first seizure of the illicit virtual funds from Moniker 1 on May 16, 2017, and the individual confirmed his or her online use of Moniker 1.

The accused, according to the DOJ statement, used crypto tumblers and chain-hopping techniques to hide their tracks and launder the stolen funds. This made it tougher, but not impossible, to trace the flow of funds or indeed recover them.

A crypto tumbler helps obscure the original source of funds. For instance, if you put in one crypto coin that needs obfuscation, the tumbler breaks it up into multiple pieces, mixes the pieces up - or tumbles them - with other clean coins, and then redistributes random increments of the tumbled coins to designated cryptocurrency wallets at random times.

Chain hopping refers to using illegal dark web money transmitter services to launder one cryptocurrency by exchanging it for another.

Trans-Agency Effort

Ari Redbord, head of legal and government affairs at TRM Labs and an ISMG contributor, says this is yet another example of the DOJ "going after the illicit underbelly of the cryptocurrency ecosystem."

"We have seen cases against darknet mixing services such as Helix and Bitcoin Fog. We have seen Treasury actions against parasite, noncompliant exchanges like Russia-based Suex and Chatex, and we have seen the takedown of darknet markets, including the takedown today [April 5, 2022] by U.S. and German law enforcement of Hydra, the largest darknet market," he tells ISMG.

"An extraordinary part of this case is the amazing coordination of U.S. law enforcement - FBI, IRS-CI, HSI and the Postal Service - all worked together to stop this conduct and seize the ill-gotten gains."

Echoing Redbord's comments, Karl Steinkamp, director at cybersecurity advisory firm Coalfire, tells ISMG that the forfeiture of the crypto assets is a "key milestone to demonstrate that the agency is able to continue to follow the (digital) money, despite the difficulty posed by criminals' use of obfuscation techniques."

The case also brings up this question from Justin Fier, vice president of tactical risk and response at cybersecurity firm Darktrace: "How were the law enforcement authorities able to unmask the alleged perpetrator's identity after using The Onion Router network for years? Did the perpetrators make a mistake with their operational security?"

Time to Move Offshore?

Marc Grens, founding member of the Cryptocurrency Compliance Cooperative, says that the forfeiture may be the largest in the U.S. in terms of U.S. dollar value, but there have been other larger forfeitures overseas in the past, such as the seizure of the Mt. Gox bitcoin exchange assets.

Grens say a majority of hacks and illicit enterprises are domiciled outside the United States, which makes it difficult for U.S. law enforcement agencies and court systems to have jurisdiction. This case is unique, he tells ISMG, in that "an enterprise has been able to operate on U.S. soil for so long and accumulate such a large honeypot of cryptocurrencies."


About the Author

Rashmi Ramesh

Rashmi Ramesh

Assistant Editor, Global News Desk, ISMG

Ramesh has seven years of experience writing and editing stories on finance, enterprise and consumer technology, and diversity and inclusion. She has previously worked at formerly News Corp-owned TechCircle, business daily The Economic Times and The New Indian Express.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing cuinfosecurity.com, you agree to our use of cookies.