Episode 66 of the Public Key podcast is here! Privacy pools, protocols and coins are once again a hot topic so we sat down with blockchain investigations expert, Rick Harmsen, Cryptocurrency and Blockchain Specialist & Trainer at DataExpert, to discuss how to balance privacy, anonymity and compliance while conducting blockchain investigations.
You can listen or subscribe now on Spotify, Apple, or Audible. Keep reading for a full preview of episode 66.
Public Key Episode 66: Privacy is not anonymity: how blockchain investigations balance both
One of the biggest challenges in overseeing the evolving blockchain space is balancing privacy with blockchain investigations.
In this episode, Ian Andrews sits down with blockchain investigations specialist and trainer, Rick Harmsen, Cryptocurrency and Blockchain Specialist & Trainer at DataExpert, to discuss the challenges faced by law enforcement in combating crypto cybercrime. He details the recent trends that law enforcement have seen recently in investigative activity, including Pig Butchering, Chain-hopping and other obfuscation methods.
Rick touches on the importance of privacy in the crypto space and the development of decentralized finance (DeFi) platforms, decentralized mixers and the emergence of Privacy Pools.
The discussion highlighted the importance of education and training in the crypto and blockchain industry and Rick explains why he doesn’t think the Metaverse is dead and how future generations will prioritize web3 ecosystems.
Quote of the episode
“But we do see a big shift in how criminals are operating right now. So, in terms of obfuscating the path of where the transactions are going to, we see a lot of chain-hopping, a lot of swaps between different kinds of [crypto]currencies.” – Rick Harmsen (Cryptocurrency and Blockchain Specialist & Trainer, DataExpert)
Minute-by-minute episode breakdown
- (2:45) – Rick’s career transition from law enforcement to cryptocurrency and blockchain investigations specialist and trainer at Data Experts
- (6:35) – Is Law Enforcement trained to fight sophisticated crypto and cyber attacks and nation state sponsored hackers?
- (9:45) – Why are more and more compliance professionals obtaining crypto compliance and blockchain investigations training?
- (10::37) – The biggest trends in crypto and DeFi criminal activity from pig butchering to chain-hopping
- (16:54) – How do we secure privacy on the blockchain without facilitating criminal activity and complying to regulatory requirements?
- (23:02) – Digital Experience Nordic Conference and the growing trends discussed by cyber investigators and counter-fraud organizations
- (26:50) – Why Rick thinks the Metaverse isn’t dead and will be at the forefront of web3 technology and gaming in the coming years
Related resources
Check out more resources provided by Chainalysis that perfectly complement this episode of the Public Key.
- Website: DataExpert: Digital Investigation & Cyber Security Solutions
- Training: DataExpert Academy – Analytics | Cryptocurrency | Cybercrime | OSINT | Digital Forensics | Cyber Security | FEC
- Event: Digital Experience Nordic – Stockholm Sweden
- Report: The Chainalysis Guide to On-Chain User Segmentation for Crypto Exchanges
- Blog: How Did Crypto Markets React to Judge’s Ruling that Ripple Exchange Sales Did Not Violate Securities Law?
- Blog: Understanding Tornado Cash, Its Sanctions Implications, and Key Compliance Questions
- YouTube: Chainalysis YouTube page
- Twitter: Chainalysis Twitter: BuildCareers at Chainalysising trust in blockchain
- Tik Tok: Building trust in #blockchains among people, businesses, and governments.
- Telegram: Chainalysis on Telegram
Speakers on today’s episode
- Ian Andrews * Host * (Chief Marketing Officer, Chainalysis)
- Rick Harmsen (Cryptocurrency and Blockchain Specialist & Trainer, DataExpert)
This website may contain links to third-party sites that are not under the control of Chainalysis, Inc. or its affiliates (collectively “Chainalysis”). Access to such information does not imply association with, endorsement of, approval of, or recommendation by Chainalysis of the site or its operators, and Chainalysis is not responsible for the products, services, or other content hosted therein.
Our podcasts are for informational purposes only, and are not intended to provide legal, tax, financial, or investment advice. Listeners should consult their own advisors before making these types of decisions. Chainalysis has no responsibility or liability for any decision made or any other acts or omissions in connection with your use of this material.
Chainalysis does not guarantee or warrant the accuracy, completeness, timeliness, suitability or validity of the information in any particular podcast and will not be responsible for any claim attributable to errors, omissions, or other inaccuracies of any part of such material.
Unless stated otherwise, reference to any specific product or entity does not constitute an endorsement or recommendation by Chainalysis. The views expressed by guests are their own and their appearance on the program does not imply an endorsement of them or any entity they represent. Views and opinions expressed by Chainalysis employees are those of the employees and do not necessarily reflect the views of the company.
Transcript
Ian:
Yeah, I traveled with it actually. This is my setup from home actually, I guess.
Rick:
Oh, nice.
Ian:
I flew over with it. All right. Hey everybody, we are live from Amsterdam with another episode of Public Key. This is your host, Ian Andrews. I’m joined by Rick Harmson, who is a cryptocurrency and blockchain specialist with a partner of ours Data Expert. Rick, welcome to the podcast.
Rick:
Thank you. Great to be here.
Ian:
I think you have maybe one of the best titles that we’ve had on the podcast, cryptocurrency and blockchain specialist. Unpack that for us a little bit. What do you actually do at Data Expert?
Rick:
Yeah, so it is a broad title, right? It’s a very broad title, but the area I work in is also within different fields of expertise. So I work for Data Expert as a crypto and blockchain specialist, and most of my job is director to compliancy investigations as well as training people, training teams basically, but also doing investigations myself with a lot of experts within Data Experts itself also.
Ian:
Oh boy. We’re going to get into the investigations a little bit as we get into the podcast. I’m curious, how do you get to this role? When did you first get into cryptocurrency? How did you build the expertise to actually then go and train other people?
Rick:
So I think with most people you stumble upon crypto on a certain time and I think the earliest I heard about crypto was somewhere around 2014, 2015 and a-
Ian:
Early.
Rick:
Yeah, it was very early, but still kind of new to me back then. I like tech, I like everything with cybersecurity and so it appealed to me, but I heard about it, I looked into it, fooled around with it a little bit, and I really think it was around 2016, early 2017 where we really dived into it so a lot deeper and that’s basically how it all started. Very basic stuff in the beginning, centralized exchange and stuff, which are interesting to dive into it in the beginning, but later on of course you want to learn more and more and more and just dive into the whole Defi side and all the other stuff.
Ian:
And how do you go from maybe personally investing or exploring these platforms, figuring out how they work to being an investigator? What was that transition like?
Rick:
Yeah, so my job back then was law enforcement amongst others working in the cyber crime team, so doing a lot of investigations and that kind of appeals to also the tech side, not only the personal interest that you got in crypto and I’m all blockchain, I love it. But of course you also get cases that involve cryptocurrency and the basic stuff like scams and things we see right now with investment scams or roaming scams and all those kinds of subjects. So eventually it helps that you are already interested within blockchain and we think cryptocurrencies and then certainly you also got certain kind of cases popping up and you really are thinking like, “All right, how can I follow the money? How can we see what really happened on the victim’s side and what might the suspect be doing?” So that’s really how I really dived into the whole blockchain sector I made in my day-to-day job right now.
Ian:
Yeah. That’s amazing. And so talk to us a little bit about Data Experts business because I think you’re working with a quite wide range of clients and not just on blockchain it’s broader than that, it’s broadly cybersecurity, if I understand correctly.
Rick:
So Data Expert is a knowledge and technology company. If you just take it in a broad picture. So we are active in quite a lot of different fields all related to cyber, so cyber security, but also in preventing or investigating cyber crime. So we offer products to clients and you can think about investigative software for mobile forensics, all kind of different forensic specialties basically, but also products for analytics like analysis for example. But next to the products that we are offering, we also try to specialize itself within training those because there’s a lot of product training in the markets, which is great, which we also offer, which we’ve also got a very dedicated team, which different kind of specialists who are also focused upon delivering training to those products or a combination of products within the field that investigators might be working in. So we’ve got a lot of different employees, which are colleagues which are working, have worked within law enforcement and are now working for us. So we can really specialize in different topics.
Ian:
I think this is one of the most important things going right now, which is the criminals have a bit of an advantage over law enforcement many places because the criminals seem to understand crypto better than law enforcement. But it feels like in the last year or so, that balance of power is starting to shift a little bit. I think in part due to your company doing all that training. What’s your perspective on where this is? How much further do we have to go to have broadly law enforcement capable of fighting cyber criminals who are using cryptocurrency?
Rick:
I do think we still got a long way to go because the whole crypto and blockchain sector is of course very, very wide within different kind of expertises also. We’ve got a lot of serious knowledge proof things going on right now when we got the Defi side going on and then suddenly different kind of scams are popping up everywhere. I think it’s quite normal because as a criminal, when you are starting a scam or if it’s a roaming scam or an investment scam, you are building it up right and you might be rolling into it a little bit slowly in the beginning and just building it out and then suddenly you’ve got all these reports coming in. So I think you’re always behind for a certain bit within the skill set that you can build as an investigator. But I do think we are coming a long way right now.
This is what we are focusing on, delivering that skill set as a training so that you are ahead of the curve instead of behind of it. They’re doing a lot of investigations for it right now, but also on the Defi side and on the roaming scams and it’s really come together right now. You need to learn how to follow the money with analytic tooling but also need to understand how it works on a personal side. How do you use MetaMask for example? How can you get scanned with MetaMask for example? That’s all those things that you need to learn. So it’s a big skill set to build, but from there on you can basically get all these different kind of cases related to the tech only.
Ian:
Are the groups that you’re training, are they starting as the technology experts? Is it people who are already specializing in cyber who then say, I want to add cryptocurrency or is it people coming from other disciplines as well in the law enforcement side?
Rick:
So it kind of differs. So from law enforcement, because we are trained public and private sector, and I think if you take it as a whole, which is in general the way how people are rolling into the trainings, I think about three years ago you really saw technology experts rolling in and wanted to follow training. They were already into the tech, they already loved computer forensic and maybe they were even ethical hackers or something like that. So they already had a certain kind of skill set and they basically want to build on from there. But right now you also see, and I think that basically also has to do with it’s more publicly known right now, blockchain technology and cryptocurrencies. So you also see people who are interested in it just want to build it from the ground level up. So they really want to know, “All right, I know what blockchain is on the broad spectrum. I know what crypto is, but how does it really work? How do these blocks work? How does hashing work? How does this whole computation of power work and then how does cryptocurrency fit into it?” And then build on from there to basically try and do some analytics following money or discovering when people are communicating of blockchain technology or whatever.
Ian:
On the private sector side, is that work primarily with compliance professionals or financial crimes professionals in banking and crypto businesses or are there other groups you’re working with there?
Rick:
So of course they are the ones following training but also from a lot of other different private sector sites, companies or just individuals on its own. I think you can already see a lot of people who are trying to specialize themselves into blockchain and into crypto to basically do maybe a shift in the work that they’re doing right now. They are seeing potential in this technology and it’s an interesting field to work in. There’s not one day that’s the same as the previous one. So that’s kind of nice to see you really get a very broad group of an audience basically who wants to follow this training of different kind of trainings as well as just knowledge or just immediately hopping into doing the analytic side of it.
Ian:
Yeah. All right. I’m curious maybe some of the trends that you’re seeing on the investigative side. So in 2021 we kind of named the year, the year of ransomware and maybe that’s a little bit of an American centric view, but it really seemed to spike in terms of the volume of payments. It was the largest that we had recorded ever in terms of on chain ransomware payments that subsided a little bit in 2022 and we really saw financial scams, some of the pig butchering romance scams accelerated. What’s been your view? What have you seen over the last couple years and what seems to be the hottest area that’s driving the investigative activity?
Rick:
So what I see, I agree with ransomware side, it was big and it was trending and a lot of what’s happening and there were quite a lot of exploits also, but right now big butchering romance scams for a certain amount also was still investment scams, even though it’s gone down quite a lot because of the bigger market. But that’s what we’re seeing also right now. But we do see a big shift in how criminals are operating right now. So in terms of skating the path of where the transactions are going to interesting, we see a lot of chain hopping, a lot of swaps between different kind of currencies. So that’s quite interesting to see this really a trend that is popping up. So basically where we had normal Ethereum flows, normal Bitcoin flows from basically one starting point to another to another endpoint and it was quite easy to follow. Basically analytics you could follow is quite nicely, quite easily of course with some challenges here and there, but right now just chain hopping and doing all kinds of different swaps constantly, which isn’t impossible to follow, but you see that they are trying to obfuscate-
Ian:
The sophistication of the movement of funds and the attempt to launder them has gone way up.
Rick:
Which is normal. Defi has been around for quite a while right now. And also with bridging and chain upping.
Ian:
Yes. I mean this drove us to build the storyline product, right? Because we were recognizing that there was an acceleration of how people were attempting to cover their tracks. And it was particularly taking advantage of this kind of cross chain, cross asset behavior as one tactic move from Ethereum to Tron or Tron to BSC or back to Ethereum or into Bitcoin swapping from ETH to wrapped ETH to native Bitcoin. That type of activity I think would be complex to a novice investigator. Obviously doesn’t slow you down, but for some folks it would be quite challenging to trace some of that activity, right?
Rick:
Especially if you just started within crypto analytics. And I agree with storyline and that’s a nice thing to see. All these kind of shifts within investigations are also thriving for basically new technologies for analytical software to pop up. And you need that. You want to stay ahead of the curve and follow this money just hopping from chain to chain or between token to token. And that’s where you really need software to be able to trace it.
Ian:
Well, one of the things we’ve noticed over the last year is it seems like an accelerating focus on Defi platforms. And this may be just shifting attention to software targets. It’s like most of the big exchanges have matured in terms of security policy and process and procedure. Some of these Defi platforms are quite new, code is kind of untested in the wild, but they have lots of assets. So high value target, potentially lower barrier to compromise for some of them. What are you seeing in the world of Defi and do you foresee a change in that trend over time? Are the Defi platforms getting more secure?
Rick:
I don’t think that you can see that Defi is at least focusing a lot upon security and also compliance I think. There’s a lot of questions right now, especially with new regulation popping up. Is it really still easy enough to build a Defi platform and run it without too much regulation trying to get involved within it? And those are questions from both sides as well. From the Defi perspective as well, from the regulated perspective, how are you going to act upon these new… Not new technologies, but new in terms of adoption? So there’s a big shift, but I don’t think it will stop Defi. I think Defi in my opinion, is great. It gives a lot of opportunity for a lot of people to build new stuff, to test new certain kind of products. Basically financial services in a whole new different kind of spectrum.
And I think you can still see it right now. Yeah, Defi platforms are popping up on all kinds of different chains, arbitrary life and all these techs are popping up so it won’t stop it, but I think people are thinking more about how can we comply to the current landscape that we are in right now? And I’ve seen that with talks also. I’ve met some people within Defi also, and you can see that they are focusing upon what is our exposure and that’s interesting, what is our exposure right now, which people are buying, which kind of wallets are involved and stuff like that. That’s very interesting to see that they are focusing upon it. And there’s a lot of open source software that you can use. There’s a lot of analytical tooling that can be used for this. So I’m curious how they are going to adopt this. You got the anonymous side and people who want to be a little bit more on the foreground.
Ian:
I’m curious your take on a related topic. You mentioned Tornado Cash earlier. With the sanctioning of Tornado Cash, the arrest of one of the developers, it hasn’t stopped the platform. And the interesting thing from our analysis is prior to the sanctions, Tornado Cash had a mix of funds falling through it. Some that were clearly illicit, quite a lot of stolen funds that appeared to be stolen by the North Koreans and part of their laundering was using Tornado Cash that probably led to the sanctions, but there was also a lot of activity that appeared to be innocent. People who just legitimately were seeking privacy, didn’t want the world to… Because their wallet is well known to know that they were moving funds in a particular way.
So now that the sanctions have been put in place, all of that legitimate activity is gone, but the criminal activity levels are actually roughly the same as they were to the sanctions. So I think there’s a point of view in the industry that privacy is a necessary feature. And so we’re seeing people spawn new versions. There’s something called privacy pools, there’s a lot of activity around ZK or zero knowledge proofs coming into play. What’s your take on this area? Do you think they should exist? Is there a place for them in the ecosystem? And is there a way to do it that’s sort of safe and compliant? So we get privacy without facilitating criminal activity.
Rick:
And internet cash really opened up the topics upon privacy versus can you comply to regulation with these kind of different kind of privacy pools basically where you are based upon serial knowledge, proof or anything else. And privacy is normal. People want privacy. It is impossible to think that people do not like privacy. And I always try to compare it with Ethereum for example, if you’ve got an Ethereum account and it’s known to someone, then people can see what your funds are and you might spread it around between different kind of wallets. But if shifts some Ethereum to one of these wallets, you can still try and relate certain kind of addresses together like these are belonging to one person, for example. So in a certain way it’s quite easy to see the balance. And right now in the current scene, there are a lot of people working DOWs for example, and they’re getting paid from the DOW because they have some nice activity in there. So people were focused on how can I get my funds somewhere where I can’t be followed by let’s say everyone with Zoom working in DOW.
Ian:
Yeah.
Rick:
And that’s where activity from Tornado Cash for example, came from, right? People working in DOWs for example, they put it to Tornado Cash and not everybody is well known within what reflex might be if you try to cash it out on exchange for example, and they just did it and they were like, “All right, at least I can’t be followed by just everyone right now.” You wouldn’t want to reach your bank account, you don’t want the API on your bank account just following what your balance is all the time. And that’s exactly the same basically within Ethereum like this.
Ian:
The way I put it to people who aren’t in the space is if you’re in a queue at a store and you go up to pay, you tap your credit card on the merchant’s terminal, the merchant knows something about you, right? They’ve collected your card because you’ve bought a product from them, you’ve paid them, the payment network Visa or MasterCard, they have your information, they’re running fraud checks to make sure that the transaction doesn’t appear to be maybe a stolen card. You’re actually the person who’s supposed to be able to spend money on it. And your issuing bank for the card also does something similar. So there’s kind of four parties that are involved in the transaction and obviously the payment processor, the bank sees all your transactions. The merchant only sees the one that you’re participating in, but no one in the line behind you gets to see all your transactions. They don’t know anything about your bank account balance or how much credit you’ve spent on your card. All of that is private and it’s maintained for you, but it’s not anonymous. There’s very little in this world that I can imagine that is truly anonymous. And so it seems like we’re struggling to find the right line to draw in the world of cryptocurrency where we enable privacy for most people, but we still enable law enforcement to stop really bad criminals doing terrible things.
Rick:
And it’s a fine line with things like Tornado Cash. It isn’t impossible to trace through if people are compliant within the information that they’re giving if there are any questions, for example, you want to cash out of the broker or the funds are going into an exchange. So it’s not like it’s impossible. And with a lot of cases, we’ve seen it through time where it was possible to follow funds through Tornado Cash even when you didn’t even know any other kinds of information just by looking at certain kind of behavior. it really brought up the whole topic, especially what you use as analogy. You don’t want a big sign above your head, “All right now, yes, this left in his bank account.” So that’s why these private pools are existing. And our regulation of course is looking at the effect, all right, should you allow this kind of behavior for… Should you allow funds coming from this kind of pools flowing into other centralized bodies, for example? And the topic is quite interesting because you already see a lot of different protocols like privacy pools-
Ian:
As tech is gaining some popularity right now.
Rick:
And let’s say stealth addresses that was immediately brought forward by Vitalik and a lot of different product were even certain kind of privacy future exist right now where you can just transact a certain kind of token without even having to use Ethereum on the Ethereum blockchain itself as guest fee in your wallet immediately present. So the whole network just arranges this from one token on its own. And so you see a lot of different, more difficult privacy futures popping up now. So it really brought up a lot of new technical capabilities where a lot of the developers are focusing upon, but also a lot of topics for the regulation side. And I’m interested in how it’s in outward, but you can’t stop Defi. It’ll happen anyways, in my opinion, at least. If people want to develop it will be developed. So you can’t really rule it out as the whole sector of Defi, all right, only compliant with this and that and so on, because people can develop whatever they want.
Ian:
And I think the perspective of the industry, even prior to cryptocurrency, open source software development, it’s like yes, anyone can write anything and make it available on the internet and there’s not liability to the developer, it’s the person using it. If you’re using it for good or using it for bad, well that’s the user’s responsibility, not necessarily the original creator. And I think it’ll be a very interesting kind of legal precedent to original developers bear meaningful responsibility for their creations. I don’t know if you have a perspective on that.
Rick:
So within these kind of cases, people always talk about what’s the intent when you’re developing this kind of code and when you’re putting it open source and people can just also use this code for their own purposes again and try to build further on it. And it’s hard. I think it might be a problem for certain kind of developers, all right, I’m not going to try to write this right now because it might have some backfire effect on me later on. And some people are like, “Well, I’m all about privacy, I’m all about open software and I’m just going to write it right now and I’ll put it online and I’ll see what happens.” And I think that that’s really the core of blockchain and crypto on its own. Some people really want to drive for technology and some people right now might be a little bit more hesitant because they also just want to participate in a normal day-to-day job that are maybe working in right now and I don’t want to get ruled out because they went to jail for six months or writing a certain kind of code that… Or just without the knowing are going to be used within a criminal access somewhere.
So it’s a difficult subject to think about if you are developing real open source technology right now that you just put online for everybody to use.
Ian:
Different topic. So we’re obviously a chain analysis annual conference here for our European customers, but you just had your company’s annual conference in Stockholm, right? Tell us a little bit about that. What were the themes of the conference? What did folks talk about?
Rick:
So the themes on our conference are very, very wide. We have we got cyber, we got crypto of course, which is amazing old track on crypto also. And we’ve got all kind of vendors who are present over there and within crypto I think we see a lot of basically what we are talking about right now. I think that is why we are talking about it. It is all these different kind of new technologies popping up in blockchain technology. So a lot about zero knowledge, Defi and the biggest focus is upon basically how can we look at these transactions, still follow them, still be compliant for example, from all kinds of different perspectives, which is good because that is essentially what will form the whole debate on or what should be allowed, what shouldn’t be allowed or how can we just comply even if it’s totally decentralized. And that’s very interesting to talk about. And of course we are talking about certain cases that have happened and so on to really understand how certain technologies work and it’s nice to see that crypto, even with and all kind of topics are really intertwined right now. So everybody wants to learn or use blockchain technology to that advantage. So I think we’ll see a lot of new adoption happening in the coming time, in the coming years.
Ian:
That’s exciting. Last question before I let you get back to the conference. What are you excited about when you look to the coming year? What’s an area you’re either planning to invest some time learning about or a thing that you think we’re all going to be talking about by the end of the year?
Rick:
I think we’re not done with Metaverses yet.
Ian:
Oh, interesting. That’s it. I would not have expected that prediction. Okay.
Rick:
For me, that’s just very interesting. I love the whole concept of it. I think if you look at the current sector right now with what kids and so on are playing around 14, 15, 16 years, it’s already a close metaphor what they’re using, whether they’re playing all these games and they’re growing older, so they will dive into this kind of new technologies and see how can we use that for basically what we are doing right now. Would maybe even to really own a certain piece of item and to be able to transit it for money. And we see it with different kind of companies already where skins are being sold and so on.
Ian:
My 11-year old is a huge Fortnite player for his birthday. He got a ton of V bucks and to buy skins. Those were the most popular present he got.
Rick:
Yeah. I could relate to that with our little one. And they just love it, right? And all of that. They grow and they already heard about blockchain technology and cryptocurrencies. So with things like Sandbox and the central land and all these kind of Metaverses popping up. Yeah we entered the bigger market and people are a little bit hesitant and now AI is totally trending and well at the moment it’s meme coins, right? So that’s also trending. But it’s a very good technology, I think. How you incorporate blockchain technology in crypto and in game environments. So I don’t think we’re done with it. I’m looking forward to train people in those kind of areas because it’s still all related also with transactions and when things are being sold or passed over. So there’s a lot of ground to gain in there.
Ian:
I love it. I would not have guessed you were going to say Metaverses at all. That’s a great place to end. Rick, thanks so much for being on the podcast.
Rick:
Thanks.