Chainalysis in Action

Chainalysis in Action: Analyzing a Fentanyl Dealer’s Cryptocurrency Transactions

The United States is in the throes of a serious opioid epidemic, with overdose deaths rising nearly every year since 2007. One of the most significant drivers of the crisis is fentanyl, a synthetic opioid up to 100x more powerful than morphine and highly profitable for dealers. To complicate matters more, many have turned to darknet markets and cryptocurrency to facilitate fentanyl sales.

But tools like Chainalysis help law enforcement investigate fentanyl trafficking by making relevant cryptocurrency transactions traceable. Read on to see our analysis of cryptocurrency transactions conducted by ETIKING, a notorious fentanyl dealer active on the darknet until his arrest last year. You’ll see exactly how law enforcement could use Chainalysis to turn a Bitcoin address like ETIKING’s into tangible leads and start building a compelling case.

First, let’s examine the deadly fentanyl problem

When most people think of the opioid epidemic, they probably think of street drugs like heroin or prescription drugs like Oxycontin. But the data suggests that’s not the whole story. Since 1997, illegal synthetic opioids have driven the greatest number of overdose deaths, with fentanyl causing the most fatalities.

Fentanyl is dangerous because of its extreme potency; a lethal dose can be as low as two milligrams. That potency is also what makes it so appealing to criminals. Drug dealers—mostly overseas—can easily manufacture fentanyl, smuggle it into the U.S., and sell it at a high profit margin because it takes so little product for users to get high. In fact, we estimate that with just $1,000 in up-front costs, drug dealers can make enough fentanyl to turn a profit of $7.8 million, compared to just $4,000 for heroin. For many, the financial incentive is substantial enough to overlook the danger of the drug.

Cryptocurrency facilitates many fentanyl sales on darknet markets like Nightmare Market and Empire Market. While several marketplaces have banned fentanyl due to its extremely dangerous nature, many sellers will still list fentanyl disguised under an alias like “China White.” Some sellers will even add fentanyl to different counterfeit drugs, putting their end users at great risk of overdosing.

The use of cryptocurrency on darknet markets adds a layer of anonymity for both buyers and sellers. However, cryptocurrency transactions also leave a permanent record on the blockchain, which creates an opportunity for law enforcement to investigate the sales. With Chainalysis, analysts can follow funds along the blockchain, view data on cryptocurrency transactions, and ultimately connect those transactions to a real-world entity. We’ll show you how with a quick analysis of cryptocurrency transactions conducted by ETIKING, a fentanyl dealer who was active on AlphaBay until his arrest in 2018.

Tracking ETIKING: What Chainalysis can reveal about darknet fentanyl transactions

In 2017, a Florida woman died after overdosing on a fentanyl analog purchased on AlphaBay from a vendor known as ETIKING. Relying mostly on informants rather than investigation of his cryptocurrency transactions, DEA agents were able to identify ETIKING as Jeremy Achey and make the arrest.

When we heard about this, we decided to analyze ETIKING’s cryptocurrency activity ourselves using Chainalysis Reactor. Our goal was to learn if the tool would be helpful for similar investigations in the future, and we weren’t disappointed. Reactor surfaced a wealth of information and potential leads law enforcement could have pursued to identify ETIKING, starting with nothing more than his Bitcoin address. We’ll show you how below.

ETIKING’s customers paid him for drugs using the Bitcoin address: 16ozAi11YWScC88FL5tDiUbhCLLt1FHeSu

Entering that address into Reactor allows analysts to see connected counterparties and trace funds back to known services, like cryptocurrency exchanges, or to other previously identified bad actors.

The above shows a general breakdown of activity with ETIKING’s address. “Receiving Exposure” shows where funds are flowing in from, while “Sending Exposure” shows where funds are sent.

Looking closely at Receiving Exposure on the left, we see the different types of counterparties sending cryptocurrency to ETIKING. He appears to be receiving a significant amount of Bitcoin from darknet markets, which would fit with the intel previously gathered by law enforcement. On the right, we see that he’s mostly sending Bitcoin to exchanges, as well as a few other types of services like P2P exchanges, merchant services, and more. Presumably, these are the services ETIKING uses to convert Bitcoin into fiat currency. On either the Sending or Receiving Exposure, analysts could click on any of the categories shown to pull up a list of the services ETIKING has transacted with.

For instance, if we go deeper on the darknet markets category under ETIKING’s Receiving Exposure, we see that he’s primarily receiving funds from two darknet markets: AlphaBay and Dream Market. We can illustrate this by adding those markets to our Reactor graph, as seen below.

We could then analyze ETIKING’s Sending Exposure in more detail to learn that he primarily sends Bitcoin to four different exchanges.

Law enforcement would likely want to dig deeper on ETIKING’s receiving addresses at these exchanges, and we’ll get into exactly how they could follow up later. But first, let’s see what other leads could be uncovered using Reactor.

We can find one interesting tidbit by looking more closely at an unusual transaction in ETIKING’s sending exposure. Between 2015 and 2016, we see that he sent 0.71 Bitcoin to Energy Control International, a Barcelona-based drug potency testing lab.

These transactions suggest that ETIKING sought the lab’s help in testing his drugs’ quality, and may be another lead for law enforcement to follow up on.

Finally, by backtracking ETIKING’s deposits, we can identify another cluster of addresses making deposits to the same addresses at three of the exchanges ETIKING favors (the green arrows), and receiving funds from the same darknet markets (the blue arrows). This new cluster of addresses is also likely to be controlled by ETIKING.

Putting it all together, we have an extensive graph that shines a huge light on ETIKING’s operation.

What might law enforcement do with this information? We alluded to it earlier, but one course of action could be to follow up with the exchanges to which ETIKING deposits his Bitcoin — they’re the real goldmine here. Agents could subpoena those exchanges and get more information associated with his accounts. From there, they could figure out that ETIKING is Jeremy Achey, make the arrest, and start building their case, supported by the transaction patterns revealed by Reactor.

Blockchain analysis moves the needle on drug investigations

As the opioid crisis continues to claim lives, darknet markets represent a new, seemingly anonymous sales channel for drug dealers. But as the ETIKING case shows, that anonymity exists only at the surface if law enforcement has the right investigation tools. Tools like Chainalysis give law enforcement deep insight into illegal activity starting with nothing more than a Bitcoin address, allowing them to monitor transactions, identify criminals, and build a case juries can understand. If you’d like to learn more about how Chainalysis Reactor can enhance your department’s investigations, you can read up and book a demo here.