Tracers in the Dark: The Global Hunt for the Crime Lords of Cryptocurrency

by Andy Greenberg

In Alford’s telling, the Baltimore team’s work sounded remarkably messy. There were other rumors about Force, too: that years earlier he’d spent time cooling off in rehab after an undercover narcotics investigation. He’d gotten in too deep, the story went, inhabiting the role of the drug dealer he was playing a bit too fully, maybe losing track of which side he was on. Now a lawyer for Bitstamp was warning them that this same DEA agent was cashing out mysterious six-figure bitcoin stashes? Carl Mark Force IV, Gambaryan could see, was worthy of his full attention.

That lawlessness left a deep mark on Gambaryan—as well as an almost zealous, black-and-white starkness to his ideas of criminality. Even today he says the sense remains with him that there are real elements of corruption and chaos in every society, that the “law of the land” he witnessed in Moscow lies just beneath the surface, everywhere, ready to emerge whenever people have a sense of impunity from consequences. “Americans don’t know how good they have it,” Gambaryan says. “You let it slip, it turns into the chaos that I saw.”

“Participants can be anonymous,” he had read. But if this blockchain truly recorded every transaction in the entire Bitcoin economy, then it sounded like the precise opposite of anonymity: a trail of bread crumbs left behind by every single payment. A forensic accountant’s dream.

Satoshi had, in fact, never spoken to a reporter. It would turn out that emailed response Andresen had received, refusing my request for an interview, would be one of Satoshi’s last known communications with anyone, to this day. Bitcoin’s creator disappeared from the internet less than two weeks after my article appeared, never to return. Their identity remains unknown—one of the greatest mysteries in the history of technology.

I was, by late 2012, obsessed with the Dread Pirate Roberts. Here was someone making millions of dollars in highly illegal narcotics sales—a study by Carnegie Mellon’s Christin earlier that year had estimated that the Silk Road was moving $15 million in narcotics annually—while evading every global law enforcement agency. All of this after the DEA and Justice Department had been explicitly ordered by two U.S. senators to hunt him down and take his market off-line. The fact that he remained free more than a year after Schumer’s press conference seemed to testify to the very real power and impunity granted by encryption tools like Tor and Bitcoin. And DPR was publicly flaunting that impunity in the face of the most powerful government on the planet.

Still, eCash had a unique advantage that made it a fascinating system to work on: The anonymity it offered was truly uncrackable. In fact, eCash was based on a mathematical technique called zero-knowledge proofs, which could establish the validity of a payment without the bank or recipient learning anything else at all about the spender or their money.

With just the 30 addresses she had identified by moving coins into and out of Mt. Gox, for instance, she could now link more than 500,000 addresses to the exchange. And based on just four deposits and seven withdrawals into wallets on the Silk Road, she was able to identify nearly 300,000 of the black market’s addresses.

By early March, he and Møller had figured out another optimization trick to vastly speed up their queries of the blockchain. On one of their pine-forest walks, Møller had realized that labeling every transaction with their own chronological identifiers rather than Bitcoin’s native transaction IDs would reduce the size of the data their software needed to analyze by as much as 90 percent. That meant they could store the database of all the blockchain’s transactions entirely in a PC’s memory, rather than on its hard drive.

Whoever controlled that Number13 account was almost certainly the thief, in other words. And the email Alford had dug up seemed to show that just two days before the heist, Number13 had belonged to Shaun Bridges. No wonder Bridges had been so hostile on their fact-finding call about Force, Gambaryan marveled. The very Secret Service agent whom Bitstamp’s lawyer George Frost had turned to for help with his Carl Force problem had apparently pulled off a massive cryptocurrency theft of his own.

Most surprising of all, two years later, as the San Francisco team investigating Bridges’s theft searched through the Baltimore Task Force’s correspondence, they found no evidence that Bridges and Force had collaborated in their schemes. By all appearances, Frentzen says, the two men didn’t even particularly like each other. Amazingly, each seems to not have been aware of the other’s crimes, like a pair of robbers quietly burglarizing different rooms of the same house without ever crossing paths.

BTC-e’s infrastructure was being hosted by a company not in Bulgaria, Cyprus, the Seychelles, or any of the other far-flung locations its owners had pointed to in their attempt to throw off snoops. They were in Northern Virginia. In fact, the IP addresses led to a data center just six miles away from Gambaryan’s desk at the NCIJTF in Washington, D.C. For a brief moment, Gambaryan wondered if BTC-e might even secretly be a CIA honeypot, then dismissed that theory as too absurd.

The IP address for the account trading in stolen Mt. Gox coins on BTC-e matched one of the few IP addresses on the BTC-e server’s allow list for the administrators’ connections. In other words, the person who had siphoned hundreds of thousands of bitcoins from Mt. Gox into BTC-e wasn’t just any BTC-e user. They were a BTC-e administrator. Specifically, an admin with the username WME.

Even the crowded movie theater trick, it turns out, breaks down when the robber is carrying a large enough sack of loot and the cops are watching every exit.

Pisal had chosen the two women for their role in part because he’d guessed that Cazes’s misogyny would prevent him from imagining they could possibly be undercover agents. As Cazes walked toward them, Nueng and her partner got back in the car and drove it onto the spec house’s driveway, ostensibly to get it out of the way.

But unlike Rabenn, Hemesath, or Sanchez, Bonakdar immediately doubted the story that his client had killed himself, and he told Rabenn as much. Bonakdar had never experienced a client committing suicide, but he’d heard defendants consider it in moments of despair. “I know someone who’s on the edge when I speak to them,” Bonakdar says. “I just never got the sense from Cazes that he felt all was lost, that there was no recovering from this, that he was a dead man.” Over the months that followed, Bonakdar says he asked U.S. prosecutors and the Thai government for video footage of Cazes’s cell at the time of his death. He received neither.

So, one night about three weeks after the AlphaBay takedown, Gambaryan took a carefully timed nap at his desk in the IRS’s D.C. office. He woke before dawn to start coordinating his team. There were Secret Service agents in Greece, the prosecutor Alden Pelker on her couch in her home across the Potomac, and Excygent’s Aaron Bice, who was inside a data center in New Jersey. Since Gambaryan had first tracked down BTC-e’s servers in Virginia, its administrators had moved them to a hosting company a few states north.

When agents searched the car of a Chinese national living near Seattle with a job at Amazon, they found a teddy bear along with a map of playgrounds in the area, despite the man having no children of his own. The man subsequently fled to China and, as far as the prosecutors know, was never located again.

“Every Bitcoin user has access to the public Bitcoin blockchain and can see every Bitcoin address and its respective transfers. Due to this publicity, it is possible to determine the identities of Bitcoin address owners by analyzing the blockchain,” the ruling read. “There is no intrusion into a constitutionally protected area because there is no constitutional privacy interest in the information on the blockchain.”

“You have the names of people who did this. But does that matter?” Gronager asked. “It means that they’re not going on vacation outside of Russia.” When it comes to the global affliction of ransomware, he made clear, privacy coins or any other tool designed to defy tracing methods aren’t the problem. The real problem remains rogue countries like Russia and North Korea—countries whose governments allow their citizens to defy global law enforcement action even when their activities are fully visible on the blockchain.