Having investigated many crypto incidents, we have encountered both popular and unique cases of cryptoasset theft. That's why we know what to look out for.
Detailed interviews help us gather the right data and leads for subsequent OSINT and blockchain analysis.
The information collected about the victim's interactions with the intruders is carefully parsed by the analysts. All valuable information (blockchain addresses, nicknames, websites, contacts, etc.) is extracted from the content of their correspondence and enriched with data from public sources.
All of this can give analysts leads and connections, even if the communication channels found are no longer in use. Sometimes, just these actions are enough to identify the intruder.
No matter how many transit addresses and transactions the intruder uses, we can analyze them all. A prime example is our investigation in which the intruder created over 113,000 crypto addresses to hide his tracks. At that scale, manual analysis with blockchain browsers (block explorers) was impossible.
We use our own software, "EYE", which tracks the flow of funds between addresses and the transfer of assets through DEXs to other blockchain networks, and automatically searches hundreds of different databases for new valuable information. The result is an answer to the questions of where the funds have settled, whether they were withdrawn through exchanges with KYC, and whether mixers were used to obfuscate the trail.
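The core of the tracing described above is a graph walk from the victim's address over the transfer edges, stopping where funds reach a labelled endpoint (an exchange with KYC) and noting any labelled mixer on the way. The following is an added illustration of that idea, not code from EYE or from the authors; the addresses, amounts and the label table are constructed sample data, and a real run would feed in transfers pulled from an explorer API and labels from attribution databases.

```python
from collections import deque

# Constructed sample transfers (sender, receiver, amount). These are
# placeholder addresses, not real on-chain data.
TRANSFERS = [
    ("0xVICTIM", "0xT1", 100.0),
    ("0xT1", "0xT2", 60.0),
    ("0xT1", "0xT3", 40.0),
    ("0xT2", "0xEXCHANGE_A", 60.0),
    ("0xT3", "0xMIXER_X", 40.0),
    ("0xMIXER_X", "0xT4", 39.0),
    ("0xT4", "0xEXCHANGE_B", 39.0),
    ("0xUNRELATED", "0xT2", 5.0),   # not tainted: must not be attributed
]

# Constructed stand-in for an address attribution database.
LABELS = {
    "0xEXCHANGE_A": "exchange (KYC)",
    "0xEXCHANGE_B": "exchange (KYC)",
    "0xMIXER_X": "mixer",
}


def build_graph(transfers):
    """Adjacency list: sender -> list of (receiver, amount)."""
    graph = {}
    for sender, receiver, amount in transfers:
        graph.setdefault(sender, []).append((receiver, amount))
    return graph


def trace_funds(start, transfers, labels, max_hops=50):
    """Breadth-first walk of outgoing transfers from `start`.

    Only edges leaving an already-tainted address are followed, so
    unrelated inflows into a transit address are not attributed to the
    victim. Walking stops at exchange endpoints (funds have "settled"),
    and `max_hops` bounds the walk so an intruder cycling through tens
    of thousands of addresses cannot make the trace run unbounded.
    """
    graph = build_graph(transfers)
    queue = deque([(start, 0)])
    visited = {start}
    inflow = {}          # address -> amount received over tainted edges
    settled = {}         # exchange address -> amount that reached it
    mixers = set()
    deepest = 0

    while queue:
        addr, depth = queue.popleft()
        deepest = max(deepest, depth)
        label = labels.get(addr, "")
        if label == "mixer":
            mixers.add(addr)
        if label.startswith("exchange"):
            settled[addr] = inflow.get(addr, 0.0)
            continue                      # stop following past an exchange
        if depth >= max_hops:
            continue
        for nxt, amount in graph.get(addr, []):
            inflow[nxt] = inflow.get(nxt, 0.0) + amount
            if nxt not in visited:
                visited.add(nxt)
                queue.append((nxt, depth + 1))

    transit = visited - {start} - set(settled) - mixers
    return {
        "settled_at": settled,
        "mixers_used": sorted(mixers),
        "transit_addresses": sorted(transit),
        "max_hops": deepest,
    }


if __name__ == "__main__":
    report = trace_funds("0xVICTIM", TRANSFERS, LABELS)
    for key, value in report.items():
        print(f"{key}: {value}")
```

The report answers the three questions from the paragraph: `settled_at` names the KYC exchanges and how much reached each (the basis for a request to the exchange), `mixers_used` flags obfuscation, and `transit_addresses` lists the intermediate hops. The unrelated 5.0 deposit into `0xT2` is deliberately excluded, which is the difference between taint tracing and simply listing every counterparty of an address.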
At the end of the job, you get a detailed report with as much data on the incident as possible.
For law enforcement agencies, this report will be the basis for initiating proceedings, as well as simplify and speed up the process.
The security services do not have enough dedicated specialists to respond properly to every incident, and our report simplifies their work. All that remains is to send the appropriate requests to exchanges, domain name registrars, and the sites advertising the phishing pages, or to proceed immediately to investigative actions against the identified intruder.
As a result of the interview, we found out that a couple of months earlier the user had bought a new device and installed the MetaMask wallet on it. Our initial hunch that the user had been exposed to a phishing site was confirmed. After collecting all available information, we started our investigation.
Investigated address: 0xbfe... on the Fantom (FTM) network. The funds were stolen on the Fantom network, so we go to the Fantom explorer (blockchain browser) and look up the transactions of that address.
Depending on the circumstances of the case, we recommend contacting law enforcement agencies in one of several jurisdictions: that of the victim, that of the exchanges to which the funds were withdrawn, that of the intruder (if his alleged location became known during our investigation), or a jurisdiction with better-regulated law. Each of the options has its own characteristics.