They were under the impression that their payments were untraceable. They were completely incorrect. The secret narrative behind the lawsuit that shattered Bitcoin's anonymity myth.
Chris Janczewski stood alone inside the threshold of a home he had not been allowed to enter early one fall morning in 2017, in a middle-class suburb on the outskirts of Atlanta.
Armed Homeland Security Investigations officers in bulletproof vests had gathered around the clean two-story brick house moments before, hammered on the front door, and poured inside when a member of the family living there opened it. Janczewski, a criminal investigator for the Internal Revenue Service, trailed silently behind. He was now standing in the entranceway, in the midst of a flurry of activity, watching the agents examine the premises and take electronic equipment.
They divided the family, putting the father, an assistant principle at the local high school who was the subject of their inquiry, in one room, his wife in another, and the two children in a third. In an attempt to distract the youngsters from the invasion of their home and the interrogation of their parents, an agent turned on a television and turned on Mickey Mouse Clubhouse.
Janczewski was merely there as an observer, a guest brought in from Washington, DC, to keep an eye on and assist the local Homeland Security team while it carried out its warrant. But it was Janczewski's inquiry that led the agents here, to this ordinary-looking house with a well-kept yard among all the ordinary-looking residences they might have found anyplace in the United States. He'd brought them there on the basis of some bizarre, fledgling proof. Janczewski had tracked the Bitcoin blockchain's linkages, dragging on the chain until it connected this ordinary home to an incredibly horrible location on the internet—and then to hundreds more guys all across the world. They're all part of the same vast network of horrible cruelty. All of these people are now on Janczewski's hit list.
Over the previous few years, Janczewski, his partner Tigran Gambaryan, and a small group of investigators from a growing list of three-letter American agencies had used this newfound technique to crack one criminal case after another on an unprecedented, epic scale, tracing a cryptocurrency that had previously seemed untraceable. But such approaches had never led them to a case like this one, where the destiny of so many individuals, both victims and perpetrators, seemed to hang in the balance. Janczewski's stakes were real for the first time during that morning's hunt in a suburb near Atlanta. It was "a proof of concept," as he subsequently phrased it.
Janczewski could hear the Homeland Security officials speaking to the father from his front porch, and the father answered in a broken, resigned tone. He overheard the agents interviewing the man's wife in another room, and she replied that she had seen specific photographs on her husband's computer, but that he had downloaded them by accident while pirating music. And he could hear two grade-school-aged children—kids approximately Janczewski's age—watching TV in the third room. They requested a snack, totally unaware of the catastrophe that was developing for their family.
Janczewski recalls the severity of the situation sinking in: he was a high school principal, a spouse, and a father of two children. Whether he was guilty or not, the charges leveled against him by these group of law enforcement agents—their sheer presence in his home—would almost surely wreck his life.
Janczewski considered the research process that had led them here as a digital divining rod, uncovering a secret layer of criminal links under the surface. For the umpteenth time, he hoped it hadn't led him wrong.
A UK-born South African IT entrepreneur called Jonathan Levin had stepped into the plain brick offices of the UK's National Crime Agency—counterpart Britain's to the FBI—on the south bank of the Thames a few months earlier on a summer's day in London. A pleasant representative brought him to the second level of the building and into the office kitchen, where he was offered a cup of tea. Levin agreed to leave the tea bag in, as he normally did while visiting the NCA.
The two guys sat at the agent's desk amid a cluster of cubicles, drinks in hand. Levin was on his way to a regular client visit to see how the agent and his coworkers were utilizing the software that he'd cofounded. Chainalysis was the world's first software startup to focus completely on a task that seemed like an oxymoron only a few years ago: tracking bitcoin. Hundreds of law enforcement organizations across the world had learnt to utilize Chainalysis' software to transform the digital underworld's favored mode of trade into its Achilles' heel.
When Bitcoin originally launched in 2008, one of its main promises was that it would only tell which currencies were stored at which Bitcoin addresses—long, unique sequences of letters and numbers—without revealing any information about the owners of those coins. Many early adopters were under the impression that Bitcoin could be the fully anonymous internet cash that libertarian cypherpunks and crypto-anarchists had been waiting for: a new financial netherworld where digital briefcases full of unmarked bills could change hands across the globe in an instant.
In an early email outlining Bitcoin, Satoshi Nakamoto, the mystery creator of the cryptocurrency, even said that "participants can remain anonymous." Thousands of users on dark-web illegal markets such as Silk Road had adopted Bitcoin as their primary payment method. But the paradoxical fact about Bitcoin, on which Chainalysis had built its company, was this: Every Bitcoin payment is recorded in the blockchain, which is a permanent, immutable, and completely public record of every transaction in the Bitcoin network. The blockchain prevents currency from being counterfeit or spent multiple times. But it does it by making every transaction visible to everyone in the Bitcoin ecosystem. Every illicit payment is, in some ways, a visible smoking gun.
Academic security researchers—and subsequently organizations like Chainalysis—began ripping massive holes in the masks between Bitcoin users' addresses and their real-world identities within a few years of Bitcoin's inception. They could track bitcoins as they went from address to address on the blockchain until they found one that was linked to a recognized person. An investigator might learn someone's Bitcoin addresses by trading with them, similar to how an undercover narcotics agent would conduct a buy-and-bust operation. In other circumstances, they might track a target's coins to an account at a cryptocurrency exchange where users had to authenticate their identities due to banking rules. A brief subpoena to the exchange from one of Chainalysis' law enforcement customers was all it took to dispel any illusions about Bitcoin's privacy.
Chainalysis had coupled these approaches for de-anonymizing Bitcoin users with methods that allowed it to "cluster" addresses, revealing that a single individual or group may own hundreds to millions of addresses. When coins from two or more addresses were spent in a single transaction, for example, Chainalysis discovered that whomever produced the "multi-input" transaction had control of both spender addresses, allowing Chainalysis to group them together as a single identity. In other circumstances, Chainalysis and its users might follow a "peel chain," which is similar to tracing a single wad of cash as it is repeatedly taken out, peeled off a few dollars, and reinserted into a new pocket. Bitcoins would be transferred out of one address when a fraction was paid to a recipient, and the remaining returned to the spender at a "change" address in those peel chains. Separating those change addresses may allow a detective to track a quantity of money as it moved from one address to the next, tracing its route through the Bitcoin blockchain's noise.
Bitcoin has turned out to be the polar opposite of untraceable thanks to techniques like these: a type of honeypot for cyber criminals who had meticulously and irreversibly logged proof of their bad dealings for years. By 2017, law enforcement organizations such as the FBI, the Drug Enforcement Administration, and the Internal Revenue Service's Criminal Investigation Division (or IRS-CI) have traced Bitcoin transactions to conduct one investigation after another, frequently with the aid of Chainalysis.
The cases had started as modest but quickly grew in size. Investigators had tracked the movements of two dishonest federal officials and discovered that one had stolen bitcoins from Silk Road and the other had sold law enforcement information to its inventor, Ross Ulbricht, before the dark-web market's takedown in 2013. They then traced down half a billion dollars in bitcoins stolen from the Mt. Gox exchange and demonstrated that the money were laundered by the Russian administrator of another cryptocurrency exchange, BTC-e, finally finding the business's servers in New Jersey. Finally, they tracked down the creator of AlphaBay, a dark-web bazaar that had grown to ten times the size of Silk Road, using bitcoin traces. (A coalition of half a dozen law enforcement agencies was converging in Bangkok to arrest AlphaBay's inventor even as Levin was seated in London talking to the NCA agent.)
Levin was on the watch for Chainalysis' next major investigation, as he usually was. After going over a few ongoing cases with him, the NCA agent brought up an ominous dark web site that had lately come to the agency's attention. Welcome to Video was the name of the show.
"What he saw astounded him: a whole network of illicit payments, all designed to remain hidden, was laid open in front of him."
The webpage was discovered by the NCA while investigating a horrible case involving an offender named Matthew Falder. Falder, a Manchester-based scholar, pretended to be a female artist and solicited nude pictures from strangers on the internet, threatening to share the photos with relatives or friends unless the victims filmed themselves performing progressively degrading and immoral behaviors. He'd eventually push his victims to self-harm and even sexually assault others in front of the camera. He had targeted 50 persons by the time he was apprehended, at least three of them had attempted suicide.
The NCA discovered that Falder was a registered user of Welcome to Video on his computers, a criminal operation that dwarfed even Falder's crimes in scope. The evidence had subsequently been sent from the NCA's child exploitation investigations unit to the computer crime team, which included the cryptocurrency-focused agent at Levin's desk. Welcome to Video seems to be one of the few sites selling access to child sexual assault clips in return for bitcoin. At first look, it was evident that its collection of photographs and films was unusually extensive, and that it was being accessed—and constantly renewed with brand-new content—by a global user base.
The kind of images that was traded on Welcome to Video was often referred to as "child pornography," but child activists and law enforcement are increasingly referring to it as "child sexual abuse material" to eliminate any question that it contains acts of violence against children. For years, CSAM, as it is commonly shortened, has been a large undercurrent of the dark web, a collection of thousands of websites secured by anonymity technologies such as Tor and I2P. Those anonymity technologies, which were utilized by millions of people throughout the world to escape online monitoring, had also become the backbone of a heinous network of abuse, which frequently thwarted law enforcement efforts to identify CSAM site users and administrators.
Levin was shown a Bitcoin address that the NCA had discovered was part of Welcome to Video's financial network. Levin proposed they run it via Chainalysis' Reactor crypto-tracing program. He put down his tea and drew his chair closer to the agent's laptop, where he began mapping out the site's collection of Bitcoin blockchain addresses, which represented the wallets where Welcome to Video had received payments from thousands of consumers.
He was astounded by what he saw: many of the users on this child abuse website—and, by all appearances, the site's administrators—had done practically little to hide their bitcoin tracks. He was confronted with a whole network of illicit payments, all of which were supposed to be kept hidden.
Levin had observed as certain dark-web operators picked up on his firm's crypto-tracing tactics over the years. They'd send money through a series of intermediate addresses or "mixer" services to confuse investigators, or they'd use the cryptocurrency Monero, which is supposed to be significantly more difficult to track. However, Levin could tell by glancing at the Welcome to Video cluster at the NCA office that day that its users were significantly more ignorant. Many others had simply bought bitcoins on cryptocurrency exchanges and then deposited them directly from their wallets to Welcome to Video's account.
The contents of the website's wallets were then liquidated at a few exchanges—Bithumb and Coinone in South Korea, and Huobi in China—and changed back into conventional cash. Someone appeared to be constantly using massive, multi-input transactions to collect and pay out the site's money. Reactor was able to cluster hundreds of addresses rapidly and automatically, concluding that they all belonged to a single service, which Levin could now identify in the program as Welcome to Video. Furthermore, Levin could see that the network of exchanges around and connecting to that cluster certainly included the information needed to identify a large number of the site's anonymous users—not only who was cashing out bitcoins, but who was buying bitcoins to put into it. The blockchain linkages between Welcome to Video and its consumers were among Levin's most blatantly damning connections.
These victims of child sexual assault appeared to be completely unprepared for the current state of blockchain financial forensics. Welcome to Video was a poor rodent that had never faced a predator by the criteria of the cat-and-mouse game Levin had been playing for years.
As Levin sat in front of the NCA agent's laptop, it seemed to him, maybe more vividly than ever before, that he was living in the "golden era" of bitcoin tracing—that blockchain investigators like those at Chainalysis had a large lead on those they were pursuing. He recalls thinking, "We've produced something really strong, and we're a step ahead of these sorts of operators." "You've got a horrendous crime, a terrible thing occurring in the world, and our technology has broken through in an instant and shown who's behind it in very obvious reasoning."
Levin could already surmise that the administrator was in South Korea since someone was paying out the majority of Welcome to Video's income through the two exchanges there. Many of the site's customers appeared to be paying it straight from the addresses where they'd bought the coins on US-based exchanges like Coinbase and Circle. Bringing down this worldwide child abuse network may be as simple as enlisting the help of another law enforcement agency in the US or Korea, one that could demand identifying information from those transactions. Levin had a certain agency in mind.
He informed his NCA host, "I have several folks that might be interested."
But first, Levin discreetly recalled the first five characters of the Welcome to Video address the agent had shown him as he prepared to depart. The Reactor software from Chainalysis provided an autocomplete option for Bitcoin addresses based on the first few unique digits or characters. A single simple password would be enough to open the living map of a worldwide criminal enterprise.
=======
Levin chatted with Chris Janczewski and Tigran Gambaryan in the evening in Thailand. The two IRS Criminal Investigation special agents were seated in Bangkok's Suvarnabhumi Airport that night in early July 2017, stewing over their disappointment at being left out of the largest dark-web market takedown in history.
By 2017, the IRS had amassed a team of some of the best bitcoin tracers in the country. Gambaryan, in reality, was the one who tracked down the two corrupt Silk Road operatives' bitcoins and ultimately broke the BTC-e money laundering case. Gambaryan had even tracked down the AlphaBay server, placing it at a data center in Lithuania, thanks to Levin's help.
When Gambaryan and Janczewski arrived in Bangkok to arrest AlphaBay's administrator, the French-Canadian Alexandre Cazes, they were mainly excluded from the operation's inner circle of DEA and FBI agents. They hadn't been invited to Cazes' arrest scene, or even to the office where other agents and prosecutors were watching a video streaming of the arrest.
The story was completely typical for Gambaryan and Janczewski. IRS-CI agents, like their FBI and DEA counterparts, undertook shoe-leather investigative work, carried firearms, and made arrests. However, due of the IRS's shabby public image, they frequently encountered other agents who viewed them as accountants. When they were presented at meetings, their friends from other law enforcement agencies would jest, "Don't audit me." The remark had been repeated so many times by IRS-CI agents that it elicited an automatic eye roll.
Gambaryan and Janczewski were stuck in Bangkok and spent much of their time lazily pondering what their next case should be, scouring Chainalysis' blockchain-tracing program Reactor for inspiration. The Thailand operation appeared to have left dark-web markets like AlphaBay in shambles, and it would take months, if not years, for them to recover. A dark-web gaming site was examined by the agents as a target. Illegal internet casinos, on the other hand, did not appear to be worth their time.
Gambaryan and Janczewski arrived at the airport on the day of their departure from Thailand to discover that their flight to Washington, DC had been severely delayed. They sat half-awake and bored in the airport, literally looking at the wall, with hours to kill. Gambaryan decided to phone Chainalysis' Levin to discuss the future cases to pass the time. Levin had some good news to give as he picked up the phone. He'd been investigating a website that didn't suit the IRS's regular targets but that he thought they'd be prepared to investigate: Hello and welcome to Video.
The FBI and Homeland Security Investigations have generally been the focus of child sexual exploitation prosecutions, not the IRS. Part of this was due to the fact that most child sexual assault photographs and films were traded without payment, in what investigators dubbed a "baseball card trading" scheme, putting them outside the IRS's purview. Welcome to Video was a unique experience. There was a money trail, and it appeared to be extremely evident.
Soon after they returned to DC, Gambaryan and Janczewski engaged the help of Aaron Bice, a technical analyst from the contract technology firm Excygent, with whom they'd previously studied the crypto exchange BTC-e. Together, they mapped out Welcome to Video in Reactor and realized what Levin had already noticed: how obvious it was as a target. Thousands of clustered bitcoin addresses were set out in front of them, many with scarcely veiled pay-ins and cash-outs at exchanges they knew they could push for identifying information. It indeed appear to be a "slam dunk," as Levin put it. Janczewski quickly presented the evidence to Zia Faruqui, a federal prosecutor, who was immediately convinced on the concept of prosecuting Welcome to Video and formally launched an inquiry.
Gambaryan, Janczewski, Bice, and Faruqui formed an odd team to investigate a large-scale child trafficking ring. Janczewski was a tall Midwestern agent with a square jaw who wore horn-rimmed glasses when staring at a computer screen, appearing like a cross between Sam Rockwell and Chris Evans. After demonstrating his worth in a slew of counterterrorism, drug trafficking, government corruption, and tax evasion cases, he'd been recruited to the DC computer crimes team from the IRS office in Indiana. Bice was a specialist in data analysis and, as Janczewski put it, "half robot" when it came to computer abilities. Faruqui was a seasoned US attorney with a track record of prosecuting national security and money laundering cases. He exhibited an almost frantic focus and intensity, spoke in a hilariously quick patter, and appeared to be scarcely sleeping, according to his coworkers. Then there was Gambaryan, an IRS agent with buzzed hair and a tidy beard who had earned a reputation as the IRS's bitcoin whisperer and dark-web specialist by 2017. He was dubbed "Bitcoin Jesus" by Faruqui.
The team came to understand that, as straightforward as this "slam dunk" case appeared to be, it was actually rather intricate.
Despite this, none of the four had ever worked on a case involving child sexual exploitation. They had no experience dealing with photographs and films of child abuse, which were illegal in the hands of ordinary Americans. They'd never seen these kinds of radioactively distressing things before, and they didn't have any emotional or psychological preparation for the vivid nature of what they were going to view.
Despite their lack of expertise in the field of child abuse, Faruqui was unfazed when the two agents showed him what they found on the blockchain. As a money-laundering attorney, he saw no reason why they couldn't approach Welcome to Video as a financial inquiry based on the proof of unlawful payments Janczewski and Gambaryan had provided him.
Levin chatted with Chris Janczewski and Tigran Gambaryan in the evening in Thailand. The two IRS Criminal Investigation special agents were seated in Bangkok's Suvarnabhumi Airport that night in early July 2017, stewing over their disappointment at being left out of the largest dark-web market takedown in history.
By 2017, the IRS had amassed a team of some of the best bitcoin tracers in the country. Gambaryan, in reality, was the one who tracked down the two corrupt Silk Road operatives' bitcoins and ultimately broke the BTC-e money laundering case. Gambaryan had even tracked down the AlphaBay server, placing it at a data center in Lithuania, thanks to Levin's help.
When Gambaryan and Janczewski arrived in Bangkok to arrest AlphaBay's administrator, the French-Canadian Alexandre Cazes, they were mainly excluded from the operation's inner circle of DEA and FBI agents. They hadn't been invited to Cazes' arrest scene, or even to the office where other agents and prosecutors were watching a video streaming of the arrest.
The story was completely typical for Gambaryan and Janczewski. IRS-CI agents, like their FBI and DEA counterparts, undertook shoe-leather investigative work, carried firearms, and made arrests. However, due of the IRS's shabby public image, they frequently encountered other agents who viewed them as accountants. When they were presented at meetings, their friends from other law enforcement agencies would jest, "Don't audit me." The remark had been repeated so many times by IRS-CI agents that it elicited an automatic eye roll.
Gambaryan and Janczewski were stuck in Bangkok and spent much of their time lazily pondering what their next case should be, scouring Chainalysis' blockchain-tracing program Reactor for inspiration. The Thailand operation appeared to have left dark-web markets like AlphaBay in shambles, and it would take months, if not years, for them to recover. A dark-web gaming site was examined by the agents as a target. Illegal internet casinos, on the other hand, did not appear to be worth their time.
Gambaryan and Janczewski arrived at the airport on the day of their departure from Thailand to discover that their flight to Washington, DC had been severely delayed. They sat half-awake and bored in the airport, literally looking at the wall, with hours to kill. Gambaryan decided to phone Chainalysis' Levin to discuss the future cases to pass the time. Levin had some good news to give as he picked up the phone. He'd been investigating a website that didn't suit the IRS's regular targets but that he thought they'd be prepared to investigate: Hello and welcome to Video.
The FBI and Homeland Security Investigations have generally been the focus of child sexual exploitation prosecutions, not the IRS. Part of this was due to the fact that most child sexual assault photographs and films were traded without payment, in what investigators dubbed a "baseball card trading" scheme, putting them outside the IRS's purview. Welcome to Video was a unique experience. There was a money trail, and it appeared to be extremely evident.
Soon after they returned to DC, Gambaryan and Janczewski engaged the help of Aaron Bice, a technical analyst from the contract technology firm Excygent, with whom they'd previously studied the crypto exchange BTC-e. Together, they mapped out Welcome to Video in Reactor and realized what Levin had already noticed: how obvious it was as a target. Thousands of clustered bitcoin addresses were set out in front of them, many with scarcely veiled pay-ins and cash-outs at exchanges they knew they could push for identifying information. It indeed appear to be a "slam dunk," as Levin put it. Janczewski quickly presented the evidence to Zia Faruqui, a federal prosecutor, who was immediately convinced on the concept of prosecuting Welcome to Video and formally launched an inquiry.
Gambaryan, Janczewski, Bice, and Faruqui formed an odd team to investigate a large-scale child trafficking ring. Janczewski was a tall Midwestern agent with a square jaw who wore horn-rimmed glasses when staring at a computer screen, appearing like a cross between Sam Rockwell and Chris Evans. After demonstrating his worth in a slew of counterterrorism, drug trafficking, government corruption, and tax evasion cases, he'd been recruited to the DC computer crimes team from the IRS office in Indiana. Bice was a specialist in data analysis and, as Janczewski put it, "half robot" when it came to computer abilities. Faruqui was a seasoned US attorney with a track record of prosecuting national security and money laundering cases. He exhibited an almost frantic focus and intensity, spoke in a hilariously quick patter, and appeared to be scarcely sleeping, according to his coworkers. Then there was Gambaryan, an IRS agent with buzzed hair and a tidy beard who had earned a reputation as the IRS's bitcoin whisperer and dark-web specialist by 2017. He was dubbed "Bitcoin Jesus" by Faruqui.
The team came to understand that, as straightforward as this "slam dunk" case appeared to be, it was actually rather intricate.
Despite this, none of the four had ever worked on a case involving child sexual exploitation. They had no experience dealing with photographs and films of child abuse, which were illegal in the hands of ordinary Americans. They'd never seen these kinds of radioactively distressing things before, and they didn't have any emotional or psychological preparation for the vivid nature of what they were going to view.
Despite their lack of expertise in the field of child abuse, Faruqui was unfazed when the two agents showed him what they found on the blockchain. As a money-laundering attorney, he saw no reason why they couldn't approach Welcome to Video as a financial inquiry based on the proof of unlawful payments Janczewski and Gambaryan had provided him.
“We’re going to treat this case like we would any other,” he said. “We are going to investigate this by following the money.”
** Information on these pages contains forward-looking statements that involve risks and uncertainties. Markets and instruments profiled on this page are for informational purposes only and should not in any way come across as a recommendation to buy or sell in these assets. You should do your own thorough research before making any investment decisions. All risks, losses and costs associated with investing, including total loss of principal, are your responsibility. The views and opinions expressed in this article are those of the authors and do not necessarily reflect the official policy or position of USA GAG nor its advertisers. The author will not be held responsible for information that is found at the end of links posted on this page.