Updated on: August 28, 2024
In a recent Q&A with SafetyDetectives, Justin Maile, CEO of CipherBlade, shared his insights on the complexities of cryptocurrency forensics and the challenges faced by victims of crypto scams. Maile, who has a background in network security and pentesting, transitioned to cryptocurrency investigations after being intrigued by the potential impact of digital currencies on the financial market. He has since become a leading expert in tracing digital assets and has helped build CipherBlade into a trusted name in the field. He discussed the mission of CipherBlade, their flagship services, and the growing need for cooperation between private firms and law enforcement to combat crypto-related crimes effectively. Maile also highlighted the ongoing trends and common tactics used by crypto scammers, providing valuable advice for individuals to protect themselves.
Can you tell us about your background and how you became the CEO of CipherBlade in the US?
I’ve been doing cryptocurrency forensics professionally for about seven years now. My background is originally in network security and pentesting, which I did first in the US Marine Corps and then as a government contractor. When I heard from a client how they were concerned about how cryptocurrencies, which had long fascinated me as a hobby, would affect the banking business and the greater financial market, I decided that it was time to really dive in and learn about it. I attended training for Reactor, a forensics software created by Chainalysis that visualizes the blockchain and allows investigators to trace the flow of asset, assigning attribution to blockchain addresses and clusters them if they are controlled by the same entities, collating data from in-house research, partnerships, and heuristics. I was so engrossed in the topic that, when I spent my lunch break digging into the Silk Road address clusters and applying what I had just learned to identify vendors and where fees and admin payments were being transferred, one of Chainalysis’ co-founders, Jonathan Levin, offered me a job on the spot on their newly-formed investigation team.
Starting with only three investigators, the team had the mission of supporting Chainalysis’ law enforcement customers to assist with investigations and teach them how to use the software, and also beta-testing new features and developing new analytical techniques. We grew rapidly and within a few years were handling hundreds of investigation support requests from law enforcement and some corporate clients. At that point, I had already begun working with the partnerships team to develop a program to train and certify companies to be Investigation Partners using Chainalysis software. I joined the partnerships team officially and defined much of the reporting standards that are used by investigators across the industry and certified many of the companies in this space that do similar work.
In early 2023, I was looking for a new challenge and opportunity. I had already worked with the CipherBlade team for years, as they were the first investigation partner at Chainalysis, and they were at the time looking to expand their team and presence. So I joined them and was originally supposed to build a team to support civil litigation, but the role quickly expanded thanks to mounting opportunities. I eventually took over the helm as CEO and owner of the main operating company of the CipherBlade brand after my predecessor dropped out from the operations and came into conflict with the owner of the trademark, ultimately resulting in the termination of his license.
Over the last year and half, I have been successful in building out our industry presence in the form of a network of collaborations and partnerships. We are now partnered with multiple law firms in order to offer different types of legal support to clients; multiple forensics software providers so as to use redundant tools for better asset coverage as well as to contribute to the development of better tools for the industry; crypto media publications; and cybersecurity companies to handle the technical and hardware sides of incident response and investigations, and have continued to build relationships and brand reputation across the industry.
What is the mission of CipherBlade and what are your flagship services?
We love cryptocurrencies. We think they’re a great innovation and a lot of our clients, especially internationally, use them to pay us. But they are also used for untoward purposes in novel ways – less than people think, actually, but it’s still a major issue. And we’re here to use our skills to do what we can to combat that.
Fundamentally, our core service is the tracing of cryptocurrencies. Any time you want to know where cryptos went or where they come from, or how much was moved when, you come to us. We do in-depth analysis combining our forensics software (the same things law enforcement uses) and the experience of our experts. There is so much more to it than just calling an API that spits out a risk score.
That obviously comes into play for victims of crime who have lost cryptocurrencies, where we trace the stolen funds and support the client with course-of-action advice and by liaising with law enforcement and, if applicable, lawyers in our network.
But our second major client group is people (or their lawyers) who have a court case involving cryptocurrencies. For example, someone gets divorced, but their ex-partner thinks cryptos are easy to hide and fails to declare them to the court for asset separation purposes. Then they can engage us and we work with their lawyer, utilizing our investigative resources together with the legal process, to find those concealed assets. That’s not the only type of case we can be useful in, of course – we’ve also worked on estate matters, business disputes, tax cases, criminal defense, and other things. For more details on any of the services we provide, please check our website.
How does CipherBlade help the victims of crypto scams?
It remains the case that law enforcement globally faces a lack of capacity and/or competency when it comes to cryptocurrency-related crime. What we do is trace the flow of funds, identify attribution points, and, where appropriate, supplement this with additional investigative steps, such as software forensics or OSINT, the ultimate objective being to either find the perpetrator or identify assets that can be seized. Then we help the victim navigate the process of reporting to law enforcement, which they can then do with our report in hand. That way, a lot of the work is taken off law enforcement’s plate and they can take on investigations and help victims where they otherwise would have to reject the case. Our report also comes with course-of-action recommendations and we continue to liaise with law enforcement and help them navigate the case. Sometimes the situation warrants filing a lawsuit as a faster or more promising route, and of course we have national and international law firms we’ve worked with in our network to refer such cases to.
What are some of the biggest challenges CipherBlade faces in tracking and recovering stolen cryptocurrency?
Crypto investigations and recoveries are an endeavor that requires the cooperation of multiple parties. As a private company, we have no legal power to compel disclosure of information or seize assets. Of course, sometimes, you can get things resolved on an informal level, but mostly we need the cooperation of law enforcement or the courts. And sometimes you’re unlucky and you can’t get that for whatever reason, if you’re unlucky and your case gets assigned to an officer who just wants to minimize his number of open cases and isn’t interested or open-minded enough. Sometimes you can then get things done by initiating civil litigation, but that can be expensive. So lack of cooperation from law enforcement can be a problem.
The other big problem is bad-faith actors in the cryptocurrency space. Many, many exchanges operate in good faith and cooperate with authorities even when maybe they strictly speaking wouldn’t have to, in recognition of the unprecedented international nature of crypto. But there are still bad sheep which facilitate money laundering essentially as part of their business model and which are systematically uncooperative – usually by making you jump through hoops that they know you’ll never get to the end of. Then you have to do things like start a legal case in Seychelles, which you can do, but it’s not exactly routine and often regrettably not worth it.
In some jurisdictions, we also run into hurdles that arise from legislation. Some countries’ laws are ill-equipped to deal with the specific ways in which cryptocurrencies are often laundered. That can lead to a situation where you have assets sitting in an account that received the funds stolen in the incident you’re investigating, and from looking at that account’s behavior and you immediately know that it’s engaged in systematic money laundering – but your victim happens to be in the wrong country and you can’t get a court order for them to seize the funds because the conditions aren’t just right. It’s really frustrating, to be honest.
What trends do you currently see in the cryptocurrency industry that people should be aware of?
Actually, I would say what’s more notable at the moment is really the absence of major developments. The threat landscape hasn’t really changed all that much in the last couple of years and it’s still the same best practices that will keep you safe. It also remains true that an ounce of prevention is worth a pound of cure.
One thing we’ve seen happen is the way that expectations for forensic analysis have become more stringent and standardized, on the part of both industry participants and courts. You may have heard about the somewhat-recent kerfuffle around the challenge to expert testimony from Chainalysis, and there is increasing awareness around this from law enforcement and attorneys. This is, of course, very exciting to us, but it isn’t really something that has an impact on the experience of cryptocurrency users.
What are some common tactics used by crypto scammers, and how can individuals protect themselves?
By far the most prevalent kind of incident that victims come to us with are fake investment platforms and generally fake investment schemes of various kinds. A lot of these fall under what’s called “pig butchering scams”. A scammer will approach a victim through social media or messaging apps (including dating apps) with a made-up persona and build a relationship with them to build trust. Sometimes, there is a romance scam component to it. That trust is then used to induce the victim to invest in some scheme or deposit funds to a supposed trading platform. Fake trading profits are shown as a proof of concept, maybe even a first withdrawal is processed, and the victim is persuaded to invest more money over some time. When the victim eventually tries to withdraw, they are met with various stories why the withdrawal can’t be processed and often even asked to send more money for alleged fees or taxes, after which they will supposedly be able to withdraw. Of course, that never happens, and eventually both the scammer contact and the platform just disappear.
If you are contacted out of the blue by someone you don’t know who seems friendly, ignore them. There’s more red flags along the way: when they start talking about investments, bring up opportunities that are too good to be true, and recommend you to send money anywhere.
In addition, we are still seeing a lot of what’s called “address poisoning”. Here a scammer looks at your address’s history, picks the most recent address you have interacted with, and generates an address that looks superficially similar – with roughly the same initial and final characters, since often only those are checked or even displayed. Then they send a small amount from there to your address, or they create a fake token with the ticker of a familiar one and make it look like you sent that token to their address. This exploits the fact that people sometimes copy-paste addresses to send to from their own wallet history. For example, they know the last transaction they made was to their exchange account, and they just take the deposit address from their wallet history, not noticing that the attacker has meanwhile inserted a fake token transaction. They inadvertently copy the hacker’s address. The address generation and the poisoning transactions are all done in an automated fashion – the software for this is for sale on hacker forums.
These attacks are actually easy to defend against: never, ever copy an address from your wallet history. Just always copy it from the proper source. Even if you’re depositing to your exchange account to which you’ve already made a hundred transactions – make sure to copy it from the exchange website every single time. That’s it, that’s all people need to do to avoid issues. The only reason these attacks work is that they are done at scale on thousands of addresses and someone, somewhere is a bit lazy or tired and slips up by trying to avoid a few clicks.
Finally, a type of scam I would like to draw attention to is recovery scams – where the scammers contact people who have already been victimized and scam them a second time by pretending to provide investigation or recovery services. A lot of the time, they just directly impersonate a known cryptocurrency investigation company like CipherBlade. It’s awful because you see already-vulnerable people being victimized a second time and generally people being turned off from getting the help they need. And you can’t do all that much about it because these scams are individually for relatively small amounts, so it’s just not viable to spend resources on actually investigating them. You’re basically stuck playing whack-a-mole with fraudulent web pages and e-mail accounts and telling people to please stay vigilant. There’s a bunch of giveaways – from absurdly bad web design to funny-looking domain names, e-mail addresses with typos, refusal to get on voice or video calls or unsolicited calls on Facebook messenger, and implausible promises like “hacking the perpetrators”. We actually just published a post on our Facebook and Instagram (and soon to be LinkedIn) to make our followers aware of the red flags.