The Republic of Agora

Crypto-Asset Recovery


Challenges, Observed Practices and Strategies

Noémi També, et al. | 2024.12.18

This guide is designed to support jurisdictions in the early stages of developing crypto-asset recovery frameworks, offering guidance on crafting mitigating strategies and adopting practices to enhance the effectiveness of confiscation efforts.

The international community continues to face challenges in recovering criminal proceeds. Financial crime risk practitioners recognise the recovery of criminal proceeds as a crucial component in combating illicit finance, as it reduces the profitability of crime and deters potential offenders. It also serves as a primary indicator for the effectiveness of countries’ counter-proliferation and anti-money-laundering efforts.

Yet problems persist with international cooperation, information sharing and a lack of appropriate legislative tools, resources and training. The nature of crypto assets also introduces an additional layer of complexity to an already difficult process. Furthermore, sanctioned actors exploiting crypto assets for obfuscation and sanctions evasion exacerbate the issue.

In this context, jurisdictions seeking to combat proliferation finance and money laundering must prioritise the development of effective and robust crypto-asset recovery frameworks.

This guide aims to support less crypto-mature jurisdictions by highlighting the challenges that law enforcement and crypto-asset service providers (CASPs) face throughout the crypto-asset recovery lifecycle. It also documents existing practices and mitigating strategies to tackle such challenges. This guide does not provide recommendations on legal and legislative matters, as those are beyond its scope and purpose.

Informed by expert interviews and a review of grey and academic literature, the guide identifies three key challenges to effective crypto-asset recovery:

  1. Uncertain legislative, regulatory and supervisory frameworks.

  2. Limited international coordination.

  3. Limited education, training and practice of crypto-asset tracing and confiscation.

The guide also provides an overview of observed practices and strategies identified and discussed in interviews. These strategies target specific issues facing practitioners and tackle a wide range of approaches adopted by subject matter experts (SMEs) across the end-to-end crypto-asset recovery lifecycle. These can be categorised under the following headings:

  • Clarifying communication formats between law enforcement agencies and CASPs.

  • Improving cross-border cooperation.

  • Enhancing education and training on asset tracing, pre-seizure planning, storage and volatility management (including guidance to navigate uncertain legislative, regulatory and supervisory frameworks).

Finally, the guide explores the challenges associated with tracing and seizing North Korean crypto assets as reported by SMEs. The crypto community is aware of North Korea’s exploitation of crypto assets to generate revenue and evade international sanctions. It seeks to support global efforts to restrict North Korea’s access to this significant revenue source, which could be used to acquire goods or services that advance its WMD programmes, posing a serious threat to global security.

Introduction

In recent years, asset recovery has become a key policy and legislative priority in combating illicit financial flows. Research highlights several reasons asset recovery could be an effective crime-reduction strategy: it reduces the profitability of crime, and deters potential offenders by demonstrating that “crime does not pay”. In addition, recovering criminal proceeds prevents their reinvestment into illicit activities, disrupting the criminal lifecycle.

Asset recovery also promotes fairness towards victims and, in corruption cases, enables the reinvestment of stolen assets into other sectors, bolstering public trust and confidence in government institutions and the rule of law.

Despite its importance, the recovery of criminal proceeds has proven challenging for the international community. This is due to limited international cooperation, inadequate legislative tools, poor asset seizure planning, and difficulties in monitoring, managing and disposing of recovered assets. These elements are essential for effective asset recovery, particularly in the fight against money laundering (ML) and proliferation finance (PF).

In this context, crypto-asset recovery introduces an additional layer of complexity to an already-difficult process. The speed, novelty and complexity of crypto-asset transactions, combined with tracing challenges and their borderless nature, significantly amplify the difficulties typically associated with asset recovery. Given the growing volume of crypto-related fraud, criminal revenues from cyber attacks targeting crypto-asset-related companies, and the ongoing exploitation of crypto assets by sanctioned actors, it is crucial to understand the challenges, observed practices and strategies for effective crypto-asset recovery.

This guide is designed to support jurisdictions in the early stages of developing crypto-asset recovery frameworks. It offers guidance on crafting mitigating strategies and adopting practices that could enhance the effectiveness of confiscation efforts.

The key questions underlying this guide are:

  • What challenges do law enforcement agencies (LEAs) and crypto-asset service providers (CASPs) face in the crypto-asset recovery lifecycle?

  • What practices and observed mitigating strategies exist to overcome these obstacles?

This guide offers valuable support to LEAs, CASPs and competent authorities (such as regulators, supervisors and/or policymaking bodies) operating in less crypto-mature jurisdictions.

Scope, Definitions, Methodology and Limitations

This guide documents challenges and observed best practices for crypto-asset confiscation to support jurisdictions seeking to develop crypto-asset recovery frameworks. Recommendations, especially on legal or legislative matters, are outside the scope of the guide.

The authors adopt the Financial Action Task Force (FATF) definition of crypto assets: a “digital representation of value that can be digitally traded, or transferred, and can be used for payment or investment purposes”.

The research for this guide is informed by semi-structured interviews with 27 crypto-asset recovery subject matter experts (SMEs) working in LEAs, CASPs and blockchain analytics tool companies. The experts are based in the US, Europe, Africa and Southeast Asia. The interviews and literature review were conducted between May and July 2024. Interviewees were selected based on their first-hand knowledge of cryptocurrency and asset recovery, not on their geographical location. All interviews were conducted online. The interviews were supplemented and validated through a review of relevant policy and academic literature, reports from competent authorities across relevant jurisdictions, and grey literature. Furthermore, while it identifies mitigating strategies and best practices from several jurisdictions, this guide is not a comparative study across jurisdictions. The countries and institutions that were sampled for the research have been anonymised.

Due to time constraints, the authors were not able to interview practitioners and experts operating in Latin America, Central Asia or Australia. This may limit the generalisability of the data collated.

This guide has two chapters. Chapter I provides an overview of the current crypto-asset recovery landscape and discusses the challenges that stakeholders face when dealing with this process. Chapter II presents observed practices and measures to tackle these challenges and explores the difficulties in tracing and seizing North Korean crypto assets. This is crucial to supporting the international community’s efforts to restrict North Korea’s ability to advance its WMD programme.

I. Context and Challenges

This chapter outlines the traditional asset recovery process and the challenges that LEAs, stakeholders and competent authorities face in seizing the proceeds of criminal activities. It also highlights the steps involved in the confiscation of crypto assets and examines the challenges identified by the SMEs specialising in crypto-assets seizure who were interviewed for this guide. On the basis of these interviews, the challenges are grouped into three main themes:

  1. Uncertain legislative, regulatory and supervisory frameworks.

  2. Limited international coordination.

  3. Limited education, training and practice of asset tracing and confiscation.

The Asset Recovery Process

To understand the challenges of crypto-asset recovery, it is essential to understand both the traditional asset recovery process and challenges that LEAs, stakeholders and competent authorities face when seizing the proceeds of criminal activities more broadly.

The asset recovery process typically consists of four phases:

  • Asset tracing: The collection of intelligence and evidence on the location and beneficial ownership of alleged proceeds of crime.

  • Asset freezing and seizing: The temporary physical retaining of property pending a final judgment, aimed at preventing asset dissipation.

    • Asset management: The securing and preservation of value of property until confiscation or release.

  • Asset confiscation or forfeiture: The permanent deprivation of assets following a judgment, which transfers the title to government without compensation to the asset holder. Forfeiture can result from criminal or civil proceedings:

    • Criminal forfeiture targets an individual associated with the property and requires a conviction based on the highest standard of proof (“beyond reasonable doubt”).

    • Civil forfeiture (“non-conviction-based confiscation”) targets the property itself, requiring proof on a lower standard (“balance of probability”) that the property is more likely than not to be associated with proceeds of crime.

  • Asset realisation: The liquidation or return of the assets to the victims of the crime or, in the case of corruption, to the origin country.

Regardless of the asset type, the asset recovery process follows these same stages. With the increasing exploitation of crypto assets in various crimes – such as murder for hire, fraud, ML, PF and ransomware – crypto-asset recovery has become a key focus for policymakers worldwide.

While the overall process is similar, there are several unique elements to crypto-asset recovery (see Figure 1). The primary challenge lies in controlling the assets. Effective recovery requires a strong partnership among LEAs, which aim to gain control of the assets early in the investigation, and CASPs, which are expected to cooperate with LEAs while still meeting their commercial obligations to users.

Figure 1: The Crypto-Asset Recovery Process. Source: The authors. Note: Figure developed based on authors’ interview 6 with asset-seizure expert, 15 May 2024; authors’ interview 7 with CASP representative, 17 May 2024; authors’ interview 12 with asset-seizure expert, 29 May 2024; authors’ interviews 19 and 20 with asset-seizure experts, 18 June 2024. While Figure 1 illustrates the formal steps towards confiscation, most crypto-asset recovery processes typically begin via informal channels, which is explored in this chapter and Chapter II.

As shown in Figure 1, the crypto-asset recovery process consists of four phases: asset tracing, asset freezing and seizing, asset confiscation and asset realisation. Authorities should plan the seizure process in advance, to ensure the process is robust, consistent and auditable. The details to consider while defining a protocol are outlined in Chapter II.

During the asset-tracing phase, authorities may identify that funds are sent to a service provider in a foreign jurisdiction and therefore need to follow the mutual legal assistance (MLA) process (discussed later in this chapter).

In addition, a fundamental aspect of the recovery process is the ability to determine the jurisdictions in which CASPs and/or crypto platforms are licensed or registered, including associated entities, such as holding companies. This will inform the CASP’s attitude to the formal request process and associated orders, as well as informal requests and cooperation.

However, if the CASP is domiciled within the same jurisdiction as the investigative authorities, the latter can reach out to the registered or licensed CASP to request information and issue a freeze order. Once sufficient evidence is acquired, a seizure order can be issued to transfer funds to a pre-arranged police account at a CASP or a government-controlled wallet.

Alternatively, authorities may receive a warrant and, during the search of the premises, come across information, such as a seed phrase, hardware or software wallet, or private key(s). In this case, authorities with a warrant can seize the information or device. After a criminal or civil proceeding in favour of the authorities, the assets can then be confiscated and liquidated or returned to victims or the government.

Uncertain Legislative, Regulatory and Supervisory Frameworks

Legislative Frameworks

Interviews with law enforcement experts suggest that, where applicable, crypto-asset seizure legislation in their jurisdictions is generally fit for purpose, enabling competent authorities to confiscate the crypto proceeds of crime. In some jurisdictions, legislation on the recovery of proceeds of crime covers both tangible and intangible assets, with crypto assets recognised as property. As a result, seizure frameworks designed for fiat money and more traditional assets, such as cars, yachts or livestock, are typically sufficient. According to one interviewee, “crypto is property, and once that is defined, the rest falls into place because you have the right mechanisms to support you”. Another expert reinforced this, stating that “if you can seize cars, you can seize crypto”.

Another element raised by all but one interviewee is the advantage of non-conviction-based civil forfeiture, which enables law enforcement to go after the assets at a lower standard of proof. Indeed, there is a growing consensus that, while criminal proceedings should remain the primary method for securing a conviction, civil confiscation is “a useful supplementary tool” for recovering assets. The literature highlights as major benefits the ability to confiscate regardless of a criminal conviction and to reverse the burden of proving the assets are not linked to criminal activity. The latter facilitates the work of law enforcement in providing evidence, especially in cross-border cases.

However, the legislative challenges faced by practitioners working in CASPs and blockchain analytics firms differ from those encountered by those working in law enforcement. CASPs, especially large central exchanges, typically operate across multiple jurisdictions, even servicing clients residing in jurisdictions other than where the CASP itself is headquartered or incorporated. As a result, they manage requests for information from domestic and foreign LEAs. This exposes them to a wide range of legislative frameworks, many of which lack clear regulations on crypto-asset seizure, creating additional complexity for compliance and cooperation efforts.

Some limitations stem from legislation not addressing whether crypto assets are considered value, property or a claim. Jurisdictions must provide a clear definition of what is being seized when it comes to crypto assets. This is particularly relevant as it drives what CASPs are expected to do when freezing assets. For example, some countries will want to seize the actual amount of crypto assets, while others will seek to seize the value of the assets – which presents its own set of challenges, such as whether to use the value on the date of the seizure or the date of the issued order. As such, the CASP may be asked to convert the assets’ value depending on the jurisdiction making the request. Likewise, in jurisdictions without robust crypto-asset regulation, the lack of legal recognition of crypto assets as property remains a key challenge.

Additional challenges exist with the operationalisation of crypto-asset seizure. In some jurisdictions, crypto-asset legislation has been modelled on existing traditional asset-seizure legislation, modified to account for the practicalities of seizing crypto. However, other jurisdictions have drafted specific crypto-seizure legislation, but have failed to issue practical guidance on how to implement and enforce it. This inconsistency in asset-seizure practices across jurisdictions has proven challenging for many CASPs, creating a vulnerability that hinders jurisdictions’ overall ability to effectively recover crypto assets.

Guidance

A common theme during the interviews was that law enforcement, regardless of the maturity of asset-seizure legislation, needs additional guidance and standard operating procedures (SOPs) within their respective jurisdictions to better understand how to apply relevant legislation for each step of the crypto-asset seizure lifecycle. This includes understanding how to serve orders or what to consider when seizing and forfeiting crypto assets. In sum, despite some countries having a robust legal framework for crypto assets, the novelty of crypto prevails, with interviewees reporting that associated practice and procedures are limited. This is due to “the perceived complexity around crypto-asset seizures, and that people need to seek comfort in guidance and standard operating procedures. The purpose of such SOPs is to provide reassurance necessary to empower law enforcement”.

SOPs relating to regulation also support law enforcement. For instance, law enforcement may face resistance from CASPs and data controllers that challenge the legitimacy of requests, refusing to share information due to privacy concerns and associated data-protection legislation. One expert noted that, in their previous role in law enforcement, they encountered resistance from UK-based CASPs claiming that requests for information violate the Human Rights Act. Accordingly, to prevent such issues when navigating regulations in different jurisdictions, guiding principles are essential to better support law enforcement at the investigative stage of the process – especially as there are often challenges associated with cross-jurisdictional elements.

Similarly, concerns relating to potential data-protection breaches arise when a CASP receives a request from a jurisdiction in which it is operating but not based. This may arise, for instance, when a request for information related to a non-EU-based customer is issued by EU law enforcement. Under such circumstances, less cooperative CASPs may push back on such requests, with law enforcement unaware that there may be overlaps across countries’ respective regulations and therefore ways to make them applicable across jurisdictions. Some CASPs will look at relevant legislation available in a jurisdiction and assess how they can support law enforcement, explaining which request cannot be made while guiding it towards the one that can be made to enable the CASP to provide the data. As a CASP representative noted, “we typically comply with requests from around the world, but we want to make sure there is no overreach, that law enforcement makes requests that are proportionate and in line with its local framework”. It is important to note that this approach may not be common practice. Indeed, interviews with law enforcement representatives challenge and denounce the lack of CASP cooperation. This point is further explored below.

Regulatory and Supervisory Frameworks

The final issue that experts raised was about the lack of effective supervision for crypto assets, which undermines the asset-seizure process. As one expert noted: “We need to remember that what we do is not just about financial crime and AML. Consumer protection and the health of the whole market is also fundamental”.

Another LEA expert explained that when CASPs are not supervised by a strong body, they lack clear channels of communication with law enforcement. Hence, CASPs do not know how to support law enforcement and, in turn, law enforcement has no clear contact point at supervisory level to adequately engage with CASPs. This may limit support with regards to suspicious activity report quality, for instance.

Thus, an ambiguous, weak or non-existent supervisory regime for CASPs and crypto assets has wider implications, affecting law enforcement and the overall effectiveness of the asset-seizure process.

Limited International Coordination

A further key challenge identified relates to the lack of international consensus and coordination. This is particularly problematic considering the cross-border nature of crypto assets and the speed of transactions typically observed with, for instance, North Korean-linked sanctions obfuscation tactics.

Gathering evidence and executing legal orders outside jurisdictional borders present unique challenges, especially for cross-jurisdictional coordination. For instance, authorities might not be aware of how to begin international cooperation if “a CASP is incorporated in country A, its servers are in country B, its customers in country C, with employees in country D”. This is particularly challenging when law enforcement is limited to the confines of its own jurisdiction’s legal remit, with CASPs operating across multiple countries with their own legal frameworks.

Geographical Location of Data

According to one expert, in their jurisdiction, crypto assets are recognised as property for legal purposes. However, authorities need to consider the location of that property: “Where is that data stored, where are the data senders, where are people accessing wallets from?” Indeed, a suspect under investigation may have a wallet that is hosted on a sub-server within a structure that is outsourced to another server in yet another country. Regulatory arbitrage may occur, with CASPs sometimes moving to jurisdictions with light-touch crypto-asset regulation that often lack the capacity to deal with the flow of foreign information and disclosure requests. Alternatively, local law enforcement might lack resources or have limited crypto-asset-relevant training. Hence, when receiving MLA requests on crypto-related cases, the receiving authority may have a limited understanding of the documentation.

MLA requests need at least one staff member on the receiving end who understands the information and agrees to put their name to the request, liaise with the relevant exchange and follow through. This can sometimes be a challenge because of limited resources and knowledge, which may lead concerned members of staff to hesitate in signing off the request.

MLAs are pathways to getting a foreign jurisdiction to recognise and realise an order issued by another. However, interviewees stated that this process is resource- and time-consuming, and varies across countries. This statement holds true even when processes are standardised across countries such as EU member states. Ultimately, authorities attempt to get a request to the right place at the right time, but it remains an archaic process. By the time authorities go through the MLA, the assets will have moved to another jurisdiction. The borderless nature of crypto assets and the high speed of transactions “capitalise on every failure of slow bureaucratic governments: where we can’t move with speed, crypto crime wins”.

Indeed, when funds are traced to an entity within a jurisdiction, the crypto assets can move to another foreign entity before authorities can get to a country-to-country engagement. For example, illicitly acquired assets, such as North Korean crypto assets, are generally transferred to CASPs in uncooperative or less regulated jurisdictions or to CASPs that are unresponsive to law enforcement requests. The laundering process by North Korean cyber-criminals emphasises that the MLA model is not fit for purpose.

Channels of Informal Engagement

As an additional method alongside the MLA process, authorities sometimes obtain information through informal channels, leveraging relationships built with jurisdictions that are developed through goodwill and traditional networking. Although information obtained through informal channels (namely, not through the MLA process) cannot be used in court, some experts indicate that engaging with counterparts in such a way enables law enforcement to obtain support, target their applications appropriately or advise that a formal request is coming, thus speeding up MLA. For instance, this process enables law enforcement in one jurisdiction to identify whether authorities in other jurisdictions have contacts or robust cooperation from local CASPs, which may in turn support the foreign LEA. It is important to note that authorities cannot overstep the formal MLA process, but informal engagements can maximise the chances of smooth asset recovery.

Limited Education, Training and Practice of Crypto-Asset Tracing and Confiscation

SMEs reported that the challenges discussed in previous sections are exacerbated by a lack of education and awareness. This impacts the effectiveness of crypto-asset recovery in general and law enforcement’s ability to “go after” ill-acquired assets.

The root cause is the combination of limited knowledge on asset recovery and the perceived complexity of the recovery of crypto assets. One expert stated that “crime that includes crypto assets exacerbates the two biggest problems that law enforcement has: a failure to understand technology and a failure to do asset recovery”. This is compounded by the difficulty of retaining talent. Once individuals have been trained in the public sector, they are typically headhunted by CASPs and blockchain analytics tool companies offering greater monetary compensation schemes than those of the public sector. Consequently, corporate knowledge across the public sector stagnates.

SMEs identified asset tracing and asset confiscation as key focus points for education and training.

Asset Tracing

Tracing and identifying illicit crypto assets are key challenges. This stems from the fact that authorities receive limited training in relation to tracing crypto-asset transactions, together with the sophistication of techniques used by illicit actors such as North Korea. Indeed, North Korea uses a trial-and-error approach to obfuscating and laundering funds. Cyber-criminals operating on Pyongyang’s behalf develop and test “playbooks” of obfuscation techniques, including the use of continuous layering, straw accounts at large exchanges, mixers, bridges, and setting up of new accounts and wallets. According to an asset-seizure expert: “They have a library of techniques that they try and then archive should they not be successful”. Accordingly, blockchain analytics companies and competent authorities need to coordinate closely to follow the spiderweb of transactions and trace the movement of funds.

Law enforcement may encounter difficulties associated with understanding the types of coins being traced, such as privacy coins, as well as obfuscation techniques deployed by suspects. With some agents sometimes feeling they are left on their own for this process, robust education and training is needed. This is particularly key as commercial tools have their limitations and may, for example, not successfully attribute an entity to an address. Law enforcement should therefore receive adequate training on open-source analytics, digital forensics, public records analysis, human intelligence and dark web research. A blockchain analytics representative added: “Never trust a tool. Teach people open source first”.

Unfortunately, interviewees indicated that adequate educational support for law enforcement is lacking. This point was echoed by experts operating within CASPs, who explain that they often verify the tracing as law enforcement can get it wrong, impacting not only investigations but also CASPs’ business relationships with their customers. It should be noted, however, that law enforcement is equally sceptical of pushback from CASPs, with one representative stating: “Certainly, bad tracing due to limited training happens, but CASPs will have their own motivation and will want to protect themselves”. Regional centres of excellence can support law enforcement to prevent skills erosion and provide continuous practical training.

Interviewees also noted that blockchain analytics tool providers do not provide full coverage in terms of crypto addresses attribution and on-the-ground intelligence gathering relating to illicit activities across all jurisdictions, which limits the reach of such tools. As such, the analysis may come down to an authority’s level of education and skill. Law enforcement must be able to read the blockchain to understand the situation at each junction and identify whether another entity is involved between transactions (also called “hops”). Likewise, law enforcement needs to understand when analytics tools may not successfully address an attribution.

With such caveats, some CASPs verify the tracing that law enforcement performs. However, regardless of tracing quality, CASPs still need to comply when a court issues a legal order. Under such circumstances, CASPs face challenges as they want to foster and preserve partnerships with LEAs while also fulfilling their responsibility and accountability to their customers. This can generate issues and potentially conflict should customers challenge decisions that impact access to products and services.

Asset Seizure (and Storage)

Seizing self-hosted wallets is another ongoing challenge for law enforcement. For instance, police officers and investigators may not know how to detect information related to crypto assets during a search operation, and might overlook a hardware wallet without knowing what it is and how it needs to be seized.

Other challenges also exist around law enforcement gaining control of the private key and thus the suspect’s assets. For example, authorities may identify a seed phrase to recreate the wallet. Research identified multiple cautionary tales where officers are said to have seized a hardware wallet and put it into an evidence bag that went straight into the safe. At this point, officers thought they had seized Bitcoin. Unfortunately, a third party may also have access to the private key and could therefore transfer the funds to a new address. Consequently, the officers would lose the assets.

Another challenge raised by experts was the lack of planning by law enforcement regarding the asset-seizure process and protocol. Ultimately, if law enforcement wants to recover assets, authorities need to have an account with a third-party provider or a self-hosted wallet that can be properly secured. For example, one interviewee explained: “If you search a drug dealer’s home, and their laptop is open, if there is a crypto wallet there, you will want to seize the assets. Under such circumstances, you will need a wallet or a facility to receive all the tokens and crypto that they hold. What happens if you have not planned for such a contingency?”.

Similarly, despite some preplanning, some LEAs do not know how to receive crypto assets. Under such circumstances, CASPs may support law enforcement and guide them to set up an account or wallet. Should this option be unsuitable for law enforcement needs, CASPs can convert the funds to fiat money and send it on to an LEA’s traditional banking account. If funds are transferred to an address held by a third party and credited to a police account, the CASP will need to receive relevant legal documentation to verify it is dealing with law enforcement. This may be done through third-party checks or confirmation with the judge who has signed the order before transferring the funds. To avoid any liability, a test transaction may be performed to ensure that all data provided is correct. Once this is validated, the full amount is transferred. There are additional layers of verification to ensure that an officer has not “gone rogue” and sent the assets to another address or a personal wallet. This is discussed further in Chapter II.

Some experts identified a lack of awareness of such processes and practices by law enforcement operating in less crypto-mature jurisdictions. For instance, if an agency is waiting for new SOPs to be signed off by senior management, it may rely on a third party to retain the funds before transferring the asset to the agency’s self-hosted wallet addresses. However, a robust procurement process should be in place to ensure the agency can trust the third-party service provider. Similarly, other experts highlighted additional challenges on whether assets need to be converted to fiat money or not (to prevent acute fluctuations in value in view of the volatility of crypto assets), as well as how to return assets to victims or segregate assets.

II. Observed Practices and Mitigation Strategies

While Chapter I discussed the key challenges to effective crypto-asset recovery, this chapter details observed practices and strategies implemented by law enforcement and CASPs to facilitate the operationalisation of crypto-asset recovery and tackle some of the identified challenges. It is important to note that the practices and strategies discussed comply with the relevant local legislation and regulations.

Practices and strategies that were observed and discussed as part of the research for this guide concern the following elements, which are discussed in turn:

  • Enhanced education and training.

  • Communication between LEAs and CASPs.

  • Improving cross-border cooperation.

This chapter concludes with a discussion on the challenges of restricting North Korea’s access to illicitly acquired crypto assets, which are used to fund its WMD programme and pose a significant threat to international security.

Enhanced Education and Training

Interviews held with SMEs indicate that LEAs should be trained on asset tracing, including understanding the limitations of blockchain analytics tools and how to circumvent them, pre-seizure planning, asset storage and managing the volatility of seized crypto assets. These elements are discussed below.

Asset Tracing

As discussed in Chapter I, blockchain analytics tool attributions vary between vendors, and criminal attributions may slightly vary between vendors based on gathered intelligence. Currently, efficiently resourced authorities resolve the issue of data variations by having access to different blockchain analytics tools to cross-check and complement information. However, resource constraints make this solution challenging for some jurisdictions. An expert identified that a potential solution to this problem may be having a multi-jurisdictional LEA to retain a list of criminal attributions linked to crypto-asset addresses fed into vetted blockchain analytics tools. Another expert challenged this solution, stating that blockchain analytics companies spend many hours collecting needed attributions. As such, the designated authority for identifying criminal attributions may not have the resources or the capacity to develop a model similar to blockchain analytics tools. Instead, a partnership can be formed. For example, a regional agency, such as FATF-style regional bodies, may partner with blockchain analytics tools to support guidance to small or medium-sized VASPs on attributions of significant concern, such as those linked to terrorism or PF.

Authorities tracing crypto assets need to understand when blockchain analytics tools attribute an address held at a CASP, as it may be tied to an omnibus customer account, which is an account that contains a portion of multiple customers’ funds. Therefore, authorities should take one “hop” or trace back on the blockchain from the omnibus customer account and provide that address and other relevant transaction information to the CASP when requesting information. Law enforcement can also provide the name and identification number of the suspect to the CASP to cross-check accounts. In addition, when requesting funds, law enforcement can request the CASP to provide the internal identification number linked to the customer’s funds in the pooled wallet. This allows them to receive a court order to target that specific number rather than the entire omnibus account. This way, the CASP can comply without affecting other customers’ assets or disrupting its business.

Pre-Seizure Planning

Chapter I discussed challenges associated with storage methods for securing virtual assets (VAs). The storage of seized assets by law enforcement needs to be identified within the pre-seizure planning process. Variations of this process exist, ranging from law enforcement setting up an account at a third-party exchange (vetted as per internal procurement policy and processes) to authorities retaining their own private keys in a self-hosted wallet.

To seize assets, authorities typically partner with a third-party service provider or set up a hardware or software wallet at an early stage, engaging all key stakeholders within the organisation. Although these stakeholders vary between jurisdictions, they can include law enforcement officers conducting a search with a warrant, a manager or higher-level officer, and potentially the prosecutor’s office. This planning process prepares law enforcement to seize an asset during a search or a trace to a CASP. Secure custody processes must be in place, with the ability to switch custody of the crypto asset if the third-party provider can no longer act as a custodian or if law enforcement is ordered to transfer the assets.

In addition, it is imperative to ensure that custody methods are flexible, as some assets may not be supported by the selected platform or hardware wallet. Planning for such a contingency prevents having to go through a new procurement process under such circumstances. Furthermore, law enforcement needs to be aware of risks associated with sweeping wallets (during seizure) that contain malware and what to do to prevent this.

For hardware wallets containing seized assets, as part of the pre-seizure planning, a standard property management process needs to be put in place, as one would set up for any criminal case and investigation. This entails having secure property areas in various locations around the country that can receive hardware wallets at any time of day. The hardware wallet needs to be treated like cash: in a safe in the property management room, with secure access, CCTV, swipe cards to get in and out of the room, and access logs. Access must be verified and supervised, with nobody going to the safe on their own. There should always be at least two people for verification. In addition, the overall process needs to be audited as per the relevant internal procedures.

Alternatively, when law enforcement decides to partner with a CASP and set up a police account to store seized assets at the centralised entity, the procurement process needs to be respected with robust due diligence. This includes assessing: whether the entity is regulated and audited; where it operates; what its client base is; whether there is any adverse media associated with its owners, partners or operations; whether it has robust cyber security controls in place; and whether it has insurance in case of a hack or bankruptcy.

In turn, CASPs acting as the custodian should have a process in place to ensure that they are indeed holding the asset on behalf of law enforcement. For instance, this may be through confirmation by the relevant judge or review of relevant court orders. Verifying this information is necessary, as it avoids accusations of bias and enables third parties to carry out Know Your Customer (KYC) obligations in respect of provenance of funds. Similarly, CASPs should ensure that their platforms can hold crypto assets that are generally considered of a higher risk to financial crime, such as privacy coins. Sign-off should be obtained by relevant stakeholders, such as the board, the general counsel, the chief risk officer and/or the ML reporting officer.

Under circumstances where no pre-seizure planning has been done, senior management must ensure that law enforcement can seek support to seize crypto assets. Management should communicate and socialise the contact details of experts with practical crypto-asset recovery experience who can easily be reached at any time and provide support. This can be communicated at a local level or through Interpol and Europol. Such an expert, either from the private sector or law enforcement, provides a walkthrough to agents who do not know how to receive funds or who are not acquainted with the seizure process.

To avoid potential issues associated with procurement, one jurisdiction developed its own software to store seized crypto assets, citing that the process is simple with the right technical expertise. Each jurisdiction should evaluate its current situation to determine the level of knowledge on the use of crypto assets when assessing the right storage approach.

Storage of Crypto Assets

It is critical for authorities to assess the benefits and risks of the storage model used for seized assets. The options discussed by SMEs are multi-signature and multi-party computation (MPC) wallets. Multi-signature allows for multiple authorities to sign a transaction before it is executed. Alternatively, MPC allows for multiple authorities to receive a share of a single private key. When the solution is identified, authorities need to configure controls, checks and balances to ensure a transparent and auditable process.

Jurisdictions should consider a separation of responsibility for government-controlled wallets, which can vary based on the size and type of the case. For example, one interviewee noted that with a multi-signature option of needing two out of three authorisations for transactions, these three individuals may sit in three different teams. By requiring multiple stakeholders, concerns over compromise by a corrupt public sector official can be reduced and the overall auditability of the recovery process can be improved. Along with defining responsible authorities, jurisdictions need to consider how to store the device or private key(s) to mitigate risks stemming from an insider threat or technical failure.
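The two-out-of-three control described above can be sketched as follows. This is an added illustration, not taken from the guide or from any agency's system: a transfer is released only when two valid approvals come from different teams, each approval is bound to the exact amount and destination, and every decision is written to a hash-chained audit log. HMAC tags stand in for real wallet signatures, the distinct-team rule and the destination allow-list are assumptions, and all names, keys and addresses are constructed placeholders.

```python
import hashlib
import hmac
import json
from dataclasses import asdict, dataclass

GENESIS = b"\x00" * 32


@dataclass(frozen=True)
class Approver:
    name: str
    team: str
    key: bytes  # stand-in for signing key material held on the approver's own device


@dataclass(frozen=True)
class Transfer:
    case_ref: str
    asset: str
    amount: str  # native units as a string, so no float rounding
    destination: str

    def digest(self):
        return hashlib.sha256(json.dumps(asdict(self), sort_keys=True).encode()).digest()


def approve(approver, transfer):
    """Approval tag bound to the exact transfer (amount and destination included)."""
    return hmac.new(approver.key, transfer.digest(), hashlib.sha256).digest()


class AuditLog:
    """Append-only log; each entry commits to everything recorded before it."""

    def __init__(self):
        self.entries = []

    def append(self, event):
        prev = bytes.fromhex(self.entries[-1]["chain"]) if self.entries else GENESIS
        body = json.dumps(event, sort_keys=True).encode()
        self.entries.append({"event": event, "chain": hashlib.sha256(prev + body).hexdigest()})

    def verify(self):
        prev = GENESIS
        for entry in self.entries:
            body = json.dumps(entry["event"], sort_keys=True).encode()
            prev = hashlib.sha256(prev + body).digest()
            if prev.hex() != entry["chain"]:
                return False
        return True


class ReleasePolicy:
    def __init__(self, approvers, threshold, allowed_destinations):
        self.approvers = {a.name: a for a in approvers}
        self.threshold = threshold
        self.allowed = set(allowed_destinations)
        self.log = AuditLog()

    def authorise(self, transfer, approvals):
        """approvals maps approver name -> tag. True only if the whole policy is met."""
        reasons = []
        if transfer.destination not in self.allowed:
            reasons.append("destination not pre-approved")
        teams = {}
        for name, tag in sorted(approvals.items()):
            approver = self.approvers.get(name)
            if approver and hmac.compare_digest(tag, approve(approver, transfer)):
                teams.setdefault(approver.team, name)  # one counted approval per team
        if len(teams) < self.threshold:
            reasons.append(f"{len(teams)} valid approvals from distinct teams, "
                           f"need {self.threshold}")
        self.log.append({"transfer": asdict(transfer), "counted": sorted(teams.values()),
                         "authorised": not reasons, "reasons": reasons})
        return not reasons


# Constructed sample data: names, teams, keys and addresses are placeholders.
APPROVERS = [
    Approver("officer-a", "investigations", b"constructed-key-a"),
    Approver("officer-b", "asset-management", b"constructed-key-b"),
    Approver("officer-c", "prosecution-liaison", b"constructed-key-c"),
]
AGENCY_WALLET = "AGENCY-WALLET-ADDRESS-PLACEHOLDER"
SEIZURE = Transfer("CASE-0001", "BTC", "1.25000000", AGENCY_WALLET)


def demo():
    policy = ReleasePolicy(APPROVERS, threshold=2, allowed_destinations=[AGENCY_WALLET])
    a, b, _ = APPROVERS
    tags = {a.name: approve(a, SEIZURE), b.name: approve(b, SEIZURE)}
    ok = policy.authorise(SEIZURE, tags)
    # Approvals collected for the original transfer, replayed with a changed destination.
    redirected = Transfer("CASE-0001", "BTC", "1.25000000", "PERSONAL-WALLET-PLACEHOLDER")
    replay = policy.authorise(redirected, tags)
    single = policy.authorise(SEIZURE, {a.name: tags[a.name]})
    return ok, replay, single, policy.log.verify(), policy


if __name__ == "__main__":
    print(demo()[:4])
```

Refused attempts are logged alongside approved ones, so an auditor sees the redirected transfer even though it never executed.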

Managing the Volatility of Seized Crypto Assets

As noted in Chapter I, jurisdictions face an operational challenge regarding the price volatility of crypto assets. Similar to assets, such as cars or live animals, that require maintenance, the highly volatile nature of crypto assets requires management. This is essential to avoid liability with individuals whose assets were seized and then returned after experiencing severe devaluation.

Case Study 1: Sweden Returning Funds to an Illicit Actor

Sweden faced a value retention challenge following the seizure of 36 Bitcoin from a drug dealer. At the time of prosecution, the Bitcoin’s total value was approximately $150,000. By the time the Swedish Enforcement Authority was able to auction the Bitcoin, its value had risen substantially. As a result, only three tokens needed to be auctioned to recover the original seized value. However, because the authorities recorded the value in fiat currency rather than Bitcoin, the drug dealer was entitled to the remaining 33 Bitcoin. To prevent such outcomes in the future, seizures should be recorded in their original value rather than the fiat equivalent.

Source: Jamie Crawley, “Sweden’s Government Forced to Return $1.5M in Bitcoin to Drug Dealer: Report”, CoinDesk, 20 August 2021, last updated 14 September 2021.

To combat price volatility, authorities can sell seized assets in separate auctions. In the US, stipulations for interlocutory sales can be granted to auction seized assets prior to the conclusion of the formal forfeiture process. However, experts indicate that there is no one-size-fits-all approach when it comes to deciding whether assets should be converted to fiat money or not. Some jurisdictions have a senior legal officer, appointed by the court, who is empowered to make any decisions related to the asset. Other jurisdictions seek to convert the assets immediately, provided they have the defendant’s permission. If this is not granted, law enforcement makes an application to the court to convert the asset. In countries such as the Netherlands, assets are converted within a three-month period unless an exception is granted.

Communication Between LEAs and CASPs

Transparent and smooth communication between LEAs and CASPs is fundamental to effective asset recovery. Authentication of relevant parties as well as clear, precise and complete data requests and data provision are key to successful communication.

Authentication

For law enforcement, when funds are traced to a centralised entity, they must confirm that they are in contact with the correct individual at the company. It is also important for authorities to ensure the correct legal entity is identified and regularly updated, especially when global company structures and data controllers change frequently. Cross-border forums exist between law enforcement across jurisdictions to share information about the correct contacts at CASPs to ensure a relatively swift response. However, some jurisdictions may not have access to these information-sharing groups, requiring authorities to create their own contact list or purchase third-party software to obtain this information.

In any case, it is critical that law enforcement updates contact information for CASPs every year. This database should include CASP details, such as the physical address, email address and specific legal documents required to request information or freeze an asset. Regular updates are necessary as CASPs change their place of domicile. When an investigation into misconduct occurs, law enforcement must have this information on hand to ensure a timely response.

However, CASPs need to ensure that the authority reaching out with a request for information or freeze order is legitimate and not an individual falsifying identification. To verify this, CASPs may request identification or a letter from the commissioner. One interviewee suggested that a verification system is required for law enforcement from a multi-jurisdictional or international organisation to avoid sharing personally identifiable information with medium- or high-risk CASPs.

Requesting Data from CASPs

If funds are traced to a CASP and a request for information is issued, law enforcement needs more than an email address provided by the entity. In the best-case scenario, the CASP can provide account information, such as KYC. To further the investigation, authorities – with legal grounds to do so – can request the following information from CASPs, with the caveat that the CASP may or may not have access to the information, depending on the resources available:

  • KYC information, including an identification number.

  • Internal transactions by the customer.

  • Deposits and withdrawal information in fiat and crypto assets.

  • Crypto-asset types held by the customer.

  • Customer access logs.

  • Other customer accounts tied to the customer.

  • Amount of crypto assets held by the customer.

  • Beneficiary information on transactions by the customer.

  • Associated bank account information for the customer.

  • IP address or geolocation data to determine variation in the customer’s location.

  • Data related to the integration of cookies:

    • Device(s) used by the customer.

    • The language used by the customer in the browser or application.

  • Phone number and email address.

As with requests to financial institutions, one expert interviewed explained that any interaction between law enforcement and CASPs needs to be submitted in a non-editable document. For example, if a letterhead is included in a Word document submitted when requesting information, this document could be altered and potentially used for fraudulent purposes. However, another expert noted that only the official legal document from the prosecutor’s office needs to be in PDF format. If crypto-asset transaction details are provided in PDF formats – whether to the CASP or law enforcement – rather than an editable format, the investigation may be slowed.

In the freeze letter, law enforcement can ask the CASP to freeze the suspect’s claim of the funds in the omnibus customer account held by the company, restrict the trading and withdrawal functions of the suspect’s account, or impose full restrictions on the suspect’s access to the account. The threshold for this request is at the discretion of law enforcement and typically depends on the severity of the situation, such as involvement in sanctions evasion. However, an evidentiary threshold must be met to request the freeze, as CASPs face significant risks in carrying out this process, including the potential breach of the terms and conditions provided to their customers.

CASPs have different processes for cooperation with law enforcement and sometimes adapt the approach over time. Some offer a courtesy freeze period for law enforcement, so authorities have ample time to get the necessary legal order. For example, if law enforcement reaches out with evidence, the exchange may voluntarily freeze the account for seven days.

This courtesy period was longer in the past, but was reduced due to delays in law enforcement’s response with a freeze letter. Nonetheless, for cooperative CASPs, this voluntary freeze period can be extended if law enforcement provides further evidence. Notably, law enforcement may ultimately require more time to obtain the necessary legal order, especially if subject to the MLA process.

In practice, if law enforcement reaches out to a cooperative CASP about an urgent matter and provides sufficient evidence, the CASP can disable the trade and withdrawal functions to review the account. Alternatively, the CASP can disable the withdrawal function and enable an additional KYC check for a soft freeze of the account.

Providing Data to LEAs

CASPs respond to information requests from LEAs, provided they comply with local legal requirements and are accompanied by the seizure warrant. Some CASPs with highly experienced in-house investigators may request details about the type of suspected crime and any supporting evidence, but law enforcement may push back to avoid compromising the investigation.

When providing the data requested by law enforcement, observed practice is to have a pre-designed Excel spreadsheet (PDFs make data extraction and manipulation difficult) that documents the following information in separate tabs:

  • Transactions in fiat money and crypto assets.

  • Transactions performed on the CASP platform internally.

  • All asset types held by the suspect.

  • All products and services that the suspect has purchased (for example, futures, derivatives).

  • Deposits.

  • Withdrawals.

  • KYC information.

Some jurisdictions have platforms that enable CASPs to submit information electronically. These platforms provide pre-documented options, such as drop-down menus, making it easier for CASPs to submit the necessary information and streamlining the process for both LEAs and CASPs.

Improving Cross-Border Cooperation

As explored in Chapter I, a key challenge is the MLA process, which SMEs have labelled as outdated in light of fast, borderless crypto operations. Experts interviewed explained that the Camden Asset Recovery Inter-Agency Network reinforces cross-border cooperation and information exchange. This informal inter-agency network supports law enforcement and judicial practitioners in member jurisdictions throughout the asset recovery process.

Another example of best practice is investigators collaborating across jurisdictions on cases. In these instances, each country takes the lead on gathering information in its own jurisdiction and shares relevant data through secure channels.

There are few additional examples of best practice, despite SMEs being open to exploring avenues to enhance cross-border cooperation. Some experts suggested that a centralised digital repository, where all prosecutors across multiple jurisdictions can send requests, would be beneficial. However, they noted that this would require the creation of a central authority to prioritise requests.

Another expert suggested the creation of a private sector-funded joint taskforce of investigators, prosecutors and law enforcement from multiple jurisdictions with the sole purpose of tackling crypto crime. To avoid the need for multiple MLAs, one country would be designated as the lead. Again, the challenge here would be developing terms of reference relating to funding, structure and staffing, along with criteria and indicators to determine the prioritisation of cases. Indeed, each jurisdiction would have different areas of interest and focus. For instance, should a jurisdiction investigate one contract killing paid for with $10,000 in crypto assets, or should it focus instead on investigating related crypto scams, which have lower individual losses but affect a larger number of victims?

Finally, although the focus of asset recovery is on the seizure of crypto assets from organised crime groups and other non-state-based actors, the international community is increasingly aware that it is key to impeding North Korea’s WMD programme. The following section considers related challenges.

Case Study 2: Luxembourg Coordination with Foreign Financial Intelligence Unit

In its December 2020 sectoral VA risk assessment, Luxembourg provided a case study based on a request from a foreign financial intelligence unit (FIU) involving suspected terrorism and TF. The suspect, with known offences for drug trafficking and associations with terrorist groups, had converted approximately €7,500 into Bitcoin and transferred the funds to an address linked to a terrorist cluster.

According to the case study, “multiple addresses had links to a Luxembourgish entity”. To further the investigation, the country’s own FIU requested information from the entity to determine the beneficiary of the transfers related to the terrorist cluster. As a result of this information, the FIU identified an additional individual who was initially unknown to the foreign FIU.

In addition to reaching out to this entity with links to multiple addresses, the Luxembourg FIU requested information from other reporting entities that it believed held further information on the suspects. This action resulted in the identification of additional accounts linked to the suspects that had yet to be used.

Coordination with the foreign FIU provided additional accounts that had links to darknet markets and potentially drug trafficking.

Source: Government of the Grand Duchy of Luxembourg Ministry of Justice, “ML/TF Vertical Risk Assessment: Virtual Asset Service Providers”, December 2020, p. 27.

Restricting Access to Proliferating States

The international community is increasingly aware of the exploitation of crypto assets and CASPs by proliferating states to generate revenue and evade sanctions. North Korea’s cyber-criminals, for example, are estimated to have generated $3 billion in revenue from cyber attacks on crypto-related companies between 2017 and 2023. Accordingly, crypto-asset seizure is not just a matter of depriving criminals of their profits; it restricts North Korea’s access to an important source of revenue that can potentially support the purchasing of goods or services to advance its WMD programme.

Interviewees indicated that an additional challenge faced by CASPs is identifying activity linked to North Korea in real time. North Korea “moves so much money that it will not necessarily use good obfuscation techniques”, one expert noted. “However, it is very good at structuring cash out and doing it fast. We know what North Korea will do but we don’t know when and where”.

For example, North Korea-linked individuals, similar to criminal organisations and other illicit actors, can set up or acquire multiple accounts at exchanges – often through illicit means – to convert crypto assets into fiat currency. In the Axie Infinity theft (see Case Study 3), where North Korean cyber-criminals stole approximately $600 million from the Ronin Network, the former CEO of Binance noted that individuals laundering the funds sent a portion to Binance, spreading it across 86 accounts at the exchange.

Notably, when blockchain analytics tools attribute an address to illicit actors, retrospective alerts will be generated. Thus, with new intelligence, the CASP’s internal controls detect all past related transactions and an alert is raised. Once a suspicious activity report is submitted, it can further financial investigations into North Korean sanctions evasion activity. However, there remains a challenge in converting intelligence into evidence for financial investigations related to PF or sanctions evasion.
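The retrospective alerting described above can be illustrated with a small screening routine. This is an added example, not a CASP's or vendor's actual control: stored transactions are indexed by counterparty address, a newly received attribution raises alerts on all past matches exactly once, and later transactions to the same address alert in real time. The class, field names, labels and addresses are constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Tx:
    tx_id: str
    account_id: str    # CASP's internal customer identifier
    direction: str     # "deposit" or "withdrawal"
    counterparty: str  # on-chain address on the other side
    asset: str
    amount: Decimal


def norm(address):
    """0x-prefixed hex addresses compare case-insensitively; other formats
    (for example base58) are case-sensitive and are compared exactly."""
    a = address.strip()
    return a.lower() if a.lower().startswith("0x") else a


class RetrospectiveScreener:
    def __init__(self):
        self.by_address = defaultdict(list)  # normalised address -> stored transactions
        self.attributions = {}               # normalised address -> (label, source)
        self.alerted = set()                 # tx_ids that already produced an alert

    def _alert(self, tx, kind):
        if tx.tx_id in self.alerted:
            return None
        self.alerted.add(tx.tx_id)
        label, source = self.attributions[norm(tx.counterparty)]
        return {"tx_id": tx.tx_id, "account_id": tx.account_id, "asset": tx.asset,
                "amount": tx.amount, "label": label, "source": source, "kind": kind}

    def record(self, tx):
        """Store a transaction; alert at once if the address is already attributed."""
        addr = norm(tx.counterparty)
        self.by_address[addr].append(tx)
        return self._alert(tx, "real-time") if addr in self.attributions else None

    def ingest_attribution(self, address, label, source):
        """New intelligence arrives: re-screen every stored transaction for it."""
        addr = norm(address)
        self.attributions[addr] = (label, source)
        alerts = [self._alert(tx, "retrospective") for tx in self.by_address.get(addr, [])]
        return [a for a in alerts if a]


def exposure_by_account(alerts):
    """Total alerted amount per customer account and asset, for case triage."""
    totals = defaultdict(lambda: defaultdict(Decimal))
    for a in alerts:
        totals[a["account_id"]][a["asset"]] += a["amount"]
    return {acct: dict(assets) for acct, assets in totals.items()}


# Constructed sample data: none of these addresses or accounts are real.
HEX_ADDR = "0x" + "ab12" * 10
HEX_ADDR_MIXED_CASE = "0x" + "Ab12" * 10
OTHER_HEX = "0x" + "cd34" * 10
BASE58_STYLE = "1ConstructedExampleAddressXXXXXXXX"


def build_sample():
    s = RetrospectiveScreener()
    for tx in [
        Tx("t1", "C-1001", "deposit", HEX_ADDR, "ETH", Decimal("1.5")),
        Tx("t2", "C-1001", "withdrawal", HEX_ADDR_MIXED_CASE, "ETH", Decimal("0.5")),
        Tx("t3", "C-2002", "deposit", OTHER_HEX, "ETH", Decimal("2")),
        Tx("t4", "C-2002", "deposit", BASE58_STYLE, "BTC", Decimal("0.1")),
    ]:
        s.record(tx)
    return s


if __name__ == "__main__":
    screener = build_sample()
    hits = screener.ingest_attribution(HEX_ADDR_MIXED_CASE, "constructed-cluster", "vendor-A")
    print([h["tx_id"] for h in hits], exposure_by_account(hits))
```

Because different vendors may attribute the same address at different times, the `alerted` set keeps a second feed from re-raising alerts that are already under review.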

Case Study 3: The Axie Infinity Case

In 2022, Axie Infinity, a strategy game built on the Ronin blockchain that facilitates the transfer of assets and liquidity, lost $650 million due to a hack carried out by North Korea-sponsored cyber-criminals known as the Lazarus Group. In the hours following the heist, the hackers swiftly moved the stolen assets, switched wallets and divided the assets across multiple wallets, exchanging them for other crypto assets. The operation was described as highly choreographed, with assets transferred at timed intervals into mixers, including Tornado Cash, which has since been sanctioned.

Investigators followed the stolen assets and waited for North Korea to off-ramp them at centralised exchanges. Once this happened, the team reached out to relevant CASPs, asking them to put a temporary hold on the accounts. They then contacted the FBI to obtain US government-issued warrants to freeze the crypto assets.

In a 2023 podcast, Erin Plante, a Chainalysis investigator who led the investigation, explained that a number of exchanges initially would not respond to their requests. Eventually, conversations with exchanges became easier once CASPs had greater awareness of the investigation. She stated that “these seizures would not have been possible without collaboration across the public and private sectors”.

Overall, the US government recovered $30 million. Recently, the Norwegian authorities announced they had recovered almost $6 million.

Sources: NPR, “How to Launder $600 Million on the Internet”, Planet Money podcast, 15 September 2023; Wahid Pessarlay, “Law Enforcement Agencies Recover $30M Worth of Assets from North Korean Hackers”, Coingeek, 13 September 2022; Jim Haastrup, “Axie Infinity Gets Back $5.7 Million Stolen in Ronin Hack”, Voice of Crypto, 9 June 2024.

In addition, to restrict North Korea’s access to stolen funds, public-sector-led initiatives whereby an address is made public to provide the entire crypto-asset industry with the opportunity to help law enforcement may be a useful tool. The Norwegian National Authority for Investigations and Prosecution of Economic Crime publicises VA addresses linked to criminal proceeds and requests individuals and companies that receive funds from the published address to withhold them and contact the police. In a similar manner, the FBI has released a number of North Korean-controlled VA addresses that are linked to stolen assets. The publicisation of cryptocurrency addresses attributed to North Korean cyber-criminals might be worth considering within the newly developed multinational team to monitor sanctions enforcement.

An interviewee suggested that, to identify North Korean accounts, CASPs could review existing KYC data linked to the country to better understand account profiles. This could include analysing factors such as the device(s) used by the customer and language settings in the browser or application.

Case Study 4: Harmony’s Horizon Bridge

In June 2022, the Lazarus Group exploited Harmony’s Horizon cross-chain bridge, stealing an estimated $99.6 million worth of crypto assets. Investigators from a blockchain analytics firm traced the funds through the Tornado Cash mixer and monitored them for movement. According to Elliptic, investigators identified that the funds moved through complex chains of transactions to exchanges, which they promptly notified so the assets could be frozen and the accounts suspended.

Binance and Huobi (another cryptocurrency exchange), in return, froze accounts with approximately $1.4-million worth of crypto assets from the hack.

Source: Elliptic, “Elliptic Collaborates with Binance and Huobi to Freeze Lazarus Group Hack Proceeds”, 14 February 2023.

Conclusion

This guide aims to support less crypto-mature jurisdictions by identifying the challenges faced by law enforcement agencies and CASPs in the crypto-asset recovery lifecycle. It also documents existing practices and observed strategies to address these challenges.

The challenges highlighted by SMEs during the research for this guide include:

  1. Legislative and supervisory uncertainty.

  2. Difficulties with international coordination and cooperation.

  3. Limited education and training relating to asset tracing, confiscation and storage.

The strategies and best practices outlined in this guide focus on:

  • Enhancing education and training on asset tracing, pre-seizure planning, storage and volatility management.

  • Improving and clarifying communication formats between LEAs and CASPs.

  • Strengthening cross-border cooperation beyond the MLA process.

Once implemented, this guide will help less crypto-mature jurisdictions recover crypto assets more effectively and prevent illicit actors from cashing out criminal crypto assets. It serves as a useful starting point for jurisdictions to identify the next steps in strengthening their crypto-asset recovery frameworks, addressing gaps proactively and limiting the impact of ML, PF and sanctions violations on the international community.


Noémi També is an Associate Fellow at RUSI’s Centre for Finance and Security and an independent financial crime consultant, published author, researcher and trainer.

Allison Owen is an Associate Fellow at RUSI’s Centre for Finance and Security. Her primary research projects focus on the policy and security dimensions of cryptocurrency and new payment methods.

Maria Nizzero is a Research Fellow at RUSI’s Centre for Finance and Security. Her research examines the UK and global financial crime landscape, asset recovery and sanctions, and the foreign policy dimension of illicit finance.
