Cryptocurrency – The Final OSINT Frontier?

Share This Post

Unless you have been living under a proverbial rock for the past few years, you have undoubtedly heard about cryptocurrencies. Whether its Bitcoin, blockchain, NFTs…it is safe to say that cryptocurrency isn’t going anywhere, and will likely continue to assimilate into our daily lives. As somebody who has investigated cryptocurrency transactions as part of criminal cases for close to a decade, bearing witness to the evolution of the crypto emerging from the shadows of the “dark web” underworld to a society where a Bitcoin ATM is at a local gas station has been nothing short of astounding. With more platforms like CashApp, PayPal and Revolut incorporating cryptocurrencies into their payment services, as well as countries like El Salvador and Central African Republic leveraging their economic development on Bitcoin, cryptocurrencies have become a pivot point for both commerce and geopolitics.

As much as I’ll paean about the evolution of the cryptocurrency ecosystem to where it is today, one thing I feel is often overlooked is the incorporation of cryptocurrencies into OSINT. In 2021 at OSMOSISCon, I had the pleasure of hearing OSINT pioneer Arno Reuser speak about open source evolution, and the one thing Reuser said that really resounded with me was: “OSINT is a discipline”. How true that statement is! When I think of juxtaposing OSINT’s evolution to cryptocurrency evolution, I’m sure you will see as many similarities as I do. Which leads me to ask the question: Is cryptocurrency the final frontier for OSINT as we know it?

For many who do not understand cryptocurrency, they in return also don’t understand about the blockchain foundation in which cryptocurrency is built. The blockchain is public ledger, as there would be no other way to verify transactions. Even the anonymity enhanced coins, or “privacy coins”, have a form of public ledger (like Monero for example). Being viewable to the public, whether through or incorporates the first foundation of OSINT – open source. This is essential as we start to talk about NFTs (non-fungible tokens) on the Ethereum blockchain, as the ownership of the NFTs needs to be public. Attribution to individuals based on a cryptocurrency wallet address listed publicly has become more common.  And I would be remiss if I did not mention the other elephant in the room as we start to talk about cryptocurrencies and the blockchain: Web3.

Many may have heard the buzzword “web3” used in some regard, similar to the advent of cellular service providers incorporating 5G (and now 6G) networks. But, what does this all mean? And in the same respect, what does web3 have to do with OSINT? For starters, the framework of web3 is nothing new. In fact, the “dark nets” like ZeroNet, LokiNet, and IPFS have incorporated decentralized or distributed services for over 5 years now. Messaging platforms like ToxChat and Matrix have also incorporated the distributed web3 framework successfully.

While the focus of the aforementioned “dark nets” and messaging platforms is privacy for the users, the infrastructure is public. For example, ToxChat publicly lists its bootstrap nodes. The “dark net” LokiNet is built on the cryptocurrency Oxen blockchain, while ZeroNet is built on the Bitcoin blockchain, all of which is viewable and searchable. In my opinion, it is important for OSINT investigators to understand these web3 precursor networks and be familiar with them. As web3 expands, more DNS providers will shift to hosting domains on the various blockchains (see NameCoin or ENS Domains for example).

One of the famous literary quotes that comes to mind when I think of cryptocurrency, blockchain, or web3 is: “When beholding the tranquil beauty and brilliancy of the ocean’s skin, one forgets the tiger heart that pants beneath it; and would not willingly remember that this velvet paw but conceals a remorseless fang” – Herman Melville. How blockchain technology and cryptocurrency has evolved since the mysterious Satoshi Nakamoto published the white paper on digital currency in 2008 has been remarkable, but we cannot negate how it shaped the criminal underworld. What we know as dark net markets would not be able to function without cryptocurrency for transactions. As the migration from traditional cryptocurrency exchanges continues towards defi (decentralized platforms) and the incorporation of trustless swaps, as investigators we see cybercriminals taking advantage. However, similar to how OSINT helped identify Ross Ulbricht as the administrator of the Silk Road, the public ledger of the blockchain has helped attribute wallet addresses to criminal actors.

Today, you can search the Silk Road original Bitcoin wallet address on the blockchain to see exposure to other wallets. The Anti-Human Trafficking Intelligence Initiative maintains the Hades platform, which is a searchable database that has indexed previously observed cryptocurrency wallet addresses attributed to illicit activity. Blockchain analytics companies, like CipherTrace, offer tools for investigators to trace cryptocurrency transactions linking exposure to OFAC sanctioned wallets or exchanges. This is crucial in investigations either involving fraud, ransomware, or even terrorism. Dark web monitoring platform CyberSixgill can search wallet addresses and attribute to actors on the dark web, end-to-end encryption platforms like Telegram, and forums like “4Chan” or “8Kun”. With the confluence of blockchain analysis and the indexing of wallet addresses attributed to persons or entities, it is easy to see why it assimilates into the OSINT discipline.

I often hear the metaphor that OSINT is “trying to drink from a firehose”, and as humorous as that equation is, it remains a humbling truth. The adoption of cryptocurrency in global commerce, the migration towards reshaping the internet as we know to incorporate the blockchain, and the myriad of other technologic nuances create a tidal wave of open source data. While we continue to try to drink from the proverbial firehouse, or rather drink the entirety of an ocean through a straw, its my belief that we are reaching the final frontier for OSINT. Implementing cryptocurrency, blockchain technology, and web3 creates a more open internet. Are we, as investigators, prepared for this new data to digest?

Written by Keven Hendricks

More Articles


Navigating SEC Regulations In Cybersecurity And Incident Response

Free video resource for cybersecurity professionals. As 2024 approaches, we all know how vital it is to keep up to date with regulatory changes that affect our work. We get it – it’s a lot to juggle, especially when you’re in the trenches working on an investigation, handling, and responding to incidents.


BFU – Seeing is Believing

Oh no, the device is in BFU. This is the common reaction; a device needs extracting, and you find it in a BFU state. Often, there’s an assumption that a BFU extraction will only acquire basic information, but that isn’t always the case.