Blockchain Sleuth Says OKEx, Huobi Stonewalled Him in Child Porn Investigation

"Why would an exchange or any service in this industry that's claiming to want to do the right thing refuse to speak at all?" says CipherBlade's Rich Sanders.

AccessTimeIconMar 4, 2021 at 7:55 p.m. UTC
Updated Feb 9, 2023 at 1:18 p.m. UTC
10 Years of Decentralizing the Future
May 29-31, 2024 - Austin, TexasThe biggest and most established global hub for everything crypto, blockchain and Web3.Register Now

Fed up with what he sees as cryptocurrency firms stalling his investigations of one of the most heinous crimes imaginable, Rich Sanders is going on the record – and naming names.

The lead investigator and principal of blockchain analytics provider CipherBlade said he's used to being fobbed off by exchanges when trying to trace funds from hacks and scams. But his frustration boiled over recently when conducting an investigation into wallets linked to child sexual exploitation material (CSEM).

Firms like Sanders’ are hired by law enforcement agencies, regulators and crypto businesses trying to follow the money on nefarious cryptocurrency transactions. However, in the case of CSEM-related crypto, Sanders is conducting his investigation on a pro bono basis, that is to say, not on anyone’s behalf.

In regards to this investigation, he's publicly calling out Huobi, OKEx, both high-ranking exchanges, and a smaller outfit called MorphToken for being unresponsive and unhelpful when presented with evidence of CSEM flowing in from the dark web.

“Why would an exchange or any service in this industry that's claiming to want to do the right thing refuse to speak at all?” Sanders said. “Whether it's OKEx, Huobi, MorphToken or whoever, they're placing these barriers that are not designed to bolster data privacy nor anti-money laundering [efforts]. These things are put in place to frustrate investigators’ efforts or police efforts.”

Huobi and OKEx said they employ their own blockchain analytics tools and take a proactive approach with things like CSEM. MorphToken did not respond to requests for comment.

Around the world, a new breed of forensic investigator is illuminating the darker side of cryptocurrency using the underlying record of transactions, the blockchain, to track flows of funds – a science far less-well defined with cash.

CipherBlade CEO Rich Sanders
CipherBlade CEO Rich Sanders

While bad actors make up just a sliver of crypto transactions, detectives armed with the right tools and know-how can see criminals’ fingerprints scattered across an indelible map of blockchain transactions. Those hardened blockchain sleuths have a good idea of when exchanges – the places where criminals must ultimately go to convert or cash out funds – are taking part in what Sanders calls “compliance theater,” and paying mere lip service when it comes to assisting in investigations.

This scenario raises difficult questions. To what extent should crypto service providers be required to reveal information about their customers? Is a new approach to crypto investigations needed? Is it beneficial to call out the names of firms reputed to be less than cooperative with private blockchain investigators?

Lives on the line

To be clear: Crypto firms are under no legal obligation to cooperate with blockchain investigators such as CipherBlade. That’s a relationship these firms have with law enforcement.

“If a private party comes knocking on the door, there's certainly no obligation under U.S. law to be responsive to that private party,” said Carol Van Cleef, an attorney specializing in blockchain work at Washington, D.C., law firm Bradley Arant Boult Cummings LLP. “And, in fact, if it involves in any way nonpublic personal information, then there's an imperative not to provide that information to a non-official party.”

However, it does put an exchange that’s regulated in the U.S. and subject to the Bank Secrecy Act in an interesting position, Van Cleef added.

“It puts them on notice of potential activity and, especially when coming from a credible party, could be indicative of suspicious activity that's happening through their exchange,” she said.

Sanders said his firm does not request private information but facilitates the handoff of relevant data between exchanges and law enforcement, under appropriate legal process. Notifying firms of such suspicious activity means they can take appropriate action pending law enforcement contact, he said.

He said he can appreciate exchanges are on the receiving end of a lot of inquiries from theft victims who trace their pilfered funds using block explorer websites. But Sanders argued that CipherBlade is a known commodity in the cryptocurrency compliance world. (Sanders himself is a certified investigation partner of blockchain analytics firm Chainalysis, which provides the tools and training for the work his firm does.)

“I get hit with the same ever-shifting yardstick of information requirements from OKEx, Huobi and others when it comes to hacks and scams,” Sanders said. “It’s bad enough to be complacent when it’s people losing money, but when it comes to CSEM that’s people’s lives we’re talking about.”

Brick walls and workflows

Whether it’s CSEM or simply a scam or hack, Malta-based OKEx and Seychelles-based Huobi put up “a familiarbrick wall,” said Sanders, whereby his firm is told that local law enforcement should get in touch instead.

For its part, OKEx told CoinDesk it has an advanced risk management and know-your-customer (KYC) system, adding that the exchange also works with third-party blockchain analytics provider Elliptic.

“We have tools that flag any illicit or fraudulent activity so that we can block those addresses – whether it is child pornography, hacked funds or any other type of crime,” OKEx CEO Jay Hao told CoinDesk via email. “So, for example, say there was a child pornography site that accepted crypto as payment, the wallet address would be flagged and tracked by various tools, including ours, and we would ban any deposits coming from there.”

But Sanders argues that just having a know-your-transaction (KYT) tool like Chainalysis or Elliptic does not necessarily equal a comprehensive compliance program.

“Just having a KYT tool is not compliance; it’s compliance theatre,” Sanders said. “KYT tools are an essential part of a compliance program, but they will not have all addresses attributed and thus can not prevent all illicit/fraudulent activity. This is especially true for fresh scam/hack cases as well as CSEM as the addresses are new and will not be in a database.”

Sanders said the main difference between Huobi and OKEx, from an investigation perspective, is he has stopped bothering to email Huobi. “I would just never get responses,” he said.

A Huobi representative told CoinDesk it was likely Sanders’ email had ended up in the spam account of Compliance Officer Yanmei Bi.

“Huobi has developed an on-chain asset flow monitoring system which is used to help the police,” said Ciara Sun, vice president of global markets at Huobi Global, via email. “For the sake of protecting users’ privacy and concerns of the validity of the information provided by a third party, Huobi currently doesn’t share information [with] the third party.”

Sun said the exchange’s “ears are always open for community feedback,” and that there is a workflow mechanism and email correspondence for dealing with cases like the one Sanders has flagged.

“The word might need spreading and we will continue to improve our workflow,” Sun added.

Dark web marketing

When Sanders’ CSEM investigation in November of last year led him to Panama-based MorphToken, a no-KYC instant crypto exchange, he said the company enlisted the help of an external legal counsel to give him the brush-off.

“You could say they lawyered up,” said Sanders.

During his forays around the dark web, Sanders said he would see advertisements for MorphToken pop up from time to time.

“You're literally advertising to a target audience of criminals,” he said.

While it’s unusual for compliance pros to finger specific firms, Sanders’ overall frustrations are shared by others in the field.

Lawyers who are experienced in working with cryptocurrency service firms said there is a spectrum, with highly regulated exchanges – the Coinbases of this world – at one end, downright egregious dark web mixers at the other and various shades of gray in between.

Ryón Nixon, founding partner at boutique firm Horizons Law and Consulting, who represents a number of crypto companies, said there is a lot of ambiguity and in some cases exchanges are taking advantage of this.

“It comes down to the exchange’s sense of moral responsibility,” said Nixon in an interview. “It's not like the exchanges are evil, but turning a blind eye maybe makes good business sense.”

Pulling teeth

Similarly, major blockchain analytics firms are typically careful not to name names, but agree it’s normal for some exchanges to be less cooperative than others – even when it comes to pursuing CSEM.

“I would say it's normal for some,” said Jesse Spiro, global head of policy and regulatory Affairs for Chainalysis. “It's normal for a number of them to take a more defensive position, while at the same time doing very little, in my opinion, to mitigate that activity that is flowing through their institution.”

The recent Chainalysis crime report shows close to $1 million in CSEM transactions linked to two dark web businesses – Welcome to Video and Dark Scandal – that the firm helped law enforcement take down and bring charges against the proprietors.

“Regardless of where the operators of an exchange fall in relation to their views on privacy and data protection, and accessibility of crypto, etc., there are, I hope, very few individuals in the world that want their platform to enable human trafficking, sex trafficking, child exploitation,” Spiro said.

screen-shot-2021-03-01-at-11-36-44-am-1
Images courtesy of Chainalysis
Images courtesy of Chainalysis

CipherTrace, another well-known blockchain analytics provider (not to be confused with Sanders’ firm CipherBlade), echoed Chainalysis’ assessment.

“Though most exchanges do cooperate with law enforcement, there are some that have been less than helpful in supporting in CSEM and human trafficking investigations,” said Pamela Clegg, director of financial investigations and education for CipherTrace. The firm is collaborating with the nonprofit Anti-Human Trafficking Intelligence Initiative (ATII) to freely share blockchain evidence to combat global human trafficking, she said.

“Some exchanges are demanding waivers of responsibility from law enforcement before responding to subpoenas if they are from countries outside their regulatory jurisdiction,” CipherTrace CEO Dave Jevans added.

Tom Robinson, chief scientist and cofounder of Elliptic, agreed there is some variation between crypto exchanges in how willing they are to share data with law enforcement.

“Sometimes this is due to legal concerns, especially when it comes to sending customer data overseas,” Robinson said via email. “The trend is positive, though. As exchanges become increasingly professionalized and the regulatory environment tightens, overall they are working far more closely with law enforcement to ensure that financial crime in crypto is pursued and prosecuted.”

Fighting words

So where does this leave the likes of Sanders, who appears to be on a mission to clean up crypto?

An unfortunate side effect of the direct approach taken by Sanders is that things can quickly become acrimonious. This happened recently when CipherBlade approached Sweden-based Bitrefill, which is not an exchange but allows customers to buy a range of gift cards using cryptocurrency.

Bitrefill founder and CEO Sergej Kotliar said CipherBlade approached his company to flag some fraudulent transactions that were of low value (around $50).

“This was the first and only time Bitrefill was approached by a ‘private investigator’ requesting information from us,” Kotliar told CoinDesk. “Our policy is to not disclose anything to ‘private investigators’ unless we are requested to do so by public authorities.”

A barrage of email requests followed, which included threats to badmouth Bitrefill to regulators for having weak compliance, according to Kotliar. He responded that Bitrefill does not provide financial services and is not regulated under the same rules as cryptocurrency exchanges.

“Even though we are not an obliged entity under AML rules, we pride ourselves in going above what is required of us,” Kotliar said in an interview. This does not include using the type of KYT tools used by blockchain analytics companies, he added.

“It’s a trade-off whether to use a service like that,” Kotliar said. “It’s not all upside, despite what a company like Chainalysis might say. These tools are very inaccurate. You can get directional information but it’s not a golden solution. There is also a general question of whether it’s a good thing or not to deanonymize the network.”

Sanders said he cannot fathom why Bitrefill eschews blockchain analytics and KYT tools.

“It’s literally impossible for them to have any idea where their funds are coming from without those tools,” said Sanders. “It’s just baffling that it’s 2021 and it’s still this bad. The naivety excuse is out the window; at this point, it’s deliberate. It’s a conscious choice not to use them, which is effectively a choice to not have a compliance program.”

Call to arms?

Perhaps there’s a need for a fresh approach that might also involve governmental help. Lawyers specializing in cryptocurrency think so.

In September of last year, van Cleef gave a presentation to the Cambridge International Symposium on Financial Crime, calling for a change in the way private entities such as crypto exchanges and private investigation firms are incentivized to fight criminals. (The U.S. Treasury Department’s Financial Crimes Enforcement Network, or FinCEN, has commended companies in the virtual asset space for preparing some of the best suspicious activity reports received by the agency, van Cleef pointed out.)

“Enlist the companies to use their resources to help in investigations,” said van Cleef in her presentation. “Agree to a fixed rate or reward them for contributing to an indictment, arrest, conviction or other agreed upon result. Award them a share of what is recovered as a result of the joint effort through asset forfeiture or imposition of monetary penalties.”

Nixon of Horizons Law and Consulting said incentives are a good idea, but said cryptocurrency service firms need to try once again to come together in a concerted effort to clean up the space.

This means going above and beyond the work done by non-profit groups, said Nixon, referring to the likes of the Crypto Defenders Alliance (CDA) and the ATII.

“Maybe we need a call to arms,” he said.

Disclosure

Please note that our privacy policy, terms of use, cookies, and do not sell my personal information has been updated.

CoinDesk is an award-winning media outlet that covers the cryptocurrency industry. Its journalists abide by a strict set of editorial policies. In November 2023, CoinDesk was acquired by the Bullish group, owner of Bullish, a regulated, digital assets exchange. The Bullish group is majority-owned by Block.one; both companies have interests in a variety of blockchain and digital asset businesses and significant holdings of digital assets, including bitcoin. CoinDesk operates as an independent subsidiary with an editorial committee to protect journalistic independence. CoinDesk employees, including journalists, may receive options in the Bullish group as part of their compensation.

Ian Allison

Ian Allison is an award-winning senior reporter at CoinDesk. He holds ETH.