Are You a Victim of Crypto Crime? Good Luck Getting Help

WHEN CHRIS GOLAS called the cops to report that he had been the victim of crypto crime, he was met with total incomprehension. “People didn’t even know what I was talking about,” he recalls.

Golas, a project manager, had tried to invest using Digifox, a cryptocurrency platform founded by the influential YouTuber Nicholas Merton in 2019. The platform was plagued by technical problems, and Golas found himself unable to make swaps after depositing funds. He got error message after error message. He kept reporting the issue, and customer service representatives told him a solution was in the works. Then in April of 2022, Digifox announced that the platform would be shutting down all operations that June.

Golas did as the platform advised and immediately started trying to withdraw his funds. But he would never see that money again. “I just kept getting errors trying to get my tokens out,” he says. At first, the platform’s representatives were responsive, assuring Golas that they just needed a few more days. But months went by. Digifox stopped responding to his pleas, and the platform ultimately shuttered. All told, Golas lost about $6,000.

That was when Golas reached out to his local police department outside of Philadelphia. He felt like he was working with a blank slate, forced to use imperfect analogies to convince the police that he had been the victim of an illegal rug pull. The officer he spoke to “had heard of Madoff and all those scams, but this was really different. It’s a foreign language.” Golas “had to explain basically everything” and was not surprised when no one followed up.

While Golas’s experience of losing money to a dubious crypto venture is far from rare, his story is unusual in that he went to the police for assistance. Cybercrimes involving crypto are on the rise, but many victims don’t report them. Some of those victims may be hard-line libertarians who embrace fully decentralized solutions to crypto crime problems. But others don’t report simply because they’re skeptical that the police will have the inclination or ability to help. Some have arrived at this perspective after being unimpressed by law enforcement’s response to their previous appeals for assistance with cybercrime.

For example, comedian Hannah Trav was recently targeted by a nationwide scam involving an unnerving call from a brusque man impersonating a US Marshal. The scammer attempted to convince Trav to deposit money into a Bitcoin ATM in order to avoid threatened criminal prosecution. Trav didn’t fall for it, but she also didn’t report it to her local police department, as she had a few years ago when it appeared that someone had stolen her identity and rented a car in her name.

On that occasion, Trav says, the Philadelphia police took her statement and told her, “We have a detective who specializes in internet fraud. He’ll contact you this week.” Trav never heard from him. To get to the bottom of the matter herself, she spent hours and hours on the phone with customer service departments in different parts of the country. Her DIY investigation ultimately led her to a private airport in Florida, where she learned that the rental’s attribution to her was the result of a one-digit Hertz employee typo, not fraud after all. Weeks later, Trav received a “What to Do If Your Identity Is Stolen” pamphlet from the police department in the mail. As far as the police know, she’s still waiting for them to catch the bad guy. The episode didn’t inspire much confidence.

As platforms overwhelmed by fraud and theft begin looking to traditional law enforcement to assist with crypto crime-fighting efforts, victims may have no choice but to throw themselves at the mercy of the police, and it’s difficult to imagine the crypto crime wave subsiding any time soon if the police prove unequal to the task. Last month, the NFT platform OpenSea announced an important change to its stolen item policy. While OpenSea has previously required police reports only for “escalated” disputes involving stolen NFTs, the platform now requires anyone reporting a token stolen to produce a police report corroborating the theft within seven days. With the report, OpenSea will freeze the NFT, making it impossible for anyone to transfer the digital asset. Without the report, OpenSea will re-enable trading of the asset, potentially making it easier for bad actors to flip their ill-gotten Apes and make off with the proceeds.

Some have praised the policy change as a sensible way to cut down on the number of false reports that have led OpenSea to freeze the assets of innocent NFT holders. But the new policy also sharpens questions about whether traditional law enforcement can be effective partners in fighting crypto crime. “This new OpenSea policy exemplifies a struggle that many companies operating in the space and in big tech generally are facing, which is that they don’t have guidance,” says cybersecurity expert Leeza Garber. While OpenSea may only be turning to the police to add a level of bureaucracy to its reporting structure, those looking for real help from law enforcement are often disappointed.

Crypto crime can happen anywhere with an internet connection, and victims generally have to file police reports where they live. Had Golas tried to report his Digifox debacle to the police in a larger city with a more sophisticated cybercrime unit, he likely would have been told to go home. Timing is also an issue. Some police departments allow victims to report certain types of crimes online and will instantly provide a copy of the report. But others will produce a copy only once the report has been reviewed and approved. And the process of obtaining a police report in countries outside of the US varies widely.

Federal agencies, including the Department of Justice and Federal Trade Commission, have been ramping up efforts to go after crypto criminals. The FBI has a crypto-focused task force and operates the Internet Crime Complaint Center, but most crimes won’t be deemed high-stakes enough to warrant intervention by these agencies. Elvis Chan, FBI assistant special agent in charge of the San Francisco office’s cyber branch, says that a $7 million cryptocurrency case would generally be considered too insignificant for the FBI. “I know $7 million is a lot to me and you, but I couldn’t get an assistant US attorney to open a case on that just because they happen frequently,” Chan says. “I probably get calls on a weekly basis about that type of stuff.” (Chan does still encourage everyone to report even small-time crimes to because it provides data that can help with investigating larger criminal operations.)

These types of crimes were inconceivable just a few years ago, but the alarming number of people being harmed by them today need help. “We need to normalize cybercrime as real crime, and we need to normalize getting law enforcement involved,” says Garber. “That means better education on both the consumer end and the law enforcement end.”

The FBI is trying to do its part, but Chan says, “We’re in the crawling phase, before we even walk.” He notes that internal crypto training for the FBI’s own employees was only recently released. “In terms of a national-level training for state, local, or tribal agencies,” he says, “I know that we’re working on it. I don’t have any timeline for that, unfortunately.”

Meanwhile, in recognition of the fact that traditional law enforcement often lacks the resources and know-how to solve crypto mysteries, many government agencies are turning to private companies that hold themselves out as experts in blockchain analysis. Chan says the FBI tries not to “outsource” any of its investigative work, “because if we’re outsourcing, that means it’s another entity that would have to testify in a court of law,” and most juries are going to be more inclined to trust a special agent than an employee of some startup no one has ever heard of. Chan has agents on his team doing their own blockchain analysis, working in tandem with private platforms to trace stolen virtual assets. “At least on the federal level, I feel pretty good about our cryptocurrency tracking and analysis,” he says. But, once again, things are “not quite as firm at the state and local level.”

Those state and local entities may not have the expertise to be responsible stewards of the tools private companies are making available. And as we’ve seen with private prisons and military contractors, privatizing traditional law enforcement functions isn’t cost-free. State actors investigating crimes are subject to more stringent accountability and oversight mechanisms than private actors. Criminal defendants have raised questions about the reliability and admissibility of private blockchain analysis evidence. Legal remedies for those harmed by private security operatives are also different from those available to individuals harmed by government actors. Ultimately, profit-motivated corporations are not obligated to care about the public interest, and they are not necessarily obligated to uphold civil rights like privacy.

If local law enforcement is falling short, we need to fix law enforcement, not consign the problem to tech companies beholden to no one but their investors. Departments should start taking crimes involving even the goofiest-sounding NFTs seriously. To develop the skills they need, officers need to work these cases. Chan says his office is currently working a handful of NFT hijacking cases, even though it’s not clear they would meet the FBI’s ordinary financial damage threshold, “just because we need to get some muscle memory going on these types of cases.” Investigators at all levels should be doing the same.

Leave a comment