It is challenging for law enforcement to track down and trace illicit activities conducted through digital currencies. The process can be very time- and resource-intensive.  Further, securing charges and arrests, and subsequent convictions, often requires the strong support of traditional sources of evidence, such as fact witness testimony and electronic communications.  Nonetheless, blockchain analytics is a key component of the government’s ability to pursue such cases.

On March 12, a jury in the United States District Court for the District of Columbia found Roman Sterlingov guilty on charges of money laundering conspiracy, so-called “sting” money laundering, operating an unlicensed money transmitting business, and violations of the D.C. Money Transmitters Act.  We blogged about the initial criminal complaint issued against Sterlingov here.  Sterlingov allegedly laundered $400 million through Bitcoin Fog, a bitcoin mixing service which can be used to obscure the origins of cryptocurrency transactions. 

Shortly before the trial and guilty verdicts, the Court issued an order addressing the admissibility of expert testimony related to blockchain analysis software under the factors established by the Supreme Court’s decision in Daubert v. Merrell Dow Pharmaceuticals, Inc. to assess the reliability of expert testimony under Federal Rule of Evidence 702.  This blog post focuses on that order.

Specifically, the Court addressed proprietary software used by the private digital asset forensic firm Chainalysis, Chainalysis Reactor (“Reactor”), and whether expert testimony by witnesses propounded by the government – Luke Scholl (“Scholl”) from the FBI, and Elizabeth Bisbee (“Bisbee”) from Chainalysis – could rely upon Reactor under Daubert. Reactor is software used to dissect bitcoin transactions, utilizing techniques like co-spend analysis to connect multiple addresses to a single entity. The defense raised significant concerns about the reliability of Reactor.

The Court found the expert testimony admissible under Daubert.  Importantly, the Court also noted that while Reactor was important to the government’s case, it was not the sole basis for the prosecution’s theories. Other evidence, such as materials found in Sterlingov’s possession, online forum posts, IP analyses, and traditional blockchain tracing, also supported the prosecution.

The Court’s decision has potentially significant implications for future cases involving cryptocurrency transactions and digital currency-related crimes. It establishes a precedent regarding the potential admissibility of evidence derived from such software tools and underscores the evolving challenges and complexities of investigating financial crimes in the digital age.

Bitcoin and Reactor

Bitcoin relies on cryptographic protection and a peer-to-peer network for transactions. Simplifying greatly, Bitcoin transactions involve a sending address, a receiving address, and a private key. These transactions are recorded on the blockchain, a decentralized and public ledger. Each address is associated with a public key derived from a private key, with transactions forming a chain that can be verified through digital signatures. When a transaction occurs, it must include the amount of bitcoin, the sending and receiving addresses, and the sender’s public key. The government’s experts in this case used Reactor to identify over 900,000 addresses associated with Bitcoin Fog, and traced substantial amounts of Bitcoin transactions to and from Sterlingov, as well as several darknet market sites.

As the Court explained, Reactor operates using three primary heuristics. A “heuristic” refers to a computational function or technique used to solve problems or make decisions based on available information. It is essentially a method for finding a solution that might not be perfect but is practical and efficient. Heuristics are used to cluster cryptocurrency addresses by identifying patterns or characteristics in the blockchain data that suggest they are controlled by the same entity. These heuristics help identify relationships between addresses and attribute them to specific entities or activities. This is critical for tracing, because knowing that a crypto transaction involved a certain address does not reveal specifically who is associated with that address.

The first heuristic, known as Heuristic 1, relies on the co-spend or common spend feature of the blockchain, where multiple input addresses are used in a single transaction. This heuristic assumes that multiple addresses funding a single transaction are controlled by a single entity, because sharing private keys among different entities is highly unlikely.

The second heuristic, Heuristic 2, observes and tracks specific on-chain behaviors and patterns unique to individual entities, allowing for the clustering of addresses based on these patterns.

The third heuristic, Heuristic 3, utilizes off-chain information obtained from sources such as data leaks, court documents, and exchanges to attribute addresses to specific entities.
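Heuristic 1 can be made concrete with a short sketch, added here as an illustration; it is not Chainalysis code, does not come from the Court's order, and makes no claim about how Reactor is implemented. The transactions and address names are constructed, and the union-find structure is an assumed way to implement co-spend clustering, chosen because it shows how clusters grow transitively while recipients are never merged with senders.

```python
from collections import defaultdict

# Constructed sample data: each transaction lists the addresses that funded it
# (inputs) and the addresses that received funds (outputs). Not real addresses.
SAMPLE_TXS = [
    {"txid": "tx1", "inputs": ["addrA", "addrB"], "outputs": ["addrX"]},
    {"txid": "tx2", "inputs": ["addrB", "addrC"], "outputs": ["addrY"]},
    {"txid": "tx3", "inputs": ["addrD"], "outputs": ["addrA", "addrZ"]},
    {"txid": "tx4", "inputs": ["addrE", "addrF"], "outputs": ["addrD"]},
]


class UnionFind:
    """Disjoint-set structure: each set is one presumed controlling entity."""

    def __init__(self):
        self.parent = {}

    def find(self, addr):
        self.parent.setdefault(addr, addr)
        while self.parent[addr] != addr:
            # Path halving keeps lookups fast on long chains.
            self.parent[addr] = self.parent[self.parent[addr]]
            addr = self.parent[addr]
        return addr

    def union(self, a, b):
        root_a, root_b = self.find(a), self.find(b)
        if root_a != root_b:
            self.parent[root_b] = root_a


def cluster_by_cospend(txs):
    """Group addresses that ever funded the same transaction together."""
    uf = UnionFind()
    for tx in txs:
        inputs = tx["inputs"]
        for addr in inputs:
            uf.find(addr)  # a lone spender still forms its own cluster
        for other in inputs[1:]:
            uf.union(inputs[0], other)  # co-spent inputs share one controller
        # Outputs are deliberately not merged: receiving funds from an entity
        # says nothing about who controls the receiving address.
    clusters = defaultdict(set)
    for addr in uf.parent:
        clusters[uf.find(addr)].add(addr)
    return sorted(sorted(c) for c in clusters.values())
```

On the constructed data, `addrA`, `addrB` and `addrC` end up in one cluster even though `addrA` and `addrC` never appear in the same transaction, while `addrD` stays separate despite paying `addrA`.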

Legal Standards

Rule 702 governs the admission of expert testimony.  Criteria under Rule 702 include demonstrating that the expert’s knowledge will aid the trier of fact in understanding the evidence or determining a fact at issue; ensuring the testimony is based on sufficient facts or data; confirming the testimony relies on reliable principles and methods; and ensuring the expert’s opinion reflects a reliable application of those principles and methods to the case’s facts. 

Under Daubert, four flexible factors to assess the reliability of expert testimony include whether the expert’s theory or technique has been tested; subjected to peer review and publication; has a known or potential error rate; and has gained acceptance within the relevant scientific community.

Reliability Under Rule 702(c)

The defense challenge to Reactor’s reliability focused on Rule 702(c), contending that Reactor has not been peer reviewed and has no known error rate and that, consequently, any testimony based on Reactor is not the “product of reliable principles and methods.” Despite the defense’s concerns, the Court found Reactor’s reliability supported by sufficient corroborating evidence.

The Court noted Scholl’s extensive experience as a cybersecurity specialist with the FBI and current role as the lead tracing analyst for the Department of Justice’s National Cryptocurrency Enforcement Team.  Scholl detailed his extensive use of Reactor since 2016 in various investigations, attesting to its high reliability based on real-world application.  Specifically, Scholl elucidated how Reactor’s clustering was routinely validated through legal processes, such as subpoenas to exchanges. He described a systematic process where the attribution of Bitcoin addresses by Chainalysis consistently aligned with exchange records, thereby validating Reactor’s clustering accuracy. According to Scholl, this validation, occurring on a daily basis in blockchain analysis, underscored Reactor’s reliability in attributing addresses to specific entities or activities.

Similarly, Bisbee, drawing from her former experience at the Drug Enforcement Agency and current experience at Chainalysis, emphasized Reactor’s consistent clustering accuracy across numerous investigations. According to Bisbee, Reactor’s results tend to be under-inclusive due to its conservative approach, reinforcing its reliability by erring on the side of caution.

The government offered additional corroboration of Reactor’s reliability, pointing to a confidential cooperating defendant’s review of clustered addresses. This review revealed an accuracy rate of 99.9146%, affirming Reactor’s effectiveness in attributing addresses.

Moreover, Reactor’s performance in this case was validated through undercover transactions with Bitcoin Fog, in which Reactor accurately attributed addresses, as confirmed by manual tracing conducted by Scholl. This meticulous manual tracing served as a tangible validation of Reactor’s clustering accuracy, solidifying its reliability in practical investigative scenarios.

The Court found that Reactor’s reliability was corroborated further by evidence presented by the defense. Sterlingov’s pretrial testimony, acknowledging Reactor’s accuracy in linking Bitcoin Fog to his accounts, aligned with the government’s findings, further supporting Reactor’s reliability.  Finally, the Court found that the defense had received extensive information from the government about how Reactor works and had the opportunity to verify its results.

Analysis of Daubert Factors

In a detailed analysis, the Court addressed the defense’s argument that Reactor software failed to meet the Daubert factors. The Court emphasized that the Daubert factors are not a definitive checklist and that the determination of reliability is within the trial judge’s discretion.  Ultimately, the Court deemed the government’s proffered expert evidence admissible for jury consideration, emphasizing the roles of cross-examination and potentially contrary evidence from the defense.

Regarding the first factor, the Court found that Reactor’s clustering can be and has been tested, citing examples of manual tracing and the use of competitor software, which produced similar but slightly different results, affirming the testability of Reactor’s methodology.

As to the second factor, which considers peer review and publication, the Court acknowledged Reactor itself hasn’t undergone peer review. Still, the Court highlighted the widespread academic approval of the underlying techniques, particularly noting the academic recognition of Reactor’s co-spend heuristic. Additionally, the Court found that Reactor’s unique algorithms tailored for specific cases would not naturally fit the traditional model of peer review. 

Regarding the third factor, focusing on the method’s error rate, the Court found that Reactor lacks a compiled error rate due to its conservative approach, but emphasized the absence of false positives, corroborated by clustering results from other methods.

Lastly, the Court evaluated the fourth factor, which considers general acceptance in the scientific community. The Court underscored the extensive adoption of blockchain tracing tools like Reactor in both law enforcement and business sectors, citing Chainalysis as an industry standard tool used by various government agencies and financial institutions.
