Episode 101: Crypto Fraud with Brett Johnson, CPA, CFE, CFF, CFI

In this season of The Data Sleuth Podcast, titled "From Numbers to Narratives," guest host Justin Burns, tackles topics including FBI Investigations, Anti-Money Laundering, Family Fraud, IRS Investigations, and more. In each episode, Justin is joined by an industry expert to help tell the story behind the numbers and explore the latest in fraud detection and prevention.

In today’s episode we discuss crypto fraud with Brett Johnson, CPA, CFE, CFF.  In this episode, Justin and Brett discuss:

·       How are crypto assets stolen?

·       Possibly (hopefully) the first time the word “fart” has been used on this podcast.

·       The investigative approach to tracing cryptocurrency.

GUEST BIO

Brett is a partner within Eide Bailly’s Fraud and Forensic Advisory Department. Brett has provided fraud detection, investigation, and prevention consulting services for more than 20 years. He has extensive experience tracing, documenting, and identifying employee fraud schemes in all industries, and has provided expert testimony in federal, state and tribal court systems. Brett also serves as an internal control consultant to help strengthen controls over assets. Additionally, he leads Eide Bailly’s cryptocurrency tracing investigations and blockchain forensic services. He has provided training on fraud investigative methods to dozens of organizations and associations across the country.

Email: bjohnson@eidebailly.com

LinkedIn: Brett A. Johnson

RESOURCES MENTIONED IN TODAY’S EPISODE

To learn more about the Data Sleuth® Dashboard for professionals, visit: datasleuths.com/pro

Order your copy of Leah’s book, Data Sleuth: Using Data in Forensic Accounting and Fraud Investigations today on Amazon!

CONNECT WITH WORKMAN FORENSICS

YouTube: @WorkmanForensics

Facebook: @wforensics

Twitter: @wforensics

Instagram: @wforensics

LinkedIn: @workmanforensics

CONNECT WITH JUSTIN BURNS, CPA, CFE

LinkedIn: Justin Burns, CPA, CFE

Transcript

Leah Wietholter:

Hi, I'm Leah Wietholter and this is the Data Sleuth Podcast. In this season of the Data Sleuth Podcast, From Numbers to Narratives, our host, Justin Burns, the director of operations for Workman Forensics, discusses a broad range of forensic accounting cases, from embezzlement and money laundering, fraud against family members, and so much more. In each episode, he's joined by an industry expert to help tell the story behind the numbers.

Justin Burns:

Thank you, Leah. I'm Justin Burns, and I'll be your host for this season of the Data Sleuth Podcast, From Numbers to Narratives. Together with some amazing guests, we'll take you beyond the spreadsheets and into the human side of fraud investigations. Let's dive in to today's episode. In today's episode of the Data Sleuth Podcast, we discussed crypto fraud with Brett Johnson. Brett is a partner within Eide Bailly's Fraud and Forensic Advisory department. Brett has provided fraud detection, investigation, and prevention consulting services for more than 20 years. He has extensive experience tracing, documenting, and identifying employee fraud schemes in all industries, and has provided expert testimony in federal, state and tribal court systems. Brett also serves as an internal control consultant to help strengthen controls over assets. Additionally, he leads Eide Bailly's cryptocurrency tracing investigations and blockchain forensic services. He has provided training on fraud investigative methods to dozens of organizations and associations across the country. Hi, Brett. Thank you for joining me for today's episode.

Brett Johnson:

Hey, I'm excited to be here. Thank you for having me.

Justin Burns:

Yeah, we're excited to have you. We're especially excited to talk to you regarding your experience in cryptocurrency and fraud related to cryptocurrency. And cryptocurrency I know has just been more and more in the front of people's minds over the last five to 10 years, and it still seems like it's a very specialized area. So how did you get involved with that?

Brett Johnson:

Yeah, I think you're right. And I'll start by saying that I've always been intrigued by crypto. I think everyone's kind of curious about it, and that was kind of how it started for me. But I remember in, I think it was 2017 when there was a really big Bitcoin pump, and I had a buddy of mine that I worked with who'd made five grand on some Bitcoin, and I remember being like, wow, this is kind of interesting. And that's what kind started to pique my interest into crypto. Not so much investing into it or anything, but just understanding what I do for a living and what probably a lot of the listeners of this podcast for a living, and started thinking about how does this apply to fraud and there's got to be a use case here. And so then I kind of shelved it and then 2020 hit, COVID hit, and then I really started to, there was kind of this big influx of money from the government to a lot of businesses, and then we started to see another crypto pump and all these alt coins and Bitcoin again pumping.

And then we started to get calls. So then around 2020, 2021, we started to get calls from prospects and people saying, hey, I need assistance with some crypto forensics. They started calling it crypto forensics because they didn't, no one knew what to call it. And we were starting off with saying, we don't do that work. Sorry, can't help you. And the more it happened, the more it became, well, why don't we do this work? Why don't we help these people? We're forensic accountants, we help people with fraud matters, and if this is a fraud matter, we should be able to help. And so I had a colleague of mine who was an associate at the time, very bright kid, and he was really into crypto, and I started talking with him and picking his brain. And at the time I was like, we should really start, I need to learn more about this. He knew quite a bit at the time and I would get a lot of knowledge from him, but I started to learn more and more about it.

Got to the point where I was thinking I got to, we got to be able to do this. This is the future. This is a way to hide money and if we can't do this, someone else is going to do it before us anyway. So started to kind pitch it to the other partners in my department and our forensic department here at Eide Bailly and gave them, they kind of gave me the if you can figure it out and sell it, go ahead. And so I just started learning through YouTube. And so I would spend an hour every night before I went to bed and I would just start off with what is cryptocurrency? Watch it, watch an hour long video on it, and then I'd have more questions, and then I would watch another YouTube video the next day, the next day, and the next day. And eventually I got to the point where I felt comfortable enough to when those calls started coming in, I would take those cases. And that's kind of how we cut our teeth on cryptocurrency tracing investigations.

Justin Burns:

And for those of us who might not know much about it or work with it or we know nothing about it, could you kind of give us just a high level explanation of how cryptocurrency works and how someone can obtain it, and what does that mean? What do they actually have?

Brett Johnson:

Yeah. I try not to overcomplicate it too because I'm very who, what, where, how, when, just give me what I need to know. And so for the sake of your listeners, the biggest way to really do it without overcomplicating everything is that it's really just software. So I mean, if you think of blockchain or if you think of Bitcoin, it's just software. And the blockchain, if you think of it as a general ledger. To people that are familiar with accounting, the blockchain is just one big public general ledger. And then within that general ledger, you have wallets. And these wallets are essentially general ledger accounts. And so money can move between accounts through essentially journal entries. And those journal entries manifest themselves in the blockchain as transaction IDs or transaction hashes. So every transaction will be identified through a unique transaction hash, and those transactions go between wallets and there can be transaction between one wallet to two wallets, two wallets to one wallet, much like you would in accounting between accounts.

So that's a good high level way. And the reason that there's an allure with crypto too is because it is decentralized. So there's not one individual or company that's really running a blockchain. It's run by nodes which are essentially computers. You or I could start a node and it would just be opening up a computer, running the software, and now we're part of the blockchain and we're helping verify all the transactions on that blockchain. And if all the nodes don't agree, then it doesn't work. So that's why, that's the kind of upside with blockchain and crypto is that it's decentralized, so you can't change. Because there's so many nodes, you can't really hack it because you'd have to hack 51% of the computers operating it in order to control it. And so that's always a positive thing that people, when they talk about crypto and blockchain, that's one of the positives with it.

And so thinking about it as a general ledger and the wallets between that people own and the transaction hashes are kind of the journal entries, that's kind of the best way I can think of to explain it in the simple terms. And then when it comes to obtaining crypto, there's a few ways you can do that. The most popular way is through an exchange. You see a Coinbase or Crypto.com, Binance, Kraken. These are all exchanges that you can set up an account, much like anything else, and purchase cryptocurrencies within that application or that program. You can also go to, they have, I don't know if you might've seen these, you can go to some gas stations have them, but there's literally Bitcoin kiosks where you can put cash in. So there's other ways you can obtain that and that'll spit out, and if you put a hundred dollars into a Bitcoin kiosk, it'll print you out a wallet address.

So now you have your wallet address that's just on paper and your balance. And from there, you can then transact. And it also will give you what's known as your private keys, which is what you need to be able to transact crypto, which is essentially a password or a passphrase, there's a seed phrase that comes with that. So there's like 12 words or something usually that make up your private keys, and that's how you can essentially password allow you to send that crypto. So those are the main ways you can get it. Otherwise, people can, now that you have a wallet, you can now share that wallet address with people and they can send you crypto to that wallet address. So it's kind of like the high-level version I would say.

Justin Burns:

Yeah, I've seen the kiosks at gas stations. They look just like an ATM pretty much.

Brett Johnson:

Yeah, exactly. And when you think of fraud too, you think of like, oh, if someone's going to convert a bunch of cash to crypto, it makes it kind of hard to trace. Right?

Justin Burns:

Yeah. So how does cryptocurrency get stolen?

Brett Johnson:

Yeah, so it's a great question. So it's really hard. It's really hard to steal crypto, but usually obtaining private keys. So maybe in the example we were just talking about with someone going to a Bitcoin ATM and putting in some cash and then it spits out their little paper wallet with their keys right on there. If I were to drop that piece of paper, someone would have my wallet address, which the wallet address is your public key. That's what people can see on the blockchain. They can't really know who it is. They can't say, hey, that wallet address belongs to Brett. They'll just know that there's a wallet address with activity on the blockchain. But those private keys that you have, which is like I usually say, it's usually a twelve-word seed phrase, that's what unlocks that crypto. And so there's a common phrase used, not your keys, not your crypto, meaning if you don't have those keys, you can't touch that cryptocurrency and you can't move it. And so if someone gets a hold of that, then now they have control of it.

So if I were to drop that piece of paper and someone else picks it up, they can now control that cryptocurrency and steal it. Some of the more maybe popular versions of theft, if you think of the FTX, the big FTX scandal that happened a few years ago, keeping. If you go on an exchange and you purchase crypto, they're holding it for you. It's not on the blockchain, it's just they have an IOU, kind of like a bank. If you have your bank, if you have your money in the bank, your account is essentially an IOU from the bank saying if you have a million dollars in the bank, they might not have a million dollars to give you, but they owe you that money at some point. So it's the same concept with an exchange. You buy Bitcoin, maybe they don't have it all, but they owe you that. I think there are regulations in place now where they actually have to make sure they have some in reserves, but there's not a...

In the instance with FTX, they got hacked. So when they got hacked or then they mismanaged their funds and they didn't have all the assets that they said they had for their customers. And when they got called out on that, everyone lost their money. And so people thought they had crypto, but they ended up not having crypto. And so that's one way that you can lose it or be defrauded from you is through just exchanges being mishandled or misused or hacked. People just obtaining your private keys through hacks as well is another way. And then people being just simply tricked into sending crypto to somebody else, just like any other type of case. But the idea that someone can get to your crypto wallet without your private keys, I've never heard of someone, that actually happening. So that's always a good thing I guess with crypto is that if you can keep security of your private keys, your crypto is usually pretty secure.

Justin Burns:

So in the cases that you've worked on, are these cases where somebody's account has been hacked or they've moved cryptocurrency?

Brett Johnson:

Yeah. It can be quite a few things. So usually it's either one of two for the ones that I've worked with. One is someone tricked me into sending crypto to a place I didn't want to, and I don't know how to find it. Can you help me out? That's usually one issue. The other would be, usually it's a divorce type of situation, and one spouse is like, "I think my spouse has been buying crypto. I'm not sure. Is there anything you can do to help? Or I found a wallet address or some crypto information that I can't dissect or understand. Can I give this to you and can you tell me if my spouse has anything?" So those are usually the types of cases that we get involved with. Some of the other ones, like the big hacks and things like that, that might be more like law enforcement or FBI, they might get involved. But it's usually the person to person or the family law type of stuff where we'll get involved.

Justin Burns:

So in the sorts of cases that you've worked, what does that investigative process look like for you to identify how this is moving?

Brett Johnson:

Yeah. So that's a good question. And what we like to tell people, so let's just say it's a divorce case or something and a wife calls and maybe their attorney calls us and says, "We know that the husband has been investing in crypto." From there, we just need a starting point. And that starting point can be several different things. It could be we know that they've made purchases on Coinbase just by looking at the bank records, we know that there's a Coinbase account. So then we can inform our client or the attorney to, we need you guys to subpoena their Coinbase information because exchange data is not on the blockchain. So that's the part that makes it difficult for us is until it's on the blockchain, wallet to wallet type activity, so again, going back to that general ledger example, until there's movement within the general ledger, we can't see it on the public blockchain. So we need to get that information directly from the exchange.

Because within their exchange account, it can be buying, selling, converting crypto, staking it, which is kind of like a savings account where you get interest on your crypto and there's all kinds of stuff you can do in there, and moving it to a wallet. So you could have a cold wallet or a hot wallet that you actually move that to, and you might not understand that that's even happening unless you get their exchange data. So getting that starting point is one thing. And so again, it could be a exchange account that we need. We could see a wallet address that they have or they know about. They might say, "Hey, I found this transaction ID number that's like a million characters long and we don't know what it means." And so we can start with that as well. And then from there, we can then, usually once we have one starting point, we can see where the money came from or where it went, and then we can start to put the pieces together from there.

Justin Burns:

Okay. Sorry, you mentioned hot wallet and cold wallet. What's the difference there?

Brett Johnson:

Yeah. So a hot wallet would be a wallet that would be essentially online. And the downside to a hot wallet would be that it technically could be hacked. So if you have a hot wallet that's maintained online, they call it hot because it can be accessed or hacked. A cold wallet would be something that you store offline. And if you think of some very popular ones are like Trezor and Ledger wallets. And they're basically just little USB devices that you can plug in and it's got some software on it, you can put your crypto onto that software, and then you can pull it out and now it's cold, it's not online, can't be hacked. And that's probably the safest way to store crypto in general is through a cold wallet, and it's also a really good way to hide it.

Justin Burns:

So in the cold wallet, it's not actively hosted on an exchange through online or a cloud, it's just you are holding X number of Bitcoins on this jump drive.

Brett Johnson:

Exactly. I mean, that's a great way to think about it.

Justin Burns:

You can put it in a safe or you can put it somewhere and once you have that thumb drive, you don't have [inaudible 00:19:38].

Brett Johnson:

Yeah. Well, the good thing is that you can back that up. So the information is there and there's some nice software that allows you to move it around and trade and that type of thing. But if you have your wallet address, which is the public key, and if you have your seed phrases, which is your private key, you could restore your wallet on a different system or software. So I might lose that USB device that my cold wallet's on, but if I know the wallet address and the seed phrases, I can restore that somewhere else because the blockchain, they may not necessarily know where it's actually physically located in terms of the software that I'm holding it on, but I can restore it and then I can access those funds through just by having my public key and my private keys and I can move it from there. But if I have a hot wallet, that information is now accessible on some cloud, like you mentioned, that could potentially be hacked.

Justin Burns:

Okay. So how do you trace this? How are people masking these transactions? What are you looking for in these investigations?

Brett Johnson:

Yeah. And sometimes it can be easy and sometimes it can spider web into oblivion and it's just a nightmare, but there's always a possibility. I'm not going to say that everything's impossible. Sometimes it's very difficult or there's other roadblocks that we run into. But some of the headaches that we have are there are things such as privacy coins. So XMR is an example of that, which is Monero coin, and that operates on a private blockchain. So you can't access that blockchain without essentially a password. And so that's become an issue. There are some workarounds on that that we've learned about, but it's very difficult to trace on private blockchains. Other issues, kind of like the paper wallet that we talked about, someone puts a bunch of cash into that and we don't know it exists. We'll never see it. And those kiosks can be subpoenaed. So there's cameras on them just like ATMs have. And a lot of them now do require KYC like banks do, know your customer. So they do require you submit a picture of your license or they take a picture of you at the kiosk and need to put in some your Social Security number or something like that. And so those can be subpoenaed to where you can obtain some information. So like I said, there are some workarounds on these things, but they do make it difficult.

There's also mixers and tumblers, which is a whole other issue that we run into. And if you've ever heard of a smart contract, that's essentially what these are. And a smart contract is simply a wallet address that's designed to do something specific. So if it goes into a wallet, these mixers and tumblers will accept a lot of different people's crypto and then send it all out to a bunch of people, and you don't know who sent what and which is who's. So that's confusing to someone tracing it. And it's a service provided to help people with privacy if people don't want to know where people are sending their crypto, because public blockchains, people can look at everything. And it is pseudo anonymous, you don't know who's doing it necessarily, but if you can tag one wallet to a name, then you can kind of see what they're doing, but then they can use these mixers and tumblers to kind of hide their actions. And Tornado Cash is an example of one of those mixers that does that for people provided as a service.

Justin Burns:

Good Lord. So there's two terms that I think a lot of people have heard in relation to crypto, and I think sometimes they get used interchangeably, but I think there's actually a difference here. So you hear token and you hear coin. Can you explain those, what they are, how they're different, how they're related?

Brett Johnson:

Yeah. And it is confusing. I remember that being one of my first questions, what's the difference between token and coin? And what I've learned too is people will use them interchangeably sometimes, kind of like funds and monies and dollars. But I think the technical definition would be that a coin, so if you think of Bitcoin, that operates on the Bitcoin blockchain. So that is the native coin to that blockchain. If you think of Ether or ETH, that is the native coin to the Ethereum blockchain. So if it is native to that blockchain, it is considered a coin. And then with blockchains like Ethereum, you have the primary blockchain, but then you can also, there's also what's called a layer two token. And layer two is essentially activity on an already developed blockchain that is developed on top of it. So this is what allows people to create Fartcoin. I think there's a Brettcoin out there, there's Dogecoin. There's all kinds of meme coins, and they're developed on layer two, and that allows people to create their own coins, create their own kind of programs. And it's creative but that's kind of when they start calling them tokens is when they're on that layer two as opposed to being the native coin to that blockchain.

Justin Burns:

Okay. Did you say Fartcoin?

Brett Johnson:

Fartcoin, yeah, fart. If you Google it, that is a cryptocurrency.

Justin Burns:

I think that might be the first use of the word fart on this podcast.

Brett Johnson:

Yeah, yeah. There's investors in fart. I mean, believe it or not.

Justin Burns:

All right. Well, I feel like that's a good spot to go into the ad break.

Brett Johnson:

Sounds good.

Leah Wietholter:

Have you ever wished your financial investigations could move faster and with less frustration? Well, at Data Sleuth, we have built a tool designed to do that for attorneys, forensic accountants, and law enforcement professionals. Picture this, all of your banking credit card statements reconciled, organized, payees cleaned and standardized so you can trace funds with clarity and confidence. Even better, key data flags common in fraud cases such as even dollar payments, recurring charges, and suspicious outliers are flagged automatically saving you some hours of digging. That's the power of the new Data Sleuth dashboard for professionals. With direct access to the source and use of funds report, you'll uncover related accounts, potential assets, loans and entities that you will want to research further. And with the interesting data findings report, you'll spot everything from outliers to recurring transactions that could mean more than they seemed at first glance.

The best part, our services come at a simple fixed fee based on the number of transactions you process. No surprises, just reliable, efficient insights at your fingertips provided by the team you've known through this podcast for years. And oh, by the way, all of our work is hosted and processed on US servers. So if you're ready to move past the important but tedious work necessary at the beginning of an investigation so you can focus on solving cases, it's time to put the Data Sleuth team on your team. Schedule a demo today at datasleuths.com/pro and start uncovering the truth with ease.

Justin Burns:

All right, so we are back with Brett Johnson talking about cryptocurrency fraud. Before the ad break, we heard a lot about what is crypto, how does it get stolen, how do you go about tracing some of these things. So let's get into some examples of what cryptocurrency fraud looks like in practice. Do you have any stories you'd be willing to share with us about a case that you worked?

Brett Johnson:

Yeah, absolutely. I think a good one, a good example, because I just think that this would be very common, is we had a client of ours that had reached out and he had an acquaintance of his that he knew personally. It wasn't like someone online or anything like that. It was an actual individual that he knew and met. And this acquaintance of his, I don't know if they were necessarily friends, they were kind of more like they weren't really working together either, just kind of knew each other. But he was really into crypto investing, the acquaintance of his. And he had mentioned to him that he had, there was an ICO, so an initial coin offering, much like it would be in a stock market.

And so there was this ICO that was going to happen. And if you're familiar with new meme coins or anything like that, you know that they pump and dump. So a lot of times they will pump really high right when they come out, everyone's trying to get in on it, and then the second they make a lot of money on it, they dump it and they make a bunch of money. And then from there it's just kind of flat, maybe a little bit of gains here and there, but they kind of call them pump and dumps. And so they were talking about this new ICO and it was kind of like we talked about, layer two, it was going to be on a layer two, so it was like a token that was going to be coming out. And so he said, "If you're interested, I can get you in. We're using Ethereum. You'd need to send me..." I think it was 300 ETH that he needed to send. So at the time, ETH was over, it was over two, maybe it was $3,000 a coin, so it was a chunk of money.

So he was like, "Sure, I'm interested. You've kind of convinced me. I'd like to invest." So he was communicating with him and he ended up sending him the ETH that he wanted to use. They kind of kept in touch and then slowly but surely, the guy kind of started not responding to his messages, not saying anything, and then it got to the point where he just flat out ghosted him. So we get called, he calls us. He didn't have an attorney at the time. We told him, "You should probably lawyer up. This is something you want to do." And he gave us the initial transactions that he had where he sent the funds and we started to trace it on the blockchain. So he gave us the wallet that he had with the ETH and the transaction hash that he sent to this individual. And then from there, it turned into this spiderweb of movement of funds.

And that's where it can get difficult just because you start to commingle a bunch of funds with each other. But if you keep following it, it kind of starts to manifest itself a little bit. So we see it go into one wallet, splits and there's ETH going to this wallet, ETH going to this wallet, more ETH that's exceeding the amount that he gave them to another wallet. So we just start tracing everything. And we do this using blockchain explorers, and I should probably mention that. But so when we do our tracing, we actually have a software that's fairly expensive. I can't say the name of the software, but there's several out there. And that scrapes all the public blockchains for us. We still have to verify it just for purposes of the court to the actual blockchain, but it's almost always correct anyway. But it scrapes it for us, it helps, it gives us a little bit of a shortcut. But even with that shortcut, there is a lot to follow and to trace.

So we're tracing this ETH through these wallets and now they're going to exchanges. So we are identifying that these cryptocurrencies are eventually hitting exchange accounts. Well ,now we need to subpoena those exchange accounts. So we start to talk to his attorney, they officially sue him so we can obtain his exchange data. And he had a few different exchange accounts. We go through that. There's a ton of activity in there. We start reconciling it, trying to determine where this individual's ETH may have went. And then we start seeing money going out to other wallets. So it's coming into this exchange account and now we see it going out to other wallets that we've never seen before. We start just continue tracing it.

And then eventually we see that it all does move into an ICO that he had mentioned in one of their communications. So that was important to us just because during the entire litigation process, this guy was saying, "I lost that money. That money's gone. It got lost in the investment." I think at one point he said he never even gave him the ETH. And so that was a battle in and of itself. But when we finally find it go to that ICO, that was kind of the big flag that we could say, well, this is what you guys talked about. We could kind of piece that together for the court. And so it was kind of still sitting there and then it got moved out of there and then it went to another wallet. So we knew where the funds were sitting. And we were kind of able to prove that this individual, regardless of if he has the access to the keys to that wallet, he's the one that's responsible for putting it there. And we were able to prove that to the court. The court was able to agree with us, and he ended up winning the case and was able to get his funds back.

But that process of tracing it through all that, getting the exchange accounts, that was a little bit of a process, took over a year to get everything and through litigation and all that. But that was one of our nice success stories of being able to, you get one transaction to start with and then you just start tracing it and going through the blockchain and using those explorers, using our software and mapping it. And we found that mapping everything for the court in a visual is by far the best way to explain it to people how it moved, instead of trying to show a bunch of transaction hashes and wallet addresses that are 64 characters long and whatever it is.

Justin Burns:

Just like flowcharting it out basically, here's where it's all gone.

Brett Johnson:

Exactly. Simple flowcharts, labeling them, saying here's where it went and if you want to know, you can reference this where it shows all the transactions related to that. And so we were able to figure out where the final resting place of that was, which is kind of the nice thing with crypto is that you can't really cash out unless you go to an exchange or it's going to be sitting in a wallet somewhere. So it's either sitting in a wallet or it did get cashed out to an exchange and it's in someone's bank account and you can trace it to all of that. So it is all kind of traceable. It's just where is it currently sitting? And then you get people that say, "Well, I don't have access to that. That's not my wallet." And then that's a whole nother argument. But that was kind of an interesting one that we had that ended up being very beneficial to our client.

Justin Burns:

So the money did end up in the ICO, it just took a very roundabout way of getting there.

Brett Johnson:

Yeah. And his funds were still there. He just tried to play it off like he lost it, but we were able to identify it.

Justin Burns:

Okay. And then earlier you mentioned the use of crypto in divorce cases.

Brett Johnson:

Yeah. Yeah. So one example that I did, I actually shared this one at the ACFE Global Conference a few years ago, but I had a case where husband and wife were getting divorced and they were separated for a while, and the divorce was kind of lingering and going on. And I think at this point they both had a girlfriend and a boyfriend. They had their own significant others at this point. But they had sold their home because they wanted to split the proceeds of the home, and the home was fairly expensive. It was I think like three or four million. And it got to the point in the divorce where the proceeds from that came into question. And the wife is the one who was living there and who had sold it. And they were trying to figure out, well, wait a minute, where is this? Where are the proceeds of this? And she said, "Well, it all got invested in crypto and I lost it all." And so that kind of triggered his attorney to call an expert. And then so we got involved.

And then obviously the first thing we wanted to see is, well, we wanted to see the data from the sale of the home so we could see where the funds were deposited originally. For whatever reason, we didn't get that. They couldn't provide that to us. So what they did provide us with was she was finally able to admit that she had a ledger, which that's again a cold wallet device called a ledger, which is confusing in the accounting world when we talk about ledgers. And so she had a ledger device and we got a very crappy printout of the summary of the crypto in that ledger. Because if you plug it in, you open it up, you can see a summary of all your crypto. And there was also some transactional data in there, but it was very hard to read. And I'm almost positive that was intentional to give us something difficult to read and find out.

But we started to look at that and we did see some transactional data in there. So we had some transaction hashes that we could put into our software into blockchain explorers, and we started to trace it, and we did see activity into Coinbase. And so we said, okay, we see some funds coming from Coinbase into your ledger. She probably has a Coinbase account. Well, Coinbase came back and said, no, she doesn't have one. And so now we start looking at the boyfriend and saying, okay, well it's probably your boyfriend. And the state that we were working with, they were very, very tight on going after people not related to the matter of the divorce. So we needed to have a lot of evidence to be able to say, hey, we need to subpoena the boyfriend's information.

And so we kept going and we found another exchange where there was activity with her little snapshot she sent us, and it was Kraken. Subpoenaed them, came back no activity in the account other than maybe a few transactions, which was what we saw. So that wasn't very helpful. And then we found a Binance one. Sent one to Binance. She did not have an account, but the boyfriend did have deposition and indicated he had a Binance account. So at that point, we were able to successfully subpoena his Binance account to see what was going on in that exchange. And when we got that information, we saw pretty much all of the proceeds from the sale of that home were invested into his Binance account. And he had kind of been giving her some of the crypto, which she had about a million worth, and he had a large chunk of the remaining.

So again, kind of an interesting roundabout way, but they were definitely trying to hide it through her boyfriend through an exchange and being difficult the entire time trying to get the information, but eventually found it and then they were able to finally split the funds. And then I think we may have even got some of our fees paid for by the opposing side. So it was another successful one for us. But it gives you an idea of how this happens in divorce and how they try to hide assets through crypto.

Justin Burns:

Yeah. And you mentioned your presentation at the ACFE Global Conference in 2024, I believe it was. You talked about resources available to investigators to help investigate a case involving crypto fraud. Can you share with us some of those tools that are available?

Brett Johnson:

Yeah. So the public blockchain explorers are by far the best use. So if you're dealing with Bitcoin, and I always say there's Bitcoin and there's crypto, because Bitcoin is almost on an island for me in terms of how it's treated. I mean, even if you look at it from a governmental standpoint, they treat Bitcoin differently than anything else. So if it's Bitcoin that you're tracing, blockchain.com is great. And that's again, a blockchain explorer where you can add any transaction hash that it would be related to Bitcoin, and then any wallet address that'd be related to Bitcoin, you can pump into there and it'll bring up the wallet information or that transaction information and you can click around and trace through that. Blockchair.com is another good one for Bitcoin. And I recommend using both, even if you like one over the other. Sometimes the nuance of it, sometimes they give you a little bit more information.

And I think in that presentation that I gave at the ACFE was if you went to blockchair.com, they actually tag the governmental, the FBI's wallets as FBI, which can be helpful because some software, wallet software will allow you to label your wallet if you want to like Brett's wallet or Justin's wallet or whatever. And some of these explorers will actually maintain that tag and you can actually see it, which is helpful in certain investigations. But then if it's not Bitcoin, etherscan.io is a great one for anything on the Ethereum blockchain and anything on its layer two is also good. You also have, and then you get into the other ones that can be really tricky like XRP, Ripple, that's the same thing, but that one has its own blockchain, so there's like XRPScan that you have to go to kind of trace that one.

And so it's always a good practice if it's a cryptocurrency or a coin or a token that you're not familiar with to see does it have its own blockchain that other than you might see some transactions of it on Ethereum, but then if you go to its own blockchain, you'll see there's a lot more activity that you can identify within those wallets on the other blockchain. So those can get a little bit tricky and a little bit confusing, but always recommend that as well. And then the other thing I always recommend is buying a little bit of crypto and moving it around. So I mean, if you have a hundred bucks that you can just say, okay, I'm going to buy $10 of five different cryptos that I'm familiar with, and I'm going to download a free hot wallet on my phone or any kind of wallet on my phone, like Coinbase Wallet, Meta and MetaMask is another pretty popular one. Trust Wallet is another popular one.

And then you'll get your seed phrases when it's generated. You can buy something on Coinbase or some exchange, and then you can move it to your wallet, move it back to Coinbase, download another wallet and move it to that one. And then you can go on the blockchain and see how it looks. And I always recommend people do that because that gives you a really good idea because you know what you're doing, you know what you just did and how much you moved. How does that look on the blockchain? And then you kind of get that look and feel of getting used to tracing it yourself. And I always recommend that just because kind of an easy, quick, cheap way to learn, and I feel like you learn better hands-on than me talking to you.

Justin Burns:

Yeah. I mean, I think investigators are, or anybody as a matter of fact, they're comfortable looking at a bank statement, understanding like, well, this is how money moves in my checking account, my savings account, a credit card statement, same thing, loan statement, same thing. They're all very familiar with that because we've been doing it forever. But they may not be familiar with, well, how does crypto move around. So get in, like you said, play around with it with a small amount and just kind of get the feel of how this actually works.

Brett Johnson:

Yeah, absolutely. And the other headache I've run into in the past is you start to testify about some of this stuff, and people will say, "Well, he's not a crypto expert, he's not a blockchain expert. He doesn't write code." And I always go back, "Well, as forensic accountants, we're experts in tracing assets. I don't need to understand the internal workings of a bank to trace funds through bank accounts. I don't need to understand how a manufacturing business works to trace its inventory if they keep accounting records correct. I just need to be able to trace assets, and that's what I'm an expert in." And that's worked in court. And the reason I say that is because that's what keeps a lot of people away in our field from wanting to do this type of work is I don't know anything about crypto, I don't know anything about blockchain. Don't worry so much about understanding the code and the nuances of the blockchain. Just learn how to trace assets through it and you'll be fine.

Justin Burns:

Yeah. Well, this has been very educational I think for me and for our listeners. And thank you so much for sharing your expertise with us today.

Brett Johnson:

Yeah, no, anytime. It's been fun.

Justin Burns:

So if people want to get in touch with you, they want to talk more about this or pick your brain about investigations, how do they get in touch with you?

Brett Johnson:

Best way, you can actually Google Brett Johnson Eide Bailly, and you can find me online. My email, B, as in Brett, Johnson@EideBailly, which is E-I-D-E-B-A-I-L-L-Y.com. Email is probably the easiest way to get a hold of me, but I'm always happy to talk crypto with people.

Justin Burns:

Okay. We'll include that in the show notes so people can get that information there. Again, thank you so much for joining me today.

Brett Johnson:

Yeah. Thanks, Justin. Appreciate it.

Leah Wietholter:

Thank you for listening to the Data Sleuth Podcast. If you enjoyed this episode, please leave us a review wherever you listen. The Data Sleuth Podcast is a production of Workman Forensics. To learn more about our investigation services and resources, please visit workmanforensics.com.