In re Search Multiple Email Accounts Pursuant to 18 U.S.C. § 2703 for Investigation of Violation of 18 U.S.C. § 1956

• Citation: 585 F.Supp.3d 1
• Decision Date: 26 August 2021
• Docket Number: Case No. 20-sc-3310 (ZMF)
• Parties: In the MATTER OF the SEARCH OF MULTIPLE EMAIL ACCOUNTS PURSUANT TO 18 U.S.C. § 2703 FOR INVESTIGATION OF VIOLATION OF 18 U.S.C. § 1956 et al
• Court: U.S. District Court — District of Columbia

585 F.Supp.3d 1

In the MATTER OF the SEARCH OF MULTIPLE EMAIL ACCOUNTS PURSUANT TO 18 U.S.C. § 2703 FOR INVESTIGATION OF VIOLATION OF 18 U.S.C. § 1956 et al

Case No. 20-sc-3310 (ZMF)

United States District Court, District of Columbia.

Signed August 26, 2021
Filed February 8, 2022

585 F.Supp.3d 5

MEMORANDUM OPINION

Zia M. Faruqui, United States Magistrate Judge

In January 2021, the government submitted an Application for a Warrant ("Application") to search certain email accounts (the "Target Accounts"). See ECF No. 3 (Application). The Court subsequently posed questions to the government about this request. In June 2021, the government submitted a memorandum of law in support of the Application. See ECF No. 8 (Mem. in Supp. Of Appl.) ("Memo"). The Court's concerns included whether: (1) it had venue; (2) the government's previous collection of evidence complied with the Fourth Amendment; and (3) the software the government used to establish probable cause was reliable. For the reasons below, this Court granted the Application.¹

585 F.Supp.3d 6

I. BACKGROUND

A. Blockchain

A blockchain is a transparent digital list of records of transactions shared across a decentralized, peer-to-peer network. See Jane Wild et al., Technology: Banks Seek the Key to Blockchain , Fin. Times, Nov. 1, 2015, https://www.ft.com/content/eb1f8256-7b4b-11e5-a1fe-567b37f80b64 [hereinafter Technology ]. The network consists of the devices of the members of the network. When a party wants to make a transaction, the transaction (or "block") is broadcast to parties within the network, who approve the validity of the transaction and allows it to proceed. Id. The term "blockchain" derives from the fact that each block is added to prior blocks, creating a list of data on every prior transaction (i.e. the "chain"). Id.

Any attempt to manipulate a prior transaction (i.e. one prior block) will necessarily alter the entire blockchain, an action which the blockchain software would reject. The Great Chain of Being Sure About Things , The Economist, Oct. 31 2015, https://www.economist.com/briefing/2015/10/31/the-great-chain-of-being-sure-about-things [hereinafter Great Chain ]. Contrast this with traditional financial records, which are susceptible to error and fraud. See BlockChain and Computational Trust , Katipult, https://www.katipult.com/blog/blockchain-and-computational-trust.

B. Bitcoin

Bitcoin ("BTC") is a cryptocurrency that runs on a blockchain system. Damien Cosset, Blockchain: What is Mining? , DEV (Jan. 5, 2018), https://dev.to/damcosset/blockchain-what-is-mining-2eod [hereinafter Blockchain ]. In blockchain-based cryptocurrencies, miners solve cryptographic puzzles to solve the mechanism securing a block. Id. This mining of the block confirms a transaction and allows the bitcoin to function as currency. Id. Miners receive rewards, which can come in the form of bitcoins or transaction fees, for mining blocks. Id. "Individuals can acquire BTC through cryptocurrency exchanges, cryptocurrency ATMs, or directly from other people." In re the Search of One Address in Washington, D.C. Under Rule 41 , 512 F.Supp.3d 23, 26 (D.D.C. 2021) [hereinafter One Address ]. BTC transactions "require[ ] an address, a public encryption key, and a private encryption key." Id. (citation omitted). The address and keys consist of alphanumeric strings, and each transaction is recorded on the public Bitcoin ledger. United States v. Harmon , 474 F. Supp. 3d 76, 81 (D.D.C. 2020), reconsideration denied, 514 F.Supp.3d 47 (D.D.C. Dec. 24, 2020) (citation omitted). The first BTC transaction provides an example of what a completed transaction reveals:

585 F.Supp.3d 7

Available at blockchain.info.

C. Wallets: Hosted and Unhosted

To own and transact BTC, a user must be able to store information about the user's BTC (including a private key) in a virtual wallet. Broadly, there are two ways to own and transact BTC—in other words, two kinds of wallets: hosted and unhosted. One Address , 512 F.Supp.3d at 26.

An unhosted or "personal" wallet is a personal device or a paper medium on which the user stores the private key. Id. at 26. The unhosted wallet allows users to directly conduct transactions without an intermediary. See Jai Ramaswamy, How I Learned to Stop Worrying and Love Unhosted Wallets , Coin Ctr. (Nov. 18, 2020) https://www.coincenter.org/how-i-learned-to-stop-worrying-and-love-unhosted-wallets/.

A hosted wallet is an account held by a third-party financial institution, frequently referred to as a virtual currency exchange ("VCE"). One Address , 512 F.Supp.3d at 26. VCEs typically allow their customers to exchange BTC or other cryptocurrencies for other forms of value, such as other digital currencies or conventional fiat currencies, and they can function as intermediaries to make BTC transactions with third parties on behalf of their customers. See One Address , 512 F.Supp.3d at 26.

The significant difference between hosted and unhosted wallets is that hosted wallets are performed through a third-party intermediary which retains records for each user. See One Address , supra , at 26, 26 n.3. "BTC in an unhosted wallet is like cash in a personal safe or hidden under the mattress, while BTC in a hosted wallet is like money in a bank account." One Address , 512 F.Supp.3d at 26 n.3.

D. Blockchain Analysis

Cryptocurrency transactions that occur on a blockchain are, by design, publicly available, and thus are pseudoanonymous. See Sarah Meiklejohn et al., A Fistful of Bitcoins: Characterizing Payments Among Men with No Names , IMC ‘13: Proceedings of the 2013 Conference on Internet Measurement Conference, Barcelona, Oct. 23-25, 2013, at 1, 1 (Association for Computing Machinery), https://doi-org.nuc.idm.oclc.org/10.1145/2504730.2504747 [hereinafter Fistful ]; One Address , supra , at 29-31. "Ironically, the public nature of the blockchain makes it exponentially easier to follow the flow of cryptocurrency over fiat funds." One Address , supra , at 27. Repeated government seizures and forfeiture actions should disabuse the uninformed of the myth that BTC is untraceable, yet this myth abides. Indeed, the IRS alone seized

585 F.Supp.3d 8

$1.2 billion worth of cryptocurrency in fiscal year 2021. See The IRS has seized $1.2 billion worth of cryptocurrency this fiscal year – here's what happens to it , https://www.cnbc.com/2021/08/04/irs-has-seized-1point2-billion-worth-of-cryptocurrency-this-year-.html.

Undoubtedly, people attempt to conceal illicit transactions using BTC in a variety of ways. But this is no different than what people do with fiat currency every day and where such efforts are far more effective.² See One Address , 512 F.Supp.3d at 30 n.11. One concealment method unique to BTC is "mixing" or "tumbling" transactions, a method whereby one user's payment or transaction is jumbled with other payments and transactions to make it harder to detect the owner of the BTC. See Harmon , 474 F. Supp. 3d at 82. These multiple transactions are typically conducted with multiple sending addresses and over a span of time (rather than all at once). See Meiklejohn et al., Fistful , at 4. Sophisticated users may mix or launder on their own by creating multiple BTC addresses. See Brief of Plaintiff-Appellee, United States v. Gratkowski , 964 F.3d 307 (5th Cir. 2020), 2020 WL 736044, at *7. Other users may employ tumbler or "mix or laundry services" to facilitate a similar process. Meiklejohn et al. Fistful , at 4. The operation of services to knowingly conceal illicit BTC transactions may lead to serious criminal exposure. See United States v. Harmon , 19-cr-395, ECF 122, 123 (D.D.C. August 18, 2021).

However, these BTC anonymizing techniques fail when pitted against algorithms that analyze transactions on the blockchain. See One Address , at 26 ; see generally Meiklejohn et al., Fistful. The most effective algorithms employ a technique described as "clustering." See Gratkowski , 964 F.3d at 309. Essentially, clustering tools rapidly scan the blockchain, which is an enormous data set, to conduct various forms of pattern recognition. See Meiklejohn et al., Fistful , at 5-8. As a rudimentary example, an algorithm might discover that a single address on the blockchain receives the same quantity of BTC at regular time intervals. Those seemingly unrelated addresses would then be clustered together to demonstrate common ownership. The clustering analysis un-mixes, un-tumbles, and de-anonymizes, leaving bare the transactions which illicit actors tried to cover up. See Meiklejohn et al., Fistful , at 12.

There are multiple publicly available tools that enable clustering analysis. These are available for free as open source software and for a fee by private software companies. See One Address , supra , at 26, 26 n.5 (referring to Chainalysis, Eliptic, and TRM Labs as examples). "Law enforcement uses commercial services offered by several different blockchain-analysis companies to investigate virtual currency transactions." ECF No. 3 (Aff. in Supp. Of Appl. for Search Warrant) ("Aff.") at 20. In fact, the instant search warrant is based largely on clustering analysis conducted by law enforcement. See Aff. Yet, before the Court may go down the crypto rabbit-hole to determine if clustering can establish probable cause, it must first consider if it has the authority to consider such warrant.

E. The Instant Investigation

This investigation involves the hack of VCE ("Victim VCE"). See Aff. at 26. "In or

585 F.Supp.3d 9

about August 2016, unknown actors utilized a ‘remote access trojan’ (‘RAT’) to breach Victim VCE's security systems and infiltrate its infrastructure. A RAT is a type of malicious software (‘malware’) that allows a criminal to surveil and control a victim machine covertly. In essence, the RAT used in the hack provided the intruders unregulated remote access to Victim VCE's network." Id. "While inside Victim VCE's network, the hackers gained access to Victim VCE's computer systems and located Victim...