Dark web bitcoin transaction traced to US exchange leads to pre-trial detention

by Nelson Rosario

August 25, 2019, 4:15PM EDT  ·  5 min read

Quick Take

  • Criminal investigation of dark web child porn site leads to indictment.
  • Defendant’s pre-trial detention initially denied.
  • Using transaction data, investigators trace dark-web transaction using bitcoin to defendant’s exchange address and district court orders detention.

US v. Galarza, № 18-mj-146(RMM) (D.D.C. decided May 8, 2019)[NMR]

Crypto cheerleaders responding to arguments that bitcoin or other virtual currencies can be used by criminals often stress that the technology is morally neutral, and can be as easily used for good or for bad. Like dollars, euros or yen, cryptocurrency that relies on blockchain — the use case with which most people are familiar — can be used for both legal and illegal conduct. It’s a simple fact that if you build a technology that helps people hide things or move money quickly they will use it accordingly. At the same time, the traceability of bitcoin and its public transaction record may make it a questionable choice for criminals and a technology with benefits for law enforcement.

This opinion from back in May of 2019 is a case in point — a dark and disturbing criminal case that tells one story about how people using bitcoin for nefarious purposes got caught doing precisely that. It also describes how investigators analyzed and tracked bitcoin transaction data to find the defendant.

The defendant in this case, Vincent Galarza, has not yet faced trial. He is facing child pornography charges. On the day that Galarza was arrested on December 11, 2018, the government sought his pretrial detention. That motion was denied and Galarza was released under certain conditions. After his release, the government continued its investigation.

The investigation included analyzing a server that was seized by South Korean law enforcement that hosted a child pornography website, as well as a computer that the defendant built, which was seized as part of a lawfully executed search warrant. The examination of both the South Korean server and the defendant’s computer uncovered alleged additional criminal conduct. In light of this new information, the government again sought pretrial detention of the defendant, and was again denied by a magistrate judge. This opinion, from a district court judge, overruled that denial and ordered him held pretrial.

Generally speaking, to determine whether to detain someone before trial, a judge must find probable cause that the defendant committed the offense, and the judge must also take into consideration four factors: the nature and circumstances of the charged offense, the weight of the evidence, the history and characteristics of the defendant, and whether the defendant is a danger to the community. Given the above considerations, and based on the digital evidence, which we’ll discuss shortly, as well as testimony from witnesses that are victims of the defendant’s alleged conduct, the judge determined the defendant should be detained while he awaits trial. The digital evidence tells a grim story with broader implications about the nature of the dark web, and cryptocurrency’s role in it.

When investigators searched the seized server and the defendant’s computer they were able to map out how the defendant was allegedly obtaining and distributing child pornography. Based on analysis of the server that was seized in South Korea, users accessed the website (the site is known to authorities, but not named in the opinion so as to not make its users aware of other pending investigations) via Tor, and then had to pay in “points” to access the content on the website. A user could earn points by uploading videos, or by buying them with bitcoin. Here, the government has evidence that a user who the government believes to be the defendant uploaded 500 videos in 2016, and downloaded 174 videos between May 2017 and February 2018. Additionally, the website allowed users to purchase a VIP account with bitcoin, which the government believes the defendant did.

How did the government trace the defendant to the website? According to the opinion, “[a]fter law enforcement seized the website’s server in South Korea, they were able to pull back the veil of anonymity in which the website’s users had hidden their activities.”

Investigators’ analysis of an image of the server “revealed a transfer of approximately 0.00228809 BTC (worth about $1.80 at the time of transaction) on December 17, 2016 from a BTC address to [the CP] Website’s BTC address starting with 1Hrb.”

Law enforcement then subpoenaed a US-based crypto exchange “and learned that the BTC transfer starting with 1Hrb was from a BTC Exchange Account number starting with 5855, which was created on or about December 17, 2016 and registered in the name of the defendant, using the defendant’s confirmed phone number and email address.” Additionally, when investigators analyzed the defendant’s computer they found at least two videos that were uploaded by the same user that uploaded the 500 videos.

There is no great moral to this story. If you give a person a tool you can’t be sure if they will use it for good or evil. Such is the nature of technology. It is simply reality that bad people will do bad things with whatever they can get their hands on. Here, the traceability of bitcoin, as we’ve seen in other cases, aided investigators in taking down a heinous website, and presumably will aid investigators in the future as they attempt to track down other users of the site.

Disclaimer: Crypto Caselaw Minute is provided for educational purposes only by Nelson Rosario (@nelsonmrosario) and Stephen Palley (@stephendpalley). These summaries are not legal advice. They are our opinions only, aren’t authorized by any past, present or future client or employer. Also, we might change our minds. We contain multitudes.  As always, Rosario summaries are “NMR” and Palley summaries are “SDP”.