Forensic Science International: Reports 4 (2021) 100241

Contents lists available at ScienceDirect

Forensic Science International: Reports

journal homepage: www.sciencedirect.com/journal/forensic-science-international-reports

Case Reports

How cryptocurrency is laundered: Case study of Coincheck

hacking incident
Yoichi Tsuchiya a, *, Naoki Hiramoto b
a
Meiji University, 1-1 Kanda-Surugadai, Chiyoda-ku, Tokyo 101-8301, Japan
b
Basset Inc., 8-4-15 Nishi-Gotanda, Shinagawa-ku, Tokyo 141-0031, Japan

A R T I C L E I N F O A B S T R A C T

Keywords: On January 26, 2018, 58 billion yen ($530 million) worth of a cryptocurrency, NEM, was fraudulently accessed,
Cybercriminal and was then stolen from the Coincheck Exchange, headquartered in Japan. This hacking incident is unprece­
Crypto currency dented not only because it was one of the world’s largest cryptocurrency heists, but also because the stolen NEM
Dark web
was sold and money laundered on a crypto market. Three years later, the Metropolitan Police Department, Japan,
Hacking
announced that more than 30 people had been charged for allegedly exchanging NEM cryptocurrency, ac­
Bitcoin
counting for one third of the stolen value, for other cryptocurrencies. The hackers have not yet been arrested, and
how the stolen NEM was money laundered has not yet been investigated. By resolving two challenges in tracking
the stolen NEM and its money laundering, this report shows that there were increasingly larger sales of the stolen
NEM over time, and on the last two days of market operation, approximately one third of the stolen NEM was
money laundered. Furthermore, this study reveals that there was no pattern in the hour of the day of the sales
transactions whereas more sales occurred on Sundays and Mondays. This suggests that the laundering was in­
ternational and that the stolen NEM was purchased by individuals. These findings emphasize the need for
cryptocurrency exchanges to verify the identity of a new user when an account is opened.

1. Introduction
Since the introduction of Bitcoin [1], various cryptocurrencies have
been developed, introduced to the market, and gained considerable
attention. Cryptocurrency (Bitcoin) is a fully decentralized digital cur­
rency based on blockchain technology. Although all transaction records
are public, cryptocurrency payments are anonymous unless the ad­
dresses and transactions can be matched to actual identities. This online
anonymizing technology has considerable potential to increase conve­
nience and improve social welfare. However, there is a negative side to
the new technology when it is paired with another online anonymizing
technology, the Tor network, in which users’ messages are routed
through a series of relays that serve as a buffer between the users and the
websites that they visit [2]. This makes it difficult to determine the
location of a website’s visitor. These online anonymizing technologies
have led to the creation of illicit online marketplaces known as crypto
markets. The most popular products for sale on crypto markets are illicit
drugs (e.g., [3,4]), because the administrators of crypto markets can
conceal the location of their website servers, thus avoiding law
enforcement agencies. Therefore, crypto markets have gained consid­
erable attention from the media, government authorities, and law
enforcement agencies, and numerous studies have been conducted (e.g.,
[5–7]).
On January 26, 2018, we witnessed a cybercrime that had yet to be
seen using these two new technologies. 58 billion yen ($530 million)
worth of NEM, a cryptocurrency, was fraudulently accessed, and was
then stolen from the Coincheck Exchange, which is headquartered in
Japan. This hacking incident is unprecedented not only because it was
one of the world’s largest cryptocurrency heists, but also because the
stolen NEM was sold and money laundered on a crypto market that the
hackers themselves opened. The hackers offered to swap the stolen NEM
with other cryptocurrencies, including Bitcoin and Lightcoin, at a 15%
discount on the market rate at the time of transaction. Further, the
hacking incident led to significant price drops and swings in NEM as well
as other cryptocurrencies. Three years later, on January 22, 2021, the
Metropolitan Police Department (MPD) of Japan announced1 that 31

* Corresponding author.
E-mail addresses: ytsuchiya@meiji.ac.jp (Y. Tsuchiya), naoki.hiramoto.tus@gmail.com (N. Hiramoto).
1
https://asia.nikkei.com/Spotlight/Cryptocurrencies/Japan-police-target-about-30-people-linked-to-huge-cryptocurrency-heist. (Last accessed on January 28,
2021.)

https://doi.org/10.1016/j.fsir.2021.100241
Received 16 May 2021; Accepted 20 October 2021
Available online 23 October 2021
2665-9107/© 2021 The Author(s). Published by Elsevier B.V. This is an open access article under the CC BY-NC-ND license
(http://creativecommons.org/licenses/by-nc-nd/4.0/).
Y. Tsuchiya and N. Hiramoto
people had been charged for allegedly exchanging NEM cryptocurrency
for other cryptocurrencies while knowing the assets had been stolen. The
trading on the crypto market involving the 31 people is estimated to
have totaled approximately 20 billion yen (using the exchange rate at
the time of the theft). Despite considerable efforts by the authorities and
volunteers, the hackers have not yet been arrested, and the remaining
NEM, exceeding 30 billion, has not been traced. Although approximately
one third of the stolen NEM was traced by the policing effort, few
scholarly studies have investigated this hacking incident or how the
stolen NEM was money laundered.
Therefore, this study investigates how the stolen NEM was money
laundered to Bitcoin on a crypto market by investigating NEM and Bit­
coin transactions.
2. Case description
Table 1 summarizes the timeline of the case, focusing on events
related to money laundering on the crypto market. The hackers broke
into Coincheck at 2:57 (JST) on January 26, 2018 and hacked approx­
imately 58 billion yen ($530 million)2 worth of NEM. Almost all of the
users’ assets were stolen and sent to a hacker’s address.3 The breach was
discovered at 11:25.4 The leak occurred when a terminal in the company
was infected with malware, which was used as a stepping stone to steal
the private keys of the NEM. The hackers immediately distributed the
currency to 18 secondary addresses. Through a total of 19 addresses,5
the stolen currency was distributed to numerous other addresses to
interfere with tracking efforts. The hacking was possible because Coin­
check kept NEM in a “hot wallet,” a part of the exchange connected to
the Internet. This contrasts with a cold wallet, in which funds are stored
securely offline.
The NEM.io Foundation, the founding organization of NEM,
attempted to trace the stolen NEM and prevent it from being cashed out
by other exchanges using a mosaic tagging system.6 A mosaic is a token
that is realized on the NEM blockchain and can be issued freely by users
Table 1
Timeline of the incident.
Date Event
January Incident occurred.
26
Hackers began to transfer and distribute NEM to multiple addresses.
January Announcement by Coincheck.
27
February 1 The hackers’ Bitcoin addresses received first Bitcoin payment:
presumable test operation for crypto market for exchanges.
February 7 Crypto market for exchange open: The hackers’ Bitcoin addresses
started receiving Bitcoin from buyers.
March 12 The hackers transfer the profit from sales from their Bitcoin addresses.
March 20 NEM Foundation disables tracking.
March 22 Stolen NEM sold out.
April 23 The hackers transfer the total profit from sales from their Bitcoin
addresses.
2 10
https://corporate.coincheck.com/2018/01/26/29.html. (Last accessed on
January 23, 2021.)
3
“Wallet” is a precise term that shows an entity that holds NEM. However,
“address” is used to indicate wallet for consistency with Bitcoin.
4
https://corporate.coincheck.com/2018/03/08/46.html (Last accessed on
January 23, 2021).
5
https://web.archive.org/web/20180201060121/http://the-japan-news.
com/news/article/0004215668 (Last accessed on January 23, 2021).
6
See https://docs.symbolplatform.com/ for details on the mosaic tagging
system. There was a study that investigates the tracking by mosaic, [8]. It
examined the number of addresses that received the leaked NEM, the median
time lag of mosaic granting, and the mosaic grant rate.
2
Forensic Science International: Reports 4 (2021) 100241
with a namespace for any purpose. A mosaic can be exchanged like a
currency that no one can move except its sender. The NEM.io Founda­
tion sent a mosaic to the hackers’ addresses.7 The mosaic is in turn
assigned to the addresses to which the NEM is sent from those addresses
with the mosaic; the same process is repeated. We call the NEM with the
mosaic tracking marked NEM. The purpose of using a mosaic is to pre­
vent the hackers from exchanging the stolen NEM for other crypto­
currencies or a real currency. For the hackers to gain profit from the
stolen cryptocurrency, it is ultimately necessary that they exchange the
stolen cryptocurrency for legally authorized currency, such as US dol­
lars, euros, rubles, or yen. A mosaic can warn exchanges that deal in
NEM that the NEM they received was stolen from Coincheck, and the
exchanges may be asked not to pass transactions with the mosaic.
Further efforts by volunteers, also using mosaics, have been devoted to
tracing the stolen NEM and identifying the hackers.
The hackers attempted to disrupt the tracking by sending the marked
NEM to those who had contacted them by sending messages or a small
amount of NEM. Further, some exchanges8 that had no communication
with Coincheck passed transactions of the marked NEM, although the
NEM.io Foundation asked cryptocurrency exchanges not to pass the
transactions of the marked NEM. Those transactions resulted in a large
amount of marked NEM that was not related to hackers or hacking in­
cidents. Therefore, this counter activity to the tracking made the
tracking effort ineffective.
On February 7, 2018, one of the secondary addresses sent a message
to several other addresses announcing that a 15% discounted exchange
rate,9 relative to the rate for NEM to Bitcoin or Lightcoin10 exchange at
the time, was being offered on a crypto market, and included the URL of
the market, which had been opened by the hackers themselves. The
transactions on the crypto market continued until March 22, 2018. The
hackers announced that the balance of the stolen NEM on the addresses
used by the exchange were empty as of March 22, 2018. Almost all the
NEM stolen in the hack was exchanged for Bitcoin or Lightcoin, and it
was then dispersed among more than 130,000 cryptocurrency
accounts.11
The NEM Foundation announced12 on March 20, 2018 that it had
disabled the tracking mosaic that was used to monitor the stolen NEM. In
this announcement, the NEM Foundation stated that the mosaic tracking
had prevented the perpetrators from selling the leaked NEM and had
provided valuable information to law enforcement. However, the NEM
Foundation has no plans to provide further details.
On January 21, 2021, the investigative source announced that 31
people had been charged for exchanging NEM cryptocurrency for other
digital currencies knowing the assets had been stolen, which is a
7
The mosaic that was sent to the hackers’ addresses was “ts:warning_dont_
accept_stolen_funds.” See https://explorer.nemtool.com/#/s_account?accoun
t=NCU63AYO6RS2ISG4UEP5CALTKVQOB4FUTYIYXUAV (Last accessed on
April 28, 2021).
8
https://xtech.nikkei.com/atcl/nxt/column/18/00134/022600017/. (Last
accessed on January 28, 2021.)
9
https://explorer.nemtool.com/#/s_tx?hash=a76b5724e3bfa81f39366ddb5
eaedf93159fafc369b4d348b6b147c7242be905. (Last accessed on March 1,
2021.)
On February 2, someone sent a message to the hackers’ NEM address to
offer an exchange of the stolen NEM to DASH, a highly anonymous crypto­
currency. They subsequently had several transactions, although those in­
teractions have not been matched to identities in the real world. https://www.
itmedia.co.jp/news/articles/1802/07/news086.html. (Last accessed on
January 23, 2021.) This indicates that there is possibility that the stolen NEM
was money laundered for cryptocurrencies other than Bitcoin and Lightcoin.
11
https://www.japantimes.co.jp/news/2020/03/11/national/crime-legal/to
kyo-police-arrest-two-taking-possession-stolen-nem-cryptocurrency/. (Last
accessed on January 28, 2021.)
12
https://medium.com/nemofficial/coincheck-hack-update-removal-of-m
osaic-tagging-system-18b4157ff060.
Y. Tsuchiya and N. Hiramoto
violation of a law intended for organized crime. However, the identities
of the hackers remain unknown. The 31 suspects traded around a total of
20 billion yen worth NEM, which was approximately 30% of the stolen
value.13 The rest flowed abroad, and those who traded it were not
identified. These 31 reside in Japan in a total of 13 prefectures, and are
males aged 20–40 years. The Metropolitan Police Department further
traced the NEMs exchanged on the crypto market and identified the
identity of the registrants when their holdings were traded on regular
cryptocurrency exchanges for cash. Note that those 31 include two who
had already been arrested in March 2020 and whose trade volumes were
considerably larger than the others. Note also that one of the arrested
traded 6.7 billion yen, which was the largest trade done by a single
person. He repeated hundreds of transactions, at least, using automated
trading programs that enable fast trade.
Regarding regulatory and administrative responses, the hacking
incident prompted increased regulatory oversight of the industry. The
hack led two cryptocurrency trade groups in Japan to merge into a new
self-regulatory organization. The Financial Services Agency took
administrative action by ordering Coincheck to improve its security
practices, but it did not order the exchange to shut down. Coincheck
initially announced that it might not be able to compensate all users
affected by the hack, but then announced14 that it would repay all
260,000 users affected in Japanese yen using their own capital.
3. Method
To track and measure the exchanges of the stolen NEM on the crypto
market, how the hackers and buyers conducted their transactions needs
to be understood. During an exchange on the crypto market, buyers were
asked to provide their NEM addresses and to send Bitcoin or Lightcoin to
the Bitcoin or Lightcoin addresses provided by the hackers. After
sending Bitcoin to the hackers, the buyers received the NEM. Therefore,
there are two challenges in tracking the transactions between the
hackers and buyers to reveal how the stolen NEM was money laundered.
First, to track the stolen NEM, the NEM addresses used by the hackers
need to be identified. Second, to measure Bitcoin’s money laundering,
the Bitcoin addresses used by the hackers need to be identified.
Specifically, the first challenge is to distinguish the hackers’ NEM
addresses from numerous unrelated marked NEM addresses, which were
presumably created for disruptive purposes. Simply tracking the NEM
addresses that received the stolen NEM results in identifying addresses
and measuring transactions that are not related to the hackers or the
stolen NEM. As described in the previous section, after the hackers
transferred the stolen NEM to the secondary addresses, they also
distributed the stolen NEM to addresses that were not related to the
hackers, including the addresses of those who purchased the discounted
NEM on the crypto market and other major cryptocurrency exchanges.
Fig. 2 shows a histogram of NEM transactions between the secondary
addresses and those addresses that received the stolen NEM until the
launch of the crypto market on February 7. It reveals that the majority of
the hackers’ sending transactions were less than 100 NEM.15 Therefore,
the first heuristic is set as follows:
Heuristic 1. The hackers sent the stolen NEM in amounts smaller than
a certain threshold to unrelated addresses to disrupt tracking, whereas
they distributed the stolen NEM in amounts larger than a certain
threshold to their own addresses.
13
https://asia.nikkei.com/Spotlight/Cryptocurrencies/Japan-police-target
-about-30-people-linked-to-huge-cryptocurrency-heist. (Last accessed on
January 23, 2021).
14
https://corporate.coincheck.com/2018/03/12/47.html. (Last accessed on
January 23, 2021.)
15
Particularly, on January 30, there were transactions of 100 NEM that were
sent by the hackers to unrelated addresses. Those addresses sent messages and
mosaics to the hackers’ addresses soon after the hacking incident.
3
Forensic Science International: Reports 4 (2021) 100241
The following simple algorithm is proposed to identify hackers’ NEM
addresses. Let A(t) denote a set of addresses owned by the hackers,
where t is a block.16 A(t0), the initial set of hackers’ addresses, is set
manually. A(t0) includes those addresses that initially received the sto­
len NEM during the hacking incident. Starting with the addresses in A
(t0), where t0 is the block where the hacking incident occurs, the hacker
addresses are identified iteratively using the following algorithm.
Algorithm. .
(1) At block height t, list addresses that received more than a certain amount of NEM from
those addresses in A(t-1).
(2) Among the addresses listed in (1), exclude the addresses that received more than a
certain amount of NEM from those addresses not included in A(t-1) and from
Coincheck until block height t.
Note that 100 NEM is set as the threshold amount in steps (1) and (2)
of the algorithm according to the examination of the transactions be­
tween the secondary addresses and those addresses that received the
stolen NEM shown in Fig. 2. Using the addresses with a mosaic, the NEM.
io Foundation tracked numerous irrelevant addresses, making it difficult
to trace the flow of the criminal funds. To avoid irrelevant addresses, a
threshold value was set by examining the transactions between the listed
addresses. Note that 100 NEM is worth approximately $100–110, and it
is not likely that the hackers would have sent this amount to numerous
addresses for interference. For step (2) in the algorithm, the addresses
that received more than 100 NEM until block height t from those ad­
dresses not included in A(t-1) are also excluded, because those addresses
that have transactions of relatively large amounts of NEM with clean
addresses are likely to be unrelated to the hackers.
The second challenge is to identify the hackers Bitcoin addresses to
measure Bitcoin sales in the crypto market. To do this, the hackers’
Bitcoin addresses were obtained from WalletExplorer.17 The next step
was to ascertain whether there are other unknown addresses owned by
the hackers and to find these unknown addresses if necessary. Exam­
ining the transactions of those known addresses revealed that the known
addresses sent Bitcoin to two unknown addresses. It can be considered
that these two addresses18 were for collecting the proceeds from Bitcoin
sales. These indicated that there were two types of addresses: numerous
addresses19 for receiving Bitcoin from buyers and two main collection
addresses. Therefore, to find other unknown receiving addresses, the
addresses that were not listed on WalletExplorer but that sent Bitcoin to
the collection addresses were identified as hackers’ addresses. Note that
this identification method was also used by volunteers who traced the
hackers.20
Finally, to estimate the daily balance of the stolen NEM, the amounts
of NEM at the hackers’ addresses in A(t-1) at the end of each day are
aggregated. This shows how the stolen NEM was exchanged for other
cryptocurrencies and money laundered over time. Note that transactions
between the hackers’ addresses are excluded only to estimate Bitcoin
sales. To calculate the proportion of NEM that was money laundered
using Bitcoin, the balances of NEM and Bitcoin sales for each day are
converted to US dollars using the rates at the end of each day.
16
Time was measured by block height in the blockchain.
17
See https://www.walletexplorer.com/. (Last accessed on January 17,
2021). WalletExplorer provides Bitcoin addresses in various crypto markets and
is a useful source. Several studies have used information on the site (e.g., [9,
10]).
18
See https://www.walletexplorer.com/wallet/044c1db3e953a5a2. (Last
accessed on March 1, 2021.)
19
See https://www.walletexplorer.com/wallet/044c1db3e953a5a2/
addresses. (Last accessed on March 1, 2021.)
20
See, for example, https://bitcoinexchangeguide.com/investigation-i
nto-nem-hack-potential-bitfinex-involvement-blockchain-analysis-details-insi
de/ for description with diagrams.
Y. Tsuchiya and N. Hiramoto Forensic Science International: Reports 4 (2021) 100241

Fig. 1. Balance of NEM and Bitcoin sales.

Fig. 2. Histogram of NEM transactions sent by hackers until launch of the crypto market on February 7. Notes: Each bin is 100 NEM. For exposition purposes,
transactions valued at more than 50,000 are excluded. There are five transactions with values larger than 50,000.

4. Results and discussion
4.1. Laundering over time
First, using the developed method to identify the hackers’ NEM ad­
dresses, the unsold balance of stolen NEM over time is estimated and
demonstrated in Fig. 1 on the left axis. Fig. 1 shows a clear pattern of
periods of sluggish sales alternating with periods of increased sales. Very
little stolen NEM was sold before February 12. The stolen NEM was sold
quickly on February 13 and February 19, and sales then stagnated again
until February 27. There was an increase in sales during the period from
the end of February to March 5, and a stagnant sales period from March

4
Y. Tsuchiya and N. Hiramoto
6 to March 10. From March 11, the stolen NEM was sold at an increasing
rate. Ironically, on March 20, when the NEM.io Foundation announced
that it had disabled the mosaic tagging system, more than 10% of the
stolen NEM was sold, and a larger portion of the stolen NEM of
approximately 20% was sold on March 21, implying that approximately
30%21 had been money laundered within the two days immediately
following the announcement of the disabled tracking. The hackers then
announced that the stolen NEM was sold out on March 22.
The observed sales pattern, where buyers purchased the stolen NEM
cautiously and even aggressively after they gained trust in the crypto
market, is generally consistent with previous studies on crypto markets.
Previous studies have shown that crypto market users are concerned
about being scammed. Scams and fraud are likely to be widely used in
crypto markets [11], and crypto markets fall prey to hacking attempts.
The site administrators may abscond with users’ funds after exploring
various types of crypto market theft and fraud using multiple sources,
including forum posts [12]. Further, while crypto markets are not
restricted to economic exchange between users, these exchanges are
often a setting for scams, hacks, and threats aimed at crypto market users
[13].
Consistent with previous studies, the buyers of the stolen NEM were
initially cautious so as not to get scammed by the offers from the
hackers. However, after consulting various forums and posts and buying
small amounts of the stolen NEM, buyers began to trust the hackers’
offers and increased their purchases over time. As the exchange on the
crypto market gained trust, it is likely that more buyers came in, and that
buyers increased their purchase amount. On the last two days of market
operation, around one third of the stolen NEM was money laundered. It
was probably due to the announcement by the NEM.io Foundation about
the disabled tracking that more buyers purchased and larger trans­
actions were made.
Fig. 1 also shows the daily sales of the stolen NEM that were
exchanged for Bitcoin on the right axis. Note that the daily sales are
shown as cumulative daily sales. The daily sales of Bitcoin are parallel to
the decline in its balance. It is estimated that the majority of money
laundering was done through Bitcoin. The total value of stolen NEM
exchanged on the crypto market is estimated to be 22.6 billion yen
($206 million) at transaction market rates. This is less than half of the
stolen value according to the market rate at the time of the incident,
because the NEM exchange rate dropped significantly after the incident.
The total amount swapped for Bitcoin is estimated to be 15.1 billion yen
($137 million). This implies that two thirds22 of the stolen NEM was
money laundered through Bitcoin, whereas one third was estimated to
be money laundered by Lightcoin and other cryptocurrencies. Our es­
timate of two thirds is in line with the previous study on the use of
Bitcoin for illegal purposes. In [9], the authors investigated Bitcoin
transactions between January 2009 and April 2017 and showed that the
use of Bitcoin on crypto markets accounted for 46% of all Bitcoin
transactions. Further, although it is not shown in Fig. 1, it is observed on
April 23, about a month after sealing the crypto market, that the hackers
transferred the total profit from sales (BTC) from their Bitcoin addresses.
This is probably because the hackers held off their sales of Bitcoin to
cash out at better rates. The Bitcoin rate was recorded to be low between
February and March and began to rebound in April.
21
Although it is not known when one of the arrested traded 6.7 billion yen,
the transactions worth 6.7 billion yen do not contribute to the large volume of
purchases in the last days because those transactions were done by March 11, at
the least according to the investigative source: https://www.japantimes.co.jp/n
ews/2020/03/11/national/crime-legal/tokyo-police-arrest-two-taking-poss
ession-stolen-nem-cryptocurrency/. (Last accessed on January 28, 2021.)
22
It is estimated that around one third of the stolen NEM was money laun­
dered by Bitcoin using the rate at the time of the incident. The difference from
the daily rates is mainly due to the relatively large price decrease in NEM.
5
Forensic Science International: Reports 4 (2021) 100241
4.2. Transaction analysis
Next, using the identified sales of stolen NEM, analysis of the
transaction patterns revealed the characteristics of the Bitcoin sales.
First, there were 4778 transactions of the stolen NEM in total. Fig. 3
shows a histogram of the Bitcoin sales.23 It shows that each sale of the
stolen NEM was of a small amount, implying that individuals were the
main purchasers. Sales worth less than $100 (0.0094 BTC) accounted for
approximately 5% of all sales of the stolen NEM, and the majority of
sales took place at below $9000 (0.84 BTC).
Further, following the previous study [10], hour-of-day and
day-of-week analyses revealed the characteristics of the transactions.
Fig. 4 shows the hourly average of Bitcoin sales to examine the specific
hour-of-day transaction pattern. It shows that there is no clear tendency
of peak times although there were slightly more sales between UTC 15
and 16. Because UTC 15–16 corresponds to 11 p.m. to 12 a.m. in Japan
Standard Time, those larger sales may be attributable to residents of
Japan and East Asia. Note that the hourly average before March 16 is
also provided to exclude the effect of large sales that took place in the
final week of the crypto market. The analysis revealed a consistent
pattern. Fig. 5 shows that more transactions took place on Sundays and
Mondays as compared to the rest of the week. Note that a higher average
for Monday, Tuesday, and Wednesday for full samples is attributed to a
very large volume of sales during the final three days.
To evaluate whether these patterns were accidentally observed or
not, Table 2 shows the results of statistical tests to evaluate the signifi­
cance of the differences in the mean sales volumes by hour of day and
day of the week. The test statistics24 were obtained by the likelihood-
ratio test for equal means. To evaluate robustness, sub-periods before
and after March 16 and March 20 were examined because there were
large sales in the final week and even more sales in the final three days.
This showed that the mean sales volumes by hour were not significantly
different. The null hypothesis of the equal mean cannot be rejected at a
significance level of less than 5% (p < 0.05). In contrast, the mean sales
volumes among the day of the week were significantly different at a level
of less than 0.1% (p < 0.001). Note that these results are robust for the
periods covered.
There are three implications of these results. First, no significant
difference in hour of day suggests an international nature of the laun­
dering, which is in contrast to the local nature of illicit drug sales on
crypto markets [5,15]. Because the transactions on crypto markets more
often take place at night where trade is most active [10], there would be
a clear pattern in the hour of day if there were larger sales in specific
countries or regions. Second, a difference in the day of the week and
larger sales on Sundays and Mondays25 suggests that those buyers were
likely purchasing the stolen NEM on days off, which aligns with crypto
markets being used for personal use [10]. Users cannot access the dark
web when they are at the office and are more likely to access such sites
when they return home because they are cautious to avoid being seen.
Lastly, larger sales on Mondays might be related to an anomaly of Bit­
coin that its price is likely to increase on Mondays [16] because an in­
crease in Bitcoin price favors the exchange for more NEM. The
association between activity on crypto markets and the prices of crypto
currencies is on the agenda for future research.
4.3. Discussion
Finally, we discuss the regulatory implications of this hacking
23
Note that the mean is 3.04, the median is 0.835, the standard deviation is
6.38, and the maximum is 105.4.
24
Due to the large volatility in hourly data, heterogeneous covariance was
allowed instead of assuming equal covariance. See [14] for details.
25
Due to differences in time zones, sales that took place after midnight on
Mondays in East Asia are recorded sales as on Mondays.
Y. Tsuchiya and N. Hiramoto Forensic Science International: Reports 4 (2021) 100241

Fig. 3. Histogram of Bitcoin sales.

Fig. 4. Hourly average of Bitcoin sales.

incident. First, cryptocurrency exchanges are required to verify the financing watchdog, the Financial Action Task Force26 (FATF). It sets
identity of their users when the users open their accounts. In fact, there international standards to prevent illegal activities. In 2016, before the
exists an intergovernmental body for money laundering and a terrorist hacking incident, the FATF recommended that virtual currency

26
See https://www.fatf-gafi.org/home/ for details.

6
Y. Tsuchiya and N. Hiramoto Forensic Science International: Reports 4 (2021) 100241

Fig. 5. Week-of-day average of Bitcoin sales.

References
Table 2
Mean test. [1] S. Nakamoto, Bitcoin: a peer-to-peer electronic cash system, Bitcoin (2008) (URL),
Period Hour Day of week 〈https://bitcoin.org/bitcoin.pdf〉.
[2] R. Dingledine, N. Mathewson, P. Syverson, Tor: The Second-Generation Onion
Test statistics p-value Test statistics p-value Router, Naval Research Lab, Washington DC, 2004.
[3] K. Soska, N. Christin, Measuring the longitudinal evolution of the online
Full 17.9 0.761 41.4 (< 0.001)
anonymous marketplace ecosystem, 24th USENIX Security Symposium (USENIX
Before March 16 18.0 0.760 76.0 (< 0.001) Security 15), (2015), pp. 33–48.
After March 16 25.3 0.336 43.6 (< 0.001) [4] M. Tzanetakis, Comparing cryptomarkets for drugs. A characterisation of sellers
Before March 20 19.0 0.704 77.3 (< 0.001) and buyers over time, Int. J. Drug Policy 56 (2018) 176–186.
After March 20 34.2 0.062 49.3 (< 0.001) [5] J. Broséus, M. Morelato, M. Tahtouh, C. Roux, Forensic drug intelligence and the
rise of cryptomarkets. Part I: studying the Australian virtual market, Forensic Sci.
Note: (< 0.001) indicates that p-values are less than 0.001. Int. 279 (2017) 288–301.
[6] J. Broséus, D. Rhumorbarbe, C. Mireault, V. Ouellette, F. Crispino, D. Décary-Hétu,
Studying illicit drug trafficking on Darknet markets: structure and organisation
exchanges be required to verify the identity of customers before they
from a Canadian perspective, Forensic Sci. Int. 264 (2016) 7–14.
open accounts, but there are still cryptocurrency exchanges that allow [7] D. Rhumorbarbe, L. Staehli, J. Broséus, Q. Rossy, P. Esseiva, Buying drugs on a
users to open accounts without any legal identity. Second, coordinated Darknet market: a better deal? Studying the online illicit drug market through the
analysis of digital, physical and chemical data, Forensic Sci. Int. 267 (2016)
international policing efforts are required as seen in cases of law
173–182.
enforcement authorities in Europe and the U.S. Because illegal activity [8] S. Teppei, I. Mitusyosi, K. Omote, Survey on tracking of leaked NEM by coincheck
on crypto markets is not limited to a single country, investigation and incident (in Japanese), IEICE Tech. Rep. 118 (30) (2018) 35–41.
arrests of hackers and other participants can be effectively implemented [9] S. Foley, J.R. Karlsen, T.J. Putniņš, Sex, drugs, and bitcoin: how much illegal
activity is financed through cryptocurrencies? Rev. Financ. Stud. 32 (5) (2019)
by law enforcement authorities across various countries. 1798–1853.
[10] Y. Tsuchiya, N. Hiramoto, Dark web in the dark: investigating when transactions
Declaration of Competing Interest take place on cryptomarkets, Forensic Sci. Int. Digit. Investig. 36 (2021), 301093.
[11] M. Tzanetakis, G. Kamphausen, B. Werse, R. von Laufenberg, The transparency
paradox. Building trust, resolving disputes and optimising logistics on conventional
The authors declare that they have no known competing financial and online drugs markets, Int. J. Drug Policy 35 (2016) 58–68.
interests or personal relationships that could have appeared to influence [12] K. Moeller, R. Munksgaard, J. Demant, Flow my FE the vendor said: exploring
violent and fraudulent resource exchanges on cryptomarkets for illicit drugs, Am.
the work reported in this paper. Behav. Sci. 61 (11) (2017) 1427–1450.
[13] K. Masson, A. Bancroft, ‘Nice people doing shady things’: drugs and the morality of
Acknowledgments exchange in the darknet cryptomarkets, Int. J. Drug Policy 58 (2018) 78–84.
[14] G.A. Seber. Multivariate Observations, John Wiley & Sons, 2009.
[15] L. Norbutas, Offline constraints in online drug marketplaces: an exploratory
Tsuchiya gratefully acknowledges financial support from the Tele­ analysis of a cryptomarket trade network, Int. J. Drug Policy 56 (2018) 92–100.
communications Advancement Foundation. The opinions expressed [16] G.M. Caporale, A. Plastun, The day of the week effect in the cryptocurrency
market, Financ. Res. Lett. 31 (2019) 258–269.
herein are those of the authors and do not necessarily reflect those of
Basset Inc.