Predicting Threats by Anomaly Tracking Crypto-to-Fiat Conversions in a Geolocation
In April 2021, Strike Labs joined the JSOC Wildfire Data Challenge, a month-long effort bringing together intelligence professionals from the U.S., Five Eyes partners, and Jordan. Strike Labs chose to tackle the challenge of analyzing crypto-to-fiat conversions to detect adversarial operations.
The Core Challenge: Predicting Threats with Anomaly Tracking
Strike Labs hypothesized that sudden spikes in crypto-to-fiat conversion in a specific area could be a predictive indicator of upcoming adversarial attacks.
The core idea behind tracking crypto-to-fiat conversions is that adversaries use cryptocurrency as a convenient, anonymous medium for storing illicit funds. However, for real-world operations—like purchasing equipment, renting vehicles, or bribing officials—they need local, usable currency: fiat money. Therefore, a sudden spike in crypto-to-fiat conversions within a specific geographic area can be an indicator of upcoming operations or attacks.
Imagine a scenario in a mid-sized city known for sporadic unrest. Over recent weeks, intelligence analysts have noticed increased chatter about a potential attack but have no clear signals about timing or targets. Then, suddenly, there’s an unusual spike in Bitcoin conversions at local ATMs—particularly in one specific neighborhood.
Normally, conversions are steady and predictable. But in this case, over 48 hours, transactions increase by 500%. Analysts flag the anomaly: someone is turning large amounts of crypto into local currency. The spike correlates with an uptick in online wallet transactions exhibiting a peeling pattern—large sums broken down and split across numerous wallets. This is classic laundering behavior, meant to confuse investigators and disguise the source of the funds.
The intelligence team suspects that this surge in fiat conversion is linked to imminent operational needs. The attackers may be preparing to buy supplies, secure safe houses, or pay local contacts. This pattern suggests that the attack is no longer just talk—it’s moving toward action.
By focusing on these crypto-to-fiat spikes, intelligence teams can shift from reactive to proactive defense, taking steps like bolstering local security, initiating surveillance, or targeting suspicious actors. While not conclusive, the conversion pattern provides a valuable piece of the puzzle, potentially saving lives by enabling early intervention.
Here’s how the concept unfolded:
Identifying Conversion Points: We mapped global ATMs and kiosks where crypto was converted to fiat, providing a foundational dataset for analysis.
Real-Time Anomaly Detection: By monitoring conversion patterns in real-time, we aimed to detect spikes or suspicious behaviors in specific areas. These anomalies could signal attackers preparing for operational expenses.
Integrating Intelligence: We combined blockchain data with open-source intelligence, aiming to correlate suspicious wallet IDs with known adversaries. This provided a more comprehensive analysis and alerted intelligence analysts to potential threats.
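The two signals described above (the 48-hour conversion spike in one area from the scenario, and the peeling pattern that the real-time anomaly detection step looks for) can be shown as working detection logic. The following is an added example written for this page; it is not Strike Labs' peeling detection code nor anything JSOC operationalized. Area names, wallet ids, amounts and hourly counts are constructed placeholders, and the spike threshold and peel ratio are assumed tuning values, not figures from the challenge.

```python
"""Added example (not Strike Labs' or JSOC's code): two detectors that
mirror the concept on this page, run over constructed sample data.

1. Geolocated crypto-to-fiat spike detection: hourly conversion counts per
   area are compared against a trailing baseline; a 48-hour window whose
   percent increase over that baseline exceeds a threshold is flagged.
2. Peeling-chain detection: a transaction graph is walked for the pattern
   of a large balance moving hop by hop while shedding a small "peel"
   output at each step.
"""
from collections import defaultdict
from statistics import mean

# --- 1. Spike detection -------------------------------------------------

def baseline_rate(history, window_hours):
    """Mean hourly count over everything before the trailing window."""
    base = history[:-window_hours]
    if not base:
        raise ValueError("not enough history for a baseline")
    return mean(base)

def percent_increase(history, window_hours=48):
    """Percent change of the trailing window's mean hourly count versus
    the baseline mean; 500.0 means the rate is six times the baseline."""
    recent = mean(history[-window_hours:])
    base = baseline_rate(history, window_hours)
    if base == 0:
        return float("inf") if recent > 0 else 0.0
    return (recent - base) / base * 100.0

def flag_spikes(counts_by_area, window_hours=48, threshold_pct=300.0):
    """Return {area: percent_increase} for areas at or above the threshold
    (threshold is an assumed tuning value)."""
    flagged = {}
    for area, hist in counts_by_area.items():
        pct = percent_increase(hist, window_hours)
        if pct >= threshold_pct:
            flagged[area] = round(pct, 1)
    return flagged

# --- 2. Peeling-chain detection -----------------------------------------

def peeling_chains(txs, min_hops=3, peel_ratio=0.2):
    """txs: list of (txid, input_wallet, [(output_wallet, amount), ...]).
    A hop is a 'peel' if it has exactly two outputs and the smaller one is
    below peel_ratio of the total. Chains are followed through the larger
    (change) output. Returns chains with at least min_hops hops."""
    by_input = defaultdict(list)
    for _txid, src, outs in txs:
        by_input[src].append(outs)

    def next_hop(wallet):
        for outs in by_input.get(wallet, []):
            if len(outs) != 2:
                continue
            (_w_small, a_small), (w_big, a_big) = sorted(outs, key=lambda o: o[1])
            if a_small < peel_ratio * (a_small + a_big):
                return w_big
        return None

    # Chain heads are spending wallets that are not themselves the change
    # output of an earlier peel hop.
    change_targets = {next_hop(src) for src in by_input} - {None}
    chains = []
    for head in by_input:
        if head in change_targets:
            continue
        chain, cur, seen = [head], head, {head}
        while (nxt := next_hop(cur)) and nxt not in seen:
            chain.append(nxt)
            seen.add(nxt)
            cur = nxt
        if len(chain) - 1 >= min_hops:
            chains.append(chain)
    return chains

# --- Constructed sample data -------------------------------------------

# Seven days of baseline followed by 48 hours of activity, per area.
SAMPLE_COUNTS = {
    "district-a": [2] * 168 + [2] * 48,   # steady
    "district-b": [2] * 168 + [12] * 48,  # 500% increase over baseline
}

# Transaction graph: (txid, input wallet, [(output wallet, amount), ...]).
SAMPLE_TXS = [
    ("t1", "w0", [("peel1", 0.05), ("w1", 9.95)]),
    ("t2", "w1", [("peel2", 0.05), ("w2", 9.90)]),
    ("t3", "w2", [("peel3", 0.05), ("w3", 9.85)]),
    ("t4", "w3", [("peel4", 0.05), ("w4", 9.80)]),
    ("t5", "x0", [("x1", 5.0), ("x2", 5.0)]),   # even split, not a peel
]

def run_sample():
    """Run both detectors over the constructed data."""
    return flag_spikes(SAMPLE_COUNTS), peeling_chains(SAMPLE_TXS)

if __name__ == "__main__":
    spikes, chains = run_sample()
    print("spiking areas:", spikes)
    print("peeling chains:", chains)
```

On the sample data only district-b is flagged, at a 500% increase, and the w0 to w4 sequence is reported as a four-hop peeling chain while the even split from x0 is ignored. In practice the baseline would be seasonal (day-of-week, local events) rather than a flat mean, and a flagged chain is only a lead until the wallets in it are correlated with other intelligence, as the integration step above describes.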
Key Challenges in Implementation
The concept was promising, but not without obstacles:
Data Scale: Tracking conversions globally required mapping thousands of kiosks and ATMs.
Pseudonymous Blockchain: While transactions are transparent, identifying the true owners of wallets remains difficult.
Adaptability: Adversaries constantly change tactics, necessitating a flexible tool capable of adapting to evolving laundering techniques.
Final Thoughts
Upon completion of the challenge, Strike Labs delivered the initial peeling detection code and overall concept to JSOC. Whether JSOC further developed or operationalized the concept remains unknown. The Wildfire Data Challenge underscored the importance of private-public collaboration in tackling complex national security issues. For Strike Labs, the experience highlighted how advanced data analytics could transform intelligence operations, making them faster, more accurate, and more predictive.