Costa Rican news outlets have been reporting a tragic story of a kidnapping that has a very interesting cryptocurrency twist. 12 people have been arrested in Costa Rica and Spain in connection with the kidnapping (and suspected murder) of American entrepreneur William Sean Creighton, who disappeared in September 2018 and hasn’t been seen since. Creighton’s family were contacted by the kidnappers after his disappearance, and were asked to pay a ransom of $5 million USD in Bitcoin, but they were only able to pay $1 million. Despite making a transfer, Creighton was not released, and is now presumed dead. It must be added that it is thought that Creighton was targeted because he ran a sportsbook betting business in Costa Rica called 5Dimes, and was taking payment in Bitcoin.
The story has caught the public’s attention for many reasons, not only because kidnappings are rare in Costa Rica, but also because the identity of those arrested, which include the main suspect, his girlfriend, his mother, and his grandmother. The fact that the band included two policemen is also an indication of the appalling degree of corruption that plagues law enforcement in my county of origin; these policemen collaborated in stopping the victim on the road, facilitating and allowing his kidnap.
As an avid follower of cryptocurrencies, the most interesting element for me has been how the band was apprehended despite the use of Bitcoin. One of the most vaunted characteristics of Bitcoin is its anonymity, and this is the reason why it has become the currency of choice for many criminal activities. In theory, all transactions are anonymous, BTC exists as a claim to funds held in a digital address, and you do not need to provide identity to gain access to those funds, only possession of a private key.
But unless you intend to remain fully digital, the failure of the anonymity element is its interaction with the tangible world, and this seems to be where the criminals made key errors that easily gave away their identity. While some of the specifics are sketchy, it seems likely that it was precisely in the vital final step of converting their crypto assets into fiat currency where they showed their identity. All Bitcoin transactions are public because they are recorded on the public ledger that is the blockchain, and as the victim’s family made a payment with Bitcoin, they would have known which address the funds were sent to, and these accounts would have been given to the police.
The police were given three addresses where the funds were sent, so they could monitor movements in and out of the virtual wallets. According to the statement by the Costa Rican investigators, it was precisely in this stage where the criminals made a key error. The chief of the Costa Rican Judicial Police indicated that the main suspect, a 25-year-old computer engineer of last names Morales-Vega, opened an e-wallet in his residence without any anonymization shortly after the funds had been sent by the victim’s family, and this led the police to quickly identify him. Apparently, when moving funds in and out of one wallet, an IP address was revealed which was linked to Morales-Vega. We have not been given full details other than that, but the Costa Rican authorities claimed that they were able to identify the suspect early on due to this IP address, and then they passed those details to the Spanish police.
The suspect and three members of his family fled to Spain via Panama and Cuba, and once there spent lavishly on apartments and restaurants, apparently waiting for the rest of the gang to join them there. All the while they were being watched by the Spanish authorities, and then they were caught.
There are various ways at this stage by which the police could have identified the suspect. The most likely in my opinion is that he had opened an account with an exchange to change funds from Bitcoin to other currencies (it’s difficult to pay for daily stuff with cryptocurrency after all). He either used his real details to comply with money laundering regulations, or he connected to the exchange to manage his wallet with his real IP address, which could have made him easier to find. The police only needed to ask the exchange for either his real name, or the IP addresses connected to the cryptocurrency wallets, and it is likely that the exchange complied immediately. It is quite remarkable that the police were aware of his identity very early on, and were able to notify Interpol and authorities in Spain that he was moving there.
This is a fascinating conclusion to a very tragic crime, and one that shows us that while Bitcoin is anonymous, the failure point is always its interface with reality. While it is true that many criminals have managed to elude justice by the use of cryptocurrencies, when there is a very large criminal offence such as a murder or a kidnapping, police may be able to identify criminals because eventually most people will make a mistake at some point and give away their identity, particularly if they want to exchange their digital assets.
In other words, even cybercriminals should HODL.