We first mentioned Ben Strickland in our coverage of his report on SadaqaCoins, a dark web marketplace aimed at crowdfunding for weapons and paramilitary training of Syrian jihadists. Strickland didn’t just stumble across the site — he’s an OSINT (open source intelligence) investigator who uses OSINT techniques to trace cryptocurrency transactions and draw connections between paramilitaries, extortionists, and organized criminals online.
In June, Strickland published a Medium post called “Tracing a Jihadi cell, kidnappers and a scammer using the blockchain — an open source investigation.”
Strickland spoke to CCN about the open-source data techniques he used in his investigation, describing open source data as anything from YouTube videos, blockchain data, satellite imagery, or social media posts.
“I started by looking at a jihadist group that were requesting donations from the public through the typical channels groups like that generally operate on (Telegram, Twitter). Doing the same as I do with human rights abuses, I looked at all of the data available. It became apparent to me than an address linked to their account was linked to a kidnapping in South Africa.”
He started to run searches on Google and Reddit regarding linked bitcoin addresses and found a comment about a scam Facebook account containing one of the addresses he had flagged.
“I looked through the alleged Facebook account. It was pictures of the guy and his girlfriend from the UK, but he was cashing his bitcoin out in South African Rand. In other images he was posting pictures of handfuls of US dollars and statements on ‘how I can make you the next bitcoin millionaire.’”
He later found multiple other Facebook accounts with a similar setup that actually offered each other support and guidance on how to scam their victims as well as praising each other’s successes.
“Needless to say, my bullshit radar was going off. Those Facebook accounts had pictures of their bitcoin addresses to flash how much they had made. On the blockchain, those addresses were in the middle of it all. I eventually identified a former South African exchange that was connected to them all.”
Asked about the reasons behind his work, Strickland cited the growing amount of cryptocrime cases, pointing out that on BitcoinWhosWho, a site aimed at identifying bitcoin addresses and reporting scams, there are 10-30 daily reported cases of sexual extortion alone. He said that just as we have the ability to monitor the more prevalent world of fiat-funded crime, it’s important that people are aware of the methods used to monitor crypto-crime as well.