Behind the Curtain: Inside the Investigation Task Force at CertiK

In films, we often encounter suave detectives using intricate stringboards to crack complex mysteries. But do similar stringboards exist at CertiK? How does the team approach blockchain investigations? To shed light on these questions, we reached out to the expert investigators, intelligence analysts, and security engineers at CertiK. Matthew and his colleagues from the Special Investigation Task Force welcomed us into their virtual "24/7 command center" to answer our inquiries and offer exclusive insights.

Q: How do you become a crypto investigator?

A: It's crucial to note that our crypto investigators do not work solo on cases; rather, it is a collaborative effort that leverages a wide range of diverse expertise. Our team of over 250 security engineers, PhD researchers, data scientists, intelligence analysts, and criminal investigators each bring a unique skill set to the table when investigating complex blockchain cases. All these individuals share key characteristics: passion for their job, curiosity, attention to detail, and determination.

When a customer engages us to tackle a case, the Special Investigation Task Force assigns a customized cross-functional team composed of specialists from across the company. Collaborating with such a diverse group of experts is always an exciting experience, particularly as everyone here at CertiK is hardworking, passionate, and eager to share their knowledge. Our team members undergo a stringent selection process, as we receive thousands of applications from specialists working for top companies, prestigious law enforcement agencies, and intelligence organizations globally.

Q: How was the transition from law enforcement to CertiK?

A: Making the transition from a government job to CertiK was a significant change, but our investigators see it as a unique chance to apply their government-acquired skills in a more flexible and innovative organization. In government agencies, bureaucratic barriers can impede progress and limit the ability to improve investigation processes, techniques, and tools.

At CertiK, we enjoy the freedom to experiment and innovate, which makes a substantial impact. Of course, we also work hard—our 24/7 incident response team never rests, and even when we're off duty, it's challenging to detach from a captivating case. Our work here is far from a standard 9-to-5 routine and has an addictive quality. It's not unusual for our investigations to be so engaging that we forget to take a break, and end up dedicating entire nights or personal time to chasing a thrilling lead!

Q: What kind of investigations do you typically conduct in the crypto space?

A: Our team investigates a wide range of cases, with the scope varying from providing incident response services to in-depth expert investigations into specific incidents. These incidents can include hacks, flash loan exploits, illicit liquidity removals, wallet compromises, honeypots, phishing, and more. Our clients seek to evaluate the situation, contain the attack or damage, and track stolen funds. In addition to investigations, we also provide recommendations for improving security measures to prevent future incidents, and in some cases, we may even produce a comprehensive investigation report for investors, the community, or law enforcement authorities.

One of our most recent cases was for a company that was suing a defaulting partner and required us to assess the damage and serve as their expert witness. The requests we receive are highly diverse, which is why the Special Investigation Task Force is not a standalone team, but rather a collaboration of several teams. This includes the 24/7 incident response team that quickly analyzes incidents, members of the investigation advisory team who bring expertise from law enforcement, and security engineers from various technical teams who provide ad-hoc technical support.

Q: How do you solve these crypto cases?

A: This is a frequently asked question, and understandably so, as people are eager to learn about our investigative process. In some ways, our approach resembles that of traditional criminal investigations, where we conduct interviews with relevant parties, gather and analyze both public and confidential information, and pursue promising leads.

However, what sets our investigations apart is the requirement for technical expertise and the utilization of specialized tools and analysis. This has driven our engineers to develop proprietary software, such as a custom investigation management application, an address profiler, and a comprehensive Web3 criminal database. Moreover, we place significant emphasis on combining on-chain and off-chain data, which requires a unique perspective to effectively navigate the uncertainties that often arise throughout the investigation. To overcome this, we have created a playbook with a clear and structured process that allows our clients to track the progress of their case.

We typically start with a preliminary call with the client to discuss the incident and determine their specific objectives. Upon agreeing on the scope and outcomes, our investigative team launches into action and establishes a virtual war-room where they can collaborate closely with the client and provide live updates and findings. We present the results and provide recommendations for future security measures. Our clients often request a detailed report and evidence records for their stakeholders, or, in the event of an attack, we may submit a customized investigation report to law enforcement on their behalf.

Q: Can you investigate without access to government databases?

A: This is a crucial aspect of our work as a private company. Unlike law enforcement agencies, we do not have the authority to obtain privileged information, but our customers trust us and voluntarily provide us with the necessary details for the investigation. It's important to understand that investigative databases, although necessary, do not automatically solve cases on their own.

At CertiK, we have developed a proprietary Web3 criminal record dataset, which has proven to be invaluable in connecting transactions, wallets, criminals, and their past criminal history. Our database is unique as every flag represents a verified criminal event with corresponding evidence records.

To solve complex cases, one needs a combination of factors, including a robust investigative methodology, vast experience, and access to top resources. The ability to innovate and continuously improve our processes sets us apart and enables us to successfully crack even the most challenging cases.

Q: What type of customers hire your team for investigations?

A: Our investigators are ready to help anyone who is affected by serious security incidents in the Web3 space. Our clients are typically large or mid-sized organizations operating in the blockchain domain who have been affected by an incident or theft. They seek a comprehensive solution that covers both immediate response and post-incident investigation, reporting, and evidence recording. Engaging with clients after an incident can be both challenging and rewarding. As we work to understand and assess the situation, provide answers to their questions, and increase their chances of a favorable outcome and law enforcement response, we become a trusted ally in a time of great stress. This trust is a testament to our ability to handle sensitive and complex cases, and our commitment to delivering results that meet and exceed our clients' expectations.

Q: What is the most interesting thing you have discovered while working as a crypto investigator?

A: One of the most intriguing aspects of conducting crypto investigations is the blend of on-chain and off-chain intelligence analysis. The challenge lies in seamlessly connecting these two perspectives to arrive at a complete picture of the case. It is also fascinating to witness how perpetrators are constantly adapting to new technologies and devising new methods of illicit activities. Our investigators relish the opportunity to uncover hidden issues and evidence, chase leads, and crack complex cases. Additionally, they find it rewarding to continuously innovate and develop new techniques and tools that aid in detecting fraud and analyzing incidents. Our team is constantly pushing the limits of what is possible with blockchain technology, and the investigative potential it holds is truly remarkable.

Q: As investigators who have analyzed thousands of criminal incidents, do you believe most crypto projects are scams?

A: It is a common misconception that the majority of cryptocurrencies are scams. While there have been instances of fraudulent activities in the crypto world, it's important to understand that this is not representative of the entire ecosystem. In fact, there are many legitimate crypto projects that are making a positive impact on the world.

It's also worth noting that the media tends to focus more on the negative stories, like Web3 scams, as they make for attention-grabbing headlines. The transparency of the blockchain, however, also makes it easier to detect and document criminal activities.

At CertiK, we have had the privilege of working with thousands of crypto entrepreneurs over the past five years and have seen firsthand the dedication and hard work that goes into building legitimate projects. We believe that there are more legitimate entrepreneurs than scammers in the crypto world, and that the best way to reduce the risk of investing in a scam is to check our Security Leaderboard to verify the development team and their KYC status.