Thodex Case from a Digital Forensic Perspective

The terms digital, cyber, incident, event and case have closely related meanings in the context of security, but distinguishing between them is beneficial for digital forensics. When analysing a case, using these words with their correct meanings will be useful in the research step of the investigation.

Yaprak Kurtlutepe
Jun 17, 2021

1.1. Digital

The concept of “digital” entered our literature with computers. The term refers to the binary system: 1 and 0. These two digits form the basis of computerized media. The concept covers the internet, computer programs and applications.

1.2. Cyber

The etymology of the term “cyber” goes back to ancient Greece. Historically, the term carries the meaning of “governing”, from which we can infer the sense of management. Cyber means information-driven governance.[1] Basically, cyber gathers all the components of the internet world under a common roof.

1.3. Incident

As a term, an incident is like an event, but it has a suspicious dimension. From a security point of view, there are security incidents: a situation that puts sensitive data at risk of exposure is called an “incident”.

1.4. Event

Event and incident seem like synonyms, but there is an important difference between them: events can happen at any time, like incidents, but unlike incidents, these unexpected events are not always harmful to the system or the organization. There may be unexpected situations that do not compromise organizational data. It would be correct to call such a situation an “event”.

1.5. Case

“Case” is a description of the situation. A case can contain an incident or an event. If there is a risky environment or a damaged area, the explanation is also here. Possible solutions and possibilities are also indicated. It is possible to talk about the context.

Problem: Problems can be found abundantly in a case. Incidents and events may occur due to problems; the occurrence of an incident can itself be a problem. A problem is a situation that must be dealt with in order to solve a matter.

1.6. Digital Forensics

Forensics is a branch of science. It benefits from the law. Forensics can take part not only in the investigation of a crime, but also in matters where a crime has not been committed, or where a person is accused of wrongdoing. Fraud and crime are the primary research areas of forensics. Fraud is the misuse of the assets or parts of a person or an organization in unethical ways, while crime aims to harm a person or an organization. There may be different ways of doing this damage. For example, damage can be done using fraud techniques.

Digital forensics is the uncovering and examination of evidence located on all things electronic with digital storage, including computers, cell phones, and networks.[1] It is a field that covers the basic elements of information security and information assurance. These disciplines are needed to examine criminal assault, a criminal investigation, and forensic validation methods as evidence. Digital forensics is a kind of representation of information and communication technologies (ICT) and the law, both substantive and procedural, that is our rule of law.

This discipline uses evidence and evidence-based objects. Pieces of evidence can be a digital asset or a computational inference. The basic principle here is that, regardless of the form, whether judicial, legislative, or administrative, the use of electronic evidence in forensics should be reliable. This basis is vital to the investigation of new cybercrime where the evidence is largely digital. For this reason, it is necessary to consider the reliability of the sources to be examined.

1.7. Blockchain

Numerous definitions have been used to conceptualize and define the Blockchain and cryptocurrencies. The online dictionary of Merriam-Webster quotes a definition of Blockchain from Iansiti and Lakhani (2017): “The technology at the heart of bitcoin and other virtual currencies, Blockchain is an open, distributed ledger that can record transactions between two parties efficiently and in a verifiable and permanent way. The ledger itself can also be programmed to trigger transactions automatically.”

The concept of Blockchain first appeared in October 2008 as part of a proposal for Bitcoin that intended to create P2P money without third parties like banks. The opening lines of the proposal read as follows:

“Commerce on the Internet has come to rely almost exclusively on financial institutions serving as trusted third parties to process electronic payments… What is needed is an electronic payment system based on cryptographic proof instead of trust, allowing any two willing parties to transact directly with each other without the need for a trusted third party…”[2]

Satoshi Nakamoto, the author of this proposal, published the idea of “Bitcoin” as a computer program they hoped would one day produce the modern world’s first thriving non-national currency. Bitcoin, a type of cryptocurrency that Nakamoto explained in their proposal, is a medium of exchange similar to the US dollar, European Euro or other currencies. Unlike physical currencies, a cryptocurrency is digital and uses cryptology methods to control the creation of monetary units and verify the transfer of funds.[2]

1.8. Peer To Peer Network (P2P)

The definition of a P2P network changes depending on the industry in which it is used. For example, for the financial sector, a P2P network is a distributed network that enables peers to exchange digital assets like cryptocurrencies. This architecture allows peers, sellers, and buyers to buy or sell without a mediator.

Blockchain technology is a distributed ledger system. It can store linked transactions in the form of a decentralized database in the P2P network. Accordingly, there are no other destinations in this network except the users who perform transactions. Data is stored in time-stamped blocks linked in a chain, creating a perpetual audit trail that is publicly visible and validated by a consensus-based proof of trust.

1.9. Chain Of Custody

Chain of custody is the essential part of evidence documentation. The tools, techniques and processes utilized for an investigation should be trustworthy and perform as intended; they must be audited in order to provide the chain of custody. The primary thing to consider is the authenticity of the evidence.

In order to conduct forensic investigations, tracking source information requires using Chain of Custody (CoC) documents.

When we consider digital evidence, we are talking about who, when, where, how, and the integrity of the data.

The chain of custody, or chain of evidence, is the record of the movement and possession of evidence from the scene of discovery and crime, through each individual who holds it and its transport to the laboratory for examination, until it is admitted in court. [3]

Capital Markets Board of Turkey (SPK)

The Capital Markets Board is the public institution responsible for regulating the capital market. It is an institution with authority to determine the procedures and principles related to the capital market.[4]

The capital market contributes to the production of economic value by directly bringing together those who supply funds and those who request funds. For this reason, the capital market must function fairly, effectively and transparently, and the legitimate interests of market actors must be protected. The Law was prepared with consideration of the European Union Directive on the Markets in which Financial Instruments Transact, and of events in the world such as the crisis of subprime mortgage loans (Enron Scandal, 2001). The law envisages exclusive legal sanctions for the capital market in order to prevent certain acts that may adversely affect the capital market.[5]

2. Digital Forensics and Laws

Cyber-activity relationships between countries are often affected by the agreement obligations between them. To regulate this issue, it is necessary to examine the relevant activities and regulations of the countries that have and have not signed the European Cyber Crime Convention. The convention signatories have established a web of treaty obligations designed to address rights and cooperation between countries. In addition, signatories need to harmonize their domestic laws to allow compliance with the laws of other countries with which they have to cooperate.[6]

2.1. Convention On Cybercrime

The convention aims to harmonize the legislation of the state parties and to coordinate an effective judicial cooperation.

“For the purposes of this Convention:

a. “computer system” means any device or a group of interconnected or related devices, one or more of which, pursuant to a program, performs automatic processing of data;

b. “computer data” means any representation of facts, information or concepts in a form suitable for processing in a computer system, including a program suitable to cause a computer system to perform a function;

c. “service provider” means:

i. any public or private entity that provides to users of its service the ability to communicate by means of a computer system, and

ii. any other entity that processes or stores computer data on behalf of such communication service or users of such service.

d. “traffic data” means any computer data relating to a communication by means of a computer system, generated by a computer system that formed a part in the chain of communication, indicating the communication’s origin, destination, route, time, date, size, duration, or type of underlying service.”

The offenses defined in the Convention are[7]:

a. Offenses against the confidentiality, integrity and availability of computer data and systems (illegal access, illegal interception, data interference, system interference, misuse of devices),

b. Computer related offenses (computer-related forgery, computer-related fraud)

c. Content related offenses (offenses related to child pornography)

d. Offenses related to infringements of copyright and related rights.

3. Digital Forensic View To Cryptocurrencies

Digital forensics uncovers and examines evidence located on all electronic things with digital storage, including computers, mobile phones, and networks.[8] It is a field that encompasses the essential elements of information security and information assurance. These disciplines are needed to investigate a criminal attack, criminal investigation and forensic validation methods as evidence. Digital forensics represents information and communication technologies (ICT) and law, both substantive and procedural.

The application of cryptology methods in digital forensics preserves digital integrity and repeatability by creating a digital fingerprint (hash digest) for a digital asset, which prevents undetected changes in the record of transactions in the ledger. Blockchain technology can provide forensic applications that offer significant advantages for digital forensic investigation procedures. In particular, Blockchain can increase transparency at every investigation stage. For example, it can provide practical applications in the early stage of the investigation to precisely define data sources, reduce data storage, and increase the efficiency of operational analysis to reduce costs.[9]
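The hash digest described above and the who, when, where and how of the chain of custody (section 1.9) can be combined in a small hash-linked custody ledger. The following is an added example, not code from the article or from the framework in [3]; the field names, custodian names and sample evidence bytes are constructed for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # previous-hash value used by the first ledger entry


def fingerprint(data: bytes) -> str:
    """SHA-256 digest used as the digital fingerprint of an evidence item."""
    return hashlib.sha256(data).hexdigest()


def entry_hash(entry: dict) -> str:
    """Hash all fields of an entry except its own stored hash, canonically."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return fingerprint(json.dumps(body, sort_keys=True).encode("utf-8"))


def append_entry(ledger, evidence, who, when, where, how):
    """Record one custody step and link it to the previous entry."""
    entry = {
        "seq": len(ledger),
        "who": who, "when": when, "where": where, "how": how,
        "evidence_sha256": fingerprint(evidence),
        "prev_hash": ledger[-1]["entry_hash"] if ledger else GENESIS,
    }
    entry["entry_hash"] = entry_hash(entry)
    ledger.append(entry)
    return entry


def verify(ledger, evidence):
    """Return a list of problems; an empty list means the chain is intact."""
    problems = []
    prev = GENESIS
    digest = fingerprint(evidence)
    for e in ledger:
        if e["prev_hash"] != prev:
            problems.append(f"entry {e['seq']}: broken link to previous entry")
        if entry_hash(e) != e["entry_hash"]:
            problems.append(f"entry {e['seq']}: record altered after it was written")
        if e["evidence_sha256"] != digest:
            problems.append(f"entry {e['seq']}: evidence digest mismatch")
        prev = e["entry_hash"]
    return problems


def build_sample_ledger():
    """Constructed sample: one evidence item passing through three custodians."""
    image = b"constructed sample bytes standing in for a disk image"
    ledger = []
    append_entry(ledger, image, "Officer A", "2021-04-23T09:00Z", "scene", "seized laptop")
    append_entry(ledger, image, "Courier B", "2021-04-23T13:00Z", "transit", "sealed bag")
    append_entry(ledger, image, "Examiner C", "2021-04-24T10:00Z", "laboratory", "write-blocked imaging")
    return ledger, image
```

A ledger like this only detects edits to entries that have a successor; the hash of the newest entry has to be anchored somewhere the custodians cannot rewrite, which is the role the blockchain plays in the approach cited in [3].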

4. Analysis Of Thodex Case From Digital Forensics Perspective

Thodex is a cryptocurrency exchange. Until mid-April 2021, many users were trading in this market. Thodex was known as the first Turkish cryptocurrency exchange to open to the global market.

This market was advertised quite well. Its name was announced in many places through celebrities and politicians. In order to use the system, users took a photo with their IDs and registered, so the market was growing.

In April, it was announced that there was a failure in the system and that it would not be possible to trade the cryptocurrency called Dogecoin for a while. It was said that six hours of maintenance work would be done for all operations.

The market made another announcement after this failure. This time it was announced that the stock market would not work for five to six business days because the market was planning a partnership.

Users could not access their accounts on the market, and news emerged that the founder of Thodex closed their Twitter account and went abroad. Accordingly, on April 22, it was stated on the market’s Twitter account that it was “temporarily closed for trading due to the abnormal fluctuation in the company account”. Thus, the news was denied.

The trading volume on the Thodex exchange is thought to be $585,513,644. The equivalent of this value is 4.881.702.441 Turkish Liras as of April 23. The latest activity in the stock market coincides with around 10:00 on April 20, according to Coinmarketcap data. It is possible to research where the money in the market might go.

For example, Whale Alert is a Twitter page that tracks and reports large amounts of suspicious money transfers. However, Thodex’s wallet addresses are not available on this site. When we search BitInfoCharts, another site where Bitcoin accounts are published, no wallet account belonging to Thodex appears.

Another way to find wallets belonging to Thodex is to track them on the blockchain with information obtained from users who previously traded on the market. One of the findings of studies in this direction is that some wallets of the Thodex exchange were either completely emptied three months ago or held very little money.

In such cases, it may be necessary to research its history in order to have a clearer view. According to an “about us” page on the Wayback Machine, Thodex is based on Koineks, which was founded in 2017. However, there is no corporate structure, founder name or similar information here.

It is remarkable that the FinCen MSB license, which is stated to have been obtained from the USA, is mentioned in the About Us section; when a search is done on this subject, it can be seen that the license issue is covered on various news sites: it is not a license, it is just a database. Thus, a record called Thodex can be accessed in FinCen, known as the financial crimes investigation network, where organizations that carry out financial transactions in the country must register.

The registration date is April 16, but in the article on Thodex’s site, celebrating their third year, it is written that the license was received in March. When FinCen data is examined again after this remarkable difference, it is possible to reach other information in the Thodex file. The file downloaded from the site states that the registration is for money transfer transactions and that the address is 55 E. Lockerman St, Suite 120 Dover; after a bit of searching, this turns out to be a post office.

When we look up Thodex INC on opencorporates.com, a database where companies can be searched, we reach the information that the previous name was “Koineks”. In other words, we can say that the record in FinCen belongs to Thodex, which also operates in Turkey.

From the Trade Registry, it is possible to access the information of a company established as Koineks Teknoloji AŞ on September 20, 2017, although not on behalf of Thodex. In this record, the address and sole founder of the company can be reached.

CMB, the institution that should be the most active in such a situation, said, “Crypto assets and platforms are not within the jurisdiction of our board.”

The Thodex event is such that it will open the door to many discussions, from the legal status of the crypto money markets to their control.[10]

When the Thodex case is examined in digital forensics, we can reach some key points which summarize the situation.

The threat source is internet fraud. The threat event is the theft of the assets of those who intend to invest, while the vulnerability is the lack of audit, the absence of any regulation in this regard and the unconscious use of technologies. The risk event causing all this is the possibility of losing economic assets. When viewed on a large scale, the impact is on people’s lives, the situation of other companies in the stock market and the country’s economy. The consequence is loss of reputation, as the Binance environment is now considered unsafe, while the loss is economic loss.

5. Conclusion

First of all, Binance is a subject of economics; financial knowledge is also necessary. However, trading in this market is not limited to knowledge in these matters. It is necessary to know the cryptocurrency system well; this requires modern internet knowledge. Binance is a risky environment for those who cannot choose which sites are trustworthy because, although there are regulations and controls, the internet is a free and constantly evolving environment. For this reason, users should have extensive knowledge about the economy, finance, and the internet.

In addition to these requirements, it is necessary to protect the rights of individuals. Just as the state determines laws to combat cybercrime, some regulations should be made in this area as well. Institutions such as the CMB should adopt a posture that aims to take the situation under control in cases such as the Thodex case. Thus, the Binance domain is considered reliable for users, and the crime rate is significantly reduced.

References

[1] Wiener, N. (2019). Cybernetics or Control and Communication in the Animal and the Machine. MIT press.

[2] Nakamoto, S. (n.d.). A Peer-to-Peer Electronic Cash System. 24.

[3] Burri, X., Casey, E., Bolle, T., & Jaquet-Chiffelle, D. O. (2020). Chronological independently verifiable electronic chain of custody ledger using blockchain technology. Forensic Science International: Digital Investigation, 33, 300976.

[4] Sermaye Piyasası Kurulu. https://www.spk.gov.tr/Sayfa/Index/0/0/2.

[5] Geçer, A. E. (2017). Sermaye Piyasası Hukukunda Piyasa Dolandırıcılığı Suçu. Ankara Hacı Bayram Veli Üniversitesi Hukuk Fakültesi Dergisi, 21(2), 241–270.

[6] Losavio, M. M., Pastukov, P., Polyakova, S., Zhang, X., Chow, K. P., Koltay, A., … & Ortiz, M. E. (2019). The juridical spheres for digital forensics and electronic evidence in the insecure

[7] Ozbek, M. (2015). The Impacts of European Cybercrime Convention on Turkish Criminal Law. GSI Articletter, 13, 73

[8] Garfinkel, S. L. (2013). Digital forensics. American Scientist, 101(5), 370–377.

[9] Li, S., Qin, T., & Min, G. (2019). Blockchain-Based Digital Forensics Investigation Framework in the Internet of Things and Social Systems. IEEE Transactions on Computational Social Systems, 6(6), 1433–1441.

[10] Teyit. (2021, April 24). Thodex olayı hakkında neler biliyoruz?: Teyit. Şüpheli bilgileri inceleyen doğrulama platformu. https://teyit.org/dosya-thodex-olayi-hakkinda-neler-biliyoruz.
