Would a Ransom Payment in Bitcoin (BTC), in Exchange for Nancy Guthrie, Be Anonymous?

The reported disappearance of Nancy Guthrie and the accompanying ransom demand for millions in bitcoin (BTC) has reignited public questions as to the anonymity of cryptocurrency. As headlines illustrate, purported kidnappers demanded a $6 million payment in BTC by a set deadline — a deadline that has now passed without payment or verified contact from any suspect.

At first glance, BTC's reputation as a privacy-centric digital asset might seem to embolden criminals: no names, no banks, no traditional “paper trail.” But that reputation oversimplifies how BTC works in practice.

The Public Can Always See the Movement of BTC, Whereas the Ownership of BTC Is Private

Bitcoin transactions are recorded on a public ledger known as the blockchain. Every transfer to and from a BTC address — including the BTC address provided by the purported kidnappers for receipt of the demanded ransom — is openly visible and permanent. That transparency is exactly what allows investigators to follow the flow of funds across transactions over time. 

But there is a critical nuance. Whereas the movement of BTC from one wallet to another is always viewable to the public, the ownership of those wallets is not public. For example, imagine if a major bank created a publicly accessible website showing the account numbers and transactions for every checking account at that bank, while also keeping the account owners anonymous. In other words, anyone could access the site, see every account number, and see every transaction between accounts—specifically the time, amount, sending account, and recipient account for every transaction. However, the owner(s) of those accounts would still be private. Whereas the public could see that a specific sum of money moved from Account A to Account B on a specific date, the public could not see any details about who owns Account A or Account B. That information would be private and inaccessible. 

The blockchain for BTC operates the same way. Every wallet is essentially an account number, and the “blockchain” is a publicly viewable ledger showing every single BTC transaction between those wallets (including the time, amount, sending wallet, receiving wallet). Meanwhile, the public cannot see who owns each wallet. There is no associated name or Social Security Number, just a wallet address (akin to a bank account number). 

The Type of “Wallet” Can Affect the Extent To Which the Ownership Information Is Private or Accessible

There are two types of cryptoasset “wallets”: (1) non-custodial wallets (a.k.a. self-custody wallets); and (2) custodial wallets (a.k.a. exchange wallets). 

First, non-custodial wallets are inherently private as to ownership. Anyone can create a non-custodial wallet in minutes through many platforms (e.g., MetaMask, Base, etc.), and that person need not provide any identifying information. Once created, the wallet will have a public address (i.e. a publicly viewable account number) that anyone can view on the blockchain. The owner will also have a password (a.k.a. private key), and that password is the sole means for anyone to access the wallet and move assets out of the wallet. Just like with a checking account number, therefore, a third party needs only the account number in order to send money into the wallet, but the password is required for someone to withdraw money from—or transfer money out of—the wallet. Meanwhile, the owner of the wallet remains completely anonymous. 

Second, exchange wallets are more similar to traditional bank accounts. A person must create the wallet with a business (i.e. exchange) that will conduct basic Know-Your-Customer (KYC) and Anti-Money-Laundering (AML) checks. Just like a bank, that business will know the identity of the account owner. Simply put, the owner effectively has an account with a business/exchange (e.g., Coinbase, Kraken, Crypto.com, etc.) that, in turn, handles the backend transactions on blockchains.

Because of those differences between non-custodial wallets and exchange wallets, some transactions can be traced to owners, whereas other transactions cannot be. 

Tracing Crypto Can Be Fruitful… Sometimes

Federal law enforcement agencies routinely employ blockchain analytics to trace cryptocurrency in fraud, money laundering, ransomware, and other cybercrime cases. The U.S. Department of Justice (DOJ) has highlighted the critical role of blockchain data analytics in prosecuting digital asset cases, emphasizing that such tools are now part of standard investigative practice. 

The critical issue is whether the BTC (or other cryptoasset) ever passed through an Exchange Wallet. If so, then that exchange (e.g., Coinbase, Kraken, Crypto.com, etc.) will have the identity of the wallet owner, and that information could be compelled. If the BTC (or other cryptoasset) passed through only Non-Custodial Wallets, however, then there is no exchange, business, or other third-party that knows or possesses the identity of the wallet owner. 

Hence, law enforcement can trace BTC and identify the owners or recipients when the BTC moves through centralized exchanges that collect identity information as part of compliance obligations. If the BTC was sent to an Exchange Wallet at Crypto.com, for example, then Crypto.com should have KYC/AML information as to the person who set up and owns that wallet. 

Unfortunately, bad actors can easily set up and use multiple Non-Custodial Wallets and move BTC (or other cryptoassets) rapidly. Although law enforcement (or the public) can feasibly watch the BTC move from wallet to wallet, law enforcement will not know who owns or controls those wallets and will not be able to seize the BTC without the private key (i.e. password) to the subject wallet. Furthermore, there are Non-Custodial Wallets and Exchange Wallets that act as “mixers” meant to receive and pool crypto assets from multiple sources and then redistribute those assets to multiple other wallets. Because of the mixing, the origin and destination of a cryptoasset become obscured; the public blockchain just shows many transfers into one wallet and many transfers out of that wallet, without a concrete way to connect the incoming transfers to the outgoing transfers.

Nonetheless, if an owner ultimately chooses to convert their BTC (or other cryptoasset) into a fiat currency (e.g., U.S. Dollars, Euros, etc.), then the owner will need to use some type of exchange or business within the regulated financial system. And that transaction could then involve a KYC/AML record as to the source of fiat currency used to purchase the BTC. Therefore, if law enforcement is still tracing those BTC, there might be a light at the end of the tunnel revealing the real-world identity of a transacting party.  

Under this paradigm, law enforcement has seized ransom-related cryptocurrency in several high-profile ransomware prosecutions and investigations. For example, the DOJ has seized millions in crypto assets from wallets associated with illicit actors, further demonstrating that transactions can leave actionable breadcrumbs. Despite criminals’ attempts to obscure trails using mixers or cross-chain maneuvers, therefore, modern analytics tools — coupled with international cooperation and subpoena authority — can allow investigators to reconstruct transactional paths and link them to individuals or entities.
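The tracing logic this section describes, as an added example that is not part of the original article: follow transfers forward from a ransom address until they reach a wallet labelled as an exchange, and mark any path that crosses a mixer as unproven. The ledger, addresses, and labels are constructed for illustration, and transfers are simplified to one sender and one receiver each (real Bitcoin transactions can have several inputs and outputs).

```python
from collections import deque

# Constructed sample ledger (not real chain data): (sender, receiver, amount_btc).
# Simplified to one sender and one receiver per transfer, as the article describes.
LEDGER = [
    ("victim", "ransom_addr", 10.0),
    ("ransom_addr", "hop1", 6.0),
    ("ransom_addr", "hop2", 4.0),
    ("hop1", "exchange_A_deposit", 6.0),
    ("hop2", "mixer_pool", 4.0),
    ("unrelated_user", "mixer_pool", 4.0),
    ("mixer_pool", "out1", 4.0),
    ("mixer_pool", "out2", 4.0),
    ("out1", "exchange_B_deposit", 4.0),
]

# Hypothetical attribution labels held by an analyst; unlabelled = non-custodial.
LABELS = {
    "exchange_A_deposit": "exchange",
    "exchange_B_deposit": "exchange",
    "mixer_pool": "mixer",
}

def trace(ledger, start, labels):
    """Follow transfers forward from `start` (links only; amounts are not split).

    Returns (leads, idle). Each entry is (address, path, via_mixer):
    leads end at an exchange wallet, idle ends at a wallet with no outgoing
    transfer. via_mixer=True means the link is unproven past the mixer."""
    outgoing = {}
    for sender, receiver, _amount in ledger:
        if receiver not in outgoing.setdefault(sender, []):
            outgoing[sender].append(receiver)
    leads, idle = [], []
    queue = deque([(start, [start], False)])
    while queue:
        addr, path, via_mixer = queue.popleft()
        kind = labels.get(addr)
        if kind == "exchange":
            # Custodial wallet: the owner's identity is in the exchange's KYC file.
            leads.append((addr, path, via_mixer))
            continue
        via_mixer = via_mixer or kind == "mixer"
        hops = [n for n in outgoing.get(addr, []) if n not in path]  # skip cycles
        if not hops:
            idle.append((addr, path, via_mixer))
        queue.extend((n, path + [n], via_mixer) for n in hops)
    return leads, idle
```

Calling `trace(LEDGER, "ransom_addr", LABELS)` yields one direct lead at `exchange_A_deposit`, one mixer-tainted lead at `exchange_B_deposit` (which may equally be the unrelated user's funds), and one idle non-custodial wallet with no identity record to compel.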

The Guthrie Kidnapper Wallet 

Various sources have reported that the ransom note for Guthrie contained a wallet address for the demanded ransom of BTC. If so, then law enforcement (or anyone) can enter that wallet address (a long string of numbers and letters) into a website and see the time, date, sending wallet, receiving wallet, and amount for all transactions into or out of that wallet. As stated above, however, law enforcement will need some additional information—that may not be obtainable—in order to identify the people or entities that own or control that wallet. 

Legal and Practical Implications

For practitioners and clients monitoring the Guthrie case and similar incidents, the takeaway is that the landscape of digital asset ransom is more complex than “anonymous wallets.” Bitcoin’s transparency creates pathways for investigation, and in many scenarios, law enforcement can exploit that transparency to identify and prosecute bad actors once funds begin to move. But bad actors also have the tools to keep BTC moving through Non-Custodial Wallets and mixers that may very well conceal the identity of the true owner(s) and leave law enforcement without a practical recourse. As high-profile cases continue to unfold and expertise in blockchain analysis grows, law enforcement will likely test these contrasts, with the aim of developing practical ways to identify and hold accountable bad actors profiting through cryptoasset ransoms. 

For more information contact Constantine Economides.
