Police lost $45,000 in Bitcoin when an online investigation went wrong. Photo / File
NZ police officers were hoodwinked by the criminals they were targeting and had $45,000 in Bitcoin stolen during a covert online police operation.
The undercover online investigation was into money laundering but led to the detectives carrying out the operation being rinsed by the criminals they were pursuing.
The missing money has led to two further police inquiries.
One internal investigation has identified gaps in police procedures which failed to adequately protect the taxpayer money.
A criminal investigation into the money being taken was also launched but has so far failed to identify where the money went, or who took it.
The loss of the money, which was taken from a police Bitcoin wallet, was considered significant enough that Commissioner Andrew Coster was told and then briefed Minister of Police Poto Williams.
Williams confirmed she was briefed during a standard meeting with police but said the content of the discussion was confidential. The loss was also immediately reported to police's external auditors.
National Criminal Investigation Group intercept and technology operations manager Detective Inspector Stuart Mills said: "Police has committed to learning from this incident, and to introducing stronger processes so that it does not happen again."
Mills said police had purchased Bitcoin for $45,000 for use in an investigation. He said it was discovered in late 2020 that the money was gone.
He said the money was "fraudulently obtained from a police Bitcoin wallet during an operation" aimed at money laundering.
Mills said the culprits were "likely based overseas" and the "offending was part of a wider fraud targeting Bitcoin wallets".
The Weekend Herald had been told the money was intended to be used for a "controlled purchase" - a sting in which police attempt to buy illicit goods or services.
Police launched a criminal investigation into the "fraud" led by a detective sergeant from the National Organised Crime Group.
"The offenders have not yet been identified," Mills said.
The second inquiry into police processes around the handling of the Bitcoin was led by Detective Inspector Christiaan Barnard, manager of the police Financial Intelligence Unit.
This included "reviewing the actions and decisions taken by staff", Mills said. He said the operation had been approved under police standard procedures and the investigation found no misconduct by staff.
The review made recommendations to improve police processes. An updated policy had been drafted and was currently under consultation.
Founder of New Zealand-based cryptocurrency BitPrime, Ross Carter-Brown, greeted news of the $45,000 loss with the words: "That's pretty wild."
Carter-Brown said Bitcoin and other cryptocurrencies differed from usual bank transactions in that proof of ownership of the funds was based on possession, which was controlled by having the private key - a code - that controlled access to the wallet.
For those who forgot the private key, there was also the option of a back-up phrase that could allow recovery of the funds.
Carter-Brown said whoever took the $45,000 "would have had to have access to the private keys to that wallet or the back-up phrase".
"Having those private keys is the same thing as having money. If I was in charge of the breach, I'd be looking at who had access to the keys or back-up phrase."
Carter-Brown said he was not suggesting that was where the money went but it pointed to who had access or control over the funds.
A breach of security in storing the private key was possible but would likely need penetration of police networks to access, he said.
"It also seems unlikely someone would voluntarily hand it over."
The most likely option was that a controlled purchase went wrong and those the police sought to entrap disappeared with the money without supplying the goods or services.
"If [police] sent it to somebody and that person didn't keep their end of the bargain, you can't reverse it. [Cryptocurrency] is unforgiving. If you make a mistake, you can't reverse it."
The police loss highlighted advice from the Financial Markets Authority, which stated: "All online transactions are at risk of cyber-crime. The cryptocurrency in your digital wallet can be stolen just like the money in your real wallet – with very little chance of it being returned."
Victoria University criminologist Dr Trevor Bradley said the investigation of cybercrime was "almost virgin territory" for police in New Zealand.
"When it comes to cybercrime, they are babes in arms, really."
Bradley said those dealing with cybercrime in New Zealand were spread across a number of agencies, "fragmenting" a talent pool challenged by an area of criminal enterprise that was growing rapidly in scale and sophistication.
"I know the police are beginning to recognise these deficiencies and trying to address them. [Cybercrime] is a real big problem and a growing problem and the fragmentation is not helping."