91³Ô¹ÏÍø

Watch CBS News
MoneyWatch

Purported ransom note for Savannah Guthrie's mom demanded payment in bitcoin. Could it be tracked?

By
Aimee Picchi
Associate Managing Editor, MoneyWatch
Aimee Picchi is the associate managing editor for CBS MoneyWatch, where she covers business and personal finance. She previously worked at Bloomberg News and has written for national news outlets including USA Today and Consumer Reports.
Read Full Bio
Aimee Picchi

/ CBS News

The disappearance of "Today" show co-host Savannah Guthrie's mother, Nancy Guthrie, includes a tantalizing clue: an apparent ransom note that demanded payment in bitcoin

The note, which is being taken seriously by investigators, included a deadline of 5 p.m. Thursday, although it didn't specify a time zone. If the payment wasn't made, the note specified another deadline of Monday, investigators said Thursday. 

The demand for bitcoin raises questions about whether the cryptocurrency could be used to hide a kidnapper's identity, given the financial product's semi-anonymous nature. Experts tell CBS News that law enforcement officials can track down information about the people or organizations behind crypto transactions, increasing the chances that the ransom demand could produce possible leads in the Guthrie case.

All bitcoin transactions are recorded and monitored on the public blockchain, which is similar to a bank ledger. To conduct a transaction, a user must also have a bitcoin wallet with an alphanumeric address, which stores private keys for authorizing transfers and public keys for receiving funds.

Those pieces of information — a blockchain transaction and a bitcoin wallet — can offer a starting point for law enforcement to track down a bad actor, said Ari Redbord, global head of policy at TRM Labs, which helps track crypto fraud and crimes, and a former Department of Justice and Treasury official who investigated financial crimes.

"Every transaction in bitcoin is logged on an open public ledger, and it's immutable, meaning it's there forever," Redbord told CBS News. "We're able to track and trace every transaction to and from that address in order to potentially identify the holder of the wallet address."

Not untraceable

Blockchain analyses can examine whether that wallet has been used for illicit activity in the past, or if the account is associated with ransomware or other cybercrimes, he noted. They can also examine which other addresses are sending funds to the wallet in question, and then build out a map to help track the identity of the bad actor. 

"It's a common misconception that crypto, including bitcoin, is totally anonymous and untraceable, but it's actually the exact opposite of that," said Madeleine Kennedy, vice president of communications at Chainalysis, which makes apps and software for blockchain investigations, including tracking crypto crimes. 

That means the blockchain may be able to provide more information to investigators than other valuables often used to pay ransoms, including art, diamonds or even cash, Redbord said.

"Our law enforcement customers regularly tell us they would much rather follow the money in crypto than in cash," Kennedy added.

What "know your customer" laws can tell you

Once the owner of a bitcoin wallet goes to a crypto exchange — such as Binance or Coinbase — to cash out the cryptocurrency, law enforcement can gain even more information, experts said. Crypto exchanges in the U.S. are subject to the same "know your customer" laws, which are anti-money laundering regulations requiring a financial institution to collect customer information.

That data includes a customer's full legal name, birth date and home address, which is usually collected through a user's government ID,  to Coinbase.

"Law enforcement can send a subpoena to a cryptocurrency exchange where they know the funds went and say, 'Hey, we need to know more about the user of this address — what is their name, what is their birthday, what is their Social Security number, their phone number, what email did they use to set up the account'," Redbord told CBS News. 

He added, "When you can really catch them is when they're trying to move funds through a cryptocurrency exchange."

One question is whether law enforcement will be able to act fast enough to trace the money before it's transferred out of a crypto exchange and disappears, experts said. Criminals could also possibly transfer the crypto to an illicit exchange that doesn't follow "know your customer" regulations.

"The challenge is that bad actors can move faster than ever, and it really becomes this race to the off-ramps in cases like this," Redbord said.

Edited by Alain Sherter

In:

© 2026 91³Ô¹ÏÍø. All Rights Reserved.

View CBS News In
CBS News App Open
Chrome Safari Continue
const link = doc.createElement('link'); link.rel = 'stylesheet'; link.href = '/fly/fly/bundles/cbsnewscontent/css/cmp-banner.min.css?v=50747257b890e014813016b79ece0fb2'; doc.head.appendChild(link); doc.body.innerHTML = CONSENT_MESSAGE; } else { el.insertAdjacentHTML('afterend', CONSENT_MESSAGE); } }); } function hidePrivacyMessage() { // Remove from the main document document.querySelectorAll(`.${CONSENT_MESSAGE_CLASS}`).forEach(el => el.remove()); // Remove from inside any iframes document.querySelectorAll('iframe').forEach(iframe => { const doc = iframe.contentDocument || iframe.contentWindow.document; doc.querySelectorAll(`.${CONSENT_MESSAGE_CLASS}`).forEach(el => el.remove()); }); } function activateGatedScripts() { // Handle both new format (cmp-gated-script) and old OneTrust/Ketch format (optanon-category-4) const gatedScripts = Array.from(document.querySelectorAll('script.cmp-gated-script, script.optanon-category-4')); // Activate scripts sequentially with a small delay to avoid timing issues let delay = 0; gatedScripts.forEach(function(placeholder, index) { setTimeout(function() { // Skip if already processed if (placeholder.hasAttribute('data-cmp-processed')) { return; } placeholder.setAttribute('data-cmp-processed', 'true'); const newScript = document.createElement('script'); newScript.type = 'text/javascript'; // Try new format first (data-cmp-src), then fall back to old format (data-src) const src = placeholder.getAttribute('data-cmp-src') || placeholder.getAttribute('data-src'); if (src) { newScript.src = src; } else if (placeholder.textContent) { // Inline script - just copy the content newScript.textContent = placeholder.textContent; } // Handle new format attributes (data-cmp-attrs) - for both inline and external scripts const attrs = placeholder.getAttribute('data-cmp-attrs'); if (attrs) { const tempDiv = document.createElement('div'); tempDiv.innerHTML = '
<\/div>'; const tempAttrs = tempDiv.firstChild.attributes; for (let i = 0; i < tempAttrs.length; i++) { // For external scripts, allow defer/async. For inline scripts, skip them (not valid) if (src || (tempAttrs[i].name !== 'async' && tempAttrs[i].name !== 'defer')) { newScript.setAttribute(tempAttrs[i].name, tempAttrs[i].value); } } } // Copy other attributes from old OneTrust format for (let i = 0; i < placeholder.attributes.length; i++) { const attr = placeholder.attributes[i]; // Skip attributes we've already handled or don't want to copy if (!['class', 'data-src', 'data-type', 'data-cmp-src', 'data-cmp-attrs', 'data-cmp-processed', 'type', 'async', 'defer', 'src'].includes(attr.name)) { newScript.setAttribute(attr.name, attr.value); } } placeholder.parentNode.replaceChild(newScript, placeholder); // If external script, manually trigger window.onload handlers after it loads // This handles widgets that use window.onload for initialization if (src) { newScript.addEventListener('load', function() { // If page already loaded and script set a new onload handler, trigger it if (document.readyState === 'complete' && window.onload) { const originalOnload = window.onload; window.onload = null; // Clear temporarily to prevent loops originalOnload(); // Execute the handler } }); } }, delay); delay += 500; // 500ms delay between each script to allow full loading }); } cbsoptanon.onScriptsReady(function(cmp) { cmp.ot.targetingAllowed(function(allowed) { if (!allowed) { showPrivacyMessage(); } else { activateGatedScripts(); } }); cmp.ot.awaitInitialConsent(function(consent_model) { cmp.ot.addOnConsentChangedHandler(function() { cmp.ot.targetingAllowed(function(allowed) { if (allowed) { hidePrivacyMessage(); activateGatedScripts(); } else { showPrivacyMessage(); } }); }); }); });