Cryptocurrency Investigations 101: What Every Analyst Should Know
An e-book by DataWalk
Table Of Contents
Part 1 Cryptocurrencies: The Least You Need To Know
Part 2 Cryptocurrency Investigation Basics
Part 3 More Of The Basics
Part 4 About Tools
Part 5 The Technology Behind Cryptocurrencies
Appendix 1 Doing Manual Investigations
Appendix 2 Useful Sources For Investigations
Part 1
Cryptocurrencies: The Least You Need To Know
The Cryptocurrency Revolution
Cryptocurrency has the potential to revolutionize financial services, reinventing how we buy and pay for goods, how we create and share businesses, and even how we behave. This digital revolution also has a dark side. As cryptocurrency has come into the mainstream, investigators need to become familiar with how to work cryptocurrency cases.
Anyone involved in forensics should understand what techniques are available to combat crimes in which virtual currency is used.
Technology helps us follow flows of cryptocurrency through wallets and across the blockchain. This guide covers cryptocurrency basics as well as the techniques and tools that give an investigator a way to track cryptocurrency data.
In this simplified guide you will learn how to investigate a cryptocurrency crime by applying blockchain analysis. This is of particular use to regulators and law enforcement, as well as to investigators and auditors.
Cryptocurrencies: An Alternate Global Financial System
Cryptocurrency value "in circulation" as of September 2020: ~$330B
Why Should You Care About Cryptocurrencies?
• An increasingly popular way for criminals to do financial transactions
• Cryptocurrencies will likely become more important over time
Criminal uses include terrorist financing, scams, fraud and ransomware, money laundering, and paying for illicit goods.
Cryptocurrency Transactions Compared To Bank Transactions
Bank transactions:
• Transactions are private
• Identities known
• Single sender, single receiver
• Small number of accounts per entity
• Transactions controlled by centralized banks
• Governments control the money supply
Cryptocurrency transactions:
• Transactions are public
• Identities unknown
• Multiple inputs, multiple outputs
• New addresses for most transactions
• Transactions controlled by a decentralized network
• Supply typically set by consensus rules
Bitcoin Is The Most Popular Cryptocurrency
Bitcoin ("BTC"): 1 BTC = ~US$10,000*. For the moment we'll just focus on Bitcoin.
* Value as of September 2020; fluctuates significantly.
Transactions Are Between Addresses
Sample transaction:
Transaction ID (hash): 212132312….
Address In (sender): 1bc65d…..
Address Out (receiver): 1bc65d…..
Time stamp: 2020-07…
Value In: 0.5 BTC
Value Out: 0.5 BTC
All Transactions Are Posted On A Public Ledger
[Figure: the public ledger (blockchain) as a chain of blocks, each containing Transaction 1, Transaction 2, Transaction 3, …]
All transactions are posted on a public ledger called the blockchain.
You can view the blockchain at various block explorers such as blockchain.com.
Block explorer – a web page for browsing blockchain data (e.g., transactions).
Key issue for analysts: the "owner" of each address is not posted.
A "Wallet" Reflects The Addresses Owned By An Entity
Basically a wallet is the Bitcoin equivalent of a bank account, where users store and transact their cryptocurrency. It can be a software wallet (an application installed by the user on their own device) or a web / hosted wallet, which is hosted and maintained by a third-party provider (a custodian).
• A single wallet can be used for various cryptocurrencies
• Wallet contents are visible to the wallet owner, but nobody else
• Data analysis tools attempt to derive the contents of a wallet (e.g., via clustering) – see "Tools Can Cluster Addresses Controlled By A Single Entity" in Part 2
[Figure: "My Wallet" holding Address 1 (2.5 BTC), Address 2 (1 BTC), Address 3, Address 4 … Address n]
Money Can Be Converted Between Cryptocurrencies And Traditional Currencies Via An Exchange
Exchanges are online trading platforms.
There are many available exchanges.
Cryptocurrencies can also be purchased at ATMs and other places that we’ll discuss later.
Part 2
Cryptocurrency Investigation Basics
Simplified Example 1: Money Laundering With Bitcoin
[Figure: dirty money → Bitcoin ATM → 0.005 BTC to Address 123XYZ in the criminal's wallet → exchange → clean money]
Let's consider a simplified example. A criminal has a few thousand dollars worth of dirty money. To launder it, he goes to a Bitcoin ATM (a kiosk like a traditional ATM, but for Bitcoin) and spends the money on Bitcoin. That Bitcoin goes into his wallet; he then converts it to dollars at an online cryptocurrency exchange and moves the proceeds into a "clean" bank account that he controls.
The Analyst's Challenges With This Case
1. Identify the actor and/or their fingerprints.
2. Follow the money.
3. Identify where cryptocurrency was changed to traditional currency.
How To Identify The Criminal (It's Simple In Theory)
1. Identify the actor and/or their fingerprints, e.g., addresses.
2. Follow the money.
3. Identify businesses:
   A. Follow the money to the places (in this case, the ATM and the exchange) where the criminal converts cryptocurrency.
   B. Subpoena the exchange: "Give me the name and details of the person associated with Address 123XYZ".
How To Follow The Money (Manually)
Single transaction, 9/1/2020: input 342njss3... (0.01 BTC) → output 31mLd3p... (0.01 BTC)
Single transaction, 9/2/2020: input 31mLd3p... (0.01 BTC) → output 1NjEpH8m... (0.01 BTC)
You can use a block explorer such as Blockchain.com to see the transactions.
Each input of a BTC transaction is a previously unspent transaction output (UTXO): the 9/1 output became the 9/2 input. This is the key to following the money!
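The UTXO rule is what makes tracing mechanical: every input names the earlier output it consumes, so an index of "which transaction spent which output" lets you walk forward from any address until the funds land at a known entity. The block below is an added example, not code from the e-book or from any block explorer; the ledger, txids, addresses and the "3BittrexDeposit" → Bittrex label are constructed. It also computes the per-transaction fee (sum of inputs minus sum of outputs, as Part 3 describes) and the received/spent totals for an address of the kind a block explorer shows.

```python
"""Follow the money through a constructed UTXO ledger.

Added example, not code from the e-book. The ledger, txids, addresses and
the '3BittrexDeposit' exchange label are made up; amounts are integer
satoshi (1 BTC = 100,000,000 sat) so no float rounding creeps in. A real
investigation pulls the same fields from a node or a block explorer.
"""
from collections import deque

# Each transaction spends outpoints (txid, vout) created by earlier transactions
# and creates new outputs (address, value_sat). A coinbase has no inputs.
LEDGER = {
    "cb0": {"inputs": [], "outputs": [("1Victim", 100_000_000)]},
    "tx1": {"inputs": [("cb0", 0)],                   # victim pays the 1 BTC ransom
            "outputs": [("1Scammer", 99_900_000)]},  # 0.001 BTC goes to the miner
    "tx2": {"inputs": [("tx1", 0)],                   # scammer splits the funds
            "outputs": [("1Hop", 60_000_000), ("1ScamChange", 39_800_000)]},
    "tx3": {"inputs": [("tx2", 0)],                   # intermediary hits an exchange
            "outputs": [("3BittrexDeposit", 59_950_000)]},
}
KNOWN_ENTITIES = {"3BittrexDeposit": "Bittrex"}     # stands in for a tool's entity database


def build_spend_index(ledger):
    """Map each spent outpoint to the txid that spends it. A UTXO is spent at most once."""
    spent_by = {}
    for txid, tx in ledger.items():
        for outpoint in tx["inputs"]:
            if outpoint in spent_by:
                raise ValueError(f"outpoint {outpoint} spent twice: ledger is inconsistent")
            spent_by[outpoint] = txid
    return spent_by


def output_of(ledger, outpoint):
    """(address, value_sat) of the output an outpoint refers to."""
    txid, vout = outpoint
    return ledger[txid]["outputs"][vout]


def tx_fee(ledger, txid):
    """Fee = sum of inputs - sum of outputs; input values live in the earlier transactions."""
    tx = ledger[txid]
    if not tx["inputs"]:
        return 0                                       # coinbase pays no fee
    value_in = sum(output_of(ledger, op)[1] for op in tx["inputs"])
    return value_in - sum(value for _, value in tx["outputs"])


def address_summary(ledger, address):
    """Received / spent / balance for one address, as a block explorer shows them."""
    spent_by = build_spend_index(ledger)
    received = spent = 0
    for txid, tx in ledger.items():
        for vout, (addr, value) in enumerate(tx["outputs"]):
            if addr == address:
                received += value
                if (txid, vout) in spent_by:
                    spent += value
    return {"received": received, "spent": spent, "balance": received - spent}


def trace_forward(ledger, start_address, known_entities, max_hops=10):
    """Walk spends forward from every output paid to start_address.

    A branch ends at a known entity (the subpoena target), at an unspent output,
    or at max_hops. Every output of every spend is followed, change included, so
    the result over-approximates: some branches are real payments to third parties.
    """
    spent_by = build_spend_index(ledger)
    queue = deque()
    for txid, tx in ledger.items():
        for vout, (addr, _) in enumerate(tx["outputs"]):
            if addr == start_address:
                queue.append(((txid, vout), 0, [addr]))
    endpoints, seen = [], set()
    while queue:
        outpoint, hops, path = queue.popleft()
        if outpoint in seen:
            continue
        seen.add(outpoint)
        addr, value = output_of(ledger, outpoint)
        unspent = outpoint not in spent_by
        if addr in known_entities or unspent or hops >= max_hops:
            endpoints.append({"address": addr, "entity": known_entities.get(addr),
                              "unspent": unspent, "value_sat": value,
                              "hops": hops, "path": path})
            continue
        next_tx = spent_by[outpoint]
        for vout, (next_addr, _) in enumerate(ledger[next_tx]["outputs"]):
            queue.append(((next_tx, vout), hops + 1, path + [next_addr]))
    return endpoints
```

Running `trace_forward(LEDGER, "1Scammer", KNOWN_ENTITIES)` yields two endpoints: the 0.398 BTC change output that is still unspent, and the 0.5995 BTC that reached the Bittrex-controlled address after two hops (`1Scammer → 1Hop → 3BittrexDeposit`). The fan-out is the point: without a label to stop on, every branch, change included, would have to be followed by hand.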
But Following The Money Gets Complicated: Co-Spending
[Figure: "My Wallet" (Address 1: 2.5 BTC, Address 2: 1 BTC, Address 3) → 3.5 BTC → Address X in "Shop Wallet"]
Often a transaction combines several addresses (inputs) to make up the required amount.
Example: pay 3.5 Bitcoin. Address 1 (2.5 BTC) and Address 2 (1 BTC) are spent together in one transaction to Address X (3.5 BTC).
A single transaction can have many addresses (i.e., many inputs and outputs).
Following The Money Gets Complicated: Change
[Figure: Address 1 (2.5 BTC) and Address 2 (1 BTC) → Address X (3.3 BTC), plus 0.2 BTC change back to "My Wallet"]
Example: pay 3.3 Bitcoin. The inputs total 3.5 BTC, so 3.3 BTC goes to Address X and the remaining 0.2 BTC is returned as "change".
"Change" is generated as an additional output to a new or existing address controlled by the sender.
Change looks like any other output on the blockchain; nothing marks it as change.
Example Of A Transaction From The Blockchain
[Figure: block-explorer screenshot of a real transaction with many inputs and outputs]
Manual analysis of such data is very complicated.
There Are Two Ways To Work Cryptocurrency Cases
Manually (i.e., the really hard way):
• A single transaction may consist of multiple input addresses and multiple output addresses
• Criminals will use multiple intermediaries (e.g., exchanges) to hide their tracks
• It's not obvious when addresses are associated with a common entity
• It is not obvious which addresses are associated with exchanges or other known entities
With a tool (i.e., the less hard way):
• Addresses are clustered
• Database contains various types of known entities
• Instant access to OSINT data to correlate identities
• Money flow visualization and automation
To Effectively Perform Cryptocurrency Investigations, You Need To Have A Tool!
[Figure: manual view (raw addresses and dollar amounts) versus tool view, where addresses are grouped into clusters: Kraken.com (786,652 addresses), Bittrex.com (547,871 addresses), and unnamed clusters 59077648 (44 addresses), 232056661 (1 address), 229549858 (50,968 addresses), [000147c74e] (6 addresses)]
Tools Can Provide Up To Four Key Capabilities
[Figure: Address A, Address B and Address C shown separately, then grouped into one cluster]
1. "Cluster" addresses likely controlled by the same entity.
2. Provide a database of clusters associated with known entities.
3. Aggregate and visualize transactions and money flows.
4. Provide access to the Internet and darknet to find digital fingerprints related to addresses.
Tools Can Cluster Addresses Controlled By A Single Entity
Clustering – tools can automatically group individual addresses that are controlled by the same person, using various clustering techniques.
Co-spending technique: when several addresses all contribute inputs to a single transaction, it can typically be assumed that these addresses form a cluster controlled by a common entity, because whoever built the transaction had to hold the private key of every input.
Example (transaction hash 653hg5.....): Address In 1MhKK... (0.25 BTC), 1Bmht... (0.25 BTC), 1Mjyg... (0.5 BTC) → Address Out 34m4Y... (1 BTC). The three input addresses are clustered together.
This co-spending technique is one example of how tools can automatically identify clusters. There are various other techniques, but for now the key points are that tools can generate clusters, these clusters are valuable, and practically speaking you can't create clusters by hand.
Why Clustering Is Important
Starting from a single address, an investigator sees a broader picture: the other addresses and transactions controlled by the target. Clustering also enables visualizations of money flows between entities rather than between individual addresses.
[Figure: two clusters linked by a 1.8 BTC flow: a cluster of 2 addresses (balance 0 BTC, in 1.8 BTC, spent 1.8 BTC) and a cluster of 44 addresses (balance 0 BTC, in 1.8 BTC, spent 1.8 BTC)]
With A Tool You Can Start Your Investigation From Various Places
• Start from an address or transaction (e.g., address 1bc342…, transaction 5rd54353532gs5s …).
• Start from an email, phone, IP, login, nickname or entity name (e.g., [email protected], +1 6657 656 …, "Cyberbrevik", Shopsocks5….).
Working A Case: Ransomware Example
Here's another simplified example. A criminal breaks into John's PC and demands a ransom of 1 BTC to release control. John transfers 1 BTC from his wallet to the address provided by the criminal, and the criminal then converts this to currency at an exchange. Let's see how an analyst would work this case.
[Figure: ransom note "Dear John, I blocked your computer. Pay me 1 BTC. My address: 176hgf…"; 1 BTC flows from John's Wallet (Address 1bc876...) to the Fraudster's Wallet (Address 176hgf..., Address n) and on to an exchange]
Our Sample Case, As Shown In A CC Analysis Tool
This is a visualization from DataWalk showing the Bitcoin flow from John's wallet to the fraudster's wallet. After this transaction the Bitcoin was sent to the exchange, Bittrex.com.
[Figure: John's address 1bc876... → (0.6 BTC) → scammer cluster (1b876..., 176hgf...) → (0.6 BTC) → scammer address controlled by Bittrex → Exchange. KYC record returned by the exchange (sample data in the figure): Name: Andy Wood, SSN: 3244...., Phone: +1 432...., Address: Palma Street, IP: 172....]
Working Our Case In A Tool: Step 1
Search for John's address (1bc8d...) and the scammer's address (1b876...) and see the related clusters (John's cluster and the scammer cluster).
Working Our Case In A Tool: Step 2
Review cluster balance, total spent/received, and number of transactions.
[Figure: John's cluster (1bc8d...): 2 addresses, balance 0 BTC, in 1.8 BTC, spent 1.8 BTC. Scammer cluster (1b876...): 44 addresses, balance 0 BTC, in 1.8 BTC, spent 1.8 BTC]
Working Our Case In A Tool: Step 3
See potential victims besides John to gauge the scale of the crime.
[Figure: John's cluster (1bc8d...) and two unknown clusters (1cc626..., 76hg6...) each send 0.6 BTC into the scammer cluster (1b876..., 44 addresses, in 1.8 BTC, spent 1.8 BTC)]
Working Our Case In A Tool: Step 4
Follow the money – the tool automatically identifies exchanges.
[Figure: the scammer cluster forwards 1.8 BTC to an intermediate cluster (12 addresses, in 1.8 BTC, spent 1.8 BTC), which forwards 1.8 BTC to a scammer address controlled by Bittrex]
Working Our Case In A Tool: Step 5
Subpoena the exchange for KYC data and the details of the wire.
[Figure: the subpoena to the exchange for the ~$24k deposit returns name, SSN, DOB, picture ID, and bank account 8772...]
Bitcoin Investigation Basics: Summary
[Figure: cluster view with named exchange clusters Kraken.com (786,652 addresses) and Bittrex.com (547,871 addresses) and an identified actor (JÜrgen Machery in the figure)]
• You need a tool!
• Follow the money. Identify target actors via transaction endpoints.
• Identify actors via subpoena of the exchange…
• …or by tying actors to other digital fingerprints.
Part 3
Cryptocurrency: More Of The Basics
The Blockchain
A blockchain is an open, public, append-only database built from blocks; each block aggregates transactions, and each transaction references addresses. The full history is available for anyone to download and inspect.
[Figure: Block 1 → Block 2 → Block 3 → Block 4, each containing Transaction 1, Transaction 2, Transaction 3, …]
A Small Fee Is Deducted For Each Cryptocurrency Transaction
The fee is the difference between the sum of all inputs and the sum of all outputs of a transaction; it is not listed as a separate output.
Example: Amount In 1.0005 BTC, Amount Out 1.0000 BTC, so the fee is 0.0005 BTC.
Fees are small: typically $1 – $6 (as of 2020; fees rise and fall with network congestion).
There Are Hundreds Of Cryptocurrencies; Bitcoin And Ethereum Are The Most Popular
[Figure: Market Share By Cryptocurrency, 2020 – pie chart with Bitcoin, Ethereum, XRP, Tether, Others. Source: https://coinmarketcap.com/charts/ 9/6/2020]
All cryptocurrencies except Bitcoin are referred to as "altcoins" (alternative coins).
Ethereum Is The Second Most Popular Cryptocurrency Platform
Ethereum is a global open-source blockchain platform for creating decentralized applications, which use a cryptocurrency called Ether. You can view Ether transactions at sites such as etherscan.io.
You can track transactions on Ethereum in much the same manner as on Bitcoin, with one difference: Ethereum uses account balances rather than unspent outputs, so a transaction has a single sender and a single receiver, and the co-spending clustering described in Part 2 does not apply.
This is important for investigators, as criminals trying to hide their trail may convert Bitcoin to alternative coins through an exchange.
Sample Coins And Tokens
Coins (examples): Bitcoin, Ripple, Cardano, Litecoin, IOTA, Ethereum
Tokens (examples): Compound, Uniswap, OmiseGO, 0x, Tether, Chainlink
Tokens - Special Kinds Of Virtual Currency
Anyone can use Ethereum technology to create their own digital assets, such as tokens*. All such tokens, and Ether itself, are recorded on the same single blockchain.
*Tokens on Ethereum can represent almost anything, e.g., shares in a company, traditional currency, lottery tickets or even ounces of gold. They are available on exchanges and can be traced on Ethereum like cryptocurrencies. The main difference between tokens and cryptocurrencies is that tokens do not have their own blockchain.
Be Aware: Monero Is A Cryptocurrency Built To Be Untraceable
Monero (XMR) is an open-source cryptocurrency that focuses on fungibility, privacy and decentralization. Monero uses an obfuscated public ledger, meaning anybody can broadcast or send transactions, but no outside observer can tell the source, amount or destination. (source: Wikipedia)
Monero is very problematic for regulators & law enforcement who want to follow the money.
There Are Also Many Cryptocurrency Exchanges
• Hundreds of exchanges
• Highly varying degrees of safety, security, privacy, and control
• Most do KYC – Know Your Customer, the process a business uses to verify the identity of its customers
• Though as of 2020 there were some exchanges where KYC was not required, such as Binance (withdrawals up to 2 BTC daily) and BitMEX (no KYC); such policies change, so verify them before relying on them
Cryptocurrency ATMs Are Another Vehicle For Converting Bitcoin <-> Cash
Specialized kiosks for buying and selling Bitcoin.
ID is often not required below a limit of roughly $5K per day (varies by country and operator).
Becoming more common (Bitcoin ATM installations doubling each year).
Often in gas stations, convenience stores, and malls… and typically beyond the range of CCTV cameras.
You can locate nearby ATMs online via sites such as coinatmradar.com/
There Are Other Mechanisms For Converting Cryptocurrency To Traditional Money Or To Hide The Money Trail
Online gambling sites:
• Cryptocurrency in, cash out
• Limit ~$5-10K per week
Gift cards:
• Buy cards with cryptocurrency, sell the cards for cash
Face-to-face:
• Find a local buyer via the web
• Electronically transfer cryptocurrency; get cash in return
Instant exchanges:
• Fast exchange without registration
Mixers Increase Anonymity
A cryptocurrency mixer (or tumbler) is a service for increasing the anonymity of cryptocurrency funds.
A user sends their cryptocurrency to a mixer's address, where it is pooled with the funds of other users (typically hundreds or thousands of transactions or addresses). The output is "clean" cryptocurrency that is transferred either back to the sender or to a new owner, with no direct on-chain link to the original deposit.
To track money flowing through mixers, cluster the addresses belonging to the mixer, so that deposits to and withdrawals from the service can at least be identified as such.
FYI: FIAT = Traditional Currency
In cryptocurrency and financial circles, the term "FIAT" is commonly used to refer to traditional, government-backed currencies, e.g., EUR, USD, GBP, AED, CAD, AUD, SEK, SAR, TL, MYR, THB, CNY.
Cryptocurrencies Are The Preferred Payment Vehicle For Illicit Transactions On The Darknet
The "darknet" consists of websites that are deliberately hidden (reachable only through anonymizing networks such as Tor) and are not indexed by search engines. Well-known examples of darknet websites are the now-defunct AlphaBay and Silk Road marketplaces, where threat actors bought and sold illicit goods and services. Cryptocurrencies are the preferred payment vehicle for illicit darknet transactions.
Darknet investigations very often turn into cryptocurrency investigations.
CoinJoin Transactions
CoinJoin is a method of combining the payments of several users into one transaction: the inputs and outputs of a single CoinJoin transaction belong to different users.
Wasabi and Samourai Wallet are non-custodial, privacy-focused wallets that implement CoinJoin and route their traffic over the Tor network.
Why should an investigator be aware of CoinJoin (CJ)?
It is important to recognize a CJ transaction while following the money: within a single CJ transaction each input may belong to a different user, so clustering based on co-spending cannot be applied to it (applying it would wrongly merge unrelated users into one cluster).
How To Recognize CoinJoin
Typical indicators (heuristics, not proof):
• Several (or more) inputs and outputs
• Every input and output address starts with "bc1"
• At least two outputs of the same value
• One of the outputs is a fee address for using this technique (a coordinator fee)
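Co-spend clustering (Part 2, "Tools Can Cluster Addresses Controlled By A Single Entity") and the CoinJoin indicators just listed are two halves of one procedure: merge the input addresses of each transaction into one owner, except where the transaction looks like a CoinJoin. The block below is an added example, not code from the e-book or from Wasabi or Samourai; the transactions, txids and addresses (including the "cj1" CoinJoin and its "bc1qcoord" fee output) are constructed, and the union-find cluster builder is a textbook implementation rather than any vendor's.

```python
"""Co-spend clustering with a CoinJoin filter.

Added example, not code from the e-book. Transactions, txids and addresses
are constructed. Inputs are written as the (address, value_sat) of the output
being spent, the way a block explorer displays them. The CoinJoin indicators
are the ones the text lists; they are heuristics, so a match is a reason to
stop clustering on that transaction, not proof of what it is.
"""

TXS = {
    "t1": {"inputs": [("1A", 250_000_000), ("1B", 100_000_000)],
           "outputs": [("1Shop", 330_000_000), ("1C", 19_900_000)]},   # 1C is change
    "t2": {"inputs": [("1C", 19_900_000), ("1D", 5_000_000)],
           "outputs": [("1Other", 24_800_000)]},
    "t3": {"inputs": [("1B", 40_000_000), ("1E", 10_000_000)],
           "outputs": [("1Shop", 49_900_000)]},
    "t4": {"inputs": [("bc1qsolo", 1_000_000)], "outputs": [("bc1qdest", 990_000)]},
    # Constructed Wasabi/Samourai-style CoinJoin: many 'bc1' inputs, equal-sized
    # mixed outputs, per-user change outputs, and a coordinator fee output.
    "cj1": {"inputs": [("bc1qin1", 1_200_000), ("bc1qin2", 1_050_000),
                       ("bc1qin3", 1_300_000), ("bc1qin4", 1_010_000)],
            "outputs": [("bc1qout1", 1_000_000), ("bc1qout2", 1_000_000),
                        ("bc1qout3", 1_000_000), ("bc1qout4", 1_000_000),
                        ("bc1qchg1", 190_000), ("bc1qchg3", 290_000),
                        ("bc1qcoord", 30_000)]},
}


def looks_like_coinjoin(tx, min_participants=3):
    """Indicators from the text: several inputs and outputs, every address
    bech32 ('bc1...'), and at least two outputs of identical value."""
    ins, outs = tx["inputs"], tx["outputs"]
    if len(ins) < min_participants or len(outs) < min_participants:
        return False
    if not all(addr.startswith("bc1") for addr, _ in ins + outs):
        return False
    values = [value for _, value in outs]
    return len(values) != len(set(values))          # duplicate output value present


class DisjointSet:
    """Union-find: merging input addresses one transaction at a time."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]   # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        root_a, root_b = self.find(a), self.find(b)
        if root_a != root_b:
            self.parent[root_b] = root_a


def cluster_by_cospend(txs, skip_coinjoin=True):
    """Return (clusters, skipped): clusters is a set of frozensets of addresses,
    skipped lists the txids left out because they look like CoinJoins."""
    ds, skipped = DisjointSet(), []
    for txid, tx in txs.items():
        addrs = sorted({addr for addr, _ in tx["inputs"]})
        for addr in addrs:
            ds.find(addr)                    # register even single-input addresses
        if skip_coinjoin and looks_like_coinjoin(tx):
            skipped.append(txid)
            continue
        for addr in addrs[1:]:
            ds.union(addrs[0], addr)         # all inputs => one controlling entity
    groups = {}
    for addr in ds.parent:
        groups.setdefault(ds.find(addr), set()).add(addr)
    return {frozenset(g) for g in groups.values()}, skipped


def cluster_of(clusters, address):
    """The cluster containing address, or a singleton if it was never an input."""
    for cluster in clusters:
        if address in cluster:
            return cluster
    return frozenset({address})
```

With the filter on, `cluster_by_cospend(TXS)` returns {1A, 1B, 1E} (linked through 1B spending in both t1 and t3), {1C, 1D}, and singletons for every bech32 input, with "cj1" reported as skipped; with `skip_coinjoin=False` the four CoinJoin inputs collapse into one bogus cluster of four unrelated users. Note also what co-spending alone does not do: 1C is almost certainly t1's change, yet it lands in a separate cluster from {1A, 1B, 1E}, which is the gap that change-detection heuristics are meant to close.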
CoinJoin Transactions
[Figure: part of an example Samourai Wallet CoinJoin transaction, and an example Wasabi Wallet CoinJoin transaction, as shown in a block explorer]
Q&A
How can I buy bitcoins / cryptocurrency?
• You can buy cryptocurrencies through your wallet, exchanges, instant exchanges, ATMs, and in public places.
How can I exchange Bitcoin for another cryptocurrency?
• You can exchange Bitcoin for another cryptocurrency using exchanges or currency exchange offices ("cantors").
Is it possible to steal bitcoin / cryptocurrency?
• Yes. For example, in 2019 there were hacks on exchanges and over $290M was stolen.
What are "hot" and "cold" wallets?
• Hot wallet: connected to the Internet, less secure (e.g., online wallet, exchange, desktop wallet)
• Cold wallet: not connected to the Internet, more secure (e.g., hardware wallet, paper wallet)
Part 4
About Tools
There Are Two Types Of Tools
Dedicated cryptocurrency tools (e.g., Chainalysis, CipherTrace, Elliptic):
• For cryptocurrency analysis only
• Generally limited to a few other sources that can supplement CC data
Analysis tools that include cryptocurrency:
• General-purpose data analysis platform that supports Bitcoin analysis
• Can connect Bitcoin data with any other data (bank data, agency data, social media, etc.)
Databases Vary By Tool, And Can Contain Various Types Of Known Entities
Exchange, gambling, mixer, scams/frauds, mining pool, card/wallet, ATM, payment services, darknet markets, cantors, marketplace, terrorism, OFAC, shop, faucet, other.
Investigation With Bitcoin In The Background
Let's consider a more advanced example. A criminal scammed an individual, requesting a ransom in Bitcoin. The criminal's BTC address from the e-mail has been reported on BitcoinWhosWho as a scam, and the details of the scam have been described in a post on a blockchain forum. Using the e-mail address, associated phone numbers and a social media profile have been found.
To launder the bitcoins, the criminal transferred the funds through several addresses, finally routing them to the Kraken and Bittrex exchanges to convert to FIAT.
[Figure: DataWalk view linking cluster 216177761 (address 34cR8d2CzERUuBqAZVc78tNnT39AtGM1YT) to a scam report ("email scam, do not pay", 2018-12-19, source: http://bitcointyl.com/bitcoin-phishing-the-n1ghtm4r3-emails/), a Facebook search hit (Dan Novik), three phone numbers (630-889-8900, 727-786-1638, 865-724-6672), and the flow through unnamed clusters (59077648, 232056661, 229549858, [000147c74e]) to the Kraken.com (786,652 addresses) and Bittrex.com (547,871 addresses) exchange clusters. Steps shown: identify bad actors; identify addresses belonging to bad actors; identify fingerprints associated with bad actors.]
How Manual Analysis, Typical CC Tools, And DataWalk Compare
Analyzing addresses – Manual/Blockchain: single addresses; Typical CC tools: clusters; DataWalk: clusters
Analyzing transactions – Manual/Blockchain: single transactions between entities; Typical CC tools: overall directional flows between entities; DataWalk: overall directional flows between entities
Automatically identify entities? – Manual/Blockchain: no; Typical CC tools: many; DataWalk: many
How to follow the money? – Manual/Blockchain: manually; Typical CC tools: visualizations and maybe automation; DataWalk: visualizations and maybe automation
Cryptocurrencies supported – Manual/Blockchain: most (manually); Typical CC tools: vary; DataWalk: Bitcoin only
Connect with other data – Manual/Blockchain: manually; Typical CC tools: no; DataWalk: yes
Advanced analytics (e.g., text mining) – Manual/Blockchain: no; Typical CC tools: no; DataWalk: yes
Automating Blockchain Analysis Via "Find Paths" Can Dramatically Increase Efficiency
With the Find Paths capability you can quickly and automatically identify whether cryptocurrency has been transferred from an address of interest to known entities, such as exchanges, via any possible path.
[Figure: a money-flow graph of numbered nodes fanning out from an "Investigative Address" to labelled endpoints: ATM, Scam, ISIS]
• Instant results
• On billions of records
• Unlimited number of hops
• With business logic applied
• All paths / shortest path
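A Find Paths feature is, at bottom, a graph search over money flows with known-entity labels as stop conditions: enumerate every simple path from the address of interest that ends at a labelled node, optionally capped by hop count, plus a breadth-first search for the shortest route to a given entity. The block below is an added example, not DataWalk's code; the flow graph, node names and the LABELS table are constructed, and the `min_value` filter is an assumed stand-in for the "business logic" a real tool would apply.

```python
"""'Find paths' over a money-flow graph.

Added example, not DataWalk's code. The graph is constructed: nodes are
addresses or clusters, edges are BTC flows, and LABELS stands in for a
tool's database of known entities. min_value is an assumed example of a
business-logic filter (ignore flows below a threshold).
"""
from collections import defaultdict, deque

EDGES = [  # (from, to, btc)
    ("inv", "a", 0.5), ("a", "b", 0.5), ("b", "kraken_dep", 0.45),
    ("inv", "c", 0.2), ("c", "atm_x", 0.2),
    ("inv", "d", 0.05), ("d", "e", 0.05), ("e", "f", 0.04), ("f", "scam_y", 0.04),
    ("d", "a", 0.01),        # a second, longer route into the exchange
    ("e", "inv", 0.001),     # a loop back to the start
]
LABELS = {"kraken_dep": "Exchange: Kraken", "atm_x": "ATM", "scam_y": "Scam"}


def adjacency(edges, min_value=0.0):
    """Outgoing edges per node, dropping flows below the business-logic threshold."""
    graph = defaultdict(list)
    for src, dst, btc in edges:
        if btc >= min_value:
            graph[src].append((dst, btc))
    return graph


def find_paths(edges, start, labels, max_hops=None, min_value=0.0):
    """All simple paths from start that end at a labelled node.

    A labelled node terminates a path: once funds reach an exchange, that
    exchange is the subpoena target and we do not trace through it.
    max_hops=None means unlimited; cycles are excluded by the simple-path rule.
    """
    graph = adjacency(edges, min_value)
    results = []

    def walk(node, path, smallest):
        if node in labels and node != start:
            results.append({"path": path, "entity": labels[node],
                            "hops": len(path) - 1, "min_edge_btc": smallest})
            return
        if max_hops is not None and len(path) - 1 >= max_hops:
            return
        for nxt, btc in graph[node]:
            if nxt not in path:              # simple paths only: never revisit a node
                walk(nxt, path + [nxt], min(smallest, btc))

    walk(start, [start], float("inf"))
    return results


def shortest_path(edges, start, labels, entity, min_value=0.0):
    """Breadth-first search: fewest hops from start to a node labelled `entity`."""
    graph = adjacency(edges, min_value)
    queue, prev = deque([start]), {start: None}
    while queue:
        node = queue.popleft()
        if labels.get(node) == entity:
            path = []
            while node is not None:
                path.append(node)
                node = prev[node]
            return path[::-1]
        if node in labels and node != start:
            continue                         # do not route through another known entity
        for nxt, _ in graph[node]:
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    return None
```

On the sample graph `find_paths(EDGES, "inv", LABELS)` returns four paths (two into the Kraken deposit address, one to the ATM, one to the scam); `max_hops=3` keeps only the two short ones, and `min_value=0.1` drops the dust-sized trail through `d`. The recursion is fine for a toy graph; on billions of edges the same search needs an iterative frontier and a pruning rule, which is what the vendor's "business logic" is for.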
Part 5
The Technology Behind Cryptocurrencies
How Bitcoin Works
In 2008 a new design for a digital currency was published by an anonymous programmer going by the name of Satoshi Nakamoto.
Bitcoin was the first system built on a type of database called a blockchain. It was designed to provide a quicker, easier and cheaper way to spend money without a central intermediary.
Bitcoin transactions are confirmed by other participants in the network; the process of checking and confirming transactions is referred to as "mining", and the users who do it are called miners.
The Bitcoin system uses blockchain technology to record transactions and the ownership of bitcoins. This is basically a technology that connects groups of transactions (blocks) together over time (in a chain).
Miners are awarded the fee included in every transaction (plus a block reward of newly created bitcoin).
How Blockchain Works
1. Someone requests a transaction. A transaction can involve cryptocurrency, contracts, records, or other information.
2. The requested transaction is broadcast to a P2P network consisting of computers known as nodes.
3. Validation: the network of nodes validates the transaction and the user's status using known algorithms.
4. Once verified, the transaction is combined with other transactions to create a new block of data for the ledger.
5. The new block is then added to the existing blockchain, in a way that is permanent and unalterable.
6. The transaction is completed.
A new block is created roughly every 10 minutes and consists of new transactions. New blocks are confirmed by users who maintain the blockchain, called miners. They are rewarded for adding new blocks with newly created bitcoin plus all the transaction fees in the block.
Source: https://www.pwc.com/us/en/industries/financial-services/fintech/bitcoin-blockchain-cryptocurrency.html
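To see why step 5 holds, it helps to build the chain yourself: each block commits to its transactions through a Merkle root and to its predecessor through the previous block's hash, so editing one old transaction invalidates that block and every block after it. The block below is an added example, not code from the e-book, PwC or any node implementation; the transactions are constructed, the header layout is simplified, and the proof-of-work target (two leading hex zeros) is a toy so that it runs in milliseconds.

```python
"""A toy block chain showing why the ledger is 'permanent and unalterable'.

Added example, not from the e-book or any real node software. The
transactions, addresses and amounts are constructed; the difficulty is a
tiny proof-of-work (header hash must start with two hex zeros) so mining
takes milliseconds. Bitcoin's real header layout and target differ.
"""
import copy
import hashlib
import json

DIFFICULTY_PREFIX = "00"      # toy target; Bitcoin's is vastly smaller


def sha256d(data):
    """Double SHA-256, the hash Bitcoin uses for block and transaction IDs."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def canonical(obj):
    """Deterministic serialization so equal objects always hash the same."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def tx_id(tx):
    return sha256d(canonical(tx)).hex()


def merkle_root(txids):
    """Hash pairs level by level; an odd last element is paired with itself."""
    layer = [bytes.fromhex(t) for t in txids]
    if not layer:
        raise ValueError("a block needs at least one transaction")
    while len(layer) > 1:
        if len(layer) % 2:
            layer.append(layer[-1])
        layer = [sha256d(layer[i] + layer[i + 1]) for i in range(0, len(layer), 2)]
    return layer[0].hex()


def header_hash(header):
    return sha256d(canonical(header)).hex()


def mine_block(prev_hash, txs):
    """Search for a nonce whose header hash meets the toy difficulty target."""
    header = {"prev": prev_hash,
              "merkle": merkle_root([tx_id(t) for t in txs]),
              "nonce": 0}
    while not header_hash(header).startswith(DIFFICULTY_PREFIX):
        header["nonce"] += 1
    return {"header": header, "txs": txs, "hash": header_hash(header)}


def verify_chain(chain):
    """Re-derive every commitment; return (True, 'ok') or (False, reason)."""
    for i, block in enumerate(chain):
        header = block["header"]
        if header["merkle"] != merkle_root([tx_id(t) for t in block["txs"]]):
            return False, f"block {i}: merkle root does not match transactions"
        if block["hash"] != header_hash(header):
            return False, f"block {i}: stored hash does not match header"
        if not block["hash"].startswith(DIFFICULTY_PREFIX):
            return False, f"block {i}: proof of work not met"
        if i and header["prev"] != chain[i - 1]["hash"]:
            return False, f"block {i}: prev hash does not link to block {i - 1}"
    return True, "ok"


def build_chain(blocks_of_txs):
    chain, prev = [], "0" * 64                 # genesis block has no predecessor
    for txs in blocks_of_txs:
        chain.append(mine_block(prev, txs))
        prev = chain[-1]["hash"]
    return chain


# Constructed sample ledger: three blocks of made-up transactions.
SAMPLE_BLOCKS = [
    [{"from": "coinbase", "to": "1Miner", "btc": 6.25}],
    [{"from": "1Miner", "to": "1John", "btc": 1.0},
     {"from": "1John", "to": "176hgfScammer", "btc": 1.0}],
    [{"from": "176hgfScammer", "to": "3BittrexDeposit", "btc": 0.999}],
]


def tamper_demo():
    """Edit the ransom amount in block 1, then re-mine block 1; the chain still
    fails because block 2 committed to the original block 1 hash."""
    chain = build_chain(SAMPLE_BLOCKS)
    edited = copy.deepcopy(chain)
    edited[1]["txs"][1]["btc"] = 0.01                    # rewrite history
    after_edit = verify_chain(edited)
    edited[1] = mine_block(edited[0]["hash"], edited[1]["txs"])   # redo block 1's work
    after_remine = verify_chain(edited)
    return after_edit, after_remine
```

`tamper_demo()` returns first a Merkle-root failure on block 1 and then, after block 1 has been honestly re-mined, a link failure on block 2: rewriting one transaction means redoing the proof of work for every later block, which is what "unalterable" means in practice once the chain is long and the real difficulty applies.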
Public And Private Keys
In addition to containing addresses, wallets also contain keys.
private key (a large, randomly generated number) → public key (generated from the private key) → address (generated from the public key)
Private keys are like your secret password to unlock your account. Public keys are analogous to bank account numbers. An address is a digital fingerprint (hash) of a public key.
Each arrow is one-way: the public key can be computed from the private key and the address from the public key, but not the reverse. Whoever holds the private key controls the funds at the address.
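The three-step derivation above can be carried out end to end in a few dozen lines. The block below is an added example, not code from the e-book or from any wallet; the secp256k1 parameters and the test vectors (private keys 1 and 2, and the well-known address for key 1) are public standard values, everything else is a from-scratch illustration rather than a production library. It assumes Python 3.8 or later and, for the final hashing step only, an OpenSSL build whose `hashlib` provides RIPEMD-160 (some distributions ship without it, which the `RIPEMD160_AVAILABLE` flag reports).

```python
"""Private key -> public key -> address (Bitcoin P2PKH), step by step.

Added example, not code from the e-book or any wallet. secp256k1 constants
are the public standard values; the rest is a from-scratch illustration,
not a production library. Assumes Python 3.8+ (pow(x, -1, p)) and, for
hash160 only, an OpenSSL build whose hashlib offers RIPEMD-160.
"""
import hashlib
import secrets

# secp256k1 domain parameters (the curve Bitcoin uses)
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

try:
    hashlib.new("ripemd160")
    RIPEMD160_AVAILABLE = True
except ValueError:            # OpenSSL built without the legacy digest
    RIPEMD160_AVAILABLE = False


def _point_add(a, b):
    """Add two affine points on secp256k1 (None is the point at infinity)."""
    if a is None:
        return b
    if b is None:
        return a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                                    # a + (-a) = infinity
    if a == b:
        lam = (3 * x1 * x1) * pow(2 * y1, -1, P) % P   # tangent slope (doubling)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P      # chord slope
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def scalar_mult(k, point=G):
    """k * point by double-and-add. This is the one-way step: computing the
    public key from k is cheap, recovering k from the public key is not."""
    if not 1 <= k < N:
        raise ValueError("private key must be in [1, n-1]")
    result, addend = None, point
    while k:
        if k & 1:
            result = _point_add(result, addend)
        addend = _point_add(addend, addend)
        k >>= 1
    return result


def compressed_pubkey(k):
    """33-byte SEC1 encoding: 02/03 (parity of y) followed by x."""
    x, y = scalar_mult(k)
    return bytes([2 + (y & 1)]) + x.to_bytes(32, "big")


def hash160(data):
    """RIPEMD160(SHA256(data)): the 'digital fingerprint' of a public key."""
    return hashlib.new("ripemd160", hashlib.sha256(data).digest()).digest()


_B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def base58check(payload):
    """Base58Check: payload || first 4 bytes of SHA256d(payload), in base58."""
    check = hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    data = payload + check
    num, out = int.from_bytes(data, "big"), ""
    while num:
        num, rem = divmod(num, 58)
        out = _B58[rem] + out
    pad = len(data) - len(data.lstrip(b"\x00"))        # leading zero bytes -> '1'
    return "1" * pad + out


def address_from_private_key(k, version=b"\x00"):
    """Legacy mainnet P2PKH address (starts with '1') for private key k."""
    return base58check(version + hash160(compressed_pubkey(k)))


def new_private_key():
    """A fresh private key is just a uniformly random integer in [1, n-1]."""
    return secrets.randbelow(N - 1) + 1


if __name__ == "__main__":
    k = new_private_key()
    print("private key :", hex(k))
    print("public key  :", compressed_pubkey(k).hex())
    if RIPEMD160_AVAILABLE:
        print("address     :", address_from_private_key(k))
```

Private key 1 is the textbook check: its compressed public key is `02 79BE…1798` (the generator itself) and its P2PKH address is `1BgGZ9tcN4rm9KBzDn7KprQz87SZ26SAMH`. Every step is deterministic and one-way, which is exactly why a block explorer can show the address but never the key, and why a wallet backup is the private key, not the address list.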
Appendix 1
Doing Manual Investigations
Manual Investigation Process
1. Take a specific bitcoin address to track. Open a block explorer (e.g., blockchain.com) and search for this address.
2. Search the darknet using various types of tools to identify addresses and related entities / attributes.
3. In WalletExplorer* or OXT** you can check whether this address has been clustered (co-spending).
4. Check all inputs and outputs of this address (click in): check the number of transactions, total money spent and received, transaction dates, etc. Check this address and other related addresses in multiple sources (see Appendix 2) to see whether it has been reported as a scam, fraud, etc.
Trouble ahead: this gets unmanageable quickly as the number of addresses and transactions grows.
* Data on WalletExplorer is no longer being updated, so its usefulness is quickly decreasing.
** OXT has a very limited number of identified businesses.
Appendix 2
Useful Sources For Investigations
Useful OSINT Sources For Investigations (Resource – Description)
Blockchain.com – See addresses and transactions. Follow the money.
OXT.me – See addresses, clusters (some are known) and transactions. Follow the money.
KYCP.org – Check your coin privacy.
BitcoinWhosWho.com – Address check (see if an address has been associated with a scam, etc.)
BitcoinAbuse.com – Address check (see if an address has been associated with abuse, etc.)
CheckBitcoinAddress.com – Address check (see if an address has been mentioned online, etc.)
WalletExplorer.com – See addresses, clusters (some are known) and transactions. Follow the money.
bitinfocharts.com – See addresses and transactions. Follow the money (additional statistics and graphs).
blockchair.com – See addresses and transactions. Follow the money.
C-hound.ai – See addresses and transactions. Follow the money (visualization and additional statistics).
ahmia.fi – Darknet search engine.
blocksherlock.com – Crypto investigation framework.
Glossary
Altcoin – all cryptocurrencies other than Bitcoin.
Cluster – group of addresses controlled by a single entity (i.e., an individual, exchange, ATM).
FIAT – in cryptocurrency and financial circles, the term "FIAT" is commonly used to refer to traditional, government-backed currencies.
KYC – know your customer or know your client (KYC) guidelines in financial services require that professionals make an effort to verify the identity, suitability, and risks involved with maintaining a business relationship with an applying entity.
Miners – special users who use their own computers (servers) to confirm transactions and who perform the process of creating new bitcoin.
Mining – or cryptomining, is the process of creating new bitcoin by solving a computational puzzle.
Token – a special kind of cryptocurrency. Tokens in Ethereum can represent almost anything, e.g., shares in a company, traditional currency, lottery tickets or even ounces of gold.
Wallet – a software program that stores private and public keys (addresses) and interacts with various blockchains to enable users to send and receive digital currency and monitor their balance.
Webinars
A Simple Introduction To Cryptocurrency Investigations: https://datawalk.com/webinar-a-simple-intro-to-cryptocurrency-investigations/
What Every Analyst Should Know About Cryptocurrency Investigations: https://datawalk.com/efficient-cryptocurrency-investigations/
© 2020 DataWalk Inc. All rights reserved.
www.datawalk.com