Dust transactions, what are they?
When dealing with virtual currencies such as Bitcoin, we know that it is possible to obtain the details of every single transaction. However, it remains extremely complicated to solve another big question regarding virtual currencies: who is hiding behind any address?
There are many services, such as walletexplorer.com or oxt.me that can:
- associate an address with others as they are part of the same wallet based on their use (aka clustering);
- provide information on the entity that owns the reconstructed wallet (aka tagging).
In addition to free access online services, such as those mentioned, there are companies specializing in blockchain intelligence. In addition to providing valuable tools that make analysis and investigations easier, they use complex heuristics for clustering and tagging cryptocurrency wallets.
How can we investigate the blockchain?
Regarding the clustering techniques, we talked about them in this post.
Suffice it to say that, knowing in depth aspects of Bitcoin such as the format of the addresses and the management of the amounts to be transferred, it is possible to deduce that multiple addresses are associated with the same entity.
Using clustering techniques and starting from an address whose entity that manages it is known, it will be possible to associate the whole reconstructed cluster with it.
How does clustering work
Let’s take a look at the following transaction:
If we are aware that the address 1KKJ992kekD8KHMhGVLmkGodBPzVaoky88 belongs to entity A, we can say that also the other sender address belongs to the same entity A. This clustering method is called “co-spending”. It is based on the assumption that to spend the bitcoins of multiple addresses it is necessary to sign the transaction with the private key of each of these. Therefore, whoever arranges the transaction must simultaneously have all the private keys available and it is unreasonable to think that these are in the availability of foreign subjects.
Knowing the Bitcoin protocol better, especially considering that:
- transactions consist in forwarding amounts previously received and not yet spent;
- in transactions, there is generally a change address that receives the part of bitcoin used in the transaction that is not intended to be sent to the recipient and is not intended to be paid as a fee;
- transaction fees are generally determined by the clients used on the basis of the byte weight of the transaction;
it is possible to associate the cluster also to the address receiving the change of the transaction.
In fact, in this case, if the purpose of the transaction had been to send 0.00682001 bitcoins to the first address, it would not have made sense to use both amounts to weigh down the transaction. So we can say that the address 1GkYDvrGzDCXmnx8P9VTKByWSnrzNfzGQL also belongs to entity A, since it received the change of the transaction.
What about tagging?
Once we understand how to associate multiple addresses with each other, we need to understand how to link them to a known entity. In addition to using the aforementioned services, we can think of searching online for each address of the cluster using various services such as BitcoinWhosWho or by searching on portals such as BitcoinTalk or Keybase.
It may happen that these methods give positive results, but often this is not the case. And if you are dealing with entities that are particularly attentive to anonymity such as black markets, it will be even more difficult to find information online. The difficulty increases with the markets created most recently. In fact, it is not unusual to find a lot of information on wallets from past markets, such as Silk Road or Alphabay, while for more recent markets, information is scarce.
To be able to find something useful you can try to stir things up a bit, using a so-called “dust transaction”.
Dust transactions
These transactions take the form of sending very small amounts of bitcoins to a large number of addresses. Below you can see an example:
The transaction features over 2700 destination addresses and an amount spent that does not even reach 0.03 bitcoins. If, when the transaction is prepared, the ownership of each address is noted, it will be possible, studying its future activity, to reconnect it to other addresses and perhaps reconstruct at least part of the wallet of the subject we are examining.
Basically, with a dust transaction, we are creating a starting point for an analysis aimed at the reconstruction of a wallet of interest.
Such an analysis makes sense if the transaction is directed to addresses that would otherwise not be used or disclosed. Otherwise, if we are dealing with addresses already in use, mere monitoring would be more than enough. Instead, let’s think of services that automatically provide a new address every time they request payments in bitcoin. The addresses generated will still be in the availability of the service, but if they do not receive transactions they will not be used and no further analysis will be possible.
A practical case: black markets
An analysis of this type may well be applied to a black market, especially those that have an escrow wallet. In practice, those markets keep the balance of each user and reduce it as they make purchases.
Let’s register a test account on such a market, for example, BigBlueMarket (now offline) and let’s try to top up our available balance.
From the main page, we see that the balance of the newly created account is zero and that we can click on the appropriate link “deposit funds”.
In this way we will see a new screen, where there is an address associated with our account and towards which we can arrange a transaction. By doing so we will have funds available to make purchases on the market.
We got the address 19t8ESJ6iMWbBMNT1qS5nnHxZT2ijQhWww. By sending bitcoins to it, our balance will automatically be increased. We have to consider that the address is not in our availability, but is managed by the market administrators. As we make purchases, there will be no corresponding transactions starting from the identified address, but only an update of a record in the market’s database. The address will always remain in the exclusive availability of the market administrators. In addition, if there was a direct transaction to the seller’s wallet, this could seriously compromise their anonymity and dissuade them from selling on that particular market. Therefore, to maximize the anonymity of users registered on the platform, it is reasonable that the individual trades are managed off-chain by the market.
The advantages of “dust transactions”
The activity of the Bitcoin addresses used to top up accounts will not follow a trend that will reflect the actual activity performed on the market. Therefore, it is more than reasonable to think that at some point the administrators will also use the bitcoins of the address we have (hypothetically) reloaded for various reasons.
If instead of reloading a single address, we send a very small amount of bitcoins to different addresses, it will be very likely that some of these will be used together with other addresses in the market. Thus, little by little, it will be possible to at least partially reconstruct the wallet used by the administrators that manage the market.
In doing so, we have created various starting points to rediscover the black market's wallet. As soon as the administrators move the funds either for a withdrawal requested by a seller or to withdraw their earnings, they will most likely also use some of the bitcoins present on the addresses we know. By doing so, using this address together with others in a single transaction, we will be able to reconstruct the market wallet a little at a time.
Holders of the wallet could make a “coin selection” before arranging the transactions and notice the presence of dust transactions, avoiding spending them and compromising their anonymity. However, by carrying out similar transactions to a large number of addresses, relating to different entities of interest, with a negligible expense it could be possible to reconstruct and tag a large number of wallets.
Conclusions
Dust transactions are one of the methods used to try to find information on cryptocurrency wallets. Clearly, it is a method with several contraindications. In particular:
- it is better to use it only when there are no other viable roads;
- it requires a cost as, albeit small, a Bitcoin transaction must be arranged;
- the target of the investigation could notice the dust transaction and become aware of our interest;
- sending a transaction to the target must be done with due caution so as not to reveal information about us and obtain the opposite effect to that hoped for.
However, if used with due care, dust transactions can sometimes give a turning point to investigations that cannot otherwise be resolved, in particular with limited resources or little time available.