How to track Bitcoin transactions

https://unsplash.com/photos/dV7UYaPtv6w

Using cryptocurrencies like Bitcoin, all the transactions we make will stay in the blockchain forever and ever and anyone will be able to check them. Knowing what to look to, it could be possible to perform an investigation of our transactions. Let's see an example of a chain analysis investigation proposed on the osintops.com blog and performed starting from a transaction pointed out in this article written by Brenna Smith.

The transaction, according to this document, was carried out by a group of Russian secret agents and was intended to manipulate the work of the US Democratic National Committee and Hillary Clinton’s presidential campaign.

Performing such analysis there are two main questions that we need to answer:

  • where are the bitcoins from?
  • where were they sent?

This approach should allow us to identify not so much who managed the bitcoins but rather who could provide us with some information about it, like exchanges and payment processors. Indeed, even if we know that blockchains do not store personal information, nowadays it is almost essential to interact with online services by performing KYC (know your customer) procedures when handling cryptocurrencies.

Where are the bitcoins from?

To find an answer to this question we will use one of the many blockchain explorers available: bitcoinwhoswho.com. This service is able to provide additional information about the addresses we are checking (scam reports, links to web pages where they are mentioned, information about the owner, etc.).

In combination we will use walletexplorer.com: this service uses algorithms that could associate bitcoin addresses with others to reconstruct a wallet and relate it to known entities such as exchanges, darknet markets, gambling sites, etc.

The transaction used to start this analysis was disposed by the address 1LQv8aKtQoiY5M5zkaG8RWL7LMwNzVaVqR. Unfortunately, in this case, the analysis of the address via bitcoinwhoswho.com did not provide any additional information.

We can also observe that the address was involved in only two transactions, one incoming and one outgoing.

Even walletexplorer.com is not able to provide us any useful information: the wallet consisting of the address being analyzed alone cannot be connected to any known name, nor is any further bitcoin address aggregated that could be associated with the same user.

To continue finding an answer to our question, let's take another look at the transactions in which the address 1LQv8aKtQoiY5M5zkaG8RWL7LMwNzVaVqR was involved.

 The incoming transaction, indicated by the green arrow, comes from the address 1HF9VgN3AcA5RJd6ZUPnXdETmFbYmikveN.

This address also made only two transactions of which it is not possible to obtain additional information either via bitcoinwhoswho.com or walletexplorer.com.

So, with the same approach, let's continue to analyze the address that sent bitcoins to the one we are looking to, checking them with bitcoinwhoswho.com and walletexplorer.com.

Doing so, we will encounter this addresses:

  • 1Fj4RkrtnnMn5mBtQFW5ZkzEw4vGyCoRe9;
  • 1KSkbN7JHYxBSoYwuuWuzA4dpZf9TKP6V8;
  • 1AB99VvWeLtRcEZ6yubX1Cqvcvi4bPH6R6;
  • 13ZMs871ZBcTTauhXDpRQ6hDaTaPcPVmTY;
  • 1MS4KRpKakzTEUFzcU9PHCbs2f1u9a1aL4;
  • 1MYQzejdwhiU83qy4SsLKcm7CwV5XxVFRn;
  • 1ECFBdcnfhVWcGG6k4p4Pt4J9ciQsK8wEn;
  • 1GN5ZGGQsgQGQdP5Yc2LAWUKssrLk5YRbc;
  • 1KgUcHDuWLVzFxVnwp3u5jZw3FmorjG1jD.

The last address, unlike what happens with the others, receives bitcoins from four different addresses.

These addresses seem to be involved in an intenser activity. Walletexplorer.com clusters all 4 addresses in the wallet with ID 0001d2e726, whose activities are mostly inbound transactions attributable to the exchange Cex.io.

So, we are now able to state that the transactions we are looking to involve bitcoins that were purchased through the Cex.io exchange.

Where were the bitcoins sent?

Now let's take a look at the transactions disposed by the owners of the bitcoins after they bought them at Cex.io. Looking at the addresses we have encountered by now, we can see that every time there is an outgoing transaction sending coins to two addresses:

  • one receiving a larger amount which is gradually carried forward from transaction to transaction;
  • one receiving a smaller amount, which often consists of more decimal digits. 

Peel chains

This transactions schema is usually called peel chain. In peel chains, users send bitcoin to an intended destination address, maybe because they are paying something, and receive the remaining part, named change, on a new address that is in their control. This happens because the Bitcoin protocol does not allow to spend any desired amount but only allows to forward amounts that were previously received and have not yet been involved in transactions. These amounts are called UTxOs (unspent transaction outputs).

Analyzing peel chains can give us two kinds of information:

  • we can collect a lot of addresses belonging to the target of our identification;
  • we will encounter a lot of payments made by the target of our investigations and, some of them could lead us to new evidence regarding our target.

The main challenge in this kind of analysis is to determine which address is receiving the change and which one is the recipient of the payment. This can be done by making considerations on the amounts and the addresses involved. So, we should be able to determine, for any transaction, which address will receive the funds of the target of our investigation and which one is receiving their payment.

How to go up the chain of transactions

Let's start following the chain from the first address that received the bitcoins purchased from Cex.io. This is the starting point of the peel chain.

In this case, the address that receives 0.8 bitcoin, 1N5hfyuGVZbTR78zXQ22kjUyCwZbgB8yhw, is most likely the actual destination address, while the address that receives 11.04445 bitcoin, 1GN5ZGGQsgQGQdP5Yc2LAWUKssrLk5YR, is the change address. It is very unlikely that a user could make a transaction of 11.04445 bitcoins (even by specifying the sending amount in FIAT currency on their client) and get a change of exactly 0.8 bitcoins.

Analyzing the address 1N5hfyuGVZbTR78zXQ22kjUyCwZbgB8yhw with walletexplorer.com, it is not traced back to any known person or entity.

This does not mean that it is not possible to trace the address to an exchanger or a payment intermediary but rather that walletexplorer.com was unable to identify who presumably controls the address.

Continuing to follow the sequence of payments, observing the transaction made from the change address 1GN5ZGGQsgQGQdP5Yc2LAWUKssrLk5YRbc and considering the behavior assumed in the other transactions examined, we can assume that the actual recipient is the address 1Mut7bPWhQS2NkTQ6wUpRtbV65vyELBqcs and the change address is 1ECFBdcnfhVWcGG6k4p4Pt4J9ciQsK8wEn.

 

Analyzing the information provided by walletexplorer.com, confirming what we hypothesized a little while ago, 1Mut7bPWhQS2NkTQ6wUpRtbV65vyELBqcs is traced back to the payment intermediary BitPay.com.

Now, look at the outgoing transaction made from the address 1ECFBdcnfhVWcGG6k4p4Pt4J9ciQsK8wEn.

Transazione 3

We assume, with the same criteria adopted for the previous transactions, that the destination address is 1ChwFk9Wtq7zav6TRnxE8e8xgf5daFXV5D, while the change address is 1MYQzejdwhiU83qy4SsLKcm7CwV5XxVFRn. Also, in this case, walletexplorer.com was unable to link it to any known service.

Wallet Explorer 3

Continuing along the flow of transactions, analyzing the transactions disposed by every encountered change address, we can find the following destination addresses:

  • 13ov4UBJYJQBC1Tv5vEvijShn2vWS3vPrJ, not attributable to any entity;
  • 1Atc1n6rCm7GMpW1JsRuwF8b2hWQJjxi6i, not attributable to any entity, but recipient of an unusually high amount equal to 5 bitcoins;
  • 13DD8uH3FMZbJjXnSgZfL2MMTxesT9qUgJ, not attributable to any entity but grouped with other 6 addresses that could be further examined;
  • 1Hy8Comf7wyBtqgGzph3fX8Ky6S5t8eXeh, attributable to the same wallet as the address in the previous point;
  • 1DLTLvpev16LemyDtuyEL2WnyLskcPSvKM, attributable to CoinPayments.net;
  • 1J8LeRgSwuHqfJuFX3Uo62WnDNFsNuAygR, attributable to BitPay.com;
  • 1Jkoon938Pe66whJgZZwxn6zzjKMLkFRCX, not attributable to any entity;
  • 14mUSXvddwR9qgBr93BGXEAcgRw84jEtaG, not attributable to any entity;
  • 1NZ4MSeYcDKFiPRt8h7VK6XMhShwzhCzCp, not attributable to any entity.

This last address is the one that received the transaction from the address 1LQv8aKtQoiY5M5zkaG8RWL7LMwNzVaVqR, cited in the article from which we began our analysis.

Let's recap

Returning to the main discourse, in the following image, we can graphically observe what we have reconstructed so far with our analysis. The change addresses are represented by circles that get smaller and smaller, to represent the part of bitcoin that is used to make payments.

What else should we look at?

To obtain more information, the aforementioned wallet of seven addresses, including 13DD8uH3FMZbJjXnSgZfL2MMTxesT9qUgJ and 1Hy8Comf7wyBtqgGzph3fX8Ky6S5t8eXeh, could be examined.

Furthermore, we can observe that the aforementioned address 1Atc1n6rCm7GMpW1JsRuwF8b2hWQJjxi6i, with the transaction made on 23 December 2015, receives 5.0 bitcoins, unlike other transactions where the amounts are much smaller. This could be a more substantial payment but, considering that less than 12 bitcoins were handled at the beginning of the transaction sequence, it could also be that the user of these addresses wanted to split the managed bitcoins and start another sequence of transactions. In fact, the following transaction is destined in favor of the addresses 1HbKVbT2k82JcMrvErwWMhJPGHjSo8iLBK and 1JX9Q7fqn9TajUe4F6vjWGtGnD2wqnXTii. Of these, the address 1HbKVbT2k82JcMrvErwWMhJPGHjSo8iLBK is associated, by walletexplorer.com, to the payment intermediary BitPay.com.

And now?

Now we arrived at the starting point of our analysis and we were able to determine that the target of our investigation bought bitcoins from Cex.io and made many payments, also using payment processors like BitPay.com and CoinPayments.com. So, let's take a look at what our targets made with their bitcoins after the aforementioned transaction.

We can see that the transactions continue with the same pattern: one address receives a lower bitcoin amount and with fewer decimal digits and another receives the so-called change of the transaction, a higher amount and with more decimal places.

With the same rules used up to now, we can state that the address 1NZ4MSeYcDKFiPRt8h7VK6XMhShwzhCzCp is the one that receives the bitcoins, while the address 1AK79g9gpvZ8jn2C9MsWQpijMFA5JaTdqP is the one that receives the remainder of the transaction.

In this case, walletexplorer.com does not give us any information on the destination address.

Now let's look to the change address 1AK79g9gpvZ8jn2C9MsWQpijMFA5JaTdqP with bitcoinwhoswho.com.

Also in this case the situation is the same seen in most of the cases of our analysis. By now we shouldn’t have difficulty recognizing that the address 153LqeB1mQa8xDaQDyvhWTCNweVTDeH9BE is the actual destination of the payment while the address 1RBiVomgGeqqRm4NQkJhmffWtAfJDdjFr receives the change. So let’s see what walletexplorer.com can tell us about the payment destination address.

In this case, the address was traced to CoinPayments.net. Let’s continue with our analysis and see what happens in the subsequent transactions. To do this we need to analyze the transactions made by the address 1RBiVomgGeqqRm4NQkJhmffWtAfJDdjFr.

If we search for the destination address with walletexplorer.com, we notice that it is not traced back to any known entity, but is still associated with a wallet with great activity, 211.023 transactions! Similar behavior is typical of an exchange or payment intermediary. It is difficult to imagine a person carrying out such several transactions.

Going forward, observing the transactions carried out from the change address identified from time to time, we will notice the following payment destination addresses:

  • 1AV6NxfKYTwDSqbcGFn76KtAFHwCDYScHi, not related to any entity, but associated with the same wallet with ID 0000979937 of the previous case;
  • 1G85zgoQu1VeEaH4gQwyfS9VQqUxBJD6bb, not linked to any entity, but associated with the same wallet with ID 0000979937 of the previous cases;
  • 1MYQwTsamJ18WnaeggkF4Tboms5ySHp2VA, not linked to any entity, but associated with the same wallet with ID 0000979937 of the previous cases;
  • 1PQAL7HxjzuoKVAbbTijkZ3mPZWhtgEjYM, not related to any entity, but associated with the same wallet with ID 0000979937 of the previous cases;
  • 1MRFjrnChHPMP9WH797Tg27eZNzQexQW6S, not attributed to any entity;
  • 1EMVNB1aGTdL48oi2T6t4wZLUDQ9Kc5ddv, not linked to any entity, but associated with the same wallet with ID 0000979937 of the previous cases.

Continuing, we arrive at the address 1HvWTwViSsy8j5Z9QWCGKKFiSCgDe1uLAM, which receives the change of the previous transactions. Looking closely at the transaction amounts, it could seem a bit strange.

Indeed, the address seems to receive 1.37587747 bitcoins, but it spends 2.70223736! It seems absurd. Instead, it is a deceptive display of information provided by bitcoinwhoswho.com. The service only displays information strictly related to the address you searched for. To understand what happened, we must first note the string 23e7879eaa2c2757d049f1a22a176dda4907be407aa70fdcc3ea4a5b57754f52 written above the “anomalous” transaction. This is the transaction identifier, called hash. To be able to understand it we need to query another blockchain explorer, for example, blockchain.com.

By doing so, we can see that the address 1HvWTwViSsy8j5Z9QWCGKKFiSCgDe1uLAM is not the only sender of the transaction.

The bitcoins also come from the address 16xyGaTT2dQipfhUz8rNPR4L98xx7zQ9Et. If a transaction comes from two addresses or more addresses, the person who made it must have the private keys of all of them to sign it. In this case, we can therefore say that the user has both addresses, or that both addresses are part of the same wallet.

Note that the address 16xyGaTT2dQipfhUz8rNPR4L98xx7zQ9Et already had some bitcoins available when we encountered it. So this address will also have its own history and flow of transactions. If we begin to observe the transactions linked to this flow, we notice that the behavior is almost identical to that seen so far.

Our address receives its bitcoins from the address 17SLcA24f4s3RXupPWWAdJsfJcdhyRivfF.

This address, continuing backward, receives the bitcoins from the address 17GKzWc4m7kEPxvoHAtPisvtZ7Qnk2sMd and carries out a single outbound transaction, of which the address 1ZeSmMCHFqd6Gg8y3NhrChVTyTPbUkneJ that receives 0.144816 bitcoin is that of the actual destination and the address 16xyGaTT2dQipfhUz8rNPR4L98xx7zQ9Et that receives 1.32640989 bitcoin is the change one.

By going backward, we can try to get to the point where these bitcoins may have been bought. Using the same techniques we have seen so far we can see that the bitcoins come from the same wallet linked to Cex.io, which we met in the first part, with ID 0001d2e726 on walletexplorer.com.

Here is an image that can help to understand what is happening. There are two flows of transactions that start from the Cex.io exchange (this suggests us there were two purchases made by our targets from that exchange): one is the one we followed in the first two parts of our analysis and one is the one we have just encountered. The two flows merge when the bitcoins in the availability of the addresses 1ZeSmMCHFqd6Gg8y3NhrChVTyTPbUkneJ and 16xyGaTT2dQipfhUz8rNPR4L98xx7zQ9Et are used to carry out the same transaction.

So far we have only taken care of the senders of the transaction where we noticed the cospending by two addresses. But let's also take a look at the recipients of the transaction.

We find the address 1DqYiuVPjxrS3tkE8VeSorvx4ZEeR3oGkZ, which receives 0.20223736 bitcoins, and the address 1AgEeJ1cNWpXxABaTysv4CM6MqARSnXFce, which receives exactly 2.5.

With the criteria adopted so far, we will certainly agree that the address that receives 2.5 bitcoins is the actual destination. We said that a user is unlikely to want to make a transaction by specifying an amount of 8 decimal places, resulting in a change of exactly 2.5 bitcoins.

In this case, we can strengthen our claim considering that we have seen two sender addresses. If a user wanted to transfer 0.20223736 bitcoins it would not make sense to use both the sender. In fact, at the time of the transaction, observing the history of transactions received by each of the senders, the address 16xyGaTT2dQipfhUz8rNPR4L98xx7zQ9Et had 1,32640989 bitcoins available.

and the address 1HvWTwViSsy8j5Z9QWCGKKFiSCgDe1uLAM had 1.3758774 bitcoins available.

So we can assume that our target had the intention to transfer 2.5 bitcoins. If the user of the addresses had wanted to transfer only 0.20223736 bitcoins, it would have been enough for him to use only one of the two addresses.

Since we have found abnormal behavior compared to what we have seen so far, we need to carefully analyze what both destination addresses do: we could find ourselves in front of either a more substantial payment, or a consolidation transaction, that is, a transaction carried out to collect the balances available on multiple addresses in one.

Continuing to analyze our flow of transactions, from the address 1DqYiuVPjxrS3tkE8VeSorvx4ZEeR3oGkZ we will find a situation similar to what we have seen by now, with transactions that have two destinations addresses, a recipient and a change.

In the picture, we can see a reconstruction of what's happening.

Continuing to follow the peel chain as we did so far, we will find the address 155HWPsNcBGxMuMgiQjhAUD2ggCMGLVm9X.

The address was only involved in an incoming transaction. The actual amount, 0.00003139 is so small that the user has probably decided to don’t use it anymore.

At this point, we can say that we have followed a flow of bitcoins in which multiple transactions were made to different payment processors, gradually reducing the amount that was carried forward as change, up to an amount of practically zero and above all point where the flow of transactions stops.

The 2.5 bitcoins transactions

We do not have to forget that we have yet to observe where the 2.5 bitcoin transaction mentioned above went.

In this part of our analysis, let’s see what happens to the 2.5 bitcoins transferred. Such a precise amount was certainly intentionally transferred, it is not a random change. However, in most of the transactions examined so far, we have seen much smaller amounts sent to the actual recipients. Therefore, it is good practice in an analysis of any kind, to pay more attention to all those behaviors that “break” the regularity, trying to identify the reasons that could have given rise to the anomaly.

Let’s immediately start looking at what has been done with the address we are examining.

The address was involved in a single outgoing transaction, in favor of two addresses: 1J8kvixEnAnGDEDwkfqJS246sXdW1mhkvB, which receives 0.99805659 bitcoins, and 1NPgLU4sVj5ww2UZ8DktDSYm7kLJN6sYq1, which receives 1.501685 bitcoins. In this case, it is not at all easy to understand which of the two is the actual destination address and which is the change address. A single sender address is involved, which spends all the available balance, and both destination addresses receive an amount with 8 decimal digits.

So, to avoid that we can miss something, we must carefully examine both addresses, looking for behaviors similar to those already seen so far or for interactions with known entities.

First recipient address

Let’s start by observing the behavior of the address 1J8kvixEnAnGDEDwkfqJS246sXdW1mhkvB, which received 0.99805659 bitcoins.

Unlike what we have seen so far, this address received an amount of almost one bitcoin but did not spend it. In these cases, checking the address with walletexplorer.com will not give great results. The data shown by this service are based on the activity that was done with the addresses. In this case, since there has been practically no activity, it will not be possible to group this address with others or to trace it back to known entities.

This is a new situation, we have an address that has a substantial amount of bitcoins and has not yet spent them. This does not mean that the user, from one day to the next, cannot decide to use this address to carry out a new transaction and provide us with new information.

However, even if in this case we have only one address to observe, as it could carry out transactions, it is not at all practical to think of checking every day if the balance has changed.

In such cases, we can take advantage of a service that is right for us, offered by the Blockonomics site. Once we have created a free account, we have a service called “Wallet Watcher”, which allows us to keep an eye on multiple addresses simultaneously.

We can add multiple addresses and label them for easy recognition. From the settings tab, ticking the appropriate box we will receive an e-mail alert whenever one of the observed addresses is involved in any activity.

Second recipient address

Continuing our analysis, let’s now look at the address 1NPgLU4sVj5ww2UZ8DktDSYm7kLJN6sYq1 which received 1.50168541 bitcoin, in the transaction reported at the beginning of this part of our analysis.

In this case, the bitcoins were all spent, in a single transaction.

This is a single transaction that sees 11 other addresses among the senders and was carried out in favor of 6 other addresses. In our analysis, we have never encountered a transaction involving so many addresses. Instead of starting immediately to examine all the addresses, grouping them in a single wallet and observing each of them where it got its bitcoins, let’s try to understand who we are in front of. Let’s search our address with walletexplorer.com.

As we can see, walletexplorer.com has grouped the address in a wallet that has carried out 232.621 transactions! It is a wallet that, based on the reconstructions carried out by the algorithms of walletexplorer.com, contains 37.632 addresses, too many for a single person.

Let’s go back for a moment to the previous image, which shows the activity carried out with the wallet which includes the address we are examining. As we can see, outgoing transactions are directed to spectrocoin.com.

What could have happened?

Let’s start by understanding what spectrocoin.com is. It is an online service that allows you to exchange different types of virtual currencies with each other or to buy and sell them using FIAT currencies.

However, the currencies displayed at the time of the analysis may be different from those accepted at the time of the transaction. Let’s try to understand what the situation was at the time of the transaction, therefore, approximately, in  April 2016. To do this we can use a service called WayBack Machine. Let’s search the spectrocoin.com page and view the available data.

There are various data relating to 2016. In particular, there is a capture of the site that dates back to April 8, coincidentally the day on which the transaction we are studying was carried out.

As we can see, at the time of the transaction, the site only supported Bitcoin and no other virtual currency. In particular, the site could be only used to buy and sell bitcoins.

At this point, we can assume that the 1.50168541 bitcoins transaction, carried out to the address 1NPgLU4sVj5ww2UZ8DktDSYm7kLJN6sYq1, was aimed at exchanging bitcoins into FIAT currency or making a payment through the SpectroCoin virtual card. Unfortunately, at this point, the information is no longer present in the blockchain but is in the exclusive availability of those who manage spectrocoin.com.

Summary

Starting with a single bitcoin transaction, we were able to:

  • identify other related transaction flows;
  • understand that the bitcoins were probably purchased from the Cex.io exchange;
  • reconstruct the scheme by which bitcoins were regularly used to send payments through BitPay.com and CoinPayments.com, following the rest of the transactions;
  • follow a flow of transactions until its exhaustion;
  • identify when bitcoins have likely been converted back into FIAT currency via SpectroCoin.com.

The analysis we conducted started with a casual transaction. The scenario in front of us is always unpredictable. The more tools we master, the greater chances we will have of being able to productively analyze any scenario we will encounter.

Unfortunately, once we arrive at an exchange, it would unlikely share information about its customers with us, unless we can use the powers of the law Enforcement Agencies or of the Judiciary.

 

This article was updated on May 15, 2024