Following the money!
Following the money
• We now understand the blockchain
• We now need to consider how to follow the money
• We have techniques to find addresses from the web, physical places and from devices.
• Addresses are used in transactions
• Transactions have their own metadata
Following the money
• Because addresses are Base58 strings and transaction IDs are hex, following them can quickly become complex
• Need to take it slowly
Following the money
• We can use online resources to help us gather addresses in use by the same person or organization
• TIP – I use the first 5 characters of any address in my notes. It is very rare to see the same prefix twice, and it helps stop ‘address blindness’.
• Let's look at https://bit.ly/2RpSf5t
Following the money
[Screenshot of a block-explorer transaction view, annotated: TX_ID, Date, the address/es sending from and the address/es sending to]
Following the money
‘Blue Ball’ will take us back to the previous transaction
‘Red Spent Ball’ will take us to the next transaction
Following the money
Red total is funds sent FROM our target address
Following the money - Clustering
• Clustering addresses is a vital skill
• Discover an address in a cluster we can identify
• By inferring what addresses belong to the same person we can extend our investigation
• Number of ways to achieve this
• REMEMBER – we are inferring ownership and it
Following the money - Clustering
• Input addresses – usually the same private key
[Diagram: one transaction with input addresses A and B]
Following the money - Clustering
[Diagram: one transaction with inputs A and B; a later transaction with inputs B and C]
• Input addresses – addresses used alongside other input addresses: C clusters with A and B.
Following the money - Clustering
• Change addresses – if each individual input value (A, B or C) is more than one of the outputs but less than the other, the smaller output is the change
[Diagram: two outputs of 1.5 and 3.5]
Following the money - Clustering
• Different address types.
• 1… address paying a 3… address – 1… is the change
[Diagram: a 1… input address; outputs to a 3… address and a 1… address]
Following the money - Clustering
• Different address types.
• 3…. address paying a 1…. address – 3…. is the change
[Diagram: a 3… input address; outputs to a 1… address and a 3… address]
Following the money - Clustering
• Multi-signature wallet addresses
• Multi-sig address paying a non-multi-sig address and a multi-sig addr… the multi-sig is the change
[Diagram: 3… multi-sig inputs; outputs to a 2 of 3 multi-sig address and a 2 of 3 address that is not multi-sig]
Following the money - Clustering
• Look at https://bit.ly/2RsVE3L
• What addresses belong to the person paying?
• ALL INPUTS BELONG TO THE SAME PERSON!
Following the money - Clustering
• We can infer that the 19Gmgg address is the change address.
• Click on it and we can use the same process to see other addresses owned by the same person
Following the money - Clustering
• Look at https://bit.ly/2ACfXWI
• What addresses belong to the person paying?
Following the money - Clustering
• Look at https://bit.ly/2P3Gu8p
• What addresses belong to the person paying?
Following the money - Clustering
• Change addresses are normally dynamic
• Generated by the wallet when a transaction is built
• In this case we would expect there to be no prior transactions
• Look at the transaction date
• Do the addresses have previous transactions?
Following the money - Clustering
• This helps us to infer that 1M96j is the change address and hence can be clustered with 18aBQ
Following the money - Clustering
• There is another way to infer a change address and that is where different address types are used.
• Take a look at https://bit.ly/2yIOe5v
• Where a user of a 1 address (P2PKH) pays a 3 (P2SH) or a bc1 (Bech32) address, the change address will always be a 1!
Following the money - Clustering
• Or in reverse, a 3 address paying 1 or bc1 addresses.
• The change will almost certainly be the 3 address.
Following the money - Clustering
• Another way to discover change is to look for multi-sig wallet addresses
• Take a look at https://bit.ly/3iFRgz5
Following the money - Clustering
• Inputs are both 2 of 4 multi-sig
• Outputs are 2 of 4 multi-sig and 2 of 3 multi-sig
• 2 of 4 must be the change, as 2 of 3 has to be a different wallet!
Following the money - Clustering
• Consider the reverse
• Take a look at 6afbb4fdabd0e0d726c15c106dd26a288f23baffe1d8c83373c16ba0bd94a604
• https://bit.ly/3zuXUxW
Following the money - Clustering
• A final way is to look at each output address to see if it has transacted with an address already used by our suspect.
Following the money – Human or computer?
• Humans tend to think in round figures
• When moving money they tend to think in whole coins or simple fractions of a coin.
• 5 bitcoin
• 1.5 bitcoin etc
• A transfer of 0.000002347 bitcoin could be a machine
• https://bit.ly/2Pv10On
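The round-figure heuristic above, as an added Python example (not part of the original slides). The amounts are constructed, and the cut-off used for "round" (at most two decimal places of a coin) is this example's choice, not a rule stated on the slides; amounts are converted to satoshis first so the check is done on integers rather than floats.

```python
"""Human-or-machine heuristic: do the amounts look like figures a person would type?"""

SATS_PER_BTC = 100_000_000


def to_sats(value_btc):
    """Convert a BTC amount to integer satoshis so round-ness is checked on integers."""
    return int(round(value_btc * SATS_PER_BTC))


def is_round_amount(value_btc, max_decimals=2):
    """True when the amount uses at most `max_decimals` decimal places of a coin
    (5, 1.5, 0.25 ...). The threshold is this example's assumption."""
    sats = to_sats(value_btc)
    unit = 10 ** (8 - max_decimals)  # 1_000_000 sats == 0.01 BTC for max_decimals=2
    return sats > 0 and sats % unit == 0


def human_or_machine(amounts, threshold=0.5):
    """Label a batch of transfer amounts: 'human' when at least `threshold` of them
    are round figures, 'machine' otherwise, 'unknown' for an empty batch."""
    if not amounts:
        return "unknown"
    share = sum(is_round_amount(v) for v in amounts) / len(amounts)
    return "human" if share >= threshold else "machine"


if __name__ == "__main__":
    # Constructed sample amounts, not taken from any real transaction.
    for batch in ([5, 1.5, 0.25], [0.000002347, 0.01234567, 0.33333333]):
        print(batch, "->", human_or_machine(batch))
```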
Following the money
• Automated clustering script
• Daniel Buetikofer – Swiss Police
• Software such as TRMLabs, Chainalysis, Elliptic and Ciphertrace does this automatically
• Simple python script
• Attempts to cluster based on input addresses
• Attempts to work out the change address
• Works – mostly
Following the money
• Automated clustering script
• Browse to Cluster folder on key
• Open command shell
• Type:
• py -3 cluster.py
• Enter the address
1FkRsNmsacihn4iH5eFLEzogX55hEGkate
• Or 1Hjah3yGjDbDgnrpShLhufPZD3T1tyi5PL
Following the money
• https://bit.ly/2JqwG1U
• ID the change address
• https://bit.ly/2yl6JvR
• ID the change address
• https://bit.ly/3grxqGe
• ID the change address
• https://bit.ly/2qmnm6E
• Why are there the same input addresses?
Following the money
• Once you start clicking, get lost immediately!
• https://bit.ly/2DgaUhp
Following the money
• Browse to www.walletexplorer.com
• Aleš Janda now works for Chainalysis
• … to try and cluster addresses into wallets
• Uses same techniques of….
• Input addresses
• Possibly new change addresses
• Take a look at:
• https://www.walletexplorer.com/wallet/CoinMotion.com/addresses
Following the money
• OK, let's build a picture
• Take 3EGy678G659RnevCA1pmfzVrrC5DEaiqAt
• How many transactions? When?
• Where does the money go?
• Where did it come from?
• Pick an address and find the change addresses
• Who owns the address?
Following the money
• Another excellent site for following transactions is:
• www.btc.com
Following the money
• Bitcoinwhoswho.com
Following the money
• Bitcoinwhoswho.com
• I like the scam alert function
• Take a look at –
• 1JHwenDp9A98XdjfYkHKyiE3R99Q72K9X4
Following the money
• Good site for all the primary cryptocurrencies
• Bitinfocharts.com
• Bitcoin
• Bitcoin Cash
• Ethereum
• Ripple
• Litecoin
Following the money
• Best site for me for following the Bitcoin Cash fork
Following the money
• Chainz.cryptoid.info
• Doesn't cover the big ones but every cryptocurrency you’ve never heard of!
Following the money
• Blockexperts.com
• More rarely used coins
Following the money
• Ethonym.com
• Good resource for clustering services addresses
• Search for 122SrTvM3U2dLenk9HMpCYFReqCLLmsonq
• https://bit.ly/3d2GpM4
• Click on the wallet number
Following the money
• If you find an odd looking address just Googling it is normally successful.
• For example, if I found…
• AN7x4fANwLWXBDobqdjgNnqwKmVvHEac4p
• Google would respond with a link to the blockchain
• Obviously the same general rules apply for the other cryptocurrencies
• Browse to etherscan.io
• With Ethereum you are only sending to one address at a time
• It is possible to define a contract that will kick off multiple transactions however
Following the money
• Can still follow the flow of transactions
• Remember the difference between a ‘coin’ transaction and a contract transaction
Following the money
• Browse to http://bit.ly/2x6V845
• Tend to see same addresses used much more
Following the money
• There are no ‘change’ addresses in Ethereum
• Every account simply has a balance; there are no UTXOs
• Value is simply deducted from one account's balance
• And added to another account's balance
• Take a look at the following address:
• Is this address involved in nefarious activity? If so what?
• How much did they get and over what period of time?
• What was the average value of the transactions received?
• Cluster the other addresses associated with 1GVD8Y
Following the money - practical
Following the money - automatically
• Monitoring an address can be very useful
• Perhaps a ransomware address has been gathering funds and you are waiting for the money to be moved
• There are a number of sites that can help with this
Following the money - automatically
• https://www.blockonomics.co
• Browse to Wallet Watcher
• Log in with a Google ID
Following the money - automatically
• Will provide an on-screen notification of a transaction
• Will also email your Google address
• Waits for 2 blocks (confirmations) before the email is sent
Following the money - automatically
• Can also see the history
Following the money - automatically
• And export the data in a date range
Following the money - automatically
• Build your own!
• Open ‘notifytest.html’ from your download files
Following the money - automatically
• Open ‘notifytest.html’ using notepad++
• Just need to change the address to the address you wish to monitor
• Copy and paste the line to add a new address
• You can add <br/> to the end of a line for a line break
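A "build your own" watcher in Python, added here as an example; it is not the notifytest.html from the download files and does not show how that page works. It polls the transaction count of each watched address and reports when it grows, which is the same job the slides describe. It assumes the public blockchain.info rawaddr JSON endpoint and its n_tx field (check the service's current terms and rate limits before relying on it); the watched addresses are placeholders to replace. The comparison logic is separated from the network fetch so it can be run offline with a stand-in fetch function.

```python
"""Poll watched addresses and report new transactions (added example, not notifytest.html)."""
import json
import time
import urllib.request

# Placeholder addresses: replace with the address(es) you wish to monitor.
WATCH = ["1PlaceholderAddressToWatchAAAAAAAAA", "1PlaceholderAddressToWatchBBBBBBBBB"]

# Assumed endpoint: blockchain.info's rawaddr JSON, whose 'n_tx' is the address's
# transaction count. Verify the field name and rate limits before depending on it.
API = "https://blockchain.info/rawaddr/{addr}"


def fetch_tx_count(addr):
    """Fetch the current transaction count for one address from the assumed API."""
    with urllib.request.urlopen(API.format(addr=addr), timeout=20) as resp:
        return json.load(resp)["n_tx"]


def detect_changes(previous, current):
    """Compare two {address: tx_count} snapshots; return {address: number of new txs}
    for every address whose count increased."""
    return {a: current[a] - previous[a]
            for a in current if a in previous and current[a] > previous[a]}


def watch(addresses, fetch=fetch_tx_count, interval=300, rounds=None, sleep=time.sleep):
    """Poll every `interval` seconds (forever, or for `rounds` polls); print and return
    the notifications raised. `fetch` and `sleep` are injectable so the loop can be
    exercised offline."""
    notifications = []
    state = {a: fetch(a) for a in addresses}
    polled = 0
    while rounds is None or polled < rounds:
        sleep(interval)
        current = {a: fetch(a) for a in addresses}
        for addr, n_new in detect_changes(state, current).items():
            # First five characters of the address, as in the note-taking tip earlier
            msg = f"{addr[:5]}... has {n_new} new transaction(s) (now {current[addr]})"
            print(time.strftime("%Y-%m-%d %H:%M:%S"), msg)
            notifications.append(msg)
        state = current
        polled += 1
    return notifications


if __name__ == "__main__":
    watch(WATCH)  # live polling against the assumed API; Ctrl-C to stop
```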
Following the money - automatically
• Can do the same with Ethereum
• www.etherscan.io
• Click on an address to view