Since most well-known cryptocurrencies keep their ledgers of transactions open for anyone to read, they fit the definition of open source. Public ledgers can be extremely valuable to cryptocurrency forensic investigators.
Nevertheless, the pseudo-anonymous addressing used by cryptocurrencies like Bitcoin (BTC) and Ethereum (ETH) can make the data a significant challenge for an investigator to interpret.
What Cryptocurrency Addresses Look Like
Cryptocurrencies are fairly intricate assets. A cryptocurrency address is a string of letters and numbers, frequently encoded in Base58. Addresses are typically 34, 42, or 96 characters long, although other lengths exist.
A Bitcoin address looks something like this:
Whereas an Ethereum address looks like the following:
A raw Monero address is a string of 95 characters beginning with a 4.
A Monero (XMR) address looks like the following:
An XMR address is, in fact, the concatenation of the public spend key and the public view key.
In general, an address is essentially a public key that a cryptocurrency user can give to anyone who wants to send them coins. To spend any coins held at an address, however, the associated private key is required.
During the reconnaissance stage, the crypto forensic investigator looks for publicly available crypto addresses and will usually find many of them. Such addresses are by nature public; private keys are rarely published online by their owners.
Occasionally a private key does end up online as a result of the owner's poor operational security (OPSEC) or a leak. In such cases, any coins controlled by that key generally disappear.
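The address formats described above can be checked mechanically, which is useful during the reconnaissance stage when candidate addresses are harvested from forum signatures or pastes. The following is an added example written for this page, not code from the original article or from any explorer: it implements Base58Check decoding (double-SHA256 checksum) to validate the 1... and 3... Bitcoin address families, applies format-only checks for Ethereum (0x plus 40 hex digits, no EIP-55 checksum) and Monero (95 characters starting with 4), and pulls candidates out of free text. The sample text and the 0x address are constructed; the only real address used is the all-zero-hash burn address.

```python
import hashlib
import re

# Base58 alphabet used by Bitcoin (and by Monero): no 0, O, I or l
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58decode(s: str) -> bytes:
    """Decode Base58 text to bytes; each leading '1' stands for one 0x00 byte."""
    n = 0
    for ch in s:
        n = n * 58 + B58_ALPHABET.index(ch)  # ValueError on a character outside the alphabet
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    leading_ones = len(s) - len(s.lstrip("1"))
    return b"\x00" * leading_ones + body


def b58encode(raw: bytes) -> str:
    """Inverse of b58decode: leading 0x00 bytes become leading '1' characters."""
    n = int.from_bytes(raw, "big")
    out = ""
    while n:
        n, rem = divmod(n, 58)
        out = B58_ALPHABET[rem] + out
    leading_zeros = len(raw) - len(raw.lstrip(b"\x00"))
    return "1" * leading_zeros + out


def _checksum(data: bytes) -> bytes:
    """Base58Check checksum: first four bytes of SHA256(SHA256(data))."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()[:4]


def b58check_encode(version: int, payload: bytes) -> str:
    data = bytes([version]) + payload
    return b58encode(data + _checksum(data))


def b58check_decode(addr: str) -> tuple[int, bytes]:
    """Return (version byte, payload); raise ValueError if the checksum does not match."""
    raw = b58decode(addr)
    if len(raw) < 5:
        raise ValueError("too short for Base58Check")
    data, check = raw[:-4], raw[-4:]
    if _checksum(data) != check:
        raise ValueError("checksum mismatch")
    return data[0], data[1:]


def classify(addr: str) -> dict:
    """Label an address by coin and kind; 'valid' reflects the strongest check available."""
    if re.fullmatch(r"0x[0-9a-fA-F]{40}", addr):
        # Format check only: EIP-55 mixed-case checksum needs Keccak-256, not done here.
        return {"coin": "ETH", "kind": "account", "valid": True}
    if len(addr) == 95 and addr[0] == "4" and all(c in B58_ALPHABET for c in addr):
        # Format check only: Monero uses block-wise Base58, which is not decoded here.
        return {"coin": "XMR", "kind": "standard", "valid": True}
    try:
        version, payload = b58check_decode(addr)
    except ValueError:
        return {"coin": None, "kind": None, "valid": False}
    if version == 0x00 and len(payload) == 20:
        return {"coin": "BTC", "kind": "P2PKH (1...)", "valid": True}
    if version == 0x05 and len(payload) == 20:
        return {"coin": "BTC", "kind": "P2SH (3...)", "valid": True}
    return {"coin": None, "kind": f"unknown version 0x{version:02x}", "valid": False}


# Loose pattern for candidate addresses in free text (forum signatures, pastes); classify() then filters.
CANDIDATE_RE = re.compile(
    r"(?<![0-9A-Za-z])(?:[13][1-9A-HJ-NP-Za-km-z]{25,34}|0x[0-9a-fA-F]{40}|4[1-9A-HJ-NP-Za-km-z]{94})(?![0-9A-Za-z])"
)


def find_addresses(text: str) -> list[tuple[str, dict]]:
    """Return every candidate address in `text` together with its classification."""
    return [(m, classify(m)) for m in CANDIDATE_RE.findall(text)]


if __name__ == "__main__":
    # Constructed forum signature; the 0x address is invented, the 1... address is the well-known burn address
    signature = "Tips welcome: 1111111111111111111114oLvT2 or 0x" + "ab" * 20 + " -- thanks"
    for addr, info in find_addresses(signature):
        print(addr, info)
```

Candidates that fail the Base58Check checksum are reported as invalid rather than dropped silently, which is the behaviour an analyst wants when a pasted address may have been transcribed with an error.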
Bear in mind that crypto addresses are pseudo-anonymous: they are not directly tied to an account or identity, although sophisticated forensic methods can be used to infer ownership. Such methods are labour-intensive and intricate, typically requiring extensive resources and trained investigators.
When a crypto user wants to send cryptocurrency to another user, they create a transaction that is broadcast to every ledger (full node) of that cryptocurrency.
Miners then bundle transactions into a block and use very powerful computers to solve a hard numerical puzzle that locks the block, so that its data cannot easily be altered.
If somebody tried to modify the contents of a transaction, they would have to propagate that alteration to every ledger in the world and recompute the puzzle.
The more blocks that have been computed on top of the block containing the altered transaction, the more challenging, and possibly infeasible, this becomes.
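The locking effect described above can be shown with a toy proof-of-work chain. This is an added example written for this page, not code from the original article and not a real Bitcoin implementation: it uses SHA-256 over a JSON encoding, a difficulty of three leading zero hex digits so that it mines in well under a second, and constructed sample transactions. The point it demonstrates is that altering a historic transaction breaks the chain, and that re-mining only the altered block is not enough because every later block still commits to the old hash.

```python
import hashlib
import json


def block_hash(prev_hash: str, txs: list, nonce: int) -> str:
    """Hash of a block's contents; sort_keys makes the JSON encoding deterministic."""
    payload = json.dumps({"prev": prev_hash, "txs": txs, "nonce": nonce}, sort_keys=True)
    return hashlib.sha256(payload.encode()).hexdigest()


def mine(prev_hash: str, txs: list, difficulty: int) -> dict:
    """Search for a nonce whose block hash starts with `difficulty` zero hex digits."""
    nonce = 0
    while True:
        h = block_hash(prev_hash, txs, nonce)
        if h.startswith("0" * difficulty):
            return {"prev": prev_hash, "txs": txs, "nonce": nonce, "hash": h}
        nonce += 1


def valid_chain(chain: list, difficulty: int) -> bool:
    """Each block must hash to its recorded hash, meet the difficulty, and link to its predecessor."""
    for i, blk in enumerate(chain):
        if block_hash(blk["prev"], blk["txs"], blk["nonce"]) != blk["hash"]:
            return False
        if not blk["hash"].startswith("0" * difficulty):
            return False
        if i > 0 and blk["prev"] != chain[i - 1]["hash"]:
            return False
    return True


def build_chain(difficulty: int = 3) -> list:
    """Three blocks of constructed sample transactions (not real chain data)."""
    txs0 = [{"from": "alice", "to": "bob", "amount": 1.0}]
    txs1 = [{"from": "bob", "to": "carol", "amount": 0.4}]
    txs2 = [{"from": "carol", "to": "dave", "amount": 0.1}]
    b0 = mine("0" * 64, txs0, difficulty)
    b1 = mine(b0["hash"], txs1, difficulty)
    b2 = mine(b1["hash"], txs2, difficulty)
    return [b0, b1, b2]


def tamper_and_check(difficulty: int = 3) -> tuple:
    """Alter a transaction in block 1 and report validity after each repair step."""
    chain = build_chain(difficulty)
    chain[1]["txs"][0]["amount"] = 4.0          # the altered historic transaction
    broken = valid_chain(chain, difficulty)      # block 1's recorded hash no longer matches
    chain[1] = mine(chain[0]["hash"], chain[1]["txs"], difficulty)
    still_broken = valid_chain(chain, difficulty)  # block 2 still points at the old block-1 hash
    chain[2] = mine(chain[1]["hash"], chain[2]["txs"], difficulty)
    repaired = valid_chain(chain, difficulty)    # every later block had to be re-mined as well
    return broken, still_broken, repaired


if __name__ == "__main__":
    print(tamper_and_check())  # (False, False, True)
```

With a real network the attacker would also have to out-run every honest miner who keeps extending the original chain, which is why the cost grows with every block added after the altered one.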
Using Blockchain Explorers To Investigate Crypto Addresses
Blockchain explorers are valuable tools because they provide information for various cryptocurrencies such as Bitcoin, Ethereum, Litecoin (LTC), and Dash (DASH).
Such explorers return a list of every transaction in which the address was an input, or an output that received funds from another address.
For example, Blockchain.com lets anyone search for a Bitcoin, Bitcoin Cash (BCH), or Ethereum address.
Petya/NotPetya ransomware attackers kept the cryptocurrency in an address for several days after victims paid before transferring it.
Ransomware infects a victim's computer with malware that encrypts all data on the system, and a ransom is demanded for the decryption key.
If an investigator finds an address owned by a suspect, for instance in their forum post signature, it is straightforward to find out how much value has passed through the address or is still held at it.
Searching for the particular address used by the ransomware attackers shows when the scam likely began, how many victims paid into the attackers' address, how much money the attackers made, and whether the cryptocurrency was transferred or is still held:
Examining the graph and balance data, we can see that the peak was in June 2017.
The metadata is shown in the top panel, followed by the individual transactions.
It is easy to determine when the victims began paying the ransom, how much the attackers received, and when the cryptocurrency was transferred.
Based on the graph and data, payments began on June 27, 2017, and the bulk of the payments were completed by June 28, 2017.
The cryptocurrency remained in the address until July 4, 2017, when it was finally moved.
Such information helps analysts not only understand the lifetime of a scam, but also see that the victims' payments occurred over a 24-hour period and were held in the address for a couple of days before being transferred.
This is an excellent example of how the metadata of a single address can help analysts build a picture of a crypto address used in a cybercrime.
The number of payments helps forensic investigators estimate the number of victims affected.
OXT.me lets anyone search for a block, transaction, or address. The information provided includes incoming and outgoing transactions, when an address was first used, when it was last seen, and the individual values showing when cryptocurrency was received and sent.
The clear breakdown of incoming and outgoing transactions helps investigators gauge the number of potential victims affected (103 incoming payments) and the number of addresses used to ultimately move the cryptocurrency away from the scam address.
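The figures an explorer shows for an address (first seen, last seen, number of incoming payments, peak balance, how long funds sat before moving out) can all be derived from the address's raw transaction list. The following is an added example written for this page, not code from Blockchain.com, OXT.me or the original article: it takes a constructed list of (timestamp, direction, amount) entries for one address, in the shape of the ransomware timeline discussed above, and computes the same summary fields an analyst reads off the explorer panel.

```python
from datetime import datetime

# Constructed sample ledger for one address (invented values, not real chain data):
# (ISO timestamp, "in" for funds received, "out" for funds sent, amount in BTC)
SAMPLE_TXS = [
    ("2017-06-27T10:12:00", "in", 0.1),
    ("2017-06-27T11:40:00", "in", 0.1),
    ("2017-06-27T23:05:00", "in", 0.1),
    ("2017-06-28T03:30:00", "in", 0.1),
    ("2017-07-04T08:00:00", "out", 0.4),
]


def summarize(address_txs) -> dict:
    """Explorer-style summary for a single address built from its transaction list."""
    txs = sorted(((datetime.fromisoformat(t), d, v) for t, d, v in address_txs), key=lambda x: x[0])
    incoming = [t for t in txs if t[1] == "in"]
    outgoing = [t for t in txs if t[1] == "out"]
    if not incoming:
        raise ValueError("address never received funds")

    # Walk the ledger in time order to find the running balance and its peak
    balance, peak, peak_at = 0.0, 0.0, None
    for ts, direction, value in txs:
        balance += value if direction == "in" else -value
        if balance > peak:
            peak, peak_at = balance, ts

    first_in, last_in = incoming[0][0], incoming[-1][0]
    first_out = outgoing[0][0] if outgoing else None
    return {
        "first_seen": txs[0][0].date().isoformat(),
        "last_seen": txs[-1][0].date().isoformat(),
        "incoming_payments": len(incoming),  # rough upper bound on the number of paying victims
        "total_received": round(sum(t[2] for t in incoming), 8),
        "payment_window_hours": round((last_in - first_in).total_seconds() / 3600, 1),
        "peak_balance": round(peak, 8),
        "peak_at": peak_at.date().isoformat(),
        # days between the last victim payment and the first outflow
        "held_days_before_first_outflow": (first_out - last_in).days if first_out else None,
        "current_balance": round(balance, 8),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_TXS).items():
        print(f"{key:32} {value}")
```

The incoming count is only an upper bound on victims: one victim may pay in several transactions, and a single transaction can carry several outputs, so it should be read alongside the per-payment amounts.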
One important thing to note is that victims of cybercrime are generally cryptocurrency beginners and tend to buy cryptocurrency directly from an exchange and send it to the attackers.
If the exchange can be identified, it is simple to request Know Your Customer (KYC) information from the exchange and get in touch with the victims.
How To Follow The Money
To clarify, a cryptocurrency investigation usually means following some form of illegal payment from a source to a destination.
Because of the pseudo-anonymous structure of cryptocurrencies like Bitcoin, with its 34-character Base58 addresses, this is difficult to do.
"Address blindness" can set in quickly as one clicks from transaction to transaction.
Moving from one transaction to the next differs slightly in each blockchain explorer. With Blockchain.com, we use the highlighted "Spent" link on the output side of the transaction to move to the next transaction, and the "Output" link on the input side to move back to the previous transaction.
For instance, suppose you believe a particular Bitcoin address may be associated with a scam and you wish to investigate it.
The BTC address of interest is:
As we can see, the address holds 11.964 BTC. Anyone looking at the transaction history will probably wonder where the money moves next.
We can see that 11.66 BTC is transferred to address 3GporzKZgwJdpPkGNywWTGzc29UNUbXJYh and a tiny amount to 153B16UteFGfB7pcByoWhZ6PePaex3zsCf.
Next, we would work out whether one of the addresses is the payment address. In transactions that are one-to-many or many-to-many, one output will usually serve as the change address.
The reason is that every Bitcoin is made up of 100 million satoshis, so the odds that the payments to the various addresses add up to exactly the input amount are small.
Another BTC address that could be of interest is:
In this instance, we can see that the payment comes from a '3' wallet. Bitcoin addresses beginning with 3 are used for multi-signature or more sophisticated transactions than a simple direct address-to-address payment.
The outputs go to a 3 address and to a 1 address. There is a higher probability that the change address is also a 3 address, so we can deduce that the 3 address is the change and the 1 address is the payment.
Furthermore, each of the three inputs on its own could have covered the payment to 3HfFwqxknjRse4JQA49p8bXZfDojDiEvze, whereas all three are required for the amount sent to 3B5kCWKwSLZPRFwdWp8jB3Zs729NbhWE2a. This indicates that the change address is 3HfFwqxknjRse4JQA49p8bXZfDojDiEvze, so we have to follow the other address.
Once we have identified the address or addresses that are potentially payments, we can follow them to the next transaction by clicking the Spent button. In this instance, both are Unspent, which means we have reached a dead end.
Clicking through to the next or previous transaction merely produces another list of inputs and outputs, and the analyst can quickly become confused. We suggest pausing after every click and examining the addresses before going further.
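The two pieces of reasoning used in the walk-through above, that change tends to go back to an address of the same type as the inputs and that a wallet would not gather three inputs to pay an output any single one of them could cover, can be written down as scoring rules. The following is an added example for this page, not code from the original article or from any tracing product: the input addresses and all amounts are constructed placeholders, and the two output addresses of the first transaction are the ones named in the walk-through, used only as labels. The second constructed transaction shows the simpler 3-versus-1 case on its own.

```python
# Constructed transaction modelled on the walk-through: three '3' inputs, each large enough to
# cover the small output alone, while the large output needs all three. Amounts are invented.
TX_WALKTHROUGH = {
    "inputs": [
        {"address": "3INPUTONE_constructed", "value": 0.40},
        {"address": "3INPUTTWO_constructed", "value": 0.35},
        {"address": "3INPUTTHREE_constructed", "value": 0.30},
    ],
    "outputs": [
        {"address": "3HfFwqxknjRse4JQA49p8bXZfDojDiEvze", "value": 0.0999},
        {"address": "3B5kCWKwSLZPRFwdWp8jB3Zs729NbhWE2a", "value": 0.95},
    ],
}

# Constructed single-input transaction: only the address-type rule can separate the outputs.
TX_TYPE_ONLY = {
    "inputs": [{"address": "3SPENDER_constructed", "value": 0.50}],
    "outputs": [
        {"address": "3CHANGE_constructed", "value": 0.2},
        {"address": "1PAYEE_constructed", "value": 0.2999},
    ],
}


def min_inputs_to_cover(amount: float, input_values: list):
    """Fewest inputs (largest first) whose sum covers `amount`; None if they cannot."""
    total = 0.0
    for n, v in enumerate(sorted(input_values, reverse=True), start=1):
        total += v
        if total + 1e-9 >= amount:
            return n
    return None


def score_change(tx: dict) -> list:
    """Score every output as a change candidate; higher means more change-like."""
    in_values = [i["value"] for i in tx["inputs"]]
    in_prefixes = {i["address"][0] for i in tx["inputs"]}
    scored = []
    for out in tx["outputs"]:
        score, reasons = 0, []
        # Rule 1: change usually returns to the same address type as the inputs (1... or 3...)
        if out["address"][0] in in_prefixes:
            score += 1
            reasons.append("same address type as the inputs")
        # Rule 2: if fewer inputs than were actually used could pay this output, the extra
        # inputs were gathered for some other output, so this one is likely the change
        needed = min_inputs_to_cover(out["value"], in_values)
        if needed is not None and needed < len(in_values):
            score += 1
            reasons.append(f"payable with {needed} of {len(in_values)} inputs")
        scored.append({"address": out["address"], "value": out["value"],
                       "change_score": score, "reasons": reasons})
    return sorted(scored, key=lambda r: -r["change_score"])


def likely_payment_addresses(tx: dict) -> list:
    """Outputs to follow next: everything scored below the top change candidate.
    If no output stands out, every output is returned so the analyst decides."""
    scored = score_change(tx)
    top = scored[0]["change_score"]
    if top == 0 or all(r["change_score"] == top for r in scored):
        return [r["address"] for r in scored]
    return [r["address"] for r in scored if r["change_score"] < top]


if __name__ == "__main__":
    for tx in (TX_WALKTHROUGH, TX_TYPE_ONLY):
        for r in score_change(tx):
            print(r["address"], r["value"], r["change_score"], r["reasons"])
        print("follow:", likely_payment_addresses(tx))
```

Both rules are heuristics, not proofs: wallets that deliberately split payments, pay to the same address type, or pick inputs unusually will defeat them, which is why the text recommends pausing at every hop rather than trusting a single inference.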
If a suspect of interest is using cryptocurrency mixers or tumblers to move and split the funds, sophisticated commercial tracing tools should be used.
Some individuals are highly sophisticated and use advanced techniques to obscure the final destination by splitting and recombining funds, moving them through exchanges, or converting them into other cryptocurrencies. Sophisticated commercial tracing tools can help in such cases.
Hopping from one transaction to another is only worthwhile if the investigator can identify a reliable source of information, such as log data (IP addresses) or KYC details.
Identifying such sources of information is vital in most investigations.
Bear in mind that it is not practical to trace through a crypto exchange. If an individual deposits a coin into an exchange and later withdraws, the coin they get back will not be the same one they deposited.
It is like depositing $10 into a bank and withdrawing it from an automated teller machine, which returns a different note of the same value.
If someone has made a deposit into an exchange, the investigator's only way to continue tracing is to get the exchange to cooperate and provide the KYC information.
Various websites can be of value to analysts because they can identify addresses owned by exchanges and traders.
Clustering methods and algorithms are essential for finding additional addresses belonging to the same individual. Cryptocurrency forensic professionals use sophisticated commercial tracing tools to assist their investigations.
Such tools are not cheap, but they can identify clusters of addresses belonging to traders, exchanges, and dark web sites.
Most of these tools offer visualization features that make tracing a transaction to an exchange significantly simpler.