Carder
Professional
- Messages
- 2,619
- Reaction score
- 1,866
- Points
- 113
Today I am ready to please you with my structured reflection on bitcoin, because it is now on top, and the rate is approaching $ 50,000. And this is not at all about the investment or the potential of this crypt. In general, let's go.
It is a decentralized, peer-to-peer network that anyone can join by simply registering a btc wallet anywhere. Transactions are completely transparent and can be viewed in various browsers. The same applies to wallets, the movement of funds through which is easy to track. For instance:
View wallet through Blockchair
We immediately observe the current balance, transaction history and the total amount wrapped through this wallet. Everyone has known this for a long time, but after all, knowing the transaction history of one wallet, it is quite easy to establish its relationship with another wallet and calculate, for example, the further movement of funds, despite the whole principle of network decentralization, the presence of pools and the use of N-addresses for carrying out one transaction.
Let's try to analyze the address through the @EyeGodsBot bot and see what result it will give.
Information about bitcoin address in the "Eye of God"
In principle, the same as a regular browser, but in a more convenient form and with the ability to quickly download the history of all transactions, which can be analyzed even using Excel.
By the way, ChainAnalysis works all over the world and nothing prevents our law enforcement agencies from contacting them if necessary. I will leave the question of whether they will do this and spend budget funds on investigating cybercrime. Just think about how many years our three-headed marketplace has been successfully operating and in which crypt it accepts payment.
Below you can see an example of what the result of analyzing the connection of a bitcoin wallet with shadow services in the Tor network looks like. The full study can be read here.
An example of the result of analyzing the relationship of a bitcoin wallet with hidden services in Tor
But there is an anonymous crypt, why use bitcoin? I am sure that it is not worth talking about pseudo-anonymous analogs like ZCash and Dash as a worthy alternative. For example, there is a study that shows that 85% of Zcash transactions are transparent, traceable and public. Of the remaining 15% of private transactions, only 7% are in reality private. And about Dash, there is actually nothing to say after the statement of Fernando Gutierrez, director of marketing for the Dash Core Group, that “Dash is a cryptocurrency for payments, not for anonymity”. Draw your own conclusions. Perhaps, only Monero remains a noteworthy anonymous crypt today. The only more or less fakap of this crypt that I remember is the possibility of stealing XMR due to the vulnerability of wallets, which was quickly patched.
At the time of publication of the study, about 30% of transactions on the European darknet were paid for with litecoin, according to the authors of the publication. I did not find any reason not to believe them: Litecoin is fast, the network load is minimal (at that time near zero), there is much less attention to it and its rate is more stable. Why not give it a try?
The structure of transactions of European marketplaces in 2018
In conclusion of this section, I would like to spit in the face of the skeptics who snorted and laughed at the applicability of LTC in the shadow segment of the Internet. This year, MingleJingle, a new version of MimbleWimble, will be launched on the Litecoin testnet. And that means the following:
Oops .. And where to get the news?
Classification of methods for deanonymizing Bitcoin users
The methods are divided into two groups: passive and active. Let's start with the active ones.
And yes, these are just search engines, there are other tools, much more serious and effective, but I propose not to concentrate on them and move on to the methods of deanonymization.
1. Direct mapping
The simplest, like the Infusoria-shoe, is a method of deanonymization. Searching for mentioning the address in open sources (for example, on bitcoin forums) and further correlating the address with the user's digital identity. For example, the user's nickname will be the same on three different bitcoin forums, but only one will contain the BTC address in the account signature. It works poorly, but there are still chances of success.
2. Heuristic with multiple inputs
The proposed method can be called a multi-entry transaction heuristic. For the bitcoin network in 2021, there are no other transactions: you always see N senders and much less N recipients within one transaction. The authors of the study argue that it is possible to determine which addresses belong to the recipient of bitcoins by applying a special heuristic algorithm, but without a certain set of input data, it will not work.
3. Address change heuristic
We all know that the bitcoin network constantly generates new addresses, somewhere it happens automatically (after each transaction in blockchain.info), somewhere it needs to be done manually (for example, on a three-headed one). In essence, your first real bitcoin address does not disappear anywhere from the network and remains with you, which is why if a person sends money to your address, which is no longer valid, they will still come. Have you noticed this? Knowing this feature of the network, you can get to the user's initial wallet by using the same heuristic algorithm and searching for matches in the transaction history.
It should be noted here that all these heuristic methods work only for a certain set of data. You need a thorough OSINT exploration and preparation of an impressive dataset.
4. Clustering method
The authors of this study proposed a method for clustering the bitcoin network based on the above two heuristic methods. Using the first heuristic, the researchers were able to partition the network into 5,579,176 user clusters. The authors used a transaction graph and an address graph (see below) The researchers expanded the second heuristic, because if an attacker can identify changed bitcoin addresses, then he can potentially split into clusters not only input addresses (according to heuristic 1), but also changes in these addresses.
In general, the authors have proposed a new clustering heuristic based on address changes, which allows clustering of addresses belonging to the same user. Using the proposed method allowed researchers to identify the addresses of crypto-exchanges and some bitcoin casinos using only a small number of identified network transactions.
5. Fingerprinting
In this work, the authors show that any third-party web tracker can de-anonymize cryptocurrency users who use crypto to pay on the website of some online store using your cooke files. This method has 2 attack options:
As it has already become clear, the confidentiality of the owner of a bitcoin wallet is a rather fragile thing. A public bitcoin address is anonymous only when no one knows the owner and cannot even guess what kind of transactions are being carried out through the wallet. That is why many people recommend using disposable bitcoin wallets to conduct black market transactions. One wallet = one transaction.
In this study, the authors used the so-called PageRank method in the form of a classical graph. The main feature of the method is to identify large bitcoin wallets that belong to shadow marketplaces and gambling sites, because these are the main Bitcoin hubs on the darknet.
6.1. Transaction graph
The entire blockchain can be thought of as a directed acyclic graph.
Forum: G = {T, E}, where
T is a set of transactions stored on the blockchain,
E is a set of unidirectional edges between these transactions.
G - the flow of coins at a certain point in time
Each edge entering the transaction has a certain number of coins and a timestamp, which form the input data of the transaction. The wallet address graph and the user graph of these wallets are always built on the basis of the transaction graph.
6.2. Address graph
As we move through the transaction graph, we can easily deduce the relationships between various input and output addresses (public keys) and these relationships can be used to generate the address graph.
Forum: G = {P, E}, where
P - a set of bitcoin addresses,
E - the edges connecting these addresses
6.3. User graph
There is nothing interesting here: we just collect everything we found and group the addresses, possibly belonging to the same user.
It should be noted that the method is described in more detail here. I understand that it is stated rather superficially, so see the original for those who are interested in the technical side of the method. It is very interesting there, but if I translate all this, an article will turn out about the graph method in deanonymizing Bitcoin users. And this is just my reflection.
As practice shows, one of the popular mixers is a darknet platform project and the bitcoins that you get at the output are over-dirty. There is little sense in such a mixer and it is more harmful than useful. Finding a reliable mixer that sends your money for sure, uses a reliable pool and whitens bitcoin by cheating AML (see below) is not an easy task. You will either end up on a scam, or the mixer will be a dummy, or you will be lucky and you will find a reliable service. Each of the mixers must be looked for, of course, through DuckDuckGo, check via @cryptoaml_bot and watch the result. Below is an example of a screenshot of the result of transferring bitcoins through a low-quality mixer, close to the darknet marketplace. By the way, the presence of a .onion mirror on a mixer does not always indicate its reliability and is more a plus than a minus, but the fact is obvious: the service is useless.
You can see for yourself that 94% of the funds in a transaction belong to the Dark Market category, which leaves no doubt that Bitcoin is "dirty". Moreover, @cryptoaml_bot evaluates the risk level of your transaction and it has a "Mixer" category, which makes it clear that it can identify bitcoins from a poor quality mixer that are also high risk.
It would seem, well, evaluates and evaluates, what's the difference? But there is a difference, because the same Chatex recently connected to AML and now evaluates incoming transactions in the same way. In other words, it has now become much more difficult to sell dirty bitcoins for fiat through this service. Although this is an excellent P2P crypto exchange on Telegram, which had no other choice: either to remain a simple exchanger, or to grow into a full-fledged crypto exchange.
AML - Anti-Money Laundering (anti-money laundering). To be absolutely precise, the abbreviation should have been longer, AML CFT CWMDF - anti-money laundering and counter-terrorist financing and counter-weapons of mass destruction financing. destruction).
This is exactly how the mission of a non-governmental international organization, the Financial Action Task Force on Money Laundering, sounds.
KYC is rather a part of AML. The vast majority of crypto exchanges, from Binance to Kucoin, have long since introduced AML, identifying users and monitoring their transactions. And this is normal from the point of view of white business, but for lovers of dark movements, this is a stick in the wheels. Often, Binance simply does not accept a transaction from the "Dark Market" or "Mixer" category, and then it remains to look for a buyer in Telegram chats and hope that he will buy your bitcoin. Of course, there are dozens, if not hundreds of exchangers at BestChange where you can drain your bitcoin, but I can’t say anything about their level of reliability.
Bitcoin blockchain: excessive transparency for the black market
I would like to initially make a reservation for those who did not delve deeply into the topic: blockchain is, first of all, a technology for building a network. This is some kind of immutable distributed ledger of the Internet that cannot be tampered with. Each cryptocurrency has its own blockchain, i.e. a network of participants who interact in a certain way and have certain rights, which depend on the degree (-de) centralization, the consensus algorithm and other features of the network. By the way, there are already a lot of blockchain projects in the field of finance, logistics, real estate and insurance, but today we are not talking about that. It is important to understand that there are open, closed and hybrid types of blockchains and the bitcoin network belongs to the former.It is a decentralized, peer-to-peer network that anyone can join by simply registering a btc wallet anywhere. Transactions are completely transparent and can be viewed in various browsers. The same applies to wallets, the movement of funds through which is easy to track. For instance:
- https://www.blockchain.com/explorer (classic btc transaction explorer)
- https://blockchair.com/ (searches 17 blockchains)
View wallet through Blockchair
We immediately observe the current balance, transaction history and the total amount wrapped through this wallet. Everyone has known this for a long time, but after all, knowing the transaction history of one wallet, it is quite easy to establish its relationship with another wallet and calculate, for example, the further movement of funds, despite the whole principle of network decentralization, the presence of pools and the use of N-addresses for carrying out one transaction.
Let's try to analyze the address through the @EyeGodsBot bot and see what result it will give.
Information about bitcoin address in the "Eye of God"
In principle, the same as a regular browser, but in a more convenient form and with the ability to quickly download the history of all transactions, which can be analyzed even using Excel.
Example
Having understood the essence of the example, you can understand the following for yourself: the anonymity of bitcoin is so shaky that it is not even worth talking about it out loud. And you do not need to understand this article as a call to abandon bitcoin, because as an investment tool it is simply wonderful and does not even have a close analogue, except for the DeFi token YFI, when we talk about the price and its average annual growth rate. But let's return to the fact that the analysis of bitcoin transactions is not so difficult and even using a mixer does not guarantee complete protection, because it may turn out to be of poor quality.
By the way, ChainAnalysis works all over the world and nothing prevents our law enforcement agencies from contacting them if necessary. I will leave the question of whether they will do this and spend budget funds on investigating cybercrime. Just think about how many years our three-headed marketplace has been successfully operating and in which crypt it accepts payment.
"Anonymity" of bitcoin and cryptocurrency in general
Of course, trying to surprise someone in 2021 with the fact that Bitcoin is not anonymous is just ridiculous. The essence of the study was to use Big Data analysis technology to find the owners of Bitcoin wallets associated with Silk Road. Also, the study identified thousands of wallets that serve Wikileaks, Pirate Bay and various "shards" of Silk Road.Below you can see an example of what the result of analyzing the connection of a bitcoin wallet with shadow services in the Tor network looks like. The full study can be read here.
An example of the result of analyzing the relationship of a bitcoin wallet with hidden services in Tor
But there is an anonymous crypt, why use bitcoin? I am sure that it is not worth talking about pseudo-anonymous analogs like ZCash and Dash as a worthy alternative. For example, there is a study that shows that 85% of Zcash transactions are transparent, traceable and public. Of the remaining 15% of private transactions, only 7% are in reality private. And about Dash, there is actually nothing to say after the statement of Fernando Gutierrez, director of marketing for the Dash Core Group, that “Dash is a cryptocurrency for payments, not for anonymity”. Draw your own conclusions. Perhaps, only Monero remains a noteworthy anonymous crypt today. The only more or less fakap of this crypt that I remember is the possibility of stealing XMR due to the vulnerability of wallets, which was quickly patched.
At the time of publication of the study, about 30% of transactions on the European darknet were paid for with litecoin, according to the authors of the publication. I did not find any reason not to believe them: Litecoin is fast, the network load is minimal (at that time near zero), there is much less attention to it and its rate is more stable. Why not give it a try?
The structure of transactions of European marketplaces in 2018
In conclusion of this section, I would like to spit in the face of the skeptics who snorted and laughed at the applicability of LTC in the shadow segment of the Internet. This year, MingleJingle, a new version of MimbleWimble, will be launched on the Litecoin testnet. And that means the following:
MingleJingle is a reworked original MimbleWimble protocol offering completely non-interactive transactions. This means that the sender only needs to know the recipient's address, which is generated from the two public keys. Other important features include addresses that cannot be associated with wallets, as well as transaction outputs where addresses cannot be determined.
By the way, the originals of the articles on the darknet, which I refer to in the section above, were located on the DeepDotWeb site, which now looks like this. The fight between Europol and the FBI against the darknet turned out to be so large-scale that they even shut down news sites a few years ago, and until now I cannot find worthy analogs that would cover operations against the shadow segment of the Internet such services as Internetpol, FBI, NSA, The CIA and others. In other words, they don't want us to know the scale.
Oops .. And where to get the news?
Methods for Deanonymizing Bitcoin Users
Here I would like to refer to the article " Bitcoin Users Deanonimization Methods". With the permission of the reader, I will not translate what is written in the picture, but I will definitely masterfully translate the text of the article, making the essence of the classification presented below clear. The funny thing is that the article is in English, but written by Russian scientists from the HSE. I took it, of course, from Sci-Hub , although ResearchGate also has this material.
Classification of methods for deanonymizing Bitcoin users
The methods are divided into two groups: passive and active. Let's start with the active ones.
Active methods
- Social engineering. Do I need to explain something here? Social Engineer Standard Toolkit: OSINT + Deception Techniques in Communication with Victim. Fake handling, phishing, stealing, whatever. Not a very effective way in inept hands.
- P2P network analysis. It is known that the bitokin network has two classes of nodes: servers and clients. Their difference is that clients are nodes that do not accept incoming TCP connections, but servers do. Clients and servers have different protocols and anonymity issues. For example, clients do not relay transactions. That is why the main focus of deanonymization methods is on servers. Absolutely all attacks on the P2P network are based on the mechanism of transactions in the system. In theory, a hacker can hijack the IP address that initiated the broadcast of the transaction and start listening to traffic (classic MitM). Various researchers have previously used so-called "routing protocols" (approx. Flooding) in order to establish a connection between the user's IP address and his identifier in the Bitcoin network. In 2015, the Bitcoin community reacted to such attacks and changed the protocol to another, called "diffusion" among cypherpunks. The attacks described above use a supernode (large node) that connects to active bitcoin nodes and listens for all transactional traffic relayed by these nodes. When using this technique, the accuracy of deanonymization is about 30%, however, there is a more advanced version of the attack, the tests of which achieve higher accuracy. If you are interested in the technical side, then read it here.
Passive methods
One of the groups of passive methods is based on OSINT technology. In other words, it is an open source search. There are many different "hacker" search engines for finding specific data. Examples of such services:And yes, these are just search engines, there are other tools, much more serious and effective, but I propose not to concentrate on them and move on to the methods of deanonymization.
1. Direct mapping
The simplest, like the Infusoria-shoe, is a method of deanonymization. Searching for mentioning the address in open sources (for example, on bitcoin forums) and further correlating the address with the user's digital identity. For example, the user's nickname will be the same on three different bitcoin forums, but only one will contain the BTC address in the account signature. It works poorly, but there are still chances of success.
2. Heuristic with multiple inputs
The proposed method can be called a multi-entry transaction heuristic. For the bitcoin network in 2021, there are no other transactions: you always see N senders and much less N recipients within one transaction. The authors of the study argue that it is possible to determine which addresses belong to the recipient of bitcoins by applying a special heuristic algorithm, but without a certain set of input data, it will not work.
3. Address change heuristic
We all know that the bitcoin network constantly generates new addresses, somewhere it happens automatically (after each transaction in blockchain.info), somewhere it needs to be done manually (for example, on a three-headed one). In essence, your first real bitcoin address does not disappear anywhere from the network and remains with you, which is why if a person sends money to your address, which is no longer valid, they will still come. Have you noticed this? Knowing this feature of the network, you can get to the user's initial wallet by using the same heuristic algorithm and searching for matches in the transaction history.
It should be noted here that all these heuristic methods work only for a certain set of data. You need a thorough OSINT exploration and preparation of an impressive dataset.
4. Clustering method
The authors of this study proposed a method for clustering the bitcoin network based on the above two heuristic methods. Using the first heuristic, the researchers were able to partition the network into 5,579,176 user clusters. The authors used a transaction graph and an address graph (see below) The researchers expanded the second heuristic, because if an attacker can identify changed bitcoin addresses, then he can potentially split into clusters not only input addresses (according to heuristic 1), but also changes in these addresses.
In general, the authors have proposed a new clustering heuristic based on address changes, which allows clustering of addresses belonging to the same user. Using the proposed method allowed researchers to identify the addresses of crypto-exchanges and some bitcoin casinos using only a small number of identified network transactions.
5. Fingerprinting
In this work, the authors show that any third-party web tracker can de-anonymize cryptocurrency users who use crypto to pay on the website of some online store using your cooke files. This method has 2 attack options:
- Unified network of transactions. The aim of the attack is to link the user of an online store or other web service with a specific transaction on the blockchain. If the tracker has a function for obtaining a bitcoin address, then it's in the bag. Another option is when the tracker remembers the transaction amount and time. This data is used to search for an address in the network's transaction history for the purpose of further deanonymization.
- Intersection of clusters. The aim of the attack is to link two purchases of the same user to the bitcoin blockchain. Here, the attacker identifies a cluster of addresses that include the victim's addresses and looks for intersections between addresses using the graph method.
As it has already become clear, the confidentiality of the owner of a bitcoin wallet is a rather fragile thing. A public bitcoin address is anonymous only when no one knows the owner and cannot even guess what kind of transactions are being carried out through the wallet. That is why many people recommend using disposable bitcoin wallets to conduct black market transactions. One wallet = one transaction.
In this study, the authors used the so-called PageRank method in the form of a classical graph. The main feature of the method is to identify large bitcoin wallets that belong to shadow marketplaces and gambling sites, because these are the main Bitcoin hubs on the darknet.
6.1. Transaction graph
The entire blockchain can be thought of as a directed acyclic graph.
Forum: G = {T, E}, where
T is a set of transactions stored on the blockchain,
E is a set of unidirectional edges between these transactions.
G - the flow of coins at a certain point in time
Each edge entering the transaction has a certain number of coins and a timestamp, which form the input data of the transaction. The wallet address graph and the user graph of these wallets are always built on the basis of the transaction graph.
6.2. Address graph
As we move through the transaction graph, we can easily deduce the relationships between various input and output addresses (public keys) and these relationships can be used to generate the address graph.
Forum: G = {P, E}, where
P - a set of bitcoin addresses,
E - the edges connecting these addresses
6.3. User graph
There is nothing interesting here: we just collect everything we found and group the addresses, possibly belonging to the same user.
It should be noted that the method is described in more detail here. I understand that it is stated rather superficially, so see the original for those who are interested in the technical side of the method. It is very interesting there, but if I translate all this, an article will turn out about the graph method in deanonymizing Bitcoin users. And this is just my reflection.
Mixers, KYC and AML
First, about the mixers. Initially, the mixer is needed in order to confuse transactions and whiten your bitcoin, which is obtained by criminal means. For example, you sold drugs on the darknet and want to legalize the funds received. The mixer has its own pool of bitcoin addresses, you run your money through N addresses and get "white" bitcoin at the output. The amount of the commission depends on the number of addresses used and this can be regulated. But not every mixer can please you with its honesty.As practice shows, one of the popular mixers is a darknet platform project and the bitcoins that you get at the output are over-dirty. There is little sense in such a mixer and it is more harmful than useful. Finding a reliable mixer that sends your money for sure, uses a reliable pool and whitens bitcoin by cheating AML (see below) is not an easy task. You will either end up on a scam, or the mixer will be a dummy, or you will be lucky and you will find a reliable service. Each of the mixers must be looked for, of course, through DuckDuckGo, check via @cryptoaml_bot and watch the result. Below is an example of a screenshot of the result of transferring bitcoins through a low-quality mixer, close to the darknet marketplace. By the way, the presence of a .onion mirror on a mixer does not always indicate its reliability and is more a plus than a minus, but the fact is obvious: the service is useless.
You can see for yourself that 94% of the funds in a transaction belong to the Dark Market category, which leaves no doubt that Bitcoin is "dirty". Moreover, @cryptoaml_bot evaluates the risk level of your transaction and it has a "Mixer" category, which makes it clear that it can identify bitcoins from a poor quality mixer that are also high risk.
It would seem, well, evaluates and evaluates, what's the difference? But there is a difference, because the same Chatex recently connected to AML and now evaluates incoming transactions in the same way. In other words, it has now become much more difficult to sell dirty bitcoins for fiat through this service. Although this is an excellent P2P crypto exchange on Telegram, which had no other choice: either to remain a simple exchanger, or to grow into a full-fledged crypto exchange.
KYC and AML
KYC - Know Your Customer or Know Your Client (Know your customer). This is the principle of activity of financial institutions (banks, exchanges, crypto-exchanges, etc.), obliging them to identify the counterparty's identity before conducting a financial transaction. In other words, this is verification of you in the service by providing you with documents proving your identity.AML - Anti-Money Laundering (anti-money laundering). To be absolutely precise, the abbreviation should have been longer, AML CFT CWMDF - anti-money laundering and counter-terrorist financing and counter-weapons of mass destruction financing. destruction).
This is exactly how the mission of a non-governmental international organization, the Financial Action Task Force on Money Laundering, sounds.
KYC is rather a part of AML. The vast majority of crypto exchanges, from Binance to Kucoin, have long since introduced AML, identifying users and monitoring their transactions. And this is normal from the point of view of white business, but for lovers of dark movements, this is a stick in the wheels. Often, Binance simply does not accept a transaction from the "Dark Market" or "Mixer" category, and then it remains to look for a buyer in Telegram chats and hope that he will buy your bitcoin. Of course, there are dozens, if not hundreds of exchangers at BestChange where you can drain your bitcoin, but I can’t say anything about their level of reliability.
Conclusion
- The Bitcoin blockchain belongs to open blockchains and is completely transparent. This opens up wide opportunities for analyzing transactions and deanonmizing wallet users. From the point of view of the economy of the shadow marketplace, this is a risky tool, but in Russia everything works differently.
- Not only BTC is not anonymous, but also Dash and Zcash. Only Monero did not surrender its positions. Bitcoin transactions are the key to de-anonymizing Tor users, which casts doubt on the reliability of this payment tool on the darknet. LTC has much more potential.
- There are many different ways to de-anonymize users of bitcoin addresses, but most likely you will have to use them all together. The graph method is, so far, the most advanced and dangerous for users of bitcoin and Tor services.
- Mixers are necessary and useful, but many of them are dummies or pour you dirty bitcoin. You can find a good one, but for this you need to spend N money and N hours of your time.
- AML and KYC are the natural path for all crypto projects that scale, but a huge stick in the wheel for black market players on the darknet. We have to look for services that do not work with AML or ordinary physical buyers of bitcoin in chats and forums.