If you have no doubts about the first, let's try to find an answer to the second question posed by our hypothetical decision maker: what happens to these bitcoins?

As you have seen, all outgoing transactions, marked with the red arrow, usually had two addresses as recipients: an actual destination address and a change address held by the person who made the transaction.

Understanding who a transaction is intended for

Determining which is the actual destination address and which is the change address is not as immediate as you might imagine: you need to analyze case by case, carry out statistical evaluations, and identify objective criteria or repeated behaviors useful for profiling the user and the tools they used.

In this case, by observing the transactions with the red arrow, you can see that, for each transaction:

  • a larger amount, generally with eight decimal digits, goes to an address and is gradually carried forward from transaction to transaction;
  • a smaller amount, with six decimal digits, is forwarded to a second address.

Usually the address that receives the amount with more decimal digits is the change address, since it is unlikely that a user will make a payment precise to the eighth decimal place and get back a remainder with at most six decimal places.

Since this pattern is repeated in several transactions, that explanation is even more unlikely.

How to go up the chain of transactions?

To better understand what happens, let's follow the financial flow, starting from the first address where the recurring behavior we have identified occurred for the first time, 1KgUcHDuWLVzFxVnwp3u5jZw3FmorjG1jD.

Transaction 1
Picture 1

In this case the address that receives 0.8 bitcoin, 1N5hfyuGVZbTR78zXQ22kjUyCwZbgB8yhw, is most likely the actual destination address, while the address that receives 11.04445 bitcoin, 1GN5ZGGQsgQGQdP5Yc2LAWUKssrLk5YR, is the change address. It is very unlikely that a user will make a transaction of 11.04445 bitcoins (even by specifying the current currency amount on their client) and get a change of exactly 0.8 bitcoins.

Let's analyze the actual destination address. Through walletexplorer.com it is possible to link it to known entities, exchanges or payment intermediaries such as BitPay.com, CoinPayments.net, CoinGate.com, etc., which bring us closer to whoever actually received the transaction.

In the first case, the address 1N5hfyuGVZbTR78zXQ22kjUyCwZbgB8yhw is not traced back to any known person or entity.

Wallet Explorer 1
Picture 2

This does not mean that the address cannot be traced to an exchange or a payment intermediary, but rather that walletexplorer.com was unable to identify who presumably controls it.

To help you understand what is happening, here is an explanatory image. Remember that, in many cases, making transaction graphs is a very useful way to better understand what's going on.


Picture 3

Let's keep it up!

Continuing to follow the sequence of payments, we look at the transaction made from the change address 1GN5ZGGQsgQGQdP5Yc2LAWUKssrLk5YRbc. Considering the behavior seen in the other transactions examined, we can assume that the actual recipient is the address 1Mut7bPWhQS2NkTQ6wUpRtbV65vyELBqcs and the change address is 1ECFBdcnfhVWcGG6k4p4Pt4J9ciQsK8wEn.

Transaction 2
Picture 4

Analyzing the information provided by walletexplorer.com, confirming what we hypothesized a little while ago, 1Mut7bPWhQS2NkTQ6wUpRtbV65vyELBqcs is traced back to the payment intermediary BitPay.com.

Wallet Explorer 2 - BitPay
Picture 5

Now look at the outgoing transaction made from the address 1ECFBdcnfhVWcGG6k4p4Pt4J9ciQsK8wEn.

Transaction 3
Picture 6

We assume, with the same criteria adopted for the previous transactions, that the destination address is 1ChwFk9Wtq7zav6TRnxE8e8xgf5daFXV5D, while the change address is 1MYQzejdwhiU83qy4SsLKcm7CwV5XxVFRn. Also in this case, walletexplorer.com was unable to link it to any known service.

Wallet Explorer 3
Picture 7

Continuing along the flow of transactions, we find the following destination addresses:

  • 13ov4UBJYJQBC1Tv5vEvijShn2vWS3vPrJ, not attributable to any person;
  • 1Atc1n6rCm7GMpW1JsRuwF8b2hWQJjxi6i, not attributable to any person, but recipient of an unusually high amount equal to 5 bitcoins;
  • 13DD8uH3FMZbJjXnSgZfL2MMTxesT9qUgJ, not attributable to any subject but grouped with 6 other addresses that could be further examined;
  • 1Hy8Comf7wyBtqgGzph3fX8Ky6S5t8eXeh, attributable to the same wallet as the address in the previous point;
  • 1DLTLvpev16LemyDtuyEL2WnyLskcPSvKM, attributable to CoinPayments.net;

Wallet Explorer 4 - CoinPayments
Picture 8

  • 1J8LeRgSwuHqfJuFX3Uo62WnDNFsNuAygR, attributable to BitPay.com;

Wallet Explorer 5 - BitPay
Picture 9

  • 1Jkoon938Pe66whJgZZwxn6zzjKMLkFRCX, not attributable to any person;
  • 14mUSXvddwR9qgBr93BGXEAcgRw84jEtaG, not attributable to any person;
  • 1NZ4MSeYcDKFiPRt8h7VK6XMhShwzhCzCp, not attributable to any person.

This last address is the one that received the transaction from address 1LQv8aKtQoiY5M5zkaG8RWL7LMwNzVaVqR, cited in the article from which we began our analysis.

Let's recap

Returning to the main discourse, in the following image you can graphically observe what we have reconstructed so far with our analysis. Note how the change addresses are represented by circles that get smaller and smaller, to represent the part of bitcoin that is "lost" to make payments.

Schema 2
Picture 10

At this point, with the same method, you can continue to follow the chain of transactions, identifying further known subjects and observing whether the change address, which is currently receiving an amount greater than 4.5 bitcoins, will gradually run out or, at some point, will be sent in full to another subject.

What else should we look at?

To obtain more information, the aforementioned wallet of seven addresses, including 13DD8uH3FMZbJjXnSgZfL2MMTxesT9qUgJ and 1Hy8Comf7wyBtqgGzph3fX8Ky6S5t8eXeh, could be examined.

Furthermore, we can observe that the aforementioned address 1Atc1n6rCm7GMpW1JsRuwF8b2hWQJjxi6i, with the transaction made on 23 December 2015, receives 5.0 bitcoins, unlike other transactions where the amounts are much smaller. This could be a more substantial payment but, considering that less than 12 bitcoins were handled at the beginning of the transaction sequence, it could also be that the user of these addresses wanted to split the managed bitcoins and start another sequence of transactions. In fact, the following transaction is sent to the addresses 1HbKVbT2k82JcMrvErwWMhJPGHjSo8iLBK and 1JX9Q7fqn9TajUe4F6vjWGtGnD2wqnXTii. Of these, the address 1HbKVbT2k82JcMrvErwWMhJPGHjSo8iLBK is traced back by walletexplorer.com to the payment intermediary BitPay.com, as has happened in other cases seen so far.

Wallet Explorer 6 - BitPay
Picture 11

One last consideration is useful when following a flow of transactions. Observing the transaction amounts, and assuming that the address with more decimal digits is the change one, you can keep tracing the flow and quickly tell the change address from the actual destination one by focusing on the last digits of the transferred amount, which will remain the same in most cases.

In our case, in fact, the digits “47” are repeated several times.

Transaction 4 - change
Picture 12

Transaction 5 - change
Picture 13
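
The two heuristics used in this post (the output with more decimal digits is the change; the last digits of the change amount recur along the chain), as an added Python example that is not part of the original analysis. PAGE_TX1 holds the 0.8 and 11.04445 bitcoin amounts of Transaction 1; the output labels and the SPENDS chain are constructed sample data.

```python
def decimal_places(sats):
    """Decimal digits needed to write a satoshi amount in BTC (0 to 8)."""
    places = 8
    while places > 0 and sats % 10 == 0:
        sats //= 10
        places -= 1
    return places

def guess_change(outputs):
    """Likely change address of a two-output transaction, or None if unclear."""
    if len(outputs) != 2:
        return None
    (a, pa), (b, pb) = ((addr, decimal_places(v)) for addr, v in outputs.items())
    if pa == pb:
        return None  # same precision on both outputs: heuristic does not apply
    return a if pa > pb else b

def follow_change(spends, start):
    """Follow change outputs from `start`; one (destination, change, sats) per hop."""
    hops, addr = [], start
    while addr in spends:
        outputs = spends[addr]
        change = guess_change(outputs)
        if change is None:
            break  # ambiguous: stop and review this transaction by hand
        dest = next(a for a in outputs if a != change)
        hops.append((dest, change, outputs[change]))
        addr = change
    return hops

def shared_suffix(hops, digits=2):
    """Trailing digits common to every change amount in the chain, else None."""
    tails = {f"{sats:08d}"[-digits:] for _, _, sats in hops}
    return tails.pop() if len(tails) == 1 else None

# Amounts of Transaction 1 above, in satoshi (0.8 and 11.04445 BTC); labels are placeholders.
PAGE_TX1 = {"out_a": 80_000_000, "out_b": 1_104_445_000}

# Constructed chain: spending address -> outputs of the transaction it funds.
SPENDS = {
    "start": {"dest_1": 13_520_000, "chg_1": 461_234_547},
    "chg_1": {"dest_2": 2_250_000, "chg_2": 458_974_547},
    "chg_2": {"chg_3": 427_548_647, "dest_3": 31_415_900},
}
```

Calling follow_change(SPENDS, "start") and then shared_suffix on the result gives the destinations hop by hop and the recurring suffix; a None from guess_change marks a transaction that needs the case-by-case review described earlier.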

Please don't hesitate to ask me all the questions you think necessary regarding what I have tried to explain in these two posts.

>>> Following what is stated in the Executive Summary, a further study was requested on the transactions that took place after 1 February 2016. <<<

We will begin to see it in the third part.

Post by Mister Serious
September 28, 2020
Head of the AnuBitux project. Works as a cryptocurrency analyst and in the blockchain forensics field. In his free time he develops this distro and codes in Python.