Once we get to the starting transaction as explained in part 1 and part 2 of this analysis, let's see what happened from there on. At the beginning you can see that the transactions continue with the same pattern: one address receives a lower bitcoin amount and with fewer decimal places and another receives the so-called remainder of the transaction, a higher amount and with more decimal places.

Transazione 1
Picture 1

With the same rules used up to now, we can state that the address 1NZ4MSeYcDKFiPRt8h7VK6XMhShwzhCzCp is the one that actually receives the bitcoins, while the address 1AK79g9gpvZ8jn2C9MsWQpijMFA5JaTdqP is the one that receives the remainder of the transaction.

In this case, walletexplorer.com does not give us any information on the destination address.

Wallet explorer 1
Picture 2

Let's continue to follow the chain of transactions

Now you can start looking at the next step, looking for the change address 1AK79g9gpvZ8jn2C9MsWQpijMFA5JaTdqP with bitcoinwhoswho.com.

Transazione 2
Picture 3

Also in this case the situation is that seen in most of the cases of our analysis. By now you shouldn't have difficulty recognizing that the address 153LqeB1mQa8xDaQDyvhWTCNweVTDeH9BE is the one of the actual destination of the payment while the address 1RBiVomgGeqqRm4NQkJhmffWtAfJDdjFr is the remainder.

Since these are little used addresses in all cases, it is easy for bitcoinwhoswho.com not to give us other useful information. So let's see what walletexplorer.com is able to tell us about the payment destination address.

Wallet explorer 2 - CoinPayments
Picture 4

In this case, the address was traced to CoinPayments.net. Let's continue with our analysis and see what happens in subsequent transactions.

To do this, as you have understood by now, we need to analyze the transactions made with the address 1RBiVomgGeqqRm4NQkJhmffWtAfJDdjFr.

Transazione 3
Picture 5

If we search for the change address with walletexplorer.com, we notice that it is not traced back to any known entity, but is still associated with a wallet with a great deal of activity, 211,023 transactions! Similar behavior is typical of an exchange or payment intermediary. It is difficult to imagine a person carrying out such a number of movements.

Wallet explorer 3
Picture 6

Going forward, observing the transactions carried out from the change address identified from time to time, you will notice the following payment destination addresses:

  • 1AV6NxfKYTwDSqbcGFn76KtAFHwCDYScHi, not related to any entity, but associated with the same wallet with ID 0000979937 of the previous case;
  • 1G85zgoQu1VeEaH4gQwyfS9VQqUxBJD6bb, not linked to any entity, but associated with the same wallet with ID 0000979937 of the previous cases;
  • 1MYQwTsamJ18WnaeggkF4Tboms5ySHp2VA, not linked to any entity, but associated with the same wallet with ID 0000979937 of the previous cases;
  • 1PQAL7HxjzuoKVAbbTijkZ3mPZWhtgEjYM, not related to any entity, but associated with the same wallet with ID 0000979937 of the previous cases;
  • 1MRFjrnChHPMP9WH797Tg27eZNzQexQW6S, not attributed to any entity;
  • 1EMVNB1aGTdL48oi2T6t4wZLUDQ9Kc5ddv, not linked to any entity, but associated with the same wallet with ID 0000979937 of the previous cases.

Something unusual, or not?

Continuing, we arrive at the address 1HvWTwViSsy8j5Z9QWCGKKFiSCgDe1uLAM, which receives the rest of the previous transactions. Look closely at their transactions, do you notice anything strange?

Transazione 4
Picture 7

The address seems to receive 1.37587747 bitcoins, but it spends 2.70223736! It seems absurd. Instead it is a deceptive display of information provided by bitcoinwhoswho.com. In fact, the service only displays information strictly related to the address you searched for. To understand what happened, you must first note the string 23e7879eaa2c2757d049f1a22a176dda4907be407aa70fdcc3ea4a5b57754f52 written above the "anomalous" transaction. This is the transaction identifier, called hash. To be able to understand it we need to query another blockchain explorer, for example blockchain.com.

By doing so, you can see that the address 1HvWTwViSsy8j5Z9QWCGKKFiSCgDe1uLAM is not the only sender of the transaction.

Transazione 5
Picture 8

In fact, the bitcoins also come from the address 16xyGaTT2dQipfhUz8rNPR4L98xx7zQ9Et. So you can learn another method to associate multiple addresses to the same subject, the "cospending". If a transaction comes from two addresses, the person who made it must have the private keys of both in order to sign it. We can therefore say that the user has both addresses, or that both addresses are part of the same wallet.

Another sequence of transactions

Note that the address 16xyGaTT2dQipfhUz8rNPR4L98xx7zQ9Et already had some bitcoins available when you encountered it. So this address will also have its own history and flow of transactions. If we begin to observe the transactions linked to this flow of transactions, we notice that these present a behavior almost identical to that seen so far.

Our address receives its bitcoins from the address 17SLcA24f4s3RXupPWWAdJsfJcdhyRivfF.

Transazione 6
Picture 9

This address, continuing backwards, receives the bitcoins from the address 17GKzWc4m7kEPxvoHAtPisvtZ7Qnk2sMd and carries out a single outbound transaction, of which the address 1ZeSmMCHFqd6Gg8y3NhrChVTyTPbUkneJ that receives 0.144816 bitcoin is that of the actual destination and the address 16xyGaTT2dQipfhUz8rNPR4L98xx7zQ9Et that receives 1.32640989 bitcoin is the change one.

Transazione 7
Picture 10

By going backwards, we can try to get to the point where these bitcoins may have been bought. I don't want to bore you with another analysis similar to the one already seen in the first part. Maybe you can try to reconstruct the path made by bitcoins yourself. However, I want to anticipate that the bitcoins come from the same wallet linked to Cex.io, which we met in the first part, with ID 0001d2e726 on walletexplorer.com.

A little confused? Pictures can help

Here is an image that can help you understand what is happening. There are two flows of transactions that start from the Cex.io exchange: one is the one we followed in the first two parts of our analysis and one is the one we have just encountered. The two flows merge when the bitcoins in the availability of the addresses 1ZeSmMCHFqd6Gg8y3NhrChVTyTPbUkneJ and 16xyGaTT2dQipfhUz8rNPR4L98xx7zQ9Et are used to carry out the same transaction.

Picture 11

Let's continue to follow bitcoins

So far I have only made you look at the senders of the transaction where we noticed the cospending by two addresses. But also look at the recipients of the transaction.

Transazione 8
Picture 12

We find the address 1DqYiuVPjxrS3tkE8VeSorvx4ZEeR3oGkZ which receives 0.20223736 bitcoins and the address 1AgEeJ1cNWpXxABaTysv4CM6MqARSnXFce which receives exactly 2.5.

With the criteria I have made you adopt so far, you will certainly agree that the address that receives 2.5 bitcoins is the one of actual destination. In fact, as you will recall, we said that a user is unlikely to want to make a transaction by specifying an amount of 8 decimal places, resulting in a change of exactly 2.5 bitcoins.

In this case, we can strengthen our claim by taking into account that we have seen two senders addresses. If a user wanted to transfer 0.20223736 bitcoins it would not make sense to use both sender addresses. In fact, at the time of the transaction, observing the history of transactions received by each of the senders, the address 16xyGaTT2dQipfhUz8rNPR4L98xx7zQ9Et had 1,32640989 bitcoins

Transazione 9
Picture 13

and the address 1HvWTwViSsy8j5Z9QWCGKKFiSCgDe1uLAM had 1.3758774 bitcoins.

Transazione 10
Picture 14

So the only reasonable reason to use both addresses as senders is to have the intention to transfer 2.5 bitcoins. If the user of the addresses had wanted to transfer 0.20223736 bitcoins, it would have been enough for him to use only one of the two addresses, obtaining, depending on the case, a change of about 1.12 or 1.17 bitcoins.

Since we have found abnormal behavior compared to what we have seen so far, we need to carefully analyze what both destination addresses do. In fact, we could find ourselves in front of either a more substantial payment, or a consolidation transaction, that is, a transaction carried out to collect the balances available on multiple addresses in one.

For now let's say that this is enough, we will talk about this in the next part of this analysis.

Mister Serious
Post by Mister Serious
September 28, 2020
Head of the AnuBitux project. Works as a cryptocurrency analyst and in the blockchain forensics field. In the free time he develops this distro and codes with Python.