Last updated on 19 January 202113 min read
Let’s continue our analysis. Remember that, in the last transaction seen in part 3, the address 1DqYiuVPjxrS3tkE8VeSorvx4ZEeR3oGkZ received 0.20223736 bitcoins and the address 1AgEeJ1cNWpXxABaTysv4CM6MqARSnXFce received 2.5. Since the behavior does not conform to that seen in the other cases, let’s try to focus on both addresses.
To start, let’s continue to follow the changes
Let’s start analyzing the activity of the address 1DqYiuVPjxrS3tkE8VeSorvx4ZEeR3oGkZ. We have already determined that this address received the change of the transaction. By following his activity you can see that the first and only outgoing transaction made involves an outgoing amount greater than the one received.
This time you will no longer be surprised as on the last occasion. As I have already shown you, we need to search the hash of the transaction with the blockchain.com explorer and see the other addresses involved.
As we expected, in addition to the address 1DqYiuVPjxrS3tkE8VeSorvx4ZEeR3oGkZ, among the senders we also find the address 1BP6cAbMWNCD7zmrYsMTMs44knqiuunHSG.
Find the most suitable tool
The circumstance in which there are multiple sender addresses, in this phase of the analysis, is occurring more and more often. The bitcoinwhoswho.com service requires a good glance to notice this peculiarity every time. So far I have decided to use it deliberately as we were looking for information on addresses that we gradually identified, and this service allows us to find them quickly, as long as they have been shared on the network. However, we have seen that on almost all occasions we have been faced with addresses that have made a maximum of two transactions and that therefore have hardly been published online. In order not to miss precious details, we can think of starting to use the blockchain.com explorer also to examine the activity of bitcoin addresses and not just to search for transaction hashes. It will not provide us with additional information, but it displays more complete information relating to the transactions that each address has made or received.
Let’s continue to follow the transactions
Let’s continue with our analysis! At this point we have to examine the address 1BP6cAbMWNCD7zmrYsMTMs44knqiuunHSG. It is likely that we have come across a third stream of transactions that intersects with the one we are following. Let’s start by understanding where the bitcoins that have spent the address 1BP6cAbMWNCD7zmrYsMTMs44knqiuunHSG come from.
By now you should be able to do this analysis on your own. Let me give you the input to get you on the right path. Start by searching for the address with blockchain.com, to see where your bitcoins have come from.
You can see that the sender address is 1ERLDBwMikm96UBqLj9h7FfCVEnGs5grHH. Now try to search it with walletexplorer.com, to understand if its algorithm is able to lead it back to a known subject, in possession of more information.
Unfortunately, we weren’t so lucky. The address is traced exclusively to the wallet with the identifier e6a20c7ac3 and to no other address. Now try to trace the transactions back until you find where the bitcoins may have been purchased from.
Where do you think they were bought from this time? Well yes! Once again, the flow of bitcoin transactions started from the same wallet, managed by the Cex.io exchange and identified by walletexplorer.com with the identifier 0001d2e726.
The sequence of transactions initially moves 4.1721 bitcoins, which will gradually be involved in transactions in which a larger amount will be transferred to the change address and a smaller amount will be sent to addresses that we assume are in use by payment processors like BitPay.com or CoinPayments.net.
The eye also wants its part
Here is a chart that will help you understand what’s going on.
So far we have identified three transaction streams that originated from the Cex.io exchange and have crossed over as they have been used to dispose transactions with multiple senders addresses.
Let’s continue the ascent, we are almost there …
Let’s take a look at the two destination addresses of the last transaction.
The address 1Mo8of2hfMKRntywZHip88CxSqfJ2VwQbp receives 0.05383844 bitcoin, while the address 1FnFRMpgvkUNGuxpsqDS69JtLKGqc5pQTs receives 0.36984822 bitcoin. Both addresses receive an amount with 8 decimal places. How can we recognize the destination address from the change address? Remember that this is a two sender address transaction! The address 1DqYiuVPjxrS3tkE8VeSorvx4ZEeR3oGkZ spent 0.20223736 bitcoins into the transaction while the address 1BP6cAbMWNCD7zmrYsMTMs44knqiuunHSG spent 0.2214993. If the user of these addresses had wanted to transfer only 0.05383844 bitcoins, he would not have had any need to use both addresses.
We can therefore say that the address 1Mo8of2hfMKRntywZHip88CxSqfJ2VwQbp that receives 0.05383844 bitcoin is the change address, while the address 1FnFRMpgvkUNGuxpsqDS69JtLKGqc5pQTs that actually receives 0.36984822 bitcoin is the destination address.
As you will be used to doing by now, we have to search for the actual destination address with walletexplorer.com, to understand if it is a known subject.
Unfortunately this is not the case, but we can observe that the wallet has carried out 34 transactions and that contains 33 addresses.
Without forgetting that we have left the analysis of the address that receives 2.5 bitcoins pending, we continue to follow the flow of transactions we have at hand by observing the activity of the address 1Mo8of2hfMKRntywZHip88CxSqfJ2VwQbp which receives the change of the last transaction.
Also in this case the examined address carries out a transaction combined with another sender address, 129s7TCmH8ahezAemKxoLjx8wjMA1USp2x. Thanks to the fact that we changed explorer, we were able to notice it immediately, without having to pay too much attention to the amounts involved in the transactions.
As usual, let’s see where this last address gets the bitcoins from, observing the transactions in which it was involved.
The bitcoins come from the address 1Kn6wUwfAKarFHc1suXH2xFViQxe9WEzCQ. Let’s see if walletexplorer.com is able to tell us a little more.
Unfortunately this was not the case. So let’s look at the transactions of the address 1Kn6wUwfAKarFHc1suXH2xFViQxe9WEzCQ.
Sometimes we have to understand what we are facing from his behavior
At a glance you can already notice that there is something strange. The address carries out a single outgoing transaction involving over 88 bitcoins, sent to 7 addresses. Let’s go back to the result of walletexplorer.com and deepen the information that is provided to us.
Among the destination addresses, 5 are unknown, one is traced back to BtcMarkets.net and one to 999Dice.com. A behavior of this type, due to the variety of recipients and the large amounts handled, is usually typical of exchanges or payment processors. Unfortunately, we cannot say to which subject this address can be traced. Maybe, if you have any idea, don’t hesitate to suggest it.
Let’s now go back to the transaction made both from the address 1Mo8of2hfMKRntywZHip88CxSqfJ2VwQbp and from the address 129s7TCmH8ahezAemKxoLjx8wjMA1USp2x, to analyze the recipient addresses.
The address 1LAnu8aBw5MMkbp2aj7y3ypj6tH3jTPSPg receives 0.00128844 bitcoin while the address 13Bsa1JgufyYtDSvpw2uEpHx3n6ofoKhGm receives 0.0625 bitcoin. With everything you have learned so far, you will be able in an instant to determine that the address 13Bsa1JgufyYtDSvpw2uEpHx3n6ofoKhGm is the actual destination of the payment while the address 1LAnu8aBw5MMkbp2aj7y3ypj6tH3jTPSPg is the change address.
Also in this case walletexplorer.com does not give us information, but we can still observe that we are dealing with a wallet, with ID 035e72375b, which has carried out 593 transactions.
A huge amount of information
Let’s now look at the change address, to continue following the sequence of transactions. Also in this case, the amount transferred is higher than the available balance of the address.
Look at the details of the outgoing transaction 76f379d206304d0da93584633610289b296651f77ba3329c9dd94d0640909f10. Although the transferred amount is extremely small, only 0.02357879 bitcoin, we note that there are six sender addresses! Such a data is a mine of information for an analyst. In fact, it is possible to follow five other flows of transactions backwards, and collect more information that can be used to identify the real users of the bitcoins we are following.
At this point I leave the burden of following all the transactions of these addresses back to you, by now you have learned how to do it. It is not within the scope of this article to reconstruct all transactions, but just to show you how to perform it.
Don’t leave any information behind
Let’s move on instead, continuing to see where the bitcoin transactions we’re following are headed. The 129ZJG3i5qSSEdvzAjjBNqsrtiX2pRyFz5 address which receives 0.00004579 is the change address while the address 1FbV7p8zDqfuVU1unCTmmLjm7ShLD9GPyk which receives 0.023533 is the one of actual payment destination.
Walletexplorer.com does not trace it back to any entity, but nevertheless identifies a wallet that has carried out 292870 transactions, typical behavior of an exchange.
Let’s go ahead, observing the outgoing transaction of the changeover address 129ZJG3i5qSSEdvzAjjBNqsrtiX2pRyFz5.
Bitcoins are sent to two addresses. As usual, we immediately determine that the address 155HWPsNcBGxMuMgiQjhAUD2ggCMGLVm9X that receives 0.00003139 is the change address while the address 1Pw16T7ZMDkoMu1uR1AqQzNy11F9sDifX9 that receives 0.008643 is the actual payment destination. Also in this case the address examined is not the only sender of the transaction, but appears together with two other addresses. We observe the payment destination address.
It is returned to the same wallet that received the previous transaction. Remember, it is always good to take note of the identifiers of the wallets you encounter during an analysis, you never know when they might pop up again. Being able to connect two transactions made or encountered at two different times to the same wallet can be a very valuable information.
Let’s look at the address 155HWPsNcBGxMuMgiQjhAUD2ggCMGLVm9X which received the change of the last transaction.
The address shows only the incoming transaction just seen. The present amount, 0.00003139 is so small that the user has probably decided to don’t use it anymore.
At this point, we can say that we have followed a flow of bitcoins in which multiple transactions were made to different payment processors, gradually reducing the amount that was carried forward as change, up to an amount practically zero and above all point where the flow of transactions stops.
Let’s not forget that we have yet to observe where the 2.5 bitcoin transaction mentioned at the beginning of the article went, but we will talk about it in the next part.