Last updated on 19 January 20219 min read
As you will recall, at the end of part 3 of our analysis, we encountered a transaction which involved two recipient addresses: the address 1DqYiuVPjxrS3tkE8VeSorvx4ZEeR3oGkZ which received 0.20223736 bitcoin and was examined in part 4 of our analysis and the address 1AgEeJ1cNWpXxABaTysv4CM6MqARSnXFce which received 2.5 bitoins.
In this part of our analysis, let’s see what happens to the 2.5 bitcoins transferred. Such a precise amount was certainly intentionally transferred, it is not a random change. However, in most of the transactions examined so far, we have seen much smaller amounts sent to the actual recipients. Therefore, it is good practice in an analysis of any kind, to pay more attention to all those behaviors that “break” the regularity, trying to identify the reasons that could have given rise to the anomaly.
Let’s start the analysis
Let’s immediately start looking at what has been done with the address we are examining.
The address was involved in a single outgoing transaction, in favor of two addresses: 1J8kvixEnAnGDEDwkfqJS246sXdW1mhkvB which receives 0.99805659 bitcoin and 1NPgLU4sVj5ww2UZ8DktDSYm7kLJN6sYq1 which receives 1.501685. In this case, it is not at all easy to understand which of the two is the actual destination address and which is the rest address. In fact, a single sender address is involved, which spends all the available balance, and both destination addresses receive an amount with 8 decimal places.
So, to avoid that we can miss something, we must carefully examine both addresses, looking for behaviors similar to those already seen so far or for interactions with known entities.
First recipient address
Let’s start by observing the behavior that of the address 1J8kvixEnAnGDEDwkfqJS246sXdW1mhkvB, which received 0.99805659 bitcoin.
Unlike what we have seen so far, this address received an amount of almost one bitcoin, but did not spend it. In these cases, checking the address with walletexplorer.com will not give great results. The data shown by this service are based on the activity that was done with the addresses. In this case, since there has been practically no activity, it will not be possible to group this address with others, or to trace it back to known entities.
This is a new situation, we have an address that has a substantial amount of bitcoins and has not yet spent them. This does not mean that the user, from one day to the next, cannot decide to use this address to carry out a new transaction and provide us with new information.
However, even if in this case we have only one address to observe, as it could carry out transactions, it is not at all practical to think of checking every day if the balance has changed. Imagine having dozens of addresses to keep under control and having to check them one by one several times a day.
A new tool
We can take advantage of a service that is right for us, offered by the Blockonomics site. Once we have created a free account, we have a service called “Wallet Watcher”, which allows us to keep an eye on multiple addresses simultaneously.
We have the ability to add multiple addresses and label them for easy recognition. Don’t forget, from the settings tab, to tick the box that allows you to receive an e-mail alert whenever one of the addresses you observe is affected by any activity.
In this case, consider the address balance is unchanged since 8 April 2016, so the possibility of it being used suddenly is quite low. However, imagine working on a more topical case, where addresses are continually involved in inbound and outbound transactions, or having an address on hand that is used to receive donations for illicit purposes. A service of this type will certainly help you a lot in keeping the situation in hand and not having to start your analysis from scratch each time as you are faced with a changed scenario.
Second recipient address
Continuing our analysis, let’s now look at the address 1NPgLU4sVj5ww2UZ8DktDSYm7kLJN6sYq1 which received 1.50168541 bitcoin, in the transaction reported at the beginning of this part of our analysis.
In this case, the bitcoins were all spent, in a single transaction.
As you can see, this is a single transaction that sees 11 other addresses among the senders and was carried out in favor of 6 other addresses.
A new actor on the scene!
In our analysis, we have never encountered a transaction involving so many addresses. Instead of starting immediately to examine all the addresses, grouping them in a single wallet and observing each of them where he got his bitcoins, let’s try to understand who we are in front of. Let’s search our address with walletexplorer.com.
As you can see, walletexplorer.com has grouped the address in a wallet that has carried out 232621 transactions! It is a wallet which, based on the reconstructions carried out by the algorithms on which walletexplorer.com is based, contains 37632 addresses! I would say they are too many for a single person.
Let’s go back for a moment to the previous image, which shows the activity carried out with the wallet which includes the address we are examining. As you can see for yourself, by clicking here, outgoing transactions are directed to spectrocoin.com.
What could have happened?
Let’s start by understanding what spectrocoin.com is. It is an exchanger that allows you to exchange different types of virtual currencies with each other or to buy and sell them using FIAT currencies.
The time machine
However, remember that the currencies displayed at the time of the analysis may be different from those accepted at the time of the transaction. Let’s try to understand what the situation was at the time of the transaction, therefore, approximately, in the period of April 2016. To do this we can use a service called WayBack Machine. Let’s search the spectrocoin.com page and view the available data.
There are various data relating to 2016. In particular, there is a capture of the site that dates back to April 8, coincidentally the day on which the transaction we are studying was carried out.
As you can see, at the time of the transaction, the site only supported Bitcoin and no other virtual currency.
In particular, the site could be used to buy and sell bitcoins, as well as to have your own online wallet or have a virtual debit card powered by your own bitcoins.
At this point, we can assume that the 1.50168541 bitcoin transaction, carried out to the address 1NPgLU4sVj5ww2UZ8DktDSYm7kLJN6sYq1, was aimed at exchanging bitcoins into FIAT currency or making a payment through the SpectroCoin virtual card. Unfortunately, at this point, the information is no longer present in the blockchain, but is in the exclusive availability of those who manage spectrocoin.com.
In summary …
Starting with a single bitcoin transaction, we were able to:
- identify other related transaction flows;
- understand that the bitcoins were probably purchased from the Cex.io exchange;
- reconstruct the scheme by which bitcoins were regularly used to send payments through BitPay.com and CoinPayments.com, following the rest of the transactions;
- follow a flow of transactions until its exhaustion;
- identify when bitcoins have likely been converted back into FIAT currency via SpectroCoin.com.
The analysis we conducted started with a casual transaction. Obviously, the scenario in front of us is always unpredictable. The more tools you master, the greater chances you will have of being able to productively analyze any scenario you will encounter.
Unfortunately, once you arrive at an exchange, it is difficult for it to decide to share information about its customers with you, unless you can use the powers of the Police Forces or the Judiciary.