As you may recall, at the end of part 3 of our analysis, we encountered a transaction that involved two recipient addresses: the address 1DqYiuVPjxrS3tkE8VeSorvx4ZEeR3oGkZ, which received 0.20223736 bitcoin and was examined in part 4 of our analysis, and the address 1AgEeJ1cNWpXxABaTysv4CM6MqARSnXFce, which received 2.5.

In this part of our analysis, we see what happens to the 2.5 bitcoins transferred. Such a precise amount was undoubtedly transferred intentionally; it's not random change. However, in most of the transactions examined so far, we've seen much smaller amounts sent to the intended recipients. Therefore, it's good practice in any type of analysis to pay close attention to any behavior that disrupts the regularity, trying to identify the reasons that may have given rise to the anomaly.
Let's start the analysis
Let's start by looking at what has been done with the address we are examining.

The address was involved in a single outgoing transaction, to two addresses: 1J8kvixEnAnGDEDwkfqJS246sXdW1mhkvB, which receives 0.99805659 bitcoin, and 1NPgLU4sVj5ww2UZ8DktDSYm7kLJN6sYq1, which receives 1.50168541. In this case, it's not at all easy to determine which of the two is the actual destination address and which is the change address. In fact, a single sender address is involved, which spends the entire available balance, and both destination addresses receive an amount with 8 decimal places.
So, to avoid missing anything, we need to carefully examine both addresses, looking for behaviors similar to those already seen so far or interactions with known entities.
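The round-amount reasoning used above, as an added example (not code from the original article): it picks out the 2.5 payment in the part 3 transaction and reports the current transaction as ambiguous. The function names and the three-decimal threshold are assumptions, and the fee figure assumes the single input is the 2.5 bitcoin received in part 3.

```python
from decimal import Decimal


def decimals_used(amount_btc: str) -> int:
    """Decimal places needed to write the amount (2.5 -> 1, 0.20223736 -> 8)."""
    exponent = Decimal(amount_btc).normalize().as_tuple().exponent
    return max(0, -exponent)


def likely_payment(outputs: dict, max_round_decimals: int = 3):
    """Round-amount heuristic: people type round amounts, wallets compute change.

    Returns the address of the single 'round' output, or None when the
    heuristic cannot separate the payment from the change.
    """
    round_outs = [addr for addr, amount in outputs.items()
                  if decimals_used(amount) <= max_round_decimals]
    return round_outs[0] if len(round_outs) == 1 else None


def implied_fee(input_btc: str, outputs: dict) -> Decimal:
    """Miner fee = value spent minus the value received by all outputs."""
    return Decimal(input_btc) - sum(Decimal(a) for a in outputs.values())


# Addresses and amounts as quoted in the article.
PART3_TX = {
    "1DqYiuVPjxrS3tkE8VeSorvx4ZEeR3oGkZ": "0.20223736",
    "1AgEeJ1cNWpXxABaTysv4CM6MqARSnXFce": "2.5",
}
THIS_TX = {
    "1J8kvixEnAnGDEDwkfqJS246sXdW1mhkvB": "0.99805659",
    "1NPgLU4sVj5ww2UZ8DktDSYm7kLJN6sYq1": "1.50168541",
}

if __name__ == "__main__":
    print("part 3 payment  :", likely_payment(PART3_TX))
    print("this tx payment :", likely_payment(THIS_TX))  # None: examine both
    # Assumption: the only input is the 2.5 BTC received in part 3.
    print("implied fee     :", implied_fee("2.5", THIS_TX))
```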
First recipient address
Let's start by observing the behavior of the address 1J8kvixEnAnGDEDwkfqJS246sXdW1mhkvB, which received 0.99805659 bitcoin.

Unlike what we've seen so far, this address received almost one bitcoin, but didn't spend it. In these cases, checking the address with walletexplorer.com won't yield significant results. The data displayed by this service is based on activity with the addresses. In this case, since there has been virtually no activity, it won't be possible to group this address with others or trace it back to known entities.

This is a new situation: we have an address with a substantial amount of bitcoins that hasn't yet been spent. This doesn't mean the user can't decide to use this address at any time to make a new transaction and provide us with new information.
However, even though in this case we only have one address to monitor, it's impractical to check its balance every day to see whether it has changed. Imagine having dozens of addresses to monitor and having to check them one by one several times a day.
Let's meet a new tool
We can take advantage of a service that suits our needs, offered by the site Blockonomics. Once you've created a free account, you'll have access to a service called "Wallet Watcher," which allows you to monitor multiple addresses simultaneously.

We have the ability to add multiple addresses and label them for easy recognition. Don't forget to check the box in the settings tab to receive an email alert whenever any of the addresses you're monitoring shows activity.

In this case, consider that the address's balance has remained unchanged since April 8, 2016, so the likelihood of it being used suddenly is quite low. However, imagine working on a more current case, where addresses are constantly involved in incoming and outgoing transactions, or having an address used to receive donations for illicit purposes. A service like this could undoubtedly help you stay on top of things and avoid having to start your analysis from scratch every time you encounter a changed scenario.
Second recipient address
Continuing our analysis, let's now look at the address 1NPgLU4sVj5ww2UZ8DktDSYm7kLJN6sYq1, which received 1.50168541 bitcoins in the transaction reported at the beginning of this part of our analysis.
In this case, all the bitcoins were spent in a single transaction.

As you can see, this is a single transaction with 11 other sender addresses and was made to 6 other addresses.
Another actor on the scene!
In our analysis, we've never encountered a transaction involving so many addresses. Instead of immediately examining all the addresses, grouping them into a single wallet and seeing where each one got its bitcoins, let's try to understand who we're dealing with. Let's search for our address on walletexplorer.com.

As you can see, walletexplorer.com has grouped the address into a wallet that has processed 232,621 transactions! This wallet, based on the reconstructions made by the algorithms that walletexplorer.com is based on, contains a whopping 37,632 addresses! I'd say that's too many for one person.
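The grouping of co-spent sender addresses into one wallet, as an added example (not code from the article or from walletexplorer.com): it assumes the common-input-ownership heuristic, under which addresses spent together in one transaction are attributed to the same wallet. The `placeholder_*` addresses and the sample transactions are constructed, because the article does not list the 11 other senders.

```python
def cluster_by_common_inputs(transactions):
    """Union-find over input addresses: addresses co-spent in one
    transaction are merged into the same cluster (wallet)."""
    parent = {}

    def find(addr):
        parent.setdefault(addr, addr)
        while parent[addr] != addr:
            parent[addr] = parent[parent[addr]]  # path halving
            addr = parent[addr]
        return addr

    for tx in transactions:
        inputs = tx["inputs"]
        if not inputs:              # e.g. coinbase: nothing to merge
            continue
        root = find(inputs[0])
        for other in inputs[1:]:
            parent[find(other)] = root

    clusters = {}
    for addr in list(parent):
        clusters.setdefault(find(addr), set()).add(addr)
    return list(clusters.values())


def wallet_of(address, transactions):
    """Cluster containing the address; an address that never appears as
    an input cannot be grouped and stays alone."""
    for cluster in cluster_by_common_inputs(transactions):
        if address in cluster:
            return cluster
    return {address}


TARGET = "1NPgLU4sVj5ww2UZ8DktDSYm7kLJN6sYq1"    # spent with 11 others
UNSPENT = "1J8kvixEnAnGDEDwkfqJS246sXdW1mhkvB"   # never spent
# Constructed sample data: placeholders stand in for unlisted addresses.
CO_SPENT = [f"placeholder_input_{i:02d}" for i in range(1, 12)]
SAMPLE_TXS = [
    {"inputs": [TARGET] + CO_SPENT},
    {"inputs": ["placeholder_input_03", "placeholder_other_A"]},  # merges transitively
    {"inputs": ["placeholder_unrelated_X", "placeholder_unrelated_Y"]},
]

if __name__ == "__main__":
    print(len(wallet_of(TARGET, SAMPLE_TXS)), "addresses in the target's wallet")
    print(wallet_of(UNSPENT, SAMPLE_TXS))
```

The second sample transaction shows why such wallets grow so large: one shared input is enough to pull a whole further set of addresses into the cluster.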

Let's return for a moment to the previous image, which shows the activity carried out with the wallet containing the address we're examining. As you can see for yourself, by clicking here, outgoing transactions are made to spectrocoin.com.
What could have happened?
Let's start by understanding what spectrocoin.com is. It's an exchange that allows you to exchange different types of virtual currencies or buy and sell them using fiat currencies.

The time machine
However, remember that the currencies displayed at the time of the analysis may differ from those accepted at the time of the transaction. Let's try to understand the situation at the time of the transaction, which is approximately April 2016. To do this, we can use a service called the Wayback Machine. Let's find the spectrocoin.com page and view the available data.

There is a variety of data from 2016. In particular, there is a screenshot of the site dating back to April 8th, coincidentally the very day the transaction we are studying took place.

As you can see for yourself, at the time of the transaction, the site only supported Bitcoin and no other virtual currencies.
Specifically, the site could be used to buy and sell bitcoin, as well as to have one's own online wallet or a virtual debit card funded with one's own bitcoin.

At this point we can assume that the transaction of 1.50168541 bitcoins, made to the address 1NPgLU4sVj5ww2UZ8DktDSYm7kLJN6sYq1, was intended to exchange bitcoins for legal tender or make a payment using SpectroCoin's virtual card. Unfortunately, at this point, the information is no longer present on the blockchain, but is exclusively available to those who operate spectrocoin.com.
To recap…
Starting from a single bitcoin transaction, we were able to:
- identify other related transaction flows;
- understand that the bitcoins were likely purchased from the Cex.io exchange;
- reconstruct the pattern with which bitcoins were regularly used to send payments via BitPay.com and CoinPayments.com, following the rest of the transactions;
- follow a stream of transactions until it is exhausted;
- locate where bitcoins were likely converted back into legal tender, via SpectroCoin.com.
The analysis we conducted began with a random transaction. Obviously, the scenario we encounter is always unpredictable. The more tools you master, the greater your chances of productively analyzing any scenario you encounter.
Unfortunately, once you arrive at an exchange, it is unlikely that they will decide to share their customer information with you, unless you can avail yourself of the powers of the police or the judiciary.
