What happens in the Blockchain does NOT stay in the Blockchain – Part Two –

If you have no questions about the first one, let's try to find an answer to the second question that our hypothetical Decision Maker posed to us: what happens to these bitcoins?

 

As you may have noticed, all outgoing transactions, marked with the red arrow, usually had two recipient addresses: an actual destination address and a change address controlled by the person who carried out the transaction.

Understanding who a transaction is intended for

 

Determining which is the actual destination address and which is the change address is not as straightforward as you might imagine, as it requires case-by-case analysis, statistical evaluations, and the identification of objective criteria or recurring behaviors useful for profiling the user and the tools they used.

In these cases, observing with particular attention the transactions with the red arrow, you can notice that, for each transaction:

  • A larger amount is allocated to an address and is gradually carried forward from transaction to transaction, generally consisting of eight decimal places;
  • A smaller amount, consisting of six decimal places, is transferred to a second address.

Typically, the address that receives the most decimal places is the one receiving change, since it is unlikely that a user will make a transaction accurate to the eighth decimal place and receive a change with a maximum of six decimal places.

 

If you consider that this circumstance is repeated in different transactions, this phenomenon is even more unlikely.

How to trace the transaction chain?

To better understand what is happening, let's follow the financial flow, starting from the first address where the recurring behavior we have identified first occurred, 1KgUcHDuWLVzFxVnwp3u5jZw3FmorjG1jD.

Transaction 1

In this case the address that receives 0.8 bitcoins, 1N5hfyuGVZbTR78zXQ22kjUyCwZbgB8yhw, is most likely the actual destination address, while the address that receives 11.04445 bitcoins, 1GN5ZGGQsgQGQdP5Yc2LAWUKssrLk5YRbc, is the change address. It's very unlikely that a user would want to make a transaction of 11.04445 bitcoins (even if they specified the amount in local currency on their client) and receive change of exactly 0.8 bitcoins.

Let's analyze the actual destination address. Using walletexplorer.com, it's possible to connect it to known entities, exchanges, or payment intermediaries like BitPay.com, CoinPayments.net, CoinGate.com, etc., which allows us to get even closer to the actual recipient of the transaction.

In the first case, the address 1N5hfyuGVZbTR78zXQ22kjUyCwZbgB8yhw is not traced back to any known subject.

Wallet Explorer 1

This does not mean that the address cannot be traced back to an exchange or payment intermediary, but rather that walletexplorer.com was unable to identify the entity that supposedly controls the address.

To help you understand what's happening, here's an explanatory image. Remember that, in many cases, creating transaction graphs is a very useful method for better understanding what's happening.

 

Schema 1

Let's keep it up!

Continuing to follow the sequence of payments, that is, observing the transaction made from the change address 1GN5ZGGQsgQGQdP5Yc2LAWUKssrLk5YRbc and considering the behavior assumed in the other transactions examined, we can hypothesize that the actual recipient is the address 1Mut7bPWhQS2NkTQ6wUpRtbV65vyELBqcs and the change address is 1ECFBdcnfhVWcGG6k4p4Pt4J9ciQsK8wEn.

Transaction 2

Analyzing the information provided to us by walletexplorer.com, confirming what we hypothesized earlier, 1Mut7bPWhQS2NkTQ6wUpRtbV65vyELBqcs is traced back to the payment intermediary BitPay.com.

Wallet Explorer 2 - BitPay

Now observe the outgoing transaction made from the address 1ECFBdcnfhVWcGG6k4p4Pt4J9ciQsK8wEn.

Transaction 3

We deduce, with the same criteria adopted for the previous transactions, that the destination address is 1ChwFk9Wtq7zav6TRnxE8e8xgf5daFXV5D, while the change address is 1MYQzejdwhiU83qy4SsLKcm7CwV5XxVFRn. Again, walletexplorer.com was unable to trace it to any known service.

Wallet Explorer 3

Continuing along the transaction flow, we find the following destination addresses:

  • 13ov4UBJYJQBC1Tv5vEvijShn2vWS3vPrJ, not attributable to any subject;
  • 1Atc1n6rCm7GMpW1JsRuwF8b2hWQJjxi6i, not traceable to any individual, but the recipient of an unusually high amount of 5 bitcoins;
  • 13DD8uH3FMZbJjXnSgZfL2MMTxesT9qUgJ, not attributable to any subject but grouped with 6 other addresses that could be further examined;
  • 1Hy8Comf7wyBtqgGzph3fX8Ky6S5t8eXeh, traceable to the same wallet as the address in the previous point;
  • 1DLTLvpev16LemyDtuyEL2WnyLskcPSvKM, attributable to CoinPayments.net (Wallet Explorer 4 - CoinPayments);
  • 1J8LeRgSwuHqfJuFX3Uo62WnDNFsNuAygR, attributable to BitPay.com (Wallet Explorer 5 - BitPay);
  • 1Jkoon938Pe66whJgZZwxn6zzjKMLkFRCX, not attributable to any subject;
  • 14mUSXvddwR9qgBr93BGXEAcgRw84jEtaG, not attributable to any subject;
  • 1NZ4MSeYcDKFiPRt8h7VK6XMhShwzhCzCp, not attributable to any subject;

This last address is the one that received the transaction from the address 1LQv8aKtQoiY5M5zkaG8RWL7LMwNzVaVqR, cited in the article from which we began our analysis.

Let's recap

Returning to the main topic, the following image graphically illustrates what we've reconstructed so far with our analysis. Notice how the change addresses are represented by circles that gradually become smaller, representing the portion of bitcoins that are "lost" in making payments.

 

Schema 2

At this point, using the same method, you can continue following the transaction chain, identifying additional known entities and observing whether the change address, which is currently receiving an amount greater than 4.5 bitcoins, will gradually run out or, at some point, be completely sent to another entity.

 

What else should we look at?

To obtain further information, the aforementioned wallet of seven addresses could be examined, including 13DD8uH3FMZbJjXnSgZfL2MMTxesT9qUgJ and 1Hy8Comf7wyBtqgGzph3fX8Ky6S5t8eXeh.

Furthermore, we can observe that the aforementioned address 1Atc1n6rCm7GMpW1JsRuwF8b2hWQJjxi6i, with the transaction made on December 23, 2015, receives 5.0 bitcoins, unlike other transactions where the amounts are much smaller. This could be a more substantial payment, but considering that at the beginning of the transaction sequence, fewer than 12 bitcoins were moved, it could also be that the user of these addresses wanted to halve the bitcoins managed and start another sequence of transactions. In fact, the following transaction is destined for the addresses 1HbKVbT2k82JcMrvErwWMhJPGHjSo8iLBK and 1JX9Q7fqn9TajUe4F6vjWGtGnD2wqnXTii. Of these, the address 1HbKVbT2k82JcMrvErwWMhJPGHjSo8iLBK is traced back, by walletexplorer.com, to the payment intermediary BitPay.com, as happened in other cases seen so far.

Wallet Explorer 6 - BitPay

One last consideration is useful when tracking a transaction flow. Looking at the transaction amounts and assuming that the address with the most decimal places is the change address, you can quickly distinguish the change address from the actual destination address by focusing on the last digits of the transferred amount, which will remain the same in most cases.

In our case, in fact, the digits “47” are repeated several times.

Transaction 4 - change
Transaction 5 - change
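
The two heuristics used in this post (the output written with more decimal places is the change; the trailing digits of the change amount tend to repeat along the chain) can be expressed as a short script. This is an added example, not part of the original analysis: the `SPENDS` data uses placeholder labels instead of addresses, only the amounts 0.8 and 11.04445 come from Transaction 1, and comparing exactly two trailing digits is an assumption.

```python
from decimal import Decimal

def to_sats(btc):
    """Parse a BTC amount string exactly (no float rounding)."""
    return int(Decimal(btc) * 10**8)

def decimals_used(sats):
    """Decimal places needed to write the amount in BTC (0 to 8)."""
    places = 8
    while places and sats % 10 == 0:
        sats, places = sats // 10, places - 1
    return places

def split_outputs(outputs, prev_change=None):
    """Return (payment_addr, change_addr) for a two-output spend, or None.
    Rule 1: the output written with more decimal places is the change.
    Rule 2 (ties only): the output whose last two digits match the
    previous change amount is the change."""
    (a_addr, a), (b_addr, b) = [(addr, to_sats(v)) for addr, v in outputs]
    da, db = decimals_used(a), decimals_used(b)
    if da == db and prev_change is not None:
        tail = to_sats(prev_change) % 100
        da, db = int(a % 100 == tail), int(b % 100 == tail)
    if da == db:
        return None  # ambiguous: leave for manual review
    return (b_addr, a_addr) if da > db else (a_addr, b_addr)

def follow_change(spends, start):
    """Walk the change chain; return (payment addresses, last change address)."""
    payments, addr, prev, seen = [], start, None, set()
    while addr in spends and addr not in seen:
        seen.add(addr)
        result = split_outputs(spends[addr], prev)
        if result is None:
            break
        payment, change = result
        payments.append(payment)
        prev, addr = dict(spends[addr])[change], change
    return payments, addr

# Constructed sample: placeholder labels stand in for addresses. Only the
# first pair of amounts (0.8 and 11.04445) comes from the article.
SPENDS = {
    "start": [("pay-1", "0.8"), ("chg-1", "11.04445")],
    "chg-1": [("chg-2", "10.69425047"), ("pay-2", "0.35")],
    "chg-2": [("pay-3", "0.12345678"), ("chg-3", "10.57069347")],  # tie, rule 2
    "chg-3": [("out-a", "5.1"), ("out-b", "5.4")],                 # ambiguous
}
```

Calling `follow_change(SPENDS, "start")` returns the payment outputs in order and stops at the first spend the rules cannot split, which is where manual analysis takes over.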

Please don't hesitate to ask me any questions you may have regarding what I've tried to explain in these two posts.

>>> Following the information provided in the Executive Summary, further clarification was requested on transactions that occurred after February 1, 2016. <<

We will start to explore this in more detail in the third part.

