06 Oct 2021

Introducing Tatum to Maltego

Mathieu Gaucheler

Joining the ranks of our free cryptocurrency integrations, Tatum is a blockchain developer platform bringing new possibilities to Maltego. The Maltego team took advantage of their powerful unified API to develop free-to-use Transforms, allowing you to explore the blockchains of Bitcoin, Ethereum, Litecoin, Bitcoin Cash, as well as Dogecoin to a lesser extent.

Use Tatum Transform in Maltego to explore the blockchains of Bitcoin.

The Free Tatum Data Integration for Maltego

The Tatum Transforms are free to use. You can run 500 Transforms a week as a Maltego CE User, 5,000 Transforms a week as a Maltego Pro user and 10,000 Transforms a week with a Maltego Enterprise license. This integration will bring the capacity to explore and investigate transactions belonging to blockchains such as ETH, LTC and BCH to all Maltego users.

You will find the same pivoting options available in our other cryptocurrency integrations with Blockchain.info and CipherTrace. Starting from a cryptocurrency address (ETH in the example below), it is possible to retrieve the incoming and outgoing transactions. From these transactions, the input and output addresses can be added to the graph. This allows you to map out transactions and follow the money through the different supported blockchains.

Map out transactions by using Tatum in Maltego.

With Tatum we are also introducing the block Entity, which allows you to link transactions to a specific block in the blockchain. You can now pivot from a block Entity to its adjacent blocks and then to the transactions belonging to that block.

Tatum block Entity in Maltego allows linking transactions to a specific block in the blockchain.

Another interesting trick coming to Maltego with Tatum is the ability to deduce whether a hash is a cryptocurrency address and, if so, to which blockchain it belongs. To do so, simply add the hashes to a Maltego graph while making sure their Entity type is maltego.Hash, then select them, navigate to the Tatum integration in the Transform menu and select the To Addresses [Tatum] set. There you will find several Transforms allowing you to check whether a particular hash is a cryptocurrency address. You can select the Transforms that focus on the cryptocurrencies you are interested in, or simply get a bird’s-eye view by running them all using the double arrow on the Transform menu.

Deduce whether a hash is a cryptocurrency address and to which blockchain it belongs.

This will add any cryptocurrency addresses to your graph that have been found among the hashes in your graph.

Found cryptocurrency addresses among hashes in a Maltego graph.

You can then continue to investigate these addresses by listing their transactions and exploring their activity in the blockchain.
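To show what such a format check actually decides on, here is an added Python example (not code from Maltego or Tatum) that classifies a string the way the To Addresses [Tatum] set does conceptually: it verifies the Base58Check double-SHA256 checksum and maps mainnet version bytes to a chain, recognises bech32 native-segwit addresses by human-readable part and charset only, and accepts the 0x-prefixed 40-hex Ethereum layout without the EIP-55 keccak checksum. Version bytes 0x00/0x05 are shared by Bitcoin and legacy Bitcoin Cash addresses, so those stay ambiguous (one reason to run several of the Transforms); the b58check_encode helper exists only to build constructed test inputs.

```python
import hashlib

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
BECH32 = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"
# Mainnet Base58Check version bytes. 0x00/0x05 are shared by Bitcoin and legacy
# Bitcoin Cash addresses, so a match there is ambiguous between the two chains.
VERSIONS = {0x00: ("BTC or BCH legacy", "P2PKH"), 0x05: ("BTC or BCH legacy", "P2SH"),
            0x30: ("LTC", "P2PKH"), 0x32: ("LTC", "P2SH"),
            0x1E: ("DOGE", "P2PKH"), 0x16: ("DOGE", "P2SH")}
BECH32_HRPS = {"bc": "BTC", "ltc": "LTC"}   # native segwit human-readable parts

def _checksum(body: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(body).digest()).digest()[:4]

def b58check_encode(body: bytes) -> str:
    """Base58Check-encode version+payload (used here only to build constructed inputs)."""
    data = body + _checksum(body)
    n, out = int.from_bytes(data, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    return "1" * (len(data) - len(data.lstrip(b"\x00"))) + out  # leading zero bytes -> '1'

def b58check_decode(s: str):
    """Return version+payload if the 4-byte double-SHA256 checksum verifies, else None."""
    if not s or any(c not in B58 for c in s):
        return None
    n = 0
    for c in s:
        n = n * 58 + B58.index(c)
    data = b"\x00" * (len(s) - len(s.lstrip("1"))) + n.to_bytes((n.bit_length() + 7) // 8, "big")
    if len(data) < 5 or _checksum(data[:-4]) != data[-4:]:
        return None
    return data[:-4]

def classify(value: str):
    """Return (chain, kind) when `value` has a recognised address format, None when it is
    just an opaque hash. Mirrors the idea behind the To Addresses [Tatum] Transform set."""
    v = value.strip()
    if v.startswith("0x") and len(v) == 42 and all(c in "0123456789abcdefABCDEF" for c in v[2:]):
        return ("ETH", "account")       # format only: EIP-55 checksum needs keccak, not checked
    body = b58check_decode(v)
    if body is not None and len(body) == 21 and body[0] in VERSIONS:
        return VERSIONS[body[0]]
    hrp, sep, data = v.lower().rpartition("1")   # bech32 layout: hrp + '1' + data part
    if sep and hrp in BECH32_HRPS and len(data) >= 6 and all(c in BECH32 for c in data):
        return (BECH32_HRPS[hrp], "bech32")     # HRP and charset only, bech32 checksum not verified
    return None
```

A 64-character hex transaction hash fails every branch and comes back as None, which is the "not an address" answer the Transforms give for plain hashes.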

To get a better sense of how to use Tatum in Maltego, let’s go through the following investigation.

Investigating Bitcoin scammers with Tatum

In this investigation, we are going to look at a very interesting “investment opportunity” taking place on the dark web. This website offers us the possibility to rent an “ASIC quantum CPU” to mine Bitcoin. Given that quantum computing is still at an early stage of development, this seems hard to believe; moreover, like many things on the dark web, it is very likely a scam. Even though the website is run by people describing themselves as a “group of Cryptocurrency engineering, Quantum researchers and Blockchain developers”, we should examine what is happening before sending them all our savings.

Investigating the “Bitcoin mining with quantum computers” case with Maltego.

After choosing a bot to rent, we are prompted by a webpage to send the Bitcoin to an address (15tysy27Rc4QbvNAXzHjZhhKRGfvwuzAhD) displayed on the page. This address is the same for every bot and it will be our starting point in this investigation.

We begin by pasting the Bitcoin address to Maltego and, because Maltego does not automatically categorize it as a Bitcoin address, we have to convert that Entity to another Entity type (maltego.BTCAddress). To do so, select the Entity and right click anywhere on the graph to bring up the Transform Menu. Then, click on the third icon on the bottom of the Transform Menu and select Bitcoin Address in the Cryptocurrency group.

Convert entity type into another in Maltego.

The Change Type button allows you to change the type of an Entity to another type. By changing the type from Phrase to Bitcoin Address, you will have access to another list of Transforms, including the Tatum Transforms that we are going to use for this investigation.

There are two things we need to verify to confirm whether this website is a scam or if we are about to retire early:

  • Did anyone invest in this “opportunity” and, if so, did they get their benefits sent to their address? According to the website, the gains are sent to the BTC address that first sent the money to rent the bot.
  • Where did the money go after it was sent to this address? By knowing what this money is used for, we might get more information on the people running this service.

We will start with the first one: did anyone get their gains sent to them? To answer that question, we are going to go through the stream of transactions and see which address (if any) has been sending money to the address displayed on the webpage.

Select the Bitcoin address Entity and run the To Input Transactions [Tatum] Transform. This has yielded two transactions to date, the first one made on September 22 of this year, after 10 PM.

Run the Tatum Transforms in Maltego to find the transaction and address.

To get the address from which the Bitcoins were sent, select the transaction and run To Input Addresses [Tatum]. This Transform adds to the graph all the Bitcoin addresses that sent money in that transaction. It should be noted that a Bitcoin transaction can have several addresses sending Bitcoins and several addresses receiving them. Here, this is not the case, and we can see that one BTC address (bc1qmsdsxv85rddneme83z38m7mulqkgdvg6f3nx7v) was added to our graph.

Run Tatum Transforms in Maltego to find all Bitcoin addresses that sent money.

By looking closely at the image above, we notice that the amount of Bitcoin sent by each address is displayed on each link. We can observe that our starting Bitcoin address received 0.001 BTC (around 43 USD at the time of writing) which matches the amount asked for the rent of the “Iron Robot” mining service (see first picture of this investigation).

Now that we know what robot has been rented and who rented it, we should be able to see the same address receiving its profit by observing the blockchain. To do so, let us pull all the incoming transactions of the address that sent the 0.001 BTC by running To Input Transactions [Tatum].

At the time of writing, it appears that there is only one incoming transaction to this address: one that was made two hours before the 0.001 BTC transaction to the so-called “mining service” address. This address did not get the money back.

For the second transaction, the matter is a bit more complicated. This transaction has one input address, however, according to Blockchain.com, this address has transacted more than a hundred thousand times, totaling over seventy-three thousand Bitcoins moved through this address. This should raise suspicions as to who this address belongs to, as not everyone is moving this amount of Bitcoin. It is likely that this address belongs to an anonymity service used by the people running the website to make fake transactions to their service to simulate customers and appear legitimate to their future victims.

To no one’s surprise, this is suggestive of a scam, as the only legitimate-looking address never got its money back.

There is, however, one question that remains: how will the scammers hide their tracks? And up to what point can we follow the money? To answer that question, let us follow the transaction and see where the Bitcoins sent to the scammer’s address went.

Select the BTC address of the scammer and run To Output Transaction [Tatum] to add the transaction in which this address sent Bitcoins. In our case, only one transaction comes up. According to its timestamp, it was made on the 24th of September 2021, two days after Bitcoins were sent to the scammer.

Trace the Bitcoin transaction timestamps by using Tatum in Maltego.

To see which addresses received the Bitcoins of this transaction, select it and run To Output Addresses [Tatum]. To continue this investigation, we will repeat this pattern: running To Output Transaction [Tatum] on the addresses we wish to investigate, then using To Output Addresses [Tatum] on the transactions that are returned. This will map out the path taken by the Bitcoins after leaving the scammer’s address. Be aware that using this pattern can quickly lead to overpopulated graphs that may be difficult to comprehend.

After adding to our graph the addresses to which the scammer sent the money and using To Output Transaction [Tatum] on these addresses, we are left with this graph, with the scammer’s address bookmarked in blue.

Mapping out the bitcoin path and scammer address by using Maltego.

As displayed on the graph, two addresses received Bitcoins from this transaction. One of them, however, has a lot more transactions (3KXHFVgbjecWWyy4ZCFDGJiyPLfL9CBLoF), and we will focus on that one for the rest of this investigation. The problem is that if we want to investigate this particular address, we will have to restrict our scope: if we try to map out the addresses related to eighteen different Bitcoin transactions, we will end up with a graph too complex to draw meaningful conclusions from. Therefore, we need to focus on specific elements of our graph to explore further. For this, Maltego has a very useful tool: Views.

In this case, we will use a Viewlet that highlights the transactions with the largest number of Bitcoins involved: it sizes each Bitcoin transaction Entity according to its total_input property, so the large transfers stand out on the graph. To get more information on how to add a new Viewlet to your Maltego desktop client, please consult this article. Here is the code of the Viewlet used in this blog post:

if (type == "maltego.BTCTransaction"){ \
    if (hasProperty('total_input')) { \
        (getPropertyValue('total_input')/10 + 1) * 50 \
    } \
}

Use Viewlet in Maltego to highlight transactions.

After using the Viewlet to visualize the transactions of 3KXHFVgbjecWWyy4ZCFDGJiyPLfL9CBLoF, it becomes apparent that some transactions hold a much higher count of Bitcoins than others. Hover your cursor over the biggest transaction to learn about the exact amount of Bitcoin involved. One of them (dec93e9c17eac4f6979654c9c60d33b2e958356e123200dea08b313fcf42c38c) involved as much as 662 BTC, which converts to around 28 million USD at the time of the transaction.

Copy that transaction to a new graph by selecting it, bringing up the Transform menu and clicking Copy to New Graph at the bottom of the menu. Then, search for the address that received money from this transaction by running To Output Addresses [Tatum]. Interestingly enough, there is only one recipient even though there are ninety-nine addresses that sent money through this transaction. If we investigate the receiving address using the same pattern we previously used (To Output Transaction [Tatum] followed by To Output Addresses [Tatum]) while focusing on the addresses receiving the biggest amount of money, something interesting happens: it matches a pattern called a peeling chain.

Catching a peeling chain pattern in the transaction by using Maltego.

A peeling chain is a pattern sometimes used by exchanges but also by services attempting to launder Bitcoin. It generally follows this form: an address holding a decent amount of Bitcoin starts a transaction in which it sends all the Bitcoins it holds to two different addresses. One receives a small fraction of the money while the other receives the rest; the process is then repeated until there is no difference between what is left in the chain and the lump of money being peeled off with every iteration.

Without further examination, there is no telling what the purpose of that peeling chain is. It is interesting to notice, however, that it is not the only one starting on this graph: the two other transactions that we highlighted using the Viewlet are also the beginning of a peeling chain. This would likely mean that the address that received the scammer’s funds might be part of an exchange through which the scammer cashed out, or that it might belong to a Bitcoin laundering service that the scammer used to cover their tracks.
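The manual pivot pattern used above (To Output Transaction [Tatum], then To Output Addresses [Tatum], always continuing on the address that received the larger share) is what the following added Python example automates over a small constructed ledger; it is not Maltego or Tatum code, and the transaction data is made up. It walks from a starting address through the larger output of each two-output transaction while the smaller output stays below a chosen fraction of the total, stops at the first transaction that breaks the peel (here an even split), and returns the peeled-off hops and their sum.

```python
from collections import defaultdict

# Constructed sample ledger, not real chain data: txid -> inputs/outputs as (address, BTC).
# t1..t3 each peel 0.5 BTC to a fresh address and pass the rest on; t4 splits evenly.
TXS = {
    "t1": {"inputs": [("A0", 10.0)], "outputs": [("P1", 0.5), ("A1", 9.49)]},
    "t2": {"inputs": [("A1", 9.49)], "outputs": [("P2", 0.5), ("A2", 8.98)]},
    "t3": {"inputs": [("A2", 8.98)], "outputs": [("A3", 8.47), ("P3", 0.5)]},
    "t4": {"inputs": [("A3", 8.47)], "outputs": [("X1", 4.2), ("X2", 4.2)]},
}

def spends_index(txs):
    """address -> txids spending from it (what To Output Transaction [Tatum] returns per address)."""
    idx = defaultdict(list)
    for txid, tx in txs.items():
        for addr, _ in tx["inputs"]:
            idx[addr].append(txid)
    return idx

def is_peel_step(tx, small_ratio):
    """A peel: exactly two outputs, the smaller at most small_ratio of what was sent."""
    outs = tx["outputs"]
    if len(outs) != 2:
        return False
    amounts = sorted(o[1] for o in outs)
    return amounts[0] <= small_ratio * (amounts[0] + amounts[1])

def follow_peeling_chain(txs, start, small_ratio=0.2, max_hops=50):
    """Walk from `start` through the larger output of each peel (the To Output Transaction /
    To Output Addresses pivot, automated) and stop at the first transaction that is not a peel.
    Returns (hops, peeled_total, last_address) with hops as (txid, peeled_to, amount)."""
    idx = spends_index(txs)
    hops, peeled_total, addr, seen = [], 0.0, start, set()
    for _ in range(max_hops):
        spent = [t for t in idx.get(addr, []) if t not in seen]
        if len(spent) != 1:            # unspent output, or address fans out: chain ends
            break
        txid = spent[0]
        tx = txs[txid]
        if not is_peel_step(tx, small_ratio):
            break
        seen.add(txid)
        small, big = sorted(tx["outputs"], key=lambda o: o[1])
        hops.append((txid, small[0], small[1]))
        peeled_total += small[1]
        addr = big[0]                  # keep following the money
    return hops, round(peeled_total, 8), addr

if __name__ == "__main__":
    for hop in follow_peeling_chain(TXS, "A0")[0]:
        print("%s peeled %.2f BTC to %s" % (hop[0], hop[2], hop[1]))
```

The peeled-to addresses (P1, P2, P3) are the ones worth pivoting on next, since on a real graph they are where value leaves the chain.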

Sometimes things are just too good - or in this case too shady - to be true. Even if this website is nothing more than a scam designed to deceive gullible Bitcoin holders, we hope you enjoyed this overview of the possibilities offered by the Tatum data integration in Maltego.
