02 Mar 2021

Tracing Transactions through the Bitcoin Blockchain with Maltego

Maltego Team

Note: The Blockchain.info Hub item has been deprecated from the Maltego Transform Hub. We recommend checking out our Tatum Hub item or CipherTrace Hub item for all cryptocurrency investigations.

The number of cryptocurrencies has skyrocketed since the release of Bitcoin’s source code in 2009, with more than 7,800 different currencies being released and a total market value of over 545 billion USD. Even though Ethereum, Monero, and Tether are becoming more popular every day, Bitcoin is still the main player holding 62.3% of the total cryptocurrency market capitalization and over 350,000 daily transactions.

Blockchain.info Bitcoin Transforms in Maltego

As the price of Bitcoin reaches all-time highs, we think it’s a great time to release an update to our Blockchain.info Transforms. This Hub Item visualizes the Bitcoin blockchain, providing rich details on all Bitcoin addresses and transactions. With the current update, it is now easier to get all details regarding a specific Bitcoin address or transaction, the handling of unsupported Bitcoin addresses has been improved, new Transforms were added, and a new Entity —the Bitcoin Block Height Entity— was introduced.

Blockchain.info Hub item in Maltego

In this article, we will explore some of the Hub item’s new features by examining why seemingly anonymous Bitcoin transactions can be traced, how to trace them and see if we can find a connection between a mysterious Bitcoin whale (1933phfhK3ZgFQNLGSDXvqCn32k2buXY8a), and the founder of the Silk Road.

Watch this five-minute video to learn the basics of tracing cryptocurrency movements:

Bitcoin is not Anonymous

Though rising in popularity, Bitcoin and other cryptocurrencies have not entered the mainstream as a widely accepted, everyday means of payment. They still carry a negative connotation, evoking images of ransomware, hackers, and internet drug deals, and these perceptions were not improved by the over 790 million USD worth of Bitcoin spent on darknet markets during 2019. In 2016, only 2% of customers in Germany used Bitcoin or other cryptocurrencies for daily transactions, and in 2017 the head of JP Morgan declared that cryptocurrencies were only of use to drug dealers, murderers, and people living in North Korea or Venezuela (JPMorgan has apparently since had a change of heart and created the JPM Coin).

You would think that criminals would choose an untraceable and completely private payment option, but Bitcoin is, by design, one of the most transparent currencies out there. This transparency is precisely what allows transactions to be validated without a central authority.

Normally, when you transfer government-issued currency, a bank updates its records: it lowers your balance and credits somebody else's. This all happens behind closed doors, and only you and the bank know the details of your account. The process requires a central bookkeeper whom you have to trust; in this case, the bank and the banking system, including the integrity of their record keeping.

For this same process to work without a central authority (e.g., a bank), the creator of Bitcoin developed the blockchain. The Bitcoin blockchain is a ledger (record) distributed among many different nodes (computers) and updated every time a new Bitcoin transaction is confirmed. Anybody can run a node and observe the transactions being executed. The shared ledger therefore lets Bitcoin function with distributed, rather than centralized, accountability.

Some cryptocurrencies use obfuscated ledgers (see Monero), but Bitcoin does not. This means that anybody can observe every Bitcoin transaction ever made (and possibly graph it using Maltego). The balance of every Bitcoin address (account) is therefore also discoverable, which leads to addresses with large balances garnering much attention online. The 1933p Bitcoin address is one such address, with a peak value of 2 billion USD.

Bitcoin address

Let’s explore this address in Maltego.

Tracing Transactions through the Blockchain

To follow this walk-through, ensure that you have the free Blockchain.info (Bitcoin) Hub item installed in Maltego.

Blockchain.info Hub item in Maltego

Insert the 1933p Bitcoin address as a Bitcoin Address Entity. By running the new To Details [BlockChain.com] Transform, we can see that, although now empty, this address has received 111,114.65 BTC, which are currently valued at over 2 billion USD.

Detail of the bitcoin address

To find out how this address got its Bitcoins, we can select it and run the To Inbound Transactions [BlockChain.com] Transform.

A total of 147 transactions are returned, but we will only pay attention to the first two transactions received, since we assume that the owner of the address most likely had direct involvement in its first movements.

To find out which Transactions were likely executed first, we will use blocks and block height. As previously mentioned, Bitcoin transactions are stored in a distributed ledger called the blockchain made up of collections of transactions called “blocks” which are chained together.

A block’s height is the number of blocks between a given block and the first block ever mined (a.k.a. the Genesis Block, which sits at height 0). Since transactions are progressively collected into blocks, a transaction in a block with a lower height was confirmed before a transaction in a block with a higher height. Confirmation order is not quite the same as creation order, because a transaction is not added to a block the moment it is broadcast, and two transactions in the same block cannot be ordered by height at all, but height is a reliable rule of thumb, especially with larger differences in block height. One ordering is strict, though: a transaction can only spend outputs that were confirmed in an earlier block (or earlier in the same block), so a chain of dependent transactions always runs from lower to higher height.

You can find a transaction’s block height in Maltego by looking at the Property View, but we will use the new To Block Height [BlockChain.com] Transform in order to group the transactions by block height. This Transform will return a Bitcoin Block Height Entity for each corresponding transaction.

To find out which Transactions occurred first, we will select all Block Height Entities returned, and sort them by value.

Block Height Entities

For each Bitcoin Address Entity, we will then select the two Block Height Entities with the lowest values. By clicking Select Parents from the Investigate Tab, we can highlight the transactions corresponding to these Block Height Entities. These will be the first transactions leading to the Bitcoin address we are investigating.

Next, select these transactions and run the To Source Addresses [BlockChain.com] Transform. We can now see which Bitcoin Addresses were the first to transfer Bitcoins to the 1933p address!

We will repeat the steps above (Bitcoin address -> oldest inbound transactions -> source addresses -> the source addresses with the highest throughput) several times (Pro tip: Maltego Machines can help speed up this process).

To choose which Bitcoin addresses to explore at each step, we will look up each address’s throughput (i.e. how many Bitcoins it has received and sent over time) using the To Details [BlockChain.com] Transform. We will then explore only the three Bitcoin addresses with the highest throughputs. The addresses can be found manually, or you can write a custom Viewlet that changes the size of the Bitcoin Address Entities depending on their throughput.
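The selection logic of the walk-through (order an address's inbound transactions by block height, keep the earliest ones, collect the addresses that funded them, and rank those by throughput) as an added Python example. This is not Maltego's Transform code: the transaction records are constructed for the demo, and their field names (block_height, hash, inputs[].prev_out.addr/value, out[].addr/value, amounts in satoshi) are an assumption modelled on a typical block-explorer JSON export, not a documented API.

```python
"""Pick the earliest inbound transactions of a Bitcoin address by block height,
extract the addresses that funded them, and rank those by throughput.

Added example, not Maltego's Transform code. Record shape is an assumption
modelled on a typical block-explorer export (values in satoshi).
"""
SATOSHI = 100_000_000

TARGET = "1933phfhK3ZgFQNLGSDXvqCn32k2buXY8a"        # address from the article
FUND_A, FUND_B, FUND_C, SPEND = "1FundA", "1FundB", "1FundC", "1Spend"  # invented labels

# Constructed sample: four transactions touching TARGET, deliberately out of order.
TXS = [
    {"hash": "tx-c", "block_height": 150_000,
     "inputs": [{"prev_out": {"addr": FUND_B, "value": 5 * SATOSHI}}],
     "out": [{"addr": TARGET, "value": 5 * SATOSHI}]},
    {"hash": "tx-a", "block_height": 120_000,
     "inputs": [{"prev_out": {"addr": FUND_A, "value": 100 * SATOSHI}}],
     "out": [{"addr": TARGET, "value": 99 * SATOSHI},
             {"addr": FUND_A, "value": 1 * SATOSHI}]},          # change back to sender
    {"hash": "tx-b", "block_height": 120_000,                   # same block as tx-a
     "inputs": [{"prev_out": {"addr": FUND_C, "value": 10 * SATOSHI}},
                {"prev_out": {"addr": FUND_A, "value": 10 * SATOSHI}}],
     "out": [{"addr": TARGET, "value": 20 * SATOSHI}]},
    {"hash": "tx-d", "block_height": 160_000,                   # TARGET empties itself
     "inputs": [{"prev_out": {"addr": TARGET, "value": 124 * SATOSHI}}],
     "out": [{"addr": SPEND, "value": 124 * SATOSHI}]},
]


def received_by(tx, addr):
    """Satoshi paid to addr by this transaction's outputs."""
    return sum(o["value"] for o in tx["out"] if o.get("addr") == addr)


def spent_by(tx, addr):
    """Satoshi taken from addr by this transaction's inputs (coinbase inputs have no addr)."""
    return sum(i["prev_out"]["value"] for i in tx["inputs"]
               if i["prev_out"].get("addr") == addr)


def totals(txs, addr):
    """(received, sent, balance) for addr over txs, all in satoshi."""
    recv = sum(received_by(t, addr) for t in txs)
    sent = sum(spent_by(t, addr) for t in txs)
    return recv, sent, recv - sent


def inbound(txs, addr):
    """Transactions that fund addr. A transaction that also spends from addr is
    addr's own outgoing payment (any output back to addr is change), so it is
    excluded even though it pays addr something."""
    return [t for t in txs if received_by(t, addr) > 0 and spent_by(t, addr) == 0]


def earliest_inbound(txs, addr, n):
    """The n inbound transactions confirmed earliest, ordered by block height.
    Height only orders transactions in different blocks; within one block the
    hash is a deterministic tie-break, not a time order."""
    return sorted(inbound(txs, addr), key=lambda t: (t["block_height"], t["hash"]))[:n]


def funding_addresses(txs):
    """Every address on the input side of the given transactions."""
    return {i["prev_out"]["addr"] for t in txs for i in t["inputs"] if "addr" in i["prev_out"]}


def throughput(txs, addr):
    """Received plus sent: the volume addr has moved within txs. In a real
    investigation txs would be each candidate's own transaction list."""
    recv, sent, _ = totals(txs, addr)
    return recv + sent


def rank_by_throughput(txs, addrs):
    """Candidates to follow next, highest throughput first."""
    return sorted(((a, throughput(txs, a)) for a in addrs), key=lambda x: -x[1])


if __name__ == "__main__":
    recv, sent, bal = totals(TXS, TARGET)
    print(f"{TARGET}: received {recv / SATOSHI} BTC, sent {sent / SATOSHI} BTC, balance {bal / SATOSHI} BTC")
    first = earliest_inbound(TXS, TARGET, 2)
    print("earliest inbound:", [(t["hash"], t["block_height"]) for t in first])
    for addr, vol in rank_by_throughput(TXS, funding_addresses(first)):
        print(f"  funded by {addr}: throughput {vol / SATOSHI} BTC")
```

The exclusion in `inbound` matters in practice: a wallet that sends coins typically returns change to one of its own addresses, and counting that change as "inbound" would make an address look like it funds itself.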

Bitcoin transactions results

Who Owns This Bitcoin Address?

By following the steps outlined above, we were able to find out the first Bitcoin address to transfer significant amounts of Bitcoin into address 1933p. This can help us to identify possible owners of the address under investigation.

As mentioned above, Bitcoin is not anonymous. It is, however, pseudonymous: for any Bitcoin transaction you can uniquely identify the addresses (the pseudonyms) that funded it and the addresses that received the funds. In theory, an address can then be linked back to a real person or group, for example when a Bitcoin exchange suffers a data leak that ties customer identities to their addresses.

It is also possible to link Bitcoin addresses to their holders using OSINT methods. The address 1LDNLreKJ6GawBHPgB5yfVLBERi8g3SbQS, which we uncovered during our investigation, was linked to the founder of the Silk Road through posts in a Bitcoin forum. Using the same username, this individual posted a job offering (which included an email registered in their name) and asked for help with the Bitcoin API (including a code snippet in which they were sending Bitcoins from the 1LDNL address).

A way to search for Bitcoin address mentions online using Maltego would be to convert the Bitcoin Address Entity into a Phrase, and then use the To Website [using Search Engine] Transform to find all websites where it is mentioned.
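Before pivoting on a string scraped from a forum post or code snippet, it is worth confirming that it really is a Bitcoin address and not a truncated or mistyped one, because a single wrong character sends the search engine after a pseudonym nobody has ever used. The following added Python example (not Maltego's code) extracts address candidates from free text and keeps only those whose checksum verifies: Base58Check for legacy 1.../3... addresses and the BIP173/BIP350 bech32 checksum for bc1... addresses. The sample post is constructed; the addresses in it are the genesis-block address and standard test vectors, not addresses from the investigation above.

```python
"""Extract Bitcoin address candidates from free text and keep only those whose
checksum verifies. Added example, standard library only. Mainnet only
(Base58 version bytes 0x00/0x05, bech32 human-readable part "bc")."""
import hashlib
import re

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
BECH32 = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"
CANDIDATE = re.compile(
    rf"(?<![0-9A-Za-z])(?:[13][{B58}]{{25,34}}|(?:bc1|BC1)[{BECH32}{BECH32.upper()}]{{6,87}})(?![0-9A-Za-z])"
)


def base58check(addr):
    """(version_byte, payload) for a legacy address, or None if the 4-byte
    double-SHA256 checksum does not match the 21-byte body."""
    n = 0
    for c in addr:
        if c not in B58:
            return None
        n = n * 58 + B58.index(c)
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    raw = b"\x00" * (len(addr) - len(addr.lstrip("1"))) + raw   # leading '1's are zero bytes
    if len(raw) != 25:
        return None
    body, check = raw[:-4], raw[-4:]
    if hashlib.sha256(hashlib.sha256(body).digest()).digest()[:4] != check:
        return None
    return body[0], body[1:]


def _polymod(values):
    """BCH checksum polynomial from BIP173."""
    gen = (0x3b6a57b2, 0x26508e6d, 0x1ea119fa, 0x3d4233dd, 0x2a1462b3)
    chk = 1
    for v in values:
        top = chk >> 25
        chk = ((chk & 0x1ffffff) << 5) ^ v
        for i in range(5):
            if (top >> i) & 1:
                chk ^= gen[i]
    return chk


def bech32(addr):
    """(witness_version, 5-bit program) for a mainnet bc1 address whose checksum
    verifies (bech32 for v0, bech32m for v1+), or None."""
    if addr not in (addr.lower(), addr.upper()):          # mixed case is invalid
        return None
    addr = addr.lower()
    hrp, _, data = addr.rpartition("1")                     # '1' separates hrp from data
    if hrp != "bc" or len(addr) > 90 or len(data) < 7 or any(c not in BECH32 for c in data):
        return None
    vals = [BECH32.index(c) for c in data]
    expanded = [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp]
    const = _polymod(expanded + vals)
    version = vals[0]
    expected = 1 if version == 0 else 0x2bc830a3            # bech32 vs bech32m (BIP350)
    if version > 16 or const != expected:
        return None
    return version, vals[1:-6]


def classify(addr):
    """Address type for a plausible string, or None when the checksum fails."""
    if addr.lower().startswith("bc1"):
        r = bech32(addr)
        if r is None:
            return None
        return "segwit-v0" if r[0] == 0 else "taproot" if r[0] == 1 else f"segwit-v{r[0]}"
    r = base58check(addr)
    if r is None:
        return None
    return {0x00: "p2pkh", 0x05: "p2sh"}.get(r[0])


def extract_addresses(text):
    """Regex candidates filtered by checksum: returns [(address, type), ...]."""
    found = []
    for m in CANDIDATE.finditer(text):
        kind = classify(m.group(0))
        if kind:
            found.append((m.group(0), kind))
    return found


# Constructed forum post: genesis address, a BIP173 test vector, a mistyped
# copy of the genesis address (last character changed), and a P2SH address.
SAMPLE_POST = """Sent from 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa
to bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4 this morning. My earlier
paste 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNb was a typo; the escrow address is
3J98t1WpEZ73CNmQviecrnyiWrnqRhWNLy."""

if __name__ == "__main__":
    for addr, kind in extract_addresses(SAMPLE_POST):
        print(f"{kind:10} {addr}")
```

The mistyped copy is silently dropped, which is the behaviour you want before feeding a candidate into a To Website [using Search Engine] pivot or a blockchain lookup; the regex alone would have accepted it.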

Convert Bitcoin address into a phrase

What’s Next?

After identifying the owner of an address, it is possible to trace all their transactions through the blockchain and identify other addresses they may control. For example, we were able to find a path between addresses 1933p and 1LDNL. And although the path is not a direct one, if we take into account that we only followed the first two transactions into each address and that all those transactions, except the ones on the path between 1933p and 1LDNL, were relatively insignificant, we can speculate that both addresses are either controlled by the Silk Road’s founder or, at the very least, related in some manner. This is a hypothesis rather than attribution: a path through the transaction graph shows that value flowed between the two addresses, not who controlled the keys at each hop.

Bitcoin investigation overall graph

We hope to have piqued your interest in the many applications of our updated Blockchain.info Transforms! Bitcoin is an amazing technology, and we are excited to hear how these Transforms help in your own investigations!

To delve deeper into cryptocurrency investigations, we also offer CipherTrace Transforms, for which you need a commercial Maltego license and an API key or a Maltego data subscription. With CipherTrace Transforms, you would even have the benefit of accessing transaction data on other cryptocurrencies like Ethereum, attribution (Wallet) information and risk score data from CipherTrace.

Don’t forget to sign up to our email newsletter and follow our Twitter and LinkedIn for more interesting walkthroughs, announcements and use cases, or to post your own ideas, questions and comments.
