Bitcoin has created a new exchange paradigm within which financial transactions can be trusted without an intermediary. This premise of a free decentralized transactional network however requires, in its current implementation, unrestricted access to the ledger for peer-based transaction verification. A number of studies have shown that, in this pseudonymous context, identities can be leaked based on transaction features or off-network information. In this work, we analyze the information revealed by the pattern of transactions in the neighborhood of a given entity transaction. By definition, these features which pertain to an extended network are not directly controllable by the entity, but might enable leakage of information about transacting entities. We define a number of new features relevant to entity characterization on the Bitcoin Blockchain and study their efficacy in practice. We show that even a weak attacker with shallow data mining knowledge is able to leverage these features to characterize the entity properties.READ FULL TEXT VIEW PDF
Bitcoin is a peer-to-peer electronic payment system that popularized rap...
We present BitConduite, a visual analytics tool for explorative analysis...
A Blockchain is a global shared infrastructure where cryptocurrency
Bitcoin is a decentralized, pseudonymous cryptocurrency that is one of t...
Blockchain offers a decentralized, immutable, transparent system of reco...
Bitcoin is by far the most popular crypto-currency solution enabling
Hacks are one of the most damaging types of cryptocurrency related crime...
Bitcoin  stands out as the first global decentralized currency, and has seen spectacular growth recently, as illustrated by the exponential shape of the value of a transaction fee over the year , see Figure 1.
The underlying Bitcoin data structure, the Blockchain, has been perceived as a catalyst to the emergence of broad decentralized applications, from crypto-currency exchanges, to decentralized autonomous organizations (DAO), or tokens, see  for a comprehensive review. However, one of the most compelling applications remains the promise of a global decentralized currency, supporting large portions of the global economy.
As presented in , after only a few years, the bitcoin network has emerged to reflect a complex global payment system with new forms of players representing the traditional actors of the established financial infrastructure. Global transactions between Bitcoin exchanges, illustrated in Figure 2, have drastically complexified in the last years.
It is important for regulatory purposes as well as for the development of new crypto-currency paradigms to understand Bitcoin anonymity properties. Indeed, a healthy economy requires application of the rule of law on financial transactions , which usually entails traceability and transparency on identities. On the other hand, in order to attract users, privacy considerations associated with crypto-currency have to be adequate and competitive with privacy properties of transactions using fiat money.
We say that a transaction medium is private if no information on the transacting entity is revealed by the transaction graph. In the Bitcoin context, each individual transaction is publicly associated with a pseudonymous identity. Hence the strongest possibly guarantee is that the set of transactions associated with a given pseudonymous identity does not reveal information about the hidden transacting entity.
The main contribution of this work is the illustration that patterns of transactions involving the transacting entity but also patterns of neighboring transactions (on the transaction graph) are characteristic of the entity, in that these patterns can be turned into a fingerprint of transacting entity classes. We further give evidence that using these neighboring transaction patterns allows reaching state-of-the-art entity classification results.
Because the Bitcoin transaction graph is completely public it is clear that Bitcoin flows can be traced, although this is limited by merging transactions . Recent analysis of ransomware attacks and associated bitcoin transactions can be found in [16, 9, 21].
Furthermore, joining Bitcoin transaction with off-network activities can contribute to linking identities of certain Bitcoin transactions , for instance the authors of  link Bitcoin users with Tor hidden services.
A number of studies are focused on the problem of address clustering
consisting of identifying the address set associated with a transacting entity, and typically rely on heuristics motivated by properties of the Bitcoin Blockchain protocol, such as the requirement of a unique signature for transaction inputs, see for instance[4, 14] and references therein for more details. The authors of  highlight that these methods crucially depend on address re-use behavior.
Another attack motivated by the Bitcoin protocol involves the inference of peer-to-peer communication structure  and information leakage from the message dissemination pattern. A different type of attack is presented in , where the authors show that statistical analysis of bloom filters could help to identify the set of addresses owned by Bitcoin wallets. It has also been shown that patterns of newly minted bitcoins could play a role in revealing information of certain Bitcoin users .
Thematically closer to our work, several studies have considered the extent to which data mining methods can be applied to the entity characterization problem, with for instance the use of transaction-specific features in , able to achieve
accuracy for classifying entities into several types. In, the authors introduce the notion of transaction motifs with application to the detection of bitcoin exchanges, and achieve greater than accuracy.
Motivated by the success of , we consider the more general problem of classifying entities into multiple classes, based on extended transaction neighborhood properties. The study of transaction graph neighborhood structure is promising for at least two reasons.
First, the use of graph network features has been shown to be efficient for graph learning problems . The promise of such methods is illustrated by the spread of graph databases and related applications . The authors of  for example are able to successfully re-identify nodes from a noisy graph structure provided as part of a Kaggle contest.
Second, if neighboring network transactions are confirmed to be informative of entity identities, they constitute a fundamental limit to Bitcoin privacy guarantees. Indeed, while an individual has control of his personal address usage and transaction patterns, he does not have control of the behavior of the entities he is transacting with. While services such as CoinJoin serve to limit information leakage of Bitcoin flows via the merging of individual transactions , there is at this stage no service providing full neighborhood obfuscation.
The main contribution of this work are the following:
definition of novel features for entity classification from a graph neighborhood perspective,
analysis of the performance of various classification methods,
discussion of the implications of these entity characterization results in the context of Bitcoin anonymity.
The structure of the paper is as follows. In Section II we define the graph model we propose for the Bitcoin Blockchain. In Section III, we present our classification models as well as details of the graph neighborhood features developed. Finally we provide in Section IV numerical results that demonstrate the effectiveness of entity characterization using actual Bitcoin Blockchain data. Section V provides concluding remarks.
The Bitcoin Blockchain is a succession of blocks . Each block contains a set of transactions . We first present a bipartite address-transaction graph model, and then explain how we derive a discrete-time entity-transaction graph model with features relevant to the entity characterization program.
We model the Bitcoin Blockchain as a directed weighted bipartite graph , where represents an address, represents a transaction between addresses, and represents an edge between an address and a transaction. We partition the edge set into edges incoming to a transaction, and edges outgoing from a transaction, as follows: , where stands for input edges, i.e. incoming edges of a vertex , and for output edges, i.e. outgoing edges of a vertex . Multiple edges can exist between a pair .
For each transaction , we define and as the corresponding edges between the transaction and the addresses associated. For each (resp. ), we uniquely define the associated transaction (resp. ) and address (resp. ); these are well defined because the graph is bipartite.
We ignore the address and transaction fields that are specific to the protocol or not relevant to our study, see for instance  for related graph models for permissioned blockchains, or  for a more fundamental analysis of a transaction graph model and inherited protocol properties. In this work, we consider the following vertex and edge properties:
edge: inputs, , (resp. outputs, ) are represented by their amount in BTC, for ( for ), sent (resp. received) by an address, (resp. ), for a given transaction, (resp. ),
transaction vertex: a transaction contained in a block has a fee, , and a time , corresponding to the time when the block it belongs to is validated, .
address vertex: an address has a creation date and a balance.
In the next section we explain how we derive the entity-transaction graph from the address-transaction graph.
In the Bitcoin Blockchain a user may employ several addresses. We therefore introduce the concept of an “entity” where entity, , is fully characterized by a set of addresses , which can be interpreted as a logical user. We discuss subsequently the various methods for defining these sets, such as the common spending heuristic.
The entity-transaction graph is a directed weighted bipartite graph of entities and associated transactions. Let denote an entity and , a transaction between entities. Entities and transactions are connected by edges , where stands for input edges, and represents output edges.
As with addresses, for each transaction we define and as the corresponding edges between the transactions and entities. For each (resp. ), as for the address-transaction graph, we uniquely define the associated transaction (resp. ) and entity (resp. ). Inputs, , (resp. outputs, ) represent the amount in BTC, for ( for ), sent (resp. received) by an entity, (resp. ), for a given transaction. We define the set of addresses, (resp. ), associated with a set of inputs (resp. outputs). The mechanism to build the entity-transaction graph from the address-transaction graph is illustrated in Figure 3.
The vertices and edges of the entity-transaction graph inherit the properties of the address-transaction graph by standard summation of continuous properties and aggregation of graph topology. Additionally we consider that vertices and edges of the entity-transaction graph inherit some statistics of the entity-transaction graph that are lost by summation (e.g. an entity graph edge inherits the count of address graph edges which it subsumes).
We further define a set of categories , corresponding to entity class labels. We shall consider in the remainder of this work the entity classification problem, namely identification of the class label associated with an entity , based on the address-transaction graph.
We apply temporal aggregation to the directed weighted bipartite graph of entities to obtain a discrete-time data structure with commensurate properties.
A discrete-time aggregation operator is an operator :
where time-aggregated entities and transactions are derived from and required to satisfy the following constraints:
Entity activity: only entities transacting during the time period are considered.
Transaction: the edges, , represent the aggregation of transactions between two entities within the time window, .
In the following, we work with the discrete-time graph obtained by applying the discrete-time operator, with typical discrete time intervals of a day, a week, or a month.
The notion of motif in the Bitcoin Blockchain was introduced in  as a useful concept in entity classification studies, specifically in the context of Exchange detection. The authors define the so-called 2-motif. In this work, we consider more generally the case of N-motif and present a few relevant special cases.
A 1-motif is a path of length 2 on the entity-transaction graph, , in .
If we call it a Loop 1-motif, otherwise it is called Distinct 1-motif.
The 1-motif, is a direct transaction between entities. More generally, a direct N-motif is a path of length in the directed weighted bipartite graph starting and ending with an entity.
A N-motif is a path of length , , in starting and ending with an entity. A motif is required to satisfy the following constraint:
Direct: at least one output from each transaction is an input to the next transaction. .
If we call it a Direct Loop, otherwise Direct Distinct. From this condition we deduce immediately that the transactions are ordered in time: . Considering only Direct N-motif avoids redundancy of exploration and focuses on fast flow of value. In this work, we do not consider non-Direct paths that would correspond to more complex transfer-and-hold patterns.
We illustrate the case of a 3-motif in Figure 4.
Statistics of 1,2, and 3-motifs over the dataset considered are presented in Table I, with the following entity categories: Exchange, Gambling, Mining, Service, Darknet, as per labelling from Wallet Explorer. An indication of the power of transaction graph neighborhood structure is that certain motifs dominate within certain entity categories, e.g. direct transactions with distinct entities are more characteristic of Exchanges than of other entity categories.
Motif attributes such as BTC volume and number of addresses are similarly inherited from the address-transaction network, by summation and aggregation.
In this section we present the methods used for inferring the category associated with each entity, using our graph neighborhood features on the Bitcoin transaction graph. We first recall the heuristics used for associating distinct addresses to a single entity.
The common spending heuristic consists of clustering addresses that are inputs to the same transaction with the same entity. Formally,
The common spending heuristic is equivalent to the assumption that having access to multiple private keys at a given point in time is a defining property of an entity. Indeed, in order to submit a transaction to the Blockchain protocol, the transaction must be signed, implying using the private key of each address in the input set of the transaction, see Figure 5.
The notion of transitive closure allows extending the set of addresses associated with a given entity.
We wish to demonstrate the effectiveness of graph neighborhood features for entity characterization. As such we propose the following five feature classes:
Address features involving only address properties,
Entity features that can be computed from the set of addresses associated with a given entity,
Temporal features related to the evolution of specific transaction properties,
Centrality features encoding the value of classical centrality measures ,
Motif features corresponding to transaction paths involving the entity of interest.
The remainder of this section provides more details on each set of features.
Address-specific features include attributes such as the total BTC received, the total BTC balance, the number of input/output transactions, the number of predecessor/successor addresses, unique and otherwise, the number of predecessors addresses that are also successors, and the number of sibling addresses in output.
Analogous features are defined at the entity level as well as the number and proportion of coinbase transactions.
1-motif features include the value of incoming/outgoing transactions in BTC and USD, the number of incoming/outgoing addresses, the number of incoming/outgoing transactions per day, their total value in BTC and USD, and their total fee.
2-motif and 3-motif features are analogous but include also particularities of this graph structure such as, for 2-motif, the number of inputs (resp. outputs) in the first (resp. second) transaction of an incoming/outgoing/loop motif, the total value of the inputs (resp. outputs) of the first (resp. second) transaction of an incoming/outgoing/loop motif in BTC and USD, as well as the number of incoming/outgoing/loop motifs, the number of addresses involved as center of an incoming/outgoing/loop motif, the value transferred in the middle and the fees of the transactions in BTC and USD, and the number of predecessors/successors for an incoming/outgoing motif. 2-motif features are illustrated in Figure 6.
Centrality-based features include measures of betweenness centrality, closeness centrality, degree centrality, in-degree centrality, out-degree centrality, PageRank, and load centrality. These features are computed on the discrete-time aggregation of the entity graph over a week, a month and a year.
Temporal features are those such as the number of weeks, months, years of activity, the number of entity traded with per week, month, year, the number of receiving, sending days, the activity period duration, and the active day ratio.
We make use of in total 10 address features, 8 entity features, 16 temporal features, 42 centrality features, 44 1-motif features, 81 2-motif features, and 114 3-motif features.
For each continuous feature such as volume of Bitcoin transactions, we calculate the mean and the standard deviation in order to allow the classifier to discriminate up to second order statistics.
Transaction values are considered both in terms of BTC and USD, in order to support the analysis over the multiple years over which the BTC value in USD changed.
Given our interest in understanding the behavioral features characterizing certain categories of Bitcoin users, we propose to use a decision tree method, which provides feature relevance statistics via bootstrapping. A decision treepartitions the feature space into disjoint regions and produces a constant value in each region. The output of for input can be written as the sum:
where is the model response for input features from region . We consider an ensemble of trees, which we learn sequentially by minimizing the weighted sum
according to a gradient boosting procedure, where
is the loss function.
In order to identify the ensemble tree hyper-parameters most suited to our problem, we approximate the performance of the tree ensemble for given parameter values using Gaussian Processes. We learn a surrogate of the loss function based on previous evaluations , and identify the parameter minimizing this surrogate function. The calibration procedure can be summarized as follows:
Given observations , we build a surrogate using Gaussian processes. Each value is the loss function value obtained after having trained a decision tree with the hyper-parameter .
Given the surrogate function , we identify the parameter providing a good compromise between minimizing the surrogate and exploring the parameter space. The evaluation of the surrogate function for a parameter value consists in running the gradient boosting routine described above.
We benchmark the result of our decision tree algorithm against a logistic regression algorithm, defined below:
In this section we present our experimental results, as well as implications of these results for Bitcoin transaction anonymity.
We consider the set of blocks of height inferior or equal to 514.971, corresponding to blocks created before March 24th 2018, 15:19:02, which contains about addresses. Address labels are obtained from WalletExplorer111https://www.walletexplorer.com/.
We apply the common spending heuristic and transitive closure operation described in Section III-A to the labeled dataset obtained from WalletExplorer, and extend it slightly. We interact with the Bockchain via the BlockSci toolbox v.0.4.5 released on March 16th 2018 , on a 64 GB machine. The final labeled dataset used in numerical experiments consists of addresses, associated with entities representing entity categories in the following proportions:
Exchange: 108 entities, 7.892.587 addresses.
Service: 68 entities, 17.606.608 addresses.
Gambling: 65 entities, 2.775.810 addresses.
Mining Pool: 19 entities, 78.488 addresses.
DarkNet Marketplace: 12 entities, 1.978.207 addresses.
While the set of labeled address is of significant size, it is important to observe the entity category class imbalance, with the dominant Service class representing more than of the dataset, and the smallest Mining Pool category representing less than of the dataset.
The decision tree model described in Section III-C is deployed in Python via the LightGBM implementation . The Gaussian Process-based optimization procedure for hyper-parameter optimization is implemented using the Python skopt library222https://scikit-optimize.github.io/ with initial parameter values obtained from a coarse random search.
We use a typical trainingtest partition of our dataset. The learning rate hyper-parameter of the decision tree model is optimized over the interval after having done a random search over ; the resulting value is . To train LightGBM, we use an early stopping procedure which stops the training if the log loss does not decrease over ten consecutive iterations. The procedure stops after iterations with a loss of .
The inverse of the regularization parameter of the logistic regression model is optimized over the interval after having done a random search over ; the value obtained is .
The Gaussian Processes procedure is used with 50 iterations, which is a reasonable compromise between a small computation time, less than one hour for LightGBM in our hardware setting, and a good exploration of the interval. For fairness we use the same criterion for the logistic regression model. Along the same lines, we only optimize one hyper-parameter for LightGBM, namely the learning rate.
We analyze the performance of the classification model first from the perspective of an unsophisticated attacker incrementally adding features to a generic model based on their ease of access. We then model a sophisticated attacker with extensive modeling knowledge, collecting the full set of features, calibrating model hyper-parameters, and identifying the minimal set of relevant features required for a successful attack.
Consider an attacker who collects features in the following order, from simplest to most complex:
Address features requiring access only to the address set,
Entity features requiring access to the address set and address clustering heuristics,
Centrality features requiring crawling the Blockchain transaction network for connectivity information,
1,2,3-motif features: requiring crawling the Blockchain transaction network for both connectivity and transaction information (amount, fee, etc.).
We consider both the advanced decision tree model as well as the logistic regression model for classification, representing the range of sophisticated and simple methods. To model the weak attacker, we do not invoke the hyper-parameter calibration procedure, and use the default parameter settings. F1 and accuracy scores are reported in Table II. Given that 1-motifs are simpler to compute in practice for an attacker, we place them before Temporal and Centrality features when reporting the results.
The results provide two relevant insights. First it is notable that even a weak attacker using a simple model (logistic regression) with default hyper-parameter settings, and using only the 10 simplest features, is able to identify the entity type with accuracy, i.e. a factor of two improvement as compared to a random guess over the classes.
Second, it is of significance that while the model choice does not significantly impact the classification performance, using more sophisticated features provides drastic improvement. Indeed, the user of 3-motif features, encompassing the behavior of the 3-hop graph neighborhood of a given identity, contributes more than relative improvement to the accuracy score (from to accuracy for the decision tree model).
We now consider a strong attacker collecting the full set of features, and then selecting a small set of highly significant features. We model this process by applying the hyper-parameter calibration procedure described earlier. We then obtain the ranked feature set from the decision tree model. Table III provides the top ten features of the decision tree model.
The results indicate that the 3-hop graph neighborhood features dominate. Note, however that there are 114 such 3-hop graph neighborhood features out of 315 features in total.
It can be seen from Table III that outgoing features are more relevant that incoming features. This supports a “causal” interpretation that features specific to an entity can be well detected from its downstream transaction trace.
We now examine the minimal set of features required to obtain state-of-the-art accuracy. We present in Figure 7 the F1 and accuracy improvement over the complete feature relevance ranking from the decision tree algorithm for both the logistic regression and the decision tree model.
It is clear from the figure that even with a simple logistic regression model, the most relevant features are sufficient to obtain high classification accuracy. Using a more sophisticated decision tree model allows reducing the number of features to , after which improvement plateaus.
Finally, we consider the sophisticated attacker using hyper-parameter optimization. Table IV presents the Accuracy and F1 score for both classification methods.
Table V, provides the class-specific overall performance results.
The results dominate state-of-the-art results from the literature, which may be due to the use of novel advanced graph neighborhood features, as evidenced from Table II, along with the hyper-parameter optimization. At the class level, good classification accuracy (above ) is achieved over the set of exchanges, gambling services and general services as well as the darknet category. Mining pool behavior is less-well captured as evidenced by the low accuracy, indicating that there is no consistent transaction pattern identified for this class.
We formulate the problem of analyzing Bitcoin Blockchain transaction graph anonymity properties as a classification problem over a set of categories of Bitcoin users. Our results indicate that it is feasible for a weak attacker to characterize entities using a set of new graph neighborhood features that we propose, and that is feasible for a strong attacker to do the same with as little as of the most relevant features.
This suggests a number of interesting avenues for further work. Since it is possible as we have shown to accurately classify transacting entities on the Bitcoin Blockchain, the question arises as to whether it is possible to develop an effective generative model of the transaction network. If so, it would enable a wealth of studies into the effect of changes in network protocols or regulatory frameworks on the evolution of the Bitcoin economy.
Danny Yuxing Huang, Maxwell Matthaios Aliapoulios, Vector Guo Li, Luca Invernizzi, Elie Bursztein, Kylie McRoberts, Jonathan Levin, Kirill Levchenko, Alex C Snoeren, and Damon McCoy.Tracking ransomware end-to-end. In 2018 IEEE Symposium on Security and Privacy (SP), pages 618–631. IEEE, 2018.
2016 IEEE International Conference on Data Science and Advanced Analytics (DSAA), pages 537–546, October 2016.