Probing the Mystery of Cryptocurrency Theft: An Investigation into Methods for Cryptocurrency Tainting Analysis

06/13/2019 ∙ by Tin Tironsakkul, et al.

Since the first theft of the Mt.Gox exchange service in 2011, Bitcoin has seen major thefts in subsequent years. For most thefts, the perpetrators remain uncaught and unknown. Although every transaction is recorded and transparent in the blockchain, thieves can hide behind pseudonymity and use transaction obscuring techniques to disguise their transaction trail. First, this paper investigates methods for transaction tracking with tainting analysis techniques. Second, we propose new methods applied to a specific theft case. Last, we propose a metrics-based evaluation framework to compare these strategies with the goal of improving transaction tracking accuracy.




1 Introduction

While Bitcoin is no longer the cryptocurrency with the most effective privacy system today, it remains the most prominent and valuable cryptocurrency in use with pseudonymous privacy to protect its users’ identities. This makes Bitcoin attractive to individuals who are looking for a less traceable currency – compared to traditional currency – to be used for illegal activities, whether it be for dark market transactions, ransomware, scam, gambling, money laundering, prostitution, or even theft of the cryptocurrency itself.

Such illegal activities can diminish Bitcoin’s value and its potential to become the official alternative to traditional money. This also includes the cryptocurrency thefts performed on multiple cryptocurrency exchange services. For example, security issues of the cryptocurrency service platforms that result in hacking and theft incidents – such as the hacking of the Coinrail exchange platform on 9th June 2018 with the loss of 30 percent of their total cryptocurrency holding – caused Bitcoin and other cryptocurrencies’ prices to drop by almost 10 percent in one hour (Eric et al., 2018).

Since thefts at cryptocurrency services can affect both the service and its direct users, they often have a negative impact on the economy of cryptocurrencies, which in turn can affect other users, and even the real-world economy to a degree. It is in the interests of cryptocurrency market participants and organisations – such as governments and regulatory agencies – as well as researchers to be able to decipher and track the transaction network of a cryptocurrency, whether for research, crime forensics, law enforcement, or personal interest purposes.

However, because of the privacy protection system of Bitcoin, the tracking of Bitcoin transactions remains a difficult challenge. In particular, the lack of precise identity information and the existence of transaction obscuring methods such as laundering services, ease of address creation, and anonymous connections with the TOR network [1] allow the perpetrators of cryptocurrency theft to evade the grasp of law enforcement. While some previous research has proposed and developed tainting analysis methods in an attempt to track illegal Bitcoins, so far none of that research presents evaluation criteria to measure the accuracy of tainting results.

[1] TOR is software that allows users to connect anonymously to its network, with data encryption, as a gateway to other networks or the Internet.

Therefore, this paper focuses on the analysis and tracking of Bitcoin transactions that involve the theft of Bitcoins using transaction tainting analysis. The purpose of this paper is to compare and evaluate tainting strategies, address profiling and to suggest novel techniques that have the potential to provide superior tracking result. Ultimately, the aim is to reveal the way forward, whereby misappropriated cryptocurrencies find their way into the real financial markets, in particular via money laundering activities.

2 Bitcoin transaction tainting

Bitcoin uses an open, distributed transaction ledger called the blockchain, which allows transaction flow to be easily traced and visualised. However, the tracking of Bitcoin is still difficult to accomplish, especially in the case of finding the exact ownership of tainted Bitcoins [2]. This is due to the fact that, aside from the pseudonymous system, the possession of Bitcoins in each address is in the form of unspent outputs [3], which are newly created from the sum of inputs [4] of previous transactions. As a result, when some (possibly stolen) inputs are combined with other inputs to become new outputs, it is difficult to identify or classify the resulting output for tainting without a clear and precise methodology. The main idea of tainting is that the stolen coins are considered tainted (or “dirty”), and any address that uses or transfers them is also considered to be a tainted address. As such, the tainted coins should not be accepted by other users or businesses [5]; this is similar to how the blacklisting of addresses works.

[2] In this paper, tainted coins are the coins that were originally stolen from a specific address, while clean coins are unrelated coins.

[3] The result of each transaction is stored in the form of an output, which can be used in the next transaction.

[4] An input is a reference to the output of a previous transaction that is being used in the transaction.

[5] Ideally, a warning signal could alert authorities that tainted coins are in circulation. If regulatory systems were in place, the address identified as belonging to the thief would immediately be flagged, and measures would be taken to place stolen coins in quarantine.

2.1 Tainting methods discussed in the literature

The past literature identifies three strategies or methods for tracking transactions and classifying tainting using transaction information from the blockchain: the Poison and Haircut methods by Moser et al. (2014), and the FIFO (First In, First Out) method by Anderson et al. (2018). The following sections discuss these techniques in detail.

2.1.1 Poison method

The Poison method is the simplest tainting strategy; the rule is that any transaction output that originated from either a whole, or a part of, tainted input will be considered as a tainted output regardless of the proportion of tainted Bitcoins involved (Moser et al., 2014). This means that the clean Bitcoins involved in the transaction will also become tainted, hence as the tainting progresses, the amount of tainted Bitcoin will increase exponentially over time. Moser et al. (2014) argue that as the method works only on transaction level and not address level, there is no risk of a criminal attempting to sabotage publicly known addresses by purposely sending them a proportion of tainted Bitcoins (so that it becomes mixed with other clean coins). This implies that so long as innocent recipients do not use the tainted outputs along with clean outputs in the same transaction, their clean Bitcoins are safe from being tainted. While this method is considered extreme in terms of the number of Bitcoins impacted, and it has less practical use for both blacklisting and tracking, the tainting result can still be used to provide a baseline sample or full tainted transaction network for further study and analysis.

2.1.2 Haircut method

The Haircut method works in a similar way as the Poison method, but the Haircut method implements an additional rule: the tainted output value is based on the proportional value of the tainted input (Moser et al., 2014). The tainting compares the proportion of clean and tainted currency in the outputs that are used as the inputs of the new transaction, and each output will contain the proportion of tainted and clean Bitcoins accordingly. For example, suppose that a transaction with two inputs, 1 clean Bitcoin and 1 tainted Bitcoin, is sent to two other addresses as two outputs, each at 1 Bitcoin. Each resulting output will then contain a half portion (0.5 BTC) of the tainted Bitcoins and another half (0.5 BTC) of the clean one. This means that the resulting number of tainted addresses and transactions from both the Poison and Haircut policies would be similar, as both consider all the outputs with tainted inputs in the transaction to be tainted. The only difference from the Poison method is that the tainted Bitcoins do not affect the amount of the clean Bitcoins in the Haircut method. As both Poison and Haircut methods consider every output in the transaction to always receive a part of tainted input, the tainting often results in a large number of tainted transactions and addresses, as the mixing between clean and tainted coins increases. The end result of Poison and Haircut tainting methods usually concludes in a vast portion of active Bitcoins in existence classified as tainted coins.

2.1.3 FIFO method

The FIFO Method (First In, First Out) uses a similar concept of asset inventory management to sort the order of tainting transaction that cannot be specifically identified. The concept can be summarised as follows: the first item that goes in is also the one that goes out first. In the Bitcoin case, the item would be the coins or transaction outputs that are transferred from some addresses to others (Anderson et al., 2018). Similar to the Poison and Haircut methods, FIFO also operates at the transaction level by first looking at the order of inputs of the transaction, after which the method considers transaction outputs.

Anderson et al. (2018) argue that the FIFO method provides more precise tainting results compared to the Poison and Haircut methods, which would allow the government or a relevant organisation to implement clearer regulation or blacklisting. It is also worth mentioning that the FIFO method is used in common law (in the UK) for money distribution or withdrawal from an account. This use originated from a historical case in 1816 called Clayton’s case, which is one of the arguments that Anderson et al. (2018) provide for using FIFO over other methods.

Figure 1: Example of Bitcoin transaction where the actual transaction flow is opposite of the FIFO method tainting result.

The diagram in Figure 1 demonstrates an example of a transaction with two inputs and outputs. The red circle represents tainted input/coins. The black arrows represent the transaction flow according to FIFO method, while the red arrows represent actual flow.

However, the tainting result of this method does not necessarily reflect the transaction’s contexts or intended purposes of the senders as demonstrated in Figure 1, where the FIFO method would distribute the tainted coins into the second output based on the transaction order, while the actual intended destination of the tainted coins is at the first output. Hence, the actual context of the transaction can be a contradiction to the tainting results of the FIFO method. As a result, while this method might solve some issues for legal purposes, it still does not truly address the problem of tracking accuracy, which is the main goal of the present research paper.

3 Methodology

In this section, we first introduce the tainting methods that we propose in this paper. Second, we describe the attacker model for the transaction tainting that we used in this research. Third, we discuss the address profiling method that we incorporated into our tainting methods. Finally, we discuss the evaluation metrics and the variables that we used to evaluate each tainting method.

3.1 Proposed new tainting methods

Using the same principle as the FIFO asset inventory management, we propose two new strategies to implement in the tainting process. We describe these two proposals, the LIFO and TIHO methods, below.

3.1.1 LIFO method

LIFO (Last In, First Out) is an alternative to the FIFO concept of asset inventory management, with the ordering reversed from FIFO. Instead of the assumption that the first item that goes in is the first to go out, LIFO assumes the last item that goes in is the first to go out.

As we discussed earlier, using the FIFO method by itself cannot achieve the aim of providing an accurate tainting result, as there is a possibility that the result of FIFO tainting does not match the actual flow of the transaction, as shown in Figure 1. Therefore, we will implement the LIFO tainting method to evaluate whether such a possibility is true or not.

3.1.2 TIHO method

Using the same principle as in the FIFO and LIFO methods, we design a new tainting method based on the transaction order, but also incorporate the context of the tainting, which is the tainting classification itself, into the tainting algorithm. The fundamental assumption in this method is that in the transactions that involve the mixing of clean and tainted coins, the resulting transaction output that has the highest value, or in other words the address that receives the highest amount of Bitcoins, is the main purpose or target of the transaction, and that tainted inputs are the most important inputs of the transaction. In summary, this method prioritises the distribution of the tainted input to the outputs with higher values first, then the remaining clean inputs are distributed to the other outputs afterwards. We call this tainting method Taint In, Highest Out (TIHO). We introduce this method to test the potential of using other transaction information as the tainting variables besides the transaction order, which in this case are the tainting classification and the value of the transaction outputs.

This method is not without limitation, as it can still be manipulated by an attacker who purposely makes the intended output small in the transaction. There are also valid reasons for small outputs, such as using large value Unspent Transaction Outputs [6] to purchase products from a merchant. Similar to using a large value banknote to buy a cheap product, the output that is sent to the merchant address to purchase the product would be smaller than the change output, which is the remainder that goes back to an address belonging to the owner of the transaction. For such reasons, this method can be somewhat accurate mostly during the early phases of transferring tainted coins, when the tainted coins are still likely to be in the thief’s possession.

[6] An Unspent Transaction Output (UTXO) is an output that has not yet been used in any transaction.
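To make the five rules concrete, the following added example (not the authors' code) applies Poison, Haircut, FIFO, LIFO and TIHO to a single transaction shaped like Figure 1, where the tainted coin is the second input. It assumes each input is either wholly clean or wholly tainted, that the fee absorbs whatever input value is left after the outputs are filled, that LIFO means reversing the input order, and that TIHO breaks ties by position; the amounts are constructed.

```python
from fractions import Fraction

BTC = 100_000_000  # satoshis per Bitcoin


def _check(inputs, outputs):
    if sum(v for v, _ in inputs) < sum(outputs):
        raise ValueError("outputs exceed inputs")


def _pour(inputs, outputs, out_order):
    """Consume inputs in list order to fill outputs in out_order.

    inputs: list of (value_sat, is_tainted); outputs: list of value_sat.
    Returns tainted satoshis per output, indexed like `outputs`.
    Input value left over at the end is the fee (assumption).
    """
    _check(inputs, outputs)
    remaining = [v for v, _ in inputs]
    tainted = [0] * len(outputs)
    i = 0
    for o in out_order:
        need = outputs[o]
        while need > 0:
            take = min(need, remaining[i])
            if inputs[i][1]:
                tainted[o] += take
            remaining[i] -= take
            need -= take
            if remaining[i] == 0:
                i += 1  # this input is used up, move to the next one
    return tainted


def poison(inputs, outputs):
    # Any tainted input taints every output in full.
    _check(inputs, outputs)
    dirty = any(t for _, t in inputs)
    return [v if dirty else 0 for v in outputs]


def haircut(inputs, outputs):
    # Every output carries the tainted share of the combined inputs.
    _check(inputs, outputs)
    total = sum(v for v, _ in inputs)
    dirty = sum(v for v, t in inputs if t)
    if total == 0:
        return [0] * len(outputs)
    return [Fraction(v * dirty, total) for v in outputs]


def fifo(inputs, outputs):
    # First input feeds the first output.
    return _pour(inputs, outputs, range(len(outputs)))


def lifo(inputs, outputs):
    # Last input feeds the first output.
    return _pour(inputs[::-1], outputs, range(len(outputs)))


def tiho(inputs, outputs):
    # Tainted inputs go first, and they go to the highest-value outputs.
    dirty_first = sorted(inputs, key=lambda item: not item[1])
    by_value = sorted(range(len(outputs)), key=lambda o: -outputs[o])
    return _pour(dirty_first, outputs, by_value)


def compare(inputs, outputs):
    methods = (poison, haircut, fifo, lifo, tiho)
    return {m.__name__: m(inputs, outputs) for m in methods}


# Constructed transaction: 3 BTC clean + 2 BTC tainted in,
# 2 BTC and 2.999 BTC out, 0.001 BTC fee.
FIG1_INPUTS = [(3 * BTC, False), (2 * BTC, True)]
FIG1_OUTPUTS = [2 * BTC, 3 * BTC - 100_000]

if __name__ == "__main__":
    for name, result in compare(FIG1_INPUTS, FIG1_OUTPUTS).items():
        print(f"{name:8s}", [float(x) / BTC for x in result])
```

On this transaction FIFO and LIFO place the tainted coins in opposite outputs, which is the disagreement Figure 1 illustrates, and TIHO follows the larger output regardless of input order.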

3.2 Attacker Model

The attacker model implemented in this paper uses the concept of transaction tainting. The tainting starts from at least one known and confirmed account involved in theft and links together multiple related transactions and addresses using mainly the information from the blockchain. It is worth noting that the tainting itself does not directly deanonymise the addresses involved; however, the resulting transaction pattern found from the tainting can be used to help accomplish such an objective. In this paper, the tainted address classification is slightly different from the ones proposed in the previous literature, where an address would be considered tainted only after it uses the tainted coins: for tracking purposes, we classify an address as tainted as soon as it receives the tainted coins.

3.3 Address Profiling

Although deanonymisation, which aims to reveal the real identity of Bitcoin addresses, is not the goal of this paper, we believe that tainting should be context-aware and be adapted to the type of addresses that are being tainted. Tainting indiscriminately would miss our goal to understand theft strategies. Address profiling is one of the methods that can assist the tainting process by providing the context for the tainting so that it can track the transactions more precisely. As a result, we classify the address into three categories using the information available in the blockchain and the result of tainting methods as follows.

3.3.1 Service address

In this paper, we consider a service address to be an address that has very high transaction traffic compared to other addresses. High transaction traffic often implies that the address is a point of central exchange for many users, similar to how businesses operate in the real world. Services in cryptocurrencies exist in many forms with different purposes, such as the following:

  1. Cryptocurrency exchange services, where users can exchange cryptocurrency for real money or other cryptocurrencies, e.g., Kraken, Bitfinex or Mt.Gox.

  2. E-commerce businesses that accept payment with cryptocurrency, e.g., Microsoft, Newegg, Humblebundle and Expedia, among others. This also includes marketplaces or websites that facilitate transactions for the user, such as Darknet markets like Silk Road and Dream Market, or gambling sites.

  3. Websites or organisational donation sites that accept Bitcoins as donation, e.g., Wikipedia, Reddit, 4Chan and Wikileaks, among others.

  4. Laundering/mixing services, which are a type of service that helps randomise the transaction flow for the users to make it more difficult to track, such as the Helix Mixer, Coinmixer and Bitblender. The service would take a certain amount of Bitcoin from the mixed transaction as their fee, which is usually based on the complexity and number of mixing requested. Each mixing service usually employs different types of mixing methods, but generally the complexity of the mixing is more sophisticated with a higher number of mixing transactions, randomness and mixing time (Moser et al., 2013).

In this paper, we classify service addresses by looking at the transaction traffic of the tainted addresses and comparing it to other addresses within a similar time period. If a tainted address has a considerably higher number of transactions than the average address at the time, then it will be classified as a service address. The classification process and the selection of the boundary for the service addresses are described in more detail in Section 4.

Additionally, we consider service addresses to be the end goal or exit point of the tainted transaction. This assumes that all Bitcoin transactions, including those with stolen coins, ultimately aim to reach a point where the coins can be converted into real-world monetary value, and thus for the analysis in this paper we consider service addresses to be the exit point or medium of exchange for the coins.

3.3.2 Tainted address

A tainted (or dirty) address is any address that the tainting methods consider to be tainted from interacting with the tainted Bitcoins regardless of the amount. As each tainting method employs different ways of tracking and classification, each tainted address may or may not be classified as tainted in each method. Likewise, the tainted addresses may or may not belong to the accomplices of the theft incident, as Bitcoin addresses can be easily created without any cost. In this paper, we use the same classification of tainted address as previous literature, but with an exception for the service addresses. In other words, for our results, such as the number of tainted addresses, we don’t count beyond the first encounter of a service address when implementing any of the tainting methods (Poison, Haircut, FIFO, LIFO, and TIHO).

As we incorporate the address profiling into each tainting method, the tainting methods used in this paper are a slightly different version from the ones presented in the previous literature. As mentioned in the service address subsection, we believe that by stopping the tainting for coins that have already been used at a service, the tainting result becomes more precise. Therefore, the tainting result of the methods used in this paper would also be different. As such, we indicate the inclusion of the address profiling in the methods with an asterisk sign (*) behind the method name.

Because we are using only data from the blockchain for our tainting analysis in this paper, it is still possible for the tainting method to classify addresses that belong to services as tainted addresses (in case we don’t recognize an address as belonging to a service), especially for services that use many addresses a few times each instead of reusing the same addresses multiple times.

3.3.3 Clean address

A normal or clean address is any address that has not yet received any tainted coin. In the same way as tainted addresses, normal or clean addresses can also belong to the theft accomplices depending on how the tainting method operates. Some tainting methods may mistakenly consider an address as clean, e.g., even when it is the recipient address of stolen coins.

3.4 Evaluation matrix

In order to evaluate the performance of each tainting strategy, we have created an evaluation matrix using information that is available in the blockchain data. We discuss these evaluation metrics in the subsections below.

3.4.1 Transaction fee

A transaction fee is the number of Bitcoins specified by the transaction sender as an incentive for a miner to prioritise the transaction over other transactions in the process of block mining. The transaction fee is taken from the difference of inputs and outputs of the transaction (Nakamoto, 2009). Normally, the transaction fee is calculated from the data size of the transaction, which comes mainly from the number of inputs and outputs within the transaction, and the number of transactions that are waiting to be confirmed at the same time.

A miner is a person or a group of individuals that is the first to complete the block mining challenge provided by the Bitcoin protocol. The challenge involves miners finding a hash of the block they are going to create that is lower than the provided target, which is calculated from the total mining computation power of every miner who participated in the mining of the previous blocks. Miners receive rewards, such as a specific number of Bitcoins and the transaction fees for all the transactions included in the block that they mined, in the form of the first transaction in the block, called the ‘Coinbase transaction’ (Franco, 2015). While mining could be accomplished by a single person during the early years of Bitcoin, as more individuals join to compete for mining due to the increasing value and reputation of Bitcoin, the cost-effectiveness of being a single miner decreases. As a result, miners instead typically join “mining pools” to complete the block mining together and then distribute the reward based on each contribution to the mining.

In this paper, we hypothesize that the amount of the transaction fee in tainted transactions will be higher than normal transactions in order for the thief to obscure his/her transaction trail by rapidly moving the stolen coins; therefore, he/she needs to provide sufficient incentive through the transaction fee to accomplish this. As a result, the tainting strategy with better tracking accuracy should have overall higher average transaction fee for the tainted transactions according to our hypothesis.

3.4.2 Reaching a Service address; the end point of a transaction trail

Using the address profiling method mentioned in section 3.2.1 to classify service addresses, we can observe the point in the transaction flow when the tainted coins are received by a service address. We hypothesize that the thief would want to spend the stolen coins as soon as possible in order to minimise the transaction trail, as the longer the stolen coins remain in his/her possession, the higher the chance of being detected. Under this hypothesis, the tainting strategy that shows the earliest route to any service address is more likely to be the more accurate one.

3.4.3 Privacy and transaction obscuring measure

While privacy protection is one of the most important aspects of Bitcoin, many users are believed not to be privacy conscious, as can be observed from the high frequency of reusing addresses (Harrigan and Fretter, 2016). However, due to the nature of the transactions involving theft, we argue that a thief would likely try to employ transaction obscuring and privacy techniques as much as possible in order to prevent tracking. Avoiding the reuse of the same address multiple times is one such technique, as the Blockchain system (including exchanges) allows users to easily create multiple new addresses in a matter of minutes. We assume that the thief would try to avoid using any address more than once in order to reduce the traceability of the transactions. So, we can use this basis as one of the hypotheses to test the accuracy of each tainting strategy.

The ‘reused address’ metric does not include service addresses, nor any transactions outside of the limit tainting period. Rather, we will classify addresses that have transactions – including ones from the outside of the limit time period prior to receiving tainted coins – as ‘fresh address’. Moreover, since the system allows the user to send their Bitcoins to any address without requiring confirmation from the receiver address, we will classify reused addresses using only the number of sending transactions.

4 Results

In this paper, we use a historical theft as a sample for testing the transaction tainting analysis. The case we are using is the Bter hack of 2015, which resulted in theft of 7,170 Bitcoins with the total value of 1.7 million USD at the time (Higgins, 2015). Bter is a cryptocurrency exchange service located in China. Its service was shut down in 2017 due to the Chinese government’s ban on the use of cryptocurrency in that year. The theft occurred on 2015-02-14 at 04:32:26, when the hacker stole 7,170 Bitcoins from the Bter cold wallet exchange [7]. At the time, the exchange temporarily suspended its service, announced the theft the following day, and announced a bounty for providing information about the thief (Higgins, 2015). The theft involved only one initial transaction in which coins were moved from Bter’s cold wallet address to two other addresses, which are 1FETsHZyjppcs8KJUvh82vNCNqsJYD5pWy and 1KPNHv8mfMPNivHptAiwwytUVZmzovVF8f.

[7] A cold wallet is a type of address that does not connect to any network or the Internet, to protect against security breaches. This can be accomplished by storing it in offline storage such as a USB drive, paper, safe, external hard drive, offline computer and so on.

Table 1: The Number of transactions and addresses in each specified time limit.

To test each tainting method while limiting the computational resources and time required for our evaluation, we limited the tainting of the transactions to within 4 days after the first distribution transaction of the stolen coins from block 343401. Table 1 shows the exact total number of all transactions and the addresses that appear in the blocks within the time period limit. To test and evaluate the tainting methods, we divide the time limit into 5 periods, which are 6 hours, 12 hours, 1 day, 2 days and 4 days, to show the gradual change of the results within the limited time.

To put this theft into perspective, the total number of Bitcoins in every transaction, excluding the initial theft transaction, is 3,692,467.31451518 Bitcoins. At the exchange value of 230 USD per 1 Bitcoin at the time of the theft, this equals around 85 million USD, compared to the 7,170 Bitcoins theft with a value of 1.7 million USD, which is around 2 percent of the total transaction value within 4 days.

4.1 Service Address Classification

In order to find the most efficient classification of the service addresses, we use the total number of transactions of all addresses that appear in the same limited time period as the sample data; next, we compare the number of transactions of every address that appears in the blockchain within a six-month period of the theft (three months before and after the theft transaction). There are 17,466,256 transactions and 22,266,571 active addresses in total within the six months period. The results of transaction number percentiles and the service address classification results of each percentile can be seen in Table 2.

Table 2: Percentile of the transactions number of all active addresses within three months before and after the theft transaction.

In this experiment, we choose the classification of service addresses to be at the very top percentile of all addresses in the time limit, at the 99th percentile. As shown in Figure 2, the majority of the addresses have a low number of transactions, at only around two transactions, but the total number of transactions increases exponentially for the addresses at the top percentile. This finding appears to be in line with the finding of Dorit and Adi (2012), which means that a sufficient number of Bitcoin users are concerned enough about their privacy to avoid reusing the same address multiple times. At the 99th percentile, the transaction number required for an address to be classified as a service address is 18 transactions. At this percentile, 8,058 out of 1,006,212 addresses would be classified as service addresses.

Figure 2: Percentile distribution graph of addresses’ transaction number within the four days limit with binary logarithm transformation for transaction amount.

Choosing the lower percentile would mean a higher chance to include services that employ transaction obscuring techniques, such as laundering service addresses; moreover, it would also increase the chance of false classification of normal addresses. However, it should be noted that there are still many individuals who reuse their address, as pointed out in Harrigan and Fretter (2016). Thus, there is still a possibility that the top percentile addresses are actually not service addresses.
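The profiling steps described above (the percentile cut-off for service addresses, stopping the taint at the first service address, and the "earliest route to a service" metric of section 3.4.2) can be combined as in the following added example, which is not the authors' code. It uses a nearest-rank percentile and the Poison* rule, both chosen here as assumptions, and every transaction, address and block height in it is constructed.

```python
from collections import Counter

# A transaction is (txid, block_height, inputs, outputs): inputs are
# (txid, index) outpoints, outputs are (address, value_sat) pairs.


def build_ledger():
    """Constructed ledger: 140 background payments to two busy addresses,
    followed by a theft and the hops that move the stolen outputs."""
    ledger = []
    for k in range(140):
        busy = "EXCH" if k % 2 == 0 else "SHOP"
        outs = [(f"user{k}", 1000), (busy, 5000)]
        ledger.append((f"bg{k}", 1000 + k, [], outs))
    ledger += [
        ("theft", 2000, [], [("thiefA", 500), ("thiefB", 300)]),
        ("t1", 2001, [("theft", 0)], [("hop1", 499)]),
        ("t2", 2003, [("t1", 0)], [("EXCH", 400), ("hop2", 98)]),
        ("t3", 2004, [("t2", 0)], [("cust1", 399)]),  # exchange pays a customer
        ("t4", 2006, [("theft", 1), ("t2", 1)], [("SHOP", 397)]),
        ("t5", 2007, [("t4", 0)], [("cust2", 396)]),  # shop pays a supplier
    ]
    return ledger


def address_tx_counts(ledger):
    """Number of transactions each address appears in, as sender or receiver."""
    owner, counts = {}, Counter()
    for txid, _height, ins, outs in ledger:
        seen = {owner[op] for op in ins}
        for i, (addr, _value) in enumerate(outs):
            owner[(txid, i)] = addr
            seen.add(addr)
        counts.update(seen)
    return counts


def service_addresses(counts, percentile=99):
    """Return (threshold, addresses whose count is at or above it)."""
    ordered = sorted(counts.values())
    if not ordered:
        return 0, set()
    rank = (percentile * len(ordered) + 99) // 100  # nearest rank, rounded up
    threshold = ordered[max(rank, 1) - 1]
    return threshold, {a for a, n in counts.items() if n >= threshold}


def poison_star(ledger, stolen, services, stop_at_service=True):
    """Poison tainting over a ledger in chain order. With stop_at_service,
    an output paid to a service address is recorded but not followed."""
    outs_of = {txid: outs for txid, _h, _i, outs in ledger}
    tainted_ops = set(stolen)
    addresses = {outs_of[txid][i][0] for txid, i in stolen}
    txs, hit = [], {}
    for txid, height, ins, outs in ledger:
        if not any(op in tainted_ops for op in ins):
            continue
        txs.append(txid)
        for i, (addr, _value) in enumerate(outs):
            is_service = addr in services
            if is_service:
                hit.setdefault(addr, height)  # keep the first encounter only
            else:
                addresses.add(addr)
            if not (is_service and stop_at_service):
                tainted_ops.add((txid, i))
    return {"txs": txs, "addresses": addresses, "services_hit": hit,
            "first_service_height": min(hit.values(), default=None)}


if __name__ == "__main__":
    ledger = build_ledger()
    threshold, services = service_addresses(address_tx_counts(ledger))
    stolen = [("theft", 0), ("theft", 1)]
    print("threshold:", threshold, "services:", sorted(services))
    for stop in (True, False):
        result = poison_star(ledger, stolen, services, stop_at_service=stop)
        print("stop" if stop else "no stop", result["txs"],
              sorted(result["addresses"]), result["first_service_height"])
```

Without the stop rule the exchange's and shop's own outgoing payments (`t3`, `t5`) are counted as tainted and pull unrelated customers into the result, which is the over-tainting that the asterisk variants avoid.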

Table 3: The results of each tainting method on the sample data within the four days limit.
[8] Due to the fact that we incorporate the address profiling into every tainting method in this paper, the tainting methods used in this paper are a slightly different version from the ones presented in previous literature. As such, we indicate the inclusion of the address profiling in the methods with an asterisk sign (*) behind the method name.

[9] Sat/Satoshi is the smallest unit of Bitcoin value. 1 Bitcoin is equal to 100,000,000 Satoshis.

4.2 Poison* and Haircut*

As the Poison* and Haircut* methods consider all the involved outputs to be tainted, the number of tainted transactions is the same for both methods, as is the number of tainted addresses. Hence, we will combine the Poison* and Haircut* methods together in the results and discussion section.

The Poison* and Haircut* tainting methods result in the highest number of tainted addresses and transactions compared to other tainting methods, as shown in Table 3. The results of the Poison* and Haircut* tainting display an intriguing pattern that we didn’t expect. We expected that, due to the nature of the Poison* and Haircut* methods, the number of tainted transactions and addresses would be much higher than for the other methods. However, the number of tainted transactions and addresses increases within such a short amount of time at a much higher rate than we expected at first.

The number of tainted transactions and addresses increases exponentially within the first day of the tainting period. Furthermore, the tainted coins reach 7 addresses that we classify as service addresses within the first six hours after the first distribution transaction of the stolen coins. Within the first day of tainting, the tainted coins spread to 55,099 addresses with 11,256 transactions in total, and as many as 939 service addresses receive a portion of the tainted coins. At the end of the tainting time limit, there are 69,840 tainted transactions that involve 255,831 addresses and 3,502 service addresses in total.

The number of reused addresses in the Poison* and Haircut* tainting results is considerably high, at around 10 percent of the total addresses, though the ratio of reused addresses to total tainted addresses decreases over time. Interestingly, the number of fresh addresses (addresses that receive a tainted transaction as their first transaction) is very high throughout the entire time period. The average value of the transaction fee in tainted transactions decreases over time, yet the fee in proportion to the size of the transaction actually increases over time.

The first tainted transaction that involves a service address occurs on block 343,435 which is mined at 12:30:29 on 2015-02-14. The transaction occurs roughly 5 hours after the stolen coins’ distribution transaction on block 343,401 at 07:34:04 on 2015-02-14.

4.3 FIFO*

As shown in Table 3, the FIFO* tainting method results in a much lower number of tainted transactions and addresses compared to the Poison* and Haircut* methods; moreover, the number of tainted transactions and addresses increases much more steadily. On the first day of tainting using the FIFO* method, there are 60 tainted transactions with 105 addresses involved, and only 2 service addresses appear to receive the tainted coins. On the fourth day, there are 91 tainted transactions and 149 tainted addresses in total. The number of service addresses does not increase further after the first day of tainting.

The number of reused addresses in the FIFO* tainting is higher during the first day of tainting, at about 20 to 30 percent of the total addresses, unlike for the Poison* and Haircut* methods. However, similar to the Poison* and Haircut* methods, the ratio of reused addresses to total tainted addresses decreases on the following days. The number of fresh addresses is considerably lower than for the Poison* and Haircut* methods throughout each tainting time period. The average value of the transaction fee is much higher than for the Haircut* method and increases over time; yet the pattern of the fee-to-size proportion is similar, though lower, in comparison to the Poison* and Haircut* methods.

For the FIFO* tainting, the first tainted transaction that involves service addresses occurs on block 343,469, which is mined at 17:01:30. The transaction occurs around 9 hours after the first stolen coins’ distribution transaction.

4.4 LIFO*

As shown in Table 3, the LIFO* tainting method’s results show a similar pattern to the FIFO* method results overall; the number of tainted transactions and addresses is slightly lower compared to the FIFO* method results. On the first day of the LIFO* tainting, there are 56 tainted transactions with 109 addresses involved, including 2 service addresses. The number of service addresses does not increase afterwards. On the fourth day, there are 78 tainted transactions and 140 tainted addresses in total.

The number of reused addresses in the LIFO* tainting is almost the same as for the FIFO* tainting method throughout the entire period, including the ratio to the total number of addresses. However, the number of fresh addresses is slightly lower than for the FIFO* method. Unexpectedly, the average value of the transaction fee is much higher than for the Poison*, Haircut* and FIFO* methods, including in proportion to the transaction size. The average transaction fee is as high as 68,938 Satoshis compared to 48,500 Satoshis for the FIFO* method and 25,799 Satoshis in the Poison* and Haircut* tainting methods. However, the average value and ratio of the transaction fee gradually decrease on the following days, similar to the Poison*, Haircut*, and FIFO* methods.

The first tainted transaction that involves a service address in the LIFO* method is the same one as in the FIFO* method, which occurs on block 343,469.

4.5 TIHO*

As shown in Table 3, the TIHO* tainting method’s results show a similar pattern to the FIFO* and LIFO* methods overall, albeit with a smaller number of tainted transactions and addresses. On the first day of the TIHO* tainting, only 44 transactions and 83 addresses are considered to be tainted. The number of service addresses is similar to the FIFO* and LIFO* methods. In the end, there are 68 tainted transactions and 115 addresses in total.

The number of reused and fresh addresses in the TIHO* tainting is slightly lower than for the FIFO* and LIFO* methods but shows a similar increasing pattern as for the other two methods. However, the TIHO* method has a higher ratio of reused to total addresses than the other two methods. The average value of the transaction fee is considerably higher than in the other tainting methods in the early tainting period, but becomes lower than for the LIFO* method afterwards, while still being much higher than for the FIFO*, Poison* and Haircut* methods. Despite the higher average transaction fee value, the transaction fee per byte ratio is closer to the FIFO* method than the LIFO* method.

The first tainted transaction that involves a service address in the TIHO* method is the same as the FIFO* and LIFO* methods, which occurs on block 343,469.

Figure 3: The number of overlapping tainted transactions between three tainting methods within the 4 days tainting limit.
Figure 4: The number of overlapping addresses that receive tainted coins between three tainting methods within the 4 days tainting limit.

As shown in Figures 3 and 4, a significant number of transactions and addresses are considered to be tainted by all three tainting methods. The FIFO* and LIFO* methods have similar portions of tainted transactions and addresses that are not shared by the other methods. The TIHO* tainting yields almost the same tainting result as the FIFO* method in this sample case, with a minor difference in the tainted address result.
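The following added example (not code from the paper) applies the five methods to a single transaction, to show why Poison* and Haircut* mark the same outputs as tainted while FIFO*, LIFO* and TIHO* agree on a simple transaction and diverge once clean coins are mixed in. It assumes inputs are wholly tainted or wholly clean and that TIHO assigns tainted coins to the highest-value output first; address profiling is left out and the sample transactions are constructed.

```python
"""Taint split across one transaction's outputs under five tainting methods.
Added illustration: inputs are modelled as wholly tainted or wholly clean."""

def _pour(segments, outputs, order):
    """Fill outputs, visited in `order`, from a queue of (amount, tainted) segments.
    Whatever is left in the queue afterwards is the miner fee."""
    queue = list(segments)
    taint = [0] * len(outputs)
    for idx in order:
        need = outputs[idx]
        while need > 0:
            amount, tainted = queue[0]
            take = min(amount, need)
            if tainted:
                taint[idx] += take
            need -= take
            if take == amount:
                queue.pop(0)
            else:
                queue[0] = (amount - take, tainted)
    return taint

def distribute(method, inputs, outputs):
    """Return the tainted satoshis carried by each output.
    inputs: ordered [(value, tainted_bool)], outputs: ordered [value]."""
    total_in = sum(value for value, _ in inputs)
    total_taint = sum(value for value, tainted in inputs if tainted)
    if sum(outputs) > total_in:
        raise ValueError("outputs exceed inputs")
    if total_taint == 0:          # nothing tainted goes in, nothing tainted comes out
        return [0] * len(outputs)
    positions = range(len(outputs))
    if method == "poison":        # any tainted input taints every output in full
        return list(outputs)
    if method == "haircut":       # every output carries the same tainted fraction
        return [value * total_taint // total_in for value in outputs]
    if method == "fifo":          # first input coins go to the first output
        return _pour(inputs, outputs, positions)
    if method == "lifo":          # last input coins go to the first output
        return _pour(inputs[::-1], outputs, positions)
    if method == "tiho":          # assumed: tainted coins first, to the highest-value output
        dirty_first = sorted(inputs, key=lambda seg: not seg[1])
        by_value = sorted(positions, key=lambda i: -outputs[i])
        return _pour(dirty_first, outputs, by_value)
    raise ValueError(f"unknown method: {method}")

def tainted_outputs(method, inputs, outputs):
    """Indices of the outputs a tracer would keep following."""
    return {i for i, t in enumerate(distribute(method, inputs, outputs)) if t > 0}

METHODS = ("poison", "haircut", "fifo", "lifo", "tiho")
# Constructed sample transactions, values in satoshis.
SIMPLE_IN, SIMPLE_OUT = [(100, True)], [60, 40]              # no clean coins mixed in
MIXED_IN, MIXED_OUT = [(50, True), (150, False)], [70, 120]  # 10 satoshis left as fee

if __name__ == "__main__":
    for name, ins, outs in (("simple", SIMPLE_IN, SIMPLE_OUT), ("mixed", MIXED_IN, MIXED_OUT)):
        for method in METHODS:
            print(name, method, distribute(method, ins, outs))
```

On the mixed transaction Poison and Haircut differ in the tainted amounts but keep both outputs in the trace, whereas FIFO follows only the first output and LIFO and TIHO only the second.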

Figure 5: The number of tainted coins received by service addresses at each limit time period for all the tainting methods.

Despite a very high number of service addresses in the Poison* and Haircut* methods, the value of tainted coins that reach service addresses is still rather low as can be seen in Figure 5. This means that most of the transactions that involve service addresses consist of a very low number of Bitcoins overall. The amount of tainted coins that manage to reach the service addresses is very low, at roughly 0.4 percent of the total tainted coins for all four tainting methods.

The experiment is limited by the lack of a control group for evaluating the tainting methods. We therefore cannot yet compare the tainting results to normal/clean transactions for further evaluation in this paper.

5 Discussion and Evaluation

The results of the Poison* and Haircut* tainting methods are very intriguing and unexpected. As can be seen in Table 2, the number of transactions that the Poison* and Haircut* methods consider to contain tainted coins is very high on the first day (almost 10 percent of total transactions). We assume that the thief distributes the tainted coins rapidly, with a high possibility of involving money laundering services multiple times within the first day of the theft. As our implementation of the tainting methods stops tainting at addresses that have a very high amount of transaction traffic within the time period (i.e., likely service addresses), the tainting process is not yet able to effectively detect money laundering service addresses, considering the low number of transactions.

However, even with the lack of money laundering transaction analysis and profiling, the number of addresses that the tainting considers to be a service entity after one day is considerably high at 939. There are three possible explanations for the high number of service addresses that the tainted coins reach within the first day for the Haircut* and Poison* methods. First, the thief employed laundering services to mix the tainted coins; the laundering services then mix the tainted coins with clean coins from other users and distribute a portion of them to the other users that also employ the mixing services. This would create a possibility that the addresses that spend the tainted coins on the service addresses we detected are actually owned by unrelated users. Second, the thief himself spent the stolen coins right away on the first day of the theft. Third, some of the service addresses are actually not service addresses, meaning the users reuse their addresses multiple times.

Due to the lack of consecutive money laundering analysis, we cannot yet confirm which possibility is correct, nor can we prove or disprove either the first or the second theory. The third theory can be partially true: while many users do indeed reuse their addresses, it is still quite unlikely that many non-service addresses would have enough transactions to reach the top percentile of all the addresses. In any case, the only way we can truly disprove those possibilities is by performing further analyses of the involved addresses while considering additional information.

Another consideration that should also be taken into account is that illegal activities are one of the most important aspects of the Bitcoin economy, considering that as high as 33 percent of all Bitcoin transactions involve illegal activities (Foley et al., 2018). Thus, classifying service addresses as exit points of tainted transactions using only transaction traffic may not be sufficient, considering that thieves would more likely prefer spending the stolen coins at the exit points with the least chance of being caught, as opposed to official services like cryptocurrency exchange services at which governments can enforce laws. As the services or businesses that engage in illegal activities are likely to employ transaction obscuring techniques to protect their own privacy, the address profiling should not rely solely on the number of transactions in order to capture more accurate results.
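The stop rule and its weakness discussed above, as an added example that is not the authors' implementation: a Poison-style trace over constructed transactions that treats any address at or above a traffic threshold as a service exit point. The absolute threshold `min_traffic`, the function names and the sample data are assumptions of this example.

```python
"""Poison-style tracing that stops at addresses classified as services by traffic.
Added illustration on constructed data; the traffic threshold is an assumption."""
from collections import Counter

# Constructed sample: (txid, hour, spent outpoints [(txid, index)], output addresses).
TXS = [
    ("theft", 0, [("cold", 0)], ["thief0"]),
    ("d1", 1, [("theft", 0)], ["a1", "a2"]),
    ("x1", 2, [("u1", 0)], ["exch"]),
    ("x2", 3, [("u2", 0)], ["exch"]),
    ("d2", 5, [("d1", 0)], ["exch", "a3"]),
    ("x3", 6, [("d2", 0), ("x1", 0), ("x2", 0)], ["hot"]),
    ("d4", 8, [("d2", 1)], ["a4"]),
    ("d3", 30, [("d1", 1)], ["a3"]),
]
STOLEN = {("theft", 0)}  # outpoint holding the stolen coins

def address_traffic(txs):
    """Count the transactions in which each address receives or spends coins."""
    owner = {(txid, i): addr for txid, _, _, outs in txs for i, addr in enumerate(outs)}
    traffic = Counter()
    for _, _, spent, outs in txs:
        traffic.update({owner[o] for o in spent if o in owner} | set(outs))
    return traffic

def trace(txs, stolen, min_traffic, limit_hours):
    """Follow tainted outpoints inside the time limit; service addresses are exit points."""
    window = sorted((tx for tx in txs if tx[1] <= limit_hours), key=lambda tx: tx[1])
    services = {a for a, n in address_traffic(window).items() if n >= min_traffic}
    tainted = set(stolen)
    result = {"transactions": [], "addresses": set(), "services": set()}
    for txid, _, spent, outs in window:
        if not tainted & set(spent):
            continue                      # no tainted input: transaction stays clean
        result["transactions"].append(txid)
        for index, addr in enumerate(outs):
            result["addresses"].add(addr)
            if addr in services:
                result["services"].add(addr)   # recorded, but not followed further
            else:
                tainted.add((txid, index))
    return result

if __name__ == "__main__":
    for threshold in (4, 3):
        print(threshold, trace(TXS, STOLEN, min_traffic=threshold, limit_hours=48))
```

With the threshold at 4 only `exch` is classified as a service and its sweep into `hot` stays untainted; lowering it to 3 also classifies the reused address `a3` as a service, and the trace no longer reaches `a4`.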

The results of the FIFO*, LIFO* and TIHO* methods display very similar patterns and values, especially during the first six hours. This entails that the majority of the transactions during the first day consist of simple input and output structures with low amounts of coin mixing, hence the minor difference in value. Yet, the results at the end of the first day and afterwards show a significant difference in value between the three tainting methods, despite a considerable overlap of transactions and addresses, as shown in Figures 3 and 4.

Overall, the FIFO* tainting result has the highest number of tainted transactions and addresses, including the number of reused and fresh addresses, of all three tainting methods. However, in terms of the proportion between total tainted, reused and fresh addresses, the FIFO* tainting method performs better than both the LIFO* and TIHO* methods, considering our hypothesis that the thief would be less likely to reuse addresses in order to reduce transaction traceability.

For the transaction fee variable, even though each tainting method presents varied results for both the average fee value and size ratio, they all seem to share the same pattern of change throughout the entire tainting period. Also, while all of the tainting methods have similar results in this aspect during the early tainting, the results seem to diverge greatly past the first half of the first day of tainting. The FIFO* method results in a much lower average transaction fee in its tainted transactions, for both value and size ratio, compared to the LIFO* and TIHO* methods. For the LIFO* method, the tainted transactions have a much higher transaction fee than the other two. Based on our hypothesis, the LIFO* tainting results provide the most accurate tracking result in this aspect, followed by the TIHO* and FIFO* methods.

Table 4: The transaction fee of clean transactions according to Poison* and Haircut* methods within 4 days limit period.

In order to evaluate the transaction fee results, we also extract the transaction fee of all other clean transactions according to the Poison* and Haircut* methods within the same time period as the tainted transactions, which can be used to represent the average transaction fee at the time, as shown in Table 4. The transaction fee value and size ratio of the clean transactions are constant throughout the four-day period at around 15,000 Satoshis and 37 Satoshis per byte. Compared to the tainting results, the average transaction fee for the clean transactions is much lower for every limit time period. However, the transaction fee size ratio is much higher than for the tainted transactions from all four tainting methods. We can interpret this difference as follows: due to the higher-than-average value of the stolen coins, the tainted transactions would have a much higher transaction fee value than the average transactions in the same period. Interestingly, however, the fee size ratio of tainted transactions in this sample case is much lower than the average transaction ratio. Therefore, it is likely that the thief prioritises saving the stolen coins rather than the speed of transaction confirmation into the block in this sample theft case.

Based on our transaction fee hypothesis, the assumption that the thief would include a higher transaction fee to speed up the transaction confirmation time does not perfectly match the common pattern shown in the result and comparison to the average clean transaction fee in this sample case. The inclusion of those variables still provides an interesting insight due to the distinct difference in transaction fees between the tainted transaction and clean transaction.

While the address profiling of service addresses that we incorporated into the tainting shows interesting results in the Poison* and Haircut* methods, as there are as many as 3,502 service addresses receiving the tainted coins, our hypothesis for service reaching – that the thief would like to try to spend the stolen coins as soon as possible – is in contradiction to the results shown in Figure 5. Although the number of service addresses is very high in the Poison* and Haircut* methods, the total value of the tainted coins that reach a service is very low compared to the total tainted coins involved for every tainting method. This ineffectiveness may be the result of the short evaluation period, as there is also a possibility that the thief would try to “lay low” until public awareness decreases before spending the stolen coins.

Nevertheless, the results still prove that a certain amount of tainted coins already reaches addresses that are likely to belong to service entities within the first four days of the tainted coin distribution. This means that the integration of address profiling into the tainting method can further improve the tainting exercise, while providing more accurate and detailed profiling for both classification and address profiling. This can be achieved by incorporating additional techniques such as address clustering, for example input sharing clustering, transaction behaviour clustering, and so on.

6 Conclusion and Future Work

While the privacy that Bitcoin can bring to users is revolutionary in today’s modern society, the privacy features can also be used to commit crimes or even cause harm to others, which brings a negative image to Bitcoin, as can often be seen in today’s news. In an attempt to combat crime and illegal activities in Bitcoin, tracing the coins to the end of the blockchain alone would only show who are the unlucky winners to be the last holders of dirty coins chosen by the tainting process. In order to truly track crime in Bitcoin, it is crucial to understand the context of each transaction involved.

The context of a transaction can be obtained by combining blockchain information with external information that is publicly available, such as forum websites (Michael et al., 2015). The variables we used to analyse the context of transactions in this paper are transaction information that can be found directly in the blockchain. Such information cannot be falsified due to the nature of the blockchain and the Bitcoin protocol itself. However, when retrieving information from external sources, there is a risk of the information being either incorrect or purposely falsified, so extra caution must be exercised when handling external information.

The result of our experiment shows that some of our hypotheses are in conflict with the actual result, which means that the comparison between the tainting methods still requires further analysis and validation before we can truly measure and evaluate their accuracy. Still, the hypothesis variables that we applied show potential to be used further as evaluation variables in the taint analysis.

The address profiling process can be developed further by incorporating additional techniques, such as address clustering and network analysis, and by incorporating other transaction information as evaluation variables. Address profiling can also use network analysis of the transaction network to find the structural patterns of transactions and addresses; the result can then be used to discern the transaction flow and the relationships of the addresses involved in the tainted transactions (Bianconi and Agrawal, 2017).

This paper laid the foundation for our future work on transaction tainting analysis, not only to discover the most accurate tainting strategy but also to improve upon the current tainting analysis methods. The results of transaction tainting can then be used to assist cybersecurity in combating cryptocurrency cybercrime. This will have important implications not only for cybersecurity but also for financial regulatory developments.


References

  • Anderson et al. (2018) Anderson, R., Shumailov, I., and Ahmed, M. (2018). Making Bitcoin Legal: 26th International Workshop, Cambridge, UK, March 19–21, 2018, Revised Selected Papers, pages 243–253.
  • Bianconi and Agrawal (2017) Bianconi, G. and Agrawal, M. C. (2017). Predicting bitcoin transactions with network analysis.
  • Dorit and Adi (2012) Dorit, R. and Adi, S. (2012). Quantitative Analysis of the Full Bitcoin Transaction Graph. Technical Report 584.
  • Eric et al. (2018) Eric, L., Jiyeun, L., and Jordan, R. (2018). Cryptocurrencies lose 42 billion usd after south korean bourse hack. Accessed: 2018-12-11.
  • Foley et al. (2018) Foley, S., Karlsen, J. R., and Putnins, T. J. (2018). Sex, drugs, and bitcoin: How much illegal activity is financed through cryptocurrencies? SSRN Electronic Journal.
  • Franco (2015) Franco, P. (2015). Understanding Bitcoin: Cryptography, Engineering and Economics. John Wiley & Sons, 1st edition.
  • Harrigan and Fretter (2016) Harrigan, M. and Fretter, C. (2016). The Unreasonable Effectiveness of Address Clustering. In 2016 Intl IEEE Conferences on Ubiquitous Intelligence Computing, Advanced and Trusted Computing, Scalable Computing and Communications, Cloud and Big Data Computing, Internet of People, and Smart World Congress (UIC/ATC/ScalCom/CBDCom/IoP/SmartWorld), pages 368–373.
  • Higgins (2015) Higgins, S. (2015). Bter claims 1.75 usd million in bitcoin stolen in cold wallet hack. Accessed: 2019-01-13.
  • Michael et al. (2015) Michael, F., Michael, K., and Sudeep, P. (2015). Bitcoin Transaction Graph Analysis. arXiv:1502.01657 [cs].
  • Moser et al. (2013) Moser, M., Bohme, R., and Breuker, D. (2013). An inquiry into money laundering tools in the Bitcoin ecosystem. In 2013 APWG eCrime Researchers Summit, pages 1–14.
  • Moser et al. (2014) Moser, M., Bohme, R., and Breuker, D. (2014). Towards Risk Scoring of Bitcoin Transactions. In Financial Cryptography and Data Security, Lecture Notes in Computer Science, pages 16–32. Springer Berlin Heidelberg.
  • Nakamoto (2009) Nakamoto, S. (2009). Bitcoin: A Peer-to-Peer Electronic Cash System.