Bitcoin is not anonymous. Anyone who has followed the dark web or the continuing regulation of the cryptocurrency should be familiar with that idea. If someone manages to link a real identity to a wallet—something that we've seen is possible—they can then follow other transactions around the public blockchain to see where else that person's money has traveled.
Now, researchers are releasing an open-source tool for grouping bitcoin transactions together in order to identify which belong to the same entity, marketplace, or person. It doesn't necessarily reveal the identity of the bitcoin user, but it can show details about someone's bitcoin spending.
"Our goal is not to help either the offenders or law enforcement"
"Our goal was to see, how much data can you gather on people who are using the bitcoin network, and can you aggregate the bitcoin wallets which seem to be anonymous and isolated from one another?" David Décary-Hétu, an assistant professor at the School of Criminology at the University of Montreal, told Motherboard in an interview. Along with Mathieu Lavoie, a researcher and penetration tester at a large financial institution, the pair will be presenting their work at the upcoming HOPE hacking conference later this week.
Lavoie originally showcased the Python-based tool, now known as BitCluster, back at the NorthSec 2015 conference. By analysing transactions between addresses, the tool allows users to build up a network of associated bitcoin wallets and download the results in a spreadsheet.
"Instead of seeing movement per addresses, you see movement per entity," Lavoie told Motherboard. That entity might be a drug dealer, a fraudster, or an ordinary bitcoin user. Décary-Hétu and Lavoie will be showing their own BitCluster findings on ransomware operators and dark web marketplaces at HOPE.
In lots of cases, ransomware authors—the people behind malware that locks down a computer until a bitcoin bounty is paid—give each victim their own bitcoin address to send money to. That way, the criminals can keep track of who has actually paid. But if the author pools all of that cash back into one wallet, "Then we can see exactly how much money they've made, because we can group this data by date or amount, we can know exactly when the first victim sent them money," Décary-Hétu said.
As for dark web marketplaces, it is possible to cluster the wallets that are being used for escrow payments on any one market—that is, the money held by the market until sellers fulfill their end of the deal. The pair has data for the original Silk Road, but also more recent and still up-and-running markets, such as AlphaBay and Nucleus. Using this information, it's possible to see how many people were making payments at any one time, how much was made overall, or the average amount of transactions on a market.
Previous research has used the feedback left by customers on marketplaces to track dark web expenditure. "Using this BitCluster tool, we can validate the data we have, or even correct it in some cases," Décary-Hétu said.
BitCluster will be open-source, but the researchers aren't planning on hosting a version themselves; it takes up a lot of computing resources, especially for very popular entities, such as shuttered bitcoin exchange Mt. Gox, so other investigators will likely need to set up their own instance of it.
Presumably, researchers may not be the only ones to take advantage of BitCluster; law enforcement could use it too.
"Our goal is not to help either the offenders or law enforcement. It's an open tool to help people have a better idea of what is going on with the bitcoin network," Décary-Hétu said.
There are ways of handling bitcoin that make BitCluster's job much harder, though. Tumblers, for example, send random amounts of bitcoins to a selection of addresses. BitCluster may, however, be able to track the money if it all eventually lands in a single account.
Ultimately, the best tactic to avoid being profiled by a tool like this is not to share addresses and to create single-use wallets per transaction. Then, even if a wallet or two are linked, they should be isolated from any other transactions on the blockchain.
"This tool can help us understand bitcoin movements when people are not using it properly," Décary-Hétu said. "And let's face it, most people are not using it properly."