Behind the chain of obscurity : methodologies for cryptocurrency forensic analysis

Bitcoin and alternative cryptocurrencies are decentralised digital currencies that allow users to anonymously exchange money without requiring the presence of a trusted third party. The privacy components of cryptocurrency can facilitate illegal activities and present new challenges for cybercrime forensic analysis. Tackling such challenges motivates new research interest in cryptocurrency tracking. This thesis explores and proposes novel methodologies and improvements to existing cryptocurrency tracking and analysis methodologies. Our first contribution explores the most commonly used cryptocurrency tracking methodology named Taint Analysis and investigates a potential improvement to the methodology’s tracking precision with the implementation of address profiling. We also introduce two context-based taint analysis strategies and hypothesise behaviours related to the tracked Bitcoins context to create a set of evaluation metrics. We conducted an experiment using sample data from known illegal Bitcoin cases to illustrate and evaluate the methodology, and the results reveal distinct transaction behaviours in tracking between the results with and without address profiling for all of the metrics. Our second contribution proposes a cryptocurrency tracking methodology named Address Taint Analysis that is capable of tracking zero-taint coins created by Privacy-Enhancing Technologies (PETs) called centralised mixer services, which are untrackable with taint analysis tracking. Our results indicate that our proposed address taint analysis can trace the zero-taint Bitcoins from nine well-known mixer services back to the original Bitcoins. Our third contribution investigates and proposes a detection method for Wasabi Wallet’s CoinJoin transactions, which is one of the most recent well-known PET services. Our fourth contribution introduces an open-source library for cryptocurrency tracking and analysis named, TaintedTX , that we utilised to perform our research experiments. The library supports a variety of taint analysis strategies that users can select to track targeted transactions or addresses. The library also includes a compilation of utility functions for address clustering, website scraping, transaction and address classifications

Tracking Mixed Bitcoins

Mixer services purportedly remove all connections between the input (deposited) Bitcoins and the output (withdrawn) mixed Bitcoins, seemingly rendering taint analysis tracking ineffectual. In this paper, we introduce and explore a novel tracking strategy, called \emph{Address Taint Analysis}, that adapts from existing transaction-based taint analysis techniques for tracking Bitcoins that have passed through a mixer service. We also investigate the potential of combining address taint analysis with address clustering and backward tainting. We further introduce a set of filtering criteria that reduce the number of false-positive results based on the characteristics of withdrawn transactions and evaluate our solution with verifiable mixing transactions of nine mixer services from previous reverse-engineering studies. Our finding shows that it is possible to track the mixed Bitcoins from the deposited Bitcoins using address taint analysis and the number of potential transaction outputs can be significantly reduced with the filtering criteria.Comment: 17 pages, 3 figures, CBT 202