BlockTag: Design and applications of a tagging system for blockchain analysis

Annotating blockchains with auxiliary data is useful for many applications. For example, e-crime investigations of illegal Tor hidden services, such as Silk Road, often involve linking Bitcoin addresses, from which money is sent or received, to user accounts and related online activities. We present BlockTag, an open-source tagging system for blockchains that facilitates such tasks. We describe BlockTag's design and present three analyses that illustrate its capabilities in the context of privacy research and law enforcement

Deanonymizing tor hidden service users through bitcoin transactions analysis

With the rapid increase of threats on the Internet, people are continuously seeking privacy and anonymity. Services such as Bitcoin and Tor were introduced to provide anonymity for online transactions and Web browsing. Due to its pseudonymity model, Bitcoin lacks retroactive operational security, which means historical pieces of information could be used to identify a certain user. We investigate the feasibility of deanonymizing users of Tor hidden services who rely on Bitcoin as a method of payment. In particular, we correlate the public Bitcoin addresses of users and services with their corresponding transactions in the Blockchain. In other words, we establish a provable link between a Tor hidden service and its user by simply showing a transaction between their two corresponding addresses. This subtle information leakage breaks the anonymity of users and may have serious privacy consequences, depending on the sensitivity of the use case. To demonstrate how an adversary can deanonymize hidden service users by exploiting leaked information from Bitcoin over Tor, we carried out a real-world experiment as a proof-of-concept. First, we collected public Bitcoin addresses of Tor hidden services from their .onion landing pages. Out of 1.5K hidden services we crawled, we found 88 unique Bitcoin addresses that have a healthy economic activity in 2017. Next, we collected public Bitcoin addresses from two channels of online social networks, namely, Twitter and the BitcoinTalk forum. Out of 5B tweets and 1M forum pages, we found 4.2K and 41K unique online identities, respectively, along with their public personal information and Bitcoin addresses. We then expanded the lists of Bitcoin addresses using closure analysis, where a Bitcoin address is used to identify a set of other addresses that are highly likely to be controlled by the same user. This allowed us to collect thousands more Bitcoin addresses for the users. By analyzing the transactions in the Blockchain, we were able to link up to 125 unique users to various hidden services, including sensitive ones, such as The Pirate Bay, Silk Road, and WikiLeaks. Finally, we traced concrete case studies to demonstrate the privacy implications of information leakage and user deanonymization. In particular, we show that Bitcoin addresses should always be assumed as compromised and can be used to deanonymize users

Measurement and Analysis of Bitcoin Transactions of Ransomware

Recently, more than 100,000 cases for ransomware attacks were reported in the Middle East, Turkey and Africa region [2]. Ransomware is a malware category that limits the access of users to their files by encrypting them. This malware requires victims to pay in order to get access to the decryption keys. In order to remain anonymous, ransomware requires victims to pay through the Bitcoin network. However, due to an inherent weakness in Bitcoin's anonymity model, it is possible to link identities hidden behind Bitcoin addresses by analyzing the blockchain, Bitcoin's public ledger where all of the history of transactions is stored. In this work, we investigate the feasibility of linking users, as identities represented by Bitcoin's public addresses, to addresses owned by entities operating ransomware. To demonstrate how such linking is possible, we crawled BitcoinTalk, a famous forum for Bitcoin related discussions, and a subset of Twitter public datasets. Out of nearly 5B tweets and 1M forum pages, we found 4.2K and 41K unique online identities, respectively, along with their public personal information and Bitcoin addresses. Then we expanded these datasets of users by using closure analysis, where a Bitcoin address is used to identify a set of other addresses that are highly likely to be controlled by the same user. This allowed us to collect thousands more Bitcoin addresses for the users. By analyzing transactions in the blockchain, we were able to link 6 unique identities to different ransomware operators including CryptoWall [1] and WannaCry [3]. Moreover, in order to get insights into the economy and activity of these Ransomware addresses, we analyzed the money flow of these addresses along with the timestamps associated with transactions involving them. We observed that ransomware addresses were active from 2014 to 2017, with an average lifetime of nearly 62 days. While some addresses were only active during a certain year, others were operating for more than 3 years. We also observed that the revenue of these malware exceeds USD 6M for CryptoWall, and ranges from USD 3.8K to USD 700K for ransomware such as WannaCry and CryptoLocker, with an average number of transactions of nearly 52. One address associated with CryptoLocker ransomware also had a large amount of Bitcoins worth more than USD 34M at the time of writing. Finally, we believe that such type of analysis can potentially be used as a forensic tool to investigate ransomware attacks and possibly help authorities trace the roots of such malware. 1- «Ransom Cryptowall.» Symantec. June 14, 2014. Accessed November 01, 2017. https://www.symantec.com/security_response/writeup.jsp?docid = 2014-061923-2824-99.2- Varghese, Joseph. «Ransomware could be deadly, cyber security expert warns.» Gulf Times. May 05, 2017. Accessed November 01, 2017. http://www.gulf times.com/story/546937/Ransomware-could-be-deadly-cyber-security-expert-w.3- Woollaston, Victoria. «WannaCry ransomware: what is it and how to protect yourself.» WIRED. June 28, 2017. Accessed November 01, 2017. http://www.wired.co.uk/article/wannacry-ransomware-virus-patch.qscienc