[PPT] - A Suite of Tools for the Forensic Analysis of Bitcoin Transactions: PowerPoint Presentation

SLIDE 1

UNIVERSITÀ DEGLI STUDI DI PERUGIA Dipartimento di Matematica e Informatica

A Suite of Tools for the Forensic Analysis of Bitcoin Transactions: Preliminary Report

Stefano Bistarelli, Ivan Mercanti and Francesco Santini

EURO-PAR 2018 WS FPDAPP 28-08-2018

SLIDE 2

BLOCKCHAINVIS SUITE

SLIDE 3

A SUITE OF TOOLS FOR THE FORENSIC ANALYSIS OF BITCOIN TRANSACTIONS

AGENDA

▸ BlockchainVis Suite ▸ Modules ▸ Future works

SLIDE 4

BLOCKCHAINVIS SUITE

SYSTEM DESIGN

SLIDE 5

BITCORE NODE

Bitcoin Node

SLIDE 6

BITCOIN NETWORK

BITCOIN

User Traders Exchange Miners Block N Block 2 Block 1 Block 0 Blockchain

SLIDE 7

BITCOIN TRANSACTIONS

HOW TRANSACTIONS WORK

SLIDE 8

BITCORE NODE

BITCOIN CORE

SLIDE 9

BITCOIN ADRESSES SCRAPER

Scraper

SLIDE 10

BITCOIN ADRESSES SCRAPER

SET OF USED SCRAPERS

▸ User-names on Bitcoin Talk and Bitcoin-OTC; ▸ Physical coins created by Casascius; ▸ Known scammers on the Bitcoin-OTC and Bitcoin Talk trust system; ▸ Name tags on block-chain.info.  

▸

SLIDE 11

DATABASE OF TRANSACTIONS

Blockchain DB

SLIDE 12

DATABASE OF TRANSACTIONS

THE BLOCKCHAIN IN A DB

SLIDE 13

MIXING SERVICES DETECTOR

Mixing Services

SLIDE 14

MIXING SERVICES DETECTOR

MIXING SERVICES

Mixing services

SLIDE 15

MIXING SERVICES DETECTOR

MIXING SERVICES

Mixing Service Name Fees Return Time Minimum import Maximum import

Helix Light 3% 10 minutes - 24 hours 0.01 BTC 43 BTC Bitcoin Blender 1-3% 0 - 99 hours 0.01 BTC None Coin Cloud 1% Instantaneous (less then 1 hour) 0.01 BTC None CoinMixer 1-3% + 0.0006 BTC Hours 0.01 BTC None BitClock Random around 2% + 0.0008 BTC Hours 0.02 BTC 10 BTC

SLIDE 16

MIXING SERVICES DETECTOR

DATA SET

Mixing services transactions  All transactions 

Type Made with mixing services Obtained from the Block-chain Time range From 25 September 2017 To 22 October 2017 From 25 September 2017 To 22 October 2017 Label Label with the name of the service No label Number of transactions 973 7,852,074

SLIDE 17

MIXING SERVICES DETECTOR

BEHAVIORAL PATTERNS

SLIDE 18

MIXING SERVICES DETECTOR

COINMIXER

#output address <=100 #output address > 100 V < 1000 #output address >=1000 Transactions Edge

SLIDE 19

MIXING SERVICES DETECTOR

14 SUSPICIOUS TRANSACTIONS

#output address <=100 #output address > 100 V < 1000 #output address >=1000 Transactions Edge

▸ Number of input addresses equal to 2 ▸ Number of output addresses in the range [2530, 2534] ▸ They were collected one a day, for 14 consecutive days.

SLIDE 20

MIXING SERVICES DETECTOR

SIMILARITY OF ADDRESS SETS

Transaction TX 1 TX 2 TX 3 TX 4 TX 5 TX 6 TX 7 TX 1 100% 98% 97% 96% 95% 93% 93% Transaction TX 8 TX 9 TX10 TX 11 TX 12 TX 13 TX 14 TX 1 91.78 91% 90% 90% 89% 88% 88%

SLIDE 21

BLOCKCHAINVIS (VISUALISATION)

Mixing Services Visualizations

SLIDE 22

BLOCKCHAINVIS

VISUALIZATION LAYER

SLIDE 23

BLOCKCHAINVIS

ISLAND VISUALIZATION

SLIDE 24

BLOCKCHAINVIS

ISLAND VISUALIZATION

SLIDE 25

BLOCKCHAINVIS

WANNA CRY

SLIDE 26

BITCOIN ADDRESSES CLUSTERISER

Mixing Services Clustering

SLIDE 27

BITCOIN ADDRESSES CLUSTERISER

MULTI-INPUT HEURISTIC

Transaction Input 0 address Input 1 address Input 2 address Output 1 address Output 0 address

SLIDE 28

BITCOIN ADDRESSES CLUSTERISER

MULTI-INPUT HEURISTIC

Input 0 address Input 1 address Input 2 address Transaction Output 1 address Output 0 address

SLIDE 29

BITCOIN ADDRESSES CLUSTERISER

SHADOW, CONSUMER AND OPTIMAL CHANGE HEURISTIC

Input address Transaction Output 0 address Output 1 address

SLIDE 30

BITCOIN ADDRESSES CLUSTERISER

Input address Transaction Output change address Output address

SHADOW, CONSUMER AND OPTIMAL CHANGE HEURISTIC

SLIDE 31

BITCOIN ADDRESSES CLUSTERISER

ONE-TO-ONE HEURISTIC

Input 0 address Transaction Output 0 address

SLIDE 32

BITCOIN ADDRESSES CLUSTERISER

ONE-TO-ONE HEURISTIC

Input 0 address Transaction Output 0 address

SLIDE 33

BITCOIN ADDRESSES CLUSTERISER

THE MULTISIG-ONE HEURISTIC

Input 0 address Transaction Output 0 address 0 Output 0 address 1 Output 0 address 2

SLIDE 34

BITCOIN ADDRESSES CLUSTERISER

THE MULTISIG-ONE HEURISTIC

Input 0 address Transaction Output 0 address 0 Output 0 address 1 Output 0 address 2

SLIDE 35

BITCOIN ADDRESSES CLUSTERISER

THE MULTISIG-TWO HEURISTIC

Input 0 address Transaction Output 0 address 0 Output 0 address 1 Output 0 address 2 Output 0 address 3

SLIDE 36

BITCOIN ADDRESSES CLUSTERISER

THE MULTISIG-TWO HEURISTIC

Input 0 address Transaction Output 0 address 0 Output 0 address 1 Output 0 address 0 Output 0 address 1 Output 0 address 2 Output 0 address 3

SLIDE 37

BITCOIN ADDRESSES CLUSTERISER

BITCOIN ADDRESSES CLUSTERED

Heuristic Clustered Addresses % of clustered Addreses

MI 83,867,895 72.61 OC 5,004,254 4.33 MS1 520,396 0.45 MS2 2,263 0.001 MI+OC 87,613,567 75.86 MI+MS1 84,372,511 73.05 MI+MS2 83,868,035 72.61 OC+MS1 5,523,007 4.78 OC+MS2 5,006,484 4.33 MS1+MS2 521,263 0.45 MI+OC+MS1 88,116,265 76.29 MI+OC+MS2 87,613,699 75.86 MI+OC+MS1 84,373,211 72.61 OC+MS1+MS2 5,523,859 4.78 MI+OC+MS1+MS2 88,116,388

76.29

SLIDE 38

TRANSACTION INFORMATION

Mixing Services Tx Info

SLIDE 39

TRANSACTION INFORMATION

STANDARD VS NON STANDARD

1 10000 100000000 STANDARD NON STANDARD

304 55.509.759 220.857 782.123.115

SLIDE 40

TRANSACTION INFORMATION

DISTRIBUTION OF STANDARD TRANSACTIONS

1 1000 1000000 1000000000

P2PKH P2PK Multi-signature OP_RETURN P2SH P2WPKH P2WSH

SLIDE 41

TRANSACTION INFORMATION

DISTRIBUTION OF NON STANDARD TRANSACTIONS

1 10 100 1.000

OnlyHash P2Pool Bug CLTV MIN EQUAL P2PKH NOP P2PKH 0 RETURN ERROR P2H Others

SLIDE 42

TRANSACTION INFORMATION

DISTRIBUTION OF MINERS IN NON-STANDARD TRANSACTIONS

UNKNOWN 20% BTC Guild 1% AntPool 1% Bitcoin-India 3% Eligius 5% F2Pool 4% P2Pool 64% BitClub 2%

SLIDE 43

CONCLUSIONI

FUTURE WORKS

▸ Bitcore Node: build a graphical interface. ▸ Database of transactions: build Spark DB with Mesh to store the graph

structure of transactions and a MongoDB for visualizations.

▸ Mixing Services Detector: fully automatised the module. ▸ Bitcoin Addresses Clusteriser: clustered addresses with all

aforementioned heuristics.

▸ Transaction Information: study P2SH, the aim is to investigate such

scripts.

SLIDE 44

CONCLUSIONI

FUTURE WORKS

▸ We plan to build a new module that show informations

about miners, called Miner analysis.

▸ Make BlockchainVis Suite able to analyse not only Bitcoin,

but also other crypto-currencies, as Ethereum for example.

SLIDE 45

CONCLUSIONI

RELATED PUBLICATIONS

▸ Stefano Bistarelli, Matteo Parroccini, Francesco Santini: Visualizing Bitcoin

Flows of Ransomware: WannaCry One Week Later. ITASEC 2018

▸ Stefano Bistarelli, Francesco Santini: Go with the -Bitcoin- Flow, with Visual

Analytics. ARES 2017: 38:1-38:6

▸ Stefano Bistarelli, Marco Mantilacci, Paolo Santancini, Francesco Santini: An end-

to-end voting-system based on bitcoin. SAC 2017: 1836-1841

▸ S. Bistarelli, A. Cretarola, G. Figà-Talamanca, I. Mercanti, and M. Patacca: Is

arbitrage possible in the bitcoin market?. GECON 2018.

▸ Stefano Bistarelli, Ivan Mercanti, and Francesco Santini: An analysis of non-

standard bitcoin transactions. Crypto Valley Conference 2018.

SLIDE 46

THANKS FOR THE ATTENTION. QUESTIONS?

UNIVERSITÀ DEGLI STUDI DI PERUGIA Dipartimento di Matematica e Informatica

A Suite of Tools for the Forensic Analysis of Bitcoin Transactions: Preliminary Report

Stefano Bistarelli, Ivan Mercanti and Francesco Santini

EURO-PAR 2018 WS FPDAPP 28-08-2018