Navigating the Crypto Jungle: How to Investigate a Trail of Bitcoin

Pull back the curtain on anonymous bitcoin users while learning how to use OSINT tools and techniques in this article.


Introduction

In the vast and often perplexing world of cryptocurrencies, unraveling the complexities of transactions can feel like a daunting task for investigators. While an abundance of Open Source Intelligence (OSINT) resources exists, knowing how to decipher the information they yield is the true challenge.

This article delves into the fundamental methods of cryptocurrency investigation by dissecting a real-life case study. By shedding light on the basic principles of tracing and interpreting crypto addresses, even those with minimal background in the field can uncover valuable insights.

Understanding Cryptocurrency Basics

Before diving into investigation techniques, it's crucial to grasp the basics of cryptocurrencies. These digital assets exist solely in the virtual realm, stored in "wallets" identified by unique alphanumeric addresses. Despite the transparency of blockchain ledgers, which record all transactions, the anonymity of wallet owners adds layers of complexity to investigations. Bitcoin is the most popular cryptocurrency, but it is only one of many.

Basic Investigation of Crypto Addresses

This article's journey begins with a simple due diligence check on a cryptocurrency address, using readily available OSINT tools like blockchain explorers. By analyzing transaction histories and visualizing connections between addresses, investigators can glean invaluable information about the flow of funds.

As investigations progress, attention shifts to analyzing transaction patterns and expanding the network of connected addresses. Suspicious behavior, such as funds being routed through multiple addresses or connections to known criminal entities, often emerges during this phase.

Intriguing discoveries often surface when delving deeper into specific addresses. By leveraging platforms like Arkham Intelligence and Open Sanctions, investigators can uncover affiliations with illicit activities and identify pivot points for further exploration.

Case Study Investigation

This article will guide you through a standard due diligence check on the Bitcoin address 12bZ39. For simplicity, I will refer to each address by its first six characters.

The first step is to Google the address. If no relevant information surfaces, the next step is to check the address on a crypto address research tool like Arkham Intelligence. I prefer Arkham for its comprehensive data and intuitive interface, but there are several other valuable OSINT resources.

OSINT Tools for Crypto:

Deep Dive into Blockchain Analysis

After finding no initial leads, we use blockchain investigation and visualization tools such as Breadcrumbs and Wardgraph. These tools visualize transactions connected to the address 12bZ39, which appears to receive funds from five different sources. In the image below, each blue line represents a financial relationship (sending and/or receiving funds) between 12bZ39 and a different wallet.

[Figure: transaction graph of 12bZ39 and the wallets it sends funds to or receives funds from]

Examining Connected Wallets

Upon investigating the first source, we identify five wallets interacting with it. One of these wallets is easily identified via a Google search as belonging to Gate.io, a top global crypto exchange noted for its significant trading volume. Unfortunately, there is no further information on the other four addresses.

Analyzing Transaction Patterns

In the transaction network, three wallets (194mDx, 1topuj, and 1ADHVr) appear to channel funds to 12bZ39. A closer inspection reveals that these funds originate from a single address (1ADHVr), with the other two merely acting as intermediaries. 

The image below shows the direction of funds that flow from 1ADHVr to 12bZ39.

[Figure: visualization of the flow of funds from 1ADHVr to 12bZ39]

This pattern suggests the use of these wallets as transfer points by a single entity controlling multiple addresses, complicating the flow of funds and potentially obscuring the origins for anyone investigating. This kind of layered transaction, often seen in money laundering, illustrates the need to look beyond surface data.

Key Observations:

  1. Direct and Indirect Transactions: If a wallet receives a transfer and then forwards the exact amount, it is likely serving as a pass-through entity. In these cases, the sender and receiver addresses are often owned by the same person.
  2. Apparent Complexity: The observed transaction complexity is typical of efforts to obfuscate financial trails.
  3. Analyzing Illogical Money Transfers: Transactions that don't logically connect suggest manipulation or illicit activities.

Transaction History Analysis

Here is an example of a pass-through entity in action. One wallet received 0.2244 Bitcoin on September 23rd and sent out 0.2338 Bitcoin three days later. Note that there is a small difference in the two amounts, which accounts for the transaction fees. 

[Figure: transaction history of the pass-through wallet described above]
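The pass-through heuristic from Key Observation 1, and the chain from 1ADHVr through the two intermediaries to 12bZ39, can be reduced to a small script. This is an added example, not code from the original article or from Breadcrumbs; the ledger is constructed (the hop order, the year, and the extra unrelated wallets 1GateX and 1Other are assumptions), reusing the article's 0.2244 / 0.2338 BTC amounts for one hop.

```python
"""Pass-through wallet heuristic over a constructed Bitcoin transaction list."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Tx:
    sender: str
    receiver: str
    btc: float
    day: date


# Constructed sample ledger; addresses are abbreviated to six characters as in
# the article. Hop order, dates and the two unrelated wallets are assumptions.
LEDGER = [
    Tx("1ADHVr", "1topuj", 0.2244, date(2023, 9, 23)),
    Tx("1topuj", "194mDx", 0.2338, date(2023, 9, 26)),
    Tx("194mDx", "12bZ39", 0.2330, date(2023, 9, 27)),
    Tx("1GateX", "12bZ39", 1.5000, date(2023, 9, 10)),  # deposit never forwarded
    Tx("1ADHVr", "1Other", 0.0500, date(2023, 9, 24)),  # small unrelated spend
]


def pass_through_hops(ledger, tolerance=0.05, max_days=7):
    """Return (wallet, incoming, outgoing) triples where a wallet forwards roughly
    the amount it just received within max_days (Key Observation 1)."""
    hops = []
    for wallet in {t.receiver for t in ledger}:
        inbound = [t for t in ledger if t.receiver == wallet]
        outbound = [t for t in ledger if t.sender == wallet]
        for i in inbound:
            for o in outbound:
                lag = (o.day - i.day).days
                if 0 <= lag <= max_days and abs(o.btc - i.btc) <= tolerance * i.btc:
                    hops.append((wallet, i, o))
    return hops


def trace_origin(ledger, target, **kw):
    """Walk pass-through hops backwards from target and return the path from the
    candidate origin to target. If a wallet is fed by several hops, one is kept."""
    by_dest = {o.receiver: (w, i.sender) for w, i, o in pass_through_hops(ledger, **kw)}
    path = [target]
    while path[0] in by_dest and by_dest[path[0]][0] not in path:  # cycle guard
        path.insert(0, by_dest[path[0]][0])
    if len(path) > 1:  # the wallet feeding the first pass-through is the origin
        path.insert(0, by_dest[path[1]][1])
    return path


if __name__ == "__main__":
    for w, i, o in pass_through_hops(LEDGER):
        print(f"{w}: received {i.btc} BTC {i.day}, forwarded {o.btc} BTC {o.day}")
    print(" -> ".join(trace_origin(LEDGER, "12bZ39")))
```

Tightening `tolerance` or `max_days` reduces false positives from wallets that happen to spend a similar amount; the article's example sits at roughly a 4% difference over three days.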

If you are using Breadcrumbs, you can click on a wallet to see basic details of its transaction history. More detailed information is available on blockchain explorers such as Blockchair.com.

Expanding the Network Investigation

By broadening our analysis to include financial interactions two or three degrees removed from the primary wallet, new activities and connections emerge. This expanded network visualization reveals suspicious financial behaviors across several linked addresses.

In this image, lock icons represent addresses linked to illegal activities.

[Figure: expanded network diagram; lock icons mark addresses linked to illegal activities]

Exploring Noteworthy Addresses

Let's examine one of the addresses marked with a lock icon, specifically 1KctQE. A quick search reveals a listing on the website OpenSanctions.org. Open Sanctions aggregates reliable data from a variety of sources to inform users about individuals and entities under international sanctions.

The page displays a notice identifying the wallet’s owner, who is classified as a “Specially Designated National” (SDN) involved in illicit drug activities, according to the U.S. Treasury Department's Office of Foreign Assets Control (OFAC). The SDN list includes names of individuals and entities that are subject to sanctions by the U.S. government.

[Figure: OpenSanctions.org listing for the wallet 1KctQE showing the SDN designation]

On the Open Sanctions site, clicking any hyperlinked entity opens a page containing detailed data related to that entity. For this address, clicking on the wallet holder’s name reveals additional information about the individual.

[Figure: Open Sanctions entity page for the wallet holder]

The notice on Open Sanctions also lists several pivot points for further investigation, including a website, passport details, and multiple cryptocurrency wallets associated with the individual.

For example, the Open Sanctions entry indicates that the wallet owner possesses assets in various foreign companies, providing additional avenues for investigation.

[Figure: Open Sanctions entry listing the wallet owner's assets in foreign companies]

However, for the scope of this article, it is unnecessary to delve deeply into the background of this individual. Our primary interest lies in verifying that our initial wallet of interest is connected to a recognized criminal entity. By examining other addresses, we find similar associations with adverse actors, underscoring the interconnected nature of these dubious entities.

Analysis of Findings

Our comprehensive network analysis indicates a pattern of transactions designed to launder or conceal funds, involving addresses connected to known bad actors. This evidence is more than enough to justify strongly advising any legitimate entity against associating with our original address, 12bZ39.

This process underscores the importance of a meticulous and multi-layered approach to the investigation of cryptocurrency transactions, highlighting the need for expertise in navigating complex data landscapes to uncover underlying risks.

Conclusion

The investigation of cryptocurrency addresses can seem labyrinthine due to the intricate nature of blockchain transactions. However, with the right tools and a basic understanding of blockchain technology, even those new to the field can uncover significant insights into the activities associated with these digital assets. This guide has showcased that effective cryptocurrency investigation is not only possible but also imperative for anyone involved in digital finance security. By employing systematic approaches and leveraging specialized tools, investigators can peel back the layers of anonymity typically associated with cryptocurrencies, ensuring a higher level of transparency and accountability in the digital finance arena.