Conference PaperPDF Available

Abstract and Figures

This work briefly examines some of the most relevant Bitcoin Laundry Services, commonly known as tumblers or mixers, and studies their main features to try to answer some fundamental questions including their security, popularity, transaction volume, and generated revenue. Our research aims to inform both legitimate users and Law Enforcement about the characteristics and limitations of these services.
Content may be subject to copyright.
An Analysis of Bitcoin Laundry Services
Thibault de Balthasar1and Julio Hernandez-Castro2(B
)
1Chainalysis Inc., 43 West 23rd Street, 2nd Floor, New York, NY 10010, USA
thibault@chainalysis.com
2School of Computer Science, University of Kent, Cornwallis South,
Canterbury CT2 7NF, UK
jch27@kent.ac.uk
Abstract. This work briefly (An extended version can be found at
https://kar.kent.ac.uk/id/eprint/63502) examines some of the most rel-
evant Bitcoin Laundry Services, commonly known as tumblers or mix-
ers, and studies their main features to try to answer some fundamental
questions including their security, popularity, transaction volume, and
generated revenue. Our research aims to inform both legitimate users
and Law Enforcement about the characteristics and limitations of these
services.
Keywords: Bitcoin ·Tumble r ·Alphabay ·Helix ·Anonymity ·
Cybercrime
1 Introduction to Tumblers
Bitcoin offers pseudo-anonymity [10] because all transactions are visible and
traceable, but no names are stored in the Blockchain. Bitcoin laundry services are
open, like most modern technologies, to dual use. They are employed by regular
users who do not engage in any illicit activities and simply want to improve on
the anonymity features of Bitcoin. On the other hand, they can also be used by
cyber criminals for laundering their ill-gotten gains before exchanging them into
traditional currencies such as Dollars, Euros or Sterling. It is also common for
stolen Bitcoins (i.e. after a wallet compromise or a hack) and for ransom money
to be processed by one or more tumblers to reduce its traceability. In either
scenario, Bitcoin laundry services play a central role in the Bitcoin economy,
but they have been relatively poorly studied [8,9,11], and their operation is not
that well understood. We will try to address this in this work, by focusing on
a small number of very well-known Bitcoin tumblers that vary widely in their
characteristics and sophistication.
Methodology. For this purpose, multiple transactions have been carried out
involving the mixers under study, transactions that have been later carefully
studied for finding patterns, regularities and correlations with a set of tools
we have developed. Using our own tools, and together with other commercially
c
Springer International Publishing AG 2017
H. Lipmaa et al. (Eds.): NordSec 2017, LNCS 10674, pp. 297–312, 2017.
https://doi.org/10.1007/978-3-319-70290-2_18
298 T. de Balthasar and J. Hernandez-Castro
available ones1, it becomes possible to demonstrate that these services suffer
from serious limitations that expose their users to traceability and, sometimes,
even de-anonymisation attacks.
Attacker Model. The attacker model we will consider in this paper is based
around the concept of taint analysis. The objective of taint analysis is to link
multiple Bitcoin addresses. Typically at least one is known to contain stolen
Bitcoins, or Bitcoins that are otherwise clearly linked with a criminal activity,
so establishing this link will show the latter addresses (ones that have received
funds from it) are tainted and, for example, money from them should not be
accepted by reputable merchants or at legitimate exchanges. To break this link
or taint cyber-criminals use mixers, so our aim at attacking a mixer is first and
foremost to be able to characterize all (or a sizable proportion) of the Bitcoins
that have gone through it. Of course, this taint can also be interpreted in terms
of anonymity levels, when tainted addresses and wallets can be linked back to
individuals. Apart from this, we will try to find how exactly these mixers work
and establish clusters or other patterns between input and output addresses so
that, to a certain extent, we can ’reverse’ the operation of a tumbler and, at
least probabilistically, trace back and deanonymise it.
2 Results
We present in the following our most relevant results in terms of security and
privacy characteristics of the mixers we have studied.
2.1 DarkLaunder, Bitlaunder and CoinMixer
Darklaunder, Bitlaunder and CoinMixer are probably the weakest mixers of all
tested in this work. We analyse these jointly because we have reasons to believe
they share a common owner and are almost identical in their functioning and
features. So, albeit in the following we will mostly refer to Darklaunder many
of our findings also apply to Bitlaunder and CoinMixer, which will be explicitly
mentioned only to highlight any differences. Darklaunder is available on both
the clearnet2where it makes usage of CloudFlare (a widely used proxy service)
and on the darknet3. This duality is uncommon in good mixers, as is the use of
CloudFlare.
The service offers two types of laundering: the quick one is claimed to take
between one and six hours to process, and has a 2% fixed fee. The secure one
is said to be dealt with by hand and to be more secure. In this case there is
1In addition to a large set of python scripts developed by the authors, we have also
been given access to some of the proprietary Chainalysis tools.
2At https://darklaunder.com, last accessed on 17/02/2017.
3At http://wwxoxavgqbhthyz7.onion, last accessed on 17/02/2017.
An Analysis of Bitcoin Laundry Services 299
a 3% fixed fee. For both, the lowest accepted sum is 0.01 BTC4. According to
the service’s FAQ, there is an upper limit of 1,000 BTC. To be able to use
the service, registration is mandatory and a username, name, password and
email address have to be provided. This is common in other mixers, but not
a good practice regarding privacy. To launder Bitcoin, the user has to make a
deposit on a given address. When withdrawing, the only choices are the amount
of Bitcoin to withdraw and the destination address. Despite their claim that
it does not keep any personal information, we have found it stores data about
their user’s previous transactions with the service, including their exact date and
time and the involved IPs and Bitcoin addresses. All these weaknesses could be
also found in Bitlaunder. Since there is precedent of authorities arresting owners
of laundering services5, and the service retains full historical transaction data,
this mixer can not be considered secure. In addition, PHP errors creep around
frequently during its usage.
Security Analysis. On top of its bad design, the service is also subject to
other critical problems. First, it is possible to find the IP address of the server
hosting the mixer. This makes easy to establish a link to an individual’s name
and address, and to other mixers he owns and operates. Since the server is using
CloudFlare, which is only an HTTP proxy, the emails sent by the service (in
response to customer’s questions) do not go through it. By analyzing the header
of these emails it is possible to find that the mail server is located at the address
mail.darklaunder.com, which points to the IP address 94.23.45.166. We can,
therefore, access the website directly now without going through CloudFlare.
Furthermore, the SSL certificate used by the service is quite weak: It is using
the SHA-1 algorithm, that is deprecated [3,4], with a 2048-bit key. Finally, the
service certificate is self-signed, and has expired. It was signed in August 2015,
which suggest the service has been probably first online around this time. The
HTTP server used is Nginx 1.0.14, which is a legacy version as the latest one
at the time of writing is 1.10. There are multiple CVEs affecting the server ver-
sion, as shown at cvedetails.com [5], notably CVE-2013-4547, CVE-2013-0337,
CVE-2012-2089 and CVE-2012-1180. An additional serious security issue is that
the server is allowing SSL v3, which is vulnerable to multiple attacks [6,7].
Bitlaunder suffers from many of the previously described problems.
Transactions with the Service. At total of 61 transactions were carried out
with Darklaunder. At the beginning, the transactions were processed correctly
even if the time needed to get the money back was longer than expected, usually
between 8 and 10 h. From the 29th test on, transactions took more than 20 h to
withdraw. From the 45th, it took between one and seven days to get the with-
draw (sometimes, due to multiple failures during the laundering process). Eleven
4During our tests we encountered some issues, and the contact support stated that
the minimum value was 0.5 BTC. This is strange, since despite this message the
mixer eventually worked after some time with the initial 0.01 BTC.
5For example in the case of coin.mx [1,2].
300 T. de Balthasar and J. Hernandez-Castro
transactions have also been made with Bitlaunder but no delays were encoun-
tered, probably because they were requested to be more evenly spaced on time.
For both services, the fees taken have always been exactly as announced, but
once Darklaunder returned the money twice (so we received double the money we
sent!) and another time, the service returned slightly less: 10% of the total sum
was missing. These errors suggest that, at some point, the algorithm in charge
of withdrawing the money was suffering from flaws. Another important mistake
is that the service is using counters as transaction IDs, so the total number of
transactions can be simply read. Furthermore, several issues with the launder-
ing algorithm can be detected after analyzing our database of transactions. First
and foremost, the independent accounts we have used happen to have common
transactions. Also, when the service takes money from the wallet, the transaction
used involves multiple input wallets and they have always exactly two outputs,
one of them, as we will see later, being a central address. This is quite a poor
practice since a malicious user may simply engage in making transactions on a
regular basis to find the addresses of other users, thus partially de-anonymising
the service (Fig. 1).
Fig. 1. Darklaunder: withdrawing to multiple addresses
Tracking the Money. Using a script to trace the money, some common paths
between the addresses used have emerged. In particular, we can detect a path
between wallets and return addresses, showing the anonymity offered by the
service is poor.
Figure 2shows the output of the program we developed to follow the money,
where we can see the results when tracking the wallet generated in the first
transaction with the service. The watch-list is made of the addresses given to
the service to get the money back. We can see that, in this case, the money has
been redistributed to three known addresses generated in the next tests (these
three addresses are the only ones that belong to us within four levels of tracking
for all the tests, however, with a deeper tracking it is possible to find even more).
Drawing and Analysing the Transactions. We will begin the analysis of
the service by using Fig. 3, which is the graph generated after analysing the
transactions we performed with Darklaunder and Bitlaunder, to one level of
depth.
The image allows to quickly visualise the very high centralization of the
service, which is a poor characteristic regarding anonymity. All the wallets are
An Analysis of Bitcoin Laundry Services 301
Fig. 2. Darklaunder: output of the program following the money
Fig. 3. Darklaunder and Bitlaunder transactions, at depth one
sending their funds to address 15u...FKF6. This central address has been used
for the first time on the 18th October 2015 - which matches nicely with our
estimate of the creation time of the service - and has been continuously used
since.
Figure 4shows the number of operations of the 15u...FKF address since its
creation.
Fig. 4. Number of transactions by 15u...FKF, from October 2015 to February 2017
The address has a total of 1,635 operations. The number of credit transac-
tions (934) is roughly equal to the number of debit transactions (719). However,
615uyvmNQtLPyzeNcBCvuvgH4f7MUN6XFKF.
302 T. de Balthasar and J. Hernandez-Castro
this address received money from 4,277 addresses but sent money to only 1,327
addresses. The total in and out by day from the creation of the address to the
26th February 2017 tends to confirm the hypothesis that the address has only
be used as a gateway. We can observe that the credit and debit per day are
approximately equal, leaving the address with only a few bitcoin in reserve. Our
last 2016 test transaction with the service was on the 5th May 2016, and at this
time the wallet7was still using the same central address. However, another
transaction has been carried out on the 27 June, and we can see that the
wallet8has used another address to get back the money: 13K...isR9. This address
has been created on the 15 June 2016, which matches with the moment when
15u...FKF’s traffic started to decrease. In just 10 days, the new address made
110 transactions, sent 187.812357 BTC and received 190.612357 BTC.
By analysing money in, out and the total credit by day of address 13K...isR,
we can see a very similar behaviour to that shown in Fig. 5. We can also observe
that the percentages of credit and debit transactions are similar for the two
addresses. Considering these elements, we can guess that the service periodically
switches its cent ral address. This is a good security practice, but by itself not
sufficient to provide enough anonymity. The characteristics we underlined above
may allow to easily detect these new addresses, thus completely defeating its
security aims.
Fig. 5. Transactions by 13K...isR from June 2016 to March 2017
The interactions involving the central address follow recognisable patterns, as
showninFig.6. We can see that in each case wallets send bitcoins to the central
address (label 1) but sometimes they also send to another addresses (labels 2
and 3). These secondary addresses will receive bitcoins from other transactions
involving the withdraw addresses, and will then send it to other addresses and
back to the central node. Sometimes the rest of the transaction is directly sent to
the central address, as with node 26. Node 6 on the graph represents the address
15v...j2N10. Looking at its transactions is particularly interesting: there are a
total of 51 at the time of writing, and the pattern followed is very characteristic.
The address receives money and then sends it to two types of addresses; most of
the bitcoins go to the central node, but a few of them go to another address (not
the same every time) which is probably there to confuse a potential attacker.
71GgfvBoVpeJLKdVkqMehbFPrm4VjoqUP7.
81MC8VD89moVwXL4s213vNpdbrmUZQZf1DV.
913KtxHChVmGu43A19narE3hbKGCUBGAisR.
10 15vXhKcnNZo6su5PkKeZQPavvFhjVG3j2N.
An Analysis of Bitcoin Laundry Services 303
The fact that the money of all wallets is sent to the central node is a terrible
weakness, since it allows to find the wallet addresses with great ease. In addition,
performing most of the withdrawal transactions within only one or two levels of
the central node is also extremely poor.
Fig. 6. Interaction with central address
When observing the withdrawal transactions, a specific pattern is also inter-
esting to notice: almost every withdrawal is at a distance of one address, as we
can see on Fig. 7which has been adapted from real data. Address 1 (that has
not been analysed) establishes a link between two withdrawals, and Address 2
send the funds to the addresses used to withdraw.
Fig. 7. Interaction between withdrawal transactions.
Using Walletexplorer, we can find that Address 2 belongs to localBitcoins.com
while Address 1 behaves similarly to Addresses 3 and 4. We can see that the debit
transactions follow two distinct patterns. Either the central address gives money
to localBitcoins, or it makes a peeling-chain (which consist in dividing the sums
again and again) and eventually sends money to localBitcoins after a small num-
ber of transactions. Using the information gathered so far, we are now able to
understand the complete workflow of the service, that we display in Fig. 8.
304 T. de Balthasar and J. Hernandez-Castro
Fig. 8. Darklaunder workflow
The wallets are used to credit the central address (1) but at the same time
they can also make use of a change address (7). This change address will receive
credit at the end of the withdraw chain and send it to the central address.
The central address sends Bitcoins to localBitcoins directly but also, sometimes,
starts a peeling chain where bitcoins can be sent to localBitcoins.com during the
process (49, 51) or later (55, 56, 57, 58). Then, localBitcoins sends back money
to the service (17, 28) which starts a new withdraw chain. Using the Chainalysis
tool, a graph of the exchanges has been drawn (Fig. 9).
Fig. 9. Interaction of the service with external clusters
So we can conclude that the laundering algorithm itself is quite poor. The
service is characterised by a heavy centralization because a central address is
gathering all the Bitcoins from the customer’s wallets and receives the rest of the
money at the end of the withdraw chain. Furthermore, it is easy to find a direct
route (only a few levels deep) from the central address to some of the wallets.
Tracking is further facilitated because a significant number of transactions have
multiple input addresses. Finally, the scarcity of traffic makes for an even easier
address identification (Fig. 10).
An Analysis of Bitcoin Laundry Services 305
Fig. 10. Estimated darklaunder transaction volume
2.2 Helix
The Service. Helix is accessible only using Tor11 and offers two different ser-
vices: a standard version and a light version. The two versions only differ in that
the light one allows to withdraw to up to five addresses, and to choose to receive
multiple transactions and/or within a random time delay of a few hours while
the standard version requires registration and allows to manage a wallet and to
automatically mix money send to the wallet to a defined address. Both standard
and light services are taking 2.5% off fees, and only allow withdrawals of 0.02
BTCormore.
Analysis of the Transactions. A total of 34 transactions were carried out
with this service. The money always returned on time, and to the right number
of addresses. On the more negative side, the page which displays the status of
the laundering process has been observed to remain active a few days after the
mixing has finished, when it is claimed to be available only for 24h. Furthermore,
a major problem has been found in the pattern of transactions: Regardless of
whether we ask for multiple transactions or to use multiple addresses, our tests
suggests that there will always be 5 transactions done in total. Some of our
wallets and return addresses (issued from different tests) have also been observed
taking part in the same transactions. Finally, our tests revealed that it always
takes between one and two minutes to make a transaction. The average time is
ninety seconds and the average duration for all the transactions to perform is
five minutes and fifty seconds. This allows for a trivial timing-based attack.
Analysis of the Addresses. Our analysis has started by drawing a graph of
the exchanges we carried out, at a depth level of 2 from our wallet and return
addresses, as shown in Fig. 11.
First, it is possible to observe that the green addresses (which are the
addresses where the coins have been returned) are very close to each other.
Sometimes even present in the same transaction. This can be explained by the
fact that the service is using a peeling chain to fund its customers. An inter-
esting fact is that the transactions in these chains have always a single input
but can have between two and five outputs, thus allowing withdrawals to mul-
tiple customers at the same time. Three addresses involved in a big amount
of transactions are shown in the graph. The one in the center is identified by
11 Main address is at http://grams7enufi7jmdl.onion/helix/light.
306 T. de Balthasar and J. Hernandez-Castro
Fig. 11. Helix light exchanges at depth 2 - August 2016 (Color figure online)
Chainalysis’s tool as part of LocalBitcoins.com. This cluster receives money from
multiple points in peeling chains; This suggests it is widely used by customers
of the service. The two other addresses are identified by the tool as part of the
same cluster, which will be named C112 and studied later. Finally, the graph
shows that multiple addresses are receiving coins from multiple wallet addresses
(in red).
Fig. 12. Helix light withdrawal pattern - February 2017 (Color figure online)
Figure 12 has been drawn using Reactor. It represents the return transactions
made by Helix. The point on the left is a custom cluster, made of all the return
addresses used to perform the tests. The red point on the right is the Helix
cluster, and the big point in the middle is cluster C1. It is possible to observe
that C1 is receiving multiple transactions originated from an important number
of addresses in the graph. This cluster seems to be receiving only coins from the
12 1MiaNEG1jqoAeLPSE8JuZ8ync1e6i1y6ho.
An Analysis of Bitcoin Laundry Services 307
Helix’s peeling chains. The money sent by C1 can not be linked to Helix, but it
is possible to formulate two hypothesis: Either the owner of the service is using
the cluster to recover some money, or this is a very special customer making an
extensive usage of the service (190 BTC have been received).
The second interesting point is that (even though not all the chains are shown
in the graph) all the money that have been sent to the return addresses goes
through the Helix cluster, after a few transactions on the peeling chain. This
allows to guess the algorithm used by the service: it generates multiple wallets
and recovers their money using a few transactions. This money is then directly
sent to a peeling chain for the customers withdrawal.
Assessment of the Service. The Chainalysis’s tool suggests that at least
216,000 BTC have been mixed using this service until early 2017 showing it is
widely13 used. However, our findings indicate that it does not offer adequate
anonymity. We observed that wallets and withdrawals of multiple customers are
present on the same transaction, or very close to each other, so that it is easy to
identify them. For example, by processing regular and small-amount transactions
with the service we can gain valuable insights that can help us compromise its
security and anonymity at a very low cost.
2.3 Alphabay
The Service. Alphabay was accessible only through Tor14 and required to open
a customer account to use it. The registration was straightforward, and only a
username and password were required. A wallet address is automatically gener-
ated by the service for the user, and that address changes every time a deposit
is made. However, the address was still usable seven days after the change. On
top of that, if the generated address is not used after ten days, it will be deleted.
Each deposit to the service must be at least of 0.01 BTC, and it is possible
to withdraw money for a fee of 0.001 BTC. The service offered the possibility
to withdraw to one to five addresses, in an interval of time between one and
twenty-four hours. An option labeled Sent a single transaction suggest that the
service was capable of returning money in multiple transactions.
Transaction Analysis. We performed 35 transactions with the service before
proceeding with a first analysis of the tumbler. Multiple problems were detected
as this early point. First, the service was taking more than what was claimed in
fees (0.007 BTC instead of 0.001). In addition, the money was moved from the
user’s wallet before the withdrawal was carried out. During the tests, we also
noticed that the service was never returning the money in multiple transactions
13 The number of bitcoins in circulation at the time of writing is approximately 16.2
million, according to Blockchain.info.
14 The main address was at pwoah7foa6au2pul.onion, but many others existed to cope
with frequent DDoS attacks.
308 T. de Balthasar and J. Hernandez-Castro
(a feature that is proposed in the form) and that it did not returned money to
multiple addresses if the sum to withdraw is less than (#Addresses ·0.01 BTC).
During our tests, we also notice that the service never returned money by doing
multiple transactions to a single address. This was still true as of our last test
on the 16th February, 2017. Another important problem was in the history of
withdrawals, as IDs are used and they are simply incremental counters that leak
the number of transactions. Using this information we can, for example, estimate
the number of transactions to be around 33.76 per minute between the 4 and the
6 August 2016. Recent cluster size estimation tends to suggest the number of
transactions did not changed a lot a year later. Finally, we can also detect some
specific patterns concerning the number of input and outputs in the transactions
performed by Alphabay, which can allow for simple heuristics to recognize them.
On a more positive note, the money is always returned on time.
Analysis of the Addresses. By drawing the exchanges of the addresses on
two depth levels, we can observe that while the money on the wallet addresses
is going to addresses with a lot of traffic, the withdrawals are performed within
a basic peeling chain. The peeling chain is a pattern of use widely present in
the Bitcoin network; for example, various services often use it to withdraw their
customers. Basically, the chains starts with an address receiving a decent amount
of coins. This address will then send the coins to two (or more) addresses. One
of these addresses will belong to the service and will then send coins to two (or
more) addresses until there is no money left. In our example (Fig. 13), we can see
a withdraw chain started by the service (in blue) with 50 BTC. Another common
characteristic is that the nodes of a peeling chains have only two transactions.
One credit and one debit. In the case that a peeling chain is used by a service,
it can happen that the orange nodes are not to withdraw to a customer but just
a redirection of some part of the money to another peeling chain also owned
by the service. For example, 1dj6nAA7Sp456Ph9EvM8LYnvb6aYX9NPQ is the
start of a classical peeling chain.
Fig. 13. How a peeling chain works (Color figure online)
If we look closely at Fig. 14, the first thing we will notice is that three
addresses on the graph are involved in a lot of transactions. These addresses
An Analysis of Bitcoin Laundry Services 309
Fig. 14. Alphabay exchanges at depth 2.
will be discussed later and will be named A115 (the one on the left), A216 (the
one at the bottom) and A317 (the one on the upper right). We will first focus on
the exchanges carried out by our wallets: We can observe that, every time, the
service is making transactions with the wallet following the exact same pattern.
Money is moved with a transaction having only one input and one output, and
goes to an address which has multiple transactions. We can observe a lot of trans-
actions on this destination address, so we used Chainalysis’s tools to gather more
information.
There are multiple types of clusters we can observe in Fig. 15:
1. Some are identified by Chainalysis as belonging to well-known services, such
as BTC-e or localBitcoins.com
2. Some are not identified as known services, and only receive money from
addresses identified as part of the Alphabay cluster, or from addresses match-
ing the wallet pattern. Then, they send money to an unique service using
different addresses (for example 19Gc...X1d18). In this case, we hypothesize
that Alphabay is using these services to mix the bitcoins.
3. Some are matching pattern 2, but do not send money directly to ser-
vices and instead start peeling chains (e.g.: 1JJww8DFoAp5whSu4oV
89yZyY8MPVomsiz). The peeling chain is probably used to withdraw money
off the service.
4. Some are matching the pattern 2, but sending money directly to multiple
services. We do not have a good enough explanation for these cases.
5. A few clusters are sending and receiving money to/from multiple services.
In this case, they probably belong to services that are not detected by the
tool yet.
15 1HBsi9dDzHQecyy4xtRnvqjiT1KvLUwRcH.
16 16ZZ6svbB36o5Q2gLtAMHMiKJXtbs6nvuF.
17 14cGaFD4iUyqX9NQaB1ff8uLUb42qd5deM.
18 19Gc23Ggr58ZRhemmx7rtZnqTj6tasX1d.
310 T. de Balthasar and J. Hernandez-Castro
What we can tentatively conclude from this study is that Alphabay is using
other third party services to mix their bitcoins, but that it probably also makes
some custom in-house mixing. Here, we can identify a clear flaw: multiple cus-
tomer wallets are sending money to the same address, which could make the
detection of wallet addresses and the tainting process particularly easy. When
studying addresses A1, A2 and A3 in Fig. 15, we observe that these are receiving
a total of 8,582 credit transactions and only 122 debit transactions. Moreover,
the credit transactions have (with a few exceptions) only one input and one
output. This suggests we are dealing with users’ wallets. We noticed that the
clusters have a relatively large number of transactions matching the same pat-
tern: Deposit transactions having one (or two in some cases) inputs and two
outputs.
Fig. 15. Alphabay Wallet exchanges
We then analyzed return addresses. We can see in Fig.15 that these addresses
are often linked together and, sometimes, have associations to addresses
exchanging with many more addresses than usual. In the first case, we observed
that the addresses are part of a peeling chain. These peeling chains are most
of the time tainted with Alphabay addresses, but sometimes we can track-back
their origin to services such as localBitcoins. The second case is a direct with-
draw from a known service (most of the time, localBitcoins). Our address is never
alone on the outputs, and most of the time another output in the withdraw trans-
action leads to Alphabay. On both cases, we can say that the withdraw is not
secure. On the first case, since the peeling chain is highly tainted by Alphabay, it
would be easy to identify withdraw chains tainted by the service. Even without
knowing which cluster Alphabay is, engaging in regular, low-cost transactions
An Analysis of Bitcoin Laundry Services 311
with it should be enough for taint purposes. In the second case, we would need
to know Alphabay’s addresses to be able to find the withdraw addresses. This
would be a little more involved but not too difficult. In any case, this is not the
most common way the money is withdrew.
3 Conclusions
Bitcoin mixers are quite popular nowadays, but even the most well-known and
established ones seem to have serious security and privacy limitations, as exposed
in this work. Together with the major players, a myriad of smaller laundry
services such as Bitlaunder, Darklaunder and Coinmixer exist, and we have
shown some of them offer an appalling service that can seriously compromise
the security and privacy expectations of any legitimate user. Unfortunately also
the major players such as Alphabay and Helix present significant deficiencies.
Our findings show that devising and implementing a secure mixer is far from
an easy task, and as such it is plagued with a multitude of opportunities to
get things wrong and compromise the service. This is refreshing news for Law
Enforcement, who will be able to taint Bitcoin transactions and even back-track
them by using our findings and some readily available technology. But at the
same time this is worrying news to any legitimate Bitcoin user that simply
wants to use these services for the purpose of increasing its anonymity. More
study needs to be done on the advantages and shortcomings of the different
algorithms employed by these tumblers, as a well-founded theoretical analysis
of a highly secure and privacy-aware protocol for providing the required mixing
services is unfortunately still lacking. Whether these mix services will continue to
be popular and profitable in the near future, when alternative cryptocurrencies
that offer improved anonymity and untraceability properties such as Monero or
Zcash become widely accepted, is still an open question.
Acknowledgements
This project has received funding from the European Union’s Hori-
zon 2020 research and innovation programme, under grant agreement
No. 700326 (RAMSES project). One co-author also wants to thank
EPSRC for project EP/P011772/1 on the EconoMical, PsycHologi-
cAl and Societal Impact of RanSomware (EMPHASIS) which partly
supported this work.
References
1. Higgins, S.: Coin.mx Execs Arrested for Operating Illegal Bitcoin Exchange (2015).
http://www.coindesk.com/coin-mx-arrested- operating-illegal-bitcoin-exchange/
2. United States District Court Southern District of New York Sealed Indictment
(2015). http://bit.ly/2aC9Mpl
3. Stevens, M., Karpman, P., Peyrin, T.: Freestart collision for full SHA-1. https://
eprint.iacr.org/2015/967.pdf
312 T. de Balthasar and J. Hernandez-Castro
4. Prince, M.: SHA-1 Deprecation: No Browser Left Behind. https://blog.cloudflare.
com/sha-1-deprecation-no-browser-left-behind
5. Nginx CVE for version 1.0.14 (2013). CVEdetails.com
6. Barnes, R.: The POODLE Attack and the End of SSL 3.0 (2014). https://blog.
mozilla.org/security/2014/10/14/the-poodle-attack-and-the-end-of-ssl-3-0/
7. M¨oller, B., Duong, T., Kotowicz, K.: This POODLE Bites: Exploiting The SSL3.
Fallback (2014). https://www.openssl.org/bodo/ssl- poodle.pdf
8. Meiklejohn, S., Pomarole, M., Jordan, G., Levchenko, K., McCoy, D., Voelker,
G.M., Savage, S.: A fistful of bitcoins: characterizing payments among men with
no names. In: Proceedings of the 2013 Conference on Internet Measurement Con-
ference, pp. 127–140. ACM (2013)
9. Moser, M., Bohme, R., Breuker, D.: An inquiry into money laundering tools in the
Bitcoin ecosystem. In: eCrime Researchers Summit (eCRS), 2013, pp. 1–14. IEEE
(2013)
10. Bitcoin Organisation: Protect your Privacy (2016). https://bitcoin.org/en/
protect-your-privacy
11. Bonneau, J., Narayanan, A., Miller, A., Clark, J., Kroll, J.A., Felten, E.W.: Mix-
coin: anonymity for bitcoin with accountable mixes. In: Christin, N., Safavi-Naini,
R. (eds.) FC 2014. LNCS, vol. 8437, pp. 486–504. Springer, Heidelberg (2014).
https://doi.org/10.1007/978-3-662- 45472-5 31
... In the trading context, this approach seeks to hide the identity of a buyer/seller transaction without altering the transaction structure or affecting its execution [10], [12]. Several distortion approaches are used to achieve this goal, such as mixing and generalization techniques [13]. ...
... However, the dependency on a third party to perform the mixing makes the system vulnerable to a single point of failure and can raise a severe privacy concern if the third party gets compromised or acts maliciously [15], [16]. Also, as studied in [13], the anonymity achieved by centralized mixing is proportional to the size of the addresses pool, where the larger the size of the pool, the better it is for the mixing service to be able to provide anonymity. CoinMixer [17] is a mixing service that requires, on average, between one to six hours to complete mixing transactions. ...
... Storing such information by the server can cause serious security issues if the mixing server is compromised. It is important to highlight that centralized mixing solutions, in general, require several hours to be completed [13]. ...
Article
Full-text available
This paper presents a privacy persevering framework for a decentralized stock exchange platform, ensuring anonymity and unlinkability of the investors’ accounts and their respective trading activities. The proposed framework meets these privacy requirements by (i) anonymizing both the unique account identifier (NIN) and balance information through customized data generalization and distortion techniques and (ii) making trading transactions unlinkable to their original investors by ensuring that both the NIN and balance are k-anonymous; i.e., k accounts belonging to different investors have the same balance. Moreover, to ensure long-term unlinkability, the process of anonymization is repeated at regular time intervals (every trading session). In addition to anonymity and unlinkability characteristics, the proposed framework is augmented with traceability and non-repudiation features. The simulation experiments with several market sizes and types confirm the effectiveness of the proposed framework in achieving full k-anonymity. Furthermore, to assess the overhead of the proposed privacy algorithms on the trading execution time, we conduct several experiments considering different anonymity levels k. We compare the transaction execution time of our proposed platform against a traditional non-privacy-preserving blockchain-based stock exchange. The obtained results for the worst-case scenarios show an acceptable execution time overhead.
... Aiding the former, security researchers in academia have proposed plethora designs and implementations for secure mixing [11,12,15,16,[22][23][24][25]. Hunting the latter, researchers developed techniques that are capable of tracking Bitcoins through deployed mixers [10,19,21]. However, a gap remains: Despite active research in Bitcoin mixing and un-mixing, it is unclear on what techniques current, actually deployed dual-use Bitcoin mixers base their operation and, thus, it is unclear what security properties their users can expect. ...
... The study found fingerprinting patterns in the services based on recurring addresses, fees, and branching patterns. Balthasar and Hernandez-Castro [10] interacted with DarkLaunder, Bitlaunder, CoinMixer, Helix, and Alphabay and identified security and pri- Fig. 1: High-Level diagram of a Bitcoin mixer with three participants and a centralized mixer run by an operator. The participants send their Bitcoin to the mixer. ...
Chapter
Full-text available
The lack of fungibility in Bitcoin has forced its userbase to seek out tools that can heighten their anonymity. Third-party Bitcoin mixers use obfuscation techniques to protect participants from blockchain transaction analysis. In recent years, various centralized and decentralized Bitcoin mixing methods were proposed in academic literature (e.g., CoinJoin, CoinShuffle). Although these methods strive to create a threat-free environment for users to preserve their anonymity, public Bitcoin mixers continue to be associated with theft and poor implementation. This paper explores the public Bitcoin mixer ecosystem to identify if today’s mixing services have adopted academia’s proposed solutions. We perform real-world interactions with publicly available mixers to analyze both implementation and resistance to common threats in the mixing landscape. We present data from 21 publicly available mixing services on the deep web and clearnet. Our results highlight a clear gap between public and proposed Bitcoin mixers in both implementation and security. We find that the majority of key security features proposed by academia are not deployed in any public Bitcoin mixers that are trusted most by Bitcoin users. Today’s mixing services focus on presenting users with a false sense of control to gain their trust rather than employing secure mixing techniques.
... We rely on the principle of tainted flows to trace the coins from source actors. Taint analysis has been used most notably in the context of tracking money from illegal sources [1,3,8,24,32]. However, those works mainly focus on the destination of tainted coins. ...
Preprint
Full-text available
Bitcoin is the first and highest valued cryptocurrency that stores transactions in a publicly distributed ledger called the blockchain. Understanding the activity and behavior of Bitcoin actors is a crucial research topic as they are pseudonymous in the transaction network. In this article, we propose a method based on taint analysis to extract taint flows --dynamic networks representing the sequence of Bitcoins transferred from an initial source to other actors until dissolution. Then, we apply graph embedding methods to characterize taint flows. We evaluate our embedding method with taint flows from top mining pools and show that it can classify mining pools with high accuracy. We also found that taint flows from the same period show high similarity. Our work proves that tracing the money flows can be a promising approach to classifying source actors and characterizing different money flow patterns
... Moreover, they made another conclusion that although analyses and patterns can be found for mixing services, a direct connection between sender and receiver could not be established, and mixers are effective tools for hiding true identity in the Bitcoin network. Another study by Baltazar and Castro of Chainalysis examined three mixing services and tried to find some patterns [18]. This work showed that mixing services follow a specific pattern in their activity, but they did not release any specific pattern. ...
Preprint
Cryptocurrencies gained lots of attention mainly because of the anonymous way of online payment, which they suggested. Meanwhile, Bitcoin and other major cryptocurrencies have experienced severe deanonymization attacks. To address these attacks, Bitcoin contributors introduced services called mixers or tumblers. Mixing or laundry services aim to return anonymity back to the network. In this research, we tackle the problem of losing the footprint of money in Bitcoin and other cryptocurrencies networks caused by the usage of mixing services. We devise methods to track transactions and addresses of these services and the addresses of dirty and cleaned money. Because of the lack of labeled data, we had to transact with these services and prepare labeled data. Using this data, we found reliable patterns and developed an integrated algorithm to detect mixing transactions, mixing addresses, sender addresses, and receiver addresses in the Bitcoin network.
... blockchain solutions [80] and distributed storage and filesystems, imply significant challenges for digital forensics [239], [240]. Some of these structures have strong privacy guarantees and can be leveraged to exfiltrate data, orchestrate malicious campaigns [241]- [244], or siphon fraudulent payments [245]. Traditional logging mechanisms and access control systems allow an investigator to assess who, when, how or even from where are not relevant for many of these technologies. ...
Article
Full-text available
Due to its critical role in cybersecurity, digital forensics has received significant attention from researchers and practitioners alike. The ever increasing sophistication of modern cyberattacks is directly related to the complexity of evidence acquisition, which often requires the use of several technologies. To date, researchers have presented many surveys and reviews on the field. However, such articles focused on the advances of each particular domain of digital forensics individually. Therefore, while each of these surveys facilitates researchers and practitioners to keep up with the latest advances in a particular domain of digital forensics, the global perspective is missing. Aiming to fill this gap, we performed a qualitative review of all the relevant reviews in the field of digital forensics, determined the main topics on digital forensics topics and identified their main challenges. Despite the diversity of topics and methods, there are several common problems that are faced by almost all of them, with most of them residing in evidence acquisition and pre-processing due to counter analysis methods and difficulties of collecting data from devices, the cloud etc. Beyond pure technical issues, our study highlights procedural issues in terms of readiness, reporting and presentation, as well as ethics, highlighting the European perspective which is traditionally stricter in terms of privacy. Our extensive analysis paves the way for closer collaboration among researcher and practitioners among different topics of digital forensics.
... The coin mixing mechanism can be employed to protect privacy for blockchain-based digital currencies, such as Bitlaunder, Bitcoin Fog and Blockchain.info etc [25]. Obviously, due to the need for third-party nodes to provide coin mixing services, there are defects such as additional costs, theft of funds, and third-party leakage. ...
Article
Full-text available
With the rapid development of permissioned blockchains, the problem of privacy leakage within permissioned blockchains is increasingly serious. In this paper, for the privacy problem in permissioned blockchains, a novel privacy protection method has been put forward. In this novel method, the ring signature is used to protect the privacy of the user in permissioned blockchains. On the other hand, the unconditional anonymity of ring signature may be abused maliciously by the adversary. Conditional anonymity is considered to improve the ring signature. Therefore, based on conditionally anonymous ring signature, permissioned blockchains privacy protection scheme has also been laid down. Furthermore, the effects of smart contract for transaction flows are considered. The asynchronous signing transaction process is proposed. The security of the scheme has been formally reduced to the Discrete Logarithm assumption. The comparison with the state-of-the-art and simulation experiment have also demonstrated that the proposed scheme is efficient and practical.
... While there is a misconception that cryptocurrency transactions are per se anonymous (Jaquez, 2016), some cryptocurrencies indeed obfuscate identifiable transaction information, claiming complete privacy through cryptographic means (e.g. Noether, 2015), and so-called 'mixing services' serve to hide the input and output data of cryptocurrency transactions (Chohan, 2017;Möser et al., 2013;de Balthasar & Hernandez-Castro, 2017). Anchain (2020) estimates the financial volume that passed though cryptocurrency mixers in the first half of 2020 at $8 billion. ...
Preprint
Full-text available
Cryptocurrency markets are still mostly associated with speculation and investment. Accordingly, most surveys to date focus solely on the prevalence of these use cases and the associated user motives while neglecting the wide range of other application areas. These include accessing services, making payments, preserving privacy, or voting on projects' governance decisions. Based on a representative, cross-sectional survey among 3,864 German citizens, this study discloses the black box of usage patterns by cryptocurrency users (N = 357). Using a generalised distance measure (GDM2) and partitioning around medoids (PAM) method on the frequency of use across eight application domains, three distinct clusters are identified. The clusters differ noticeably in terms of the frequency of accessing services (H(2)=260, p=.00), payments (H(2)=257, p=.00) and voting (H(2)=254, p=.00), which indicates that for certain user groups, speculating and investing are not the major use cases for cryptocurrency. The frequencies across all domains are similar within each of the three clusters, outlining passive investors, all-out activists and moderate conservatives. The findings contribute to research on cryptocurrency adoption, have implications for cryptocurrency regulation and provide the cryptocurrency industry with an improved understanding of their users.
Conference Paper
Full-text available
West African okra [WAO] (Abelmoschus caillei (A. Chev.) Stevels.) is the amphidiploid hybrid product of A. esculentus and A. manihot found under cultivation and in the wild in humid and sub-humid parts of West, Central, and East Africa. It accounts for five to ten percent of okra cultivated globally and the yield depends on the landrace or cultivar as well as other specific agro-morpho-economic traits due to the enormous intra-specific variations inherent in the genetic resources. WAO is common in traditional agriculture systems and markets within its range and collection, cultivation, utilization, and conservation are linked to local knowledge systems and practices. The leaves, fruits, seeds, floral parts, and stems are considered invaluable because of the food and income security, medicinal and industrial potentials. Women and young girls are the major custodians of the genetic resources of WAO. However, the introduction of exotic and improved varieties is eroding landraces and cultivars, whose potentials have not been maximized. Therefore, there is a need to collect, document, and explore the potentials of WAO genetic resources. Information on the diversity and distribution can contribute to the rational use and conservation of WAO. Although it is a multipurpose crop, only food use is widely reported and the plant can benefit from research into the industrial potentials of the wood, mucilage, and other phytochemicals. Also, fibres from WAO are comparable and considered a substitute for cotton, jute, and other members of its family – Malvaceae. Threats from soilborne microorganisms and the reference of WAO as a minor crop is challenging the huge socio-economic potentials of the crop. Breeding resistant and improved varieties from landraces and cultivars will benefit WAO genetic resources.
Article
Full-text available
With the wide application and development of blockchain technology in various fields such as finance, government affairs and medical care, security incidents occur frequently on it, which brings great threats to users’ assets and information. Many researchers have worked on blockchain abnormal behavior awareness in respond to these threats. We summarize respectively the existing public blockchain and consortium blockchain abnormal behavior awareness methods and ideas in detail as the difference between the two types of blockchain. At the same time, we summarize and analyze the existing data sets related to mainstream blockchain security, and finally discuss possible future research directions. Therefore, this work can provide a reference for blockchain security awareness research.
Article
Full-text available
Bitcoin is a purely online virtual currency, unbacked by either physical commodities or sovereign obligation; instead, it relies on a combination of cryptographic protection and a peer-to-peer protocol for witnessing settlements. Consequently, Bitcoin has the unintuitive property that while the ownership of money is implicitly anonymous, its flow is globally visible. In this paper we explore this unique characteristic further, using heuristic clustering to group Bitcoin wallets based on evidence of shared authority, and then using re-identification attacks (i.e., empirical purchasing of goods and services) to classify the operators of those clusters. From this analysis, we consider the challenges for those seeking to use Bitcoin for criminal or fraudulent purposes at scale.
Conference Paper
Full-text available
Bitcoin is a purely online virtual currency, unbacked by either physical commodities or sovereign obligation; instead, it relies on a combination of cryptographic protection and a peer-to-peer protocol for witnessing settlements. Consequently, Bitcoin has the unintuitive property that while the ownership of money is implicitly anonymous, its flow is globally visible. In this paper we explore this unique characteristic further, using heuristic clustering to group Bitcoin wallets based on evidence of shared authority, and then using re-identification attacks (i.e., empirical purchasing of goods and services) to classify the operators of those clusters. From this analysis, we characterize longitudinal changes in the Bitcoin market, the stresses these changes are placing on the system, and the challenges for those seeking to use Bitcoin for criminal or fraudulent purposes at scale.
Conference Paper
This article presents an explicit freestart colliding pair for SHA-1, i.e. a collision for its internal compression function. This is the first practical break of the full SHA-1, reaching all 80 out of 80 steps. Only 10 days of computation on a 64-GPU cluster were necessary to perform this attack, for a runtime cost equivalent to approximately \(2^{57.5}\) calls to the compression function of SHA-1 on GPU. This work builds on a continuous series of cryptanalytic advancements on SHA-1 since the theoretical collision attack breakthrough of 2005. In particular, we reuse the recent work on 76-step SHA-1 of Karpman et al. from CRYPTO 2015 that introduced an efficient framework to implement (freestart) collisions on GPUs; we extend it by incorporating more sophisticated accelerating techniques such as boomerangs. We also rely on the results of Stevens from EUROCRYPT 2013 to obtain optimal attack conditions; using these techniques required further refinements for this work. Freestart collisions do not directly imply a collision for the full hash function. However, this work is an important milestone towards an actual SHA-1 collision and it further shows how GPUs can be used very efficiently for this kind of attack. Based on the state-of-the-art collision attack on SHA-1 by Stevens from EUROCRYPT 2013, we are able to present new projections on the computational and financial cost required for a SHA-1 collision computation. These projections are significantly lower than what was previously anticipated by the industry, due to the use of the more cost efficient GPUs compared to regular CPUs. We therefore recommend the industry, in particular Internet browser vendors and Certification Authorities, to retract SHA-1 quickly. We hope the industry has learned from the events surrounding the cryptanalytic breaks of MD5 and will retract SHA-1 before concrete attacks such as signature forgeries appear in the near future.
Conference Paper
We propose Mixcoin, a protocol to facilitate anonymous payments in Bitcoin and similar cryptocurrencies. We build on the emergent phenomenon of currency mixes, adding an accountability mechanism to expose theft. We demonstrate that incentives of mixes and clients can be aligned to ensure that rational mixes will not steal. Our scheme is efficient and fully compatible with Bitcoin. Against a passive attacker, our scheme provides an anonymity set of all other users mixing coins contemporaneously. This is an interesting new property with no clear analog in better-studied communication mixes. Against active attackers our scheme offers similar anonymity to traditional communication mixes.
Conference Paper
We provide a first systematic account of opportunities and limitations of anti-money laundering (AML) in Bitcoin, a decentralized cryptographic currency proliferating on the Internet. Our starting point is the observation that Bitcoin attracts criminal activity as many say it is an anonymous transaction system. While this claim does not stand up to scrutiny, several services offering increased transaction anonymization have emerged in the Bitcoin ecosystem - such as Bitcoin Fog, BitLaundry, and the Send Shared functionality of Blockchain.info. Some of these services routinely handle the equivalent of 6-digit dollar amounts. In a series of experiments, we use reverse-engineering methods to understand the mode of operation and try to trace anonymized transactions back to our probe accounts. While Bitcoin Fog and Blockchain.info successfully anonymize our test transactions, we can link the input and output transactions of BitLaundry. Against the backdrop of these findings, it appears unlikely that a Know-Your-Customer principle can be enforced in the Bitcoin system. Hence, we sketch alternative AML strategies accounting for imperfect knowledge of true identities but exploiting public information in the transaction graph, and discuss the implications for Bitcoin as a decentralized currency.
Coin.mx Execs Arrested for Operating Illegal Bitcoin Exchange
  • S Higgins
Higgins, S.: Coin.mx Execs Arrested for Operating Illegal Bitcoin Exchange (2015). http://www.coindesk.com/coin-mx-arrested-operating-illegal-bitcoin-exchange/
Nginx CVE for version 1
Nginx CVE for version 1.0.14 (2013). CVEdetails.com
This POODLE Bites: Exploiting The SSL3. Fallback, https
  • Bodo Mller
  • Thai Duong
  • Krzysztof Kotowicz
Bodo Mller, Thai Duong and Krzysztof Kotowicz, This POODLE Bites: Exploiting The SSL3. Fallback, https://www.openssl.org/ bodo/ssl-poodle.pdf, 2014
SHA-1 Deprecation: No Browser Left Behind
  • M Prince
Prince, M.: SHA-1 Deprecation: No Browser Left Behind. https://blog.cloudflare. com/sha-1-deprecation-no-browser-left-behind
The POODLE Attack and the End of SSL 3
  • R Barnes
Barnes, R.: The POODLE Attack and the End of SSL 3.0 (2014). https://blog. mozilla.org/security/2014/10/14/the-poodle-attack-and-the-end-of-ssl-3-0/