An Analysis of Bitcoin Laundry Services
Thibault de Balthasar (1) and Julio Hernandez-Castro (2, corresponding author)
(1) Chainalysis Inc., 43 West 23rd Street, 2nd Floor, New York, NY 10010, USA
thibault@chainalysis.com
(2) School of Computer Science, University of Kent, Cornwallis South,
Canterbury CT2 7NF, UK
jch27@kent.ac.uk
Abstract. This work briefly examines some of the most relevant Bitcoin Laundry Services, commonly known as tumblers or mixers, and studies their main features to try to answer some fundamental questions including their security, popularity, transaction volume, and generated revenue. Our research aims to inform both legitimate users and Law Enforcement about the characteristics and limitations of these services. (An extended version can be found at https://kar.kent.ac.uk/id/eprint/63502.)
Keywords: Bitcoin · Tumbler · Alphabay · Helix · Anonymity · Cybercrime
1 Introduction to Tumblers
Bitcoin offers pseudo-anonymity [10] because all transactions are visible and
traceable, but no names are stored in the Blockchain. Bitcoin laundry services are
open, like most modern technologies, to dual use. They are employed by regular
users who do not engage in any illicit activities and simply want to improve on
the anonymity features of Bitcoin. On the other hand, they can also be used by
cyber criminals for laundering their ill-gotten gains before exchanging them into
traditional currencies such as Dollars, Euros or Sterling. It is also common for
stolen Bitcoins (i.e. after a wallet compromise or a hack) and for ransom money
to be processed by one or more tumblers to reduce their traceability. In either
scenario, Bitcoin laundry services play a central role in the Bitcoin economy,
but they have been relatively poorly studied [8,9,11], and their operation is not
that well understood. We will try to address this in this work, by focusing on
a small number of very well-known Bitcoin tumblers that vary widely in their
characteristics and sophistication.
Methodology. For this purpose, multiple transactions have been carried out involving the mixers under study; these transactions were later carefully studied to find patterns, regularities and correlations with a set of tools we have developed. Using our own tools, together with other commercially available ones (fn. 1), it becomes possible to demonstrate that these services suffer from serious limitations that expose their users to traceability and, sometimes, even de-anonymisation attacks.
© Springer International Publishing AG 2017
H. Lipmaa et al. (Eds.): NordSec 2017, LNCS 10674, pp. 297–312, 2017.
https://doi.org/10.1007/978-3-319-70290-2_18
Attacker Model. The attacker model we will consider in this paper is based around the concept of taint analysis. The objective of taint analysis is to link multiple Bitcoin addresses. Typically at least one is known to contain stolen Bitcoins, or Bitcoins that are otherwise clearly linked with a criminal activity, so establishing this link will show that the other addresses (ones that have received funds from it) are tainted and, for example, money from them should not be accepted by reputable merchants or at legitimate exchanges. To break this link or taint, cyber-criminals use mixers, so our aim in attacking a mixer is first and foremost to be able to characterize all (or a sizable proportion) of the Bitcoins that have gone through it. Of course, this taint can also be interpreted in terms of anonymity levels, when tainted addresses and wallets can be linked back to individuals. Apart from this, we will try to find out how exactly these mixers work and establish clusters or other patterns between input and output addresses so that, to a certain extent, we can 'reverse' the operation of a tumbler and, at least probabilistically, trace back and deanonymise it.
2 Results
We present in the following our most relevant results in terms of security and
privacy characteristics of the mixers we have studied.
2.1 DarkLaunder, Bitlaunder and CoinMixer
Darklaunder, Bitlaunder and CoinMixer are probably the weakest mixers of all those tested in this work. We analyse them jointly because we have reasons to believe they share a common owner and are almost identical in their functioning and features. So, although in the following we will mostly refer to Darklaunder, many of our findings also apply to Bitlaunder and CoinMixer, which will be explicitly mentioned only to highlight any differences. Darklaunder is available both on the clearnet (at https://darklaunder.com, last accessed on 17/02/2017), where it uses CloudFlare (a widely used proxy service), and on the darknet (at http://wwxoxavgqbhthyz7.onion, last accessed on 17/02/2017). This duality is uncommon in good mixers, as is the use of CloudFlare.
The service offers two types of laundering: the quick one is claimed to take between one and six hours to process, and has a 2% fixed fee. The secure one is said to be dealt with by hand and to be more secure. In this case there is a 3% fixed fee. For both, the lowest accepted sum is 0.01 BTC (fn. 4). According to the service's FAQ, there is an upper limit of 1,000 BTC. To be able to use the service, registration is mandatory and a username, name, password and email address have to be provided. This is common in other mixers, but not a good practice regarding privacy. To launder Bitcoin, the user has to make a deposit to a given address. When withdrawing, the only choices are the amount of Bitcoin to withdraw and the destination address. Despite the claim that it does not keep any personal information, we have found it stores data about its users' previous transactions with the service, including their exact date and time and the involved IPs and Bitcoin addresses. All these weaknesses could also be found in Bitlaunder. Since there is precedent for authorities arresting owners of laundering services (fn. 5), and the service retains full historical transaction data, this mixer cannot be considered secure. In addition, PHP errors appear frequently during its usage.
Footnote 1: In addition to a large set of python scripts developed by the authors, we have also been given access to some of the proprietary Chainalysis tools.
Security Analysis. On top of its bad design, the service is also subject to other critical problems. First, it is possible to find the IP address of the server hosting the mixer. This makes it easy to establish a link to an individual's name and address, and to other mixers he owns and operates. Since the server is using CloudFlare, which is only an HTTP proxy, the emails sent by the service (in response to customers' questions) do not go through it. By analysing the headers of these emails it is possible to find that the mail server is located at the address mail.darklaunder.com, which points to the IP address 94.23.45.166. We can, therefore, now access the website directly without going through CloudFlare. Furthermore, the SSL certificate used by the service is quite weak: it is signed with the SHA-1 algorithm, which is deprecated [3,4], with a 2048-bit key. Finally, the service certificate is self-signed, and has expired. It was signed in August 2015, which suggests the service has probably been online since around this time. The HTTP server used is Nginx 1.0.14, which is a legacy version, as the latest one at the time of writing is 1.10. There are multiple CVEs affecting the server version, as shown at cvedetails.com [5], notably CVE-2013-4547, CVE-2013-0337, CVE-2012-2089 and CVE-2012-1180. An additional serious security issue is that the server allows SSL v3, which is vulnerable to multiple attacks [6,7]. Bitlaunder suffers from many of the previously described problems.
Transactions with the Service. A total of 61 transactions were carried out with Darklaunder. At the beginning, the transactions were processed correctly, even if the time needed to get the money back was longer than expected, usually between 8 and 10 hours. From the 29th test on, transactions took more than 20 hours to withdraw. From the 45th, it took between one and seven days to get the withdrawal (sometimes due to multiple failures during the laundering process). Eleven transactions have also been made with Bitlaunder but no delays were encountered, probably because they were requested to be more evenly spaced in time. For both services, the fees taken have always been exactly as announced, but once Darklaunder returned the money twice (so we received double the money we sent!) and another time the service returned slightly less: 10% of the total sum was missing. These errors suggest that, at some point, the algorithm in charge of withdrawing the money was suffering from flaws. Another important mistake is that the service is using counters as transaction IDs, so the total number of transactions can simply be read off. Furthermore, several issues with the laundering algorithm can be detected after analysing our database of transactions. First and foremost, the independent accounts we have used happen to have common transactions. Also, when the service takes money from the wallet, the transaction used involves multiple input wallets and always has exactly two outputs, one of them, as we will see later, being a central address. This is quite a poor practice, since a malicious user may simply engage in making transactions on a regular basis to find the addresses of other users, thus partially de-anonymising the service (Fig. 1).
Footnote 4: During our tests we encountered some issues, and the contact support stated that the minimum value was 0.5 BTC. This is strange, since despite this message the mixer eventually worked after some time with the initial 0.01 BTC.
Footnote 5: For example in the case of coin.mx [1,2].
Fig. 1. Darklaunder: withdrawing to multiple addresses
Tracking the Money. Using a script to trace the money, some common paths between the addresses used have emerged. In particular, we can detect a path between wallets and return addresses, showing that the anonymity offered by the service is poor.
Figure 2 shows the output of the program we developed to follow the money, where we can see the results when tracking the wallet generated in the first transaction with the service. The watch-list is made of the addresses given to the service to get the money back. We can see that, in this case, the money has been redistributed to three known addresses generated in the next tests (these three addresses are the only ones that belong to us within four levels of tracking for all the tests; however, with deeper tracking it is possible to find even more).
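The forward-tracing walk described here (and the taint-analysis attacker model of Sect. 1), as an added Python example that is not the authors' tool: it performs a breadth-first walk from a deposit wallet over a constructed transaction set, reporting the watch-list addresses reached within four hops together with the path taken, and it also flags sweep transactions whose inputs combine deposit wallets of independent test accounts. All transaction ids, addresses and amounts are constructed sample data shaped like the Darklaunder pattern, not real Blockchain values.

```python
# Added example, not the authors' tracing script: forward taint tracing over a
# constructed in-memory transaction set, in the spirit of the "follow the money"
# tool of Sect. 2.1. Every txid, address and amount below is constructed sample
# data shaped like the Darklaunder pattern (a multi-input sweep into a central
# address, then a peeling chain that pays withdrawals), not real Blockchain data.
from collections import deque

# (txid, inputs, outputs); inputs/outputs are lists of (address, BTC amount)
TXS = [
    ("tx1", [("wallet_test1", 0.05), ("wallet_test2", 0.05)],
            [("central", 0.099), ("change_a", 0.0005)]),
    ("tx2", [("central", 0.099)], [("peel_1", 0.099)]),
    ("tx3", [("peel_1", 0.099)], [("return_test1", 0.048), ("peel_2", 0.050)]),
    ("tx4", [("peel_2", 0.050)], [("return_test2", 0.048), ("peel_3", 0.0015)]),
    ("tx5", [("peel_3", 0.0015)], [("external", 0.0015)]),
]

# Addresses handed to the service as return addresses in our (constructed) tests
WATCHLIST = ["return_test1", "return_test2", "return_test3"]


def spend_index(txs):
    """Map each address to the transactions that spend from it (its debits)."""
    spends = {}
    for txid, inputs, outputs in txs:
        for addr, _ in inputs:
            spends.setdefault(addr, []).append((txid, outputs))
    return spends


def trace(txs, seed, watchlist, max_depth=4):
    """Breadth-first walk forward from `seed`, following every debit.

    Returns {watched_address: (depth, path)} for each watch-list address reached
    within `max_depth` hops; `path` is the address sequence from seed to hit.
    Depth counts transactions crossed, so a hit at depth 3 means the return
    address is three transactions away from the tumbler's deposit wallet.
    """
    spends = spend_index(txs)
    watch = set(watchlist)
    hits = {}
    seen = {seed}
    queue = deque([(seed, 0, [seed])])
    while queue:
        addr, depth, path = queue.popleft()
        if depth >= max_depth:
            continue
        for _txid, outputs in spends.get(addr, []):
            for out_addr, _ in outputs:
                if out_addr in watch and out_addr not in hits:
                    hits[out_addr] = (depth + 1, path + [out_addr])
                if out_addr not in seen:
                    seen.add(out_addr)
                    queue.append((out_addr, depth + 1, path + [out_addr]))
    return hits


def shared_input_sweeps(txs, known):
    """Txids whose inputs spend from two or more `known` addresses at once.

    A transaction can only be signed by whoever holds all of its input keys,
    so deposit wallets of independent accounts swept in one transaction are
    linked to the same operator: the leak described in Sect. 2.1.
    """
    known = set(known)
    return [txid for txid, inputs, _ in txs
            if len({a for a, _ in inputs} & known) >= 2]


if __name__ == "__main__":
    for addr, (depth, path) in trace(TXS, "wallet_test1", WATCHLIST).items():
        print(f"{addr} reached at depth {depth}: {' -> '.join(path)}")
    print("sweeps linking our deposit wallets:",
          shared_input_sweeps(TXS, ["wallet_test1", "wallet_test2"]))
```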
Drawing and Analysing the Transactions. We will begin the analysis of the service by using Fig. 3, which is the graph generated after analysing the transactions we performed with Darklaunder and Bitlaunder, to one level of depth.
The image allows one to quickly visualise the very high centralization of the service, which is a poor characteristic regarding anonymity. All the wallets are sending their funds to address 15u...FKF (15uyvmNQtLPyzeNcBCvuvgH4f7MUN6XFKF). This central address was used for the first time on the 18th October 2015, which matches nicely with our estimate of the creation time of the service, and has been continuously used since.
Fig. 2. Darklaunder: output of the program following the money
Fig. 3. Darklaunder and Bitlaunder transactions, at depth one
Figure 4 shows the number of operations of the 15u...FKF address since its creation.
Fig. 4. Number of transactions by 15u...FKF, from October 2015 to February 2017
The address has a total of 1,635 operations. The number of credit transactions (934) is roughly equal to the number of debit transactions (719). However,
this address received money from 4,277 addresses but sent money to only 1,327 addresses. The total in and out by day, from the creation of the address to the 26th February 2017, tends to confirm the hypothesis that the address has only been used as a gateway. We can observe that the credit and debit per day are approximately equal, leaving the address with only a few bitcoin in reserve. Our last 2016 test transaction with the service was on the 5th May 2016, and at this time the wallet (1GgfvBoVpeJLKdVkqMehbFPrm4VjoqUP7) was still using the same central address. However, another transaction was carried out on the 27 June, and we can see that the wallet (1MC8VD89moVwXL4s213vNpdbrmUZQZf1DV) has used another address to get back the money: 13K...isR (13KtxHChVmGu43A19narE3hbKGCUBGAisR). This address was created on the 15 June 2016, which matches the moment when 15u...FKF's traffic started to decrease. In just 10 days, the new address made 110 transactions, sent 187.812357 BTC and received 190.612357 BTC.
By analysing money in, out and the total credit by day of address 13K...isR, we can see a very similar behaviour to that shown in Fig. 5. We can also observe that the percentages of credit and debit transactions are similar for the two addresses. Considering these elements, we can guess that the service periodically switches its central address. This is a good security practice, but by itself not sufficient to provide enough anonymity. The characteristics we underlined above may allow one to easily detect these new addresses, thus completely defeating its security aims.
Fig. 5. Transactions by 13K...isR from June 2016 to March 2017
The interactions involving the central address follow recognisable patterns, as shown in Fig. 6. We can see that in each case wallets send bitcoins to the central address (label 1) but sometimes they also send to other addresses (labels 2 and 3). These secondary addresses will receive bitcoins from other transactions involving the withdrawal addresses, and will then send them to other addresses and back to the central node. Sometimes the rest of the transaction is directly sent to the central address, as with node 26. Node 6 on the graph represents the address 15v...j2N (15vXhKcnNZo6su5PkKeZQPavvFhjVG3j2N). Looking at its transactions is particularly interesting: there are a total of 51 at the time of writing, and the pattern followed is very characteristic. The address receives money and then sends it to two types of addresses; most of the bitcoins go to the central node, but a few of them go to another address (not the same every time) which is probably there to confuse a potential attacker.
The fact that the money of all wallets is sent to the central node is a terrible weakness, since it allows the wallet addresses to be found with great ease. In addition, performing most of the withdrawal transactions within only one or two levels of the central node is also extremely poor.
Fig. 6. Interaction with central address
When observing the withdrawal transactions, a specific pattern is also interesting to notice: almost every withdrawal is at a distance of one address, as we can see in Fig. 7, which has been adapted from real data. Address 1 (which has not been analysed) establishes a link between two withdrawals, and Address 2 sends the funds to the addresses used to withdraw.
Fig. 7. Interaction between withdrawal transactions.
Using Walletexplorer, we can find that Address 2 belongs to localBitcoins.com while Address 1 behaves similarly to Addresses 3 and 4. We can see that the debit transactions follow two distinct patterns. Either the central address gives money to localBitcoins, or it makes a peeling chain (which consists of dividing the sums again and again) and eventually sends money to localBitcoins after a small number of transactions. Using the information gathered so far, we are now able to understand the complete workflow of the service, which we display in Fig. 8.
Fig. 8. Darklaunder workflow
The wallets are used to credit the central address (1) but at the same time they can also make use of a change address (7). This change address will receive credit at the end of the withdrawal chain and send it to the central address. The central address sends Bitcoins to localBitcoins directly but also, sometimes, starts a peeling chain where bitcoins can be sent to localBitcoins.com during the process (49, 51) or later (55, 56, 57, 58). Then, localBitcoins sends money back to the service (17, 28), which starts a new withdrawal chain. Using the Chainalysis tool, a graph of the exchanges has been drawn (Fig. 9).
Fig. 9. Interaction of the service with external clusters
So we can conclude that the laundering algorithm itself is quite poor. The service is characterised by a heavy centralization, because a central address is gathering all the Bitcoins from the customers' wallets and receives the rest of the money at the end of the withdrawal chain. Furthermore, it is easy to find a direct route (only a few levels deep) from the central address to some of the wallets. Tracking is further facilitated because a significant number of transactions have multiple input addresses. Finally, the scarcity of traffic makes for an even easier address identification (Fig. 10).
Fig. 10. Estimated darklaunder transaction volume
2.2 Helix
The Service. Helix is accessible only using Tor (fn. 11) and offers two different services: a standard version and a light version. The two versions differ only in that the light one allows withdrawing to up to five addresses, and choosing to receive multiple transactions and/or within a random time delay of a few hours, while the standard version requires registration and allows managing a wallet and automatically mixing money sent to the wallet to a defined address. Both standard and light services charge a 2.5% fee, and only allow withdrawals of 0.02 BTC or more.
Analysis of the Transactions. A total of 34 transactions were carried out with this service. The money always returned on time, and to the right number of addresses. On the more negative side, the page which displays the status of the laundering process has been observed to remain active a few days after the mixing has finished, when it is claimed to be available only for 24 h. Furthermore, a major problem has been found in the pattern of transactions: regardless of whether we ask for multiple transactions or to use multiple addresses, our tests suggest that there will always be 5 transactions done in total. Some of our wallets and return addresses (issued from different tests) have also been observed taking part in the same transactions. Finally, our tests revealed that it always takes between one and two minutes to make a transaction. The average time is ninety seconds and the average duration for all the transactions to perform is five minutes and fifty seconds. This allows for a trivial timing-based attack.
Analysis of the Addresses. Our analysis started by drawing a graph of the exchanges we carried out, at a depth level of 2 from our wallet and return addresses, as shown in Fig. 11.
First, it is possible to observe that the green addresses (which are the addresses where the coins have been returned) are very close to each other, sometimes even present in the same transaction. This can be explained by the fact that the service is using a peeling chain to fund its customers. An interesting fact is that the transactions in these chains always have a single input but can have between two and five outputs, thus allowing withdrawals to multiple customers at the same time. Three addresses involved in a large number of transactions are shown in the graph. The one in the center is identified by the Chainalysis tool as part of LocalBitcoins.com. This cluster receives money from multiple points in peeling chains; this suggests it is widely used by customers of the service. The two other addresses are identified by the tool as part of the same cluster, which will be named C1 (fn. 12) and studied later. Finally, the graph shows that multiple addresses are receiving coins from multiple wallet addresses (in red).
Footnote 11: Main address is at http://grams7enufi7jmdl.onion/helix/light.
Fig. 11. Helix light exchanges at depth 2 - August 2016 (Color figure online)
Fig. 12. Helix light withdrawal pattern - February 2017 (Color figure online)
Figure 12 has been drawn using Reactor. It represents the return transactions made by Helix. The point on the left is a custom cluster, made of all the return addresses used to perform the tests. The red point on the right is the Helix cluster, and the big point in the middle is cluster C1. It is possible to observe that C1 is receiving multiple transactions originating from a significant number of addresses in the graph. This cluster seems to be receiving coins only from Helix's peeling chains. The money sent by C1 cannot be linked to Helix, but it is possible to formulate two hypotheses: either the owner of the service is using the cluster to recover some money, or this is a very special customer making extensive usage of the service (190 BTC have been received).
Footnote 12: 1MiaNEG1jqoAeLPSE8JuZ8ync1e6i1y6ho.
The second interesting point is that (even though not all the chains are shown in the graph) all the money that has been sent to the return addresses goes through the Helix cluster, after a few transactions on the peeling chain. This allows us to guess the algorithm used by the service: it generates multiple wallets and recovers their money using a few transactions. This money is then directly sent to a peeling chain for the customers' withdrawals.
Assessment of the Service. The Chainalysis tool suggests that at least 216,000 BTC have been mixed using this service until early 2017, showing it is widely (fn. 13) used. However, our findings indicate that it does not offer adequate anonymity. We observed that wallets and withdrawals of multiple customers are present in the same transaction, or very close to each other, so that it is easy to identify them. For example, by processing regular and small-amount transactions with the service we can gain valuable insights that can help us compromise its security and anonymity at a very low cost.
2.3 Alphabay
The Service. Alphabay was accessible only through Tor (fn. 14) and required users to open a customer account. The registration was straightforward, and only a username and password were required. A wallet address is automatically generated by the service for the user, and that address changes every time a deposit is made. However, the address was still usable seven days after the change. On top of that, if the generated address has not been used after ten days, it will be deleted. Each deposit to the service must be at least 0.01 BTC, and it is possible to withdraw money for a fee of 0.001 BTC. The service offered the possibility to withdraw to one to five addresses, in an interval of time between one and twenty-four hours. An option labeled "Sent a single transaction" suggests that the service was capable of returning money in multiple transactions.
Transaction Analysis. We performed 35 transactions with the service before proceeding with a first analysis of the tumbler. Multiple problems were detected at this early point. First, the service was taking more than what was claimed in fees (0.007 BTC instead of 0.001). In addition, the money was moved from the user's wallet before the withdrawal was carried out. During the tests, we also noticed that the service was never returning the money in multiple transactions (a feature that is proposed in the form) and that it did not return money to multiple addresses if the sum to withdraw is less than (#Addresses × 0.01 BTC). During our tests, we also noticed that the service never returned money by doing multiple transactions to a single address. This was still true as of our last test on the 16th February, 2017. Another important problem was in the history of withdrawals, as IDs are used and they are simply incremental counters that leak the number of transactions. Using this information we can, for example, estimate the number of transactions to be around 33.76 per minute between the 4 and the 6 August 2016. Recent cluster size estimation tends to suggest the number of transactions did not change much a year later. Finally, we can also detect some specific patterns concerning the number of inputs and outputs in the transactions performed by Alphabay, which can allow for simple heuristics to recognize them. On a more positive note, the money is always returned on time.
Footnote 13: The number of bitcoins in circulation at the time of writing is approximately 16.2 million, according to Blockchain.info.
Footnote 14: The main address was at pwoah7foa6au2pul.onion, but many others existed to cope with frequent DDoS attacks.
Analysis of the Addresses. By drawing the exchanges of the addresses to two depth levels, we can observe that while the money on the wallet addresses is going to addresses with a lot of traffic, the withdrawals are performed within a basic peeling chain. The peeling chain is a pattern of use widely present in the Bitcoin network; for example, various services often use it to pay out their customers. Basically, a chain starts with an address receiving a decent amount of coins. This address will then send the coins to two (or more) addresses. One of these addresses will belong to the service and will then send coins to two (or more) addresses, until there is no money left. In our example (Fig. 13), we can see a withdrawal chain started by the service (in blue) with 50 BTC. Another common characteristic is that the nodes of a peeling chain have only two transactions: one credit and one debit. In the case that a peeling chain is used by a service, it can happen that the orange nodes are not withdrawals to a customer but just a redirection of some part of the money to another peeling chain also owned by the service. For example, 1dj6nAA7Sp456Ph9EvM8LYnvb6aYX9NPQ is the start of a classical peeling chain.
Fig. 13. How a peeling chain works (Color figure online)
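The peeling-chain heuristic described above, as an added Python example that is not from the paper: it walks a chain from a starting address using the one-credit/one-debit, single-input rule and separates the continuing node from the peeled outputs at each hop, generalised to any number of peeled outputs per hop and to the hand-off case where a single-output hop passes the remainder to another chain. Transaction ids, addresses and amounts are constructed sample data, not real Blockchain values.

```python
# Added example, not from the paper: a detector for the peeling-chain pattern
# described in Sect. 2.3, generalised to any number of peeled outputs per hop.
# Heuristic used: a chain node has exactly one credit and one debit, and that
# debit has a single input; every hop sends to two or more outputs, one of which
# is the next chain node (the largest such candidate) and the others are peeled
# off (customer withdrawals). A hop with a single output is treated as a hand-off
# to another chain owned by the same party. All txids, addresses and amounts
# below are constructed sample data, not real Blockchain values.

TXS = [  # (txid, inputs, outputs); inputs/outputs are (address, BTC) pairs
    ("p0", [("funding_a", 30.0), ("funding_b", 20.0)], [("chain_0", 50.0)]),
    ("p1", [("chain_0", 50.0)], [("cust_1", 1.5), ("chain_1", 48.499)]),
    ("p2", [("chain_1", 48.499)],
           [("cust_2", 0.8), ("cust_3", 2.0), ("chain_2", 45.698)]),
    ("p3", [("chain_2", 45.698)], [("cust_4", 3.0), ("chain_3", 42.697)]),
    ("p4", [("chain_3", 42.697)], [("sidechain_0", 42.696)]),
    # a customer later spends their withdrawal together with another coin
    ("x1", [("cust_1", 1.5), ("other", 0.3)], [("exchange", 1.79)]),
]


def build_index(txs):
    """Per-address credit and debit txids, plus a txid -> (inputs, outputs) map."""
    credits, debits, by_id = {}, {}, {}
    for txid, inputs, outputs in txs:
        by_id[txid] = (inputs, outputs)
        for addr, _ in inputs:
            debits.setdefault(addr, []).append(txid)
        for addr, _ in outputs:
            credits.setdefault(addr, []).append(txid)
    return credits, debits, by_id


def is_chain_node(addr, credits, debits, by_id):
    """Exactly one credit, exactly one debit, and the debit has a single input."""
    if len(credits.get(addr, [])) != 1 or len(debits.get(addr, [])) != 1:
        return False
    inputs, _ = by_id[debits[addr][0]]
    return len(inputs) == 1


def walk_peeling_chain(txs, start):
    """Follow the chain from `start`.

    Returns {"nodes": chain addresses in order,
             "peeled": [(txid, address, amount)] paid out along the way,
             "end": (reason, address)} where reason is "handoff" (single-output
    hop to another chain), "exhausted" (no continuation among the outputs) or
    "stop" (the address does not match the chain-node heuristic).
    """
    credits, debits, by_id = build_index(txs)
    nodes, peeled = [], []
    addr = start
    while is_chain_node(addr, credits, debits, by_id):
        txid = debits[addr][0]
        _, outputs = by_id[txid]
        nodes.append(addr)
        if len(outputs) < 2:
            return {"nodes": nodes, "peeled": peeled,
                    "end": ("handoff", outputs[0][0])}
        candidates = [(a, v) for a, v in outputs
                      if is_chain_node(a, credits, debits, by_id)]
        cont = max(candidates, key=lambda o: o[1]) if candidates else None
        for a, v in outputs:
            if cont is None or a != cont[0]:
                peeled.append((txid, a, v))
        if cont is None:
            return {"nodes": nodes, "peeled": peeled, "end": ("exhausted", addr)}
        addr = cont[0]
    return {"nodes": nodes, "peeled": peeled, "end": ("stop", addr)}


if __name__ == "__main__":
    result = walk_peeling_chain(TXS, "chain_0")
    print("chain:", " -> ".join(result["nodes"]))
    for txid, a, v in result["peeled"]:
        print(f"  {txid}: {v} BTC peeled to {a}")
    print("end:", result["end"])
```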
If we look closely at Fig. 14, the first thing we will notice is that three addresses on the graph are involved in a large number of transactions. These addresses will be discussed later and will be named A1 (1HBsi9dDzHQecyy4xtRnvqjiT1KvLUwRcH, the one on the left), A2 (16ZZ6svbB36o5Q2gLtAMHMiKJXtbs6nvuF, the one at the bottom) and A3 (14cGaFD4iUyqX9NQaB1ff8uLUb42qd5deM, the one on the upper right). We will first focus on the exchanges carried out by our wallets: we can observe that, every time, the service is making transactions with the wallet following the exact same pattern. Money is moved with a transaction having only one input and one output, and goes to an address which has multiple transactions. We can observe a lot of transactions on this destination address, so we used the Chainalysis tools to gather more information.
Fig. 14. Alphabay exchanges at depth 2.
There are multiple types of clusters we can observe in Fig. 15:
1. Some are identified by Chainalysis as belonging to well-known services, such as BTC-e or localBitcoins.com.
2. Some are not identified as known services, and only receive money from addresses identified as part of the Alphabay cluster, or from addresses matching the wallet pattern. Then, they send money to a single service using different addresses (for example 19Gc...X1d, i.e. 19Gc23Ggr58ZRhemmx7rtZnqTj6tasX1d). In this case, we hypothesize that Alphabay is using these services to mix the bitcoins.
3. Some match pattern 2, but do not send money directly to services and instead start peeling chains (e.g. 1JJww8DFoAp5whSu4oV89yZyY8MPVomsiz). The peeling chain is probably used to withdraw money off the service.
4. Some match pattern 2, but send money directly to multiple services. We do not have a good enough explanation for these cases.
5. A few clusters are sending and receiving money to/from multiple services. In this case, they probably belong to services that are not detected by the tool yet.
What we can tentatively conclude from this study is that Alphabay is using other third party services to mix their bitcoins, but that it probably also makes some custom in-house mixing. Here, we can identify a clear flaw: multiple customer wallets are sending money to the same address, which could make the detection of wallet addresses and the tainting process particularly easy. When studying addresses A1, A2 and A3 in Fig. 15, we observe that these are receiving a total of 8,582 credit transactions and only 122 debit transactions. Moreover, the credit transactions have (with a few exceptions) only one input and one output. This suggests we are dealing with users' wallets. We noticed that the clusters have a relatively large number of transactions matching the same pattern: deposit transactions having one (or two in some cases) inputs and two outputs.
Fig. 15. Alphabay Wallet exchanges
We then analysed return addresses. We can see in Fig. 15 that these addresses are often linked together and, sometimes, have associations to addresses exchanging with many more addresses than usual. In the first case, we observed that the addresses are part of a peeling chain. These peeling chains are most of the time tainted with Alphabay addresses, but sometimes we can track their origin back to services such as localBitcoins. The second case is a direct withdrawal from a known service (most of the time, localBitcoins). Our address is never alone on the outputs, and most of the time another output in the withdrawal transaction leads to Alphabay. In both cases, we can say that the withdrawal is not secure. In the first case, since the peeling chain is highly tainted by Alphabay, it would be easy to identify withdrawal chains tainted by the service. Even without knowing which cluster Alphabay is, engaging in regular, low-cost transactions with it should be enough for taint purposes. In the second case, we would need to know Alphabay's addresses to be able to find the withdrawal addresses. This would be a little more involved but not too difficult. In any case, this is not the most common way the money is withdrawn.
3 Conclusions
Bitcoin mixers are quite popular nowadays, but even the most well-known and established ones seem to have serious security and privacy limitations, as exposed in this work. Together with the major players, a myriad of smaller laundry services such as Bitlaunder, Darklaunder and Coinmixer exist, and we have shown that some of them offer an appalling service that can seriously compromise the security and privacy expectations of any legitimate user. Unfortunately, the major players such as Alphabay and Helix also present significant deficiencies. Our findings show that devising and implementing a secure mixer is far from an easy task, and as such it is plagued with a multitude of opportunities to get things wrong and compromise the service. This is refreshing news for Law Enforcement, who will be able to taint Bitcoin transactions and even back-track them by using our findings and some readily available technology. But at the same time this is worrying news for any legitimate Bitcoin user who simply wants to use these services for the purpose of increasing their anonymity. More study needs to be done on the advantages and shortcomings of the different algorithms employed by these tumblers, as a well-founded theoretical analysis of a highly secure and privacy-aware protocol for providing the required mixing services is unfortunately still lacking. Whether these mix services will continue to be popular and profitable in the near future, when alternative cryptocurrencies that offer improved anonymity and untraceability properties such as Monero or Zcash become widely accepted, is still an open question.
Acknowledgements
This project has received funding from the European Union's Horizon 2020 research and innovation programme, under grant agreement No. 700326 (RAMSES project). One co-author also wants to thank EPSRC for project EP/P011772/1 on the EconoMical, PsycHologicAl and Societal Impact of RanSomware (EMPHASIS) which partly supported this work.