Behind the chain of obscurity: methodologies for cryptocurrency forensic analysis
Abstract
Bitcoin and alternative cryptocurrencies are decentralised digital currencies that
allow users to anonymously exchange money without requiring the presence of a
trusted third party. The privacy components of cryptocurrency can facilitate illegal
activities and present new challenges for cybercrime forensic analysis. Tackling such
challenges motivates new research interest in cryptocurrency tracking. This thesis
explores and proposes novel methodologies and improvements to existing cryptocurrency tracking and analysis methodologies.
Our first contribution explores the most commonly used cryptocurrency tracking methodology named Taint Analysis and investigates a potential improvement to
the methodology’s tracking precision with the implementation of address profiling.
We also introduce two context-based taint analysis strategies and hypothesise behaviours related to the tracked Bitcoins' context to create a set of evaluation metrics.
We conducted an experiment using sample data from known illegal Bitcoin cases to
illustrate and evaluate the methodology, and the results reveal distinct transaction
behaviours in tracking between the results with and without address profiling for all
of the metrics. Our second contribution proposes a cryptocurrency tracking methodology named Address Taint Analysis that is capable of tracking zero-taint coins created by Privacy-Enhancing Technologies (PETs) called centralised mixer services,
which are untrackable with taint analysis tracking. Our results indicate that our proposed address taint analysis can trace the zero-taint Bitcoins from nine well-known
mixer services back to the original Bitcoins. Our third contribution investigates and
proposes a detection method for the CoinJoin transactions of Wasabi Wallet, which is one
of the most recent well-known PET services. Our fourth contribution introduces an
open-source library for cryptocurrency tracking and analysis named TaintedTX,
that we utilised to perform our research experiments. The library supports a variety of taint analysis strategies that users can select to track targeted transactions
or addresses. The library also includes a compilation of utility functions for address
clustering, website scraping, and transaction and address classification.