Behind the chain of obscurity : methodologies for cryptocurrency forensic analysis

Abstract

Bitcoin and alternative cryptocurrencies are decentralised digital currencies that allow users to anonymously exchange money without requiring the presence of a trusted third party. The privacy components of cryptocurrency can facilitate illegal activities and present new challenges for cybercrime forensic analysis. Tackling such challenges motivates new research interest in cryptocurrency tracking. This thesis explores and proposes novel methodologies and improvements to existing cryptocurrency tracking and analysis methodologies. Our first contribution explores the most commonly used cryptocurrency tracking methodology named Taint Analysis and investigates a potential improvement to the methodology’s tracking precision with the implementation of address profiling. We also introduce two context-based taint analysis strategies and hypothesise behaviours related to the tracked Bitcoins context to create a set of evaluation metrics. We conducted an experiment using sample data from known illegal Bitcoin cases to illustrate and evaluate the methodology, and the results reveal distinct transaction behaviours in tracking between the results with and without address profiling for all of the metrics. Our second contribution proposes a cryptocurrency tracking methodology named Address Taint Analysis that is capable of tracking zero-taint coins created by Privacy-Enhancing Technologies (PETs) called centralised mixer services, which are untrackable with taint analysis tracking. Our results indicate that our proposed address taint analysis can trace the zero-taint Bitcoins from nine well-known mixer services back to the original Bitcoins. Our third contribution investigates and proposes a detection method for Wasabi Wallet’s CoinJoin transactions, which is one of the most recent well-known PET services. Our fourth contribution introduces an open-source library for cryptocurrency tracking and analysis named, TaintedTX , that we utilised to perform our research experiments. The library supports a variety of taint analysis strategies that users can select to track targeted transactions or addresses. The library also includes a compilation of utility functions for address clustering, website scraping, transaction and address classifications.