BITCOIN - De-anonymization and Money Laundering Detection Strategies
Bernhard Haslhofer
Austrian Institute of Technology (AIT)
APWG eCrime Symposium
Barcelona, 2015-05-26
BITCRIME
• Bilateral (AT/DE) research project (10/2014 - 10/2016)
• Multidisciplinary team of researchers, policy makers,
and law enforcement agencies
• Goal: research strategies for mitigating crime risks in
virtual currencies
• https://www.bitcrime.de/
[Figure: diagram with labels E1, Tx, Ty and A1 to A5]
indexed. While previous works [2, 4] employed a forked version of bitcointools, the newer bitcoin clients
indexed the full blockchain using LevelDB instead, making the publicly available bitcointools obsolete.
Instead, we used Armory to parse through the blockchain, and wrote wrapper classes that extracted the
relevant information required to construct the transaction graph.
5.1.2 Web Scraping
Many users, in particular early adopters, are interested in driving bitcoin use into more mainstream public
use. One way they do this is to try to encourage transactions. A common practice is to attach a bitcoin
address as a signature to emails or forum posts. In forum posts especially, users contribute to the community,
for example with new mining software or a tutorial on how to get set up to use bitcoins, and leave their
address in the signature block. They expect to receive tips from forum readers that find their post helpful.
This practice created a natural attack vector to the anonymity of the block chain. We can easily tie user
information to transactions in the block chain.
We used a Python package called Scrapy to fetch and parse the forum pages (fig. 3). We wrote a spider
that crawls bitcointalk.org in a breadth-first manner looking for post signatures that might contain bitcoin
addresses (i.e. it matched the regular expression r'1.{26,33}'). We then took this string and verified that it
was a legitimate bitcoin public key (bitcoin addresses include a built-in checksum) to avoid attempting to
annotate a large number of nodes that can't possibly appear in the blockchain.
Figure 3: A typical user signature line that includes a bitcoin address for 'tipping'.
We were able to find a large number of forum users that can be directly linked to their keys in the
transaction graph. We ran the scraping code for just under 30 hours. During this time we followed links
up to four deep from the home page. This covered a total of 44,086 pages and 89,088 posts that included a
Cross-reference block chain and external data (cf. Fleder et al. 2015)
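The match-then-verify step described in the excerpt above, as an added example (not code from the slides or from Fleder et al.): candidate strings are pulled from signature text and kept only if their Base58Check checksum verifies. The function names, the tightened candidate pattern and the sample signature are assumptions made for this illustration.

```python
import hashlib
import re

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Assumption: a stricter candidate pattern than the excerpt's r'1.{26,33}',
# limited to Base58 characters and the 26-34 character length of '1...' addresses.
CANDIDATE_RE = re.compile(r"(?<![{0}])1[{0}]{{25,33}}(?![{0}])".format(B58))


def _checksum(data):
    """First four bytes of double SHA-256, as used by Base58Check."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()[:4]


def b58decode(s):
    n = 0
    for ch in s:
        n = n * 58 + B58.index(ch)  # ValueError on a non-Base58 character
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return b"\x00" * (len(s) - len(s.lstrip("1"))) + body  # leading '1' = zero byte


def b58check_encode(version, payload):
    """Only used here to build constructed sample addresses."""
    raw = bytes([version]) + payload
    raw += _checksum(raw)
    n, out = int.from_bytes(raw, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    return "1" * (len(raw) - len(raw.lstrip(b"\x00"))) + out


def is_valid_address(addr):
    try:
        raw = b58decode(addr)
    except ValueError:
        return False
    # Layout: version byte 0x00 + 20-byte hash + 4-byte checksum
    return len(raw) == 25 and raw[0] == 0 and _checksum(raw[:-4]) == raw[-4:]


def extract_addresses(text):
    return [c for c in CANDIDATE_RE.findall(text) if is_valid_address(c)]


# Constructed sample data: not real forum content or real users' addresses.
GOOD = b58check_encode(0, bytes(range(1, 21)))
BAD = GOOD[:-1] + ("2" if GOOD[-1] != "2" else "3")  # one character altered
SIGNATURE = "Tips welcome: %s (old: %s) 1 tutorial per week, 100%% open" % (GOOD, BAD)

if __name__ == "__main__":
    print(extract_addresses(SIGNATURE))
```

The altered string still matches the candidate pattern but fails the checksum, which is the filtering effect the excerpt relies on to avoid annotating strings that cannot appear in the block chain.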
Scan block chain for known patterns
• Placement, Layering, Integration
• Smurfing/Structuring
Problem: Mixing services can anonymize relationship between sender and receiver
Towards Risk Scoring of Bitcoin Transactions
Malte Möser, Rainer Böhme, and Dominic Breuker
Department of Information Systems, University of Münster, Germany
Abstract. If Bitcoin becomes the prevalent payment system on the Internet,
crime fighters will join forces with regulators and enforce blacklisting
of transaction prefixes at the parties who offer real products and
services in exchange for bitcoin. Blacklisted bitcoins will be hard to spend
and therefore less liquid and less valuable. This requires every recipient of
Bitcoin payments not only to check all incoming transactions for possible
blacklistings, but also to assess the risk of a transaction being blacklisted
in the future. We elaborate this scenario, specify a risk model, devise a
prediction approach using public knowledge, and present preliminary results
using data from selected known thefts. We discuss the implications
on markets where bitcoins are traded and critically revisit Bitcoin's ability
to serve as a unit of account.
1 Introduction
Whenever a merchant receives a 100-dollar note, she is well advised to carefully
References
• HM Treasury (2015). Digital Currencies: response to the call for
information. Available at: https://www.gov.uk/government/consultations/digital-currencies-call-for-information
• Reid and Harrigan (2013). An Analysis of Anonymity in the Bitcoin
System. Available at: http://arxiv.org/abs/1107.4524
• Fleder et al. (2015). Bitcoin Transaction Graph Analysis. Available at:
http://arxiv.org/abs/1502.01657
• Biryukov et al. (2014). Deanonymization of clients in Bitcoin P2P
network. Available at: http://arxiv.org/abs/1405.7418
• Möser et al. (2013). An Inquiry into Money Laundering Tools in the
Bitcoin Ecosystem. Available at: https://maltemoeser.de/paper/money-laundering.pdf