Learn the basics of Bitcoin transactions & tracking methods for law enforcement, including tools & techniques to enhance your investigations.
This ACFCS contributor report, initially published on July 17, 2024, by the Association of Certified Financial Crime Specialists (ACFCS), includes editing and content contributions from Brian Monroe, ACFCS VP of Content.
In this article by longtime fincrime fighter Ervin Zubic, head of blockquiry, he offers a practical guide to help law enforcement officers at all levels better understand the basics of how Bitcoin transactions work, explore manual tracking techniques, and highlight tools that can simplify illicit value tracking efforts.
As more officers encounter crypto in their work, understanding the basics of Bitcoin transactions and how they intersect with both the virtual and physical worlds will become an increasingly vital skill — including banks and crypto exchanges.
Banks are typically called the “on-road and off-road” of virtual value exchange transactions, meaning that if an investigator can build a strong enough case by following the blockchain and overcoming regional or jurisdictional hurdles, they could use subpoena powers to investigate, seize, and freeze assets in the real world.
How Bitcoin Can Help Track Down Criminals (HBO). Source: VICE News on YouTube.
Bitcoin has become a significant component of modern investigations, particularly when dealing with financial crime.
This article, inspired by my recent engagement with local law enforcement on a complex case involving Bitcoin and an investment scam, aims to demystify the cryptocurrency for officers new to its intricacies.
The case revolved around a sophisticated network where criminals used Bitcoin to defraud investors, promising high returns and then disappearing with the funds.
This presented a significant challenge for investigators, who initially struggled to trace the digital breadcrumbs. Through diligent analysis and the use of blockchain analytics tools, we managed to uncover the transaction paths and link them to real-world entities.
Many local law enforcement departments are still unable to handle cryptocurrency investigations effectively.
This does not imply a lack of capability — many departments are proficient — but the focus here is on providing foundational knowledge to those unfamiliar with cryptocurrency investigations.
As more officers encounter crypto in their work, understanding the basics of Bitcoin transactions and how they intersect with both the virtual and physical worlds will become an increasingly vital skill.
In this article, we’ll cover the basics of how Bitcoin transactions work, explore manual tracking techniques, and highlight tools that can simplify your tracking efforts.
By the end, you’ll have a solid understanding of Bitcoin transactions and be able to explain the underlying processes confidently. This knowledge will be invaluable if you need to testify, enabling you to go beyond merely stating, “We plug in the values, and the software tracks it.”
Additionally, you’ll develop the skills needed to identify and correct errors that the software might occasionally make, ensuring accuracy in your investigations.
In some cases, it could behoove an investigator to follow the money in a virtual world back to its connections in the real world, including brick-and-mortar banks and crypto exchanges.
Banks are typically called the “on-road and off-road” of virtual value exchange transactions, meaning that if an investigator can build a strong enough case by following the blockchain and overcoming regional or jurisdictional hurdles, they could use subpoena powers to investigate, seize, and freeze assets in the real world.
Understanding these dynamics will not only enhance your investigative skills but also empower you to leverage the full potential of blockchain analytics in your law enforcement efforts.
Bitcoin’s transparency has paradoxically made it a tool for both legitimate and illicit purposes. Crypto scams extend beyond foreign nation-states like Russia, Iran, and North Korea or foreign money laundering and sanctions-busting networks. Street-level criminals use crypto transactions for various reasons, appearing in city, county, and state investigations. For example, in addition to high-profile investment frauds, crypto is prevalent in pig butchering scams where victims are groomed into fraudulent investments and business email compromise attacks where illicit payments are funneled via the Bitcoin blockchain. Common crypto scams include blackmail, sextortion, and ransomware, which are the most reported types, according to data analyzed from over 250,000 abuse reports. Today, Bitcoin is used in a wide range of criminal activities, from smaller-scale crimes like drug deals to large ransomware payments, all exploiting its perceived anonymity.
Bitcoin’s immutable ledger has enabled law enforcement to resolve significant cases swiftly, often in a matter of months rather than years. For example, in one landmark case, Michael Kane and Shane Hampton were sentenced to prison for manipulating cryptocurrency prices and committing securities fraud. They used an automated bot to place spoof and wash trades, fraudulently inflating the price of their token, Hydro, leading to millions in illicit profits. By meticulously tracing these fraudulent transactions on the blockchain, authorities could link the scheme back to the perpetrators and secure convictions.
Similarly, Remy St. Felix orchestrated a series of violent home invasion robberies across multiple states, targeting cryptocurrency owners. His crew used physical violence to force victims to drain their crypto accounts, stealing substantial amounts of digital currency. Investigators, leveraging blockchain analysis and traditional surveillance methods, unraveled the network, leading to the arrest and conviction of St. Felix and his co-conspirators. These examples highlight how blockchain technology, combined with diligent investigative work, can lead to the rapid resolution of complex crypto-related crimes.
The global response to Bitcoin’s use in crime has led to the implementation of stringent Anti-Money Laundering (AML) regulations aimed at enhancing transparency and traceability of crypto transactions. The Financial Action Task Force (FATF) has provided guidelines that serve as a framework for these regulations. One key aspect of these guidelines is the Travel Rule, which mandates that crypto exchanges collect and share detailed transaction information. In the European Union, this will be enforced starting December 30, 2024, under the Markets in Crypto-Assets (MiCA) regulation. The Travel Rule requires that information such as the names, distributed ledger addresses, and account numbers of both the originator and beneficiary be included in each transaction, regardless of the amount. This presents challenges due to the pseudo-anonymous nature of Bitcoin, making it difficult to capture and share this information accurately. Consequently, international cooperation and advanced blockchain analytics tools are essential for effective enforcement, ensuring that AML measures can adapt to the complexities of the digital age.
A key concept in understanding Bitcoin transactions is cryptocurrency addresses. These are strings of letters and numbers functioning similarly to email addresses or bank account numbers, giving users the capability to exchange Bitcoins on the blockchain.
A Bitcoin address functions like an email address in that it allows you to send and receive Bitcoin. It is created from a public key and is formatted in a specific way (often using base58). However, a Bitcoin address is not the same as a wallet. A wallet is a digital tool that can manage multiple Bitcoin addresses along with their corresponding private keys.
Public Key: Functions like a mailbox where anyone can send Bitcoin to you. It forms part of the Bitcoin address.
Private Key: A private key, acting like a password, unlocks the Bitcoin held at a specific address, enabling you to spend it. Possessing someone’s private key means having control over the Bitcoin at that address.
Different types of Bitcoin addresses have been developed over time, each with unique characteristics:
Pay-to-Public-Key-Hash (P2PKH) addresses are the original Bitcoin address type, introduced with Bitcoin’s launch in 2009. These addresses start with “1” and are 25–34 alphanumeric characters long, representing the hash of a recipient’s public key. They provide a way to send funds directly to the associated Bitcoin wallet.
Introduced in 2012, Pay-to-Script-Hash (P2SH) addresses start with “3” and allow users to send funds that can only be spent if certain customized rules are met. This enables more advanced transactions, such as multi-signature transactions requiring multiple private keys to validate.
The bech32 format, introduced in 2017, is a more efficient way to encode Bitcoin addresses. Prefixed with “bc1q,” these addresses help reduce network traffic by allowing more transactions per block. They are also case-insensitive, reducing user errors.
Adopted in 2021, Taproot addresses (starting with “bc1p”) enhance privacy by making all Bitcoin transactions look similar on the blockchain. They also improve efficiency by allowing the network to process more signatures in parallel and are case-insensitive like bech32 addresses.
Understanding these addressing schemes is crucial for law enforcement. It allows officers to interpret the complex yet immutable trail of activity on the blockchain and recognize various Bitcoin address formats, preventing critical evidence from being overlooked.
At its core, Bitcoin operates as a decentralized peer-to-peer electronic cash system without a centralized authority, like a bank, controlling the network. Instead, every Bitcoin transaction is recorded on a public ledger called the blockchain, organized in sequential batches known as blocks.
Every Bitcoin transaction is made up of inputs and outputs:
Inputs: The sender’s Bitcoin addresses and the amounts they want to transfer.
Outputs: The recipient’s addresses and the payment amounts.
However, transactions are more complex than simply moving money from a sender to a receiver. They consume and re-allocate all the sender’s previous unspent transaction outputs (UTXO) when creating new transaction outputs.
Let’s say that Alice wants to send 1 BTC to Bob, her transaction doesn’t merely deduct 1 BTC from her Bitcoin address. Instead, it consumes all her UTXOs from previous transactions — say 2 BTC in this case. The transaction then creates two outputs: 1 BTC sent to Bob’s address and the remaining 1 BTC sent back to Alice as change.
Now let’s look what a similar transaction would look like if viewed via blockchain explorer. In our case we will use blockchain.com/explorer. Consider a transaction with the following inputs and outputs:
Input Addresses:
Address 1 (1Gw192…): 10.1 Bitcoin
Address 2 (1Fw7Wv…): 0.03 Bitcoin
Output Addresses:
Address 1 (1NXw4u…): 0.01 Bitcoin
Address 2 (16zy2q…): 10.03 Bitcoins
In this example, any single input could cover the amount sent to the first output address. However, both inputs combined are needed to cover the second output. This practice is commonly referred to as co-spending, where multiple inputs are used in a single transaction. This suggests the primary payment is to the second output address,16zy2q,
and the first output address is likely the change address, 1NXw4u
.
To help you get comfortable looking at the Bitcoin transaction lets look at few different examples using blockchain.com.
You can explore this transaction on blockchain.com by clicking on this link, which links to Bitcoin address 17H6CDXUbZVUJEDKP6IBKPKIEXDX116J
.
At 6:43 AM on October 10th, 2017, 1MWP6S
sent a total of 1.05 BTC to 17H6CD
.
The address 17H6CD
then received 0.944 BTC, while 1GMJK
received 0.1146 BTC.
One hour later, at 7:43 AM, 17H6CD
sent 0.944 BTC to two addresses:
1HJAH3
received 0.5186 BTC.
136DCK
received 0.42 BTC.
This breakdown helps us understand the activity of the 17H6CDXUbZVUJEDKP6IBKPKIEXDX116J
address. Remember, when you send Bitcoin, you don’t just send the exact amount you want to transfer. Instead, the transaction consumes all available UTXOs (Unspent Transaction Outputs) from previous transactions, and any leftover amount is sent back to you as “change” to a new address. This is similar to paying with cash and receiving change back.
Now let’s look at another transaction and see if we can figure out which address is a change address. To follow along, click this link, which resolves to transaction 03BA36A19BB7CB3EDE88DD4CCA78A9BED380524C8995A6A910E98F944EE91053
on blockchain.com. Here’s what you’ll see, three addresses are sending coin to two addresses:
Input Values:
1FKRSN
(1 BTC)
16SFXO
(0.0999 BTC)
1C3NQA
(0.0789 BTC)
Output Values:
19GMGG
(0.0788 BTC)
1PSKXK
(2 BTC)
Why are three addresses sending Bitcoin to two addresses? Well, we can assume that 19GMGG
is the change address because all three inputs were needed to pay for the 1PSKXK
output. The remaining amount likely goes back as change to 19GMGG
. If 19GMGG
was the target recipient we would only need one address to pay our target recipient. So now we can assume that 1FKRSN,
16SFXO,
1C3NQ
& 19GMGG
likely belong to the same person or entity.
Let’s continue and identify more addresses within the same cluster. If you’re following along on blockchain.com, click on the change address 19GMGG
. This will display all the activity associated with 19GMGG
. You should see a total of 8 transactions, with 5 showing Bitcoin flowing into 19GMGG
. Incoming transactions are marked by a green arrow pointing down. Expand each incoming transaction to confirm that 19GMGG is the change address in all of them. Therefore, the following addresses belong to the same owner: 19GMGG,
1A6GHK,
1AAEIH,
1GC3RJ,
1CMBBD,
19GCG8,
1EJYSC,
1C3NQA,
16SFXO,
1FKRS.
To illustrate the flow of money, let’s manually sketch out the transactions we reviewed. In this sketch, the change address is placed at the center, labeled “chg.” The blue circles represent addresses that belong to the same owner, forming a clustered group. To continue tracking the money, we would next focus on the gray circles, applying the same process to follow the transactions further.
Thankfully, we do not have to manually track and cluster these addresses across multiple transactions. If we did, that would be very painful and time consuming. Advanced blockchain analytics tools like Chainalysis, TRM Labs, Elliptic, MetaSleuth, and breadcrumbs can simplify this process. These tools provide powerful visualizations and automated clustering algorithms, enabling you to quickly identify connections and patterns within the blockchain data. See example below, figure 12.
However, understanding the basics of Bitcoin transactions and being able to manually interpret blockchain data is crucial. It not only enhances your investigative skills but also ensures that you can verify and correct the outputs generated by these software tools. Embrace the power of blockchain analytics, and let these tools transform complex data into actionable intelligence, making your investigative process more efficient and effective.
To elevate your investigative capabilities, integrating advanced techniques can provide deeper insights and uncover illicit activities with greater precision.
Blockchain explorers like blockchain.com are invaluable tools that provide detailed transaction histories and patterns. For instance, when using a blockchain explorer, you can trace the flow of funds through various addresses and identify red flags indicative of illicit activity. These include:
Use of Mixers: Mixers, or tumblers, are services that mix potentially identifiable cryptocurrency funds with others to obscure the trail back to the fund’s original source. If you notice transactions where large amounts are split into many small transactions and then recombined, this could be a sign of mixing.
Touching Sanctioned Wallet Addresses: If a transaction history shows connections with addresses known to be associated with sanctioned entities or individuals, this is a significant red flag. Regularly updating your list of such addresses and cross-referencing them during investigations is crucial.
Microstructuring: Similar to financial microstructuring, if transactions are split into many smaller ones needlessly (to avoid detection thresholds), it could indicate an attempt to evade monitoring systems.
For example, consider a case where a large amount of Bitcoin is transferred to an address, immediately split into numerous smaller transactions, passed through several intermediary addresses, and finally aggregated back into a single address. This pattern suggests attempts at obfuscating the original source of funds, likely pointing to illicit activity.
Cluster analysis is another powerful technique, where repeatedly sending change back to the same addresses often indicates that these belong to the same user or entity. Investigators should also look for:
Recurrent Addresses: Regular use of certain addresses for receiving change might suggest these belong to the same person or entity, forming a cluster.
Temporal Patterns: Frequent transactions between a set of addresses within a short time frame could indicate coordinated activity.
Linking Wallets: By analyzing transaction histories, you might find patterns where multiple addresses are used in tandem, revealing a larger network of activity.
For example, a cluster analysis of addresses frequently interacting with known illicit addresses might show a web of transactions, highlighting a network of related entities engaged in money laundering.
Visualization tools that map out transaction flows can help investigators see patterns and relationships in complex transactions. Using tools like Chainalysis or TRM Labs, investigators can:
Identify Patterns: Look for circular patterns indicating mixing, star patterns suggesting a single point of control, or branching patterns showing funds being dispersed across many addresses.
Trace to Onroads and Offroads: Identify points where cryptocurrencies are exchanged for fiat currency (onroads) or vice versa (offroads), which often happen at exchanges or through OTC brokers. Following these can lead to identifying the perpetrators.
Tie Blockchain Addresses to Real Entities: Investigators can link blockchain addresses back to real-world entities by correlating transaction data with other digital footprints like email addresses used in exchanges, social media profiles, or IP addresses logged by service providers. For instance, past cases have successfully linked Bitcoin addresses to individuals by tracking email addresses used during registration on exchanges and cross-referencing with other public records.
Consider a scenario where investigators used a combination of blockchain analysis and traditional detective work to crack a case involving a Ponzi scheme. By following the digital trail, they identified the exchange where the scammers converted Bitcoin to cash, subpoenaed the exchange for account details, and linked those accounts to the scammers’ real identities through associated email addresses and IP logs.
By leveraging these advanced techniques, law enforcement and compliance teams can significantly enhance their ability to track, analyze, and ultimately dismantle illicit networks operating in the cryptocurrency space. Understanding the detailed transaction patterns, utilizing sophisticated tools for visualization, and combining blockchain analysis with traditional investigative methods are key strategies in modern financial crime investigations.
Here and back again, don’t bluster at clusters, learn to hash things out.
If this article piqued your interest, don’t stop here! Dive deeper into the fascinating world of cryptocurrency investigations with Nick Furneaux’s book or explore certification options through reputable blockchain analytics companies I mentioned above.
To learn how to track the movement of assets using a blockchain analytics software, explore this hands-on guide to mastering MetaSleuth.
Unmask crypto money laundering with our new guide to OSINT and blockchain analytics. Read on…
Discover how blockchain is transforming industries on the Blockchain Insights Hub. Follow me on Twitter for real-time updates on the intersection of blockchain and cybersecurity. Subscribe now to get my exclusive report on the top blockchain security threats of 2024. Dive deeper into my blockchain insights on Mirror.xyz.