Introduction to bitcoin transaction tracing technology

Posted by tzul at 2020-03-27

1. Bitcoin traceability background

1.1 transaction volume of bitcoin

Bitcoin has now existed for 10 years. Although it has the slowest transaction speed and the lowest performance of all digital currencies / public chains, it is still the safest and most active chain, with the most transactions.

According to bitcoin's programming logic, bitcoin generates one block every 10 minutes, and each block is about 1 MB in size. With SegWit (Segregated Witness) enabled, the average block size of bitcoin can reach 1.2 MB, and the average peak transaction speed of bitcoin can reach 4.5 transactions per second.

The maximum number of transactions the bitcoin network can carry per year is 142 million (4.5 * 3600 * 24 * 365 = 141912000). The maximum growth in bitcoin block data per year is 61.6 GB (1.2 * 3600 * 24 * 365 / 1024 = 61.6 GB). Based on the number of transfers on the bitcoin chain, the volume of transactions on exchanges, and bitcoin's average price against the US dollar in 2017 / 2018, bitcoin's trading volume reached US $858 billion in 2017. In 2018, bitcoin's trading volume reached about US $3.2 trillion.

1.2 bitcoin security events

In February 2014, Mt. Gox, then the world's largest exchange, announced the loss of 850000 bitcoins, worth about 500 million US dollars at market price, and formally applied for bankruptcy protection.

In 2014, the average daily bitcoin transaction volume of the six major darknet markets reached 650000 US dollars.

On January 5, 2015, Bitstamp confirmed the loss of 19000 bitcoins.

On February 15, 2015, Bter had 7170 bitcoins stolen.

On February 18, 2015, the Bitcoin Piggy Bank claimed that 3000 bitcoins had been stolen from it.

In the early morning of August 3, 2016, Bitfinex, the largest US dollar bitcoin trading platform, posted a notice on its official website: due to a security vulnerability on the website, bitcoin held by users had been stolen. Reuters later reported that 119756 bitcoins were stolen, with a total value of about 65 million US dollars.

On June 29, 2017, Bithumb, the largest bitcoin exchange in South Korea and one of the top five bitcoin exchanges in the world, found that it had been hacked and that the personal information of more than 30000 customers had been stolen. The intrusion cost investors billions of won.

From 2:00 a.m. to 3:00 a.m. on April 22, 2017, Youbit, the Korean bitcoin exchange, had 3831 bitcoins stolen and issued Fei tokens to users as loss vouchers. On December 19, it was reported to have been attacked by hackers again, causing a serious loss equivalent to 17% of its total assets. The exchange said it would close and filed for bankruptcy.

Because it requires no real-name identity and circulates globally, bitcoin has become a hard currency for illegal transactions such as darknet trade and money laundering. As the number of bitcoin users and bitcoin's acceptance keep rising, the daily bitcoin trading volume of exchanges is increasing, and a large number of exchanges are targeted by hackers every day. This raises questions that need answers, such as where the funds go after bitcoin is stolen from an exchange, and where bitcoin ends up in illegal transactions such as darknet trade and money laundering.

Questions like these are the main background of bitcoin transaction tracing.

2. Bitcoin tracing technology

2.1 real time transaction tracing of bitcoin

To trace a single bitcoin transaction in real time, you can open a blockchain explorer and enter the unique txid (transaction ID) generated by the transaction to observe the capital flow. You can also call the RPC interface provided by the bitcoin client, which interacts directly with the LevelDB of the bitcoin full-node client, to monitor the real-time transaction activity of a specific address.

2.2 historical transaction trace of bitcoin

In special cases, there is a need to trace the destination of specific funds in a single historical bitcoin transaction, or the source of specific funds in a single historical bitcoin transaction. Because thousands of transactions are involved, a single address may have hundreds of thousands of transactions, and the original bitcoin full-node client is limited by LevelDB's key-value storage, bitcoin blockchain explorers cannot present the capital flow in UTXO form. The technologies and products introduced in this article are mainly aimed at tracking and tracing the capital flow of specific historical transactions.

2.3 bitcoin tracing principle

The bitcoin system has no concept of balance. It uses the UTXO (unspent transaction output) model. What is usually called a wallet balance is actually the set of UTXOs at the wallet's addresses. In the bitcoin network, therefore, it is the transaction outputs that store the bitcoin balance, namely the unspent transaction outputs, and the input of each transaction actually refers to the output of a previous transaction. The figure below shows the process of transaction input and output in the bitcoin system.

We can see the connection between one transaction and the next. The output of the previous transaction is the input of this transaction, and the output of this transaction is the input of another transaction, so a transaction chain is formed. The transaction chain is very long, and it will not stop until the end of the world.

If you want to trace the source or destination of a malicious user's BTC, then as long as you can get the user's BTC address, you can find the txids of all the transactions associated with that address and follow the transaction tree, back to all the coinbase records or forward to the destination of all the spent UTXOs of the address. With modern powerful CPUs and memory, this tracing is achievable, and it is the basic principle of bitcoin traceability.

2.4 bitcoin wallet, address, UTXO, coin mixing

Some problems arise in the process of tracing. All user addresses are hashes. The tracer does not know who the addresses belong to in the real world and cannot find out who the transactions relate to in the real world. So analyzing and profiling bitcoin addresses is very important.

There are several basic concepts in bitcoin traceability, such as wallet (ID), bitcoin address, UTXO and coin mixing, which need to be briefly introduced before address analysis.

Because of bitcoin's UTXO account model and its change mechanism, each transfer from a wallet may spend UTXOs from multiple addresses. For example, consider txid 584892254e5bd6837f12930c6bba972a8206249af3e68f4f865ebb26115d20c2.

As you can see, the input has three addresses, 18zrprkzj1yuvy5ufd56chb6wyjvo48ewf, 1933phfhk3zgfqnlgsdxvqcn32k2buxy8a and 1bexdzrcbfj491rfla167ecbhytbbshke9, which belong to one wallet. Since the bitcoin at address 18zrprkzj1yuv5ufd56chb6wyjvo48ewf may come entirely from the previous transaction, it is marked 0, representing a non-mixed transaction. The bitcoin at 1933phfk3zgfqnlgsdxvqcn32k2buxy8a and 1bexdzrcbfj491rfla167ecbhytbbshke9 is marked 2, which means that it has nothing to do with this trace. And 1dtxuk73bfubrnmmdkitdixdkk1vv3c4a is marked 1, indicating that the bitcoin tracked this time has been mixed.

In txid 80cd9ee58f25645efdc5bc53c2af7601dc7e0411c5ec40ce7c32bc5ea3dda41, you can see that the wallet uses only one address, 1933phfk3zgfqnlgsdxvqcn32kbuxy8a, but many UTXOs of this address are spent.

Individuals, mining pools, exchanges and specific institutions may hold multiple wallets. A single wallet can contain multiple addresses, and the bitcoin "balance" on each address consists of one or more unspent UTXOs bound to the address.
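
The wallet grouping described above, where addresses spent together as inputs of one transaction are attributed to one wallet, can be sketched with a union-find structure. This is an added example, not the system the article describes; the addresses, transaction names and function name are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample: txid -> list of input addresses (placeholders, not real).
SAMPLE_TX_INPUTS = {
    "tx1": ["addr_a1", "addr_a2", "addr_a3"],  # three addresses, one wallet
    "tx2": ["addr_a3", "addr_a4"],             # links addr_a4 to the same wallet
    "tx3": ["addr_b1"],
    "tx4": ["addr_b2", "addr_b1"],
    "tx5": [],                                 # coinbase: no input address
    "tx6": ["addr_c1", "addr_c1"],             # many UTXOs of a single address
}

def cluster_wallets(tx_input_addresses):
    """Group addresses into wallets: addresses that appear together as
    inputs of one transaction are assumed to be held by one wallet."""
    parent = {}

    def find(addr):
        parent.setdefault(addr, addr)
        while parent[addr] != addr:
            parent[addr] = parent[parent[addr]]  # path halving
            addr = parent[addr]
        return addr

    for addrs in tx_input_addresses.values():
        if not addrs:
            continue
        root = find(addrs[0])
        for other in addrs[1:]:
            other_root = find(other)
            if other_root != root:
                parent[other_root] = root        # merge the two wallets

    wallets = defaultdict(set)
    for addr in list(parent):
        wallets[find(addr)].add(addr)
    # Caveat: a transaction that combines inputs from different owners
    # (coin mixing) would make this heuristic merge unrelated wallets.
    return sorted(sorted(members) for members in wallets.values())
```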

2.5 bitcoin wallet profile data and address profile data

By importing and de-duplicating the full 250 GB of bitcoin data, with more than 400 million transactions, we have analyzed nearly 300 million bitcoin addresses in total, including about 20 million addresses with a balance. Starting from known exchange cold wallet addresses, mining pool wallet addresses and bitcoin transaction addresses published by websites, addresses are analyzed and tagged according to their transaction characteristics (address balance, total out, total in, first time, last time and so on) and the overall bitcoin transaction relationships. At present, 43741745 wallets, 51380177 with tags and 24911 with tags have been analyzed from more than 300 million bitcoin addresses.

Tagged addresses are included. The main information for an excerpt is shown in the following chart.

2.6 IP positioning of bitcoin traders

Because bitcoin is based on P2P technology and does not itself use VPN or Tor technology to hide IP addresses, websites like Bitnodes can easily and accurately compile statistics on the country distribution of bitcoin clients.

To locate the IP addresses of bitcoin traders in a specified region, it is only necessary to deploy a corresponding number of probe nodes in that region; the IP addresses of the clients initiating transactions can then be filtered and recorded by an algorithm.

3. Bitcoin traceability case demonstration

Using UTXO features and a full bitcoin address profile, Beijing Lianan has developed a traceability analysis system covering the full history of bitcoin transfers. It can analyze the destination or the source of specific funds in a single historical bitcoin transaction and display the result in graphical form, with key exchanges, mining pools and bitcoin service website wallets labelled from the full bitcoin address profile.

3.1 tracking the flow of funds in the Silk Road bitcoin

This tracking case is based on a bitcoin transaction that was controversial in the bitcoin community and on Reddit.

It can be seen that on March 10, 2014, there was a large transfer of 110000 bitcoins on the bitcoin chain. The address in this transaction is widely believed to be a Silk Road wallet address. Because of the large time span, and because bitcoin blockchain explorers do not support a full address profile library or UTXO capital flow tracking, common methods cannot trace such a sensitive capital flow.

It can be seen that the number of points (wallets) in each layer increases exponentially beyond the fourth layer. The transfer is analyzed and counted by the self-developed system.

Parameters of this analysis: starting block height 281935 (corresponding start date 2014-03-10), cut-off block height 500000 (corresponding end date 2017-12-19), bitcoin threshold 50 BTC, number of layers 40. The statistics of the non-mixed (mark 0) bitcoin capital flow are as follows.

It should be noted that the above chart is an analysis of the non-mixed fund flow of the 111114.61735989 bitcoin transfer, so the bitcoin in the chart comes entirely from the original 111114.61735989 bitcoins. As you can see, 7442 bitcoins have been traced exactly.
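
An added example (not the system described in this article) of a forward trace that applies the 0/1/2 marks from section 2.4 together with the threshold, layer and cut-off block parameters listed above. The ledger, the function names and the exact marking rule (a transaction's outputs are mark 0 only when every input is mark 0) are assumptions made for illustration.

```python
CLEAN, MIXED, UNRELATED = 0, 1, 2  # the marks described in section 2.4

# Constructed sample ledger (not real chain data).
# input = (prev_txid, output_index); output = (address, value_btc)
TXS = {
    "t0": {"height": 100, "inputs": [], "outputs": [("A", 120.0)]},
    "x9": {"height": 101, "inputs": [], "outputs": [("Z", 80.0)]},
    "t1": {"height": 110, "inputs": [("t0", 0)],
           "outputs": [("B", 70.0), ("C", 49.0)]},
    "t2": {"height": 120, "inputs": [("t1", 0), ("x9", 0)],
           "outputs": [("D", 150.0)]},
    "t3": {"height": 130, "inputs": [("t1", 1)], "outputs": [("E", 49.0)]},
    "t4": {"height": 900, "inputs": [("t2", 0)], "outputs": [("F", 150.0)]},
}

def trace_forward(txs, start_txid, threshold_btc, max_layers, end_height):
    """Follow start_txid's outputs forward; return {outpoint: mark}."""
    spent_by = {op: txid for txid, tx in txs.items() for op in tx["inputs"]}
    marks = {(start_txid, n): CLEAN
             for n in range(len(txs[start_txid]["outputs"]))}
    frontier, seen = list(marks), {start_txid}
    for _ in range(max_layers):
        next_frontier = []
        for op in frontier:
            txid = spent_by.get(op)
            value = txs[op[0]]["outputs"][op[1]][1]
            # Stop at unspent outputs, amounts under the threshold,
            # transactions already visited and blocks past the cut-off.
            if txid is None or txid in seen or value < threshold_btc:
                continue
            if txs[txid]["height"] > end_height:
                continue
            seen.add(txid)  # simplification: a tx is marked when first reached
            inputs = txs[txid]["inputs"]
            foreign = [i for i in inputs if marks.get(i) not in (CLEAN, MIXED)]
            for i in foreign:
                marks[i] = UNRELATED  # coins that did not come from the trace
            clean = not foreign and all(marks[i] == CLEAN for i in inputs)
            for n in range(len(txs[txid]["outputs"])):
                marks[(txid, n)] = CLEAN if clean else MIXED
                next_frontier.append((txid, n))
        frontier = next_frontier
    return marks

def report(txs, marks):
    """(address, value_btc, mark) for every marked output, ordered by outpoint."""
    return [(*txs[t]["outputs"][n], m) for (t, n), m in sorted(marks.items())]
```

With a 50 BTC threshold, the 49 BTC output to C keeps mark 0 but is not followed, which is how a threshold keeps the layer-by-layer growth described above manageable.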

3.2 analysis of the source of users topping up at a pornographic website

This source-tracing case is based on the top-up address of a pornographic website.

You can see that the pornographic website supports topping up and buying memberships with bitcoin. From the blockchain explorer, it can be seen that there are 14 top-up transactions at this address.

The following are the top-up details of the 14 transactions.

It can be seen that in 4 of the transactions the user topped up by withdrawing coins directly from Huobi.

4. Bitcoin transaction trace scene and significance

4.1 investigation of illegal transactions

A bitcoin transaction tracking and traceability system can help law enforcement and financial institutions identify and prevent illegal activities such as fraud, extortion and money laundering using cryptocurrency. Through the graphical interface, users can easily view the source and destination of a bitcoin transaction for in-depth investigation.

As input, only a bitcoin address and one transaction ID of that address are needed; the system automatically finds all paths, so that the source and destination of funds can be identified and investigated manually.

4.2 KYT

For exchanges, transactions tied to money laundering, such as darknet and terrorism-related funds, are high-risk. Exchanges need an automated way to assess money laundering risk so that they can meet regulatory requirements. KYT (know your transaction) is a cryptocurrency transaction monitoring solution that meets this demand. Through the KYT API, you can monitor a large number of activities and continuously identify high-risk transactions.

*Author of this article: Beijing chain safety laboratory, reprint please indicate that it is from