The focus of today’s Tricky Thursday is OSINT and Bitcoin – how to identify Bitcoin addresses, wallets, transactions, users and their associations.
Bitcoin (BTC) entered the realm of global mainstream focus after its parabolic growth in 2017 – so I assume you are at least somewhat familiar with it, what it is, what it does and how it can be useful.
If not, then check out some of these educational resources to read / watch / listen about Bitcoin:
Bitcoin is used as a means of exchange and a store of value by many shady actors, from money launderers and drugs dealers to terrorists and even spy agencies.
Bitcoin is not completely anonymous, however: every transaction is recorded on a public ledger, which makes the Bitcoin blockchain one of the most underused and underrated OSINT tools out there.
So let’s check out some OSINT tricks:
BLOCKCHAIN EXPLORER – https://www.blockchain.com/explorer – a great starting point for Bitcoin transaction analysis. It provides a glimpse into the activity on the Bitcoin network.
Allows you to search for a particular bitcoin address, transaction hash, or block number.
WALLET EXPLORER – https://www.walletexplorer.com – it’s a Bitcoin block explorer with address grouping and wallet labelling functions. Searching for one or several Bitcoin addresses might allow you to identify a specific wallet they belong to.
Let’s take this BTC address – 16JAUnuvxQ6BdfX4DwsEVTWgd3a8oitu8h
Using Wallet Explorer you can group and analyse transactions and other addresses that have been positively identified as belonging to one and the same wallet, in this case [001e0c6430].
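The grouping behind this kind of wallet labelling is the common-input-ownership heuristic: every input of a single transaction is assumed to be controlled by the same wallet, and repeated spends chain those groups together into clusters. The Python below is an added illustration of that heuristic, not Wallet Explorer's code; the transactions and address labels are constructed, and it includes the usual caveat that CoinJoin-style transactions must be skipped or they produce false links.

```python
from collections import Counter, defaultdict

# Constructed sample data, not real transactions: (txid, input addresses,
# [(output address, amount), ...]). Address reuse (A1) is deliberate.
SAMPLE_TXS = [
    ("tx1", ["A1", "A2"], [("P1", 0.5), ("A3", 0.2)]),   # A1, A2 spent together
    ("tx2", ["A3", "A1", "A4"], [("P2", 0.3)]),          # A1 reused: pulls A3, A4 in
    ("tx3", ["C1"], [("C2", 0.4)]),                      # single input, nothing to group
    ("tx4", ["C2", "C3"], [("P3", 0.6)]),                # C2, C3 spent together
    ("tx5", ["P1", "C4", "D1"], [("Q1", 0.1), ("Q2", 0.1), ("Q3", 0.1)]),  # CoinJoin-like
]

class UnionFind:
    def __init__(self):
        self.parent = {}

    def find(self, addr):
        self.parent.setdefault(addr, addr)
        while self.parent[addr] != addr:
            self.parent[addr] = self.parent[self.parent[addr]]  # path halving
            addr = self.parent[addr]
        return addr

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra

def looks_like_coinjoin(outputs, min_equal=3):
    """Crude CoinJoin filter: several equal-valued outputs suggest the inputs
    came from different people, so grouping them would be a false link."""
    counts = Counter(amount for _, amount in outputs)
    return bool(counts) and max(counts.values()) >= min_equal

def cluster_addresses(txs):
    """Return {cluster id: frozenset(addresses)}, id = smallest member."""
    uf = UnionFind()
    for _txid, inputs, outputs in txs:
        if looks_like_coinjoin(outputs):
            continue
        for addr in inputs:            # every input of one tx -> one owner
            uf.union(inputs[0], addr)
    groups = defaultdict(set)
    for addr in list(uf.parent):
        groups[uf.find(addr)].add(addr)
    return {min(g): frozenset(g) for g in groups.values()}

def wallet_of(clusters, address):
    """Cluster id for an address, or None if it never appeared as an input."""
    return next((cid for cid, g in clusters.items() if address in g), None)
```

Only addresses that have spent coins end up in a cluster; a receive-only address such as P1 stays unattributed until it is spent alongside others.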
LOCAL BITCOINS – https://localbitcoins.com – the most popular peer-to-peer Bitcoin exchange with a global reach. You can find Bitcoin sellers and buyers operating in your area and using various payment methods.
Useful information readily available includes a person’s nickname, language spoken, recent activity and more.
INTELLIGENCE X – https://intelx.io – not specific to Bitcoin and blockchain, but very useful for searching any open source intelligence pertaining to BTC addresses, wallets, transactions, websites, usernames etc.
For instance, searching for this Bitcoin address 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw reveals some interesting associations:
May 23, 2017 | by Alex Berry, Josh Homan, Randi Eitzman | Threat Research
WannaCry (also known as WCry or WanaCryptor) malware is a self-propagating (worm-like) ransomware that spreads through internal networks and over the public internet by exploiting a vulnerability in Microsoft’s Server Message Block (SMB) protocol, MS17-010. The WannaCry malware consists of two distinct components, one that provides ransomware functionality and a component used for propagation, which contains functionality to enable SMB exploitation capabilities. The malware leverages an exploit, codenamed “EternalBlue”, that was released by the Shadow Brokers on April 14, 2017. The malware appends encrypted data files with the .WCRY extension, drops and executes a decryptor tool, and demands $300 or $600 USD (via Bitcoin) to decrypt the data.
115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94
BITCOIN WHO’S WHO – https://bitcoinwhoswho.com – another OSINT resource where BTC users can tag addresses with specific information.
Very useful for detecting and labelling addresses associated with scams, ransomware, sextortion and other illegal activities, as identified by users worldwide.
BITCOIN RICH LISTS – these resources allow you to track and in some cases attribute BTC “whale” addresses to particular entities, like online exchanges.
NOTE: After the notable seizures of Bitcoin associated with criminal activities, the FBI’s Bitcoin addresses featured several times among the largest holders of Bitcoin!
… and finally, the Good Old Uncle Google!
Google search engine does a great job of matching Bitcoin addresses to dates, transactions, specific amounts and so on.
If you know the exact amount of Bitcoin you want to track but not the exact date of the transaction or other details, you can Google that exact BTC amount together with search operators such as a date (in YYYY-MM-DD format) and an inurl: filter, for example:
“0.01180489 BTC” AND “2020-01-19” inurl:blockchain