Sign in Subscribe
OSINT

How I Research a Bitcoin Wallet's Past: OSINT for Cryptocurrency Investigation Part 2

Explore the intricate world of Bitcoin address research using Blockchair and Oxt.me. Learn to uncover transaction details and patterns for deeper insights into crypto activity.

Tom Caliendo

5 min read
How I Research a Bitcoin Wallet's Past: OSINT for Cryptocurrency Investigation Part 2
A picture of a picture

I will share how I perform general research on a Bitcoin address. We will focus on using the blockchair.com and oxt.me websites. (The same information is also available on various other crypto websites.)

Using Blockchair

Starting with a very basic search, we go to blockchair.com (though we could also use blockchain.com) and input a Bitcoin address into the search function. Blockchair will let you search all sorts of cryptocurrency addresses.

Blockchair example

The standard results for a basic search will pull off the address, along with some basic facts like the current balance and total amount of currency received and spent over its lifetime. The results will also list the address’s history of transactions. 

Each transaction is listed individually and includes basic information. Note that “transaction hash” is a unique transaction identifier. 

Transaction history example

By default, Blockchair does not identify the addresses sending and receiving funds for each transaction. To see this information, you need to click the circle next to where it says “show inputs and outputs”. This results in the transactions being displayed, as shown in the following screenshot.

Transaction history example

Using Oxt.me

We move on to oxt.me, which has several functions that identify relevant information about a Bitcoin address. The following screenshot shows the standard address profile page that oxt.me pulls up when you search for a Bitcoin address. 

Different information is displayed depending on which tab is clicked. Below, see the “Summary” section. 

The Summary includes a timeline for the address’s balance over its lifetime. In this case, the address appears to have held funds for only short durations interspersed with periods of having a zero balance.

The Summary section lists that the current address balance is zero and shows the total amount of Bitcoin received and the total amount sent. In this case, we see that the total received is the same amount as the total sent. 

This behavior is telling. When an address immediately gets rid of whatever funds it receives, that is a sign that it is a kind of transit point. Often, the address is being used by the owner to move funds between different addresses that may also be controlled by the same owner.

When you see identical amounts for each incoming and outgoing transaction, it suggests the money is potentially being laundered or being moved for illicit purposes. Many criminals use several bitcoin wallets to transfer money, making it more difficult to track and recover.

Address summary example

The Activity section shows the life of the address in terms of activity or transactions. It shows over 700 transactions. We also see that at any given time the number of incoming transactions perfectly matched the number of outgoing transactions. 

Address activity example

The Volume section shows the amount of currency flowing in and out, regardless of the number of transactions. We see that the amount of currency sent to the address matched the amount sent out roughly at the same time. 

Address volumes example

The Temporal Patterns section shows how often transactions occurred based on the time of day and day of the week.

Address temporal patterns example

Individual Transactions

We can use the same website to analyze a specific transaction.

Transaction summary example

The Inputs & Outputs section, as its name suggests, shows the transactions' and addresses' inputs and outputs.

Transaction inputs & outputs example

Click on the symbol next to the first address and see this message pop up:

“Display/hide probabilities that a link exists between this input and the outputs of the transaction”
Popup message example

Then, a percentage appears next to the two output addresses, giving the estimated likelihood of each address being linked to the first. In this example, the output addresses are deemed linked to the first, meaning they likely have the same owner. Remember that in Bitcoin transactions, the excess funds from the transaction go to a newly created “change address” owned by the same owner of the sending address.

Inputs & outputs example

The website will also guess that several addresses are owned by the same owner. 

The website also provides this warning about these guesses:

“Identification of entities and clustering of addresses is a work in progress. These data are built upon heuristics which may produce false positive or false negative and you shouldn’t consider them as complete, exhaustive or established facts.”

After guessing at an unidentified owner, the website will then assign the anonymous owner a unique identifier. 

In the image above, the website estimated that one of the addresses was owned by an anonymous owner of several other addresses. This anonymous owner was assigned the identifier “ANON-4946167712.”

By clicking on “ANON-4946167712,” we are brought to this page of information on the owner.

Owner example

The anonymous owner profile will identify the other linked addresses and provide general details on the unnamed owner.

That’s it for now!

Resources

Part one of this article: OSINT for Cryptocurrency Investigation

Blockchain – https://www.blockchain.com/explorer

Blockchair – https://blockchair.com/