OSINT Guide To Bitcoin Investigations
Bitcoin offers a unique opportunity for financial investigation in that an amateur can easily research a given person’s bitcoin usage.
The most basic framework of financial investigation consists of identifying a target, searching for negative information about them or their past, identifying the target’s associates and then searching for negative information on them. Bitcoin lends itself perfectly to this kind of investigation.
Background information on bitcoin: For those who have no knowledge of bitcoin, here is the necessary background information before we start. Bitcoin is only one of many cryptocurrencies. For the purposes of this post we will focus only on bitcoin. Bitcoin, by design, makes the person anonymous, but all of their financial transactions are public.
If, for example, someone named Asma wants bitcoin she must get a “wallet,” which will contain one or several bitcoin “addresses.” An address can hold money, send money to another address, and receive money. Asma’s bitcoin activity is public, but her name and identity are theoretically anonymous.
In a scenario where we are given a specific bitcoin address (whether it is anonymous or owned by a known business associate), the following are steps that we can take to investigate.
Blockchain
The Blockchain itself is complex and beyond the scope of this post, but its website, Blockchain.com, is a useful tool. The site allows one to look up a bitcoin address and see all of its past financial transactions, in addition to how much currency it currently owns. Every transaction, each time the bitcoin address sent or received money, is listed along with the date, the amount of money transferred, and the bitcoin addresses that sent and received the money.
Below is an example of how one transaction is displayed in Blockchain.com.
This may appear confusing, but it is quite simple if you know what you are looking at. Below is the same transaction, but I put colored rectangles in the photo to make it more easily understood. Each transaction has a unique string of numbers and letters (in the red rectangle below) that identifies a specific transaction. This transaction ID is known as a “hash.” Bear in mind that in other contexts, the word hash is used differently.
The bitcoin addresses are also identified by random strings of numbers and letters. The string in the orange rectangle is the ID for a bitcoin address. The address in orange is sending money to a second address that is in a green rectangle. The orange address is sending 0.1988 bitcoin. Note that the acronym used in the photo, “BTC,” just means bitcoin. A small amount of the bitcoin will go to a fee (seen below the orange address) and the remainder will go to the green address. The number to the right of the green address is the amount received after the fee. And finally, on the top right is the date and time of the transaction. For further investigation, click on the green address to see what happened with the money next, or click on the orange address to try to find where the money came from.
Note that bitcoin has “exchanges” where people buy and sell bitcoins. If you find a bitcoin address that has conducted hundreds of thousands of transactions, it is probably owned by an exchange, not a person. If you want to be sure, try googling the bitcoin address, because many exchanges publicly identify their addresses.
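The click-through process described above (read the fee, follow the receiving address, stop when you reach a probable exchange) can be written down as a short script. This is an added example, not part of the original post; the addresses, hashes, amounts, transaction counts and the 100,000 cut-off are all constructed for illustration, and no real explorer API is called.

```python
from collections import deque

# Constructed sample data, not real transactions. Amounts are in satoshis
# (1 BTC = 100,000,000 satoshis) so fee arithmetic stays exact.
TXS = [
    {"hash": "TX_1", "inputs": {"ADDR_ORANGE": 19_880_000},
     "outputs": {"ADDR_GREEN": 19_870_000}},
    {"hash": "TX_2", "inputs": {"ADDR_GREEN": 19_870_000},
     "outputs": {"ADDR_BLUE": 10_000_000, "ADDR_BIG": 9_860_000}},
    {"hash": "TX_3", "inputs": {"ADDR_BLUE": 10_000_000},
     "outputs": {"ADDR_BIG": 9_990_000}},
]
# Constructed lifetime transaction counts, as read off an explorer page.
TX_COUNTS = {"ADDR_ORANGE": 4, "ADDR_GREEN": 2, "ADDR_BLUE": 7, "ADDR_BIG": 250_000}
EXCHANGE_THRESHOLD = 100_000  # assumed cut-off for "hundreds of thousands"


def fee(tx):
    """Fee is whatever the senders put in that no receiver got out."""
    return sum(tx["inputs"].values()) - sum(tx["outputs"].values())


def trace_forward(start, txs=TXS, tx_counts=TX_COUNTS, max_hops=5):
    """Breadth-first walk of where money from `start` went next.

    Simplification: every output of a transaction the address funded is
    treated as a hop. Probable exchange addresses are recorded but not
    followed, because they likely belong to an exchange, not a person.
    """
    hops, seen, queue = [], {start}, deque([(start, 0)])
    while queue:
        addr, depth = queue.popleft()
        if depth >= max_hops:
            continue
        for tx in txs:
            if addr not in tx["inputs"]:
                continue
            for dest, amount in tx["outputs"].items():
                likely_exchange = tx_counts.get(dest, 0) >= EXCHANGE_THRESHOLD
                hops.append((tx["hash"], addr, dest, amount, fee(tx), likely_exchange))
                if not likely_exchange and dest not in seen:
                    seen.add(dest)
                    queue.append((dest, depth + 1))
    return hops


if __name__ == "__main__":
    for hop in trace_forward("ADDR_ORANGE"):
        print(hop)
```

Each returned tuple is (transaction hash, sender, receiver, amount received, fee, probable-exchange flag), which is the same information the post reads off the transaction view by hand.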
Wallet Explorer
Each bitcoin address is contained in a wallet that may have more addresses. Walletexplorer.com allows one to find the wallet containing the address of interest (the wallet has its own unique number to identify it). This site also allows one to find if there are other addresses in the same wallet. If there are other addresses in the same wallet, this means that the same person owns the wallet and all of the addresses in it. Therefore, finding the wallet is a great way to find if the owner of one address is also the owner of others.
Bitcoin Who's Who
The previous websites identify someone’s associates and the financial histories of everyone involved. Bitcoinwhoswho.com is a great tool for possibly identifying the address owners and/or if the addresses were involved in a scam. This site has an extensive directory of addresses that were reported for involvement in a scam. The site also has information posted by individuals about a given address, such as an associated social media account. Furthermore, the site includes listings of any time an address is referenced on Reddit, tweets, or websites in general.
Bitcoin Abuse
Bitcoinabuse.com is similar to the previous website but has a lot of separate information that can be more in-depth and organized. Bitcoinwhoswho.com will often have more information sources that are shorter and possibly just link to another site (which is still a great source of relevant information). Bitcoin Abuse invites users to fill out reports on scams. If an address is listed on Bitcoin Abuse, it will often be linked to someone’s account of a scam involving the bitcoin address and will identify an email address that was allegedly used by the scammer.