Purpose: The purpose of this paper is to determine if Bitcoin transactions could be de-anonymised by analysing the Bitcoin blockchain and transactions conducted through the blockchain. In addition, graph analysis and the use of modern social media technology were examined to determine how they may help reveal the identity of Bitcoin users. A review of machine learning techniques and heuristics was carried out to learn how certain behaviours from the Bitcoin network could be augmented with social media technology and other data to identify illicit transactions.
Design/methodology/approach: A number of experiments were conducted and time was spent observing the network to ascertain how Bitcoin transactions work, how the Bitcoin protocol operates over the network and what Bitcoin artefacts can be examined from a digital forensics perspective. Packet sniffing software, Wireshark, was used to see whether the identity of a user is revealed when they set up a wallet via an online wallet service. In addition, a block parser was used to analyse the Bitcoin client synchronisation and reveal information on the behaviour of a Bitcoin node when it joins the network and synchronises to the latest blockchain. The final experiment involved setting up and witnessing a transaction using the Bitcoin Client API. These experiments and observations were then used to design a proof of concept and functional software architecture for searching, indexing and analysing publicly available data flowing from the blockchain and other big data sources.
Findings: Using heuristics and graph analysis techniques shows that it is possible to build up a picture of the behaviour of Bitcoin addresses and transactions, then utilise existing typologies of illicit behaviour to collect, process and exploit potential red flag indicators. Augmenting Bitcoin data, big data and social media may be used to reveal potentially illicit financial transactions going through the Bitcoin blockchain, and machine learning may be applied to the data sets to rank and cluster suspicious transactions.
Originality/value: The development of a functional software architecture that, in theory, could be used to detect suspicious illicit transactions on the Bitcoin network.
Purpose: The purpose of this paper is to highlight the intelligence and investigatory challenges experienced by law enforcement agencies in discovering the identity of illicit Bitcoin users and the transactions that they perform. This paper proposes solutions to assist law enforcement agencies in piecing together the disparate and complex technical, behavioural and criminological elements that make up cybercriminal offending.
Design/methodology/approach: A literature review was conducted to highlight the main law enforcement challenges and discussions and examine current discourse in the areas of anonymity and attribution. The paper also looked at other research and projects that aim to identify illicit transactions involving cryptocurrencies and the darknet.
Findings: An optimal solution would be one which has a predictive capability and a machine learning architecture which automatically collects and analyses data from the Bitcoin blockchain and other external data sources and applies search criteria matching, indexing and clustering to identify suspicious behaviours. The implementation of a machine learning architecture would help improve results over time and would be less manpower intensive. Cyber investigators would also receive intelligence in a format and language that they understand and it would allow for intelligence-led and predictive policing rather than reactive policing. The optimal solution would be one which allows for intelligence-led, predictive policing and enables and encourages information sharing between multiple stakeholders from law enforcement, financial intelligence units, cyber security organisations and the fintech industry. This would enable the creation of red flags and behaviour models and the provision of up-to-date intelligence on the threat landscape to form a viable intelligence product for law enforcement agencies so that they can more easily get to the who, what, when and where.
Originality/value: The development of a functional software architecture that, in theory, could be used to detect suspicious illicit transactions on the Bitcoin network.
Purpose: This paper aims to demonstrate the utility of a target-centric approach to intelligence collection and analysis in the prevention and investigation of ransomware attacks that involve cryptocurrencies. The paper uses the May 2017 WannaCry ransomware usage of the Bitcoin ecosystem as a case study. The approach proves particularly beneficial in facilitating information sharing and an integrated analysis across intelligence domains.
Design/methodology/approach: This study conducted data collection and analysis of the component Bitcoin elements of the WannaCry ransomware attack. Note was made of both the technicalities of Bitcoin operations and current models for sharing cyber intelligence. Our analysis builds on and further develops current definitions and strategies for sharing cyber threat intelligence. It uses the problem definition model (PDM) and generic target network model (TNM) to create an analytic framework for the WannaCry ransomware attack scenario, allowing analysts to test their hypotheses and integrate and share data for collaborative investigation.
Findings: Using a target-centric intelligence approach to WannaCry 2.0 shows that it is possible to model the intelligence problem of collecting and analysing data related to inflows and outflows of Bitcoin-related ransomware transactions. Bitcoin transactions form graph networks and allow a target network model to be built for collecting, analysing and sharing intelligence with multiple stakeholders. Although attribution and anonymity prevail under cryptocurrency usage, there is a means for developing transaction walks using this method to target nefarious cryptocurrency exchanges where criminals are inclined to cash out their proceeds of crime.
Originality/value: The application of a target-centric intelligence approach to the cryptocurrency components of a ransomware attack provides a framework for intelligence units to break down the problem in the financial domain and model the network behaviour of illicit Bitcoin transactions relating to ransomware.
This comprehensive overview of analysis techniques for illicit Bitcoin transactions addresses both technical machine learning approaches and non-technical legal and governance considerations. We focus on the field of ransomware countermeasures to illustrate our points.