LECTURE 11 Blockchain Forensics Notes
Blockchain Technology in the Context of Cryptocurrency
Blockchain relies on Distributed Ledger Technology (DLT).
DLT records transactions; these transactions are validated by a 'consensus pool' or committee of nodes.
Once a threshold of nodes agree, the transaction is committed to a block.
Distributed Ledgers
DLT depends on an immutable (unchangeable) series (chain) of blocks.
Blocks represent a log of transactions.
Immutability (unchangeable or unable to be altered) is a crucial feature of DLT.
The large number of independent participants makes the creation of blocks a trustless process (no single entity is in authority; trust is placed in the system itself).
Every participating full node keeps a copy of the ledger.
Cryptocurrency
Not all blockchains implement cryptocurrencies.
Cryptocurrencies can be exchanged for fiat currency.
Their value can be unpredictable.
Short-term stability allows money to be moved while retaining value, decoupled from banks, but there is no on-chain oversight.
Cyber Criminal Uses of Blockchain
'Rug Pull' scams
A rug pull is a cryptocurrency scam in which the developers of a crypto project (often a new token, NFT collection, or DeFi platform) suddenly abandon the project and disappear with investors' funds, leaving the token worthless.
'Rug Pull' scams involve:
(1) Dumping: only a limited supply is sold to victims; the scammers hold the majority and dump it once a target price is reached.
(2) Liquidity pulls on decentralised exchanges (DEXes): tokens are listed on a DEX, paired with a currency such as Ethereum, and the scammers withdraw the 'legitimate' currency from the liquidity pools.
A less common variant is sell-order limits: restrictions are coded into the blockchain/token contracts to limit victims' ability to sell off.
Both types of scam rely on hype and social media interaction.
Ransomware
Ransomware uses cryptocurrency (Bitcoin) for ransom payments.
Bitcoin's transparency risks identifying the attacker, so criminals mitigate this by using "tumblers" and other money laundering methods.
Limits of Anonymity in Crypto
Wallet addresses are unique but not explicitly linked to real-world identities.
Ransomware MUST share addresses for payment collection.
Scammers use social media, sometimes sharing addresses.
Cryptocurrency exchanges increasingly require identity information and a linked bank account.
Important Forensic Features
Transparency: Most blockchain projects don't obfuscate transactions; wallet addresses are unique identifiers.
Immutability: ‘Minted’ blocks cannot be changed; minting fake blocks requires control of a majority of nodes.
Ease of obtaining records
Non-fungibility: Transactions are linked to sender and receiver.
OSINT-based Forensic Techniques for Blockchains: Challenges
1. We must identify the flow of money through one or more distributed ledgers
2. We must understand how smart contracts/minting functions work
3. Where possible, we must link virtual to real identities
4. We must verify our findings
Tracing Money Flow in Blockchain
Blockchain features aid tracing: transparency, immutability, non-fungibility.
• Transparency: allows easy observation of transactions.
• Immutability: we can trust that historical data has not been modified.
• Non-fungibility: most blockchain projects allow pairwise linking of transactions; tokens have a history.
Data Acquisition: Blockchain Explorers
Block explorers are websites that allow ledger data to be viewed and exported.
• Blockchain data is pre-processed and usually highly visual
• Rich data for analysing historic trends
• Not usually optimised for building transaction chains
Blockchain APIs
Block explorers may also provide interfaces for code to interact with their services directly.
Application Programming Interfaces (APIs) can speed up searches:
– Highly parallel queries to web services
– Automated data gathering
– Allow the use of Python and C++ to develop complex series of queries and in-depth searches
Crawling Local Data
All public ledgers can also be downloaded and processed locally.
Some tools, such as BlockSci [6] and BitIodine [7], parse locally stored blockchain data.
Like blockchain APIs, these tools allow us to code specific queries and visualise data.
The Bitcoin blockchain is currently 637.26 GB in size (18/02/2025).
Building Transactions
Transaction chains are likely to be longer than 3 'links':
– Ransomware transaction chains have at least 2 non-exchange wallets
– The shortest possible legitimate transaction chain is: Entry EXCH -> OBSERVED WALLET -> Exit EXCH
Transaction chains can be very long even when the money flow is organic/legitimate.
Graphing Transactions
Trends can be visualised: addresses are the nodes (vertices) and directed edges represent unidirectional money flow.
Complex transaction trees can complicate processing and visualisation.
Bitcoin tumblers complicate processing by mixing legitimate and illegitimate funds in a complex series of transactions.
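As an added illustration of the chain-building and graphing steps above (example code written for these notes, not from the lecture or from any named tool): it builds a directed graph from a constructed set of transfers with hypothetical address labels, walks the money forward until it reaches an exchange-attributed address, and reports each chain's links and non-exchange wallets against the heuristics stated above (shortest legitimate shape is EXCH -> wallet -> EXCH; ransomware chains have at least 2 non-exchange wallets).

```python
from collections import defaultdict

# Constructed sample ledger of on-chain transfers: (txid, sender, receiver, amount).
# Addresses are hypothetical labels for this example, not real wallet addresses.
TRANSFERS = [
    ("tx1", "EXCH_A_hot", "W1", 5.0),        # withdrawal from entry exchange
    ("tx2", "W1", "W2", 4.9),
    ("tx3", "W2", "W3", 2.0),                # funds split across two wallets
    ("tx4", "W2", "W4", 2.8),
    ("tx5", "W3", "EXCH_B_deposit", 1.95),   # cash-out at exit exchange
    ("tx6", "W4", "W5", 2.7),
    ("tx7", "W5", "EXCH_B_deposit", 2.6),
    ("tx8", "EXCH_A_hot", "V1", 0.3),        # unrelated, minimal legitimate flow
    ("tx9", "V1", "EXCH_B_deposit", 0.29),
]
# Addresses attributed to exchanges (from exchange tagging or OSINT); hypothetical.
EXCHANGE_ADDRESSES = {"EXCH_A_hot", "EXCH_B_deposit"}

def build_graph(transfers):
    """Directed graph: address -> [(receiver, amount, txid)]; each edge is a money flow."""
    graph = defaultdict(list)
    for txid, src, dst, amt in transfers:
        graph[src].append((dst, amt, txid))
    return graph

def trace_forward(graph, start, exchanges, max_depth=10):
    """Depth-first walk from `start`; a chain ends when funds reach an exchange.
    Returns (path, amounts) pairs; cycles and over-long chains are pruned."""
    chains, stack = [], [(start, [start], [])]
    while stack:
        addr, path, amts = stack.pop()
        if addr in exchanges and len(path) > 1:
            chains.append((path, amts))
            continue
        if len(path) > max_depth:
            continue
        for nxt, amt, _txid in graph.get(addr, []):
            if nxt not in path:          # skip cycles (e.g. change returning to sender)
                stack.append((nxt, path + [nxt], amts + [amt]))
    return chains

def classify(path, amts, exchanges):
    """Summarise one chain: links, non-exchange wallets, exit point, amount arriving at exit."""
    non_exch = [a for a in path if a not in exchanges]
    return {
        "links": len(path) - 1,
        "non_exchange_wallets": len(non_exch),
        "exit": path[-1],
        "amount_at_exit": amts[-1],
        "minimal_legitimate_shape": len(path) == 3 and len(non_exch) == 1 and path[0] in exchanges,
    }
```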
Tracking Currency Conversion
Exchanges represent a special challenge.
We need to know how money enters (or, more usually, leaves) the blockchain.
We need to know whether opaque (private) chains such as Monero are used to confuse tracing.
This could be crucial for identifying criminals or the beneficiaries of crime.
The goal of most cyber criminals is to convert cryptocurrency into fiat currency.
Linking Money Flow to Identities
'Rug Pulls' may rely on reputation.
Proof of participation and purchase: promoters may share proof of buy-in to incentivise victims.
– Transaction tracking can determine complicity or innocence.
Social media crawlers and OSINT are crucial; SpiderFoot searches for 'wallet-like strings' in social media posts.
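The 'wallet-like string' search can be illustrated with a small extractor (an added example, not SpiderFoot's code): it finds Bitcoin legacy base58 and Ethereum hex candidates in a constructed post and verifies the base58check checksum, so typos and look-alike strings are separated from decodable addresses. The sample addresses are derived from a dummy hash160 inside the block, not real wallets; Ethereum candidates are matched on format only.

```python
import hashlib
import re

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Candidate patterns: Bitcoin legacy base58 (P2PKH starts '1', P2SH '3') and Ethereum hex.
BTC_LEGACY_RE = re.compile(r"\b[13][%s]{25,34}\b" % B58)
ETH_RE = re.compile(r"\b0x[0-9a-fA-F]{40}\b")

def _checksum(payload: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]

def base58check_encode(version: int, hash160: bytes) -> str:
    payload = bytes([version]) + hash160
    n = int.from_bytes(payload + _checksum(payload), "big")
    out = ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    # each leading zero byte is encoded as a leading '1'
    pad = len(payload) - len(payload.lstrip(b"\x00"))
    return "1" * pad + out

def base58check_valid(addr: str) -> bool:
    """True only if the string decodes to version + hash160 + a matching 4-byte checksum."""
    try:
        n = 0
        for c in addr:
            n = n * 58 + B58.index(c)
    except ValueError:            # character outside the base58 alphabet
        return False
    pad = len(addr) - len(addr.lstrip("1"))
    raw = b"\x00" * pad + (n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b"")
    return len(raw) == 25 and _checksum(raw[:-4]) == raw[-4:]

def find_wallet_like_strings(text: str):
    """Return (kind, candidate, checksum_ok) for each wallet-like string in text.
    Ethereum hex addresses carry no checksum we verify here, so checksum_ok is None."""
    found = [("btc", m, base58check_valid(m)) for m in BTC_LEGACY_RE.findall(text)]
    found += [("eth", m, None) for m in ETH_RE.findall(text)]
    return found

# Constructed sample: an address built from a dummy hash160, plus a copy with a broken checksum.
SAMPLE_ADDR = base58check_encode(0x00, bytes(range(20)))
BOGUS_ADDR = SAMPLE_ADDR[:-1] + ("2" if SAMPLE_ADDR[-1] != "2" else "3")
SAMPLE_POST = (f"Proof I bought in! sent 0.5 BTC to {SAMPLE_ADDR}, "
               f"my old one {BOGUS_ADDR} is retired, eth: 0x{'ab' * 20}")
```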
Complications
(1) Limited transactions per wallet policy
– Users can maintain privacy across many transactions by splitting them over many wallets
(2) Fully decoupling cryptocurrency from real-life identity
– By avoiding discussion of wallets and activities on social media, identity cannot be linked to wallet addresses
– This may be difficult for scams relying on reputation
(3) Barter or Contribution-in-kind
– Avoiding exchanges to prevent linking of identity and wallets
Ongoing Challenges include:
1. Anonymity in attacks not relying on reputation.
2. Inability to track 'side-channel' transactions.
3. Difficulty predicting transactions/behavior.
4. Specialist knowledge required for smart contracts and backend code review.
Actual vs 'Total' Money Flow Example: this legitimate transaction is 'worth' 2.7 billion. However, only 92.55 is finalised for the receiver.