Analyzing Hack Subnetworks in the Bitcoin Transaction Graph
Daniel Goldsmith, Kim Grauer, and Yonah Shmalo
Chainalysis
October 2019
Abstract
Hacks are one of the most damaging types of cryptocurrency-related crime, accounting for billions of dollars in stolen funds since 2009. Professional investigators at Chainalysis have traced these stolen funds from the initial breach on an exchange to off-ramps, i.e. services where criminals are able to convert the stolen funds into fiat or other cryptocurrencies. We analyzed six hack subnetworks of bitcoin transactions known to belong to two prominent hacking groups. We analyze each hack according to eight network features, both static and temporal, and successfully classify each hack to its respective hacking group through our newly proposed method. We find that the static features, such as node balance, in-degree, and out-degree, are not as useful in classifying the hacks into hacking groups as temporal features related to how quickly the criminals cash out. We validate our operating hypothesis that the key distinction between the two hacking groups is the acceleration with which the funds exit through terminal nodes in the subnetworks.
Keywords: Cybercrime, Network Analysis, Hacks, Cryptocurrency, Bitcoin, Cybersecurity, Temporal Networks, Sociotechnical Systems
Introduction
The Bitcoin network is a distributed, public ledger, secured through blockchain technology. All transactions occur between two distinct public addresses and are permanently recorded on the specific blockchain built for bitcoin. The process of securing these transactions is handled by bitcoin miners, who use their computing power to solve complex cryptographic problems and in the process verify blocks and transactions [1].

Anyone can create a bitcoin address to receive funds through a variety of software projects such as Blockchain.info [2] or Electrum wallets [4]. Additionally, there is no limit to the number of bitcoin addresses that any individual or organization can make. There are also no requirements for verifying your identity in the process of address creation. It is completely free to make an address; however, it costs money to transfer money on the network by paying transaction fees.

Because of the ease of transactions between pseudonymous addresses, cryptocurrencies, and bitcoin in particular, have been especially attractive to criminals who both exploit technological vulnerabilities and prefer to move funds through the pseudonymous bitcoin transaction network to avoid detection by law enforcement [10]. Indeed, the amount of cybercrime involving cryptocurrencies has grown via ransomware [10], scamming activity, phishing scams, and hacking of exchanges or wallets [3].

Notably, exchange hacks are one of the most costly types of cryptocurrency-related crime. Hackers have stolen $1.7 billion worth of cryptocurrency from exchanges since 2011 [3]. Tracing stolen funds in order to freeze the assets of the perpetrators is one of the most effective ways of safeguarding against future attacks, as this method removes bad actors from the ecosystem and disincentivizes similar activity from other actors.
Typically, either government or private cyberinvestigators take up the task of tracing stolen cryptocurrency funds. Their investigations begin with a known address that has been hacked. They then follow the funds through up to thousands of different addresses until the funds hit a service (an off-ramp), i.e. an alternative means of cashing out the stolen bitcoin. Ideally, an investigator will trace funds to a service so that a subpoena can be issued to the service to unmask the identity of the criminal. These investigations result in traced out subnetworks representing the flow of stolen bitcoin from the point of breach on an exchange through exit ramps. The subnetworks analyzed here were provided by investigators at Chainalysis, a firm specializing in blockchain investigations.

We present research to algorithmically visualize and analyze hack cash out subnetworks that capture the temporal behavior of hackers and locate the stolen funds. We then build similarity matrices based on eight graph features, run community detection over those matrices, and successfully classify certain hacks to the known hacking organization to have carried out the attack. We find that temporal features, such as the rate at which the hackers send funds to exit ramps, are the most effective features to use for grouping specific hacks together and classifying them to their hacking groups.

Algorithmically traversing hack subnetworks and its limitations
We investigate bitcoin hacks by traversing subnetworks of nodes that have been built out by professional crime investigators. These hack subnetworks are comprised of nodes that have either directly or indirectly received hacked funds. We then create visualizations to identify trends in the hack and to better understand the time patterns specific to each hack as the stolen bitcoin flows to terminal nodes, see Figure 8. In some cases, when the level of obfuscation is minimal, investigations tracking stolen funds often terminate at services (see the Methodology section on identifying services), simply because criminals want to change their stolen bitcoin for fiat currency, or at least convert it to another cryptocurrency.

Yet cryptocurrency investigations are usually much more complex than this [14]. Often, the investigator may not know if a node belongs to a service, particularly in the case of a mixing service. Furthermore, stolen bitcoin from some of the largest hacks may utilize laundering mechanisms in which OTC brokers act as third party sellers, allowing for a change of hands to an entity that is no longer behind the hack. This activity cannot be detected through blockchain analytics unless there is a source of ground truth confirming the funds passing through an OTC broker. Without this confirmation, the funds would appear to move from one pseudonymous node to another. Sometimes the investigations are so complex that the investigator simply cannot go through the process of tracing every single stolen bitcoin to a cash out point. In this case, the investigator may choose to chase particularly promising leads, rather than spend the time to analyze every single transaction that occurred. Additionally, the actual concept of a terminal node may be less clear. At any given time, stolen funds may be sitting idly in non-service clusters for extended periods of time. In practice, it is common for funds to slowly leak out of these “holding” clusters [3].
In this case, a node is neither clearly a pass through address nor a terminal node. In all of these cases, using the actual hack subnetwork may be insufficient for conducting a comprehensive analysis to determine the underlying trends. We therefore develop the concept of terminal nodes to monitor funds leaking out through both known exit points, such as identified services, and unknown exit ramps, which are candidates for terminal nodes.

Because the graphs have such limitations, we develop a parameter, ρ, to define terminal nodes based on the ratio of sending to receiving activity for a cluster. The ρ parameter can be set by the investigator as a way to modify the natural edges of the graph. Continuously varying the ρ parameter from 0% to 100%, and observing the subsequent changes in the stolen funds flowing to terminal nodes, is also an effective method upon which we build our pipeline in the following section.

Methodology

Pipeline
1. We first gather subnetworks of known hacks that have been built out by professional investigators.
   • Due to the sensitivity of this data and the relative infrequency of hack events, the result of this process provided a small set of anonymized, curated subnetworks that trace stolen funds from the origin of the hacks to all end points of interest.
   • It is at this point that we introduce a new tool for analyzing these subnetworks for additional insights that we can eventually return to the investigators and compliance officers at exchanges.
2. We traverse these subnetworks from the starting clusters until the funds have been fully cashed out at exit points, i.e. terminal nodes.
   • An element of complexity emerges in this analysis that requires additional attention, namely that the terminal nodes require a more rigorous definition than any cluster sitting on the outskirts of the subnetwork, since many of these terminal nodes act as sinks but still slowly leak funds despite maintaining control over the majority of their hacked balance.
3. Next, to better visualize the temporal activity in the hacks, we create two time series that display the activity of the hacked funds.
   • First, we measure how active the hackers are over time by computing the number of transfers the hackers make each day, as seen in Figure 6.
   • Second, we measure the funds traced as they move to terminal nodes, as seen in Figure 8. As the funds move through terminal nodes, the share of funds still held by hackers decreases. A fully tracked hack subnetwork would be visualized by the funds decreasing from 100% to 0% of funds still held by the hacker over the number of days that it takes to fully exit the funds through terminal nodes.
4. We then generate distributions for the following features for each hack subnetwork:
   • Logarithm of hack balance of all nodes, see Figure 3.
   • Weighted in-degree of all nodes, see Figure 4.
   • Weighted out-degree of all nodes, see Figure 5.
   • Logarithmic difference of the average percent of funds still in play, across all ρ values, derived from data shown in Figure 8.
   • Second difference of the average percent of funds still in play, across all ρ values, derived from data shown in Figure 8.
   • Logarithmic difference of the standard deviation of the percent of funds still in play, across all ρ values, derived from data shown in Figure 9.
   • Average number of transactions to terminal nodes per day, across all ρ values, derived from data shown in Figure 6.
   • Terminal nodes as a function of ρ, see Figure 7.
5. Afterwards, we create similarity matrices corresponding to each distribution, whose elements are the pairwise similarities of the distributions corresponding to each of the hack subnetworks via the 1-Dimensional Wasserstein Distance, i.e. the Earthmover Distance [5][8].
6. We run two community detection algorithms, Modularity Optimization [6][12] and Walktrap [7][13]. We compare the output of the overall approach across the similarity matrices for all the distributions against our ground truth attribution of the two underlying hacking groups and demonstrate the potential for such a method by properly reattributing the hack networks to their respective groups.
7. Lastly, we review the output communities and test our hypothesis that the features relating to the hack dynamics are more informative in classifying the hacking groups than the static network features.

Identifying Services
A typical service can control thousands of addresses, while larger services can even manage into the millions. We identify services by exploiting features unique to the Bitcoin blockchain. There are many different approaches that blockchains employ to cryptographically verify transactions, but the Bitcoin blockchain relies on Unspent Transaction Outputs (UTXOs) to record all transactions. A UTXO is the unspent output of a previous transaction that a user is entitled to transfer to another bitcoin address. Every wallet that holds a positive bitcoin balance is in possession of at least one UTXO. When multiple UTXOs are held by a single user and spent together in a transaction, it then becomes possible to definitively ascribe common ownership to all of the UTXOs that were spent together. This concept of a cospend is the basis of the clustering activity used by blockchain analysis firms such as Chainalysis to identify clusters of addresses controlled by a single entity. The network then becomes comprised of cospend clusters, i.e. nodes, composed of multiple addresses rather than long chains of single-use addresses [11].

Once addresses have been mapped to a node through cospending activity, the node can be mapped to a named entity by interacting directly with it. For the example of an exchange, this process can occur by visiting an exchange’s website, depositing funds on the exchange, and tracing that transaction via a block explorer [2]. Only services with publicly available address information can be identified in this way. When stolen funds arrive at a known service, such as an exchange, we can assume that the hackers have attempted to cash out their funds. Professional investigators trace funds through these nodes to create hack subnetworks that capture as much of the meaningful movement of the stolen funds as possible.
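The cospend clustering described above, as an added example (not Chainalysis' implementation): a union-find pass over the input address lists of constructed transactions, plus a helper that collapses address-level transfers to the cluster-level edges the hack subnetworks are built from.

```python
"""Cospend (multi-input) clustering of bitcoin addresses with union-find.

Added example, not Chainalysis' code. COSPENDS is constructed: each entry is
the list of input addresses spent together in one transaction.
"""

COSPENDS = [
    ["a1", "a2"],        # a1 and a2 share an owner
    ["a2", "a3"],        # a3 joins the same cluster transitively
    ["b1"],              # a single-input spend reveals nothing new
    ["b2", "b3", "b4"],
]


class UnionFind:
    """Disjoint-set forest with path compression and union by size."""

    def __init__(self):
        self.parent, self.size = {}, {}

    def find(self, x):
        self.parent.setdefault(x, x)
        self.size.setdefault(x, 1)
        root = x
        while self.parent[root] != root:
            root = self.parent[root]
        while self.parent[x] != root:  # path compression
            self.parent[x], x = root, self.parent[x]
        return root

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra == rb:
            return
        if self.size[ra] < self.size[rb]:
            ra, rb = rb, ra
        self.parent[rb] = ra
        self.size[ra] += self.size[rb]


def cospend_clusters(txs):
    """Map every address to the frozenset of addresses it was (transitively)
    cospent with; an address never cospent forms a singleton cluster."""
    uf = UnionFind()
    for inputs in txs:
        first = inputs[0]
        uf.find(first)
        for other in inputs[1:]:
            uf.union(first, other)
    clusters = {}
    for addr in list(uf.parent):
        clusters.setdefault(uf.find(addr), set()).add(addr)
    return {addr: frozenset(members)
            for members in clusters.values() for addr in members}


def cluster_transfer(sender, receiver, clusters):
    """Collapse an address-level transfer to a cluster-level edge (the paper's
    nodes are cospend clusters). Returns None for a transfer inside one
    cluster, which moves no funds between entities."""
    src = clusters.get(sender, frozenset([sender]))
    dst = clusters.get(receiver, frozenset([receiver]))
    return None if src == dst else (src, dst)


if __name__ == "__main__":
    cl = cospend_clusters(COSPENDS)
    for members in sorted(set(cl.values()), key=sorted):
        print(sorted(members))
```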
Defining Terminal Nodes
There are four types of terminal nodes discussed in this paper. 1) A known service terminal node that is a confirmed service through the process mentioned above of pairing ground truth knowledge with cospending activity. These services can be exchanges, mixers, gambling sites, merchant service platforms, or any exit ramp through which a criminal can off-load stolen bitcoin to an institutional cryptocurrency player. 2) An unknown service node, where the investigator has reason to believe a node is behaving like a service and will therefore terminate the investigation at that point. 3) A node that the investigator has no reliable information for, or 4) a node at which the investigation terminates because the investigator decided not to pursue the lead.

By default, terminal nodes are the edges of the graph subnetwork. Ideally, a subnetwork of a hack would track 100% of the funds from the point of a hack through all exit ramps. This would allow us to set ρ = 0.00, as the terminal nodes would simply be all the natural edges of the graph. In this case, the investigator would trace funds to a service, whether it be an exchange, mixing site, gambling site, etc. We define ρ as
$\rho = \frac{\text{weighted out-degree}}{\text{weighted in-degree}}$,
i.e. the ratio of the amount of funds sent to received. Others have proposed using ratios of the in/out degrees when studying the Bitcoin Transaction Graph, but in different contexts and not as a node-level feature [9]. Figure 2 shows the spectrum of ρ values and their subsequent interpretation.

Figure 2: Spectrum of rho values and their significance
Visualizing temporal behavior in the hack subnetworks
The temporal visualizations are shown in Figures 6 and 8. Figure 6 shows the number of transfers over time within the hack subnetwork so that the investigator can get a sense of how active the hackers are over time. They can answer questions such as: does the hacking group consistently make transactions over time, or do they tend to move funds according to a temporal pattern? A pattern may be indicative of an algorithm moving the funds, as opposed to actual individuals approving the transactions.

Figure 8 shows how the funds exit over time through terminal nodes. It allows an investigator to see the exiting strategy of the hacking group in time. For example, do the hackers exit the funds in one period of time, or consistently over a longer duration of time? Each of these strategies has implications for how the investigator profiles the hacking group overall. For example, a hacking group that exits all the funds through one exchange in one day may be less organized and less well-funded than a hacking group that gradually, through thousands of strategic transactions, exits the funds over a long period of time.

The trends are made visible by restructuring the hack subnetworks into time series. Figure 6 demonstrates how active the hackers are by using the number of transactions they carry out as proxies. Figure 6 allows us to see the way the hackers utilize terminal nodes. Hacking group alpha (A1) is much more active, slowly moving funds through terminal nodes over a shorter period. Hacking group beta (B1) utilizes fewer transactions in general, but tends to send all of their transfers to terminal nodes in a short period of time.
In the case of chart B1 in Figure 6, the hackers sat on their funds for a long period of time before abruptly exiting over 70% of the funds through a few exit ramps within a one week period.

To test the hypothesis that the hackers are best classified using temporal features such as the rate at which funds cash out at terminal nodes, we vary ρ in the following sensitivity analysis section to observe stolen bitcoin exiting through terminal nodes under a range of conditions.

Sensitivity Analysis of ρ

We allowed ρ to range from 0.02 to 0.98 to test the implications of gradually changing the ρ parameter. A cluster with a very low ρ value, e.g. ρ = 0.1, would have to hold on to more than 90% of the funds it received to be considered a terminal node. On the other hand, a very high ρ value, e.g. ρ = 0.9, allows a cluster to retain only 10% of the funds it received from the hack in order for it to be considered a terminal node. A higher ρ will capture many more terminal nodes, as it is an easier condition for nodes to meet.

A lower ρ value means that there are fewer terminal nodes picked up in the graph, and the criteria for being “of interest” to an investigator is extremely high. A very low ρ specifies that wallets of interest are those which may only hold small amounts of the total funds that it received. A node holding over 90% of the funds might be a holding wallet gradually leaking out funds, it might be a consolidation wallet for a criminal ring, a wallet associated with other types of criminal activity, or even a point of conversion to another cryptocurrency if, for example, the wallet is an Exodus wallet, which allows for wallet level cryptocurrency conversions.

Choosing the right value for ρ allows us to optimally grow the hack subnetwork such that it would include the paths of interest without becoming too large to meaningfully analyze. We found that setting the ratio too high resulted in a less meaningful yet larger hack subnetwork, where the terminal nodes did not adequately capture dynamics of interest, and setting the ratio too low did not include clusters that likely should have been included.

Applying a range of ρ from ρ = 0.02 through ρ = 0.98, in increments of 0.…, varying ρ typically revealed how much of the funds the investigator tracked; at the same time, changing the ρ value does not impact the overall cash out trend witnessed by the investigator. These results indicate that varying ρ may not be useful for understanding the behaviors of the hacker, but is a useful tool for identifying nodes of interest that could be possible leads for the investigator. Indeed, the variance in the ρ parameter proved one of the most useful tools for running community detection.

We finally needed to handle the introduction of funds at a time later than the hack by either the same or a different user. To account for this, we either add these new flows to the funds at the start and work with the new total as our amount of hacked funds, or we incorporate these flows into our ρ definition by stating a further constraint that if ρ > 1, then it is a terminal node and we do not follow its flows forward in time. In the case of the former, we can track all funds engaged in clearly illicit activity, regardless of source, while in the case of the latter, we are actively restricting the subnetwork to funds that explicitly originated from the source of the hack.
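The ρ definition, the ρ > 1 rule for later-injected funds, and the amount-in-play series behind Figure 8, as an added example (not the paper's code) run over a constructed toy hack subnetwork whose nodes are already cospend clusters; the 0.02-step ρ grid is our choice, not the paper's increment.

```python
"""Terminal nodes for a rho threshold and the resulting amount-in-play (AIP)
series: the share of stolen funds the hackers still hold on each day.

Added example, not the paper's code. TXS is constructed as
(day, sender, receiver, btc); "hack" is the breach address.
"""
from collections import defaultdict

TXS = [
    (0, "hack", "p1", 60.0),
    (0, "hack", "p2", 40.0),
    (1, "p1", "exA", 60.0),   # exA: exchange, never spends  -> rho = 0
    (2, "p2", "hold", 40.0),  # hold: holding wallet that later leaks 10%
    (5, "hold", "ext", 4.0),
    (9, "ext", "exB", 9.0),   # ext sends more than it received from the hack
]
HACK_TOTAL = 100.0
RHO_GRID = [round(0.02 * k, 2) for k in range(1, 50)]  # our grid: 0.02 .. 0.98


def weighted_degrees(txs):
    """Weighted in-degree (BTC received) and out-degree (BTC sent) per node."""
    w_in, w_out = defaultdict(float), defaultdict(float)
    for _, src, dst, amt in txs:
        w_out[src] += amt
        w_in[dst] += amt
    return w_in, w_out


def rho(node, w_in, w_out):
    """rho = weighted out-degree / weighted in-degree: funds sent over received.
    A node that received nothing has no defined ratio; report it as infinite."""
    return w_out[node] / w_in[node] if w_in[node] else float("inf")


def terminal_nodes(txs, threshold, source="hack"):
    """Terminal nodes for one rho threshold: nodes that forwarded at most
    `threshold` of what they received, plus nodes with rho > 1 (they spent
    outside funds, so their flows are not followed forward in time)."""
    w_in, w_out = weighted_degrees(txs)
    nodes = {n for _, s, d, _ in txs for n in (s, d)} - {source}
    term = set()
    for n in nodes:
        r = rho(n, w_in, w_out)
        if r <= threshold or r > 1:
            term.add(n)
    return term


def amount_in_play(txs, threshold, total=HACK_TOTAL, source="hack"):
    """AIP(t): share of `total` not yet delivered into a terminal node by day t.
    Only a transfer from a non-terminal into a terminal node counts as an exit;
    whatever a terminal node does afterwards is not followed."""
    term = terminal_nodes(txs, threshold, source)
    last_day = max(day for day, *_ in txs)
    exited_on = [0.0] * (last_day + 1)
    for day, src, dst, amt in txs:
        if dst in term and src not in term:
            exited_on[day] += amt
    aip, exited = [], 0.0
    for day in range(last_day + 1):
        exited += exited_on[day]
        aip.append(1.0 - exited / total)
    return aip


def aip_across_rho(txs, rhos=RHO_GRID):
    """The AIP matrix behind Figures 8 and 9: one row per rho value."""
    return {r: amount_in_play(txs, r) for r in rhos}


def terminal_count_by_rho(txs, rhos=RHO_GRID):
    """Number of terminal nodes as a function of rho (the Figure 7 feature)."""
    return {r: len(terminal_nodes(txs, r)) for r in rhos}


if __name__ == "__main__":
    for r in (0.02, 0.5):
        print(f"rho={r}: terminal={sorted(terminal_nodes(TXS, r))} "
              f"AIP={[round(x, 2) for x in amount_in_play(TXS, r)]}")
```

At ρ = 0.02 the holding wallet (ρ = 0.1) is still followed and only 64% of the funds count as exited; at ρ = 0.5 it becomes a terminal node and the series drops to 0% on day 2.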
Feature Definitions
The goal when selecting which distributions to analyze was to capture the behavior of movement of the hacked funds in a precise way. To confirm the hypothesis that the two hacking groups exhibit different cashout strategies, we decided to consider the empirical distributions of 8 different features, as mentioned in Step 4 of the Pipeline. We define several of the features in our analysis as follows:

1. Hack balance of all nodes:
   $\mathrm{Bal} = \log(\text{weighted in-degree} - \text{weighted out-degree})$
2. Logarithmic first difference of the average, LDA, percent of amounts still in play, AIP, across all ρ values:
   $\mathrm{LDA} = \log\left(\frac{E[\mathrm{AIP}(t+1)]}{E[\mathrm{AIP}(t)]}\right)$
3. Second difference of AIP, across all ρ values:
   $\text{Second Diff(AIP)} = \frac{\mathrm{LDA}(t+1) - \mathrm{LDA}(t)}{\mathrm{LDA}(t)}$
4. Logarithmic difference of the standard deviation, LDST, of the AIP, across all ρ values:
   $\mathrm{LDST} = \log\left(\frac{E[(\mathrm{AIP}(t+1) - E[\mathrm{AIP}(t+1)])^2]}{E[(\mathrm{AIP}(t) - E[\mathrm{AIP}(t)])^2]}\right)$
5. Average number of transactions to terminal nodes, TTN, per day, across all ρ values:
   $\text{Transactions} = E[\mathrm{TTN}]$

Similarity Matrices

Once all of the normalized histograms were generated, we measure the pairwise similarity between them, per variable, via the 1-Dimensional Wasserstein Distance, a.k.a. the Earthmover Distance or $L_1$ Norm. Generally, the $L_p$ Norm is defined as
$W_p(F, G) = \left( \int_0^1 \left| F^{-1}(u) - G^{-1}(u) \right|^p \, du \right)^{1/p}$,
where F and G are empirical distribution functions with generalized inverses $F^{-1}$ and $G^{-1}$ [8].

Community Detection
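The input to this step is the set of similarity matrices built from the feature distributions defined above. As an added example (not the paper's code), the block below computes LDA, Second Diff(AIP) and LDST from constructed AIP matrices for three hypothetical hacks, then builds the pairwise W_1 distance and similarity matrices; the 1/(1 + W_1) similarity transform and the EPS floor for zero means or variances are our assumptions.

```python
"""Temporal features of the amount-in-play (AIP) matrix and their pairwise
1-D Wasserstein (earth mover) distances. Added example, not the paper's code.

AIP[hack][r][t] is the share of stolen funds still in play on day t under the
r-th rho threshold. The three matrices are constructed: two gradual,
"alpha-like" cash outs and one abrupt, "beta-like" cash out.
"""
import math
from itertools import combinations

AIP = {
    "A1": [[1.0, 0.90, 0.80, 0.70, 0.60],
           [1.0, 0.85, 0.70, 0.55, 0.40],
           [1.0, 0.80, 0.60, 0.40, 0.20]],
    "A2": [[1.0, 0.95, 0.85, 0.75, 0.65],
           [1.0, 0.90, 0.75, 0.60, 0.45],
           [1.0, 0.85, 0.65, 0.45, 0.25]],
    "B1": [[1.0, 1.0, 1.0, 0.3, 0.3],
           [1.0, 1.0, 1.0, 0.2, 0.2],
           [1.0, 1.0, 1.0, 0.1, 0.1]],
}
EPS = 1e-12  # our floor so fully exited or constant series never hit log(0)


def _mean_over_rho(aip, t):
    return sum(row[t] for row in aip) / len(aip)


def _var_over_rho(aip, t):
    m = _mean_over_rho(aip, t)
    return sum((row[t] - m) ** 2 for row in aip) / len(aip)


def lda(aip):
    """LDA(t) = log(E[AIP(t+1)] / E[AIP(t)]), expectation taken across rho."""
    days = len(aip[0])
    return [math.log(max(_mean_over_rho(aip, t + 1), EPS) /
                     max(_mean_over_rho(aip, t), EPS))
            for t in range(days - 1)]


def second_diff(aip):
    """(LDA(t+1) - LDA(t)) / LDA(t). Undefined where LDA(t) == 0 (a day with
    no exits); those points are left out of the distribution (our choice)."""
    l = lda(aip)
    return [(l[t + 1] - l[t]) / l[t] for t in range(len(l) - 1) if l[t] != 0.0]


def ldst(aip):
    """LDST(t) = log of the ratio of successive across-rho variances of AIP,
    written in the paper as E[(AIP - E[AIP])^2]."""
    days = len(aip[0])
    return [math.log(max(_var_over_rho(aip, t + 1), EPS) /
                     max(_var_over_rho(aip, t), EPS))
            for t in range(days - 1)]


def wasserstein_1(xs, ys):
    """Exact W_1 between two empirical distributions: the integral of |F - G|
    over the merged support, so samples of unequal size are fine."""
    xs, ys = sorted(xs), sorted(ys)
    support = sorted(set(xs) | set(ys))
    total, i, j = 0.0, 0, 0
    for a, b in zip(support, support[1:]):
        while i < len(xs) and xs[i] <= a:
            i += 1
        while j < len(ys) and ys[j] <= a:
            j += 1
        total += abs(i / len(xs) - j / len(ys)) * (b - a)
    return total


def distance_matrix(feature, aip=AIP):
    """Pairwise W_1 distances between one feature's distributions per hack."""
    names = sorted(aip)
    dist = {a: {b: 0.0 for b in names} for a in names}
    for a, b in combinations(names, 2):
        dist[a][b] = dist[b][a] = wasserstein_1(feature(aip[a]), feature(aip[b]))
    return names, dist


def similarity_matrix(feature, aip=AIP):
    """Similarity 1 / (1 + W_1): our transform, the paper does not state one."""
    names, dist = distance_matrix(feature, aip)
    return names, {a: {b: 1.0 / (1.0 + dist[a][b]) for b in names} for a in names}


if __name__ == "__main__":
    for feat in (lda, second_diff, ldst):
        names, sim = similarity_matrix(feat)
        print(feat.__name__, [[round(sim[a][b], 3) for b in names] for a in names])
```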
After the similarity matrices are computed for the distributions of interest, the goal becomes differentiating between the two hacking groups. We propose a method of representing the similarity matrices as networks and searching for two distinct communities via both Modularity Optimization and Walktrap and comparing the results.

Modularity Optimization [12] consists of finding a near maximal value for Modularity, Q, returned from the communities applied to some null model of network formation, typically a Random Network:
$Q = \frac{1}{2m} \sum_{vw} \left[ A_{vw} - \frac{k_v k_w}{2m} \right] \delta(c_v, c_w)$,
where m is the number of edges in the network, $A_{vw}$ is 1 when nodes v and w are connected and 0 otherwise, $k_v$ is the sum of $A_{vw}$ over w, and $\delta(i, j)$ is 1 when i and j are equal and 0 otherwise.

Walktrap [13] operates similarly, also attempting to optimize the same modularity, but with a focus on short random walks exiting communities as the explicit motivation and approach. Both algorithms are built for analyzing large networks, and their true modularity optimization functions are not explicitly the Q written above, but a derived form. We utilized both methods as independent confirmation rather than for any benefits from their relative optimizations. As the resulting networks are small, with one node corresponding to each hack, eight distributions analyzed, and two applications of community detection, any conclusions drawn from our method are only tentative, since no conclusive results can be drawn from such small amounts of data. Nevertheless, we propose the full method as technically sound and a novel tool in the analysis of hack subnetworks in the bitcoin blockchain.

Results

Figure 7: Terminal Nodes vs ρ (TvR)
Figure 8: Amount in Play over Time
Figure 9: Standard Deviation of Amount in Play over Time
Figure 10: Similarity Matrices of Feature Distributions for Hacking Groups A and B

Table 1: Summary Statistics for Each Hack

Hack   Txs      Nodes   Avg In Deg   Avg Out Deg   Clust. Coeff
A1     1,981    1,257   1.02         1.02          0.001
A2     421      55      1.11         1.11          0.041
A3     607      218     1.05         1.05          0.008
B1     190      176     1.01         1.01          0.000
B2     374      335     1.06         1.06          0.002
B3     57,299   174     1.62         1.62          0.068

Figure 11: Communities for all features’ similarity matrices - first by Walktrap, then Modularity Optimization

As discussed in the Methodology, the communities shown in Figure 11 correspond to those identified by two clustering algorithms, with the first two rows being Walktrap’s output communities on each distribution’s similarity network, and the second two rows being the results obtained via Modularity Optimization. As can be seen, similarity matrices derived from different distribution comparisons, whether analyzed by the same or a different algorithm, lead to different observed communities. Though they are often different, the communities do share some common characteristics with each other. For example, for all but the clustering of Balance similarity and TvR, nodes {B1, B2, B3} are always clustered together. Furthermore, 9 out of the 16 clusters have at least two members of group A together.

To better quantify consensus among the results in Figure 11, we first find one node N which remains in the same group through all of the methods (we chose node B6) so as to establish a common group naming (in other words, it is no longer the case that a node is either in the blue or the red group seen in Figure 11, rather that each node is either in the same group as our fixed node or in the opposite group), and then we generate a number $n_{i,j}$ associated to each node i and community j, with $j \in \{1, 2, 3, \ldots, 16\}$, setting $n_{i,j} = 1$ if i is in the same group as N and $n_{i,j} = 0$ otherwise. We then compute the probability of node i being in the same group as N with $p_i = \frac{1}{16} \sum_{j=1}^{16} n_{i,j}$. Finally, we bisect the vector of values along its median and obtain the grouping {A1, A2, A3}, {B1, B2, B3}.

This process was repeated using two feature set combinations. The first set contained all 8 features, and its resulting vector was (0.625, 0.5, 0.1875, 0.8125, 1, 1). The second set included only temporal features, namely LDA, Second Diff(AIP), LDST, and ATVR, and had a resulting vector of (0.25, 0.5, 0, 1, 1, 1). Note that the ground-truth vector is simply (0, 0, 0, 1, 1, 1). In both cases, the bisection works to successfully find the two communities. In the case of only temporal features, the results are even more compelling, where 0.5 can be used to bisect the set of hacks into their respective communities.

Discussion
We ran this analysis on historical hacks curated by Chainalysis investigators. The 6 hacks analyzed were carried out by 2 distinct and well-known hacking groups. Due to ongoing investigations, the names of the hacking groups cannot be revealed at this time.

Analyzing the subnetworks using our proposed methodology allowed investigators to observe the cash out methods for the different hacking groups. Analyzing each subnetwork based on the features above allowed for greater understanding of each specific hack and hacking group, as well as the ability to successfully classify hackers via our pipeline.
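The two-community step and the consensus bisection from the Results, as an added example (not the paper's code): in place of Walktrap and Modularity Optimization it enumerates every bipartition of the six hack nodes and keeps the one with maximal modularity Q, then applies the n_{i,j} / p_i consensus and median bisection to constructed partitions and to the two consensus vectors reported above. The similarity matrix SIM is constructed.

```python
"""Two-community search on a similarity network and the consensus bisection
used in the Results. Added example, not the paper's code.

With six nodes there are only 2^5 = 32 bipartitions, so exhaustive search over
the weighted modularity Q stands in for Walktrap / Modularity Optimization.
"""
NODES = ["A1", "A2", "A3", "B1", "B2", "B3"]

# Constructed similarity network for one feature: same-group hacks are similar
# (0.9), cross-group hacks are not (0.1); no self-loops.
SIM = [[0.0 if v == w else (0.9 if v // 3 == w // 3 else 0.1)
        for w in range(6)] for v in range(6)]


def modularity(sim, labels):
    """Q = 1/(2m) * sum_vw [A_vw - k_v k_w / (2m)] delta(c_v, c_w), using the
    weighted generalisation: A_vw = similarity, k_v = row sum, 2m = total weight."""
    n = len(sim)
    two_m = sum(sum(row) for row in sim)
    k = [sum(row) for row in sim]
    q = 0.0
    for v in range(n):
        for w in range(n):
            if labels[v] == labels[w]:
                q += sim[v][w] - k[v] * k[w] / two_m
    return q / two_m


def best_bipartition(sim):
    """Exhaustive two-community modularity maximisation; node 0 is pinned to
    community 0 so each split is visited once."""
    n = len(sim)
    best_q, best = float("-inf"), None
    for mask in range(1 << (n - 1)):
        labels = [0] + [(mask >> i) & 1 for i in range(n - 1)]
        q = modularity(sim, labels)
        if q > best_q:
            best_q, best = q, labels
    return best, best_q


def consensus_vector(partitions, fixed):
    """p_i = (1/J) * sum_j n_ij with n_ij = 1 iff node i shares the community of
    node `fixed` in partition j; this removes the arbitrary red/blue naming."""
    n = len(partitions[0])
    return [sum(p[i] == p[fixed] for p in partitions) / len(partitions)
            for i in range(n)]


def bisect_at_median(vec):
    """Split nodes into those strictly above the median of p (1) and the rest (0)."""
    s = sorted(vec)
    n = len(s)
    median = (s[n // 2 - 1] + s[n // 2]) / 2 if n % 2 == 0 else s[n // 2]
    return [1 if v > median else 0 for v in vec]


if __name__ == "__main__":
    labels, q = best_bipartition(SIM)
    print("best bipartition:", dict(zip(NODES, labels)), "Q =", round(q, 3))
    # The two consensus vectors reported in the Results, re-bisected here.
    for vec in [(0.625, 0.5, 0.1875, 0.8125, 1, 1), (0.25, 0.5, 0, 1, 1, 1)]:
        print(vec, "->", dict(zip(NODES, bisect_at_median(vec))))
```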
Hacking Group Alpha
We analyzed three distinct hacks carried out by hacking group alpha. Hacking group alpha is a large, well-funded organization. The hacks analyzed in this paper reveal that the subnetworks tracing funds stolen by hacking group alpha are highly complex, with the stolen funds moving through many nodes. The stolen bitcoins are slowly cashed out through terminal nodes over time. Investigators confirmed this trend.

Funds flowing to terminal nodes from the three hacks visualized in Figure 8 further confirm this trend. Stolen bitcoin being moved by hacking group alpha appear to slowly leak out of possession of the hackers through terminal nodes. Taking both the first and second differences for the amount in play visualized in Figure 8 demonstrates that the acceleration at which stolen funds exit through terminal nodes is a significant means of clustering the graphs. Just taking first differences successfully clusters hack A3 and hack A1 together. Visually, A1 and A3 are more similar. Looking at the second differences, i.e. the acceleration, for the amount in play visualized in Figure 8 is most successful at finding communities of hacks. Running community detection on the similarity matrices for the second differences of the amount in play successfully identifies that A1, A2, and A3 belong in the same community.

The number of transfers that the hackers use to move the funds has also proven significant for helping to effectively classify the hacks according to their hacking groups. As shown in Figure 6, hacks A2 and A3 appear to have similar trends in terms of the number of transfers made each day following the hack. The community detection that we ran on the hacks classified these two hacks together when looking only at trends in the frequency of transactions sent to terminal nodes.

Analysing the variance in the ρ parameter, as visualized by Figure 9, captures how the share of funds exiting through terminal nodes changes as ρ approaches 1.
The standard deviation for the ρ parameter as ρ approaches 1 approximates the variety in behavior for terminal nodes. Using the log difference in standard deviation across the amount in play by varying ρ allows us to classify hacks A3 and A1 together. Both these hacks had similar changes in the amount in play for each ρ over time, whereas A2 had some uncharacteristic behavior for hacking group alpha around day 250. A2 was a much smaller sized subnetwork, with only 55 nodes, than A1 and A3, with 1257 and 218 respectively. This made the standard deviation of the amount exiting through terminal nodes more sensitive as ρ increased.

We investigated whether the distribution of balances across all the nodes in the hack would be a useful indicator to help classify hacks. This was one of the weakest features used to classify the hacks into hacking groups. As shown in Figure 3, there is a wide variety in the distribution across all the nodes in the graph based on their hack balances. Hack A3’s distribution, for example, had a higher peak, meaning many of the nodes in A3 held a similar balance. Yet A2 had much more variety across the nodes within the graph in terms of how much stolen bitcoin each node ended up holding. Using the distribution of the log balance by nodes was not useful on its own to help classify hacks, and caused one of the few instances of mistakenly grouping hacks A3 and B4 together, as seen in Figure 11.

Hacking Group Beta
We then analyzed three hacks carried out by the second hacking organization, referred to here as hacking group beta. When visualizing the hack subnetworks for hacking group beta, there are striking differences in the cash out mechanisms. Hacking group beta tends to send a majority of its funds through terminal nodes over a short period of time. They tend to sit on their funds quietly, sometimes moving some funds through wallets of interest, but have a characteristically abrupt cash out pattern.

This pattern is visualized in Figure 8, where hacks B1, B2 and B3 all have notable vertical drops, representing abrupt moments of cashing out through terminal nodes. Running our community detection algorithms on the first differences of this activity successfully classified all B hacks as belonging together, see Figure 11, yet also identified hack A2 as fitting a similar pattern. The second differences for the amount in play chart is the best at predicting the proper community assignment. Its top performance can be attributed to its correctly capturing the acceleration of the funds exiting through terminal nodes, which confirms the hypothesis put forward by investigators about temporal trends in exiting funds.

All of the hacks from hacking group beta have a large variance for ρ as ρ approaches one, which can also be visualized in Figure 8. This signifies a large range in sending versus receiving behavior for the nodes within the hacking group beta hacks. Funds are exiting through a wide variety of nodes, and not simply hitting one exit point which only ever received funds.

Looking at the distribution of balances held by the nodes within the subnetwork demonstrates the variety of node behaviors present. However, this was again a weak feature when it came to classifying the hacks through community detection. Hack B1 had many nodes that passed through mixing services which were unclustered in the subnetwork.
The mixers would siphon off parts of the stolen funds into consolidator wallets in similar patterns. The investigator only tracked the fattest paths, leaving many of the known nodes passing through mixers with a similar balance. Using balance distribution when the graph is not fully built out was shown not to be useful for community detection.

We next looked at the variation in the AIP over all ρ as visualized in Figure 9. The shape of this graph visualizes how ρ affects the share of funds exiting through terminal nodes. Almost all of hack B1’s funds exit through a wide variety of terminal nodes on the first day. The standard deviation peaks at this point, followed by a long period of no fund movements. We successfully classified hacks B1, B2, and B3 together using our community detection algorithms, but hack A2 was mistakenly grouped in when using this feature, as shown in Figure 11.

We then analyzed the number of transactions going to terminal nodes in Figure 6. The number of transactions showed no clear visible pattern to help classify the hacks into hacking groups. While the community detection algorithms successfully classified all three hacks from hacking group beta together, they also picked up hack A1.

Key Takeaways
We began this analysis by talking with Chainalysis investigators about what they knew about the hacking groups. They indicated that the key differentiation between the two groups is the pattern by which they hold funds and the subsequent rate at which they cash them out. Our analysis confirms this hypothesis.

We conclude that static features of the charts, such as balance distributions, in degrees, and out degrees, are not useful features for classifying the hacks into hacking groups. There are many limitations to these static features. To start, they likely require a fully built out, comprehensive graph. Many of the graphs we chose to analyze were incomplete from the start. This means the takeaways from the static features of the charts were also fundamentally incomplete.

More importantly, our hypothesis of focusing on the temporal features of the subnetworks, rather than the static features, was validated. The results indicate that the patterns by which the subnetworks evolve over time serve as useful features for optimal classification based on the method described in this paper. The optimal classifications in Figure 11, specifically the second difference, or acceleration, of AIP, are most characteristic of the subnetworks' temporal nature. Varying ρ to alter our level of resolution into terminal nodes also plays a role in the usefulness of our temporal features and the resulting classifications. The correct classifications were obtained when similarity matrices were built from these temporal features and the community detection algorithms were subsequently run to differentiate the hacking groups based on these features exclusively.

Conclusion
Hacks represent an important challenge for law enforcement, the Bitcoin community, and financial institutions. There is opportunity for an algorithmically informed approach to the analysis of existing hacks as well as real-time monitoring of hacks. This research represents an attempt at building a more rigorous framework for such an approach via an analysis of both the static and temporal features of hack subnetworks, and suggests that the temporal features represent an important avenue of exploration for a deeper understanding of the hack subnetworks.

Future Work

Due to the small sample size and the sensitive nature of the underlying data, the tools we develop are currently useful for visualization and description rather than conclusive statistical analysis of existing hacks. We aim to continue gathering data and expand our analysis.
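The classification pipeline summarized under Key Takeaways (an amount-in-play series per hack, its first and second differences, a similarity matrix over that feature, then community detection), as an added example that is not the paper's own code. The six AIP series are constructed, and both the 1-D Wasserstein distance between sorted feature values and the two-cluster average-linkage merge are assumptions standing in for the paper's similarity construction and its igraph community detection.

```python
# Added example, not the paper's code: AIP series per hack, their differences,
# a similarity matrix over that feature and a two-community split (constructed data).
from itertools import combinations

# Constructed daily share of stolen funds still in play (not yet exited
# through terminal nodes). Group alpha drains gradually; group beta holds,
# then cashes out most of the funds in a single day.
AIP = {
    "A1": [1.0, 0.95, 0.9, 0.85, 0.8, 0.75, 0.7, 0.65, 0.6, 0.55],
    "A2": [1.0, 0.9, 0.85, 0.8, 0.72, 0.65, 0.6, 0.5, 0.45, 0.4],
    "A3": [1.0, 0.97, 0.94, 0.9, 0.86, 0.8, 0.75, 0.7, 0.68, 0.65],
    "B1": [1.0, 1.0, 0.1, 0.1, 0.1, 0.08, 0.08, 0.08, 0.05, 0.05],
    "B2": [1.0, 0.9, 0.9, 0.1, 0.1, 0.1, 0.1, 0.05, 0.05, 0.05],
    "B3": [1.0, 0.95, 0.95, 0.95, 0.1, 0.1, 0.1, 0.08, 0.08, 0.08],
}

def differences(series, order):
    """Finite differences: order 1 is the cash-out rate, order 2 its acceleration."""
    out = list(series)
    for _ in range(order):
        out = [b - a for a, b in zip(out, out[1:])]
    return out

def wasserstein_1d(u, v):
    """1-D Wasserstein-1 distance between equal-length samples (assumed metric):
    mean gap between sorted values, so a jump's timing is ignored but its size kept."""
    su, sv = sorted(u), sorted(v)
    return sum(abs(a - b) for a, b in zip(su, sv)) / len(su)

def similarity_matrix(features):
    """Assumed similarity: 1 / (1 + distance); symmetric, 1.0 on the diagonal."""
    return {(a, b): 1.0 / (1.0 + wasserstein_1d(features[a], features[b]))
            for a in features for b in features}

def two_communities(names, sim):
    """Average-linkage merging down to two clusters, a stand-in (assumption)
    for the paper's igraph community detection."""
    clusters = [[n] for n in names]
    while len(clusters) > 2:
        def avg_sim(pair):
            ci, cj = clusters[pair[0]], clusters[pair[1]]
            return sum(sim[(a, b)] for a in ci for b in cj) / (len(ci) * len(cj))
        i, j = max(combinations(range(len(clusters)), 2), key=avg_sim)
        clusters[i] = clusters[i] + clusters.pop(j)  # i < j, so index i stays valid
    return {frozenset(c) for c in clusters}

def classify(order=2):
    """Group the hacks using the order-th difference of AIP as the feature."""
    feats = {h: differences(s, order) for h, s in AIP.items()}
    return two_communities(sorted(feats), similarity_matrix(feats))
```

With the acceleration feature (order 2) the constructed alpha and beta hacks separate cleanly; lowering the order or swapping in a static feature is a quick way to see why the paper found those weaker.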
Acknowledgements
We thank the Chainalysis investigators for their collaboration.
Author’s contributions
DG, KG, and YS designed research, performed research, and wrote the paper. All authors read and approved the final manuscript.
Funding
This research was funded by Chainalysis.
Availability of data and materials
Due to the sensitivity of the underlying data, we cannot currently release our dataset.