Cyber-Block-Forensics

Bitcoin, Ethereum, Ripple, Litecoin and Monero: Since 2017 cryptocurrencies have been well known in society and recorded millions of users. Cryptocurrencies advertise with high anonymity, decentrality and limited regulation in comparison to regular currencies. One of the main features of cryptocurrencies is the storage of the whole transaction history in a public blockchain, which can be accessed to seek patterns between transactions and addresses and trace entities.

The objective of Cyber-Block-Forensics is to evaluate existing analysis tools for Bitcoin, Ethereum and Monero and improve existing heuristics for classification and clustering of transactions and addresses. Furthermore, the team's own transactions will be traced through the blockchain to test heuristics and other assumptions regarding aspects such as exchanges or gambling sites.

We have completed the construction of the server infrastructure and the corresponding software tools. A toolchain now makes it possible to create transaction chains based on an input address or transaction, a specified period, and other parameters. These can then be analysed using known heuristics. The first results were presented at the conference Polizeiinformatik 2021 and will be published accordingly.

The project team is currently working on an implementation to classify Bitcoin addresses using supervised machine learning. Mixing services, (illegal) marketplaces, and gambling sites are of particular interest here. For this purpose, information about the addresses of publicly known entities is queried from the Internet and stored in a database. Helpful information can be, for example, the number and frequency of transactions, the distribution over time, or the values transferred. The algorithm then tries independently to assign this training data to the correct class. Once we have trained the algorithm, we can apply it to unknown data.

In the future, we plan to extend the classification to include entire transaction graphs. For this purpose, the graphs are reduced into a matrix that algorithms can read using graph embedding.

We expect this to result in an improved classification through a more considerable amount of input data. In addition, this procedure does not depend on external sources but can be formed directly from the existing database of Bitcoin transactions.