Survey of Bitcoin Mixing Services: Tracing Anonymous Bitcoins September 2015 | novetta.com | Copyright © 2015, Novetta, LLC. White Paper


• INTRODUCTION
• THE BITCOIN BLOCKCHAIN
• BITCOIN MIXING SERVICES
• ANALYSIS
• PROCEDURE
• RESULTS: TAINT ANALYSIS
• RESULTS: PATTERN ANALYSIS
• MIXING SERVICE SUMMARIES
• CONCLUSIONS
• ABOUT NOVETTA


INTRODUCTION

The public often views Bitcoin as a means to send funds anonymously. However, users may underestimate the amount of personally identifying information (PII) inherently linked to this digital currency. To comply with Anti-Money Laundering and Know Your Customer regulations, online marketplaces monitor user activity and collect PII from the bank accounts and credit cards used to purchase Bitcoins. This information ultimately creates a discoverable link between real-world identities and online Bitcoin transactions. To eliminate this anonymity threat, privacy-conscious users rely on Bitcoin mixing services to remove identity-based connections from their coins.

Though mixing services have practical uses within the Bitcoin network, these services can also be instrumental in money laundering schemes. Specifically, mixing services provide a means for malicious actors to deposit ill-gotten coins and receive new coins deposited by legitimate users. Without a provable link between the coins deposited and those withdrawn, law enforcement officials cannot confidently associate the illicit funds with a single individual.

This study examines whether provable links can be established between addresses¹ in a mixing scheme, assesses whether individual mixing services exhibit identifiable fingerprints, and determines if signs of mixing are apparent within the Bitcoin blockchain. Evaluating these aspects of Bitcoin mixing provides insight into how well mixing services preserve anonymity and to what extent correlations can be drawn between suspect mixing addresses.

¹ A Bitcoin address is the pseudonymous public key used to identify accounts within the Bitcoin network.


BITCOIN MIXING

Mixing services achieve anonymity by combining multiple users’ Bitcoins/transactions into a common pot, shuffling coins amongst several intermediate addresses, and depositing funds into new, unused receiving addresses. This process strips connected PII from the coins and complicates fund tracing. Figure 1 illustrates a simplified mixing transaction. The end nodes (teal) represent a user’s addresses, while the middle nodes (dark blue) represent addresses run by the mixing service. Though the diagram displays a linear transaction chain, Bitcoin mixing services often divide and transfer funds between many mixing addresses to make fund tracing more difficult.

Figure 1: Bitcoin mixing progression

IDENTITY IN ONLINE PAYMENTS

By design the Bitcoin network does not collect PII. Instead, it creates a pseudonymous network by randomly assigning public keys (Bitcoin addresses) to identify accounts, and private keys to validate transactions. To protect against double spending of Bitcoins, unauthorized spending of Bitcoins, and mining fraud, the network broadcasts a public ledger known as the blockchain. This ledger contains details for every transaction conducted since the currency’s inception.

Though the blockchain-recorded data does not directly pose a threat to anonymity, it can be aggregated and associated with additional information to create links to real-world identities. With this in mind, mixing services are evaluated in this study based on their ability to conceal four types of identity data: personal, behavioral, financial, and network.

Personal Identity Data • Information linking an online account or commodity to a real-world identity. This data is often collected during account registration and includes data points such as name, email address, date of birth, and SSN. Although usually self-reported, it can be extrapolated from linked services and accounts.

Behavioral Identity Data • Predictable navigational patterns observed during an online session. This data is often compared to data collected from other users and compared against prior logins to determine abnormal behavior. In this study, mixing service behavior is evaluated instead of user behavior. Mixing service behavior primarily includes transfer patterns (e.g. reusing addresses, time analysis, and balance differences).

Financial Identity Data • Data used to facilitate payments, including financial account numbers, transaction amounts, and account balances. For Bitcoins, this information includes Bitcoin addresses and transaction times. In this study, all Bitcoins were purchased on LocalBitcoins using prepaid gift cards to limit non-Bitcoin financial data.

Network Identity Data • Information used to uniquely identify devices communicating across the internet. This data includes IP addresses, browser configurations, and cookies. To standardize testing, TOR was used in this study to access all mixing services. All TOR browsers appear uniform, reducing the probability of unique identification based on network data, thus eliminating the need to further evaluate network identity data.


THE BITCOIN BLOCKCHAIN

The Bitcoin network is known as a trustless system, meaning that the network does not have a central authority responsible for validating transactions. Instead, it relies on a network of Bitcoin miners to maintain the publicly available blockchain.

As the name suggests, the blockchain comprises a series of linked blocks, beginning at time zero with the Genesis Block. Blocks contain transaction details and are added in chronological order (as shown in Figure 2) at a rate of 6 blocks per hour. When a new block is added, each prior block in the chain gains an added confirmation. More confirmations decrease the likelihood of including fraudulent transaction data. For this reason, Bitcoin transfers are not typically considered final until 6 block confirmations are recorded.

At any given time, the blockchain should only have one path leading back to the Genesis Block. In some instances the blockchain may fork (Figure 2). This occurs when two similar blocks are simultaneously added to the blockchain by competing Bitcoin miners. Though both paths may be valid at first, only one will remain in the blockchain. The chain that goes on to contain the most blocks (shown in dark blue) remains as the only valid path. Shorter, forked chains (shown in red) become invalid or “orphaned” and no longer serve as confirmations for prior blocks.

Figure 2: Blockchain confirmations

Transaction details in each block include Bitcoin addresses, balances held (in Bitcoins, BTC), and the IP addresses which broadcast the transactions. Platforms such as Blockchain.info use this data to produce visual representations of fund movement across Bitcoin addresses (Figure 3). As shown in Figure 3, addresses (circles) send coins to other addresses depicted to their immediate right.

Figure 3: Transaction output chain (Blockchain.info)


BITCOIN MIXING SERVICES

Bitcoin mixing services obfuscate funding sources by breaking links between PII and Bitcoins. Each mixing service accomplishes this through different techniques. Although mixing services rarely disclose their exact mixing technique, common mixing schemes have known differences.

MIXING SCHEMES

In a traditional mixing scheme, the mixing service combines funds into a communal pot. The funds within the communal pot are often earmarked to designate the depositor and then redirected to other withdrawing users (colored arrows in Figure 4). Mixing services may also operate multiple communal pots, allowing a user to deposit and withdraw funds from separate pots.

Additional anonymizing options include depositing and withdrawing to multiple addresses, enforcing time delays, and varying transaction fees. These options increase anonymity by reducing inherent correlation between originating and receiving addresses; an observer will not know exactly when, or exactly how much, funds are expected to appear in the receiving address(es).

Figure 4: Traditional mixing technique

Alternatively, services can use a modified mixing technique known as CoinJoin. Instead of pooling users’ coins in a common pot, this mixing technique makes multiple transactions appear as a single transaction within the blockchain. CoinJoin alone does not completely sever the link between originating and receiving addresses; rather, it makes tracing funds more difficult.

As illustrated in Figure 5, a single CoinJoin mixing transaction has inputs from multiple identities/addresses (multiple input addresses can belong to a single identity). When posted to the blockchain, the transaction outputs appear as uniform payments with identical timestamps. These payments are theoretically indistinguishable, thus obfuscating the source.

Even if an outside observer knows the identities depositing coins, connections between senders and receivers are unclear. The more users included in a single CoinJoin transaction, the harder it is to link originating and receiving addresses. However, this is limited by the number of users looking to transfer similar amounts within a common time period.

Figure 5: CoinJoin mixing technique
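The CoinJoin shape described above (several input addresses and a set of uniform outputs in one transaction) can be checked mechanically, and the same check shows why CoinJoin alone does not fully sever links. The Python below is an added example, not code from the paper or from any mixing service; the transaction layout, the thresholds, the one-input-per-participant assumption in `link_change_outputs`, and all addresses and amounts are constructed for illustration.

```python
from collections import Counter

def coinjoin_profile(tx, min_participants=3):
    """Report whether a transaction has the CoinJoin shape: several distinct
    input addresses and several outputs that share one identical value.

    tx is {"inputs": [(address, satoshi)], "outputs": [(address, satoshi)]},
    an assumed, simplified layout.
    """
    input_addresses = {addr for addr, _ in tx["inputs"]}
    value_counts = Counter(value for _, value in tx["outputs"])
    if not value_counts:
        return {"candidate": False, "uniform_value": None, "uniform_outputs": []}
    # Most frequent output value; ties are broken by the larger value.
    uniform_value, uniform_count = max(
        value_counts.items(), key=lambda item: (item[1], item[0])
    )
    uniform_outputs = sorted(a for a, v in tx["outputs"] if v == uniform_value)
    candidate = (len(input_addresses) >= min_participants
                 and uniform_count >= min_participants)
    return {"candidate": candidate,
            "uniform_value": uniform_value,
            "uniform_outputs": uniform_outputs}

def link_change_outputs(tx, uniform_value, max_fee_share):
    """Pair each input with non-uniform (change) outputs whose value equals
    input - uniform payment - a fee share between 0 and max_fee_share.

    Assumes one input per participant. The uniform outputs stay ambiguous,
    but change outputs can still tie an input to one participant.
    """
    links = {}
    for in_addr, in_value in tx["inputs"]:
        leftover = in_value - uniform_value
        matches = sorted(
            out_addr for out_addr, out_value in tx["outputs"]
            if out_value != uniform_value
            and 0 <= leftover - out_value <= max_fee_share
        )
        if matches:
            links[in_addr] = matches
    return links

# Constructed sample: three participants, each receiving 1,000,000 satoshi.
SAMPLE_COINJOIN = {
    "inputs": [("in_A", 1_500_000), ("in_B", 1_200_000), ("in_C", 1_010_000)],
    "outputs": [("out_1", 1_000_000), ("out_2", 1_000_000), ("out_3", 1_000_000),
                ("chg_X", 495_000), ("chg_Y", 195_000), ("chg_Z", 5_000)],
}
# Constructed sample: an ordinary payment with one change output.
SAMPLE_PAYMENT = {
    "inputs": [("pay_in", 2_000_000)],
    "outputs": [("shop", 700_000), ("pay_chg", 1_290_000)],
}

if __name__ == "__main__":
    profile = coinjoin_profile(SAMPLE_COINJOIN)
    print(profile)
    print(link_change_outputs(SAMPLE_COINJOIN, profile["uniform_value"], 10_000))
    print(coinjoin_profile(SAMPLE_PAYMENT))
```
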


MIXING SERVICE SELECTION

The mixing services used in this study represent a wide array of mixing techniques and were chosen based on their surmised popularity². Mixing services selected (listed in Table 1) also:

• Were compatible with an anonymizing network tool (e.g. TOR)
• Required minimal registration
• Had transaction minimums under $25 USD
• Had minimal cost and/or fees

Table 1: Mixing service specification summary

| Mixing Service | Min Transfer | Max Transfer | Cost/Fees | Delay Time | Account Required | Data Retention |
|---|---|---|---|---|---|---|
| BITMIXER (URL: bitmixer2whesjgj.onion) | 0.01 BTC | Varies by current size of reserve | 0.5% to 3.5% + 0.001 BTC per receiving address | Instant | No | 12 hours |
| BIT LAUNDER (URL: Bitlaunder.com) | None | None | 2% (Quick), 3% (Secure) | Up to 24 hours | Yes: user name, password, email address | Unknown |
| SHARED COIN (URL: blockchatvqztbll.onion) | 0.01 BTC | 50 BTC | 0.0005 BTC | 30 sec to 5 min | Yes: user name, password, email address | Unknown |
| BITCOIN BLENDER (URL: bitblendervrfkzr.onion) | 0.01 BTC | None | Random: 1 - 3% | Random: 0 – 99 Hours | Yes: user name, password | Log files: 24 hours; All Files: 10 days |

² Mixing services commonly appearing in Bitcoin forums were believed to have a large number of users.

ANALYSIS

Five address types are typically present in mixing transactions (Figure 6): originating, depositing, intermediate, withdrawing, and receiving. Although a single Bitcoin address may serve multiple roles (e.g. a withdrawing address for one transaction may serve as an intermediate in another), in this study addresses were classified by their relationship to the tested originating address.

Figure 6: Mixing address definitions


Though Figure 6 shows a linear progression, mixing services commonly employ a virtually unlimited number of depositing, intermediate, and withdrawing addresses. This makes manual analysis of the blockchain across multiple mixing transactions difficult. However, automated analysis tools exist which can facilitate discovering correlations between addresses. These tools examine the history of a Bitcoin address and draw associations between the examined address and other addresses. This study used Taint Analysis, provided by Blockchain.info, as the primary automated analysis tool.

TAINT ANALYSIS

Within the Bitcoin network, “taint” is the percentage of funds received by one address that can be traced to another. Examining taint provides insight into a Bitcoin mixing service’s efficacy. A successful mixing service should reduce the taint between the originating address and the receiving address to zero. Any quantifiable measure of taint between two addresses creates a link between the two and may be used to discover previously unknown addresses in a payment scheme.

Taint Analysis returns a list of addresses related to the queried address (Figure 7). Each address is shown with a branch association, taint percentage, and count. The Branch column color codes related transactions. Branch numbers identify how many branches an address appears in, whereas Count indicates how many times that address transferred coins to other addresses within those branches.

Figure 7: Taint Analysis
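Taint as defined above can be computed by carrying a tainted share forward through each transaction in time order. The Python below is an added example, not Blockchain.info's implementation and not code from the paper: it assumes proportional mixing of inputs within a transaction and a simplified per-address balance model, and every address and amount in it is constructed.

```python
from collections import defaultdict
from fractions import Fraction

def origin_taint(transactions, source, target):
    """Share (0..1) of the funds received by `target` traceable to `source`.

    transactions: chronological list of
        {"inputs": [(address, satoshi)], "outputs": [(address, satoshi)]}
    Assumed model: every output of a transaction inherits the value-weighted
    taint of that transaction's inputs. Funds whose history lies outside the
    supplied transactions are treated as untainted.
    """
    balance = defaultdict(Fraction)   # coins currently held per address
    tainted = defaultdict(Fraction)   # part of that balance traceable to source
    received = Fraction(0)
    received_tainted = Fraction(0)

    for tx in transactions:
        total_in = Fraction(0)
        tainted_in = Fraction(0)
        for addr, value in tx["inputs"]:
            total_in += value
            if addr == source:
                tainted_in += value            # source coins are 100% tainted
                continue
            known = min(Fraction(value), balance[addr])
            if known > 0:
                moved = known * tainted[addr] / balance[addr]
                balance[addr] -= known
                tainted[addr] -= moved
                tainted_in += moved
        mix = tainted_in / total_in if total_in else Fraction(0)
        for addr, value in tx["outputs"]:
            balance[addr] += value
            tainted[addr] += value * mix       # fees do not change the ratio
            if addr == target:
                received += value
                received_tainted += value * mix
    return received_tainted / received if received else Fraction(0)

def taint_percent(transactions, source, target):
    """Same result as origin_taint, expressed as a percentage."""
    return float(origin_taint(transactions, source, target) * 100)

# Constructed sample: one deposit pooled with other users' funds, then paid out.
SAMPLE_MIX = [
    {"inputs": [("ORIGIN", 5_500_000)],
     "outputs": [("DEPOSIT", 5_490_000)]},
    {"inputs": [("DEPOSIT", 5_490_000), ("OTHER_DEPOSIT", 16_470_000)],
     "outputs": [("POT", 21_950_000)]},
    {"inputs": [("POT", 21_950_000)],
     "outputs": [("WITHDRAW", 10_000_000), ("POT_CHANGE", 11_940_000)]},
    {"inputs": [("WITHDRAW", 10_000_000), ("OTHER_RESERVE", 10_000_000)],
     "outputs": [("RECEIVING", 5_335_000), ("RESERVE_CHANGE", 14_655_000)]},
]
# Constructed control: a direct transfer, as in the study's control trials.
SAMPLE_CONTROL = [
    {"inputs": [("ORIGIN", 5_500_000)], "outputs": [("RECEIVING", 5_490_000)]},
]

if __name__ == "__main__":
    print(taint_percent(SAMPLE_MIX, "ORIGIN", "RECEIVING"))      # 12.5
    print(taint_percent(SAMPLE_CONTROL, "ORIGIN", "RECEIVING"))  # 100.0
```

In this model a pooled deposit still leaves measurable taint unless the payout is funded entirely from coins unrelated to the deposit, which is the condition the paper's "reduce the taint to zero" criterion describes.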

PATTERN ANALYSIS ON ADDITIONAL DATA POINTS

In addition to automated analysis, transaction histories were manually examined for patterns in the following data points: timing, fees, and branching.

Timing pattern analysis examined timestamps across mixing transactions. Differences in timing between two subsequent transactions or two actions (e.g. depositing and withdrawing) helped identify time delay patterns, and determine when mixing transactions would most likely appear in the blockchain.

Fees deducted analysis examined the ratio of sent vs received Bitcoins within a transaction. Specific patterns evaluated included: predictable address balances during mixing, observed fee deduction, and repetitive balance differentials between subsequent addresses in a payment chain.

Branch analysis examined the tree diagrams provided by Blockchain.info. Notable patterns included repetition of common addresses, number of addresses involved, and mixing services’ address branching patterns – both leaving the originating address and converging on the receiving address.

PROCEDURE

Effectively evaluating the performance of Bitcoin mixing services depended on emulating a realistic mixing environment. To create a realistic anonymous payment scheme, Bitcoins were purchased from the LocalBitcoins currency exchange without providing PII³. Bitcoins were then evenly distributed into offline addresses stored on a local device⁴.

³ Sellers on LocalBitcoins (www.localbitcoins.com) accept payment via gift cards and rarely require PII for purchases.

⁴ Offline Bitcoin addresses used in this study were managed through the MultiBit Bitcoin client.


Fifteen (15) transactions were conducted: 12 mixed transactions and 3 controls. Three replicate trials were completed through each mixing service evaluated (Figure 8). Transfers directly between MultiBit⁵ addresses served as controls. All trials transferred ~$20.00 USD⁶, chosen to represent a common mixing amount well below traditional fraud reporting requirements.

Trials 1 and 2 were initiated within 24 hours of one another. Trial 3 was conducted ~5 months after trials 1 and 2 to examine mixing services for temporal behavioral changes. All originating and receiving addresses were unique to each trial.

All mixing services were accessed through TOR using an “.onion” address unless otherwise stated. Settings were chosen to maximize anonymity by selecting the maximum values, as permitted by the study time frame, for number of transaction iterations, number of withdrawals, and time delay. Table 2 shows the options selected at each mixing service; available options varied by service.

Figure 8: Procedural summary

Table 2: Mixing service anonymity settings selected

| Mixing Service | Trial(s) | Option(s) Selected | Mixed Amount (BTC) |
|---|---|---|---|
| BITMIXER | 1 | Fee: 2.0012%; Time Delay: 24 hours | 0.055 |
| BITMIXER | 2 | Fee: 1.9957%; Time Delay: 24 hours | 0.055 |
| BITMIXER | 3 | Fee: 2.0%; Time Delay: 24 hours | 0.0849 |
| BIT LAUNDER | 1 and 2 | Launder Method: Secure; Time Delay: 3 hours; Number of Withdrawals: 5 | 0.055 |
| BIT LAUNDER | 3 | | 0.0849 |
| SHARED COIN | 1 and 2 | Transaction Iterations: 10 | 0.050 |
| SHARED COIN | 3 | Transaction Iterations: 7; Privacy: Normal/Higher⁷ | 0.084 |
| BITCOIN BLENDER | 1 | Min Time Delay: 24 hours; Max Time Delay: 24 hours | 0.054 |
| BITCOIN BLENDER | 2 | | 0.05473013 |
| BITCOIN BLENDER | 3 | | 0.0834774 |

⁵ MultiBit was used as the offline Bitcoin client for managing addresses in this study.

⁶ Mixed amounts (BTC) differ between trials due to fluctuations in the value of Bitcoin.

⁷ Shared Coin’s anonymity settings changed after trial 2: Transaction iterations are no longer directly chosen.


RESULTS: TAINT ANALYSIS

Taint analysis requires two separate queries per transaction, one each for the receiving and originating address. Receiving addresses were queried using the Received (Origin) Taint option, which returns addresses that sent Bitcoins to the queried address. Originating addresses were queried using the Sent (Reversed) Taint option, which returns addresses that received coins from the queried address.

Table 3 shows taint analysis results for each trial in this study. The presence of a known receiving or originating address in these results indicates a discoverable connection between the sender and receiver. Control trials confirmed the taint analysis tool correctly identified correlations between originating and receiving addresses.

When examined using Sent (Reversed) Taint, none of the mixing transactions revealed the known receiving address. However, when examined using Received (Origin) Taint, a known originating address was discovered for one of the three replicate trials in two mixing services: Bit Launder and Shared Coin. The Bit Launder trial showing Received (Origin) Taint coincided with a known mixing service error, resulting in reimbursed funds and a resubmission of the mixing request. The Shared Coin trial showing Received (Origin) Taint was trial 3 in which only 7 transaction iterations were used, rather than the 10 used in trials 1 and 2. These anomalies likely led to the detected taint.

Table 3: Taint Analysis for known addresses

| Mixing Service | Trial(s) | Sent (Reversed) Taint: Known Addresses | Sent (Reversed) Taint: Taint Percentage | Received (Origin) Taint: Known Addresses | Received (Origin) Taint: Taint Percentage |
|---|---|---|---|---|---|
| BITMIXER | 1, 2, and 3 | None | N/A | None | N/A |
| BIT LAUNDER | 1 | None | N/A | 1 Originating | 0.0000683737% |
| BIT LAUNDER | 2 and 3 | None | N/A | None | N/A |
| SHARED COIN | 1 and 2 | None | N/A | None | N/A |
| SHARED COIN | 3 | None | N/A | 1 Originating | 0.0000000002% |
| BITCOIN BLENDER | 1, 2, and 3 | None | N/A | None | N/A |
| CONTROL | 1 | 2 Receiving | 3.5140575693%, 2.3153777826% | 1 Originating | 100% |
| CONTROL | 2 | None | N/A | 1 Originating | 100% |
| CONTROL | 3 | 1 Receiving | 0.058038109% | 1 Originating | 100% |

In addition to looking at direct linkage between the known originating and receiving addresses, taint analysis was used to look for recurring addresses across replicate trials within each mixing service. Recurring addresses indicate that patterns can be drawn from mixers’ address selection. Mixing services with a greater number of recurring addresses are more susceptible to mixing service identification and Bitcoin tracking, due to the increased amount of behavioral data points surrounding these known, recurring addresses.

Addresses appearing across multiple mixing transactions can be used to positively identify the associated mixing service. These addresses can also be monitored for transfers involving an expected amount, increasing the odds of associating an originating and receiving address.

Recurring address patterns were only examined for Received (Origin) Taint, as Sent (Reversed) Taint only returned a maximum of 3 non-recurring addresses for any trial. Table 4 shows the number of recurring addresses across trials for each mixing service.

All mixing services reused multiple intermediate addresses to mix coins between trials 1 and 2. However, only two mixing services, Bit Launder and Bitcoin Blender, reused intermediate addresses between either trial 1 or trial 2 and trial 3.

Of the four mixing services tested, Bitcoin Blender’s mixing technique appears to have the greatest temporal variation, as indicated by the low number of recurring addresses. In addition, Bitcoin Blender did not reuse any intermediate address across all three trials.

Bit Launder reused the most addresses between trials 1 and 2 and reused one address across all three trials. This intermediate address accounted for 50.00% of the Received (Origin) taint in all 3 trials, indicating that address is likely a pivotal and stable intermediate address to the Bit Launder mixing technique. This address alone can identify the use of Bit Launder’s mixing service and provide a substantial number of behavioral data points to better fingerprint the mixing service.

The greater number of recurring addresses between trials 1 and 2, when compared to trial 3, is likely due to the time delay in conducting the transactions. Trials 1 and 2 were conducted within 24 hours of each other, whereas trial 3 was conducted five months later. This implies that fingerprinting mixing services, solely by intermediate addresses used, will likely have a strong temporal component and require frequent, regular mixing trials to identify. This, particularly for Bit Launder, leaves users vulnerable to planned timing attacks: if it is known that a target user has deposited coins to this mixing service, an outside observer can deposit coins shortly after to better identify relevant receiving branches.

Table 4: Received (Origin) Taint analysis count of common addresses

| Mixing Service | Trial 1 vs Trial 2 | Trial 2 vs Trial 3 | Trial 1 vs Trial 3 | All 3 Trials |
|---|---|---|---|---|
| BITMIXER | 61 | 0 | 0 | 0 |
| BIT LAUNDER | 1,424 | 2 | 2 | 1 |
| SHARED COIN | 130 | 0 | 0 | 0 |
| BITCOIN BLENDER | 7 | 3 | 1 | 0 |
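The comparison behind Table 4 is a set overlap between the Received (Origin) Taint result lists of each trial, and the stable 50.00% address noted for Bit Launder is an address that appears in every trial with a high, near-constant taint. The Python below is an added example, not the study's tooling; the input layout, the `min_taint` and `max_spread` thresholds, and all addresses and percentages are constructed.

```python
from itertools import combinations

def recurring_addresses(trials):
    """Compare taint result lists across trials.

    trials maps a trial name to {address: taint_percent}, i.e. the addresses
    one Received (Origin) Taint query returned (assumed layout).
    Returns (pairwise, in_all): the addresses shared by each pair of trials
    and the addresses present in every trial.
    """
    seen = {name: set(result) for name, result in trials.items()}
    pairwise = {
        (a, b): seen[a] & seen[b] for a, b in combinations(sorted(seen), 2)
    }
    in_all = set.intersection(*seen.values()) if seen else set()
    return pairwise, in_all

def stable_pivots(trials, min_taint=10.0, max_spread=1.0):
    """Addresses present in every trial whose taint is at least min_taint in
    each trial and varies by no more than max_spread percentage points.

    Such an address behaves like a fixed hub of the service and is a
    candidate fingerprint for recognising that service later.
    """
    _, in_all = recurring_addresses(trials)
    pivots = {}
    for addr in sorted(in_all):
        taints = [result[addr] for result in trials.values()]
        if min(taints) >= min_taint and max(taints) - min(taints) <= max_spread:
            pivots[addr] = taints
    return pivots

# Constructed sample: three trials against one hypothetical service.
SAMPLE_TRIALS = {
    "trial_1": {"addr_pivot": 50.0, "addr_a": 12.5, "addr_b": 3.1, "addr_c": 0.4},
    "trial_2": {"addr_pivot": 50.0, "addr_a": 11.0, "addr_b": 2.0, "addr_d": 0.2},
    "trial_3": {"addr_pivot": 50.0, "addr_e": 25.0, "addr_c": 0.0001},
}

def overlap_counts(trials):
    """Table 4 style summary: number of shared addresses per comparison."""
    pairwise, in_all = recurring_addresses(trials)
    counts = {f"{a} vs {b}": len(shared) for (a, b), shared in pairwise.items()}
    counts["all trials"] = len(in_all)
    return counts

if __name__ == "__main__":
    print(overlap_counts(SAMPLE_TRIALS))
    print(stable_pivots(SAMPLE_TRIALS))
```
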


RESULTS: PATTERN ANALYSIS

TIMING PATTERNS AND FEES

Table 5 shows the total time taken to mix Bitcoins and the fees for each trial. Total times were calculated as the difference between originating and receiving transaction timestamps. Timing analysis is inconclusive⁸.

Balance differences for BitMixer did not reflect the mixing service’s stated fees. As indicated in Table 2, mixing fees of 1.9957% - 2.0012% were selected; however, 2.589% - 2.910% fees were deducted. This unexpected fee deduction behavior makes tracing funds mixed through BitMixer more difficult.

For BitMixer, Bit Launder, and control transactions, fees were deducted from the transferred funds (e.g. in BitMixer trial 1, 0.055 BTC was sent from the originating address to the mixing service, but only 0.053399 BTC was deposited in the receiving address). Shared Coin and Bitcoin Blender deducted fees from the balances credited to the account rather than coins marked for mixing (e.g. in trial 2, Bitcoin Blender marked 0.05473013 BTC available for mixing, though 0.55 BTC was deposited – 0.0026987 BTC subtracted for fees prior to any mixing attempt).

Table 5: Timing and fees

| Mixing Service | Total Time (HH:MM:SS), Trial 1 | Total Time, Trial 2 | Total Time, Trial 3 | Total Fees in BTC (as a % of Mixed Funds), Trial 1 | Total Fees, Trial 2 | Total Fees, Trial 3 |
|---|---|---|---|---|---|---|
| BITMIXER | 24:16:24 | 24:04:13 | 24:21:50 | 0.00160066 (2.910%) | 0.00159763 (2.905%) | 0.002198 (2.589%) |
| BIT LAUNDER | 20:10:42 | 00:44:54 | 07:44:34 | 0.00165 (3.00%) | 0.00165 (3.00%) | 0.002547 (3.00%) |
| SHARED COIN | 18:23:50 | 00:45:06 | 00:29:36 | N/A: Could not be reliably determined | N/A | N/A |
| BITCOIN BLENDER | 20:07:05 | 23:56:38 | 88:03:50 | 0.00026987 (0.491%) | 0.00026987 (0.491%) | 0.0014226 (1.676%) |
| CONTROL | N/A | N/A | N/A | 0.0001 (0.182%) | 0.0001 (0.182%) | 0.0001 (0.182%) |

⁸ As trials 1 and 2 for each mixing service were initiated in the same 24 hour time frame from the same originating address, positive linkage between the originating and receiving addresses was not always possible. If positive identification could not be made, it was inferred that funds were sent to the receiving address for trial 1 prior to the receiving address for trial 2. This uncertainty applies to timing differences for trials 1 and 2 at Bitcoin Blender and Bit Launder. This does not affect any BitMixer or Shared Coin trials or any trial 3 transaction.

BRANCH ANALYSIS

The subsequent pages discuss the branch pattern analysis for each mixing service. The diagrams presented visualize the branching patterns seen in tree charts provided by the blockchain.info analysis tool (Figure 3). Diagrams depict the progression of funds from one address to another across multiple generations in a payment scheme. Circles represent addresses - teal circles indicate originating and receiving addresses used in this study and polygons represent branches with multiple addresses (with number of addresses indicated in white).


BitMixer: Branch Analysis

Both transactions (trial 1 and trial 2) stemming from the originating address exhibited similar mixing patterns. Though the depositing addresses were different for both trials, each transaction fed into a common intermediate address in the third generation (Figure 9a, red outline). Fund progression beyond this node was identical for both trials, indicating transactions occurring at similar times are grouped into the same mixing pools.

Both trial 1 and trial 2 receiving addresses traced back to a common address shown as the first generation (Figure 9c, red outline).⁹ The common address split funds into two branches, each containing a series of withdrawing addresses. Each withdrawing address in the chain recorded one transaction - payment to a receiving address with the remainder deposited into a new withdrawing address (used in the subsequent generation). A similar pattern was observed in trial 3 (Figure 9d).

In all three trials, the addresses in the second generation (Figure 9c and Figure 9d, orange outlines) transferred the entirety of their balances into a subsequent address in the third generation. This pattern, unique to BitMixer’s mixing technique, appears prior to the series of withdrawing addresses.

Trial 3 did not demonstrate a branching pattern stemming from the originating address (Figure 9b). This suggests that Bitcoins are stored in a common pot and do not undergo further mixing until required for another user’s withdrawal. Branching patterns stemming from the originating address in trials 1 and 2 emerged weeks after the transactions were submitted, whereas trial 3 was evaluated days after the transaction was submitted. The timing of the fourth generation appearance in the originating address branching schemes (Figure 9a and Figure 9b) varied from ~4 days to ~31.5 days across the three trials.

Figure 9: BitMixer branch analysis. Transaction branching from Originating Address: (a) Trials 1 and 2, (b) Trial 3. Transaction branching to Receiving Address: (c) Trials 1 and 2, (d) Trial 3.

⁹ BitMixer was the only mixing service to have both receiving addresses trace back to a common address, and both originating addresses lead into a common address for trials 1 and 2.

Bit Launder: Branch Analysis

Trials 1 and 2 exhibited identical branching patterns stemming from their originating addresses, as illustrated in Figure 10a. Trials 1 and 2 shared a single common address, which appeared multiple times in the same generations (Figure 10a, red outline). The same repeated address was found in trial 3 in a similar pattern (Figure 10b, red outline).

Both receiving addresses, for trials 1 and 2, appeared in the same transaction branch. The withdrawing address for trial 1 was reused in four successive payouts (Figure 10c, red outline) before it was discontinued, whereas the withdrawing address for trial 2 was reused in three (Figure 10c, orange outline) before it was discontinued. Trial 3 also showed repeated usage of a single withdrawing address through successive payouts (Figure 10d, red outline).

The recurring address identified in the originating payment trees (Figure 10a and Figure 10b, red outline) directly funded the first generation address of the receiving payment branch shown in Figure 10c. Repeated usage of this address makes identification of Bit Launder transactions within the blockchain easier.

Figure 10: Bit Launder branch analysis. Transaction branching from Originating Address: (a) Trials 1 and 2, (b) Trial 3. Transaction branching to Receiving Address: (c) Trials 1 and 2, (d) Trial 3.


Shared Coin: Branch Analysis

All trials exhibited similar branching patterns stemming from the originating address. Though trials 1 and 2 were not involved in the same transaction pathway, both originating addresses placed funds into the same depositing address. Across all three trials, the third generation did not contain any repeated intermediate addresses.

Shared Coin demonstrated a receiving payment scheme consistent with the CoinJoin protocol. Each payout transaction was shared by approximately 20 individuals; the payments to these individuals were each conducted with an identical timestamp. Typically, each node branched into >15 addresses. This pattern continued for each generation in the payment scheme.

Figure 11: Shared Coin branch analysis. Transaction branching from Originating Address: (a) Trials 1 and 2, (b) Trial 3. Transaction branching to Receiving Address: (c) Trials 1, 2 and 3.


Bitcoin Blender: Branch Analysis

Bitcoin Blender did not exhibit similar branching patterns from the originating addresses for any of the three trials. The fifth and sixth generations of trial 1 (Figure 12a) and trial 2 (Figure 12b) show considerable differences between the number of addresses utilized and the distribution of addresses across payment branches. Trials 1 and 2 did not share any common addresses through the first six generations.

Trial 3 did not demonstrate a branching pattern stemming from the originating address (Figure 12c). The lack of a branching pattern indicates that deposited coins are stored in a reserve and are not mixed further until they are required for another user’s withdrawal (as noted for BitMixer). However, in all three trials the transfer between the depositing address and the third generation intermediate address contained a 0.001 BTC loss; this behavior was unique to Bitcoin Blender.

All receiving addresses appeared in separate payment branches and received payments from different withdrawing addresses. In trial 1 and trial 2, withdrawing addresses were reused multiple times before retirement (Figure 12d and Figure 12e, red outline). Trial 3 did not contain any repetitive withdrawing addresses. The pattern leading to the receiving address in trial 3 was linear compared to trials 1 and 2, which started with 13 and 20 addresses, respectively, in the first generation.

In all three trials, the next to last generation tracked in the receiving chain exhibited behavior unique to Bitcoin Blender: the address (Figure 12d, Figure 12e, and Figure 12f, orange outline) received the full balance of Bitcoins from its predecessor minus 0.0001 BTC.

Figure 12: Bitcoin Blender branch analysis. Transaction branching from Originating Address: (a) Trial 1, (b) Trial 2, (c) Trial 3. Transaction branching to Receiving Address: (d) Trial 1, (e) Trial 2, (f) Trial 3.


MIXING SERVICE SUMMARIES

BITMIXER

Fees are selected by the user and are highly variable (up to 4 decimal places). Therefore, proving ownership of an address based on balance differences is difficult. However, BitMixer exhibited the most consistent timing delays, which may prove useful in associating originating addresses with possible receiving addresses.

The mixing service’s tendency to reuse communal pots for storing and redistributing Bitcoins makes it readily identifiable in the blockchain and makes it easier to monitor for addresses depositing to and receiving coins from the service.

BIT LAUNDER

A first attempt at trial 1 failed due to a glitch at the

mixing service. This resulted in a refund of deposited

coins to the originating address used for trial 1. The

refunded coins likely caused the 0.0000683737%

taint value recorded for trial 1 (Table 3).

Bit Launder complicates analysis by using

unpredictable payout timing. However, the mixing

service uses repetitive withdrawing addresses,

which makes it easier to monitor the blockchain for

suspect receiving addresses, and to calculate possible

originating addresses via balance differentials.

The receiving address received 97% of the funds

marked for mixing. This indicated that the service

subtracts a predictable, flat fee (3%) consistent with

those listed on the website. This increases the odds

of correctly associating an originating address with

a receiving address due to the predictable, exact

balances that will appear in a receiving address.

SHARED COIN

Deposits appeared immediately within the Shared

Coin My Wallet profile. However, these credited coins

could not be transferred until an undisclosed number

of block confirmations occurred in the blockchain.

Transaction fees were deducted from the remaining

coins in the Shared Coin My Wallet profile, instead of

the coins marked for mixing.

The exact amount marked for mixing (0.05 and

0.084) did not appear in the originating payment

tree. Concealing this amount effectively prevents

balance differences from being calculated. Given that

the mixing service also includes several (often 15+)

similar payouts in a single transaction, both balance

differences and time analysis are of little use for

tracking payments. However, given the unusual nature

of payment branches, transactions involving Shared

Coin are the most easily identifiable in the blockchain.

BITCOIN BLENDER

Bitcoin Blender does not credit user profiles with

the total amount marked for deposit. Instead, it

subtracts fees prior to the mixing transaction (e.g.

0.055 deposited, 0.05473013 credited in trials 1 and

2). The amount marked for mixing and the amount

received were identical. This indicates that fees are

not subtracted from the coins used for mixing, thus

making balance difference analysis less significant.

Timing analysis reliability is also reduced due to

variable time differences recorded between deposits

and withdrawals across trials.

Bitcoin Blender was most recognizable by its repetitive

use of a single withdrawing address in trials 1 and 2.

However, this pattern was not maintained into trial 3.

Other identifiers included the 0.001 BTC deduction

between the addresses in generation two and three

of the originating branch, and the 0.0001 BTC balance

difference between two addresses in the receiving

branch (Figure 12d, Figure 12e, and Figure 12f, orange

outline). These patterns were observed across all

three trials.

CONCLUSIONS

Taint Analysis cannot overcome most mixing methods

employed by the services evaluated in this study.

Therefore, mixing services can effectively sever direct

linkage between originating and receiving addresses.

This disconnect indicates that each of the mixing

services evaluated successfully eliminated personal

and financial identity data points from the mixed

Bitcoins. However, introducing a Bitcoin mixing service

increases the number of discoverable behavioral

identity points. As found in this study, unique Bitcoin

mixing characteristics can be used to fingerprint each

mixing service.

Pattern analysis showed that all evaluated mixing

services use repetitive mixing techniques across

replicate trials. Specifically, recurring addresses, fees,

and branching patterns are all viable data points to

use in identifying a specific mixing service.

Shared Coin was the most readily identifiable mixing

service based on blockchain examination. The multi-

branch payout schemes (Figure 11c), consistent with

the CoinJoin protocol, are not common within the

blockchain. Therefore, this mixing service can be

detected as the origin or destination of funds for

a known address, solely using the branch payment

pattern.

Bit Launder is most susceptible to correlating an

originating address with a receiving address. The

service subtracts set, flat fees from the mixing amount

and therefore presents predictable receiving amounts.

When these amounts appear in known Bit Launder

payout branches, there is a strong likelihood that they

can be correlated to a known originating address.
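
The balance-differential correlation described for Bit Launder here and in its service summary, as an added example that is not code from the paper. Address labels, amounts and timestamps are constructed, and requiring a deposit to precede its payout is an assumption.

```python
from decimal import Decimal

FEE_RATE = Decimal("0.03")  # flat 3% fee the paper reports for Bit Launder


def to_sat(btc: str) -> int:
    """Convert a BTC amount string to integer satoshis without float rounding."""
    return int(Decimal(btc) * 100_000_000)


def expected_payout(deposit_sat: int, fee_rate: Decimal = FEE_RATE) -> int:
    """Satoshis a receiving address should hold once the flat fee is removed."""
    return int((Decimal(deposit_sat) * (1 - fee_rate)).to_integral_value())


def correlate(deposits, payouts, tolerance_sat=0):
    """Return {receiving address: [candidate originating addresses]}.

    deposits and payouts are lists of (address, amount_sat, unix_time).
    Assumption: a deposit is a candidate only if it precedes the payout.
    More than one candidate means the amount alone cannot settle the link.
    """
    result = {}
    for recv_addr, paid_sat, paid_at in payouts:
        result[recv_addr] = [
            orig_addr
            for orig_addr, dep_sat, dep_at in deposits
            if dep_at < paid_at
            and abs(expected_payout(dep_sat) - paid_sat) <= tolerance_sat
        ]
    return result


# Constructed sample data: deposits to the service and payouts seen leaving
# its known withdrawing addresses (labels, amounts and times are made up).
DEPOSITS = [
    ("orig_A", to_sat("0.05"), 1000),
    ("orig_B", to_sat("0.084"), 1200),
    ("orig_C", to_sat("0.05"), 5000),
]
PAYOUTS = [
    ("recv_X", to_sat("0.0485"), 3000),   # 97% of 0.05; only orig_A is earlier
    ("recv_Y", to_sat("0.08148"), 4000),  # 97% of 0.084
    ("recv_Z", to_sat("0.0485"), 9000),   # ambiguous: orig_A and orig_C both fit
    ("recv_W", to_sat("0.02"), 9500),     # no deposit explains this amount
]

if __name__ == "__main__":
    for recv, candidates in correlate(DEPOSITS, PAYOUTS).items():
        print(recv, "<-", candidates or "no match")
```

The recv_Z case shows the limit of the method: when several deposits of the same size precede a payout, the flat fee narrows the field but does not single out one originating address.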

Branching patterns proved to be reasonably consistent

over a six-month period for all mixing services. This

suggests that fingerprinting can provide long-term

use in Bitcoin tracking efforts. Identifying mixing

service fingerprints provides a starting point for

conducting targeted supervision of fund progression.

By narrowing the field to a limited number of possible

originating and receiving addresses, analysts can

likely use the limitations of each service to better

correlate originating and receiving addresses,

thereby increasing the likelihood of successfully

tracing funds.

KEY POINTS

• Taint Analysis is not capable of drawing

correlations between originating and

receiving addresses when coins are

mixed.

• The Bitcoin mixing services evaluated

successfully remove personal and

financial identity data from Bitcoins, but

introduce additional behavioral data

points.

• Individual mixing services can be

fingerprinted based on discoverable

patterns in their mixing techniques.

Headquartered in McLean, VA with over 700 employees across the US,

Novetta has over two decades of experience solving problems of national

significance through advanced analytics for government and commercial

enterprises worldwide. Novetta’s Cyber Analytics, Entity Analytics and

Multi-INT Analytics capabilities enable customers to find clarity from the

complexity of Big Data at the scale and speed needed to drive enterprise

and mission success. Visit www.novetta.com for more information.
