Crypto Updates

Part 1: Blockchain Analytics is More of an Art Than Science

Part 1: Blockchain Analytics is More of an Art Than Science

Websites like can use anyone to report BTC addresses linked to suspicious activity. The reliability of such information can be very low. According to, our address of interest received over 767 BTC. implies this address to be linked to a large offshore cryptocurrency exchange, which is corroborated by commercial blockchain analytics tools.

Indeed, commercial blockchain analytics tools identify this address as belonging to a large offshore cryptocurrency exchange.
So what about the nature of the activity? Is the exchange user involved in ransomware?

Further research connects this address to an exchanger called

  • the Bitcoin Abuse crowd-reported ransomware operator?
  • A large offshore cryptocurrency exchange?
  • Coinguru?
  • …all of the above?!

We have first-hand evidence of 1JxXMEbYX6juuEK7QPe6CxGXywQ91ZB5mZ being used by Coinguru, an exchange service operating an account on a large offshore cryptocurrency exchange. Exchangers like Coinguru often use bigger platforms’ infrastructure to reduce costs and get access to liquidity. We refer to these as nested services. These also cater to users who might not want to go to the trouble of creating their accounts on an exchange. Some nefarious actors may use these services to cash out of illicit funds.

For labeling purposes, it would suffice to say this is an exchange-owned address. If a regulator or a law enforcement agency investigating ransomware-related transactions decides to enquire about the details, the cryptocurrency exchange will refer them to Coinguru who would be best positioned to provide further information on specific transactions.

Evidence can vary in quality and blockchain analytics is no exception. Sometimes you might stumble upon a “smoking gun”, but it’s more likely you will need to spend time corroborating incomplete, circumstantial, fragmented, or straight out misleading evidence. Even the weakest evidence can hint at a particular activity or entity behind it.

As we’ve already seen, crowd-reported sources such as Bitcoin Abuse stand at the bottom of the reliability ladder. Not that they should be discounted, but evidence leading to attribution of crypto addresses is best gathered from the source. In the case of exchange services, the source would be their website displaying a deposit address.

The ultimate attribution comes from the ability to interact with the service, earning such evidence the highest confidence score. Yet, this is often prohibited, especially when investigating activities such as terror funding (TF). In cases like these, research shifts into the world of open-source intelligence (OSINT). Much can learn from aggregator websites, online forums, chat groups, mobile communication platforms, hidden domains on the Tor network, and information scraping in an automated fashion by third-party vendors. But even the best evidence is not helpful without proper investigative tools.

Blockchain investigation tools include blockchain analytics software, private and open source databases, search engines, etc. The best investigative practice is to combine a mix of these tools, including available software, and corroborate evidence using independent sources. Sometimes, yet, those sources can offer conflicting information.

For instance, consider this address: 1N9SxKeNvFoBFuFKEDU8yFCwPwoeHqgmhu.
Imagine an investigator receiving intelligence linking this address to the sale of Child Sexual Abuse Material (CSAM). Attribution of this address will vary depending on which blockchain analytics tool you consult: some don’t have it labeled at all, while others attribute it to merchant service. Open-source research confirms that this particular service allowed users to upload files and sell them for various cryptocurrencies. Addresses like the one above were generated for every user and were all connected to different types of activity, depending on what an individual user was buying.
While some uploads to this merchant service have been benign, some were identified as illicit, according to the Internet Watch Foundation (IWF), a non-profit combating the distribution of CSAM. Reportedly, the same merchant service was also used for ransomware decryptor key uploads. So, can the address of interest belong both to an illicit vendor and to the merchant service? Yes.
The correct way to attribute this service in a blockchain analytics tool would be to take all the known addresses associated with the service and label them. Then, as a result of investigating individual addresses and their related activities, specific labels should be applied to documented findings. Labeling the whole service as illicit would be a misattribution. It can impact tools and services that rely on blockchain analytics data, such as transaction monitoring systems or law enforcement subpoenas, leading to increased false-positive alerts and erroneous leads.
Click to comment

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Most Popular

To Top