Researchers Unmask Anonymous Tor Users By Tracking Bitcoin Transactions

February 7, 2018 2:18 PM UTC

Did you purchase something illegal on the Silk Road years ago, when this darknet market was still up and running? Did you pay with Bitcoin? If the answers to both questions are positive, you might have cause for concern. It’s not only because the amount you spent on some naughty trifle back then can be worth a high-end vehicle today. It’s also because the evidence of that transaction may still be retrievable, even though the Silk Road was shut down in 2013.

Researchers at Qatar University and the Qatar Computing Research Institute at Hamad Bin Khalifa University released a report on January 23, 2018, where they demonstrated how Bitcoin transaction analysis can be leveraged to de-anonymize Tor users. In more than 100 cases, they were able to link somebody’s shady blockchain transactions to those people’s publicly available accounts. Moreover, the analysts managed to associate more than 20 of those public accounts with payments on Tor hidden services, including the Silk Road and The Pirate Bay.

Here is a statement from the report that speaks volumes about the scope of the problem:

“Due to its pseudonymity model, Bitcoin lacks retroactive operational security, which means historical pieces of information could be used to identify a certain user.”

There is a certain duality in the nature of Bitcoin privacy-wise. On the one hand, this cryptocurrency is not directly monitored by any financial institution or government, so it should be extremely difficult to establish ties between a Bitcoin transaction and the user’s real-life identity. On the other hand, the ledger of all Bitcoin transactions, called the blockchain, keeps a permanent public record of every transfer from one address to another.

Once you find out an individual’s Bitcoin address, it shouldn’t be too painstaking to figure out who they are submitting funds to or receiving them from. What can tangle this type of OSINT (open-source intelligence) is the user’s effort to split those transactions by leveraging intermediary addresses, or the use of laundering services that obfuscate details on the actual sender and recipient of the payment.

Unfortunately, there is very little academic research on exploiting these hallmarks of the Bitcoin architecture to identify payment transactions on the dark web. To their credit, the researchers from Qatar have made a real breakthrough in this direction by harvesting data that lies in plain sight. First, they collected tens of Bitcoin addresses that Tor hidden services use or used for donations and other day-to-day deals. These services include WikiLeaks, the Snowden Defense Fund, The Pirate Bay, ProtonMail, the Silk Road, and Agora, to name a few. Next, they obtained a list of thousands of Bitcoin addresses by traversing people’s public accounts, such as Twitter and the Bitcoin Talk forum.

By simply juxtaposing these two sets of addresses, the analysts were able to spot 125 transactions made to the accounts of the services under scrutiny. Obviously, it doesn’t take a rocket scientist to link these payments to users’ public accounts. These transactions included 46 donations to WikiLeaks, 10 fund transfers to The Pirate Bay, and 22 payments to the Silk Road criminal marketplace.
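The matching routine described above, reduced to its essence as an added example (this is illustrative code, not the Qatari researchers’ tooling): one set of addresses scraped from public profiles, one set of addresses published by hidden services, and a walk over the transaction graph to see which public identity reaches which service. It goes one step beyond the direct juxtaposition in the text by also following chains through intermediary addresses, which shows why splitting a payment only raises the cost of linkage rather than preventing it. All addresses, account names and transactions below are constructed placeholders.

```python
"""Retroactive exposure check over a (constructed) transaction graph."""
from collections import defaultdict

# Constructed sample data: placeholder addresses, not real ones.
PUBLIC_PROFILE_ADDRS = {           # address -> where it was posted publicly
    "1AliceXX": "bitcointalk:alice",
    "1BobXXXX": "twitter:@bob",
    "1CarolXX": "bitcointalk:carol",
}
HIDDEN_SERVICE_ADDRS = {           # address -> hidden service that published it
    "1WikiLXX": "WikiLeaks donations",
    "1SilkRXX": "Silk Road",
}
# Each transaction: (txid, input addresses, output addresses)
TRANSACTIONS = [
    ("tx1", ["1AliceXX"], ["1WikiLXX"]),   # direct donation
    ("tx2", ["1BobXXXX"], ["1TempXXX"]),   # split through an intermediary...
    ("tx3", ["1TempXXX"], ["1SilkRXX"]),   # ...which then pays the service
    ("tx4", ["1CarolXX"], ["1DanXXXX"]),   # unrelated payment, no link
]


def build_graph(txs):
    """Directed graph: sender address -> set of recipient addresses."""
    graph = defaultdict(set)
    for _, inputs, outputs in txs:
        for sender in inputs:
            graph[sender].update(outputs)
    return graph


def find_links(txs, public, services, max_hops=2):
    """Return {(identity, service): hops} for every publicly posted address
    whose funds reach a hidden-service address within max_hops transactions."""
    graph = build_graph(txs)
    service_addrs = set(services)
    links = {}
    for start, identity in public.items():
        frontier, seen = {start}, {start}
        for hop in range(1, max_hops + 1):
            # Breadth-first step: all addresses paid by the current frontier.
            frontier = {n for a in frontier for n in graph.get(a, ())} - seen
            seen |= frontier
            for hit in frontier & service_addrs:
                links.setdefault((identity, services[hit]), hop)
    return links


if __name__ == "__main__":
    for (who, svc), hops in sorted(
            find_links(TRANSACTIONS, PUBLIC_PROFILE_ADDRS, HIDDEN_SERVICE_ADDRS).items()):
        print(f"{who} -> {svc} ({hops} hop(s))")
```

With the sample data, alice is linked to WikiLeaks in one hop and bob to the Silk Road in two; carol is never linked because her payment does not reach a known service address.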

Speaking of the latter, some of these 22 individuals completely neglected OPSEC (operations security) as they were careless enough to publicly disclose their full names, email addresses, locations, ages, and genders. One of them was found to be a teenager when dealing with the dark web service in question. There is a particularly strong reason for 18 of these people to start worrying as their transactions were tied to Bitcoin Talk. The thing is, this forum is being bombarded by subpoenas requesting users’ registration details and other confidential information.

The Qatari researchers emphasize that they conducted their analysis using simple techniques that are available to the general public. They found Bitcoin addresses anyone else can spot and performed a regular matching routine. Furthermore, no instruments available to official authorities were at their disposal, as opposed to the case where the IRS (U.S. Internal Revenue Service) demanded that the Coinbase wallet provider disclose some customers’ Bitcoin addresses. Obviously, more motivated sleuths with plenty of resources and time on their hands can unveil the details of users who take their OPSEC much more seriously.

Law enforcement agencies have demonstrated that they are willing to investigate past misdemeanors by scrutinizing the blockchain. For instance, a former FBI agent stated in the courtroom that he had traced a transfer of $13.4 million worth of Bitcoin from the Silk Road marketplace to the computer of its founder Ross Ulbricht. Another case involved a German national who was fined 3,000 Euros by local law enforcement for ordering cannabis from the Silk Road years back.

All of these caveats as to the privacy aspects of using Bitcoin have made its aficionados more vigilant when transacting. The same applies to dark markets, including those for contraband and ransomware, which are shifting away from Bitcoin due to increased regulation attempts by governments and the apparent privacy shortcomings mentioned above. Malicious economies are increasingly switching to the use of altcoins boasting better privacy by design, such as Monero and Zcash.

However, based on the findings of the Qatari researchers, even more scrupulous privacy hygiene may leave a trail of breadcrumbs leading to a specific individual, no matter how much time has passed since the Bitcoin transaction took place. The blockchain stores it all and cannot be edited. Erasing Bitcoin address details from public profiles may not do the trick either – the entry may have been cached and can thus be retrieved afterward.

The author, David Balaban, is a computer security researcher with over 15 years of experience in malware analysis and antivirus software evaluation. 


Last modified: May 20, 2020 9:06 PM UTC
