Visualizing Darknet
Network Graph of Silk Road transactions
Introduction
We’re building a visual analytics tool (Cosmograph) capable of rendering network graphs from millions of transactions right on your laptop in real-time. Blockchain transactions provide some of the most interesting and rich graph structures while being intrinsically free of any copyright. So we’ve analyzed one of the most iconic cases in blockchain history: Silk Road.
What is Silk Road?
Silk Road as an online black market and the first modern darknet market. As part of the dark web, it was operated as a Tor hidden service, such that online users were able to browse it anonymously and securely without potential traffic monitoring.
Buyers and sellers conducted all transactions with bitcoins (BTC). Silk Road held buyers’ bitcoins in escrow until the order had been received and a hedging mechanism allowed sellers to opt for the value of bitcoins held in escrow to be fixed to their value in US$ at the time of the sale to mitigate against Bitcoin’s volatility.
The website was launched in February 2011. In October 2013, the Federal Bureau of Investigation (FBI) shut down the website and arrested Ross Ulbricht who was alleged to be the founder and owner of Silk Road.
The FBI initially seized 26,000 bitcoins from accounts on Silk Road. In October 2013, the FBI reported that it had seized 144,000 bitcoins. On 27 June 2014, the U.S. Marshals Service sold 29,657 bitcoins in 10 blocks in an online auction. Tim Draper bought the bitcoins at the auction with an estimated worth of $17 million. In November 2020, the United States government seized more than $1 billion worth of bitcoin connected to Silk Road.
Our approach
We identified some bitcoin addresses connected to Silk Road using OXT, a blockchain explorer which also allows identifying addresses that are likely to be ‘controlled’ by the same entity. We used OXT extensively in our research to identify entities. If not stated otherwise all entities we would refer to were identified using OXT.
We’ve collected transactions for those Silk Road addresses using blockchain.info API and built network graphs to get some insight into the underlying structure of Silk Road. Below we would analyze one of the resulting graph structures we got for the address 184R7cFGqAZaZBuj2rsuExDAJ6iCEs3hXi with the help of Cosmograph.
Graph overview
What we expected
The key elements of the Silk Road payment system are best described by an exhibit displayed in Ross Ulbricht’s trial (please see Figure 1). As far as we understand, modern black markets are using the same or similar system.
So on our graph of Silk Road transactions, we can expect to see at least structures related to exchanges (as buyers would buy coins to make purchases), addresses related to buyers Silk Road accounts, addresses related to buyers Silk Road accounts, structures created during vendors cashouts.
Overview of what we got
In Figure 2 you can see a graph built from all the transactions to or from the address 184R7c* and all connected addresses up to the 4th depth level. Addresses are represented by nodes and BTC transfers between these addresses by links.
The 4th depth level means that on the graph you will see all the addresses our initial address transacted with, all the addresses the previous step addresses transacted with and so on two more times.
For the interactive version of the graph click here.
We got some interesting structures on the graph so let’s try and identify their nature. We would you use a basic understanding of the bitcoin blockchain and OXT. Actually, we got what we expected but also some unexpected structures (see Figure 3).
Structures highlighted in Figure 3: (1) lots of Silk Road addresses; (2) FBI seizure (2013); (3) coin mixers (possibly); (4) exchanges/wallets used to transfer bitcoins (BitPay, BTC-e/BitPay, Bitstamp); (5) dark markets (Sheep Marketplace).
Graph details
Central structure
At the center of our graph we can see address 1BRz3S* with 2479 connections; 7 187 BTC were sent to the address and all of them were spent. We weren’t able to identify what entity the address relates to exactly but we believe that the address belonged to some cryptocurrency exchange which was used in the Silk Road payment system as we can see some characteristic patterns:
(1) A typical incoming transaction would consist of 1 input and 2 outputs (with the larger output going to 1BRz3S*). The input and the larger output would belong to an exchange, the smaller output would belong to a buyer.
(2) A typical outgoing transaction would consist of 1 or several inputs and 2 outputs. The larger output would belong to the same exchange and the smaller output would belong to a buyer.
(3) If you trace the transactions backward or forward you will see the same pattern (1 input with 2 outputs, one is smaller, the other is larger).
Other observations making us to believe that we see the actual Silk Road payment system (please see Figure 6):
- Many of the addresses around central structure relate to Silk Road, which could be sellers cashing out or buyers buying BTC to later purchase something on Silk Road.
- One of the outputs belongs to Bitstamp, which could be someone buying BTC for cash and transferring them to exchange.
- Some of the corresponding addresses are quite large with single transactions of over 40 000 BTC, we weren’t able to identify their nature with sufficient accuracy.
FBI seizure
We believe that what we see in Figure 7 is the first major legally authorized seizure. It happened just after Ross Ulbricht’s arrest in October 2013 and involved more than 29 000 BTC of Silk Road user funds (>1,3 bln USD as of today). 1F1tAa* — the address which is believed to be tied to the FBI and where Silk Road funds were transferred to.
Coinmixers
Cryptocurrency mixing service is a service offered to mix potentially identifiable or ‘tainted’ cryptocurrency funds with others, to obscure the trail back to the fund’s original source. This is usually done by pooling together source funds from multiple inputs for a large and random period and then spitting them back out to destination addresses. As all the funds are lumped together and then distributed at random times, it is very difficult to trace exact coins. (excerpt from Wikipedia)
We’ve identified two addresses that were likely used to mix coins:
- 1MW1Nf*: 23 transactions, 538 bitcoins received and sent (source: blockchain.info)
- 1GjA5a*: 18 transactions, 85 bitcoins received and sent (source: blockchain.info)
We can’t be 100% sure but the structures we see are closely resembling ones expected from coin mixers (please see Figure 8).
Exchange infrastructure (Bitstamp)
One of the larger structures is created around addresses related to Bitstamp cryptocurrency exchange. We’ve identified two main addresses creating this structure:
- 1JL3WqQ*: 146 transactions, 446 BTC sent and received (source: blockchain.info)
- 1AqkB2*: 42 transactions, 150 BTC sent and received (source: blockchain.info)
Also what we see are lots of configurations where bitcoins are sent from multiple addresses to multiple addresses. This could also potentially indicate an attempt to mix coins as discussed above. Please see Figure 9.
Conclusion
Graph visualization allows us to see higher-level structures and relationships, provide first inputs to form hypotheses upon and direct our further inquiry in a more focused way. This approach can be used for analysis of virtually any other transaction types.
