Published in Coinmonks

Free Bitcoin Forensics - Part 1

https://blockchair.com/bitcoin/transaction/7a3fb18c76b3f54606b065209521f6a678692a592c8bcd7460d7dcf8d06faf19
  1. All the sender addresses belong to the same person/entity.
https://blockchair.com/bitcoin/transaction/0ec7de5b781fe8bff7638dca5f40e8d157287ed83496ae96b430d34c12ec8490
https://blockchair.com/bitcoin/transaction/941b29236d767bd7bbc61c85574c891c18ac4ea5f514c0e76f38a3507fde9c0c
https://blockchair.com/bitcoin/transaction/5d3c39bbd3d606c43e9146dcbf41d1d93b70023b68bf818e46b23fe71744bcaf
https://blockchair.com/bitcoin/transaction/11a3c72f534e594a46e45eefa191f205d45f00d4a2b36104f0abe95df61182d4
https://twitter.com/binance/status/961666467325358081?lang=en
https://blockchair.com/bitcoin/transaction/b3dcc5d68e7ba4946e8e7fec0207906fba89ccb4768112a25d6e6941f2e99d97
  • Address reuse — as mentioned, address reuse is horrible for your privacy, especially if the address is reused for change.
  • Unnecessary inputs — in the following transaction, the address starting with 363… is very likely the change address and the address starting with 1Kr… the destination: if it were the other way around, the transaction would not need as many inputs, since one would have been enough (although some wallets are badly programmed and take unnecessary inputs for no reason, so take this with a grain of salt):
  • Round numbers — if one of the outputs has a round amount (say exactly 1 BTC) it’s more likely to be the destination address. The same thing applies when the amount denominated in USD is round (say output was worth exactly 100 USD at the time it was transferred).
  • Sending to a different address type — most wallets designate the change address to be the same type as the input addresses, so you may be able to rule out outputs that do not match the input address type.
  • Wallet quirks — some wallets will always put the change address first, last, or in some other non-random way.
  • Fee bumping — generally, the fee will be bumped from the change address output. An observant attacker who monitors the mempool before and after the fee is bumped would be able to pick up on which output is the change.
  • One of the outputs being vastly bigger than the other — referring to situations like this:
https://blockchair.com/bitcoin/transaction/bf6b6841085d799cf7225d3c1bef1edc854508e51c37e6ecd3f854b2238271b6
  • Even without the change address being reused, it would have been obvious it was the change address due to the output being so much bigger than the others. In all likelihood, the other outputs are payouts of some sort.
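
To check how much your own transaction would reveal, the heuristics above can be applied mechanically. The following Python sketch is an added example, not code from the original article: it scores each output on address reuse, unnecessary inputs, round amounts, address type and relative size (fee bumping and wallet quirks need mempool or wallet data and are left out). The weights, the 0.001 BTC rounding unit, the 10x size ratio and the sample addresses are assumptions made for illustration.

```python
# Added example: score each output as likely change (+) or payment (-).
# Weights and thresholds are assumptions, not values from the article.

def addr_type(addr):
    """Coarse mainnet address type, judged from the prefix only."""
    for prefix, kind in (("bc1p", "p2tr"), ("bc1q", "segwit-v0"),
                         ("3", "p2sh"), ("1", "p2pkh")):
        if addr.startswith(prefix):
            return kind
    return "unknown"

def score_outputs(inputs, outputs, round_unit=100_000, big_ratio=10):
    """inputs/outputs: lists of (address, satoshis).
    Returns {address: (score, [reasons])}; a score above 0 leans change."""
    in_addrs = {a for a, _ in inputs}
    in_types = {addr_type(a) for a, _ in inputs}
    total_in = sum(v for _, v in inputs)
    fee = total_in - sum(v for _, v in outputs)
    # Value still available if the smallest input had been left out.
    spare = total_in - min(v for _, v in inputs)
    # Outputs that, had they been the payment, needed fewer inputs.
    overfunded = [a for a, v in outputs
                  if len(inputs) > 1 and spare >= v + fee]
    result = {}
    for addr, value in outputs:
        others = [v for a, v in outputs if a != addr]
        checks = [
            (addr in in_addrs, +2, "address reuse"),
            # Only conclusive when exactly one output fits the pattern.
            (overfunded == [addr], +1, "unnecessary inputs"),
            (value % round_unit == 0, -1, "round amount"),
            (addr_type(addr) not in in_types, -1,
             "address type differs from inputs"),
            (bool(others) and value >= big_ratio * max(others), +1,
             "vastly bigger output"),
        ]
        hits = [(delta, why) for cond, delta, why in checks if cond]
        result[addr] = (sum(d for d, _ in hits), [w for _, w in hits])
    return result

# Constructed sample: shortened placeholder addresses, not a real transaction.
SAMPLE_IN = [("3InA", 40_000_000), ("3InB", 35_000_000), ("3InC", 30_000_000)]
SAMPLE_OUT = [("1Dest", 80_000_000), ("3Chg", 24_990_000)]

if __name__ == "__main__":
    for addr, (score, why) in score_outputs(SAMPLE_IN, SAMPLE_OUT).items():
        print(addr, score, why)
```

The scores only rank outputs within one transaction; as the list notes for wallets that pick unnecessary inputs, any single heuristic can be wrong.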
https://www.reddit.com/r/CryptoCurrency/comments/6ind8l/bitcoin_address/
