Free Bitcoin Forensics - Part 3

Pagan · Published in Coinmonks · 8 min read · Jun 15, 2021

Greetings and welcome to the 3rd and final part of the “Free Bitcoin Forensics” blog series. You can read the first 2 parts here:

In this part, we put some of the knowledge outlined in the previous parts into practice and attempt a small investigation of our own. We will be investigating the relatively recent hack of “Cashaa India”; you can read about the incident here:

The hackers stole 335.91312085 BTC from Cashaa, worth around 12.5 million at the time of the theft. All the funds were sent to the address 14RYUUaMW1shoxCav4znEh64xnTtL3a2Ek

This is all the information we need to start the investigation. I must admit I have not done any more research about this hack besides reading the Cashaa page linked earlier, so let’s hope this information is accurate. This investigation is for demonstration purposes only.

The initial hack transaction can be seen here:

Let’s look at the address to which the Cashaa funds were sent:

https://www.blockchain.com/btc/address/14RYUUaMW1shoxCav4znEh64xnTtL3a2Ek

Immediately we can notice that this address had already participated in several transactions before it received the stolen Cashaa funds.

The 3 transactions that address 14RYUUaMW1shoxCav4znEh64xnTtL3a2Ek participated in before the initial hack transaction are:

A deposit of 1.05977049 BTC.

A withdrawal of 1.05977049 BTC.

A deposit of 0.10000000 BTC.

The withdrawal is the most interesting transaction for us. In the deposit transactions we cannot be sure whether the input addresses belong to the target or to someone else, but in the withdrawal transaction we can be reasonably sure that they do, since every input of a transaction has to be signed by whoever spends it. The withdrawal transaction also shows the characteristics of neither a CoinJoin nor even a PayJoin, as it has only one output. The 3 other input addresses in the withdrawal transaction that we can be reasonably sure belong to our target are:

Together with the address 14RYUUaMW1shoxCav4znEh64xnTtL3a2Ek, all these addresses comprise a “wallet”, as they are very likely owned by the same entity. The oxt.me block explorer identifies this as well; the statistics of this wallet can be seen here:
https://oxt.me/entity/tiid/2914263901

Sadly, we do not get much more information from exploring this wallet, as each of the 3 mentioned addresses received only one deposit tx before participating in the withdrawal together with our main target address.
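The clustering step described above, written out as an added Python example (this is not code from the original post). It applies the common-input-ownership heuristic, i.e. merges the input addresses of a transaction into one wallet, but first screens each transaction for CoinJoin-like structure so that mixed transactions do not pollute the cluster; a transaction with a single output, like the withdrawal above, can never be a CoinJoin or PayJoin. All addresses, amounts and txids are constructed placeholders and do not correspond to the real Cashaa-related transactions.

```python
from collections import Counter

# Constructed sample transactions (placeholders, not the real on-chain data).
# Each tx lists (address, amount_btc) pairs for its inputs and outputs.
TXS = [
    # Deposits into the target's addresses: the sender's ownership is unknown,
    # so these teach us nothing about who the target is.
    {"txid": "dep1", "inputs": [("unknown_sender_1", 1.06)],
     "outputs": [("target_main", 1.05977049), ("unknown_change", 0.00022951)]},
    {"txid": "dep2", "inputs": [("unknown_sender_2", 0.5)],
     "outputs": [("target_a", 0.5)]},
    # The withdrawal: four inputs, one output -> neither CoinJoin nor PayJoin,
    # so all four input addresses are very likely controlled by one entity.
    {"txid": "withdrawal",
     "inputs": [("target_main", 1.05977049), ("target_a", 0.5),
                ("target_b", 0.3), ("target_c", 0.2)],
     "outputs": [("destination", 2.05877049)]},
    # A CoinJoin-shaped tx (several equal-valued outputs): its inputs belong
    # to different participants and must not be merged.
    {"txid": "coinjoin",
     "inputs": [("p1", 0.11), ("p2", 0.12), ("p3", 0.13)],
     "outputs": [("q1", 0.1), ("q2", 0.1), ("q3", 0.1), ("p1_change", 0.01)]},
]


def looks_like_coinjoin(tx):
    """Structural screen: a CoinJoin needs several inputs and several outputs
    and typically repeats an output value; a PayJoin also needs two outputs.
    A single-output transaction therefore cannot be either of them."""
    if len(tx["inputs"]) < 2 or len(tx["outputs"]) < 2:
        return False
    most_repeated = Counter(amt for _, amt in tx["outputs"]).most_common(1)[0][1]
    return most_repeated >= 2


class UnionFind:
    """Minimal disjoint-set structure keyed by address."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        self.parent[self.find(a)] = self.find(b)


def cluster_addresses(txs):
    """Common-input-ownership heuristic: all inputs of a non-CoinJoin tx are
    signed by one spender, so their addresses are merged into one wallet."""
    uf = UnionFind()
    for tx in txs:
        if looks_like_coinjoin(tx):
            continue  # skip mixed transactions, they would merge strangers
        addrs = [addr for addr, _ in tx["inputs"]]
        for addr in addrs[1:]:
            uf.union(addrs[0], addr)
    return uf


def wallet_of(txs, address):
    """Return the set of addresses clustered with `address`."""
    uf = cluster_addresses(txs)
    root = uf.find(address)
    return {addr for addr in list(uf.parent) if uf.find(addr) == root}


if __name__ == "__main__":
    print("target wallet:", sorted(wallet_of(TXS, "target_main")))
    print("p1 wallet:", sorted(wallet_of(TXS, "p1")))
```

Note that the deposit senders stay outside the target's cluster: only spending together, not paying, links addresses under this heuristic.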

So, let’s continue the investigation and start following the main stolen funds. First though, since we are quickly accumulating more and more information, it would be wise to note it down in an Excel file or something similar. Here is the information we have so far:

If you’re brave enough you can download the Excel sheet here (generally it’s not the best idea to download random Excel files from the internet):
https://mega.nz/file/GgBVRSJL#m5YNVesOJuxl30S_2HtWKB9F8Nq12X7xtKK-KqunpN4

When we start following the main stolen funds, we can immediately notice that they moved in “peeling style” transactions: each input was split into 2 outputs, those 2 outputs were spent in 2 separate transactions where the funds were once again split into 2 outputs, and so on. Eventually, all but one output ended up in multi-input transactions where some inputs could not be reliably traced back to the original stolen-funds transaction. Let’s call these transactions “Wall” transactions, as this is where our mini-investigation will end: the likelihood that the “Wall” transactions were made by the hacker is significantly lower than for the peeling transactions. (The peeling transactions all have only one input, so they cannot be conventional CoinJoins or PayJoins, and the entire volume of each peeling tx can be directly traced back to the original hack tx.)

We can visualize the transaction graph that we get by exploring “peeling” transactions and stopping at “wall” transactions with the help of oxt.me:

Let’s note down all the “peeling” transactions in the Excel file and explore them a bit more:

There were 39 peeling-style transactions, most of them happening between July 11th and 13th of 2020. All but one of these transactions have only one or 2 outputs; the only exception is transaction 5849b97dfb910c609d17006cbe3d573ad5b06cec7af3c566bf910e6eb4256b2a, which had 3 outputs. The tx ID of this transaction, as well as those of all the other transactions that originate from it, is marked in orange. If we check them in the oxt.me explorer, we can clearly see that they form a separate “fork” from the other peeling transactions:

It’s quite possible that these transactions were made with a different wallet or by a different entity.

The addresses marked in yellow in the Excel sheet belong to a wallet according to oxt.me; a description of these wallets can be found below in the same Excel tab:

As you may notice, a few of these wallets have a very high number of addresses and transactions; they are likely operated by exchanges or other large entities.

Finally, we can notice that there is one underlined address. The UTXO that was sent to address bc1qacl0kqht4yzzcq5afu9emwuu93mzwlcx2c59p5 remains unspent to this day (at the time of writing, June 2021). A dedicated investigator could keep track of this address by using cryptotxalert.com or a similar tool.

If we move on to analyze “Wall” transactions, things start becoming interesting:

We can start noting down all sorts of interesting information, such as transaction volume and the volume that can be directly traced back to Cashaa:

More importantly, we can start roughly categorizing what type of transactions these “wall” transactions are:

It is worth analyzing all of these transactions deeper, but obviously, deposits to exchanges are the most important type of tx from the forensics standpoint as the exchanges to which the funds were sent may have the identity of the hacker/hackers. Since this investigation is only for demonstration purposes, I’ll only be taking a closer look at the deposits to exchanges:

There are 7 such transactions, with most of the deposits going to Huobi and a few deposits going to the Bitzlato and Kraken exchanges. The fact that the funds were sent to addresses belonging to these exchanges was detected by oxt.me; however, it is certainly possible that funds were also sent to addresses of other exchanges that oxt.me simply does not index.

The minimum amount deposited to these exchanges that is traceable to the Cashaa hack is 26.3 BTC and the maximum is 32 BTC. Please note, however, that this does not mean that these exchanges received the funds directly from the hacker; it’s possible that the funds had already left the target's hands by this point and were sent to the exchange addresses by partners or simply other people (for example if the hacker/s used swap exchanges or sold the BTC to someone directly). In any case, these exchanges are the best lead an investigator would have (and the best they could hope for), so the next step for the investigator would be to contact the exchanges in question to learn what information they have. If the investigator cooperates with the police or is part of the police, they are certain to receive all the information these exchanges have.
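The tracing procedure used throughout this part (follow outputs through single-input “peeling” transactions, stop at multi-input “wall” transactions, note unspent outputs, and record how much of each wall’s volume is traceable to the hack) as an added Python example; this is not code from the original post and the graph, amounts, addresses and exchange labels are all constructed placeholders rather than the real Cashaa data. The lower/upper bound per exchange is my interpretation of the “minimum / maximum traceable” figures above: the minimum counts only the wall inputs that trace back to the hack, the maximum assumes every input of the wall transaction belonged to the same actor.

```python
from collections import deque
from dataclasses import dataclass


@dataclass
class Tx:
    inputs: list    # outpoints (prev_txid, vout) spent by this tx; [] = external funding
    outputs: list   # (address, amount_btc) pairs


# Constructed sample graph (placeholders, not the real chain data); amounts in BTC.
TXS = {
    "funding": Tx([], [("victim_hot", 100.0)]),
    "hack":    Tx([("funding", 0)], [("a1", 60.0), ("a2", 40.0)]),
    "peel1":   Tx([("hack", 0)], [("b1", 35.0), ("b2", 25.0)]),
    "peel2":   Tx([("hack", 1)], [("b3", 30.0), ("b4", 10.0)]),
    "other":   Tx([], [("x1", 5.0)]),                 # funds with no link to the hack
    "wall1":   Tx([("peel1", 0), ("other", 0)], [("huobi_dep", 40.0)]),
    "wall2":   Tx([("peel1", 1), ("peel2", 0)], [("kraken_dep", 55.0)]),
    # ("peel2", 1) -> b4 is never spent: an unspent UTXO worth monitoring
}
# Constructed address labels standing in for explorer tags such as oxt.me's.
ENTITIES = {"huobi_dep": "Huobi", "kraken_dep": "Kraken"}


def amount(txs, outpoint):
    txid, vout = outpoint
    return txs[txid].outputs[vout][1]


def spender_index(txs):
    """Map every spent outpoint to the txid that spends it."""
    return {op: txid for txid, tx in txs.items() for op in tx.inputs}


def trace(txs, root):
    """Phase 1 grows the traced outpoint set only through single-input
    (peeling) txs, so the set is complete before any wall is judged.
    Phase 2 inspects each multi-input (wall) tx that consumes a traced
    outpoint and splits its input volume into traced and total."""
    spender = spender_index(txs)
    queue = deque((root, i) for i in range(len(txs[root].outputs)))
    traced, seen, peeling, unspent = set(queue), set(), [], []
    while queue:
        op = queue.popleft()
        txid = spender.get(op)
        if txid is None:
            unspent.append(op)              # still sitting in a UTXO
            continue
        if txid in seen or len(txs[txid].inputs) != 1:
            continue                        # walls are handled in phase 2
        seen.add(txid)
        peeling.append(txid)
        outs = [(txid, i) for i in range(len(txs[txid].outputs))]
        traced.update(outs)
        queue.extend(outs)
    walls = {}
    for op in traced:
        txid = spender.get(op)
        if txid is None or txid in seen:
            continue
        tx = txs[txid]
        walls[txid] = {
            "traced_btc": sum(amount(txs, i) for i in tx.inputs if i in traced),
            "total_btc": sum(amount(txs, i) for i in tx.inputs),
            "entities": sorted({ENTITIES[a] for a, _ in tx.outputs if a in ENTITIES}),
        }
    return peeling, walls, unspent


def exchange_exposure(walls):
    """Per labelled entity: (minimum, maximum) BTC attributable to the root.
    Minimum = traced inputs only; maximum = all inputs of the wall tx
    (an interpretation made for this example, not the article's definition)."""
    exposure = {}
    for wall in walls.values():
        for name in wall["entities"]:
            lo, hi = exposure.get(name, (0.0, 0.0))
            exposure[name] = (lo + wall["traced_btc"], hi + wall["total_btc"])
    return exposure


if __name__ == "__main__":
    peeling, walls, unspent = trace(TXS, "hack")
    print("peeling txs:", peeling)
    print("unspent outpoints to watch:", unspent)
    for txid, info in walls.items():
        print(txid, info)
    print("exposure per exchange (min, max):", exchange_exposure(walls))
```

A wall whose inputs all trace back (wall2 here) still stops the walk, mirroring the article’s choice to end at every multi-input transaction; its minimum and maximum simply coincide.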

I’ll end the investigation here. It can certainly be stretched much further: we haven’t even explored the wallets discovered in the peeling-style transactions or the other wall transactions, nor have we made any attempt to determine what wallet software the target was using (or, more realistically, for which transactions different wallets were used), nor have we tried to determine the rough time zone of the target. All of these things could be done by an actual investigator who is more serious about the investigation. Nonetheless, I hope this has sufficiently demonstrated the power Bitcoin forensics sometimes has, and that this series has been useful for privacy enthusiasts.
