exchange. While sites like localbitcoins.com and bitcoinary.com
do allow users to avoid exchanges (for the former, by
pairing buyers directly with sellers in their geographic area),
the current and historical volume on these sites does not
seem to be high enough to support cashing out at scale.
In this section, we argue that this centrality presents a
unique problem for criminals: if a thief steals thousands of
bitcoins, this theft is unavoidably visible within the Bitcoin
network, and thus the initial address of the thief is known
and (as most exchanges try to maintain some air of reputability) he cannot simply transfer the bitcoins directly from
the theft to a known exchange. While he might attempt to
use a mix service to hide the source of the money, we again
argue that these services do not currently have the volume to launder thousands of bitcoins. As such, we explore
in this section various alternative strategies that thieves
have developed for hiding the source of stolen bitcoins. In
particular, we focus on the effectiveness of Heuristic 2 in
de-anonymizing these flows, and thus in tracking illicitly
obtained bitcoins to exchanges (and thus, e.g., providing
an agency with subpoena power the opportunity to learn
whose account was deposited into, and in turn potentially
the identity of the thief). For this to work, we do not need
to (and cannot) account for each and every stolen bitcoin,
but rather need to demonstrate only some flow of bitcoins
directly from the theft to an exchange or other known
institution.
To demonstrate the effectiveness of Heuristic 2 in this
endeavor, we focus on an idiom of use that we call a
“peeling chain.” The usage of this pattern extends well beyond
criminal activity, and is seen (for example) in the withdrawals for many banks and exchanges, as well as in the
payouts for some of the larger mining pools. In a peeling chain, a single address begins with a relatively large
amount of bitcoins (e.g., for mining pools it starts with the
25 BTC reward). A smaller amount is then “peeled” off this
larger amount, creating a transaction in which a small
amount is sent to one address and the remainder is sent
to a one-time change address. This process is repeated—
potentially for hundreds or thousands of hops—until the
larger amount is pared down. By using Heuristic 2, we are
able to track flows of money by following these change
links systematically: at each hop, we look at the two output addresses in the transaction. If one of these output
addresses is a change address, we can follow the chain
to the next hop by following the change address (i.e., the
next hop is the transaction in which this change address
spends its bitcoins), and can identify the meaningful
recipient in the transaction as the other output address
(the “peel”).
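The hop-by-hop walk described above, as an added example (not code from the paper): it follows change links over a small constructed ledger and reports each peel. The change test is a simplified stand-in for Heuristic 2 (assumed here: exactly one output address has never appeared before and is not also an input), and all addresses, amounts and service tags are hypothetical.

```python
# Added example: every address, amount and tag below is constructed.
from collections import namedtuple

Tx = namedtuple("Tx", "txid inputs outputs")  # outputs: ((address, btc), ...)

LEDGER = [  # constructed sample, in chronological order
    Tx("t0", ("src",), (("exch_A", 1), ("vendor_B", 2), ("pool_C", 5))),
    Tx("t1", ("pool_C",), (("hop0", 25),)),
    Tx("t2", ("hop0",), (("exch_A", 3), ("hop1", 22))),
    Tx("t3", ("hop1",), (("hop2", 20), ("vendor_B", 2))),
    Tx("t4", ("hop2",), (("exch_A", 10), ("hop3", 10))),
    Tx("t5", ("hop3",), (("new_X", 4), ("new_Y", 6))),
]
KNOWN = {"exch_A": "exchange", "vendor_B": "vendor"}  # hypothetical tags

def index_ledger(ledger):
    """One chronological pass: record who spends each address and, per
    transaction, the single output address never seen before (assumed change)."""
    seen, spender, change_of = set(), {}, {}
    for tx in ledger:
        fresh = [a for a, _ in tx.outputs if a not in seen and a not in tx.inputs]
        change_of[tx.txid] = fresh[0] if len(fresh) == 1 else None
        for a in tx.inputs:
            spender.setdefault(a, tx)
        seen.update(tx.inputs)
        seen.update(a for a, _ in tx.outputs)
    return spender, change_of

def follow_peeling_chain(ledger, start):
    """Return ([(txid, peel_address, btc, tag)], address where the walk stopped)."""
    spender, change_of = index_ledger(ledger)
    peels, addr = [], start
    while addr in spender:
        tx = spender[addr]
        change = change_of[tx.txid]
        if len(tx.outputs) != 2 or change is None:
            break  # not a peel, or change is ambiguous: stop rather than guess
        (peel, btc), = [o for o in tx.outputs if o[0] != change]
        peels.append((tx.txid, peel, btc, KNOWN.get(peel, "unknown")))
        addr = change  # next hop: the transaction in which the change spends
    return peels, addr

if __name__ == "__main__":
    for hop in follow_peeling_chain(LEDGER, "hop0")[0]:
        print(hop)
```

The walk stops at `hop3` because both outputs of `t5` are new addresses, so no single change address can be identified.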
Silk Road and Bitcoin Savings & Trust. One of the most
well-known and heavily scrutinized addresses in Bitcoin’s
history is 1DkyBEKt—full address:
1DkyBEKt5S2GDtv7aQw6rQepAvnsRyHoYM—which is believed to be
associated with Silk Road and was active between January and
September 2012. Starting in January, the address began to
receive large aggregate sums of bitcoins; in the first of these,
the funds of 128 addresses were combined to deposit
10,000 BTC into the 1DkyBEKt address, and many transactions
of this type followed. All together, the address received
613,326 BTC in a period of eight months, receiving
its last aggregate deposit on August 16, 2012.
Then, starting in August 2012, bitcoins were aggregated
and withdrawn from 1DkyBEKt: first, amounts of 20,000,
19,000, and 60,000 BTC were sent to separate addresses;
later, 100,000 BTC each was sent to two distinct addresses,
150,000 BTC to a third, and 158,336 BTC to a fourth, effectively
emptying the 1DkyBEKt address of all of its funds.
Due to its large balance (at its height, it contained 5% of all
generated bitcoins), as well as the curious nature of its rapidly
accumulated wealth and later dissolution, this address has
naturally been the subject of heavy scrutiny by the Bitcoin
community. While it is largely agreed that the address is
associated with Silk Road (and indeed our clustering heuristic
did tag this address as being controlled by Silk Road),
some have theorized that it was the “hot” (i.e., active) wallet
for Silk Road, and that its dissipation represents a changing
storage structure for the service. Others, meanwhile,
have argued that it was the address belonging to the user
pirate@40, who was responsible for carrying out the largest
Ponzi scheme in Bitcoin history (the investment scheme
Bitcoin Savings & Trust, which is now the subject of a lawsuit
brought by the SEC¹¹).
To see where the funds from this address went, and if
they ended up with any known services, we first plotted the
balance of each of the major categories of services, as seen
in Figure 2. Looking at this figure, it is clear that when the
address was dissipated, the resulting funds were not sent en
masse to any major services, as the balances of the other
categories do not change significantly. To nevertheless attempt
to find out where the funds did go, we turn to the traffic
analysis described above.
In particular, we focus on the last activity of the 1DkyBEKt
address, when it deposited 158,336 BTC into a single address.
This address then peeled off 50,000 BTC each to two separate addresses, leaving 58,336 BTC for a third address; each
of these addresses then began a peeling chain, which we
[Figure 2: plot of the percentage of total balance (y-axis, 0 to 14) against date (x-axis, 2010-12-29 to 2012-10-18) for the categories exchanges, mining, wallets, gambling, vendors, fixed, and investment.]
Figure 2. The balance of each major category, represented as a
percentage of total active bitcoins; that is, the bitcoins that are not
held in sink addresses.