Communications of the ACM

92 COMMUNICATIONS OF THE ACM | APRIL 2016 | VOL. 59 | NO. 4 followed using the methodology described above (i.e., at each hop we continued along the chain by following the change address, and considered the other output address to be a meaningful recipient of the money). After following

100 hops along each chain, we observed peels to the services listed in Table 2.

In this table, we see that, although a longitudinal look at the balances of major services did not reveal where the money went, following these chains revealed that bitcoins were in fact sent to a variety of services. The overall balance was not highly affected, however, as the amounts sent were relatively small and spread out over a handful of transactions. Furthermore, while our analysis does not itself reveal the owner of 1DkyBEKt, the flow of bitcoins from this address to known services demonstrates the prevalence of these services ( 54 out of 300 peels went to exchanges alone) and provides the potential for further de-anonymization: the evidence that the deposited bitcoins were the direct result of either a Ponzi scheme or the sale of drugs might motivate Mt. Gox or any exchange (e.g., in response to a subpoena) to reveal the account owner corresponding to the deposit address in the peel, and thus provide information to link the address to a real-world user.

Tracking thefts. To ensure that our analysis could be applied more generally, we turned finally to a broader class of criminal activity in the Bitcoin network: thefts. Thefts are in fact quite common within Bitcoin: almost every major service has been hacked and had bitcoins (or, in the case of exchanges, other currencies) stolen, and some have shut down as a result.

To begin, we used a list of major Bitcoin thefts found at
https://bitcointalk.org/index.php?topic=83794. Some of
the thefts did not have public transactions (i.e., ones we
could identify and study in the block chain), so we limited
our attention to the ones that did. For each theft, we first
found the specific set of transactions that represented the
theft; that is, the set of transactions in which the sender
was the service and the recipient was the thief. Starting
with these transactions, we did a preliminary manual
inspection of the transactions that followed to determine
their approximate type: we considered aggregations, in
which bitcoins were moved from several addresses into
a single one; folding, in which some of the aggregated
addresses were not clearly associated with the theft; splits,
in which a large amount of bitcoins was split among two
or more addresses; and finally peeling chains, in which
smaller amounts were peeled off from a succession of
one-time change addresses. Our results are summarized
in Table 3.

Briefly, the movement of the stolen money ranged from quite sophisticated layering and mixing to simple and easy to follow. Examining thefts therefore provides another demonstration of the potential for anonymity provided by Bitcoin, and the ways in which current usage falls short of this potential. For the thieves who used the more complex strategies, we saw little opportunity to track the flow of bitcoins (or at least do so with any confidence that ownership was staying the same), but for the thieves that did not there seemed to be ample opportunity to track the stolen money directly to an exchange.

One of the easiest thefts to track was from Betcoin, an early gambling site that was shut down after its server was hacked on April 11, 2012 and 3171 BTC were stolen. The stolen bitcoins then sat in the thief’s address until March 15, 2013 (when the bitcoin exchange rate began soaring), when they were aggregated with other small addresses into one large address that then began a peeling chain. After 10 hops, we saw a peel go to Bitcoin- 24, and in another 10 hops we saw a peel go to Mt. Gox; in total, we saw 374.49 BTC go to known exchanges, all directly off the main peeling chain, which originated directly from the addresses known to belong to the thief.

In contrast, some of the other thieves used more sophisticated strategies to attempt to hide the flow of money; for example, for the Bitfloor theft, we observed that large peels off several initial peeling chains were then aggregated,

Service

First Second Third Peels BTC Peels BTC Peels BTC

Bitcoin- 24 1 2 3 124 Bitcoin Central 2 2 Bitcoin.de 1 4 Bitmarket 1 1 Bitstamp 5 97 1 1 BTC-e 1 250 CAVirtEx 1 3 1 10 3 22 Mercado Bitcoin 1 9 Mt.Gox 11 492 14 70 5 35 OKPay 2 151 1 125 Instawallet 7 39 5 135 2 43 WalletBit 1 1 Bitzino 2 1 Seals with Clubs 1 8

Coinabul 1 29

Medsforbitcoin 3 10

Silk Road 4 28 5 102

Along the first 100 hops of the first, second, and third peeling chains resulting from the withdrawal of 158,336 B TC, we consider the number of peels seen to each service, as well as the total number of bitcoins (rounded to the nearest integer value) sent in these peels. The services are separated into the categories of exchanges, wallets, gambling, and vendors.

Table 2. Tracking bitcoins from 1DkyBEKt.

Theft BTC Date Movement Exchanges? MyBitcoin 4019 Jun 2011 A/P/S Yes Linode 46,648 Mar 2012 A/P/F Yes Betcoin 3171 Mar 2012 F/A/P Yes Bitcoinica 18,547 May2012 P/A Yes Bitcoinica 40,000 Jul 2012 P/A/S Yes Bitfloor 24,078 Sep 2012 P/A/P Yes Trojan 3257 Oct 2012 F/A No For each theft, we list (approximately) how many bitcoins were stolen, when the theft occurred, how the money moved after it was stolen, and whether we saw any bitcoins sent to known exchanges. For the movement, we use A to mean aggregation, P to mean a peeling chain, S to mean a split, and F to mean folding, and list the various movements in the order they occurred.