
Bitcoin Tracking and Analysing with Maltego

Bitcoin and cryptocurrency have been all over basically everything. We've all had those awkward conversations over Christmas dinner with that weird uncle who explains that it's a pyramid scheme or a scam! Well, we thought it was time we refreshed some of the BTC transforms in Maltego.

A quick recap of the basics of BTC:

'Addresses' are what your wallet generates. Other people send bitcoin to an address, and you spend from it.

'Transactions' are, well, transactions. The key point here is that a transaction takes one or more addresses, each with a value, as its INPUTS and pays one or more addresses, each receiving a value, as its OUTPUTS. Strictly, an input spends the unspent output of an earlier transaction, and whatever the inputs add up to beyond the outputs is the miner's fee.

You can go to https://bitcoin.org/ for a better refresher than this!

As a side note, you may have noticed we have had these transforms before, written originally by the breaker of chains, slayer of elks and herder of cats, Paul Richards. We decided to re-write these for a number of reasons. Firstly, our newborn superstar server developer, Andrew Walters, has gone far beyond building us faster, shinier servers and has rebuilt how we do things on the backend as a whole. We now have fancy new Docker images, error reports that come in quickly and a framework that lets us build faster. As such I decided to rebuild the crypto transforms in a way that lets us build directly on the Blockchain.info API, specifically for Bitcoin. Apart from that, we also wanted a nested hierarchy so we can expand from Bitcoin into other cryptocurrencies like Ethereum, Ripple, Litecoin and others. So please feel free to let us know what you want to see next!

Onward James! So now you have the basics of the how and why, let us take a look at how we can investigate and analyse activity on the Bitcoin blockchain. I decided to use https://www.reddit.com/r/SorryForYourLoss/, the saddest of BTC subreddits, where people share their stories about how they lost many Bitcoins, never to see them return!

https://np.reddit.com/r/Bitcoin/comments/5fnsbw/today_i_got_owned_by_someone_who_targeted_my/

This poor person unfortunately ended up getting their friend's account scammed! So let's start here. First I paste the URL into Maltego and, with its magical regular expressions, we see the following URL entity in the tool and can run our first transform on it:



The first transform is fairly useful: it browses to the page, uses a regular expression to find anything shaped like a BTC address, and then keeps only the candidates whose checksum verifies. A legacy address is Base58Check encoded, so the last four bytes of the decoded address must equal the first four bytes of a double SHA-256 over the rest; typos and random Base58-looking strings drop out at this step. We get the following out:
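The extraction and checksum step described above, as an added example that is not Maltego's own transform code: a regular expression pulls address-shaped tokens out of page text, each one is Base58-decoded, and only those whose trailing four bytes match the double SHA-256 checksum survive. The sample page text, the 20-byte HASH160 used to build a known-good address, and the corrupted token are constructed for the example. It handles the legacy '1...' (P2PKH) and '3...' (P2SH) forms only; bech32 'bc1...' addresses use a different checksum and would need a separate validator.

```python
import hashlib
import re

# Base58 alphabet used by Bitcoin (no 0, O, I, l).
ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# Anything address-shaped: leading '1' (P2PKH) or '3' (P2SH), 26-35 chars total,
# Base58 characters only. bech32 'bc1...' addresses are deliberately not matched.
ADDRESS_RE = re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b")


def b58decode(s: str) -> bytes:
    """Decode Base58 to bytes; each leading '1' is a leading zero byte."""
    n = 0
    for ch in s:
        n = n * 58 + ALPHABET.index(ch)  # ValueError on a non-alphabet char
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    pad = len(s) - len(s.lstrip("1"))
    return b"\x00" * pad + body


def b58encode(b: bytes) -> str:
    """Encode bytes as Base58; each leading zero byte becomes a '1'."""
    n = int.from_bytes(b, "big")
    out = ""
    while n:
        n, r = divmod(n, 58)
        out = ALPHABET[r] + out
    pad = len(b) - len(b.lstrip(b"\x00"))
    return "1" * pad + out


def checksum(payload: bytes) -> bytes:
    """Base58Check checksum: first 4 bytes of SHA256(SHA256(payload))."""
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]


def is_valid_address(addr: str) -> bool:
    """True if addr decodes to version || hash160 || checksum (25 bytes), the
    checksum verifies, and the version byte is mainnet P2PKH (0x00) or P2SH (0x05)."""
    if not ADDRESS_RE.fullmatch(addr):
        return False
    try:
        raw = b58decode(addr)
    except ValueError:
        return False
    if len(raw) != 25:
        return False
    return raw[0] in (0x00, 0x05) and checksum(raw[:21]) == raw[21:]


def hash160_to_address(h160: bytes, version: int = 0x00) -> str:
    """Build a legacy address from a 20-byte HASH160 (used here to produce a
    known-good address for the constructed sample page)."""
    payload = bytes([version]) + h160
    return b58encode(payload + checksum(payload))


def extract_addresses(text: str) -> list:
    """Return, in page order and without duplicates, every address-shaped token
    in text that passes Base58Check. This is the transform's core logic."""
    found = []
    for m in ADDRESS_RE.finditer(text):
        tok = m.group(0)
        if is_valid_address(tok) and tok not in found:
            found.append(tok)
    return found


# Constructed sample input: a known-good address built from a made-up HASH160,
# the same address with its last character dropped (a typical copy/paste typo),
# and the address quoted in the post above.
SAMPLE_HASH160 = bytes(range(1, 21))
SAMPLE_ADDR = hash160_to_address(SAMPLE_HASH160)
SAMPLE_PAGE = (
    f"please send the refund to {SAMPLE_ADDR} thanks. "
    f"(not {SAMPLE_ADDR[:-1]} which I mistyped earlier) "
    "the scammer used 1CatXmMAiPKC5uk9UsUjQmFQV4wvGwqAmh"
)

if __name__ == "__main__":
    for a in extract_addresses(SAMPLE_PAGE):
        print(a)
```

The regex on its own over-matches badly (any 26-35 character Base58 run starting with 1 or 3), which is why the checksum pass matters: a single wrong or missing character changes the decoded bytes and the checksum no longer lines up.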



From here we can isolate the address from the page, '1CatXmMAiPKC5uk9UsUjQmFQV4wvGwqAmh' (we don't care for the others), and run the 'To Details' transform, which fetches all the details for this particular address:



Here we can see that 1.999 BTC was received by this address, but it has since been sent on somewhere else and the current balance is 0 :(

So let's take a look at the transactions this address has been involved in. We can either look at transactions where it is an INPUT (meaning BTC is moving FROM this address) or where it is an OUTPUT (BTC is moving TO this address). We want to 'follow the money', so let's look at the transactions where this address is used as an INPUT:


We see just the single transaction where the Bitcoin was moved away. The text on each link gives you a rough idea of the transaction, but note that one transaction can have multiple inputs: if you were paying 6 BTC it could come from an address holding 5 BTC and one holding just 1 BTC. The same goes for outputs: a transaction usually has more than one, and one of them is often change going back to an address the spender controls, so not every output address is a recipient.

Let's look at the addresses that received bitcoin from our transaction:



Another address to which those pesky hackers have moved the BTC. Let's take a look at the details again. You can see this new address also currently has a balance of 0, so let's do this again! We take the new address, look at transactions where it is an INPUT (BTC moving out of the address) and then at any addresses those transactions have as OUTPUTS:


Now we can see we have two more addresses we'd need to branch into to keep track of where the original funds went (unless of course those addresses simply still hold the funds!).

The process of following the money is a simple iteration of this:
  1. Look at the address (with the 'To Details' transform) and check whether it has a balance. If it does, that is where the coins currently sit and you can keep watching it from there.
  2. If the balance is 0, look at the transactions where it is an INPUT and then at the addresses that are the OUTPUTS of those transactions.
  3. Go back to step 1 for each of those addresses.

If we kept going, you would eventually end up with a somewhat larger graph following where the BTC went:

Additionally, when looking at the detail information for an address you can also visualise any tags listed for it on blockchain.info. It is important to note that these tags are user generated and should always be taken with a pinch of salt: plenty of people have been social engineered into believing an address belongs to an exchange or a group because of a tag like this!



Of course there are other interesting aspects, such as taking a single address and the transaction that moved the stolen BTC out of it, and looking at the other addresses involved as INPUTS to that transaction. Inputs spent together are under the same control, so this is a quick way to find what other addresses were compromised.

Overall this should give you an easy rundown of how to investigate BTC blockchain events and let you use all this goodness in Maltego. If you add the ability to sort the transactions between incoming and outgoing nodes, you can look at entire segments of the chain to quickly find the information you are after. Remember the nodes are weighted, so addresses with higher BTC values (or, for transactions, higher input totals) are weighted heavier. In block layout this means they move from top left to bottom right.

While we let you enjoy these BTC transforms, we have another exciting post coming up on visualising Tor hidden services and what we can do with them, from finding addresses (both email and BTC) to looking these up on the Internet!

Pink fluffy unicorns dancing on rainbows,
-AM
