Bitcoin Forensics and its Practice with Case Study


Bitcoin Forensics
1. Crimes associated with Bitcoins
The present century is shaped by a technological revolution, and new inventions appear at a rapid pace. A great deal of money is flowing into Artificial Intelligence and the FinTech industry as a result of the start-up boom. In the last few years, countless users across the globe have been attacked by ransomware and other malicious programs that encrypt their systems and demand a ransom in Bitcoin to decrypt the locked systems. The crypto criminals behind these attacks received thousands of units of cryptocurrency, mostly Bitcoin, as well as fiat currency.
Online transactions leave digital footprints: any digital banking transaction can be tracked by banks, security agencies or central authorities. This is one reason a new, decentralized transaction technology evolved. In this technology each transaction can be identified, but the sender and receiver of the amount remain anonymous. Because of this anonymity and decentralization, there is no regulatory authority.
Bitcoin is one type of cryptocurrency that is widely used for easy and anonymous transactions, and that same anonymity makes it popular among crypto criminals.
Bitcoin evolved as a blockchain-based virtual currency, but because of its anonymity crypto criminals later adopted it for illegal purposes. Various crimes are committed over the darkweb and even through Ransomware as a Service.
Here we discuss the types of crimes in which Bitcoin is used as a means of payment for illegal goods and services.

1.1 Using bitcoins over the darkweb for illegal purchases
The darkweb is a wide collection of anonymous networks, from tiny peer-to-peer networks to large wide-area IP-switched anonymous networks. A few popular networks, such as Freenet, I2P and Tor, are operated by public agencies and individual users. Some of the hidden services offered over the darkweb are:
· Piracy
· Ransomware as a Service
· Drugs
· Illegal documents such as passports, visas etc.
· FinTech fraud and gambling
· Hacking
· Anonymous hosting
· Whistleblowing
· Human trafficking
· Weapons and ammunition
Several darkweb sites accept Bitcoin as payment, and a number of them have been seized by security agencies. The data in Table 1 are sourced from www.gwern.net.
Table 1: Darknet sites accepting bitcoin, current and past

| Market | Launch date | End date | Closure reason |
|---|---|---|---|
| Dream | November 15, 2013 | Operational | |
| Outlaw | December 29, 2013 | May 16, 2017 | Hacked |
| Silk Road 1 | January 31, 2011 | October 2, 2013 | Raided |
| Black Market Reloaded | June 30, 2011 | December 2, 2013 | Hacked |
| AlphaBay | December 22, 2014 | July 4, 2017 | Raided |
| Tochka | January 30, 2015 | Operational | |
| Crypto Market / Diabolus | February 14, 2015 | Operational | |
| Real Deal | April 9, 2015 | Operational | |
| Darknet Heroes | May 27, 2015 | Operational | |
| Agora | December 3, 2013 | September 6, 2015 | Voluntary |
| Nucleus | October 24, 2014 | April 13, 2016 | Scam |
| Middle Earth | June 22, 2014 | November 4, 2015 | Scam |
| BlackBank | February 5, 2014 | May 18, 2015 | Scam |
| Evolution | January 14, 2014 | March 14, 2015 | Scam |
| Silk Road Reloaded | January 13, 2015 | February 27, 2016 | Unknown |
| Anarchia | May 7, 2015 | May 9, 2016 | Unknown |
| Silk Road 2 | November 6, 2013 | November 5, 2014 | Raided |
| The Marketplace | November 28, 2013 | November 9, 2014 | Voluntary |
| Blue Sky Market | December 3, 2013 | November 5, 2014 | Raided |
| Abraxas | December 13, 2014 | November 5, 2015 | Scam |
| Pandora | October 21, 2013 | August 19, 2014 | Scam |
| BuyItNow | April 30, 2013 | February 17, 2014 | Voluntary |
| TorBazaar | January 26, 2014 | November 5, 2014 | Raided |
| Sheep | February 28, 2013 | November 29, 2013 | Scam |
| Cloud-Nine | February 11, 2014 | November 5, 2014 | Raided |
| Pirate Market | November 29, 2013 | August 15, 2014 | Scam |
| East India Company | April 28, 2015 | January 1, 2016 | Scam |
| Mr Nice Guy 2 | February 21, 2015 | October 14, 2015 | Scam |
| Andromeda | April 5, 2014 | November 18, 2014 | Scam |
| Topix 2 | March 25, 2014 | November 5, 2014 | Voluntary |

2. Frauds related to cryptocurrencies and case studies
Cryptocurrencies are widely used because of their anonymity and decentralized mechanism. Initially these currencies were used on darknet markets to purchase goods or services anonymously; later a few darkweb markets used them for other illegal transactions. The biggest surge in these currencies happened after they began to be used in trading and money laundering. Frauds involving such currencies include phishing, hacking, fake ICOs, fake exchanges, hard-cash-to-digital-currency conversions, Ponzi schemes, multilevel marketing or pyramid schemes, and so on. Nowadays digital currency, i.e. cryptocurrency, is also demanded as ransom: Bitcoin is asked of victims whose computer systems have been infected via ransomware or malware.
Law enforcement agencies are concerned with investigating virtual currencies that can be used for illegal transactions and for human and drug trafficking. Crypto criminals use cryptocurrencies like Bitcoin because of their anonymity. Victims, and sometimes culprits, can easily set up a digital wallet to transact in Bitcoin without furnishing any identity. There is no central authority, such as a bank or government, to regulate the currency or collect user-related information.
The common cryptocurrency fraud tactics are as follows.
2.1 Hacking and Phishing
This is one of the oldest and most common tricks used by crypto criminals. A fraudulent email is sent from what appears to be an authentic email address, tricking users into clicking a malicious URL that looks genuine, or sometimes sending review forms and asking users to fill them in with personal details. These URLs usually lead to malware that infects the system or drops malicious agents such as spyware or keyloggers. The crypto criminals can then clone the victim's data and steal other important information, such as wallet details.
Case Study: Many cryptocurrency investors approached law enforcement agencies or government authorities after they lost hard-earned money invested in fake Bitcoin wallets and schemes. One woman from India lost Rs 35 lakh to crooks who promised to help retrieve the amount she had lost earlier.


2.2 Fake apps and social media accounts:
Fake apps in the app stores of popular smart devices sometimes spread malware once installed, and also install add-ons that mine cryptocurrency using the device. In some cases fake websites and social network handles are used to cheat innocent people. Groups created on social chat apps also attract innocent users to buy or sell Bitcoin and then take advantage of them.
Case Study: A few cryptocurrency exchangers received messages asking them to deposit a certain amount of money as part of a survey in exchange for Bitcoin. These messages were sent from a Twitter handle that looked very similar to the cryptocurrency exchange's actual account. A local law enforcement agency in India also caught a Telegram group for Bitcoin investors in which a few members advised investors to invest in their own ICOs; once the investors had paid, the members closed the Telegram group. Several such scams are listed at https://deadcoins.com/.

2.3 Ponzi schemes:
In this crime, multi-level marketing or a fraudulent ICO is used. Crypto criminals impress investors by promising a golden future of huge returns on a small investment. Almost every investor falls prey to this kind of Ponzi scheme, and many also bring innocent relatives or other investors into the fraudulent scheme, who become victims in turn.
Case Study: In the case of GainBitcoin, the culprit had promised investors a 10% monthly return on cryptocurrency investments for 18 months under multi-level marketing (MLM) schemes such as the Bitcoin Growth Fund.
In another case, investors in OneCoin, another company that launched a digital-coin-led investment scheme, realised that the firm did not even have a registered office address or a bank account. Nearly 400 people were taken in by the promise of high returns.

2.4 Fake exchanges and wallets:
Fake exchanges and wallets may look like genuine ones, but they are operated by crypto criminals, who market them massively over social networks. They also offer juicy schemes to attract victims, even promising "bonuses" to investors who deposit large sums. Once they have collected enough investment they close or discontinue the exchange or wallet. Such exchanges and wallets are not affiliated with or registered by any authority. In some cases they hold investors' hard-earned money, charge incredibly high service fees, make it difficult for victims to withdraw their funds, or steal the investment altogether.
Case Study: Plenty of fake exchanges and digital wallets have been uncovered by the Bitcoin community and financial authorities across the globe. One such fake exchange was BitKRX, named after Korea Exchange (KRX), the largest financial trading platform in South Korea, established by KOSDAQ, the South Korea Futures Exchange and the South Korea Stock Exchange. BitKRX marketed itself as a branch of KRX, coaxing users onto its platform by promoting its business as a regulated and legitimate venture created by KRX.
(Source: https://cointelegraph.com/news/south-korean-government-concerned-with-scams-in-bitcoin-market-fake-exchanges)

2.5 Exchanges under attack:
Hackers' primary targets are online Bitcoin exchange services that store the private keys of users or investors. By dumping the database of stored private keys, the hackers gain control of the Bitcoin addresses held by the exchange and can spend the acquired Bitcoin wherever they want. Hackers have illegally acquired huge sums of dollars in Bitcoin, often gaining access through users' mobile numbers and email addresses.

Figure: Fraudulent marketing through social media (Source: Quora)
Case Study: This year an India-based cryptocurrency exchange was hacked and the attacker acquired around 438 bitcoins worth 1.8 million dollars. The firm named an employee in a first information report filed later that month, while promising to refund its investors in due time. It was the first time an exchange had come under attack in India. (Source: Times of India)

3. Checklist to safeguard against cryptocurrency frauds:
A common checklist for avoiding cryptocurrency scams is given here (Source: https://www.finder.com/bitcoin-scams).
· Does the website connect securely over https (not http)? If the address starts with "http" instead of "https," the data you send to the website is not secure.
· Can you see the word "Secure" or an image of a padlock in your web browser's address bar? This indicates that the connection to the website is encrypted. Note that scam sites can obtain certificates too, so HTTPS and the padlock are a minimum requirement, not proof that the operator is legitimate.
· Does the website's URL have any noticeable spelling mistakes or errors? If so, it could be a fake.
· Does the site feature bad grammar, awkward phrasing or spelling mistakes? If it does, this doesn't necessarily indicate a scam, but it does mean you should proceed with caution.
· Does the website promise abnormally high returns? (For example, does it claim you'll be able to double your investment?) This should raise a big red flag and is a common indicator of a scam.
· Is there an "About us" page? Does it show the real people behind the company? Does it provide any details about where the company is registered? If there's little or no information about who the company is and what it does, you could be dealing with a scam.
· Do legitimate, reputable websites link to this site? This could indicate that the site is trusted and respected.
· What do other users say about the website? Are there any negative reviews and, if so, what do they say? The crypto community is usually pretty quick to spread the word about scams.
· Who is the registered owner of the domain or website? Is the owner hidden behind private registration? Has the domain been registered for less than six months? (You can find this information by searching for the platform's URL registration details on a site like WHOis.net.) The more information you can find about the people/company behind a website, the better.
· Is there anything else about the website that raises red flags or just seems too good to be true?

4. Bitcoin transaction tracking using blockchain
Bitcoin and other alternative coins can be tracked using one of several blockchain explorers. It is important to remember that each coin has its own individual blockchain. The following figure shows the recent blocks mined by various cryptocurrency miners, the time of mining, and the number of transactions in each block. Every block is linked to its preceding block (each block header commits to the hash of the previous header), which ensures that fake transactions cannot be inserted into the blockchain without breaking the chain.

If the metadata of one block, #551843, is examined, the details shown in the following figure are obtained. The block consists of 1873 transactions totalling 12.5 bitcoins.


Mined blocks contain a range of information about the transactions included in them: a unique transaction ID, the transaction time, sender wallet address, receiver wallet address, miner wallet address, and amounts such as sent, received and miner fees. These are depicted in the following figure.
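To make the "linked blocks" property concrete, here is an added example (not code from the original post) that parses two real mainnet block headers, recomputes their hashes, and checks that block #1 commits to the hash of the genesis block and that both satisfy their proof-of-work target. Altering any transaction would change the merkle root, so the recomputed hash would no longer match what the next block commits to.

```python
import hashlib

# Added example, not from the original post. Real mainnet headers for block #0
# (genesis) and block #1, as the 80-byte hex any explorer or full node exposes:
# version | previous block hash | merkle root | time | bits | nonce (all little-endian)
GENESIS_HEADER = (
    "01000000" + "00" * 32
    + "3ba3edfd7a7b12b27ac72c3e67768f617fc81bc3888a51323a9fb8aa4b1e5e4a"
    + "29ab5f49" + "ffff001d" + "1dac2b7c"
)
BLOCK1_HEADER = (
    "01000000"
    + "6fe28c0ab6f1b372c1a6a246ae63f74f931e8365e15a089c68d6190000000000"
    + "982051fd1e4ba744bbbe680e1fee14677ba1a3c3540bf7b1cdb606e857233e0e"
    + "61bc6649" + "ffff001d" + "01e36299"
)

def sha256d(data: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()

def parse_header(header_hex: str) -> dict:
    """Split an 80-byte header into fields; hashes are returned big-endian as explorers show them."""
    raw = bytes.fromhex(header_hex)
    if len(raw) != 80:
        raise ValueError("a block header is exactly 80 bytes")
    return {
        "prev_hash": raw[4:36][::-1].hex(),
        "merkle_root": raw[36:68][::-1].hex(),
        "bits": int.from_bytes(raw[72:76], "little"),
        "hash": sha256d(raw)[::-1].hex(),
    }

def target_from_bits(bits: int) -> int:
    """Expand the compact 'bits' field into the proof-of-work target."""
    exponent, mantissa = bits >> 24, bits & 0xFFFFFF
    return mantissa << (8 * (exponent - 3))

def chain_is_linked(headers: list) -> bool:
    """True when each header commits to the previous header's hash and meets its own target."""
    blocks = [parse_header(h) for h in headers]
    for prev, cur in zip(blocks, blocks[1:]):
        if cur["prev_hash"] != prev["hash"]:
            return False
    return all(int(b["hash"], 16) <= target_from_bits(b["bits"]) for b in blocks)

if __name__ == "__main__":
    for b in map(parse_header, (GENESIS_HEADER, BLOCK1_HEADER)):
        print(b["hash"], "prev:", b["prev_hash"][:16], "merkle:", b["merkle_root"][:16])
    print("linked:", chain_is_linked([GENESIS_HEADER, BLOCK1_HEADER]))
```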

Anonymity in bitcoin:
The following figure shows several senders combining their inputs into a particular bitcoin value that is sent to a single wallet address. The bitcoin network achieves anonymity regarding the sender if such a protocol is used.

Bitcoin Wallet:
A Bitcoin wallet is represented by a hexadecimal string of 34 characters. The wallet is accessible only through its own unique wallet key, which is 256 bits in length and consists of 64 characters. It is infeasible to derive the key from the wallet address, as doing so would require an enormous amount of processing power and could take hundreds of years to unlock a single wallet. Attacks such as brute force using rainbow tables are possible in principle, but the wallet key size makes deploying the required processing power infeasible.
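An investigator usually receives an address from a ransom note or a complaint, so the first check is whether it is even well-formed. The added example below (not from the original post) decodes a 34-character legacy address with Base58Check, the encoding these addresses actually use, and verifies the 4-byte checksum that catches a mistyped or tampered character; the sample address is the publicly known one paid by the genesis block's coinbase transaction.

```python
import hashlib

# Added example, not from the original post: validate a legacy (P2PKH) Bitcoin
# address before tracing it. The Base58 alphabet omits 0, O, I and l on purpose.
ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def sha256d(data: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()

def base58_decode(s: str) -> bytes:
    n = 0
    for ch in s:
        if ch not in ALPHABET:
            raise ValueError(f"character {ch!r} is not in the Base58 alphabet")
        n = n * 58 + ALPHABET.index(ch)
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    # each leading '1' in the string encodes one leading zero byte
    pad = len(s) - len(s.lstrip("1"))
    return b"\x00" * pad + body

def decode_address(addr: str) -> dict:
    """Return the version byte and 20-byte hash160, or raise if the checksum fails."""
    raw = base58_decode(addr)
    if len(raw) != 25:
        raise ValueError("decoded address must be 1 (version) + 20 (hash160) + 4 (checksum) bytes")
    payload, checksum = raw[:21], raw[21:]
    if sha256d(payload)[:4] != checksum:
        raise ValueError("checksum mismatch: address is corrupted or mistyped")
    return {"version": payload[0], "hash160": payload[1:].hex()}

def is_valid_address(addr: str) -> bool:
    try:
        decode_address(addr)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    # Publicly known address paid by the genesis block's coinbase output.
    good = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"
    print(decode_address(good))
    print("one character changed still valid?", is_valid_address(good[:-1] + "b"))
```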

Bitcoin transaction tracking:
To achieve anonymity, the bitcoin network employs several techniques. Even so, it is possible to identify the sender and the receiver of coins by analysing the complete blockchain. There are only a limited number of intermediate transactions between sender and receiver, because a fee is paid for each transaction irrespective of the amount of bitcoin transferred. The following figure shows some of the large transfers made in a single transaction between a set of senders and receivers.

The following figure depicts the ongoing transactions within a specific political geographic boundary (India). Each transaction can be followed further, as all transactions between senders and receivers are public and available from the blockchain. Tracking transactions within a geographic boundary is limited by the privacy of the miners, senders and receivers, and may not be available in all cases.
Intermediary transactions used to impede the tracking of senders and receivers are depicted in the following figure. The figure also shows the sender making one transaction to himself through an intermediary transaction. As every transaction costs a miner fee, this discourages the use of such intermediary transactions for small amounts.

The IP addresses of the miners are available to the mining pools, and it is at the pools' discretion whether to keep them secure or hidden. Several mining pools allow public access to the miners' IP addresses through intermediary subsidiaries that provide blockchain analysis and tracking tools. One such example is depicted in the following figure.

Case study: investigation of illegal mining through a company's resources:
Mr. X worked at a professional firm that operates high-performance computing systems. Mr. X knew very well that mining with the company's resources could earn a good amount of bitcoin for his wallet. He started a miner application on his home laptop and, using the IP address of a high-performance server, created an admin account. He mined bitcoin regularly and added it to his wallet. After a month the information security unit noticed some indications, but could not identify the person; Mr. X had already left the company within that month. After a digital investigation of disks and network logs, the unit identified one blockchain link with a transaction address. By tracing the transaction address back and finding a common bitcoin address, they identified the actual amount and the exchange details. The company then lodged a police complaint. Police investigated the case and obtained further information from the exchange and wallet provider.
Maltego provides a free community-edition tool for identifying and visualizing such transactions. The following figure depicts the transaction details.

Other transactions can be tracked using blockchain visualization, as shown in the figure.

