Bitcoin forensics with CipherTrace on Maltego
CipherTrace Integration into Maltego Significantly Expands Bitcoin Forensics Capabilities
Maltego is a popular security research and forensics tool produced by Paterva. Investigators use it as a powerful data mining tool because it allows them to create directed graphs that combine disparate digital forensics, perform a deeper analysis, and gain a more comprehensive perspective. Maltego focuses on providing a library of transforms (a transform is a piece of code that works like an API to link capabilities in different platforms and applications) to combine security data feeds from open source and private intelligence, and then visualising that information in a graph format. A new seamless integration of the of CipherTrace cryptocurrency intelligence platform into Maltego allows users to easily risk-rate and trace tainted bitcoin addresses and transactions.
A free trial is now available on the Maltego transform hub which you can access by logging into Maltego and installing the CipherTrace transforms directly. If you don’t have Maltego, you can download free “Community” version here.
The CipherTrace transforms access advanced CipherTrace blockchain intelligence, which combines millions of new attribution data points through advanced machine learning algorithms to identify a variety of risky locations.
CipherTrace blockchain intelligence identifies risky transaction characteristics and locations, including known criminal, dark market and gambling sites as well as mixers.
Mixing services are money laundering services also known as Mixers, Tumblers, and Foggers. A cryptocurrency tumbler or cryptocurrency mixing service offers users the opportunity to mix potentially identifiable or ‘tainted’ cryptocurrency funds with others. The intention is obviously to make it difficult to follow the trail back to the funds’ original source.
Mixing helps to protect privacy, but it can also be used for money laundering by mixing illegally obtained funds with legitimate funds. Mixing large amounts of money may be illegal—i.e., in violation of anti-money laundering laws.
Maltego and CipherTrace Connect the Dots
The combination of Maltego and the CipherTrace platform is an exciting development for investigators. Essentially, it helps to connect the dots by linking disparate elements of the digital evidence involved in money laundering as well as criminal or illicit uses of cryptocurrencies. It also enables cryptocurrency investigation to be tightly coupled and interrelated with different pieces of the digital puzzle.
To install the CipherTrace transforms in Maltego, simply select CipherTrace in the Maltego Transform Hub.
A window will appear giving you the option to install CipherTrace.
After you click Install, a window appears, confirming the installation of 13 CipherTrace transforms.
The transforms operate at three levels—bitcoin address, bitcoin transaction and bitcoin wallets. Bitcoin Address and Bitcoin Transaction transforms enable you to calculate the current state of a coin or transaction: i.e., its risks and attribution details.
CipherTrace Bitcoin Address Transforms
A bitcoin address is a public cryptographic key that “owns” bitcoins. This address is used to uniquely identify bitcoins. The person or persons who know the corresponding private key can send those bitcoins to any other address. The cryptographic keys that control an address are typically stored on a users’ computers or on their mobile devices in a software app.
Addresses can be explored in the CipherTrace Bitcoin Address transform.
The Detail View will explain why a transaction received a particular risk rating
You can also augment these results with additional details gleaned from fetching IP addresses, inbound and outbound transactions, and wallet transaction data.
Selecting the Bitcoin Address transform “To Detail [CipherTrace]” returns a variety of useful details. This is an example of a money mixing, laundering, service.
The “To Inbound transaction [CipherTrace]” and “To outbound Transaction [CipherTrace]” transforms allow you to move back and forth through time in the blockchain forensics data. This capability enables you to trace the addresses to see if they have been tainted and ascertain the risks associated with bitcoin addresses, transaction, and wallets.
For instance, the screen above shows a high-risk transaction with a known dark market.
CipherTrace Bitcoin Transaction Transforms
Alternatively, you can perform a trace based on a transaction.
A transaction is a record in the public bitcoin blockchain that records the movement of bitcoins, or portions of them, from one address to another. Transactions are uniquely identified by a transaction ID. A transaction has one or more outputs, and can be looked up in the CipherTrace Transaction transform screen.
CipherTrace Bitcoin Wallet Transforms
The CipherTrace transaction tracing options include destination addresses, source addresses, and risk scoring. You can gain wallet information by tracing the addresses of the transactions. All of the data provided can easily integrate into other Maltego transforms to make your investigations and research as seamless and intuitive as possible.
A wallet address is a way of grouping bitcoin addresses into one group that is likely to be controlled by a single user or by a service. These groupings may not be 100% accurate. There are a number of ways to compute wallet addresses. One way is the “multi-input clustering” method, which allows you to analyze multi-input transactions and associate them with known patterns.
CipherTrace Bitcoin Wallet Transforms
Wallets can be used to identify exchanges, locations, and other details.
Where does the entity information come from?
The CipherTrace platform uses state-of-the-art tracing and software tools to gain attribution on global entities, allowing you to distinguish risky and tainted addresses and wallets from safe ones.
Why does the transform return no information
There are three potential causes of empty results:
- The blockchain is busy and your query timed out so you must retry it.
- CipherTrace Address transform will return no information if you input a transaction ID
- CipherTrace transaction ID transform will return no information if you input bitcoin address
What is the difference between low- and high-risk address/transactions?
Transaction risk scores are aggregated based on the input and output addresses. Address risk scores are calculated through deep research into address interactions and past transactions. Low-risk scores are given to addresses and transactions that have no negative attribution or risky behavior. High-risk scores are calculated based on direct association with illegal/high-risk sites or where the entity conducting the transaction has directly interacted with other high-risk addresses.
How do you determine the owner of a wallet?
It is the entity that CipherTrace identifies through attribution and clustering algorithms; it is not an actual individual.
How can you view all properties of an address/wallet/transaction?
You will find all property information in the lower right corner of the Maltego graphing window. Alternatively, you can double-click on any entity within the graph to view properties as well.
1 person likes this