An Inquiry into Money Laundering Tools in the Bitcoin Ecosystem
Jul 1, 2014 5:31pm
Since its creation in 2009, the cryptographic digital currency Bitcoin has grown quickly in terms of popularity and market capitalization. In only a few years, Bitcoin became a multibillion-dollar industry as measured by its market value. Many who are frustrated with incumbent banks and financial service providers praise Bitcoin as a revolutionary force in the financial industry. However, the system has also attracted malicious users hoping to disguise their actions, presumably due to Bitcoin’s alleged anonymity. Apart from cybercrimes targeting Bitcoin directly (e.g., theft), it is increasingly used to indirectly facilitate all sorts of criminal activities by providing a payment infrastructure over which law enforcement agencies have little oversight or control.
With anti-money laundering (AML) being a well-established topic, can traditional regulations be applied to Bitcoin in the same way they are used in the traditional banking sector? Our belief is that such attempts are doomed to fail. One of AML’s cornerstones is the Know Your Customer principle (KYC), which requires banks to verify the identities of their customers. To demonstrate commitment to regulatory compliance, several companies in the Bitcoin ecosystem increased their KYC efforts. For instance, some exchanges require their users to provide scanned government IDs or even traditional bank accounts for verification. To see why these measures cannot really solve the problem, we have to discuss a few technicalities of Bitcoin first.
Bitcoin can be thought of as a decentralized public ledger storing all (valid) transactions ever made. In order to spend bitcoins, a user must prove that he received bitcoins in the past. He does so by referencing an existing transaction in which bitcoins were sent to a specific public key, and by signing the new transaction with the corresponding private key. The public key, also called the address, serves as an account identifier while the private key is used to prove ownership. As a consequence of this protocol, spending bitcoins today requires to reference transactions from the past. All these transactions and their references together form the transaction graph. It can be analyzed by everyone who downloads and parses the block chain.
The first obstacle to KYC in Bitcoin is that everyone can create accounts simply by creating public/private key pairs locally on his own computer. Bitcoin users can create as many transactions between as many fake accounts as they like. Simply establishing the relationship between a single address and an identity, as done by Bitcoin companies trying to implement KYC, is not enough; you also have to find all the other addresses of a user. This is a nontrivial problem and is the main reason that Bitcoin is often called an anonymous system.
Recently, heuristic techniques to analyze the transaction graph have been explored that challenge Bitcoin’s anonymity. The goal of these techniques is to establish relationships between addresses based on relationships between transactions. Knowing the identities behind only a few addresses collected through KYC could then be enough to reason about the identities behind large parts of all other addresses.
These techniques will never be perfect though, and countermeasures are already in place to prevent them from functioning. So called mixing services have emerged; these services bring together multiple Bitcoin users and shuffle their bitcoins (cf. Figure 1). Image that Alice, Bob and Charlie all have one bitcoin, each associated with a certain address Alice1, Bob1 and Charlie1. To shuffle, they all send their bitcoin to a mixing service and provide that service with a new address, say Alice2, Bob2 and Charlie2. For each of these new addresses, the mixing service selects any of the bitcoins it got and forwards it to the address. As a result, relations in the transaction graph eschew the relationships between addresses.
Figure 1: How Bitcoin mixing services work
We analyzed three of these services: Bitcoin Fog, the Send Shared functionality of Blockchain.info (which, in the meantime, has been discontinued and replaced by a new service based on the CoinJoin protocol) and BitLaundry. We paid small amounts of bitcoins to these services and created an outpayment. We then tried to trace these transactions starting from the payout back to the transaction we used to send money to the service.
Figure 2: BitLaundry transaction graph
Our results suggest that mixing services work as hypothesized and make it impossible to find exploitable connections in the transaction graph. An exception to the rule was BitLaundry (cf. Figure 2), which returned parts of the bitcoins we payed in directly back to us. For both Send Shared and Bitcoin Fog we were not able to find direct connections. For the latter service, we were however able to observe a specific pattern of how outpayments are processed. The payments we received came from a long peeling chain, i.e. a chain from which small amounts of bitcoins are branched off from a large sum of bitcoins. Following these chains to their origin led us to multiple large transactions that combine a large number of transactions into one (cf. Figure 3). These transactions suggest the service had funds at its disposition exceeding a 6-digit dollar amount at the time of the study. The funds that we sent to the service remained untouched for about half a year before they were combined with funds from other transactions. This fortifies the assumption that the service owns a large amount of bitcoins.
Figure 3: Bitcoin Fog transaction graphAn important implication of our study is that a traditional KYC approach does not make much sense in Bitcoin because we can never have perfect knowledge of identities behind the addresses. So what can we do instead? One important property of Bitcoin is that all transactions are visible in the block chain. Hence, Bitcoin could be regulated through blacklisting of transactions. Once a transaction is known to be involved in a crime, that transaction could be invalidated; this invalidation would be propagated through the transaction graph which reduces the value of all subsequent transactions. This would deter users from mixing bitcoins as they would be at risk of receiving “dirty” bitcoins from the service, thereby making it hard for criminals to get rid of their loot. Since the risk of receiving dirty bitcoins depends on the old transaction being referenced by a new one, you could say that not all bitcoins would be the same if such a blacklisting policy was in place. Fungibility - a property of goods suggesting that all units of that good are worth the same - is an important property of a currency, though, as a currency has to serve as a unit of account. Fungibility in the Bitcoin system would be undermined by blacklisting.
Editor's note: The full version is available here. This won best paper at the 2013 eCrime Research Summit.