Install blockchain.info Transforms from the Transform Hub, use the search bar or filter your results.
Create a New Graph in the upper left corner or use the hotkeys (CTRL + T).
Select Bitcoin Address Entity from the Entity Palette & drag it onto the graph.
Address: 1F1tAaz5x1HUXrCNLbtMDqcw6o5GNn4xqX
If the Double Arrow on the right is clicked, all available Transforms are ran on the Entity.
If the + symbol is clicked, we can see all available Transforms and run them independently of each other.
Here are the Transforms we can run on a Bitcoin Address Identity.
Click the Arrow in the upper left to return to the pervious menu.
Click the Double Arrow beside “blockchain.info (Bitcoin)” to run all Transforms.
The Transforms returned more Transactions and Bitcoin Address Entities.
Select one of the Bitcoins Addresses and under Detail View, there is a link to blockchain.com with more information.
On this page there is summary information:
- Address
- Format
- Transactions
- Total Received
- Total Sent
- Final Balance
Click on the transaction hash, we will be brought to a page with the following information about the transaction
- Size
- Weight
- Included in Block
- Confirmations
- Total Input
- Total Output
- Fees
- Fee per byte
- Fee per vbyte
- Fee per weight unit
- Value when transacted
The page also has information about Inputs & Outputs
Going back Maltego, to organize your graph you can enable collections and group your Entities so it is easier to visualize the data. You can then Select specific Entities (CTRL + Click) and transfer them to a new graph by right clicking and selecting the Move to New Graph button in the lower left corner of the pane.
Once you have the Entities on a new graph run the Transform “To Block Height” on one of the transaction IDs.
Block Heights are useful for determining where in the blockchain the transaction occurred.
Here is a large amount of bitcoin being transferred from Address 1F1tA > 1Ez69
The Transaction ID 7ecad & Block Height 305451 are also displayed in the example below.
Trace where the currency is going by running the “To Destination Addresses” Transform on Transaction Entities
We can then identify more Transaction IDs, Addresses & Block Heights by running further Transforms from blockchain.info.
It is possible to trace large amounts of cryptocurrency between addresses. Below is a large amount of Bitcoin being transferred from 1F1Aa > 1a8LD
A graph can be as big as needed but it is with best practices to keep your graph organized. In the image below we can see that all of these funds end up in a single wallet. Sometimes an owner of cryptocurrency can be de-anonymized by “know your customer” cryptocurrency exchanges (KYC). These exchanges gather personal information like name, address, phone number, banking information and other identifying information about the owner of that account.
Analysts can gather information though freely available Open Source Intelligence (OSINT) platforms.
They can then ask questions while investigating like:
- Can the funds, assets, gov. grants, gov. loans, illegitimate bank accounts be traced back to a business or entity being investigated?
- Were the funds obtained illegally or related to criminal activity or a legitimate source?
- Was there an initial crime then a financial crime, or both?
- Is it possible to trace the funds from its origins all the way through to the destination?
- Were funds/assets diverted to from a legitimate source to illegitimate ones?
- Was there an attempt to launder funds?
- Does it look like the transactions are being obfuscated or layered?
- Is it possible there is any KYC data on these transactions?
- If so, was there suspicious activity by a high ranking corporate official or chief executive?
- Don’t forget you use your OSINT tools while performing your investigation & take notes often.