In the battle to link real-world criminals to their anonymous bitcoin troves, Chainalysis has found a “meaningful” edge: a block explorer website that scrapes visitors’ internet protocol (IP) addresses.
According to leaked documents reviewed by CoinDesk, Chainalysis, the largest of the blockchain tracing firms, owns and operates walletexplorer.com. Like other block explorers, the service lets anyone view the history of public cryptocurrency wallet addresses. Chainalysis figures that bad actors would use its site to check transactions without fear of “leaving a ‘footprint’” on crypto exchanges, the documents said.
But where the exchanges – and presumably most block explorers – have no eyes, Chainalysis has set its sights. It “‘scrapes’ the IP addresses of suspicious” users that fall into the honeypot of walletexplorer.com according to the documents.
“Using this dataset we were able to provide law enforcement with meaningful leads related to the IP data associated with an address,” the documents, translated from Italian, say. “It is also possible to conduct a reverse lookup on any known IP address to identify other BTC addresses.”
In doing so, Chainalysis has effectively weaponized an unassuming website without disclosing its ties. It has never publicly associated itself with walletexplorer.com, although a note at the bottom of the site’s homepage says its “author” now works at Chainalysis. The website was created in 2014, according to site registration documents that make no mention of Chainalysis.
A spokesperson for Chainalysis declined to comment.
The documents, from an undated Chainalysis presentation to Italian police investigating the dark web, appeared late Monday on DarkLeaks, itself a dark web site only accessible through anonymizing browsers like Tor. CoinDesk has verified the documents’ authenticity.
The slide deck shines new light on the full range of tools that Chainalysis uses to assist law enforcement in nabbing illicit actors. The company is primarily known for parsing publicly available transaction data rather than using subterfuge.
But its honeypot works, according to the leaked slide deck. Chainalysis cited a June 2020 case in which walletexplorer.com nabbed a ransomware suspect’s IP address – hours after they were suspected of depositing funds through the over-the-counter (OTC) desk of crypto exchange Huobi.
The documents also show that Chainalysis thinks it can trace transactions in monero (XMR), which many consider to be the cryptocurrency with the strongest privacy defenses.
“Of the cases that Chainalysis worked on in collaboration with law enforcement, we were able to provide usable leads in approximately 65% of cases involving [m]onero,” the documents say.
Justin Ehrenhofer, a member of the Monero Space work group, cautioned not to read too much into this claim.
“‘Usable leads’ is very nonspecific and can mean a wide variety of things,” he wrote in an email to CoinDesk. “For example in the best of cases for law enforcement, it can lead to real identities behind transactions. However, it can also relate to false information, such as a fake/stolen identity or a Tor address. All metadata is useful in investigations, and the extent to which this information is extremely variable.”
Likewise the word “cases” is used broadly, referring to “all Chainalysis-involved cases including Monero, not specific Monero transactions,” wrote Ehrenhofer. “So if someone used Monero but then also revealed information out of band that was used, that would likely qualify as a ‘success’ case by Chainalysis’s measure.”
Nevertheless, he offered a note of caution: “Monero users who care about their privacy should always use Monero using their own node.While there are some remote Monero nodes available over Tor, it is still best to run your own.”
Another way Chainalysis captures Bitcoin user data is by running nodes that verify transactions, the documents confirm. This allows the company to capture data leaks on the publicly accessible internet, or clearnet, from users’ simplified payment verification (SPV) wallets. Those services were designed to prioritize easy storage over foolproof security (although to be fair they are arguably more secure than wallets that rely on APIs to verify transactions).
“The downside to this design is that when the user wallet connects to the network, a variety of information is revealed – the user’s IP address, the full set of addresses in the wallet (used and unused) and the version of the wallet software,” according to the slide deck. “Chainalysis runs a series of nodes on the Bitcoin network … and if a user connects to one of our nodes, we receive the above information.”
This data can be a boon to investigators. Chainalysis cites the “Welcome to Video” child pornography ring bust. One of the suspects in that case was identified in part because his Bitcoin node was running on the clearnet.
Indeed, government clients turn to Chainalysis for help tracking down nodes. The Treasury Department’s Office of Foreign Assets Control (OFAC) is one such partner: it requested permission in early 2021 to utilize Chainalysis’ “Rumker” tech in an effort to sanction crypto actors.
On Tuesday OFAC issued its first-ever sanction against a crypto exchange for facilitating ransomware payments.
That Chainalysis runs its own data-capturing nodes would not come as a surprise to privacy-focused Bitcoiners; the community has long suspected as much.
“We’ve always known that they’re running nodes – it’s just a matter of which services they’re connected to,” said Colin Harper, the head of content at Luxor Tech, a bitcoin mining company.
Still, the story illustrates Chainalysis’ game plan in tracking illicit crypto for law enforcement partners. It’s not enough to trawl public transaction histories. To succeed, the company must amass data troves itself.
UPDATE (Sept. 21, 18:25 UTC): Adds detail about walletexplorer.com in sixth paragraph.
UPDATE (Sept. 21, 19:25 UTC): Adds comments from Monero community representative.
UPDATE (Sept. 21, 21:15 UTC): Adds final section on Chainalysis’ use of nodes.