Crypto Tracing 101: Bitcoin

Cryptocurrencies are often perceived as anonymous and therefore difficult to trace. This misconception has contributed to their use in fraud, theft, ransomware, sanctions evasion and other financial crimes. In reality, most major blockchains operate as public, immutable ledgers, meaning every transaction is permanently recorded and visible. Effective crypto tracing, however, depends on understanding how each blockchain functions at a technical level. Without this foundation, transaction data can be misleading or misinterpreted.

This article is the first in a Crypto Tracing 101 series in which we discuss appropriate tracing methods and blockchain analytics tools that can speed up the crypto tracing process. In part 1 we focus on Bitcoin, introducing the unique mechanics of the Unspent Transaction Output (“UTXO”) model and its role in tracing the movement of funds. Part 2 will explore Ethereum, which operates on a fundamentally different, account-based model.

Bitcoin Transactions

Every Bitcoin (“BTC”) transaction is recorded on a public ledger called the blockchain, where anyone can view it. Each Bitcoin transaction is made up of two key components, “Inputs” and “Outputs”:

  • Inputs refer to the sender’s address(es) and the amount the sender wants to transfer.

  • Outputs refer to the recipient’s address(es) and the payment amounts.

Consider the example below, in which Sakamoto has three BTC and wants to send two BTC to Cathie.

Unlike a bank transaction (where funds move from a sender to a recipient), Sakamoto cannot simply send two BTC to Cathie. In a Bitcoin transaction, all of the sender’s BTC will be consumed and their previous unspent transaction outputs (UTXO) reallocated, creating new transaction outputs. In this case, the transaction will consume all of Sakamoto’s 3 BTC, creating two outputs: two BTC will be sent to Cathie’s address, and one BTC will be sent back to Sakamoto as “change”.

Using the above real-life example from Blockchain Explorer, we can identify the following details of the two inputs and two outputs:

What do we observe and what do the transactions suggest?

  • Any single input could cover the amount sent to the first output address.

  • Both inputs combined are needed to cover the second output.

  • This suggests the primary payment is to the second output address, 16z…ngQ, and the first output address is likely the change address, 1NX…odQ.
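The reasoning in the bullets above can be written as a small check. This is an added Python example, not code from the original article or from any analytics tool; the function name, output labels and satoshi amounts are constructed for illustration, and the miner fee is ignored. It also shows when the heuristic gives no answer, such as the single-input Sakamoto transaction.

```python
from typing import Dict, List, Optional

def likely_change_output(inputs: List[int], outputs: Dict[str, int]) -> Optional[str]:
    """Return the label of the probable change output, or None if unclear.

    Amounts are in satoshis. The miner fee (inputs minus outputs) is ignored.
    """
    if not inputs or not outputs:
        raise ValueError("need at least one input and one output")
    if sum(outputs.values()) > sum(inputs):
        raise ValueError("outputs exceed inputs: not a valid transaction")
    if len(inputs) < 2:
        return None  # a single input gives nothing to compare against

    smallest = min(inputs)
    without_smallest = sum(inputs) - smallest
    # Outputs that any one input could have funded on its own.
    single_input_enough = [n for n, v in outputs.items() if v <= smallest]
    # Outputs that could not be funded if the smallest input were left out.
    needs_every_input = [n for n, v in outputs.items() if v > without_smallest]

    # One small output beside one that needs every input: if the small
    # output were the payment, the extra inputs would have been pointless,
    # so the small output is more likely the change.
    if len(single_input_enough) == 1 and needs_every_input:
        return single_input_enough[0]
    return None

# Constructed sample transactions (not real on-chain data).
TWO_INPUT_TX = {
    "inputs": [60_000_000, 50_000_000],
    "outputs": {"output_1": 20_000_000, "output_2": 89_990_000},
}
SINGLE_INPUT_TX = {  # the Sakamoto example: 3 BTC in, 2 BTC + 1 BTC out
    "inputs": [300_000_000],
    "outputs": {"cathie": 200_000_000, "sakamoto": 100_000_000},
}
AMBIGUOUS_TX = {  # either output could have been paid from one input
    "inputs": [60_000_000, 50_000_000],
    "outputs": {"output_1": 40_000_000, "output_2": 45_000_000},
}

if __name__ == "__main__":
    for name, tx in [("two-input", TWO_INPUT_TX), ("single-input", SINGLE_INPUT_TX),
                     ("ambiguous", AMBIGUOUS_TX)]:
        print(name, "->", likely_change_output(tx["inputs"], tx["outputs"]))
```

A `None` result means the amounts alone do not identify the change output; it does not mean the transaction has no change.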

Points to note

  • Bitcoin address formats have evolved over time, each with unique characteristics.

  • The above addresses start with a 1. This is a Pay-to-Public-Key-Hash (P2PKH) address, the original Bitcoin address type, introduced with Bitcoin’s launch in 2009. Later address types start with 3, bc1q, and bc1p.

Potential Red Flags

If a large amount is split into many small transactions and then recombined, this could be a sign of mixing. A large amount may also be split into many smaller ones needlessly (to avoid detection thresholds), which may indicate an attempt to evade monitoring systems.

For example, a large amount of Bitcoin is transferred to an address. It is then immediately split into numerous smaller transactions, passed through several intermediary addresses, and finally aggregated back into a single address.

Analysing crypto transactions becomes more complex when mixers or tumblers are involved. These are services that mix potentially identifiable cryptocurrency funds with others to obscure the trail back to the funds’ original source.

In addition, Bitcoin’s “settlement” speed – around 10 minutes for a transaction – is much shorter than that of a traditional cross-border bank remittance, which may take 1-3 business days. A bad actor can deploy a complex chain of transactions within just several hours. Thus, time is of the essence in the field of crypto tracing. A victim could manually track and cluster these addresses across multiple transactions, but that would be a very painful and time-consuming exercise. Engaging an expert with appropriate advanced blockchain analytics tools can simplify this process.