The primary concern of crypto regulators and governments is the illicit use of Bitcoin by criminals to launder money and even to fund terrorism.
Most people assume that such criminals can hide behind Bitcoin, but that is not true.
There are many ways in which law enforcement and government agencies can trace an illicit Bitcoin transaction back to its source and destination and catch the culprit.
They typically rely on a number of different analysis techniques to trace illicit Bitcoin transactions.
This comprehensive article explains all of those techniques, covering:
- Technical techniques
- Machine Learning techniques
- Non-technical techniques
- The different legal aspects and
- The governance considerations.
All of these techniques apply specifically to blockchain data and are very useful for identifying anonymous actors in the Bitcoin ecosystem.
Every point is arranged by category and illustrated, together with the relevant ransomware countermeasures, for easier understanding. So, read on.
What are the Analysis Techniques for Illicit Bitcoin Transactions?
To understand the different analysis techniques for illicit Bitcoin transactions, you first need to know something about the legal and regulatory efforts made to enforce the law and prevent crime by curtailing the freedom of this open system.
It also helps to look at the heuristics and behaviors that are innate to the Bitcoin system, because these techniques exploit them.
With that background, the analysis techniques used to identify illicit transactions in the Bitcoin ecosystem become much easier to understand.
Regulatory Environment and Compliance Challenges
The regulatory landscape around Bitcoin, a system that sidesteps central authority and allows its users a degree of anonymity, has evolved continuously since Satoshi Nakamoto released the first version of Bitcoin more than a decade ago.
From a US-centric point of view, the laws in this regulatory environment fall into two main categories:
- Those that protect the users of Bitcoin and, more importantly,
- Those that address the wider impact on society when Bitcoin is used for illegitimate purposes such as money laundering and terrorism financing.
Virtual currencies are also subject to other issues regarding ownership, attribution and vulnerability to theft.
Crypto systems, unlike conventional financial institutions and money transfer businesses, are comparatively unhindered by Anti-Money Laundering and Counter-Terrorism Financing (AML-CTF) regulations.
In addition, a crypto system usually does not gather the Personally Identifiable Information (PII) of its users that would be needed to implement strict financial transaction reporting measures.
With such measures in place, illegal financial activity and misappropriation of funds could be mitigated more easily.
However, in June 2018, the Law Library of Congress published a report titled ‘Regulation of Cryptocurrency in Selected Jurisdictions.’
This report provided a complete review of the crypto regulations and policy stance of a number of specific jurisdictions.
In chronological order, these jurisdictions are:
- Mexico and
Typically, a foreign law specialist is assigned to each of these jurisdictions to evaluate its legal conditions so that the major issues it faces can be identified.
The Areas of Concern
According to the report, a few specific areas of concern were identified:
- The legality of crypto markets and operations
- The problems related to taxation and
- The AML/CTF implications.
The legality section describes how crypto markets operate in each jurisdiction and the specific laws enacted to allow them to operate and to confine their trading.
The taxation section covers the ways in which cryptocurrencies are taxed in these regions.
The main issue here is whether or not cryptocurrencies should be treated as a financial instrument.
The Anti-Money Laundering and Counter-Terrorism Financing section reports the volume of Bitcoin crime around the globe that is attributed to misappropriation of funds and fraud.
Typically, the bulk of illegal Bitcoin transactions move from a crypto exchange in one jurisdiction to an exchange in another, across the border.
Given the cross-border nature of these transactions, the report emphasizes that there is an immediate need to ensure that crypto exchanges adopt and comply with appropriate AML and CTF regulations.
Several countries have implemented such laws since then and are reaping the benefits.
The report also identified a few other specific needs to ensure that illicit Bitcoin transactions are minimized, if not prevented. These are:
- Individual assessment of risks for specific types of customers and services
- Assessing the ways in which these services are offered to the customers
- Finding out whether or not foreign jurisdictions are traversed and
- Finding out the connection and state of any financial entity that has been offering service in a foreign jurisdiction.
Whether or not it took its cue from these suggestions, the European Union's 5th Anti-Money Laundering Directive of 2018 created a legislative framework for virtual currencies and exchanges to prevent and detect money laundering and terrorism financing.
Rise of Financial Intelligence Units
The EU emphasized having national Financial Intelligence Units (FIUs) that specifically help combat the risks arising from the anonymity of Bitcoin transactions.
These FIUs should gather information that allows them to link virtual currency addresses to the identities of their owners.
Several compliance standards and requirements were implemented as a result, such as:
- Know Your Customer or KYC and
- Customer Due Diligence or CDD processes.
The EU's position is that FIUs and financial institutions can leverage these standards to make customer identification mandatory for every reporting entity.
In support of this, it argued that mandatory identification lets the authorities assess customer behavior and build a proper understanding of each customer's expected financial activity.
It also argued that KYC and CDD standards are very effective in countering AML/CTF threats from the misuse of digital currencies for criminal purposes, while at the same time meeting the needs for:
- Legal obligations
- Consumer protection and
- Prevention of adverse societal impacts.
The governments of several countries corroborated this view and supported the legislative frameworks suggested above. This gave rise to several FIUs. Some of the authorities responsible for this work are:
- The Financial Crimes Enforcement Network or FinCEN
- The Financial Action Task Force or FATF and
- The Australian Transaction Reports and Analysis Centre or AUSTRAC.
Of these, FinCEN is the FIU of the US Treasury and supports US and international law enforcement inquiries.
It has also issued an advisory notice and guidance regarding the illicit use of Bitcoin and other virtual currencies, in the form of Application of FinCEN’s Regulations to Certain Business Models Involving Convertible Virtual Currencies, FIN-2019-G001 (2019).
This comprehensive guidance is meant for money services businesses (MSBs) and for any person engaged in a business that involves the transfer of Convertible Virtual Currencies (CVCs).
It explains how the Bank Secrecy Act applies to them and sets out their legal obligations and compliance requirements when dealing with CVCs.
The guidance also tells them how their business is subject to the US Bank Secrecy Act.
FATF, on the other hand, is a secretariat located in the headquarters of the Organization for Economic Co-operation and Development (OECD) in Paris.
It provides standards and recommendations to more than 200 jurisdictions with the sole aim of preventing terrorism financing and money laundering.
A comprehensive and reliable framework is offered by the FATF International Standards on Combating Money Laundering and the Financing of Terrorism & Proliferation, known as the FATF Recommendations.
This framework includes provisions such as the Risk-Based Approach to Virtual Assets and Virtual Asset Service Providers.
It helps VASPs identify risk indicators in the context of Virtual Assets (VAs) and allows much better supervision.
Finally, AUSTRAC focuses more on AML-CTF intelligence collection and analysis. It also provides guidance to regulated entities under the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 and the Financial Transaction Reports Act 1988.
It offers guidance on preparing and implementing AML-CTF programs for virtual currency exchange businesses and manages the register of these businesses in Australia.
So the global agencies are clearly looking for a more holistic approach to combating illicit Bitcoin transactions.
According to the Law Library of Congress and CipherTrace, a number of countries are already preparing policy frameworks to regulate cryptocurrencies and implement AML measures that have the potential to reduce criminal funding through crypto exchanges by as much as 47%.
All of these efforts need continual, proper analysis that covers the problem from several angles, such as:
- The network
- Graph theory
- Predictive features and
- Machine learning architecture.
Of course, the most important analysis involves the huge datasets behind Bitcoin and other crypto transactions.
Everything starts with Bitcoin analysis, which is primarily based on the mechanics of the system and an understanding of how it works.
This includes the interaction of the Internet security protocols with the Bitcoin protocol.
It also includes examining how Bitcoin mining works, with a special focus on how participants on the network are rewarded.
Such analysis looks into specific aspects, which include but are not limited to:
- Double spending attack
- Privacy motivations
- Attack vectors and
- Anonymity of the Bitcoin system.
These are considered the basic parameters for analyzing the behavior of Bitcoin transactions.
Analyzing the transaction behavior and usage of Bitcoin creates a montage of information.
All of it must be reconstructed forensically so that the target can be detected accurately.
The information gathered can be of different types, such as:
- Behavioral and
Introducing Bitcoin heuristics makes the analysis easier because it simplifies the problem of attribution.
Heuristics help group analogous transactional behavior together and link services and ownership to addresses.
There is also the concept of peeling, in which a small amount of Bitcoin is split off from a larger balance to another address while the remainder is sent back to a one-off change address.
Payment trends are drilled into deeply to gain a much better understanding of illegal user activity, especially at the source, by probing ownership and identifying it whenever suspicious activity has occurred.
Such suspicious activity may recur in the future, which is why gathering the targeted transaction IDs or Bitcoin addresses is necessary for later analysis and prediction.
Other information and data sources therefore also need to be examined so that probable fraudulent transactions can be determined.
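As an added illustration (not code from the article), the two heuristics just described, common-input ownership and peeling to a one-off change address, implemented in Python over a small constructed set of transactions; the 10% peel ratio and all address and transaction names are assumptions.

```python
"""Address clustering by the common-input-ownership heuristic and peel-chain
detection. Added illustration, not code from the article or any tool it
names; the transactions, addresses and BTC amounts below are constructed."""
from collections import defaultdict

# Constructed ledger: txid -> (input addresses, [(output address, BTC), ...]).
# tx1..tx3 form a peel chain: a small "peel" goes to a fresh address (M*) and
# the remainder returns to a one-off change address (C*) that funds the next hop.
TXS = {
    "tx1": (["A1", "A2"], [("M1", 0.05), ("C1", 4.95)]),
    "tx2": (["C1"],       [("M2", 0.04), ("C2", 4.91)]),
    "tx3": (["C2"],       [("M3", 0.06), ("C3", 4.85)]),
    "tx4": (["A2", "A3"], [("X1", 1.00), ("C4", 0.20)]),  # not a peel: outputs too similar
    "tx5": (["B1"],       [("B2", 2.00), ("B3", 2.00)]),  # even split, unrelated entity
}


class UnionFind:
    """Disjoint-set over address strings, used to merge addresses into clusters."""
    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def _groups(uf, members):
    groups = defaultdict(set)
    for m in members:
        groups[uf.find(m)].add(m)
    return sorted(sorted(g) for g in groups.values())


def cluster_addresses(txs):
    """Common-input-ownership heuristic: addresses spent together in one
    transaction are assumed to be controlled by the same entity."""
    uf = UnionFind()
    for ins, _ in txs.values():
        for addr in ins[1:]:
            uf.union(ins[0], addr)
    return _groups(uf, {a for ins, _ in txs.values() for a in ins})


def peel_shape(outs, max_ratio=0.1):
    """Return (peel_output, change_output) when a transaction has exactly two
    outputs and the smaller is at most max_ratio of the larger, else None.
    The ratio threshold is an assumption chosen for this example."""
    if len(outs) != 2:
        return None
    small, large = sorted(outs, key=lambda o: o[1])
    return None if small[1] > max_ratio * large[1] else (small, large)


def follow_peel_chain(txs, start_txid, max_ratio=0.1):
    """Walk a peel chain: each hop's change output must be the sole input of a
    later peel-shaped transaction. Returns [(txid, peel_addr, peel_btc, change_addr)]."""
    spent_as_sole_input = {ins[0]: txid for txid, (ins, _) in txs.items() if len(ins) == 1}
    chain, txid, seen = [], start_txid, set()
    while txid is not None and txid not in seen:
        seen.add(txid)
        shape = peel_shape(txs[txid][1], max_ratio)
        if shape is None:
            break
        (peel_addr, peel_btc), (change_addr, _) = shape
        chain.append((txid, peel_addr, peel_btc, change_addr))
        txid = spent_as_sole_input.get(change_addr)
    return chain


def cluster_with_change(txs, max_ratio=0.1):
    """Common-input clustering extended with the change heuristic: the change
    output of a peel-shaped transaction joins the cluster that spent its inputs."""
    uf, members = UnionFind(), set()
    for ins, outs in txs.values():
        members.update(ins)
        for addr in ins[1:]:
            uf.union(ins[0], addr)
        shape = peel_shape(outs, max_ratio)
        if shape is not None:
            members.add(shape[1][0])
            uf.union(ins[0], shape[1][0])
    return _groups(uf, members)
```

Compare `cluster_addresses(TXS)` with `cluster_with_change(TXS)`: the change heuristic is what folds the whole peel chain C1, C2, C3 back into the entity that started it, which is why analysts treat it as the more powerful (and more error-prone) of the two.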
Bitcoin Network Layer Analysis
This type of analysis deals with data anonymization, a kind of information sanitization process that is followed within the Bitcoin network.
In this process, different aspects are considered, such as:
- The openness of the Bitcoin system
- The defining features in the anatomy of a Bitcoin transaction and
- Extensive data gathered from packet-sniffing software.
Different traffic analyzer tools are used to capture Bitcoin protocol traffic.
This is done by public key profiling, a process of building an outline of the transaction flow within the network between Bitcoin addresses and IP addresses over time.
It also involves listening on the network for traffic on port 8333, the port used by Bitcoin.
However, this approach has its weaknesses. For example, the targeted Bitcoin addresses may change frequently, even with every transaction.
This creates only weak linkages to the network observations, because the transactions propagate over a peer-to-peer network.
The IP address at which a transaction is intercepted may therefore not be that of its actual creator, so Bitcoin network layer analysis may not reveal the true identity behind a Bitcoin address or its usage.
The reliability of this approach is further reduced if the IP address belongs to the internet connection of a library or a café, and especially to an open wireless network, a Tor exit relay, or a Virtual Private Network (VPN).
It is also quite challenging to find the person responsible for illicit Bitcoin transactions or activity when Tor is used, because of the Black Hat feature of Bitcoin security associated with the Tor application.
This provides transaction anonymity through the Internet protocol stack, utilizing a particular crypto Dark Wallet service and leveraging the Darknet.
Evading IP address attribution is easily accomplished by using a Tor router, or Onion Router.
When such a router is used, the mapping between Bitcoin addresses and IP addresses is lost, and the investigator is left with only the IP address of the Tor exit node.
That does not support any kind of meaningful analysis.
Therefore, in addition to Bitcoin network analysis, different graph data models, along with the nodes and relationships formed on the Bitcoin network, also need to be analyzed in order to examine illicit Bitcoin activity with relevant insights.
Analysis of Different Graphs
There are different types of graphs that can be analyzed to find illicit Bitcoin transactions.
Directed Acyclic Graph:
A Directed Acyclic Graph (DAG) is one such type of analysis, typically built from the addresses and transactions on the Bitcoin network.
The whole DAG can be broken into two smaller DAGs: the first is constructed by tracing the Bitcoin addresses of users, and the second by tracing the transactions over time.
This approach allows mapping and grouping similar behaviors of Bitcoin users as well as the transactions they make over time.
It also makes the Bitcoin system more analyzable for the purpose of revealing identity.
Different data sources can be used for this, such as off-network information, which helps build a directory of Bitcoin users.
This in turn helps in examining activities, routing behavior, and common transaction usages.
A website called the Bitcoin Faucet2 can also be used; it typically uses TCP/IP network information to match IP addresses with Bitcoin addresses and to map geographical usage and address pattern behavior.
However, this can be flawed because the last Bitcoin node IP address in the route may not be the originating one.
Another part of the analysis involves the way Bitcoin addresses operate and the evolving behavior of transactions over time.
This technique also involves machine learning, which helps determine the identity hidden behind the pseudonymous Bitcoin addresses.
In this process, a large graph is analyzed as a series of sub-graphs.
This helps identify characteristic behaviors as well as the flow of Bitcoin transactions.
It makes it easy to identify common practices among users through these patterns, which may reflect suspicious behavior and activity on the Bitcoin network.
The best part is that these patterns can be reused and applied to other scenarios to find illicit Bitcoin transactions.
Different automated software programs can also be used for forensic analysis of illicit Bitcoin transactions.
Such software provides the framework on which graph analysis is subsequently developed.
The Bitcoin blockchain can be parsed with such software to gather addresses and transactions, which are then enriched with diverse data collected from the web.
This further helps in grouping, contextualizing, and visualizing Bitcoin transaction graphs.
This analysis builds on the previous techniques in order to find suspicious conduct on the Bitcoin network.
It is usually done with reference to, and from the perspective of, external data sources such as social media sites and scraped web forums, as well as the blockchain data.
This is a specific kind of graph analysis applied to particular transactions in an attempt to match any doubtful use of Bitcoin addresses.
It allows much better behavioral analysis of Bitcoin transactions because of:
- The intrinsic data structure
- The blockchain
- The activity between the users.
All of these, together with the analysis of external data about malware sites, security reports, cyber security feeds, and indicators of compromise, help reveal the identity of users, which further helps law enforcement and can be used for intelligence purposes.
More sophisticated graph analysis methods can be applied to the sub-graphs of interest, revealing additional intelligence about the Bitcoin network.
The intelligence related to transaction behavior may be of different types, such as:
- How frequently a particular address or set of addresses is reused
- Zero-balance addresses and
- The way a large transaction is divided into smaller transactions by using the change address.
There are also other modern algorithmic analysis techniques, such as the in-degree (the number of inward edges to a node) and the comparability of nodes on the Bitcoin network.
These determine the width of the graphs and try to find the longest of all shortest paths in the Bitcoin network, using specific algorithms such as the Breadth First Search (BFS) algorithm.
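As an added example (not from the article), the graph measures listed above, in-degree as a hub indicator and the longest of all shortest paths found with Breadth First Search, computed in Python over a constructed address graph; the addresses and edges are assumptions.

```python
"""Graph metrics on a Bitcoin address graph: in-degree, hub ranking, and the
longest of all shortest paths found with Breadth First Search. Added
illustration, not code from the article; the address graph is constructed."""
from collections import defaultdict, deque

# Constructed directed edges "payer address -> payee address". E1 behaves like
# an exchange deposit hub (high in-degree, reused); W1..W3 are hop-by-hop wallets.
EDGES = [
    ("A1", "E1"), ("A2", "E1"), ("A3", "E1"),
    ("E1", "W1"), ("W1", "W2"), ("W2", "W3"),
    ("W3", "E1"),          # funds return to the reused hub address
    ("B1", "W2"),
]


def build_graph(edges):
    """Adjacency lists plus in-degree (count of inward edges) for every node."""
    out_adj = defaultdict(list)
    in_degree = defaultdict(int)
    for src, dst in edges:
        out_adj[src].append(dst)
        out_adj.setdefault(dst, [])
        in_degree[dst] += 1
        in_degree.setdefault(src, 0)
    return dict(out_adj), dict(in_degree)


def hubs(in_degree, top=2):
    """Addresses ranked by in-degree; high values flag collector or service addresses."""
    return sorted(in_degree.items(), key=lambda kv: (-kv[1], kv[0]))[:top]


def bfs(out_adj, source):
    """Shortest hop counts from source, with parents for path reconstruction."""
    dist, parent = {source: 0}, {source: None}
    queue = deque([source])
    while queue:
        node = queue.popleft()
        for nxt in out_adj.get(node, []):
            if nxt not in dist:
                dist[nxt] = dist[node] + 1
                parent[nxt] = node
                queue.append(nxt)
    return dist, parent


def longest_shortest_path(out_adj):
    """Directed diameter over reachable pairs: run BFS from every node and keep
    the farthest reachable node. Returns (hop count, path as address list)."""
    best_len, best_path = 0, []
    for source in sorted(out_adj):
        dist, parent = bfs(out_adj, source)
        far = max(dist, key=lambda n: (dist[n], n))
        if dist[far] > best_len:
            path, node = [], far
            while node is not None:
                path.append(node)
                node = parent[node]
            best_len, best_path = dist[far], path[::-1]
    return best_len, best_path


if __name__ == "__main__":
    adj, indeg = build_graph(EDGES)
    print(hubs(indeg))                 # E1 is the obvious hub
    print(longest_shortest_path(adj))  # the widest reach across the graph
```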
Machine Learning Analysis
Different machine learning models and algorithms can be developed for different purposes, such as:
- Highlighting classification
- Sentiment analysis
- Topic modeling
- Regression and more.
Machine learning algorithms can be of different types, namely supervised or unsupervised learning, which are explained below:
- Supervised learning – This is based on training data that contains the correct responses for the input data. It can be used to categorize future data items.
- Unsupervised learning – These algorithms have no prior knowledge of the structure or domain of the data. They are a very powerful way to detect irregularities in the dataset being analyzed.
The most common unsupervised learning algorithm used to identify illicit Bitcoin transactions is clustering.
In this process, similar and distinct attributes in the input data form clusters or groups, which helps a lot in studying Bitcoin systems.
Based on these two machine learning and Artificial Intelligence techniques, analysis of Bitcoin networks is done to detect money laundering and fraud.
Supervised machine learning techniques examine different aspects, such as:
- The clusters
- The entities and
- The categories.
This helps in understanding who controls the Bitcoin funds in the network and in attributing some kind of context to the groups with respect to the activities performed.
These activities can be either of the following:
- Exchanging and
All of these activities are categorized by supervised machine learning techniques according to the criminal activity involved.
The different categories include:
- Tor markets
- Stolen Bitcoin
- Merchant services
- Mining pools
- Hosted wallets and
- Personal wallets.
Data is then collected from each of these categories for analysis.
This data is collected by following a specific methodology, and the types of data collected include:
- Transactions, with hash, input address, timestamp, value and output address
- Addresses, with value and the number of transactions made with a peer address
- Counterparties, with their addresses, category, value, and names and
- Exposure, which is the number of inputs and outputs among all transactions that come from or arrive at a specific service category and which helps in risk calculation.
The supervised machine learning technique helps attribute Bitcoin clusters to the preset categories.
Analyzing the anatomy of a Bitcoin cluster helps break the cluster structure down, which in turn helps categorize the controlling entities.
However, this technique can suffer from an imbalance between good and bad transactions.
Therefore, other machine learning techniques should also be considered to find illicit Bitcoin transactions.
Unsupervised learning techniques, on the other hand, can cluster objects and detect fraudulent Bitcoin activity in a multivariate setup without needing a training dataset.
This allows the algorithm to set up its own labels as the data is fed in.
This is both a performance enhancement and a limitation as far as fraud detection is concerned.
It is a limitation because the unlabeled data has to be checked manually, modified if necessary, and fed back into the system with context.
It is a performance enhancement because the machine components execute faster.
Typically, criminal detection is best done by comparing against known criminal elements with a neighborhood-based algorithm, because such algorithms normally use classifiers.
These classifiers help the machine understand the data context, so the data is processed much better.
This makes the results easy to validate.
Although these are generative machine learning models, they can use Principal Component Analysis (PCA), k-means clustering, and other common techniques to create a model of legitimate and illicit transaction groups on the Bitcoin network.
However, these methods only work well via deep learning, because that allows a deeper understanding of the observed data in its context.
Deep learning on Bitcoin graph networks enables learning the role played by a node in the network.
This process typically works on the struc2vec algorithm.
Here, nodes that are structurally similar are placed in close proximity to each other.
When the role played by the nodes is understood with respect to the embedded data, it helps detect similarities between nodes in the network that may not belong to directly connected components.
If the embeddings also encode structural information or metadata, these node embeddings can prove to be a very powerful and effective way to identify new doubtful relationships within the target Bitcoin network.
An alternative to graph embedding can also be used, such as the Graph Matching Network (GMN).
This technique typically uses Graph Neural Networks (GNNs) to evaluate a graph similarity score.
This can then be scaled up to understand the similarities between complete graphs by comparing associated nodes in different graphs with the input graphs.
If a difference is found in the edge features and in the node features, the transaction can be deemed doubtful.
With this technique, even the graphs formed by Bitcoin ransomware transactions can be interpreted to understand the differences and similarities in a target network model.
Creating a GNN for such Bitcoin ransomware graphs further helps in learning the kinds of parameters and behaviors the networks may take on in the future.
Also, graph analysis procedures such as Graph Convolutional Networks (GCN) allow the neural network to embed associative information between relationships and nodes, which can be used further in machine learning methods.
The GCN combines the in- and out-degrees of the neighboring nodes and propagates these representations as features on the nodes of the Bitcoin network.
Finally, we come to Bitcoin ransomware transaction analysis.
As you may know, ransomware is one of the most common and concerning threats related to the use of cryptocurrencies.
It is a worry for both the users and the developers of cryptocurrencies.
Ransomware allows cyber criminals to extract funds through the network, and often these crimes go undetected.
Ransomware has grown 2.5 times, and it is therefore essential to identify and analyze it with proper frameworks.
Typically, a Ransomware Identification Framework (RIF) is used to identify ransom payments.
This is done from a set of transactions sent to the ransomware cluster, and a group analysis is done on the entire network.
This type of analysis helps identify the money laundering strategies and the financial infrastructure underlying the ransomware.
It also helps connect popular services and infer connections to illegal activity.
In this method, the RIF analyzes many different things at the same time to make the right identification, including:
- The total number of transactions made on the network for every seed address
- The total amount of Bitcoin received or sent and
- The total number of ransom payments made and received.
Different sets of parameters are used at the individual transaction level to build the target network model. These parameters are:
- The input addresses
- The output addresses
- The amount of Bitcoin transferred and
- The timestamps of such transfers.
In addition, some extra labels are used to represent the network depth, which indicates the distance from the seed address at which an activity takes place.
Labels also represent the service identifiers from a blockchain API (Application Programming Interface) that signify Bitcoin exchanges.
All of these help in making an inflow analysis, which shows the group of payments made to the ransom seed address.
It also shows the source of such payments, through careful analysis of the graph created by the incoming ransom payments.
Different graph analysis methods are used for this, such as centrality, which helps classify the addresses of a specific ransomware.
The transaction walks, once produced, show the specific nodes in the graph where the collectors are and the specific services that these node addresses correspond to.
These services can be anything, such as:
- A mixing service
- A gambling service and even
- A Bitcoin exchange.
If a time series or longitudinal analysis is conducted on the graphs, it also shows the profile of the ransomware address and the ways in which the ransom was collected over time.
More often than not, these profiles are very similar.
There is usually a burst of initial payments at a specific point in time, which then tapers off over the next week or two.
Time series analysis typically examines the history of the specific collector address in question.
This helps in understanding the behavior patterns of both the attackers and the victims.
It also helps in profiling the incoming and outgoing relationships by moving back and forth in time within that particular Bitcoin address.
All of this provides a more targeted system for identifying the patterns in a Bitcoin ransomware transaction graph more precisely.
Ideally, these patterns are among the most useful structures of interest, as they provide a footprint of Bitcoin ransomware activity.
Another useful way is to measure the significance or impact of a ransomware attack by plotting its payment and collection profiles.
Looking at the Cumulative Distribution Function (CDF) of the ransomware also shows the total quantity of ransom collected over time.
This is, however, a relatively simple analysis technique that involves a few blockchain specifics on different change addresses and input transactions.
Ransom addresses can also be identified through reports and information gathered from real victims.
Another useful way is to produce synthetic victims under controlled lab settings.
When micropayments are made, the flow of Bitcoin can be traced using the clustering process and co-spending with addresses that generate a transaction restricted by the ransom seed wallet.
External data sources may also be analyzed in order to collect information about ransomware campaigns.
These external sources can be Google search history trends or any other source.
Once such a framework is created and the preliminary detection and collection are completed, payment analysis can be performed to identify things such as:
- The estimated revenue of the ransomware
- Payment mechanics such as profile and timing
- Prospective cash-out behavior and more.
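As an added example (not from the article or any particular RIF implementation), the inflow analysis, burst-then-taper time series profile, CDF of ransom collected, and cash-out breakdown described above, computed in Python over a constructed set of payments to a seed address; the payments, destination addresses, service labels and thresholds are assumptions.

```python
"""Ransom payment profile for a seed address: daily inflow, burst-then-taper
check, empirical CDF of ransom collected over time, and cash-out destinations
by service label. Added illustration, not code from the article or from any
Ransomware Identification Framework; all payments and labels are constructed."""
from collections import defaultdict

# Constructed incoming payments to the seed address: (day since first payment, BTC).
PAYMENTS = [
    (0, 0.5), (0, 0.5), (0, 0.5), (1, 0.5), (1, 0.5), (2, 0.5),
    (3, 0.5), (5, 0.5), (8, 0.5), (13, 0.5),
]

# Constructed outflows from the collector address: (day, BTC, destination address).
OUTFLOWS = [(2, 2.0, "M7"), (9, 2.5, "X9"), (14, 0.4, "U2")]

# Constructed stand-in for the service identifiers a blockchain API would return.
SERVICE_LABELS = {"X9": "exchange", "M7": "mixer"}


def daily_inflow(payments):
    """BTC received per day: the payment profile one would plot."""
    per_day = defaultdict(float)
    for day, amount in payments:
        per_day[day] += amount
    return dict(sorted(per_day.items()))


def estimated_revenue(payments):
    """Total ransom received at the seed address."""
    return sum(amount for _, amount in payments)


def cumulative_fraction(payments, day):
    """Empirical CDF: share of total ransom collected by the end of `day`."""
    total = estimated_revenue(payments)
    return sum(a for d, a in payments if d <= day) / total


def burst_profile(payments, window_days=7, min_share=0.7):
    """Characterize the typical profile: a burst of payments, then a taper.
    The window and share thresholds are assumptions for this example."""
    per_day = daily_inflow(payments)
    peak_day = max(per_day, key=lambda d: (per_day[d], -d))
    share = cumulative_fraction(payments, window_days - 1)
    return {
        "peak_day": peak_day,
        "first_week_share": share,
        "burst_then_taper": peak_day < window_days and share >= min_share,
    }


def cash_out_by_service(outflows, labels):
    """Sum outgoing BTC by the service category of the destination address."""
    totals = defaultdict(float)
    for _, amount, dest in outflows:
        totals[labels.get(dest, "unlabeled")] += amount
    return dict(totals)


if __name__ == "__main__":
    print(daily_inflow(PAYMENTS))
    print(burst_profile(PAYMENTS))
    print(cash_out_by_service(OUTFLOWS, SERVICE_LABELS))
```

The "unlabeled" bucket is the part an analyst follows up manually, since an unattributed destination is exactly where a cash-out path goes dark.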
Of all these, the cash-out behavior is one of the most interesting parts of the transaction analysis.
This is because it provides targeted confirmation of the criminal activities and behaviors of ransomware attackers as they try to use their illegal Bitcoin proceeds.
The specific techniques for transaction analysis may vary depending on where the work sits on the intelligence-forensics continuum.
However, adding data attributes to the nodes and vertices of a graph by labeling helps a lot in finding similarities and trends with graph machine learning algorithms.
To sum up, the ability to apply high performance computing to huge amounts of transactional and other data in the Bitcoin network and ecosystem may enhance the efficiency of analysis.
However, please note that all the techniques explained in this article are quite limited on their own.
A combination of them therefore needs to be used to create a more formidable arsenal, which will produce results that are much better than any of these techniques applied in isolation.
Also, all these techniques for examining the Bitcoin blockchain to identify illicit transactions need proper coordination between humans and machines.
Combining machine-powered analysis techniques with human expertise and subject matter knowledge further helps in contextualizing the available and analyzed data for law enforcement, forensic interpretation, intelligence collection and investigation.
Most importantly, enforcement of AML-CTF laws and KYC provisions for Bitcoin transactions will surely hinder those who want to misuse this innovative functionality for illicit gain.
However, law enforcement agencies can only benefit from this when they, the cryptocurrency service providers, and the Financial Intelligence Units cooperate with each other by sharing information.
So, now you know the different analysis techniques for illicit Bitcoin transactions and why people cannot hide when making one.
These techniques allow the real-world participants to be identified and lower the level of anonymity in a Bitcoin transaction.
This reduces criminal activity, which is good for all.