Tracking the BTCs

@nuria_imeq
5 min read · Apr 27, 2021

sextortion, blackmail scam, ransomware …

Who has not received a blackmail scam message at some point? Have you ever wondered whether this scam actually works? The only purpose of these scam messages is to empty our wallets, right?

I’ve always been curious about this topic and have wondered whether there are people who actually fall for this scam. This article resolved my doubt… or did it?

Normally I get blackmail scam messages in my spam folder. However, on the day I decided to investigate this topic, I hadn’t received any. So I visited the Bitcoin Abuse Database. BitcoinAbuse is a public database of bitcoin addresses used by scammers, hackers, and criminals; it is the equivalent of Spamhaus, applied to bitcoin addresses. I wouldn’t be honest with you if I said I was looking for an interesting one: I simply chose the first one on the list; that day was January 27, 2019+ 2.

The first thing I analysed was the transactions of the chosen bitcoin address. I also recommend reading the comments the complainants have written in the reports; they provide additional information.

All the information found was cross-checked across several sources, not only BitcoinAbuse but also BitcoinWhosWho, among others.

In the comments written by the complainants I found loads of email addresses. To analyse them, I used the Bitcoin Abuse query API.

You have to be very careful when starting an investigation from email addresses. You don’t know whether the complainants have correctly analysed the headers of the message; and in this case the email addresses are fake anyway, since what matters to the scammer is the transfer to the bitcoin address indicated in the message.

The e-mail addresses found belonged to domains generally implicated in crimes of this type. There is no need to list them here.
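As an added example (not code from the original post, and independent of the Bitcoin Abuse API), this is the kind of triage I would run over the free-text comments of abuse reports: pull out every e-mail address, normalise it, and group by domain. The comments below are constructed samples with made-up addresses, not real reports; the domain is the only part worth pivoting on, and even that only as a weak indicator, because the sender shown in a scam mail is usually spoofed.

```python
import re
from collections import defaultdict

# Constructed sample of complainant comments, in the style of abuse-database
# reports. The addresses and domains are invented for this example.
SAMPLE_COMMENTS = [
    "Sextortion mail claiming to have webcam video. Sender: threat.actor@example-mail.test",
    "Same scam, asked for 0.25 BTC within 48h. From: Threat.Actor@Example-Mail.test",
    "blackmail email, sender noreply@throwaway.example, reply-to bob@throwaway.example",
    "ransom note attached, no email given",
]

# Deliberately simple address pattern: good enough for free-text comments,
# not a full RFC 5322 validator.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def extract_emails(comments):
    """Return the unique e-mail addresses mentioned in the comments, lower-cased and sorted.

    Lower-casing collapses the same address written with different capitalisation,
    which is common when several complainants copy it by hand.
    """
    found = set()
    for text in comments:
        for match in EMAIL_RE.findall(text):
            found.add(match.lower())
    return sorted(found)


def emails_by_domain(comments):
    """Group the extracted addresses by their domain.

    Returns {domain: [addresses...]} so the analyst can see at a glance which
    domains recur across reports without trusting any single sender address.
    """
    grouped = defaultdict(list)
    for addr in extract_emails(comments):
        domain = addr.rsplit("@", 1)[1]
        grouped[domain].append(addr)
    return {domain: sorted(addrs) for domain, addrs in grouped.items()}


if __name__ == "__main__":
    for domain, addrs in emails_by_domain(SAMPLE_COMMENTS).items():
        print(f"{domain}: {len(addrs)} address(es) -> {', '.join(addrs)}")
```

Run against real report comments, the per-domain counts are what you would compare with other sources (BitcoinWhosWho, your own spam folder); the individual addresses themselves deserve little weight.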

I began to analyse the outbound transactions. I used Maltego with its Bitcoin transform.

Maltego is an intelligence tool, specifically for Open Source Intelligence (OSINT). Trust me, it is a good data mining tool. The only problem is the time you spend setting up third-party APIs.

I started my research by analysing the outbound transactions of the bitcoin address.

This line of research led nowhere: few transactions and little money. So I changed course and analysed the incoming transactions. Here I started to discover bitcoin addresses holding medium and large amounts of money.

The diagram gets complicated😅

After spending a few hours analysing transactions, I found a bitcoin address that caught my attention. I looked in several bitcoin databases and … since 2018 there have been reports about that specific address. It has been involved in: theft of wallets even when 2FA was enabled, cloud mining scams, theft of cryptocurrencies and other crimes. I found some IPs, domains and even some hidden services on the DarkNet. A lot of information, all of it irrelevant.

I focused my analysis on that bitcoin address. I share some images with you, because a picture is worth a thousand words.

Yes, you’ve read that correctly. Those amounts are in bitcoins. This animated gif shows the amounts.

In this last gif I show you how money is played with. They start from a bitcoin address with a certain amount, carry out several transactions, the intermediaries keep their cut, and the remaining amount returns to the same address it started from. Round-trip transactions.
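The two analysis steps above (comparing an address's inbound against its outbound volume to decide which direction to follow, and spotting round trips where funds leave an address and come back minus the intermediaries' cut) can be done on a plain edge list, which is also how a Maltego graph presents them. The following is an added example, not the author's code and not a Maltego transform: it models each (sender, receiver, amount) as an edge in satoshis, which is a simplification of real UTXO-based transactions with many inputs and outputs, and it runs over a constructed set of transactions with invented address labels.

```python
from collections import defaultdict

SATOSHI = 100_000_000  # satoshis per BTC; integers avoid float rounding

# Constructed edge list: (txid, sender, receiver, amount in satoshis).
# One edge per (input address, output address) pair is a simplification of the
# UTXO model; addresses and txids are invented for this example.
SAMPLE_TXS = [
    ("tx01", "addrF", "addrA", 3 * SATOSHI),      # large inbound to the address under study
    ("tx02", "addrA", "addrB", 1 * SATOSHI),      # 1 BTC leaves addrA ...
    ("tx03", "addrB", "addrC", 98_000_000),       # ... addrB keeps 0.02 BTC ...
    ("tx04", "addrC", "addrA", 95_000_000),       # ... addrC keeps 0.03 BTC, rest returns
    ("tx05", "addrA", "addrD", 20_000_000),       # a one-way payment, no return
    ("tx06", "addrD", "addrE", 19_000_000),
]


def flows(txs, address):
    """Return (inbound_total, outbound_total) in satoshis for one address.

    A tiny outbound total with a large inbound total is the signal that the
    incoming side, not the outgoing side, is worth following.
    """
    inbound = sum(amount for _, _, receiver, amount in txs if receiver == address)
    outbound = sum(amount for _, sender, _, amount in txs if sender == address)
    return inbound, outbound


def find_round_trips(txs, origin, max_intermediaries=3):
    """Find simple paths origin -> ... -> origin through at most max_intermediaries hops.

    Each result records the path, the txids along it, what the origin first sent,
    what came back on the closing edge, and the difference kept by intermediaries.
    """
    out_edges = defaultdict(list)
    for txid, sender, receiver, amount in txs:
        out_edges[sender].append((receiver, amount, txid))

    results = []

    def walk(node, path, txids, sent):
        for nxt, amount, txid in out_edges[node]:
            if nxt == origin:
                results.append({
                    "path": path + [origin],
                    "txids": txids + [txid],
                    "sent": sent,
                    "returned": amount,
                    "kept": sent - amount,
                })
            elif nxt not in path and len(path) - 1 < max_intermediaries:
                # simple paths only: never revisit an intermediary
                walk(nxt, path + [nxt], txids + [txid], sent)

    for nxt, amount, txid in out_edges[origin]:
        if nxt != origin:  # ignore self-transfers
            walk(nxt, [origin, nxt], [txid], amount)
    return results


def as_btc(sats):
    """Format a satoshi amount as a BTC string with eight decimals."""
    return f"{sats // SATOSHI}.{sats % SATOSHI:08d}"


if __name__ == "__main__":
    inbound, outbound = flows(SAMPLE_TXS, "addrA")
    print(f"addrA inbound {as_btc(inbound)} BTC, outbound {as_btc(outbound)} BTC")
    for trip in find_round_trips(SAMPLE_TXS, "addrA"):
        print(" -> ".join(trip["path"]),
              f"sent {as_btc(trip['sent'])}, returned {as_btc(trip['returned'])},"
              f" intermediaries kept {as_btc(trip['kept'])} BTC")
```

The cycle search is deliberately bounded by hop count; on a real graph the branching factor explodes quickly, and the practical approach is to pull only the transactions for the addresses one or two hops out and rerun the search as the picture fills in.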

I have a personal record: 79639818.21211306 BTC.

I left this article on hold for personal reasons. When I came back to it, I considered starting a new line of research, to see whether the hidden service led to a website on the Darknet, but something told me to go back to BitcoinAbuse and analyse another address. A couple of months had passed and I was curious about how this network had grown.

This time I will publish the address: 1Ps2HsbfZ9yuCyFzWdWFwMgnHGgs9Bnv5h. Here you can see the results. You know, a picture is worth… 😆

Well, there is a relationship between them.

Conclusion

I believe that the bitcoin addresses used for the blackmail and extortion crimes are BTC mule addresses. I feel I have invented a new concept.

They also work as a cover for ransomware payments or other operations that you can find on the Darknet.

As a curious note, I detected bitcoin payments for certain crimes. This is because a freshly generated bitcoin address is usually used when the user visits the page. That address is tied to the user’s cookie, so it is almost impossible to follow the transactions, that is, to trace them.

I hope you liked it. That’s all folks.

References

Bitcoinabuse

Blockstream

Bitcoinwhoswho

Maltego
