DOI: 10.1145/3548606.3560587 (CCS research article, Public Access)

Watch Your Back: Identifying Cybercrime Financial Relationships in Bitcoin through Back-and-Forth Exploration

Published: 07 November 2022

Abstract

Cybercriminals often leverage Bitcoin for their illicit activities. In this work, we propose back-and-forth exploration, a novel automated Bitcoin transaction tracing technique to identify cybercrime financial relationships. Given seed addresses belonging to a cybercrime campaign, it outputs a transaction graph, and identifies paths corresponding to relationships between the campaign under study and external services and other cybercrime campaigns. Back-and-forth exploration provides two key contributions. First, it explores both forward and backwards, instead of only forward as done by prior work, enabling the discovery of relationships that cannot be found by only exploring forward (e.g., deposits from clients of a mixer). Second, it prevents graph explosion by combining a tagging database with a machine learning classifier for identifying addresses belonging to exchanges.
We evaluate back-and-forth exploration on 30 malware families. We build oracles for 4 families using Bitcoin for C&C and use them to demonstrate that back-and-forth exploration identifies 13 C&C signaling addresses missed by prior work, 8 of which are fundamentally missed by forward-only explorations. Our approach uncovers a wealth of services used by the malware including 44 exchanges, 11 gambling sites, 5 payment service providers, 4 underground markets, 4 mining pools, and 2 mixers. In 4 families, the relations include new attribution points missed by forward-only explorations. It also identifies relationships between the malware families and other cybercrime campaigns, highlighting how some malware operators participate in a variety of cybercriminal activities.
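Added worked example (not code from the paper or its repository): a toy back-and-forth exploration in Python over a constructed six-transaction graph. The tagging database and the ML exchange classifier are replaced by a static lookup table, an assumption of this example; the walk shows the two points of the abstract, a deposit by another mixer client that only the backward step can reach, and an exchange address that is recorded as a relationship but never expanded.

```python
from collections import defaultdict, deque

# Constructed toy transaction set (not real chain data): (txid, input addrs, output addrs).
TXS = [
    ("tx1", ["victim_1"], ["seed_addr"]),                    # victim pays the campaign
    ("tx2", ["seed_addr"], ["mixer_dep_a", "seed_change"]),  # campaign deposits into a mixer
    ("tx3", ["other_campaign"], ["mixer_dep_b"]),            # another mixer client deposits
    ("tx4", ["mixer_dep_a", "mixer_dep_b"], ["payout_1", "payout_2"]),  # mixer pays out
    ("tx5", ["seed_change"], ["exchange_dep"]),              # campaign cashes out
    ("tx6", ["exchange_dep", "exchange_hot"], ["cust_1", "cust_2", "cust_3"]),  # exchange
]
# Stand-in for the tagging database; the paper's ML exchange classifier is replaced by this lookup (assumption).
TAGS = {"mixer_dep_a": "mixer", "mixer_dep_b": "mixer",
        "exchange_dep": "exchange", "exchange_hot": "exchange"}

SPENDS = defaultdict(list)    # addr -> (ins, outs) of txs that spend from addr (forward)
RECEIVES = defaultdict(list)  # addr -> (ins, outs) of txs that pay to addr    (backward)
for _txid, _ins, _outs in TXS:
    for a in _ins:
        SPENDS[a].append((_ins, _outs))
    for a in _outs:
        RECEIVES[a].append((_ins, _outs))

def neighbours(addr, backward):
    """Forward step: outputs of txs spending addr, plus their co-spent inputs (multi-input
    heuristic). Backward step, when enabled: inputs of the txs that paid addr."""
    nxt = set()
    for ins, outs in SPENDS[addr]:
        nxt.update(outs, ins)
    if backward:
        for ins, _ in RECEIVES[addr]:
            nxt.update(ins)
    return nxt - {addr}

def explore(seeds, backward=True, max_hops=4):
    """BFS from the seeds; returns (visited addrs, {tag: tagged addrs reached}). Exchange
    addresses are recorded as relations but never expanded: the graph-explosion guard."""
    visited, relations = set(seeds), defaultdict(set)
    queue = deque((s, 0) for s in seeds)
    while queue:
        addr, hops = queue.popleft()
        tag = TAGS.get(addr)
        if tag:
            relations[tag].add(addr)
        if tag == "exchange" or hops >= max_hops:
            continue
        for n in neighbours(addr, backward):
            if n not in visited:
                visited.add(n)
                queue.append((n, hops + 1))
    return visited, dict(relations)

def missed_by_forward_only(seeds):
    """Addresses that only the back-and-forth walk reaches from the seeds."""
    return explore(seeds, True)[0] - explore(seeds, False)[0]
```

Running `missed_by_forward_only(["seed_addr"])` returns the victim that funded the seed and the other campaign that deposited into the same mixer, neither of which a forward-only walk reaches, while the exchange customers behind `exchange_dep` are never visited in either mode.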


Cited By

  • (2024) CAKGC: A Clustering Method of Cybercrime Assets Knowledge Graph Based on Feature Fusion. Advanced Intelligent Computing Technology and Applications, pp. 168-185. DOI: 10.1007/978-981-97-5606-3_15. Online publication date: 30 Jul 2024.
  • (2023) Towards Safe Cyber Practices: Developing a Proactive Cyber-Threat Intelligence System for Dark Web Forum Content by Identifying Cybercrimes. Information 14(6), 349. DOI: 10.3390/info14060349. Online publication date: 18 Jun 2023.
  • (2023) Towards Understanding and Characterizing the Arbitrage Bot Scam In the Wild. Proceedings of the ACM on Measurement and Analysis of Computing Systems 7(3), pp. 1-29. DOI: 10.1145/3626783. Online publication date: 12 Dec 2023.
  • (2023) Cybercrime Bitcoin Revenue Estimations: Quantifying the Impact of Methodology and Coverage. Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security, pp. 3183-3197. DOI: 10.1145/3576915.3623094. Online publication date: 15 Nov 2023.
  • (2023) The Rise of GoodFATR. Future Generation Computer Systems 144(C), pp. 74-89. DOI: 10.1016/j.future.2023.02.012. Online publication date: 1 Jul 2023.
  • (2023) Fingerprinting Bitcoin entities using money flow representation learning. Applied Network Science 8(1). DOI: 10.1007/s41109-023-00591-2. Online publication date: 15 Sep 2023.
  • (2023) Is Bitcoin gathering dust? An analysis of low-amount Bitcoin transactions. Applied Network Science 8(1). DOI: 10.1007/s41109-023-00557-4. Online publication date: 15 Jun 2023.

    Published In

    CCS '22: Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security
    November 2022, 3598 pages
    ISBN: 9781450394505
    DOI: 10.1145/3548606

    Publisher

    Association for Computing Machinery, New York, NY, United States

    Author Tags

    1. blockchain
    2. clipper
    3. cybercrime financial relations
    4. malware

    Acceptance Rates

    Overall Acceptance Rate 1,261 of 6,999 submissions, 18%

    Article Metrics

    • Downloads (last 12 months): 493
    • Downloads (last 6 weeks): 55
    Reflects downloads up to 22 Jan 2025
