TITANIUM: Tools for the Investigation of Transactions in Underground Markets

TITANIUM tool GraphSense

Vienna (25 April 2019)


GraphSense is a cryptocurrency analytics tool developed under the leadership of the Austrian Institute of Technology (AIT). It offers a scalable graph-centric analytics solution for virtual currencies, allowing users to explore transactions and follow the money flow. Its most recent release supports four cryptocurrencies: Bitcoin, Litecoin, Bitcoin Cash and Zcash. GraphSense provides several features for exploring, searching, and inspecting the transaction graph originating from the supported cryptocurrencies.

GraphSense is provided as Open Source software, under the terms of the MIT license. It can be downloaded free of charge for self-hosting from our GitHub repository.

Law Enforcement challenge

GraphSense offers scalable quantitative methods and services that contribute to a better understanding of the structure and dynamics of cryptocurrency ecosystems. The tool is tailored to aid forensic investigations of virtual currency transactions. By semantically enriching transaction graphs with additional information extracted from contextually relevant sources, GraphSense enables a context-based analysis.

GraphSense supports key clustering heuristics and can filter CoinJoin transactions. Multiple addresses are usually controlled by one single entity and they can be grouped together to form a cluster. If a single address within a cluster containing hundreds of thousands of addresses can be attributed, the entire cluster can be attributed to the same entity. In GraphSense, a cluster – like an address – is represented in a graph where neighboring nodes are clusters with which it exchanged money.

In order to associate real-world actors, such as Bitcoin exchanges or gambling sites, with addresses and clusters, information is gathered from publicly available sources. Each tag associates a specific Bitcoin address with some contextually relevant information (e.g., BTC-e.com) about real-world actors and facilitates the interpretation of monetary flows.
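The clustering and tagging steps described above can be sketched as follows. This is an added example, not GraphSense code: it assumes the common multiple-input (co-spending) heuristic and a deliberately simplified CoinJoin filter, and all transactions, addresses and tags are constructed sample data.

```python
from collections import defaultdict

# Constructed sample data (not real blockchain transactions or tags).
TXS = [
    {"inputs": ["A1", "A2"], "outputs": [("B1", 5)]},
    {"inputs": ["A2", "A3"], "outputs": [("C1", 2), ("A1", 1)]},
    # CoinJoin-like: three payers, three equal-valued outputs
    {"inputs": ["A3", "D1", "E1"], "outputs": [("X1", 1), ("X2", 1), ("X3", 1), ("D2", 4)]},
    {"inputs": ["D1", "D2"], "outputs": [("F1", 3)]},
]
TAGS = {"A2": "ExampleExchange"}

def looks_like_coinjoin(tx, min_equal=3):
    """Simplified filter (assumption): many inputs and many equal-valued outputs."""
    counts = defaultdict(int)
    for _, value in tx["outputs"]:
        counts[value] += 1
    return len(set(tx["inputs"])) >= min_equal and max(counts.values(), default=0) >= min_equal

def cluster_addresses(txs, filter_coinjoin=True):
    """Union-find over addresses that are co-spent as inputs of one transaction."""
    parent = {}
    def find(a):
        parent.setdefault(a, a)
        while parent[a] != a:
            parent[a] = parent[parent[a]]  # path halving
            a = parent[a]
        return a
    for tx in txs:
        for addr in tx["inputs"] + [o for o, _ in tx["outputs"]]:
            find(addr)  # register every address, even if never merged
        if filter_coinjoin and looks_like_coinjoin(tx):
            continue  # co-spending here does not imply common control
        root = find(tx["inputs"][0])
        for addr in tx["inputs"][1:]:
            parent[find(addr)] = root
    clusters = defaultdict(set)
    for addr in parent:
        clusters[find(addr)].add(addr)
    return list(clusters.values())

def attribute(clusters, tags):
    """Give every address the tags found anywhere in its cluster."""
    result = {}
    for cluster in clusters:
        labels = sorted({tags[a] for a in cluster if a in tags})
        for addr in cluster:
            result[addr] = labels
    return result
```

Calling `cluster_addresses(TXS, filter_coinjoin=False)` merges the unrelated payers of the CoinJoin-like transaction into the tagged cluster, which is the false attribution the filter is there to prevent.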

The product GraphSense

The current GraphSense implementation (release 0.4) consists of several components: a utility for extracting transaction data from the blockchain, a data transformation pipeline built on Apache Spark, a data storage backend exposing a REST API, and an initial Web interface, which supports users in the following tasks:

  • Search address graph: using a Google-like search interface, users can search for cryptocurrency addresses.
  • Explore and traverse transaction graph: all entities (blocks, transactions, addresses) are exposed as first-class resources identified by a unique URI. Relationships between entities are represented as HTTP links.
  • Inspect address cluster: each address is assigned to a cluster, which can be further inspected.
  • Explore address graph: for each address, GraphSense displays a reduced ego-net graph, which allows users to inspect and traverse the address graph.

How can GraphSense and TITANIUM help?

We have developed hands-on cryptocurrency analytics exercises, with which users can learn step by step how to use GraphSense to inspect cryptocurrency ecosystems. The exercises introduce the main functionalities of the tool and how it can be applied for specific analyses that are relevant for LEA investigations.

GraphSense can also be applied in hands-on training for cybercrime specialists who need an introduction to specific aspects of blockchain, cryptocurrencies and the dark web. In particular, GraphSense can be used to analyze events in cryptocurrency blockchains, e.g. Bitcoin, which are related to crimes such as embezzlement, money laundering, hacking, and ransomware. In addition to explaining how cryptocurrency addresses are clustered, GraphSense can be used to demonstrate how cybercrime prosecutors can operate.

For more information about GraphSense, please contact us.