Bitcoin's blockchain provides inalterable evidence, stored on thousands of computers, of every Bitcoin transaction that's ever taken place. Many of the transactions recorded on that distributed ledger are crimes: Billions of dollars in stolen funds, contraband deals, and paid ransoms sitting in plain sight, yet obscured by unidentifiable Bitcoin addresses and, in many cases, tangles of money laundering.

But a group of Cambridge cybersecurity researchers now argues that one can still distinguish those contraband coins from the legitimate ones that surround them, not with any new technical or forensic technique, but simply by looking at the blockchain differently—specifically, looking at it more like an early 19th century English judge.

View more

In a paper published last week, the Cambridge team argues for a new way of tracing “tainted” coins in the blockchain, particularly ones that have been stolen or extorted from victims and then sent through a series of transactions to hide their ill-gotten origin. Rather than try to offer any new detective tricks to identify the source of a Bitcoin transaction hiding behind a pseudonymous address, their idea instead redefines what constitutes a dirty bitcoin. Based on a legal precedent from an 1816 British court decision, they posit that the first coin that leaves a Bitcoin address should be considered the same coin as the first one that went into it, carrying with it all of that coin's criminal history. And if that coin was once stolen from someone, he or she may be allowed to claim it back even after it has passed through multiple addresses.

'One unlucky person is going to end up holding the stolen bitcoin.' Ross Anderson, Cambridge University

The Cambridge researchers have gone so far as to code a proof-of-concept software tool, which they plan to release later this year, that can scan the blockchain and, starting from known instances of Bitcoin theft, theoretically identify the same tainted coins, even if they’ve hopped around the blockchain for years.

“The software we’re going to publish will let you know whether your favorite bitcoin was ever owned by Ross Ulbricht or Mt. Gox,” says Ross Anderson, the Cambridge computer science professor who leads the research group, referring to the convicted administrator of the Silk Road Bitcoin drug market and the first major Bitcoin exchange Mt. Gox, which went bankrupt in 2014 after being robbed of 850,000 bitcoins. “What we’re providing is software that’s very much better than anything that went before at tracing stolen property that happens to be a cryptocurrency, or if you wish, drug money or the proceeds of money laundering.”

Defining Dirty Money

Tracing bitcoins has long been easy in theory: The blockchain's public record allows anyone to follow the trail of coins from one address to another as they're spent or stolen, though not always to identify who controls those address. But that tracing becomes far dicier when Bitcoin users put their coins through a "mix" or "laundry" service—sometimes in the form of an unregulated exchange—that jumbles up many people's coins at a single address, and then returns them to confuse anyone trying to trace their path. In other cases, users bundle together their transactions through a process called Coinjoin that gives each spender and recipient deniability about where their money came from or ended up.

For companies like Chainanalyis, Coinfirm, and Ciphertrace that offer to trace stolen or "tainted" coins—and who generally don't make their methodology public— that leaves limited options. They can either treat any coin that comes out of a mix that includes tainted coins as fully "dirty," or more reasonably, average out the dirt among all the resulting coins; put one stolen coin into a mix address with nine legit ones, and they're all 10 percent tainted. Some academics have called this the "haircut" method.

But Anderson argues that haircut tracing quickly leads to enormous parts of the blockchain being a little bit tainted, with no clear answers about how to treat an infinitesimally unclean coin. Often the fraction can be so small it has to be rounded up, leading to artificial increases in the total "taint" recorded.

But when Anderson mentioned this problem in January to David Fox, a professor of law at Edinburgh Law School, Fox pointed out that British law already provides a solution: An 1816 precedent known as Clayton's Case, which dealt with who should be paid back from the remaining funds of a bankrupted financial firm. The answer, according to the presiding judge, was that whoever put their money in first should take it out first. The resulting first-in-first-out—or FIFO—rule became the standard way under British law to identify whose money is whose in mixed-up assets, whether to resolve debts or reclaim stolen property.

Unmixing Coins

So Anderson and his team of researchers started to consider what that rule would look like applied to Bitcoin's blockchain. Mix up a dirty coin and nine clean ones in a laundry address or exchange, and all 10 coins that came out would be defined by the same order they went in—even if that order was just a millisecond's difference in which transaction was written to the blockchain's record first. If the first bitcoin to go into the mix were stolen, the first to come out of the mix would be considered that same coin, and thus still stolen. "It allows us to see through the great majority of the algorithms people use to try and mix and obscure the origins of bitcoin transactions," says Anderson.

And doesn't that essentially make bitcoin laundries into reverse lottery systems, where an arbitrarily chosen person ends up holding a stolen coin that might be claimed back by a theft victim? Anderson argues that the principle has worked for centuries as part of British law. And if innocent users end up having their coins claimed as stolen property, they'll quickly learn to stay away from Bitcoin laundries and shady exchanges. "One unlucky person is going to end up holding the stolen bitcoin," Anderson says. "If you’re not the person who went in with the stolen bitcoin in the first place, you’re never going to play that game."

When the researchers tried out their FIFO analysis on Bitcoin's actual blockchain, they found that in massive thefts—like the 2012 heist that took 46,653 bitcoins from the cloud provider Linode, or the 2014 theft of 896 bitcoins from bitcoin "bank" Flexcoin—they could create far tidier answers about where those stolen coins ended up than the haircut method could. Using the FIFO method, they linked the Linode haul to fractions of tainted bitcoins at around 372,000 addresses, compared with 2.7 million tainted bitcoins with the haircut method. (The latter number would mean a single theft had tainted nearly 5 perceent of the whole blockchain, the researchers point out.) For the Flexcoin attack, they traced fractions of the stolen coins to just 18,000 accounts, compared with 1.4 million using the haircut system.

Accountability at a Cost

For the Cambridge researchers' technique to be put into practice, of course, it would have to be adopted by the people who actually make the rules about what constitutes a tainted bitcoin—governments around the world, or at the very least, Bitcoin exchanges or banks trying to avoid handling dirty money. But simply by publishing the results of their FIFO blockchain, as they plan to do later this year, the researchers may influence how those power brokers determine which coins they consider tainted.

If their system is adopted, it would come at a price, argues Sarah Meiklejohn, a professor of cryptography and security at the University College of London. "It basically destroys all privacy solutions for Bitcoin," Meiklejohn says simply. After all, innocent users sometimes put their bitcoins through laundries, too, to keep their legal but sensitive transactions private. "The default level of anonymity in Bitcoin is not very high, and there are legitimate reasons for people to want to make it higher. It’s not a good thing for everyone to have no anonymity."

'It basically destroys all privacy solutions for Bitcoin.' Sarah Meiklejohn, University College of London

The legal basis for FIFO, particularly in the US, also isn't quite as simple as the Cambridge researchers describe, says University of Texas law professor Andrew Kull. In some cases, judges instead use pro rata tracing—the haircut approach in which all the mixed accounts hold a proportional amount of the tainted assets—or a technique called "Jessel's Bag," which takes money from guilty parties before innocent ones.

And how ownership tracing works in practice can depend on myriad factors like the statutes of a particular state, the decisions of a judge, and whether the asset is defined as money or as a commodity, which is hardly a simple question in the case of Bitcoin. FIFO is "just a convention. It doesn’t have any inner logic to it at all," Kull points out. "It's arbitrary, but it’s as good as anything else between two people who are innocent."

Arbitrary as it may be, FIFO does have hundreds of years of legal history behind it, the Cambridge researchers argue. And given how powerful it may be as a mechanism for sorting out mixed-up bitcoins, it could be only a matter of time until someone applies that precedent to try to claim their stolen stash.

"Some people will sue regulated Bitcoin exchanges and say, 'You’ve been receiving stolen goods and they were mine. Kindly compensate me,'" Anderson says. "When the first such case hits a sufficiently senior court for it to set a precedent, that will be of enormous importance to the entire cryptocurrency world."

Attack the Blockchain