The Bitcoin whitepaper specifies the risks of revealing owners of addresses. It states that “if the owner of a key is revealed, linking could reveal other transactions that belonged to the same owner.” Five years later, we have seen many projects which look at de-anonymising entities in Bitcoin. Such projects use techniques such as address tagging and clustering to tie many addresses to one entity, making it easier to analyse the movement of funds. However, this is not only limited to Bitcoin but also occurs on alternative cryptocurrencies such as Zcash and Monero. Thus tracing transactions on-chain is a known and studied problem.

But we have recently seen a shift towards entities performing cross-currency trades. For example, the WannaCry hackers laundered over $142,000 in Bitcoin from ransoms across cryptocurrencies. The issue here is that cross-chain transactions appear to be indistinguishable from native transactions on-chain. For example, to trade Bitcoin for Monero, one would have to send the exchange bitcoin, and in return, the exchange sends the user some coins in Monero. Both these transactions occur on separate chains and do not appear to be connected, so the actual swap is obscured. This level of obscurity can be used to hide the original flow of coins, giving users an additional form of anonymity.

Thus it is important to ask whether or not we can analyse such transactions and the extent of the analysis possible, and if so, how? In our paper being presented today at the USENIX Security Symposium, we (Haaroon Yousaf, George Kappos and Sarah Meiklejohn) answer these questions.

Our Research

In summary, we scraped and linked over 1.3 million transactions across different blockchains from the service ShapeShift. In doing so, we found over 100,000 cases where users would convert coins to another currency and then move right back to the original one, identified a Bitcoin address associated with CoinPayments.net as a very popular service for users to shift to, and saw that scammers preferred shifting their Ethereum to Bitcoin and Monero.

We collected and analysed 13 months of transaction data across eight different blockchains to identify how users interacted with this service. In doing so, we developed new heuristics and identified various patterns of cross-currency trades.

What is ShapeShift?

ShapeShift is a lightweight, non-custodial cross-currency service that allows users to directly trade coins from one currency to another (a cross-currency shift). The service acts as the entity that facilitates the entire trade, allowing users to essentially swap their coins with its own supply. ShapeShift and Changelly are examples of such services.

For example, you can easily trade your Bitcoin for some Zcash, and vice versa. It works as a four-step process:

1. Select the type of coin you have and the coin you want to receive.
2. Give them the address where you want your output coins to be delivered. The website then presents you with an address where you can send your coins.
3. Send them your coins.
4. Upon receiving and confirming your input coins (with some background checks), they proceed to send the converted equivalent (minus any fees) to your address.

On the blockchain, this appears as two separate transactions. For example, if you want to trade between Bitcoin and Zcash, there will be two transactions, one on each chain.

Our work aims to find the link between the shifts, in order to trace the coins as they move cross-chain.

General Statistics

We scraped over 2.8 million transactions for 13 months from ShapeShift’s official API. We analysed the top 8 coins (Bitcoin, Bitcoin Cash, Litecoin, Dogecoin, Dash, Ethereum, Ethereum Classic and Zcash) which accounted for 2.3 million trades.

Tracking Cross-Currency Activity

The first step of our analysis was to identify the ShapeShift transactions on both of the blockchains involved.

We scrape the API for transactions

We search the blockchains for matching transactions

We start by identifying the deposit of coins from the user to the service on the blockchain. In the example above, the user sent ‘0.51…’ bitcoin, so we search the chain for transactions with this value close to the timestamp. Above we find such an example.

We feed this into the API and obtain the corresponding output.

We then feed the suspected output address into the ShapeShift API; if this is valid, the API will provide us with the corresponding output transaction.
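The matching procedure described above, sketched as an added example (it is not the paper's code). The time window, the record fields and the `api_lookup` callable standing in for the ShapeShift API query are assumptions, and all sample data is constructed.

```python
from dataclasses import dataclass
from decimal import Decimal

# Assumption: the page states no tolerance; 10 minutes is illustrative.
WINDOW_SECONDS = 600

@dataclass(frozen=True)
class ApiShift:            # one record scraped from the service's API
    cur_in: str
    cur_out: str
    amount: Decimal        # deposit amount in cur_in
    timestamp: int         # Unix time reported by the API

@dataclass(frozen=True)
class ChainOutput:         # one transaction output on the cur_in chain
    txid: str
    address: str
    value: Decimal
    block_time: int

def candidate_deposits(shift, outputs, window=WINDOW_SECONDS):
    """Outputs carrying exactly the shifted amount near the API timestamp."""
    return [o for o in outputs
            if o.value == shift.amount
            and abs(o.block_time - shift.timestamp) <= window]

def confirm_deposit(shift, outputs, api_lookup):
    """Return (deposit output, API record) for the first confirmed candidate."""
    for out in candidate_deposits(shift, outputs):
        record = api_lookup(out.address)   # hypothetical stand-in for the API query
        if record and record["cur_out"] == shift.cur_out:
            return out, record
    return None                            # value and time alone prove nothing

# Constructed sample data, not taken from the paper's dataset.
SHIFT = ApiShift("BTC", "ZEC", Decimal("0.25000000"), 1_540_000_000)
OUTPUTS = [
    ChainOutput("tx-a", "addr-unrelated", Decimal("0.25000000"), 1_540_000_120),
    ChainOutput("tx-b", "addr-deposit", Decimal("0.25000000"), 1_540_000_300),
    ChainOutput("tx-c", "addr-late", Decimal("0.25000000"), 1_540_009_000),
    ChainOutput("tx-d", "addr-other", Decimal("0.25000001"), 1_540_000_200),
]
FAKE_API = {"addr-deposit": {"cur_out": "ZEC", "out_txid": "zec-tx-1"}}
```

Two outputs match on value and time here, which is why the API confirmation step is needed before a deposit is linked to its payout.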

Results

The main outcome was that we found it is possible to identify a large percentage of ShapeShift transactions cross-chain. This allowed us to take the analysis a step further and identify patterns of usage. Our interest in these particular patterns of behaviour was largely based on the role they play in tracking money as it moves across the ledgers of different cryptocurrencies, and in testing the validity of the implicit assumption made by criminal usage of the platform: that ShapeShift provides additional anonymity beyond simply transacting in a given currency.

Passthrough

A pass-through transaction represents the full flow of money from the input to the output currency. This forms the cross-chain link which could represent the user converting their coins or perhaps paying someone while using ShapeShift as an intermediary.

For the best case, Zcash, we traced over 90% of cross-chain transactions. For the worst case, Bitcoin, we found 76% of cross-chain transactions.

U-turn

U-turns are two distinct transactions which occur both close in time and value. The output value of the first shift is compared with the input value of the second. This is an important metric as it helps us follow the movement of coins and finds users who either used the same coin or same address between shifts.

From our dataset, we found over 107,000 transactions which were close in proximity, but looking into them further revealed that over 10,000 had re-used an address where they had received coins, and just over 1,100 re-used the exact same coins.

Round-trips

Round-trips are similar to U-turns, in that we look for two shifts that are close in both time and value. However, we only use one identifier, whereby the original sender of BTC is the same address as the one receiving the money in the second shift.

We found over 95,000 transactions, of which 10,490 returned coins to the same address. The advantage over the U-turns here is that identities in both of these transactions are known.
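One reading of the U-turn and round-trip definitions above, as an added example that is not the paper's code. The thresholds, field names and label strings are assumptions, the sample shifts are constructed, and the "exact same coins" check is left out because it needs per-output chain data.

```python
from collections import namedtuple
from decimal import Decimal as D

# Assumptions: the page states no thresholds; these values are illustrative.
MAX_GAP = 1800              # seconds allowed between the two shifts
MAX_REL_DIFF = D("0.01")    # relative difference allowed between the values

# sender pays the service on the cur_in chain; recipient is paid on cur_out.
Shift = namedtuple(
    "Shift", "cur_in cur_out sender recipient amount_in amount_out time")

def is_uturn(a, b):
    """b deposits, soon after a, about what a paid out, in a's output currency."""
    if a.cur_out != b.cur_in or not 0 <= b.time - a.time <= MAX_GAP:
        return False
    return abs(a.amount_out - b.amount_in) <= MAX_REL_DIFF * a.amount_out

def classify(a, b):
    """Heuristic labels satisfied by the ordered pair of shifts (a, b)."""
    if not is_uturn(a, b):
        return set()
    labels = {"u-turn"}
    if a.recipient == b.sender:            # coins left the address that got them
        labels.add("u-turn:address-reuse")
    if a.cur_in == b.cur_out:              # back in the original currency
        labels.add("round-trip")
        if a.sender == b.recipient:        # and back at the original address
            labels.add("round-trip:same-address")
    return labels

def find_pairs(shifts):
    """Map (i, j) index pairs, in time order, to their non-empty label sets."""
    ordered = sorted(shifts, key=lambda s: s.time)
    pairs = ((i, j, classify(a, b)) for i, a in enumerate(ordered)
             for j, b in enumerate(ordered) if i < j)
    return {(i, j): labels for i, j, labels in pairs if labels}

# Constructed sample shifts, not taken from the paper's dataset.
SHIFTS = [
    Shift("BTC", "ETH", "btc-A", "eth-X", D("0.5"), D("10"), 0),
    Shift("ETH", "BTC", "eth-X", "btc-A", D("9.95"), D("0.49"), 600),
    Shift("ETH", "ZEC", "eth-Y", "zec-Q", D("10.05"), D("30"), 900),
    Shift("ETH", "BTC", "eth-Z", "btc-B", D("10"), D("0.5"), 5000),
]
```

The third shift pairs with the first on time and value alone, with no shared address, which shows how much weaker the proximity-only match is than the address-based ones.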

Ethereum Scams

As of January 2019, EtherScamDB (a website which collects and lists Ethereum addresses involved in scams) had over 6,000 scams with nearly 2,000 associated addresses. We found that 194 of these addresses had been involved in 853 transactions to ShapeShift, of which 688 had been marked as ‘complete’. Across these completed transactions, 1,797 ETH was shifted to other currencies: 74% to Bitcoin, 19% to Monero, 3% to Bitcoin Cash, and 1% to Zcash. The scams which successfully shifted the highest volumes belonged to trust-trading and MyEtherWallet scams.

Trust-trading is a scam where users send coins to prove the legitimacy of their addresses, after which the traders “trust” their address and send back higher amounts (whereas in fact, most users send money and simply receive nothing in return). This type of scam shifted over 918 ETH, the majority of which was converted to Bitcoin (691 ETH, or 75%).

We identified one address, associated with a trust-trading scam, that participated in 34 distinct round-trip transactions, all coming back to a different address from the original one. All these transactions used Bitcoin as curOut and used the same address in Bitcoin to both receive and send coins; i.e., we identified the u-turns in Bitcoin according to our address-based heuristic.

Privacy Coins

We looked at whether users make use of the features provided by privacy coins within their transactions, specifically focusing on Dash and Zcash.

In Zcash, the privacy feature is the shielded pool. Users who interact with this pool are able to hide information relevant to their transaction such as senders, recipients and values. The amount of information hidden depends on the type of transaction committed.

We looked at a number of interactions but for brevity mention only one in this blog post: the case of a user sending money directly from the pool to ShapeShift. In terms of the privacy guarantees, this means the sender of the coins is hidden. We found 3,808 transactions of this type, whose value today is equal to 774,000 USD.

For more case studies, such as StarScape Capital’s scam, trading bots and other usages of Zcash and Dash privacy features, please see our paper.