Exchange Blog Cryptocurrency Blog
Search the Community
Showing results for tags 'advisorbm-osint'.
-
In today's world, most cybercrimes are committed with the use of Bitcoin wallets. Laundering, Hacking, Blackmail, etc. That's why I decided to write an article on identifying the owner of a BTC Wallet. It's trivial, but it's important. The easiest thing you can do when trying to figure out the owner of such a wallet is to look at its transactions thanks to blockchain. A blockchain is a database with transactions consisting of a sequential chain of digital blocks, each block storing information about the previous block and the next block. To view transactions, we can use a simple blockchain explorer WalletExplorer. Transaction Visualization and Analysis To visualize Bitcoin-Wallet transactions I can recommend you the service OXT.ME, as the service I used before for the same purpose (Crystal Explorer) has been disabled for several weeks now. OXT is only available to PC users, with a minimum screen extension of 1280*520 pixels, which to me seems justified. Sometimes, the graphics get so big that it will be difficult to understand something from a phone or tablet. Service will be available to you immediately after registration. There is also an analogue of the aforementioned service, Blockpath. Personally for me, it is not as convenient as OXT, but as they say to taste and color there is no comrade, so a little talk about this service. Here, too, certainly has its advantages, the tab "Accounts", for example, which shows a detailed report on the last transaction. Blockpath has no screen resolution limitations and registration is not required. Looking for linked wallets Analyzing transactions, it is possible to find certain patterns in user's transfers, for example, we can notice that a person once a month sends money to a certain address, this is the same pattern. Let's analyze different patterns: - Subscription payment. The user sends a fixed amount of money every month/year/day etc. Perhaps he is paying for a subscription on some service. This can be checked by googling the wallet to which the funds are sent, most likely, as a result you will get a link to pay for a web resource. - Payment for work, or blackmail If you see a fixed amount of money being sent each month/year/day, we can assume that this is payment for work, especially if the recipient's bitcoin wallet is similar to a personal one. It could also be blackmail, it's hard to tell the difference. If the amount is not fixed and $150 is sent in one month and $200 in the second, it could be blackmail, of course, it is impossible to say for sure. - Distribution of funds If we see that the owner of a wallet irregularly and chaotically sends large amounts of money to another wallet, we can assume that he is distributing funds between his wallets. - Bitcoin Mixer applied Bitcoin Mixer is an anonymizing service that makes it much more difficult to track Bitcoin transactions. When a user sends a transaction through it, the mixer breaks it down into many small pieces and then mixes it with other people's transactions so that not a single "piece" of the original transaction remains in a particular user's transfer. If you see that a certain amount of money has been sent to different wallets over a period of time, a mixer has probably been used. By using a bitcoin mixer, the user is trying to hide something from the public, usually money laundering. Tracing such a transaction is extremely difficult and will take you some time. Feedback sites There are special sites that contain a database of complaints about Bitcoin-Wallets scammers, hackers, blackmailers, etc. Bitcoin Abuse This is the most popular complaint service for Bitcoin-Wallets, the service allows you to leave a tag and write your own review. Checkbitcoinadress Shows the balance in euros, dollars and BTC, finds the possible owner, mentions on the Internet and on forums, as well as other information. And, of course, it shows complaints, tags and countries of the person who complained. Traceer In principle, the service is no different from the first, but there may be complaints that are not in the other reviews I will not go on to list the other reviews, because there are so many of them. You can find them by searching on Google Check the wallet for suspicious activity and "dirty money". Services showing bitcoin wallet scoring will help us. Scoring is a system of evaluation, which helps financial institutions to predict payment discipline of people, who applied for a loan. The service I use most actively AMLBot. The service shows trust score and describes cryptocurrency activity in a detailed report, based on its own algorithms. The pluses are that it is all in the form of Telegram-Bot, and the minuses are that the service is paid. Well, if you are not ready to pay money for scoring, then BitRank for you. This service will show you trust score without registration and payment. Of course, there will not be a detailed description of cryptocurrency activity, but there will be a score from 0%-100%. Search the Internet What is the first thing you will do when faced with the task of figuring out the owner of a BTC-Purse? That's right - google him. As a result, you can get mentions on forums, mentions on websites, maybe someone left a wallet as payment details, or a donation. It is better to use different search engines, especially the ones listed below. Яндeкc , Google , DuckDuckGo (Resources with the .onion domain zone will be available.) You can also access Bing, Yahoo, Swisscows, etc. You can use Google-Dorking for a more efficient search. Google Dorking involves using advanced operators in the Google search engine to search for specific strings of text in search results. You can use banal "BTC-wallet" to sift out unnecessary results, or more advanced, but still banal "BTC-wallet" site:Interesting site, it will help determine the involvement of your site to the wallet. Or, you can use more advanced search methods and use with this cheat sheet. By following this link you can observe 15 thousand Google Dorks designed for BTC-Wallets. Of course, it will take a lot of time to try them all, so you can use only those that interest you. Monitoring cryptocurrency wallets It is possible to track the activity of purses through specialized services. One of these services is, Cryptocurrencyalerting. The service will send you a message about decreasing, increasing amount of money in this crypto-wallet. So there is a function that will notify about any crypto-wallet activity. The service allows you to notify about the action in any way you want. With a message in Telegram, phone call, push notification, etc. There is also a service cryptotxalert, with similar functionality. Of the pluses here, the fact that you can set the amount of money, and when you top up your wallet to this amount of money, you will receive a notification. The message comes in the form of push notification and no more, if in the previous service, you can get a notification in ten convenient ways, then there is only one way. Well, if you are too lazy to do the investigation yourself, or at this point you do not have enough experience, just turn to the professionals, and evil will be punished! Original article>>> #Osint_Cryptocurrency #Osint2023 #osint-scammer #example-osint #osint-exploration #AdvisorBM-osint
-
- osint_cryptocurrency
- advisorbm-osint
- (and 3 more)
-
Original text and other information on OSINT is available at>>>> His nostrils were permanently flared, as though he sniffed invisible winds of art and commerce. William Gibson, "Count Zero" In this article I will show: How, using the basics of financial investigation and OSINT, we can prove the affiliation of cryptocurrency addresses How by analyzing the transactions of two or more ETH addresses, we can aggregate them into a cluster (i.e. multiple addresses controlled by the same entity) How the attacker's economic activity dataset changes once the addresses are clustered together Let's get started! The most popular onchain detective ZachXBT once posted the following tweet For those unfamiliar with English, let me explain. Using a phishing site, a hacker gained access to the victim's address and stole 3 ERC-721 tokens (NFT). Immediately after the theft (i.e. after sending the tokens from the victim's address to his address, 0x864875aef79B107221bEE89C8ff393BD2B666d96) the hacker sold the NFT on the marketplace Opensea.io. The criminal profits were then laundered through the Tornado.Cash mixer. While our hands are itching to get the target address into https://etherscan.io sooner rather than later, we'll stop on the shore and turn to the theory. The criminal first stole and then sold tokens that use the Ethereum blockchain infrastructure. In order to operate the tokens, you need some amount of cryptocurrency to pay transaction fees. In our case it is the Ethereum blockchain, which means you need some ETH to send tokens or sell them. Let's try to find out where the hacker's address 0x8648... ETH he needed to pay commissions came from. This line of enquiry is called a source search Open Etherscan, insert the address, see the first transactions. They will be right at the bottom of the page. And here are the ones we need: 1, 2. The sender of the funds in the transaction table is always shown on the left of the IN (incoming transaction) or OUT (outgoing transaction) bar So, we have identified the source of the funds, which is address 0xA474cE48300D91334339fb5aDeF99A1B11B1cfe6. What can we extract from this information? In our case, the first address of the hacker, 0x8648... (aka Fake_Phishing5435 in the picture above) never received any funds before the transactions we detected. So address 0xa474... is the sponsor address (or funding address) with respect to the hacker address, or 0x8648..., or Fake_Phishing5435. Most often the sponsor address is affiliated with a target address. The owner of the sponsor address could be, for example, some customer who has paid for services with crypto. Or, for example, the sponsor address is operated by a cryptocurrency exchange whose services are used by the owner of the target address. But even more often, both the target address and the sponsor address have the same owner. Let's analyze the transactions of the sponsor address and try to figure out which option would be correct in our case. The most interesting direction in the case of the sponsoring address is to try to detect suspicious transactions (such as the theft of NFT). To do this, open the address in Etherscan.io and go to "ERC-721 token Txns", which is the section responsible for NFT transfers. We see four transactions, two incoming, two outgoing. The first NFT, Mutant Ape Yacht Club (MAYC), was sold half an hour after receipt. The second, Azuki, 9 (!) minutes later. Seems suspicious to me! But how do we prove that these transactions are not a normal sale, but a real theft? By the consequences! In order to sell MAYC, you have to contact the Opensea marketplace's smart contracts. When you interact with them, the marketplace will automatically generate a profile for you, accessible via a link like "https://opensea.io/ETH_Address". I should also add that Opensea.io actively cooperates with law enforcers and also actively assists victims. In case of hacking, the stolen tokens are blocked and the hacker's account is banned, making his profile inaccessible. Let's try to open the profile of address 0xa474... and examine the transaction history. To do so, go to https://opensea.io/0xA474cE48300D91334339fb5aDeF99A1B11B1cfe6. oops! the address was banned....... We now know two facts about the sponsor address: it transferred money to the hacker's address, which was then used as a commission, and also made questionable transactions with NFT, for which it was banned from Opensea.io. The target address also made questionable transactions with NFT and was banned from Opensea.io. Now let's find out where the criminally obtained coins were sent to. To do this, let's examine the transactions in chronological order and try to find the incoming transactions immediately after the sale of (possibly) stolen NFTs. In this way, we will determine the amount of criminally acquired funds. The transactions we are looking for are found in the Internal Txns section: The hacker received a total of 23.8 ETH. To do this, let's examine the transactions in chronological form and try to find the incoming transactions immediately after the sale of (possibly) stolen NFTs. Who else sent the stolen coins to address 0x945b...? Target address! Withdrawal transactions of stolen funds highlighted in yellow Let's find out what address 0x945b was used for... To do that, we again study the transactions in chronological order, we are interested in all incoming and outgoing transactions after the address received the stolen funds. Target email address (13 ETH) was the first one to receive the stolen funds. Next, address 0x945b accumulated presumably stolen funds from several other addresses, including the target address. The money was then, as ZachXBT wrote, withdrawn to the Tornado.Cash mixer The money sent to the mixer was grouped into two payments of 100 ETH, of which 125 ETH originally belonged to the target address, 13 ETH to the sponsoring address, and the remaining 62 ETH to other addresses. It turns out that either the hacker owns all five addresses and uses 0x945b as an intermediate point before money laundering, or the owner of 0x945b is a separate criminal (money launderer) whose services are used by several criminals at the same time. Let's briefly examine the other hacker addresses: as you can see from the graph, they too have interacted with NFT on Opensea. Let's use the old vetting method and... one of the addresses is in a ban on Opensea! The second address is not in the ban, but appears in the ZachXBT investigation. Here you can see the names and faces of our heroes, the dangerous cybercriminals. Mathys and Camille together Well here comes our friends Mathys and Camille from romantic France shitting themselves hard by posting a screenshot of one of their profiles on Opensea with previously stolen NFTs on their personal Twitter. This profile appears in our investigation, on the graph is address 0x5bb51... Admittedly, I even got a little upset at this stage. How is it, we've only just started and they've already found everyone for us! But I decided not to dwell on Mathis and Kamila and go a bit further and try to add new factors to my investigation. Back to the sponsor address. The sponsor address, like most addresses on the Ethereum network, has its own sponsor address (pardon the recursion). Let's find it! This time the sponsor address is signed in the block browser as Fake_Phsihing5099. Comments about the affiliation of all the addresses appearing in the investigation seem to me to be redundant with: Having discovered the new sponsor address I decided to go towards the final destination of the funds and figure out exactly where Fake_phishing5099 was sending the dirty money. After looking through all the transactions, I found an interesting address 0x27429f480a3E2a69D7E4D738EBc54AeB4096eb43. The owner of this address, according to a thread on epicnpc.com, is spamming in Discord (Discord is where many of the victims received the phishing links). Diwan Nuri (judging by the content of the thread, that's the name of the address owner) was so far-sighted and wise that he registered the forum account with his personal email. This wasn't enough, so he decided to screw one of his potential clients by sending them his ETH address in addition to the email. According to the record we found, Diwan graduated from German Aletta-Haniel-Gesamtschule and now earns his living by spamming and scamming. So, after studying 6 cryptocurrency addresses and their transactions, we found out that: 5-6 of the addresses in question were communicating with NFT. 4 six analyzed addresses were involved in illegal activity and got banned at Opensea 4 six investigated addresses were "skimming" for the withdrawal of funds to the Tornado.Cash mixer 2/six of the addresses have been implicated in existing investigations 6 addresses have close economic ties The couch is not as simple as it looks! In my opinion, the discovered facts are enough to merge the addresses into a cluster. Which addresses do we merge: Target address 0x864875aef79B107221bEE89C8ff393BD2B66d96 Target Address 0xA474cE48300D91334339fb5aDeF99A1B11B1cfe6 Hackers' complementary address #1 0x38dB16DA44A61560e04E94DCb71c3E64Aa94d318 Hackers secondary address #2 0x5bb5180D8b84d754F56e2BC47Dc742d0f5Ac37FE The laundering address 0x945b4a77649Ebe89eABAf03F78A0C8993f99bd41 Fake_Phishing5099 0xdE09020653cA303CFC143d23A18183299558065F What can we learn after clustering the addresses together? First, our 'friends made about $1.7M on such a scam. One million was sent to the Tornado.Cash mixer. Second, just over $300k went to centralised exchanges (those with KYC procedures, cooperating with law enforcement, etc.). $285k went to Coinbase. Thirdly, we will get a much more detailed list of counterparties of this criminal group, which (as in the case of Couch, for example) can lead to interesting findings. And it could help law enforcement to trace the stolen money back to exchanges and exchanges. Conclusions As you can see from the material above, cryptocurrency is far from always anonymous. By properly applying OSINT and financial investigation techniques and methods, as well as knowing the theory of cryptocurrency, even large thefts can be successfully investigated, let alone small ones like the one we discussed today. What can we do concretely? Look for the source of the funds (sponsor address) and the final destination of the funds. Analyse in detail the transactions of each address in question. We can cluster the addresses based on this data. This may be done either within the software you are using, e.g. Cheynalisis, or logically. If the software you have available does not support clustering, I recommend exporting the transactions of the addresses you want from Etherscan.io and then merging multiple tables into one. After aggregating the addresses into a cluster, in our case we were able to understand the approximate volume of the thefts committed and also find out information about which exchanges the money from those thefts was being withdrawn to. We also learned that around a million dollars had been withdrawn to Tornado.Cash, which is a ready-made money laundering charge in some jurisdictions! Original text and other information on OSINT is available at>>>>
-
- osint_cryptocurrency
- advisorbm-osint
- (and 3 more)