How to Do Blockchain Analysis: Case Study (Ethereum)

A Lesson in Blockchain Investigation
This piece was curated by the CEO and Owner of Zerononcense.
Recently, a friend contacted me and said,
“Hey! ProofofResearch! Have you seen these updates by ‘Whale Alerts’ in Telegram?”
Since I had not yet noticed any alerts from the bot thus far that day (May 25th, 2019), I responded ‘no’ and asked them what they were talking about.
They then replied by sending over the following string of messages (forwarded):


The text of the first message is the most important, so that will be transcribed below for the benefit of all readers:
“⚠️ 50 #ETH (12,552 USD) of stolen funds transferred from Laundered Cryptopia Hack to Unidentified Exchange
ℹ️ Address report limit increased to 100,000 USD”
However, it is the third message that piqued my curiosity the most.
Specifically, the third message states:
“The unidentified exchange is very likely Huobi again. Thanks to @chiachih_wu”
The fact that the ‘unidentified exchange’ was suspected to be none other than Huobi and that the message was implying that this was a recurring incident (via their use of the word ‘again’), gave me an itch to investigate the situation.
Another reason I was prompted to investigate this link was that I had previously posted a blockchain analysis revealing Huobi as a major conduit for money laundering in the crypto space.
That thread can be found below:
With all of this in mind, I felt compelled to do some investigative research on my own.
But this time, rather than barreling into the project head first, I decided that I would take the opportunity to use this case as a learning opportunity for those that are new to the world of blockchain investigation.
So this piece will serve as an exercise in blockchain investigation (alongside us actually investigating the nature of the transaction in question).
Beginning Our Blockchain Investigation
Step #1
The first thing we need to do is look at the actual transaction that was reported by Whale_Alerts.
You can find that here: https://t.co/aJgqZUydrU (https://whale-alert.io/transaction/ethereum/f4b2014bd3772632b15daa2393983d708f6925b9caf8ec15b545be17b34fce90)
That link takes us to this page. (Screenshot below)


From here, we’re going to go ahead and copy/paste the ‘Hash’. That’s the TX ID for the transaction in question.


Note: This site does contain a direct link to etherscan.io, but we’re not going to be lazy and click that because we want to get some good investigative practice in.
Moving Forward
If you’ve copied the hash, then you should have the following copied in your clipboard: f4b2014bd3772632b15daa2393983d708f6925b9caf8ec15b545be17b34fce90
Once that is done, open up a ‘notepad’ or some other place where you can take notes on the situation.
Do not skip this step above ^^^: If you don’t take proper notes while doing a blockchain investigation, then your investigation will be fruitless.
Once your notepad is open, notate the following:
The ‘Laundered Cryptopia Hack’ Address (0x59b9ae720c112a177f439b829bd6b51ca5aeafec)
The ‘Unidentified Exchange’ Address (0x59d6c2321ac30d641180464700f4f7100998dd15)
The Hash of the Transaction (0xf4b2014bd3772632b15daa2393983d708f6925b9caf8ec15b545be17b34fce90)
(Note the 0x prefix: the transcription above omits it, but explorers such as Etherscan display addresses and transaction hashes with 0x in front. Either form refers to the same address or transaction, so keep whichever you will be pasting into the explorer.)
The link where we got this information from (for future reference): https://whale-alert.io/transaction/ethereum/f4b2014bd3772632b15daa2393983d708f6925b9caf8ec15b545be17b34fce90
What Blockchain is This Transaction On? (Ethereum/Bitcoin/Litecoin?): Ethereum
Step #2
Now, continuing where we left off, we’re going to go to etherscan.io first and input the hash.
So, let’s put in ‘https://etherscan.io’ in our browsers.
If you’ve done so, you’ll end up at this screen:


From here, we’re going to put in the hash (if you took notes this is no problem for you)


If you have done this correctly and then hit, ‘Enter’, then you’ll notice that WhaleAlerts was correct in their transcription of the two involved addresses in this transaction.
Step #3
Now, let’s click on the recipient address.


That will take us here.


If you’ve followed all of the steps correctly — you’ll end up at the page displayed above in the screenshot.
Notice that there are only 11 transactions in this address.
So how could this be Huobi? (Don’t worry, we’ll get to our answer soon)
Brief Recap on Deposit Addresses
Recently, Zerononcense covered the concept of ‘Deposit Addresses’, ‘Hot Wallet Addresses’, and ‘Cold Wallet Addresses’ in full in the Zerononcense Telegram.
Key Things to Remember
A) Deposit Addresses can receive funds from anyone, but in nearly every case they send funds to the same outgoing address in every outgoing transaction.
B) Usually all of the funds sent into this wallet are sent out of it almost immediately afterward. Example: If you were to send 5 $ETH to this address, it would then send out 5 $ETH to the address we mentioned in ‘A’ (the constant outgoing address).
C) Because of ‘A’ and ‘B’, the balance of these wallets is almost always zero (perhaps with some dust left over in certain instances).
D) The address we mentioned in ‘A’ should be a BIG address (i.e., a hot wallet address for an exchange/service of some sort).
E) [Non-Criteria] Deposit Addresses are created by exchanges for customers, and as a matter of sound practice customer deposits are almost always swept to hot wallet addresses. Cases where a customer deposit address at an exchange sends directly to a cold wallet address are rare; doing so would be illogical, inefficient and unsafe.
With all of the above in mind, let’s go ahead and take another look at this wallet that was labeled as ‘Huobi’ by ‘Whale Alert’ and see if it fits any of the above criteria for a deposit address.
Evaluating Criteria ‘A’ for a Deposit Address (Check)


As can be seen in the picture above, all sends (withdrawals) from our target address [Unidentified Exchange] go to the same address, so we can check ‘A’ off our list.
Evaluating Criteria ‘B’ for a Deposit Address (Check)


We can cross off ‘B’ as well because all the incoming deposits are sent off as withdrawals to that address as well.
The deposits/withdrawal pairs are color coded for easier identification.
Evaluating Criteria ‘C’ for a Deposit Address (Check)


The balance of the ‘Unidentified Exchange’ is Zero (no funds), so we can check off ‘C’ on our list as well.
Evaluating Criteria ‘D’ for a Deposit Address (Check)
Evaluating this criterion is a bit more complicated because it requires a more intuitive judgment than what we did for ‘A’, ‘B’, and ‘C’ on our list.
Specifically though, we can validate ‘D’ by visiting 0x7ef35bb398e0416b81b019fea395219b65c52164 (this is the wallet that our suspected deposit address has sent all of its funds to).
Let’s see what we find there.
Exploring 0x7ef35bb398e0416b81b019fea395219b65c52164
Upon clicking this wallet on Etherscan (or visiting the link directly), we should see the following (note that this information is current to May 25th, 2019):


A cursory glance shows us that 0x7ef35bb398e0416b81b019fea395219b65c52164 more than likely belongs to an exchange of some sort.
The # of transactions shows that it probably is a hot wallet address as well.
However, before we state this for sure, let’s check.
How to Differentiate Between a Hot Wallet Address and a Cold Wallet Address
Many novice blockchain investigators make the assumption we made at the end of the previous section (“it probably is a hot wallet address”): that a wallet holding significant funds ($150M+ in this case) with a large number of transactions must automatically be a hot wallet of some sort.
But a few things about this wallet are ‘off’ and suggest that this may not be the case.
The $150M+ worth of Ether in this address is significantly more than any hot wallet usually holds or should be holding. Keeping that much of one’s funds at ‘risk’ in an online wallet that signs outgoing transactions constantly, in an environment where exchanges have a large target on their back that says “ROB ME!”, would be needlessly risky. A balance far above what is needed to service withdrawals is a red flag for the hot-wallet theory.
The screenshot we saw only showed incoming transactions, not outgoing ones. A normal hot wallet has numerous outgoing transactions (perhaps a few hundred in a given day), so seeing none on the first page is definitely worth noting.
So let’s look a little closer.
Viewing the Transaction History of Our Supposed ‘Hot Wallet’
The last 20 pages worth of transactions are all DEPOSITS into this address.


The screenshot above shows the wallet’s history going back to 3 days prior to this moment.
So we can rule out the idea of this being a hot wallet for any exchange: a wallet that services customer withdrawals cannot go 3 entire days without sending a single outgoing transaction (unless the exchange is having major issues or is insolvent).
So, let’s use Etherscan.io to check the last outgoing transaction. We do that by going back to the wallet’s main page, first.
Then, we do the following:




Click the ‘View Outgoing Txns’ option once it appears in the dropdown menu.
Once this is done, you should see the following (minus the markings that I made here to draw your attention to certain things):


An Astute Blockchain Investigator Will Notice The Following
A) There are 2,257 outgoing transactions in the wallet’s history, versus 68k+ incoming. Outgoing transactions make up only about 3.3% of the activity on this address.
B) The outgoing amounts are all significant, and in the visible screenshot there are only two distinct amounts: 20,000 Ether and 1,551 Ether. Round, repeated amounts like this look like periodic internal transfers, not customer withdrawals.
C) The last outgoing transaction was for 20,000 Ether on January 27th, 2019, nearly 4 months before the date of this investigation.
So at this point we can state conclusively that this is not a hot wallet of any kind. It is, however, a solid candidate for a cold wallet address of some sort.
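The deposit-address criteria (A through C above) and the hot-versus-cold tests just applied (share of outgoing transactions, time since the last send, number of distinct outgoing amounts) can be turned into a small classifier. The following is an added example written for this walkthrough, not code from the original post or from any explorer: it runs the checks over a transaction list of the shape Etherscan shows (sender, recipient, value, timestamp). The thresholds (24-hour sweep window, 0.5% value slack, 0.01 ETH dust, 30 idle days, 10% outgoing share) and all three sample histories are assumptions constructed for the demo, not chain data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


# One row of an address's transaction list, as shown on Etherscan's "Transactions" tab.
@dataclass(frozen=True)
class Tx:
    sender: str
    recipient: str
    value_eth: float
    when: datetime


# Thresholds are assumptions chosen for this example, not figures from the article.
SWEEP_WINDOW = timedelta(hours=24)  # a deposit should be forwarded within this long
VALUE_TOLERANCE = 0.005             # 0.5% slack between a deposit and its sweep
DUST_ETH = 0.01                     # a balance at or below this counts as "empty"
COLD_IDLE_DAYS = 30                 # no outgoing tx for this long rules out a hot wallet
COLD_OUT_RATIO = 0.10               # outgoing share of all txs below this looks cold
HOT_MIN_OUT = 10                    # a hot wallet sends at least this often in the sample


def split_direction(addr, txs):
    """Return (incoming, outgoing) lists for addr, each sorted by time."""
    addr = addr.lower()
    incoming = sorted((t for t in txs if t.recipient.lower() == addr), key=lambda t: t.when)
    outgoing = sorted((t for t in txs if t.sender.lower() == addr), key=lambda t: t.when)
    return incoming, outgoing


def sweeps_matched(incoming, outgoing):
    """Criterion B: every deposit is followed, within SWEEP_WINDOW, by an outgoing tx
    of (nearly) the same value. Each outgoing tx may satisfy only one deposit."""
    unused = list(outgoing)
    for dep in incoming:
        match = next((o for o in unused
                      if dep.when <= o.when <= dep.when + SWEEP_WINDOW
                      and abs(o.value_eth - dep.value_eth) <= VALUE_TOLERANCE * dep.value_eth),
                     None)
        if match is None:
            return False
        unused.remove(match)
    return bool(incoming)


def classify_role(addr, txs, balance_eth, now):
    """Label addr as a deposit address, hot wallet candidate, cold wallet candidate or unknown."""
    incoming, outgoing = split_direction(addr, txs)
    targets = {o.recipient.lower() for o in outgoing}
    report = {
        "A_single_target": len(targets) == 1,             # all sends go to one address
        "B_deposits_swept": sweeps_matched(incoming, outgoing),
        "C_empty_balance": balance_eth <= DUST_ETH,
        "sweep_target": next(iter(targets)) if len(targets) == 1 else None,  # check D there
        "in": len(incoming), "out": len(outgoing),
    }
    if report["A_single_target"] and report["B_deposits_swept"] and report["C_empty_balance"]:
        report["role"] = "deposit address"
        return report
    # Not a deposit address: decide hot vs cold by how often and how recently it sends.
    out_ratio = len(outgoing) / len(txs) if txs else 0.0
    idle_days = (now - outgoing[-1].when).days if outgoing else None
    report.update({"out_ratio": round(out_ratio, 3), "idle_days": idle_days,
                   "distinct_out_amounts": len({o.value_eth for o in outgoing})})
    if (idle_days is not None and idle_days <= 1 and len(outgoing) >= HOT_MIN_OUT
            and not report["C_empty_balance"]):
        report["role"] = "hot wallet candidate"
    elif (idle_days is None or idle_days >= COLD_IDLE_DAYS) and out_ratio < COLD_OUT_RATIO:
        report["role"] = "cold wallet candidate"
    else:
        report["role"] = "unknown"
    return report


# Constructed sample histories with fake addresses; none of this is real chain data.
NOW = datetime(2019, 5, 25, 12, 0, tzinfo=timezone.utc)
DEPOSIT, SWEEP, HOT, COLD = ("0x" + c * 40 for c in "dabc")


def customer(i):
    return "0x" + f"{i:040x}"


def sample_histories():
    deposit_txs, hot_txs, cold_txs = [], [], []
    for i, amount in enumerate([50.0, 12.5, 3.0]):      # 3 deposits, each swept 20 min later
        t = NOW - timedelta(days=5 - i)
        deposit_txs += [Tx(customer(i), DEPOSIT, amount, t),
                        Tx(DEPOSIT, SWEEP, amount, t + timedelta(minutes=20))]
    for i in range(40):                                 # cold: 40 inbound over 3 days ...
        cold_txs.append(Tx(customer(i), COLD, 100.0 + i, NOW - timedelta(hours=2 * i)))
    for i in range(2):                                  # ... and 2 large sends months ago
        cold_txs.append(Tx(COLD, "0x" + "e" * 40, 20000.0, NOW - timedelta(days=118 + i)))
    for i in range(20):                                 # hot: steady in/out flow all day
        hot_txs.append(Tx(customer(i), HOT, 5.0 + i, NOW - timedelta(hours=i)))
        if i < 15:
            hot_txs.append(Tx(HOT, customer(100 + i), 4.0 + i,
                              NOW - timedelta(hours=i, minutes=30)))
    return {"deposit": (DEPOSIT, deposit_txs, 0.0),
            "cold": (COLD, cold_txs, 600000.0),
            "hot": (HOT, hot_txs, 1500.0)}


if __name__ == "__main__":
    for name, (addr, txs, bal) in sample_histories().items():
        print(name, classify_role(addr, txs, bal, NOW))
```

The classifier deliberately stops at ‘C’ for a deposit address and hands back the sweep target, because criterion ‘D’ cannot be judged from the deposit address’s own history; you have to go and classify the target, which is exactly what the next section does by hand.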
So let’s do a little more digging.
How Do We Figure Out Who This Wallet Belongs To?
This is a great question and it essentially serves as the crux of our investigation.
Step #1 is to check the ‘comments’ on Etherscan.
Most of the time with big addresses you’ll just see people begging for free Ethereum in the comment section (which you’ll eventually come to find a nice, homely touch). But on a number of occasions you’ll come across an address that has been marked by blockchain investigators, myself and others, who label addresses for their own later validation and for the benefit of anyone curious about the wallet’s ownership.
So, let’s see what we can find.
In order to access the comment section of a particular wallet address, we’ll need to do the following:
#1 — Go back to the wallet’s main page


Once there, you simply click on the ‘comments’ tab to see if we can find anything fruitful.
Below is a screenshot of what can be seen:


This comment was added 6 hours ago.
So this is a good lead, but we can’t just take this person’s word.
Time for Google
Google is the most commonly used research resource in the world, yet it is often underestimated when it comes to figuring out information like this.
However, we’re going to consult Google to figure out if this lead will bear any fruit for us.
Specifically, the contributor in the comment section stated that the address is a “Huobi Global” address.
Using that information, we’re going to run a simple Google search and see what we find (because Google personalizes results based on everything it tracks about you, your results may differ slightly from the ones shown here).
It Appears ‘Huobi Global’ is Some Sort of New Huobi Product
The first lead I found was on the website, ‘CryptoBrowser’. The article in question is not specifically about Huobi Global, but it does mention that there was a new launch of a Huobi exchange in Russia in December 2018.
As it pertains to ‘Huobi Global’, the article states:
“Huobi Cloud allows the company’s partners to quickly establish stable and secure digital asset exchanges using Huobi’s system and expertise. The partners can also access Huobi Global’s wallet system, order matching system, clearing and asset management systems. Moreover, the partners will be able to share the Huobi’s market data, liquidity, and depth.”
Hmm, that’s interesting. Specifically, this statement draws intrigue:
“The partners can access Huobi Global’s wallet system…”
Does that mean that the person commenting was suggesting the wallet we came across on Etherscan is tied to the ‘Huobi Global Wallet’ system?
The above question serves as a pretty strong hypothesis, so we’ll keep that in our back pocket for the time being.
Let’s move forward and see what else we find.
Social Media for ‘Huobi Global’
Below is a link to the ‘Huobi Global’ Twitter account:
https://twitter.com/huobiglobal?lang=en
Dead Ends
While the information above is interesting and serves as food for thought, none of it gives us any specific leads. So we’ll need to look at the wallet interactions to see if we can source any clues that way.
Using ‘Bloxy’
If you’ve never heard of ‘Bloxy’ before, allow this to be your introduction.
Bloxy is an Ethereum blockchain explorer, like Etherscan.io.
The main difference is that Bloxy provides more in-depth metrics for addresses than we can feasibly get from Etherscan.io.
That doesn’t make Bloxy inherently ‘better’ than Etherscan.io; Etherscan.io is still the better place to go for cursory searches of Ethereum wallets.
So, here’s what we’re going to do:
Step #1
Visit https://bloxy.info/
That should take you to this screen:


Step #2
Input the wallet address (0x7ef35bb398e0416b81b019fea395219b65c52164) we’re looking to examine into the search bar on the homepage.


That will take us to this page:


Step #3
From here, we’re going to scroll down to the bottom of the page until we come across a panel called “Relations with other addresses”. It will be on the right side of the page:


Why We’re Interested in These Addresses
We want to know what’s going on with these addresses for a few reasons.
Below are a couple of those reasons:
A) If you’re in doubt about the identity of a wallet address, there is a lot that can be learned by looking at the addresses that it interacts with the most. Fortunately, Bloxy provides that information for us.
B) Not only can these addresses help us figure out the identity of our main address, it may also serve as a vital piece to the puzzle in figuring out what the purpose of the target address may be.
We Can See Some Significant Transfers Between the 10 Addresses Our Target Address Interacted With Most


Based on what we can see above, it should be evident that there is a pretty strong relationship between our target address and these 10 listed wallets.
Analyzing the Wallet Relationships
In order to analyze these wallet relationships, we’re going to start by listing the top 5 wallet addresses in the list (we should do the top 10, but we don’t want to make this investigative review too tedious).
The top 5 addresses that interacted with our target address (from most interactions to fewest) are:
0xf4f5dfc21e36da84001be2aa09fe2c87231ba666
0x16a101c7e9aecb1cc83a9af78cbaa938fea548c0
0x58a3a65a964369f3bb2ec535b26e81fb09187d95
0xf775a9a0ad44807bc15936df0ee68902af1a0eee
0x3061e2da9d2c013400de89e80dc6494eb7d727ec
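Bloxy’s “Relations with other addresses” panel is an aggregation you can reproduce yourself from a raw transaction list, which is useful when a wallet is too new or too busy for an explorer to summarise. The block below is an added example for this walkthrough, not Bloxy’s or Etherscan’s code: for every counterparty of a target address it counts interactions, totals Ether in and out, records first and last contact, and flags two-way flow. The addresses and transactions it runs on are constructed for the demo.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


# One row of an address's transaction list (sender, recipient, value, timestamp).
@dataclass(frozen=True)
class Tx:
    sender: str
    recipient: str
    value_eth: float
    when: datetime


def relations(addr, txs, top=10):
    """Summarise every counterparty of addr: interaction count, Ether in/out, first and
    last contact, and whether funds flow in both directions. Most interactions first."""
    addr = addr.lower()
    agg = defaultdict(lambda: {"count": 0, "in_eth": 0.0, "out_eth": 0.0,
                               "first_seen": None, "last_seen": None})
    for t in txs:
        s, r = t.sender.lower(), t.recipient.lower()
        if addr not in (s, r) or s == r:      # skip txs not involving addr, and self-sends
            continue
        other = r if s == addr else s
        rec = agg[other]
        rec["count"] += 1
        if s == addr:
            rec["out_eth"] += t.value_eth
        else:
            rec["in_eth"] += t.value_eth
        rec["first_seen"] = min(filter(None, [rec["first_seen"], t.when]))
        rec["last_seen"] = max(filter(None, [rec["last_seen"], t.when]))
    rows = [{"address": other, **rec, "two_way": rec["in_eth"] > 0 and rec["out_eth"] > 0}
            for other, rec in agg.items()]
    rows.sort(key=lambda r: (-r["count"], r["address"]))   # ties broken by address for stability
    return rows[:top]


# Constructed sample: fake addresses, not the ones from the investigation.
TARGET, ALPHA, BRAVO, CHARLIE, DELTA, ECHO = ("0x" + c * 40 for c in "123456")


def sample_txs():
    t0 = datetime(2019, 5, 22, tzinfo=timezone.utc)
    txs = [Tx(ALPHA, TARGET, 1.0, t0 + timedelta(hours=h)) for h in range(5)]   # 5 in from ALPHA
    txs.append(Tx(TARGET, ALPHA, 20.0, t0 + timedelta(days=1)))                   # 1 out to ALPHA
    txs += [Tx(BRAVO, TARGET, 2.0, t0 + timedelta(hours=6 + h)) for h in range(3)]  # 3 in from BRAVO
    txs += [Tx(TARGET, CHARLIE, v, t0 + timedelta(days=2, hours=k))
            for k, v in enumerate([7.0, 3.0])]                                     # 2 out to CHARLIE
    txs.append(Tx(DELTA, ECHO, 99.0, t0))            # does not involve TARGET; must be ignored
    return txs


if __name__ == "__main__":
    for row in relations(TARGET, sample_txs()):
        print(row)
```

A two-way counterparty with large volume in both directions is the first thing to look at when trying to attribute a wallet: in this investigation it is those relationships, rather than the target’s own history, that lead to the answer.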
Let’s Head Back to Etherscan.io
As stated before, Etherscan.io has the ‘friendliest’ interface when it comes to looking at these addresses on the surface.
Reviewing Address #1
Address #1 can be found here on Etherscan.io.
On its face, there’s nothing remarkable about this address:




It’s worth noting that there is a significant number of transactions, however.
Moving forward though, the one thing that may confuse those that are unfamiliar with Etherscan.io is the fact that there are transactions that appear to have ‘no value’ to them.


The reason Etherscan.io shows the value of these token transfers as ‘zero’ Ether is that no Ether changes hands in them (apart from the ‘gas’ spent): the transaction calls the token contract, which updates its own balances and emits a Transfer event, so the Ether ‘Value’ field stays at 0 while the token amount lives in the call data and the event log.
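To see where the token amount actually is in such a transaction, here is an added example (written for this walkthrough, not code from Etherscan or the original post) that decodes an ERC-20 transfer two ways: from the transaction input data (the transfer(address,uint256) call) and from the Transfer event log the token contract emits. The selector and event topic are the standard ERC-20 values; the transaction, token contract, addresses and amount are constructed for the demo and the token is assumed to use 18 decimals.

```python
# keccak256("Transfer(address,address,uint256)"): topic[0] of every standard ERC-20 Transfer log
TRANSFER_TOPIC = "0xddf252ad1be2c89b69c2b068fc378daa952ba7f3163c4a26e9e42f7e5b92dd9c"
# first 4 bytes of keccak256("transfer(address,uint256)"): the selector in the tx input data
TRANSFER_SELECTOR = "a9059cbb"


def word_to_address(word):
    """An ABI-encoded address is a 32-byte word whose first 12 bytes must be zero."""
    w = word[2:] if word.startswith("0x") else word
    if len(w) != 64 or w[:24] != "0" * 24:
        raise ValueError("not an ABI-encoded address: " + word)
    return "0x" + w[24:].lower()


def decode_transfer_input(input_hex):
    """Decode transfer(to, amount) call data; returns None for any other call."""
    d = input_hex[2:] if input_hex.startswith("0x") else input_hex
    if len(d) != 8 + 64 + 64 or d[:8].lower() != TRANSFER_SELECTOR:
        return None
    return {"to": word_to_address(d[8:72]), "amount": int(d[72:136], 16)}


def decode_transfer_log(log):
    """Decode a Transfer event: from/to are indexed (topics 1 and 2), amount is the data."""
    topics = [t.lower() for t in log["topics"]]
    if len(topics) != 3 or topics[0] != TRANSFER_TOPIC:
        return None
    return {"token": log["address"].lower(),
            "from": word_to_address(topics[1]),
            "to": word_to_address(topics[2]),
            "amount": int(log["data"], 16)}


def summarise(tx, logs, decimals=18):
    """What the explorer's 'Value' column hides: Ether moved vs tokens moved."""
    eth_moved = int(tx["value"], 16) / 10**18
    transfers = [d for d in (decode_transfer_log(log) for log in logs) if d]
    return {"eth_moved": eth_moved,
            "token_transfers": [{**t, "amount_tokens": t["amount"] / 10**decimals}
                                for t in transfers]}


# Constructed sample transaction and receipt log (fake token and addresses).
TOKEN = "0x" + "70" * 20
FROM = "0x" + "a1" * 20
TO = "0x" + "b2" * 20
AMOUNT = 1500 * 10**18          # 1500 tokens at 18 decimals (assumed)


def pad_address(addr):
    return "0x" + addr[2:].rjust(64, "0")


SAMPLE_TX = {
    "from": FROM,
    "to": TOKEN,                 # the tx is sent TO the token contract, not to the recipient
    "value": "0x0",              # no Ether attached: this is why the explorer shows 0 ETH
    "input": "0x" + TRANSFER_SELECTOR + pad_address(TO)[2:] + f"{AMOUNT:064x}",
}
SAMPLE_LOGS = [{
    "address": TOKEN,
    "topics": [TRANSFER_TOPIC, pad_address(FROM), pad_address(TO)],
    "data": "0x" + f"{AMOUNT:064x}",
}]


if __name__ == "__main__":
    print(decode_transfer_input(SAMPLE_TX["input"]))
    print(decode_transfer_log(SAMPLE_LOGS[0]))
    print(summarise(SAMPLE_TX, SAMPLE_LOGS))
```

Explorers build their token-transfer tab from these logs, so the ‘Erc20 Token Txns’ view you are about to open is the same data shown in readable form.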
Fortunately, however, Etherscan.io has a panel for applicable wallets labeled, ‘Erc20 Token Txns’.
We’re going to go ahead and click on this link next:


https://etherscan.io/address/0xf4f5dfc21e36da84001be2aa09fe2c87231ba666
Here, we’ll be able to see the flow of these ERC20 transactions, which will show us the following:

https://etherscan.io/address/0xf4f5dfc21e36da84001be2aa09fe2c87231ba666#tokentxns
What we see above in this address is very interesting, all things considered.
What Are We Looking At in Address #1?
At this point in our analysis, we should pause for a moment and assess the facts that we know must be true, at a minimum:
We can see that this address (#1) is sending funds to a wallet labeled ‘Huobi 3’. That label was assigned by Etherscan.io itself, not by a commenter. We can trust Etherscan.io on this; they are typically very reliable in their identification of wallets.
The transactions are being sent in a style that is typical of a deposit address. Remember the characteristics of a deposit address that we labeled above. If you don’t remember, please review this piece as a recap.