SOC-PH, CR | Oct 29, 2019

Analyzing Hack Subnetworks in the Bitcoin Transaction Graph

arXiv:1910.13415v1 | 29 citations
Originality: Synthesis-oriented
AI Analysis

This work addresses the problem of tracing stolen cryptocurrency for investigators, but it is incremental as it applies existing network analysis methods to new data on hacking groups.

The study analyzed six Bitcoin hack subnetworks to classify them into two hacking groups using network features, finding that temporal features related to cash-out speed were more effective than static features for classification.

Hacks are one of the most damaging types of cryptocurrency-related crime, accounting for billions of dollars in stolen funds since 2009. Professional investigators at Chainalysis have traced these stolen funds from the initial breach on an exchange to off-ramps, i.e. services where criminals are able to convert the stolen funds into fiat or other cryptocurrencies. We analyzed six hack subnetworks of bitcoin transactions known to belong to two prominent hacking groups. We analyze each hack according to eight network features, both static and temporal, and successfully classify each hack to its respective hacking group through our newly proposed method. We find that the static features, such as node balance, in-degree, and out-degree, are not as useful in classifying the hacks into hacking groups as temporal features related to how quickly the criminals cash out. We validate our operating hypothesis that the key distinction between the two hacking groups is the acceleration with which the funds exit through terminal nodes in the subnetworks.
