1. MEASUREMENTS IN CRYPTOCURRENCY NETWORKS
Analytics Techniques, Applications, and Challenges
Dr. Bernhard Haslhofer
TMA Expert Summit, Vienna
2018-06-26

2. CRYPTOCURRENCIES @ TMA ?

3. • Bitcoin: A (very very) brief Introduction
• Network Abstractions & Clustering Heuristics
• GraphSense Cryptocurrency Analytics Platform
• Application Example: Ransomware Study
• Challenges & Future Research
MY PLAN FOR TODAY
3

4. TRANSACTION PROCESSING
Broadcast
Transaction
Blockchain
4
Bitcoin P2P Network

5. TRANSACTION PROCESSING
Collect pending
Transactions
Blockchain
5
Bitcoin Miners
Bitcoin P2P Network

6. TRANSACTION PROCESSING
Find & Broadcast
Block
Bitcoin P2P Network
Bitcoin Miners
Blockchain
6

7. TRANSACTION PROCESSING
Synchronize
Blocks
Blockchain
7
Bitcoin P2P Network

8. ANATOMY OF A BITCOIN TRANSACTION
8
txid: a6b06e...
blockhash: 0000ba7..
txid: 7f252a ….
vout: 1
scriptSig: Signature
value: 0.00460479
n: 0
addresses: [1Archive…]
value: 0.00566296
n: 1
addresses: [1MuSWq…]
List of inputs List of outputs
Bitcoin
Addresses
Reference to unspent
output of previous
transaction (UTXO)

9. • Bitcoin: A (very very) brief Introduction
• Network Abstractions & Clustering Heuristics
• GraphSense Cryptocurrency Analytics Platform
• Application Example: Ransomware Study
• Challenges & Future Research
MY PLAN FOR TODAY
9

10. CRYPTOCURRENCY ANALYTICS | TAXONOMY
10
My focus today
Cryptocurrency
Analytics
P2P Network
Analytics
Blockchain Analytics
Network Abstractions Clustering Heuristics
[Biryukov et al., 2014]

11. 11
BLOCKCHAIN ANALYTICS | OVERVIEW
Blockchain Analytics
Network Abstractions Clustering Heuristics
Transaction Network
Address Network

12. 12
TRANSACTION NETWORK
t1
t3
t2
t4
[Reid and Harrigan 2012]
{Value, Timestamp}
directed
acyclic
temporal

13. 13
TRANSACTION NETWORK | CONSTRUCTION
txid: a6b06e...
blockhash: 0000ba7..
txid: 7f252a ….
vout: 1
scriptSig: Signature
vin
value: 0.00460479
n: 0
addresses: [1Archive…]
vout
Target node id
Source node id
Timestamp (via referenced block)
Value

14. 14
ADDRESS NETWORK
a1
a2
a3
a5
a7 a8
a6
a9 a10
[Fleder et al. 2015, Filtz et al. 2017]
(bi-)directed
cyclic
{No. Transactions,
Estimated Value}

15. 15
ADDRESS NETWORK | CONSTRUCTION
txid: a6b06e...
blockhash: 0000ba7..
txid: 7f252a ….
vout: 1
scriptSig: Signature
vin
value: 0.00460479
n: 0
addresses: [1Archive…]
vout
Source node id
Target node id
No Transactions = aggregated count of edges with same node ids

16. 16
ADDRESS NETWORK | ESTIMATED VALUE
inputs and outputs as shown in Table I.
Fig. 2. Bitcoin transaction value assignment
Therefore, we estimate the flow of actual Bitcoins betw
two addresses using the following formula:
TABLE I. BITCOINFLOW
Transaction Formula Estimated BTC
A1 A3 3 * (2/7) 0.857
A2 A3 3 * (5/7) 2.143
A1 A3 4 * (2/7) 1.143
A2 A4 4 * (5/7) 2.857
IV. ANALYSIS
a1 → a3 = 3 ∗
#
$
a1
tx
a2
a3
a4
2 3
45
[Filtz et al. 2017]

17. 17
BLOCKCHAIN ANALYTICS | OVERVIEW
Blockchain Analytics
Network Analysis Clustering Heuristics
Multiple-Input Heuristics [Nakamoto, 2008]
Change Heuristics [Meiklejohn, 2013]
Temporal Behaviour [Ortega, 2013]
Transaction Fingerprinting [Fleder et. al, 2015]

18. c1
c1
MULTIPLE INPUT HEURISTICS
18
a1
tx
a2
c2
a2
ty
a3
Same address
[Nakamoto, 2008]

19. c1
MULTIPLE INPUT HEURISTICS
19
a1
tx
a2
a2
ty
a3
Tag
Tag
[Nakamoto, 2008]

20. 20
BLOCKCHAIN ANALYTICS
Blockchain Analytics
Network Abstractions Clustering Heuristics

21. c6c5
c4
c7
c3
c2
c1
21
CLUSTER NETWORK
a1
a2
a3
a5
a7 a8
a6
a9 a10
Estimated Value
No. Transactions
directed
cyclic

22. • Bitcoin: A (very very) brief Introduction
• Network Abstractions & Clustering Heuristics
• GraphSense Cryptocurrency Analytics Platform
• Application Example: Ransomware Study
• Challenges & Future Research
MY PLAN FOR TODAY
22

23. GRAPHSENSE | APPROACH
23
A
A A
AA
C
T
BlockchainAddress
Graph
Address
Cluster
Tags
Enrichmentprocess
Statistics (as of Sept. 2017)
Transactions: 249,408,683
Addresses: 296,862,290
Clusters: 30,645,426
Address graph
- nodes: 296,862,290
- edges: 1,567,227,841
All data points are pre-computed and stored in
a de-normalized form

24. GRAPHSENSE | ARCHITECTURE
Exchange
Rates
Attribution
Tags
Bitcoin
Transactions
Aggregated Raw
Data
Precomputed Views
and Networks
GraphSense
Dashboard
Advanced
Analytics

25. GRAPHSENSE | OPEN SOURCE !!!
25

26. • Bitcoin: A (very very) brief Introduction
• Network Abstractions & Clustering Heuristics
• GraphSense Cryptocurrency Analytics Platform
• Application Example: Ransomware Study
• Challenges & Future Research
MY PLAN FOR TODAY
26

27. • Ransomware has become dominant
cybercrime threat
• Over 500 families
• Ransom payments almost exclusively in
Bitcoin
• More comprehensive, evidence-based
picture still missing
RANSOMWARE STUDY | MOTIVATION
27

28. 1. Collect seed addresses associated
with ransomware family
2. Map seed addresses to address and
cluster networks
3. Retrieve expanded addresses,
relevant transactions, outgoing
relationships, etc.
4. Plot, analyze, etc.
RANSOMWARE STUDY | METHOD
28
address, family
1KQETJqKzUHUmCBXQgwzWt2cLcgwty5st1,AdamLocker
17T3wKnZByNR2uofqq5mdHY4bSUB2S4E3t,Alphabet
1NEcE8ffNZqAucBtp42a5YXMMUSLY7YfEP,AngleWare
2cX4MWcTFbmKgPQX1irMiDsU84dXB6LFBv,APT
377CY1m8W2qbQQX5HHjziimdh2faGjDeLv,APT
19zvMSm7qSQgFXCckXBjstdVdbT99ZuWBP,Badblock
….

29. RANSOMWARE STUDY | RESULTS
29
the overall direct nancial impact of the 35 families studied in this
paper. The basis for our estimation was the time-ltered expanded
ransomware dataset described in Section 3.3. In order to avoid
double-counting of ransomware payments, we removed known
collector addresses from that dataset.
Table 4 presents the lower bound revenue of the Top 15 ran-
somware family that made the highest amount of revenue in the
dataset. It shows revenues in Bitcoin (BTC), rounded to two decimal
places, and in U.S. dollars USD.
Family Addresses BTC USD
1 Locky 6,827 15,399.01 7,834,737
2 CryptXXX 1,304 3,339.68 1,878,696
3 DMALockerv3 147 1,505.78 1,500,630
4 SamSam 41 632.01 599,687
5 CryptoLocker 944 1,511.71 519,991
6 GlobeImposter 1 96.94 116,014
7 WannaCry 6 55.34 102,703
8 CryptoTorLocker2015 94 246.32 67,221
9 APT 2 36.07 31,971
10 NoobCrypt 17 54.34 25,080
11 Globe 49 33.03 24,319
12 Globev3 18 14.34 16,008
13 EDA2 23 7.1 15,111
14 NotPetya 1 4.39 11,458
15 Razy 1 10.75 8,073
Table 4: Received payments per ransom family (Top 15).
We nd that the top ransomware family in our dataset is Locky,
with a lower bound revenue of USD 7,834,737 dollars. The second
ransomware family is CryptXXX with a lower bound revenue of
AP
CryptXX
CryptoLock
CryptoTorLocker20
DMALocker
ED
Glo
GlobeImpost
Globe
Loc
NoobCry
NotPet
Figure 3: Mean payment per family with standa
rors.
revenue is observed: the ransomware occupying the 1
Razy, barely yielded USD 8,073 dollars in revenue.
When comparing the above revenues with ndings
other studies, we observe similarities and discrepancies
for Locky and CryptXXX are consistent with the results
Bursztein et al. [4]. They found that the Locky ransomw
proximately USD 7,8 million dollars and the CryptXXX
approximately USD 1.9 million dollars. However, there
crepancies in the revenue results for CryptoLocker: Bu
estimated the Cryptolocker revenue at USD 2 million
519,991 dollars in our study. Yet, Liao et al. [17] mea
toLocker payments from September 2013 until January
was the main activity period of that ransomware, an
lower bound revenue of USD 310,472, which is much
result. Another discrepancy lies in the result of the S
somware: USD 1.9 million for the Bursztein et al. rese
USD 583,498 dollars in this study. The dierences ma
the dierent number of seed addresses used in the Bu
research, which is not displayed in their presentation
we identify high or moderate performing ransomware f
as DMALockerv3, GlobeImposter, or NoobCrypt that did
in their study.
Lower Bound Direct Financial Impact

30. RANSOMWARE STUDY | RESULTS
30
ments in the Bitcoin Ecosystem WWW’2018, April 2018, Lyon, France
e ransomware families belonged to the Localbit-
which is an exchange that allows individuals to
ns to people who are geographically close.
mation, the outgoing-relationship analysis also
ies together. It illustrated that the Globe and
ent money to the same collector address, which
based on their shared naming features, but was
h our methodology. Similarly, 10 key addresses
om both the TowerWeb and Cryptohitman ad-
y, we can assume that these two families might
me real-world actors who may run two families
ultaneously or may launder money on behalf of
roups.
ound Revenues
nsomware money ows, we assessed the lower
each ransomware family and thereby estimated
nancial impact of the 35 families studied in this
r our estimation was the time-ltered expanded
et described in Section 3.3. In order to avoid
f ransomware payments, we removed known
from that dataset.
s the lower bound revenue of the Top 15 ran-
●
●
●
●
●
●
●
●
●
●
● ●
●
●
●
1031
593
480
36
4690
245
108
2698
534
1035
225 171
15
7713
278
$0
$2,500
$5,000
$7,500
APT
CryptXXX
CryptoLocker
CryptoTorLocker2015
DMALockerv3
EDA2
Globe
GlobeImposter
Globev3
Locky
NoobCrypt
NotPetya
Razy
SamSam
WannaCry

31. RANSOMWARE STUDY | RESULTS
31
●● ●
●
●
●●●●●●
●●●
●
●
● ●
●
●
●
●
●●●
●
●●
●
●
●
●
●●
●
●
●
●
● ●
●●
●
●
●
●●
●
● ● ●
●
●
●
●
●
●
●●
●●●● ●●●●● ● ● ● ● ●● ●● ●● ●● ● ● ●● ● ● ●
●
● ● ●●
WannaCry
SamSam
05/2017 06/2017 07/2017 08/2017 09/2017 10/2017
01/2016 07/2016 01/2017 07/2017
$0
$200,000
$400,000
$600,000
$0
$25,000
$50,000
$75,000
$100,000
Figure 4: Longitudinal payment trend per family.
ows of ransomware payments and identify destinations, such as
Bitcoin exchanges or gambling services, when contextually related
information (tags) was available. Our method is reproducible and
could be repeated for additional families with an updated seed
dataset. Plus, computation of address clusters over the most recent
state of the Bitcoin blockchain, along with more identication of
clusters belonging to specic groups, could greatly increase the
knowledge on the dierent end routes of ransomware monetary
ows.
However, we are well aware that our approach has a number
of limitations. First, our methodology relies on a set of seed ad-
dresses manually collected and the eectiveness of the multiple-
input heuristics for uncovering previously unknown addresses
linked to this family. Thus, it misses other ransomware families as
well as other addresses that might belong to the same family, but
cannot be linked to the same cluster. Still, the more addresses from
various families become available, the more accurate the picture of
the overall market for ransom payments will become. We address
this limitation by constraining our analysis to lower bound direct
nancial impacts, to ensure we are not claiming to assess the total
impacts of a ransomware family or of the entire market for ransom
payments.
Second, our approach is limited by the extent and quality of the
attribution data (tags) available. Without this information, clusters
remain anonymous and inferences about their real-world nature are
impossible. Nevertheless, we believe that such data will increasingly
● ●●●●●●●●●●●●●●
●
●●●●●●●●●●●●●●●●●●●●●●
●●●
●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●● ●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●●● ● ● ●●●●●●●●●●●● ●● ●●● ● ●● ●● ●●●● ●● ●● ● ●
●● ●
●
●
●●●●●●
●●●
●
●
● ●
●
●
●
●
●●●
●
●●
●
●
●
●
●●
●
●
●
●
● ●
●●
●
●
●
●●
●
● ● ●
●
●
●
●
●
●
●●
●●●● ●●●●● ● ● ● ● ●● ●● ●● ●● ● ● ●● ● ● ●
●
● ● ●●
WannaCry
SamSam
Locky
01/2016 07/2016 01/2017 07/2017
04/2016 07/2016 10/2016 01/2017 04/2017
$0
$2,000,000
$4,000,000
$6,000,000
$8,000,000
$0
$200,000
$400,000
$600,000
$25,000
$50,000
$75,000
$100,000
th
5
O
to
ad
o
w
B
in
co
da
st
cl
k
o
d
in
li
w
ca
va

32. RANSOMWARE STUDY | RESULTS
32
Ransomware Payments in the Bitcoin Ecosystem
Masarah Paquet-Clouston
GoSecure Research
Montreal, Canada
mcpc@gosecure.ca
Bernhard Haslhofer
Austrian Institute of Technology
Vienna, Austria
bernhard.haslhofer@ait.ac.at
Benoit Dupont
Université de Montréal
Montreal, Canada
benoit.dupont@umontreal.ca
ABSTRACT
Ransomware can prevent a user from accessing a device and its
les until a ransom is paid to the attacker, most frequently in Bit-
coin. With over 500 known ransomware families, it has become
one of the dominant cybercrime threats for law enforcement, secu-
rity professionals and the public. However, a more comprehensive,
evidence-based picture on the global direct nancial impact of
ransomware attacks is still missing. In this paper, we present a
data-driven method for identifying and gathering information on
Bitcoin transactions related to illicit activity based on footprints
left on the public Bitcoin blockchain. We implement this method
on-top-of the GraphSense open-source platform and apply it to
empirically analyze transactions related to 35 ransomware families.
We estimate the lower bound direct nancial impact of each ran-
somware family and nd that, from 2013 to mid-2017, the market
for ransomware payments has a minimum worth of USD 12,768,536
(22,967.54 BTC). We also nd that the market is highly skewed with
only a few number of players responsible for the majority of the
payments. Based on these research ndings, policy-makers and law
enforcement agencies can use the statistics provided to understand
the time of writing, there are 5051 known ransomware families
detected and almost all of them demand payments in Bitcoin [27],
which is the most prominent cryptocurrency.
Yet, global and reliable statistics on the impact of cybercrime
in general, and ransomware in particular, are missing, causing a
large misunderstanding regarding the severity of the threat and
the extent to which it fuels a large illicit business. Most of the
statistics available on cybercrime and ransomware are produced
by private corporations (cf. [29, 38, 39]) that do not disclose their
underlying methodologies and have incentives to over- or under-
report them since they sell cybersecurity products and services
that are supposed to protect their users against such threats [23].
Also, both cybercrime and ransomware attacks take place in many
regions of the world and reporting the prevalence of the threat on a
global level is dicult, especially when it involves a blend of fairly
sophisticated technologies that may not be familiar to a large num-
ber of law enforcement organizations [23, 37]. This is unfortunate
because the lack of reliable statistics prevents policy-makers and
practitioners from understanding the true scope of the problem,
the size of the illicit market it fuels and prevents them from being
Preprint available at: https://arxiv.org/abs/1804.04080

33. • Bitcoin: A (very very) brief Introduction
• Network Abstractions Clustering Heuristics
• GraphSense Cryptocurrency Analytics Platform
• Application Example: Ransomware Study
• Challenges Future Research
MY PLAN FOR TODAY
33

34. • Network Dimensions
• 300M nodes, 1.5B edges
• Degree distribution
• Highly skewed (super-clusters)
• Requirement: quick results
CHALLENGES | EFFICIENT PATH COMPUTATION
34
Ecosystem
Exit Point
(e.g., Exchange)
Focus
address or
cluster

35. CHALLENGES | POST-BITCOIN CURRENCIES
35
Stealth addresses
Ring signatures
Ring CTs
Shielded transactions Smart Contracts

36. QUESTIONS? IDEAS?
bernhard.haslhofer@gmail.com
http://graphsense.info/
36

37. • [Nakamoto, 2008]: Bitcoin: A peer-to-peer electronic cash system
• [Reid and Harrigan 2012]: An Analysis of Anonymity in the Bitcoin System
• [Meiklejohn, 2013]: A fistful of bitcoins: characterizing payments among men with no names
• [Ortega, 2013]: The bitcoin transaction graph—anonymity
• [Biryukov et al., 2014]: Deanonymisation of clients in Bitcoin P2P network
• [Fleder et. al, 2015]: Bitcoin Transaction Graph Analysis
• [Haslhofer et. al, 2016]: O Bitcoin Where Art Thou? Insight into Large-Scale Transaction Graphs.
• [Möser and Böhme, 2016]: Join Me on a Market for Anonymity
• [Harrigan and Fretter, 2016]: The Unreasonable Effectiveness of Address Clustering
• [Filtz et al, 2017]: Evolution of the Bitcoin Address Graph
• [Miller et al, 2017]: An Empirical Analysis of Linkability in the Monero Blockchain
• [Kumer et al, 2017]: A Traceability Analysis of Monero's Blockchain
• [Quesnelle 2017]: On the Linkability of ZCash transactions
REFERENCES
37