Welcome back, my aspiring OSINT investigators!
One of the most lucrative areas for OSINT investigators is Bitcoin and cryptocurrency scam and theft investigation and recovery. As the price of these cryptocurrencies has soared, so has the incidence of scams and thefts. A reputable source has estimated the value of Bitcoin and cryptocurrency thefts and scams at over $5 billion last year (for more on how hackers are stealing cryptocurrencies, click here)! In addition, the anonymous nature of these transactions leads the perpetrators to believe they will never be caught and brought to justice. This is simply a delusion on their part. Hackers-Arise has successfully made numerous recoveries from crypto-scammers, and the FBI recovered the $5 million ransom paid to the Colonial Pipeline attackers. You only need to know how.
In this tutorial, I will show you a few of the key OSINT tools, available to anyone, for tracing Bitcoin transactions.
Blockchain.com
Blockchain.com is a website that tracks transactions on the blockchain for Bitcoin, Ethereum, and Bitcoin Cash. For instance, here we entered the wallet address involved in a recent scam we investigated, and we can see that this address was involved in 241 transactions with a total value of nearly $500,000.
We can scroll down the screen and see every transaction involving this address.
Bitref.com
Bitref.com enables us to check the balance in any Bitcoin wallet. Entering the same address above, we can see that the wallet has just .00000546 bitcoin. Bitref also lists the last 100 transactions in that wallet.
Bitcoinwhoswho
Bitcoinwhoswho.com is especially valuable in conducting scam investigations. This site not only provides the current balance and number of transactions but also shows whether the address has appeared on any websites and the IP address of the last transaction.
Note here that our wallet address does not appear on any websites, but the last IP address is shown. We can then take that IP address and put it into one of many IP address search engines, such as IPaddresslookup.com, and it will tell us the location and ISP of the IP address.
Here we can see that the last transaction from this wallet came from Norfolk, VA in the US, from someone using Verizon as their ISP.
Wallet Explorer
Wallet Explorer is another useful website for tracking Bitcoin and other cryptocurrency transactions. What makes Wallet Explorer particularly useful is its algorithm to identify wallet addresses and names. Note that our wallet address here made at least one transaction with Binance.com.
oxt.me
oxt.me is another website for tracking Bitcoin transactions on the blockchain. When we enter our wallet address into oxt.me, it returns key information about its use.
When we click on the Activity tab, we can see all the transactions over time. Note here that the incoming and outgoing transactions are nearly identical in time and amount. This is a key signature of a wallet being used for illicit purposes. The perpetrators immediately send the Bitcoin to another wallet upon receiving it, making it harder to trace and recover.
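The pass-through pattern described above (deposits forwarded almost immediately in nearly the same amount) can be checked programmatically once a wallet's history has been exported. This is an added example, not part of the original tutorial or any of these sites' own code; the `Transfer` record, the one-hour window, the 2% tolerance, and the sample data are all assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Transfer:
    txid: str       # constructed placeholder label, not a real transaction id
    timestamp: int  # Unix seconds
    sats: int       # satoshis: positive = received, negative = sent

def match_pass_through(transfers, max_delay=3600, tolerance=0.02):
    """Pair each deposit with the first later, unused withdrawal that follows
    within max_delay seconds and is within tolerance of the deposit amount."""
    ordered = sorted(transfers, key=lambda t: t.timestamp)
    incoming = [t for t in ordered if t.sats > 0]
    outgoing = [t for t in ordered if t.sats < 0]
    used, pairs = set(), []
    for rx in incoming:
        for i, tx in enumerate(outgoing):
            delay = tx.timestamp - rx.timestamp
            if i in used or delay < 0:
                continue
            if delay > max_delay:
                break  # outgoing is time-sorted, so later ones are too late as well
            # The withdrawal is usually slightly smaller because of the miner fee.
            if abs(rx.sats + tx.sats) <= tolerance * rx.sats:
                used.add(i)
                pairs.append((rx.txid, tx.txid, delay))
                break
    return pairs

def pass_through_ratio(transfers, max_delay=3600, tolerance=0.02):
    """Fraction of deposits that were forwarded almost immediately."""
    incoming = [t for t in transfers if t.sats > 0]
    if not incoming:
        return 0.0
    return len(match_pass_through(transfers, max_delay, tolerance)) / len(incoming)

# Constructed sample history: two deposits forwarded within minutes, one not.
SAMPLE = [
    Transfer("in-1", 1_700_000_000, 50_000_000),
    Transfer("out-1", 1_700_000_420, -49_990_000),
    Transfer("in-2", 1_700_090_000, 12_000_000),
    Transfer("out-2", 1_700_090_900, -11_995_000),
    Transfer("in-3", 1_700_200_000, 3_000_000),
    Transfer("out-3", 1_700_900_000, -1_000_000),
]

if __name__ == "__main__":
    for deposit, withdrawal, delay in match_pass_through(SAMPLE):
        print(f"{deposit} -> {withdrawal} after {delay}s")
    print(f"pass-through ratio: {pass_through_ratio(SAMPLE):.2f}")
```

A high ratio is a lead that warrants closer examination of the wallet, not proof of illicit use on its own.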
Bitcoinabuse.com
Bitcoinabuse.com specializes in tracking abusive behavior using Bitcoin. This includes fake cryptocurrency investments and exchanges, theft, ransomware, and others. When we enter our wallet address, we can see that it has been cited for investment fraud.
Summary
These and other OSINT tools can help you to trace the activity and lead you to the identity of the scammers/thieves. You will likely need additional tools outlined on the OSINT page to identify and locate the scammers/thieves. Once the perpetrators are identified, the next step is recovery.
Hackers-Arise uses all of these tools in conjunction with our own proprietary tools to identify these thieves and recover stolen cryptocurrencies. If you would like our assistance in recovering your cryptocurrencies, go to our Digital Forensic Investigator page and send us a request. We will get back to you promptly.
For those interested in becoming a cryptocurrency investigator, we are now offering a new course in Cryptocurrency Investigations. It is part of the Subscriber Pro training package.