Analyzing Hack Subnetworks in the Bitcoin Transaction Graph
Daniel Goldsmith, Kim Grauer, Yonah Shmalo

TL;DR
This paper investigates bitcoin hack subnetworks, revealing that temporal features, especially the speed of fund cash-out, are crucial for classifying hacking groups, advancing understanding of criminal behaviors in cryptocurrency networks.
Contribution
Introduces a novel classification method based on temporal features to distinguish hacking groups in bitcoin transaction subnetworks.
Findings
Temporal features outperform static features in classification accuracy.
Speed of fund cash-out is a key differentiator between hacking groups.
Proposed method successfully classifies hack subnetworks into their respective groups.
Abstract
Hacks are one of the most damaging types of cryptocurrency-related crime, accounting for billions of dollars in stolen funds since 2009. Professional investigators at Chainalysis have traced these stolen funds from the initial breach on an exchange to off-ramps, i.e. services where criminals are able to convert the stolen funds into fiat or other cryptocurrencies. We analyze six hack subnetworks of bitcoin transactions known to belong to two prominent hacking groups. We analyze each hack according to eight network features, both static and temporal, and successfully classify each hack to its respective hacking group through our newly proposed method. We find that static features, such as node balance, in-degree, and out-degree, are not as useful in classifying the hacks into hacking groups as temporal features related to how quickly the criminals cash out. We validate our operating…
