Towards Malicious address identification in Bitcoin

TL;DR

This paper investigates the use of temporal and graph-based features to identify malicious Bitcoin addresses, demonstrating that existing approaches from other cryptocurrencies can be adapted after change-address clustering.

Contribution

It shows that temporal features can be effectively extracted from Bitcoin addresses post change-address clustering and that machine learning can detect malicious behavior across different temporal granularities.

Findings

Temporal features are applicable after change-address clustering.

Bitcoin address behavior is similar to Ethereum in key metrics.

Three suspects exhibited malicious behavior not previously marked.

Abstract

The temporal aspect of blockchain transactions enables us to study the address's behavior and detect if it is involved in any illicit activity. However, due to the concept of change addresses (used to thwart replay attacks), temporal aspects are not directly applicable in the Bitcoin blockchain. Several pre-processing steps should be performed before such temporal aspects are utilized. We are motivated to study the Bitcoin transaction network and use the temporal features such as burst, attractiveness, and inter-event time along with several graph-based properties such as the degree of node and clustering coefficient to validate the applicability of already existing approaches known for other cryptocurrency blockchains on the Bitcoin blockchain. We generate the temporal and non-temporal feature set and train the Machine Learning (ML) algorithm over different temporal granularities to validate the state-of-the-art methods. We study the behavior of the addresses over different time granularities of the dataset. We identify that after applying change-address clustering, in Bitcoin, existing temporal features can be extracted and ML approaches can be applied. A comparative analysis of results show that the behavior of addresses in Ethereum and Bitcoin is similar with respect to in-degree, out-degree and inter-event time. Further, we identify 3 suspects that showed malicious behavior across different temporal granularities. These suspects are not marked as malicious in Bitcoin.