The Devil Behind the Mirror: Tracking the Campaigns of Cryptocurrency Abuses on the Dark Web

TL;DR

This paper systematically analyzes cryptocurrency-related illicit activities on the dark web by harvesting a large dataset, identifying campaigns, and characterizing transactions to better understand and detect illegal operations.

Contribution

It provides a comprehensive multi-dimensional study of dark web cryptocurrency abuses, including dataset collection, campaign detection, and analysis of illicit transactions.

Findings

Identified 2,564 illicit sites and 1,189 illicit blockchain addresses.

Revealed 90.8 BTC in revenue from illicit activities.

Discovered 66 underlying illicit campaigns.

Abstract

The dark web has emerged as the state-of-the-art solution for enhanced anonymity. Just like a double-edged sword, it also inadvertently becomes the safety net and breeding ground for illicit activities. Among them, cryptocurrencies have been prevalently abused to receive illicit income while evading regulations. Despite the continuing efforts to combat illicit activities, there is still a lack of an in-depth understanding regarding the characteristics and dynamics of cryptocurrency abuses on the dark web. In this work, we conduct a multi-dimensional and systematic study to track cryptocurrency-related illicit activities and campaigns on the dark web. We first harvest a dataset of 4,923 cryptocurrency-related onion sites with over 130K pages. Then, we detect and extract the illicit blockchain transactions to characterize the cryptocurrency abuses, targeting features from single/clustered addresses and illicit campaigns. Throughout our study, we have identified 2,564 illicit sites with 1,189 illicit blockchain addresses, which account for 90.8 BTC in revenue. Based on their inner connections, we further identify 66 campaigns behind them. Our exploration suggests that illicit activities on the dark web have strong correlations, which can guide us to identify new illicit blockchain addresses and onions, and raise alarms at the early stage of their deployment.