This repository presents a detailed case study on tracking cryptocurrency transactions and uncovering dark web operations. Using open-source intelligence (OSINT) tools and blockchain forensics, we trace Bitcoin transactions, identify hidden connections between onion sites, and track funds to cryptocurrency exchanges like Binance.

Faizan-Khanx/TracingDarkWebAndBlockChain
Unveiling Offshore Banking and Dark Web Operations via Blockchain Analysis: An OSINT Case Study

Cryptocurrency Crimes and Dark Web Links

Cryptocurrency scams and crimes are becoming common, and the dark web often serves as a hub due to its anonymity. But even on the dark web, onion sites can leave behind clues, or 'digital fingerprints,' that help uncover hidden connections.

In this case study, we’ll cover:

  • Finding Links Between Onion Sites: How to spot connections between dark web platforms.
  • Tracing Bitcoin Transactions: How to connect two Bitcoin addresses.
  • Tracking to Exchanges: How to trace transactions back to registered cryptocurrency exchanges.

Here’s a visual overview of what we’ll be exploring:

[image: visual overview]


Dark Web Services — Two Examples

In this case study, we’ll focus on three dark web services:

  1. BancoPanama : A banking site offering anonymous offshore accounts in exchange for Bitcoin.
  2. UnlockDevices : A service that lets users unlock phones anonymously by paying with Bitcoin.
  3. Dark Web : The Onion Site.

[screenshot]

[screenshot]

  • This case study is not to identify whether these are scam sites or not. Rather, it is to identify the relationship between them, to show that they are owned by the same person, and to trace their blockchain fingerprints to a registered cryptocurrency exchange.

Analysis Tools for Dark Web Onion Sites

In this case study, we will utilize the following four tools for analysis:

  1. Fresh Onions: A directory of newly discovered onion sites on the dark web.
  2. Wallet Explorer: A tool to analyze and trace Bitcoin transactions and wallets.
  3. Blockchain Explorer: A comprehensive tool for exploring blockchain transactions and addresses.
  4. Tor Browser: A privacy-focused browser for accessing onion sites on the dark web.

Among these, the two most critical tools are Fresh Onions and Wallet Explorer, as they play a pivotal role in uncovering relationships and transactions tied to onion sites.


Tool Descriptions

  1. Fresh Onions
    Fresh Onions is a web crawler designed specifically for onion sites. It helps uncover hidden information that might not be immediately visible on these sites, making it invaluable for identifying the "digital fingerprints" we are looking for in this investigation.

  2. Wallet Explorer
    Wallet Explorer is an excellent tool for analyzing cryptocurrency wallets. It identifies all Bitcoin addresses owned by a single wallet, which is crucial when tracing transactions and understanding the relationships between multiple addresses.

  3. Blockchain Explorer
    Blockchain Explorer is a platform you might already be familiar with. It allows for a detailed examination of blockchain transactions and Bitcoin addresses, providing transparency and traceability in cryptocurrency activities.

  4. Tor Browser
    Tor Browser is essential for accessing onion links and navigating the dark web securely. It is required to open the onion links mentioned in this case study.


Identifying ‘Fingerprints’ Of Dark Web Services

[screenshot]

  • The relationship between these two dark web onion sites can be identified using the Fresh Onions crawler.

  • The relevant detail we are looking for is an ‘SSH fingerprint’. Essentially, it is a unique marker a site carries. With Fresh Onions, we can see all of the other sites that hold that same fingerprint.

[screenshot]

  • This shows that there is an SSH relationship between the two onion sites we identified earlier.
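To make the fingerprint check concrete, here is an added example (not code from the case study or from Fresh Onions) that derives the OpenSSH-style fingerprint from a recorded host key and groups crawled services by it. The host names, key bytes and crawl records are constructed; a real crawler would fill `SAMPLE_RECORDS` with the host-key lines it collected.

```python
"""Group onion services that present the same SSH host key.

Added example, not code from the case study or from Fresh Onions. A crawler
that records each hidden service's SSH host key can compute the same
fingerprint OpenSSH prints (SHA-256 of the key blob, base64 without padding)
and group services by it. Host names and keys below are constructed.
"""
import base64
import hashlib
import struct
from collections import defaultdict


def _ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def ed25519_key_blob(raw_key: bytes) -> bytes:
    """Public-key blob of an ssh-ed25519 key (the base64 part of a key line)."""
    assert len(raw_key) == 32
    return _ssh_string(b"ssh-ed25519") + _ssh_string(raw_key)


def key_line(blob: bytes, comment: str) -> str:
    """Render a blob as a host-key line: '<type> <base64 blob> <comment>'."""
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


def fingerprint_sha256(blob: bytes) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + 43 base64 chars, no padding."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def fingerprint_of_line(line: str) -> str:
    """Fingerprint of a '<type> <base64 blob> [comment]' host-key line."""
    _keytype, b64, *_ = line.split()
    return fingerprint_sha256(base64.b64decode(b64))


def shared_fingerprints(records):
    """{fingerprint: [hosts]} for every fingerprint seen on more than one host."""
    groups = defaultdict(list)
    for host, line in records:
        groups[fingerprint_of_line(line)].append(host)
    return {fp: hosts for fp, hosts in groups.items() if len(hosts) > 1}


# Constructed crawl: two services expose the same key, a third has its own.
# (Constructed host names; real v3 onion names are 56 base32 characters.)
_SHARED = ed25519_key_blob(bytes(range(32)))
_OTHER = ed25519_key_blob(bytes(range(32, 64)))
SAMPLE_RECORDS = [
    ("sitea.onion", key_line(_SHARED, "root@host")),
    ("siteb.onion", key_line(_SHARED, "root@host")),
    ("sitec.onion", key_line(_OTHER, "root@other")),
]


if __name__ == "__main__":
    for fp, hosts in shared_fingerprints(SAMPLE_RECORDS).items():
        print(fp, "->", hosts)
```

A shared fingerprint means the services present the same host key material, which is strong evidence they run on the same server or were cloned from the same image; on shared hosting it can also simply mean the same provider, so it is a lead to corroborate with the blockchain evidence rather than proof of a common operator on its own.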

Now let’s take a look at the blockchain evidence.

How to Use Blockchain Forensics on Transactions

The first step in analyzing a dark web site is identifying its cryptocurrency address.

While various cryptocurrencies might be in use, Bitcoin remains the most popular and, fortunately, has a transparent and public blockchain.

From a single Bitcoin address, you can uncover valuable insights, including:

  • The total number of transactions.
  • The origins and amounts of incoming funds.
  • The destinations and amounts of outgoing funds.
  • A complete historical timeline of all transactions.
  • Other Bitcoin addresses associated with the same wallet.

This last point is where Wallet Explorer proves to be particularly useful. With this tool, you can identify all Bitcoin addresses linked to a single wallet, making it easier to track and analyze transactions.
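The grouping Wallet Explorer performs rests on the common-input-ownership heuristic: all inputs of one transaction must be signed by the spender, so their addresses are assumed to share an owner, and that relation is closed transitively. The following added example (not code from the case study or from Wallet Explorer) implements that clustering and the per-address facts listed above over a constructed set of transactions; the txids, addresses and amounts are made up.

```python
"""Cluster Bitcoin addresses into wallets with the common-input-ownership heuristic.

Added example, not code from the case study or from Wallet Explorer. Every
input of a transaction must be signed by whoever spends it, so all input
addresses of one transaction are assumed to belong to one entity, and that
relation is closed transitively. Addresses, amounts and txids are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Tx:
    txid: str
    inputs: tuple   # ((address, satoshis), ...) spent by this transaction
    outputs: tuple  # ((address, satoshis), ...) created by this transaction


# Constructed sample: two customers pay the two shop addresses, then the shop
# spends both payments in one transaction (tx3), which links the addresses.
SAMPLE_TXS = (
    Tx("tx1", (("cust_A", 5_100_000),), (("shop_XZ4jo", 5_000_000), ("cust_A_change", 90_000))),
    Tx("tx2", (("cust_B", 2_000_000),), (("shop_KUrE", 2_000_000),)),
    Tx("tx3", (("shop_XZ4jo", 5_000_000), ("shop_KUrE", 2_000_000)),
              (("addr_Ndpe", 6_900_000), ("shop_change", 90_000))),
    Tx("tx4", (("other_C", 100_000_000),), (("other_D", 100_000_000),)),
)


class UnionFind:
    """Disjoint-set forest over addresses; one set per inferred wallet."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def cluster_wallets(txs):
    """Return {address: frozenset(addresses in the same inferred wallet)}."""
    uf = UnionFind()
    for tx in txs:
        spenders = [addr for addr, _ in tx.inputs]
        for addr in spenders:
            uf.find(addr)                 # register even single-input spenders
        for addr in spenders[1:]:
            uf.union(spenders[0], addr)   # co-spent inputs => same owner
        for addr, _ in tx.outputs:
            uf.find(addr)                 # outputs start as singletons
    members = defaultdict(set)
    for addr in list(uf.parent):
        members[uf.find(addr)].add(addr)
    return {addr: frozenset(group) for group in members.values() for addr in group}


def same_wallet(txs, a, b):
    wallets = cluster_wallets(txs)
    return a in wallets and b in wallets and wallets[a] == wallets[b]


def address_summary(txs, addr):
    """The per-address facts listed above: tx count, in/out totals, timeline, wallet."""
    received = sent = 0
    timeline = []
    for tx in txs:
        spent = sum(s for a, s in tx.inputs if a == addr)
        got = sum(s for a, s in tx.outputs if a == addr)
        if spent or got:
            received += got
            sent += spent
            timeline.append((tx.txid, got - spent))   # signed net effect, in tx order
    return {
        "tx_count": len(timeline),
        "received_sat": received,
        "sent_sat": sent,
        "timeline": timeline,
        "wallet": cluster_wallets(txs).get(addr, frozenset()),
    }


if __name__ == "__main__":
    print(sorted(cluster_wallets(SAMPLE_TXS)["shop_XZ4jo"]))
    print(address_summary(SAMPLE_TXS, "shop_XZ4jo"))
```

The heuristic is only as good as its assumption: transactions built by a CoinJoin or a mixing service deliberately combine inputs from different owners, so an analyst should treat a cluster that suddenly absorbs thousands of unrelated-looking addresses as a sign of such a service rather than of one very large owner.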


[screenshot]

  • So what’s the relationship between the two sites I mentioned?

Identifying Bitcoin Addresses and Their Relationship

When we examine the Bitcoin addresses through the ‘purchase’ section of the websites, we can identify two main addresses:

  • The Bitcoin address of the BancoPanama site, ending in XZ4jo.
  • The Bitcoin address of the Dark Web UnlockDevices site, ending in KUrE.

The key observation here is that both addresses belong to the same wallet, indicating that they are owned by the same entity or individual.

I discovered this relationship using Wallet Explorer. By entering one of the Bitcoin addresses into the search bar, we can access the entire wallet and reveal both addresses. A simple ‘CTRL+F’ search highlights that both addresses are part of the same wallet.


[screenshot]

  • Now let’s take a look at the specific transactions of each of these bitcoin addresses.

Tracing the Payments Through to an Exchange

The transactions made to these accounts are typical of normal blockchain transactions.

For example, in the transaction below, we see money being transferred from one Bitcoin address to the Dark Web UnlockDevices address, which ends in KUrE.

[screenshot]


But following the outgoing transactions involves more addresses:

[screenshot]

  • As you can see in the screenshot above, there are a number of addresses included in the same exchange.

For this transaction, the key recipient address ending in Ndpe can be one of two things:

  • A bitcoin mixing service, or
  • An exchange

For many vendors on the dark web, a mixing service, or cryptocurrency tumbler, guarantees anonymity as it essentially scrambles the addresses and the payments made — perfect for illegal vendors and scammers, not for law enforcement.

  • Ndpe is a unique address as the majority of its payments are made into bitcoin address 1NDyJtNTjmwk5xPNhjgAMu4HDHigtobu1s.

You can see this in the screenshots below:

[four screenshots]

  • This bitcoin address ending in bu1s belongs to Binance, a registered cryptocurrency exchange. We can see this through a simple Google search, which also reveals the following Tweet from Binance themselves.

Blockchain Analysis of the Ndpe Address

The Ndpe address belongs to the wallet 000030bc2e.

As shown in the screenshot below, this wallet contains over 120,000 Bitcoin addresses, many of which are involved in large volumes of transactions on a daily basis.

Given the volume and nature of the transactions, it’s likely that Ndpe is associated with a cryptocurrency exchange, or it could be a Bitcoin tumbling service. The large number of addresses within this wallet could suggest that it is used to mix or "scramble" transactions, a common practice for enhancing privacy by obfuscating the transaction's original source.

[screenshot]

  • Each one of the addresses in this wallet uses Binance as the final source of all of their transactions.

In the above screenshot, the top five addresses all show their largest payouts to Binance. We can see this on the blockchain.

Here is a recent outgoing transaction to Binance from Fnhy:

[screenshot]

Here is a recent outgoing transaction to Binance from sjjd:

[screenshot]

Here is a recent outgoing transaction to Binance from d6E1:

[screenshot]

Here is a recent outgoing transaction to Binance from 3R3r:

[screenshot]

Here is a recent outgoing transaction to Binance from hEe9:

[screenshot]

  • As you can see, there is a flow of funds from these two dark web onion sites to the Ndpe address on the blockchain. Since we have established that these two dark web onion sites are run by the same owner, it is likely the person is using a single tumbler or exchange. There is also an ongoing financial relationship between the Ndpe address (and other addresses in the same wallet) and Binance’s address ending in bu1s.
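The three questions answered in this section (where an address's largest payout goes, what share of a wallet's outgoing value lands at a known exchange address, and whether a payment path runs from a shop address to that exchange) can be answered mechanically once the wallet grouping and an exchange label list are in hand. The following is an added example, not code from the case study; it takes the wallet membership as given, the way Wallet Explorer reports the members of a wallet, and every address, label, amount and txid in it is constructed, with `exch_bu1s` standing in for the exchange address named above.

```python
"""Follow outflows from a vendor address to a labelled exchange address.

Added example, not code from the case study. Wallet membership is taken as
given (as Wallet Explorer reports it) and a label map marks addresses known
to belong to an exchange. Every address, label, amount and txid is constructed.
"""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Tx:
    txid: str
    inputs: tuple   # ((address, satoshis), ...)
    outputs: tuple  # ((address, satoshis), ...)


# Constructed graph: customer -> shop -> hub address -> exchange, plus sibling
# hub addresses that also pay the exchange, and one leak to an unlabelled address.
SAMPLE_TXS = (
    Tx("tx1", (("cust_A", 2_010_000),), (("shop_KUrE", 2_000_000),)),
    Tx("tx2", (("shop_KUrE", 2_000_000),), (("addr_Ndpe", 1_900_000), ("shop_change", 90_000))),
    Tx("tx3", (("addr_Ndpe", 1_900_000), ("addr_Fnhy", 3_000_000)),
              (("exch_bu1s", 4_800_000), ("addr_sjjd", 90_000))),
    Tx("tx4", (("addr_sjjd", 90_000),), (("unknown_X", 80_000),)),
    Tx("tx5", (("addr_d6E1", 5_000_000),), (("exch_bu1s", 4_990_000),)),
)
HUB_WALLET = frozenset({"addr_Ndpe", "addr_Fnhy", "addr_sjjd", "addr_d6E1"})  # constructed wallet membership
LABELS = {"exch_bu1s": "Binance"}  # constructed label map of known exchange deposit addresses


def external_outputs(tx, own):
    """Outputs of tx that leave the address set `own` (drops change and internal moves)."""
    return [(dest, sats) for dest, sats in tx.outputs if dest not in own]


def largest_payout(txs, addr, own=frozenset()):
    """(destination, satoshis) of the biggest external output among txs spending addr.

    Simplification: a multi-input transaction's outputs are credited in full to
    each spending address, which is how a block explorer view attributes them too.
    """
    best = (None, 0)
    for tx in txs:
        if any(a == addr for a, _ in tx.inputs):
            for dest, sats in external_outputs(tx, own | {addr}):
                if sats > best[1]:
                    best = (dest, sats)
    return best


def label_share(txs, wallet, labels):
    """Fraction of the wallet's external outflow (by value) reaching each label."""
    totals = defaultdict(int)
    for tx in txs:
        if any(a in wallet for a, _ in tx.inputs):
            for dest, sats in external_outputs(tx, wallet):
                totals[labels.get(dest, "unlabelled")] += sats
    grand = sum(totals.values())
    return {label: sats / grand for label, sats in totals.items()} if grand else {}


def trace_to_label(txs, start, labels, max_hops=6):
    """Breadth-first walk along outputs from start; path to the first labelled address, or None."""
    nxt = defaultdict(set)
    for tx in txs:
        for a, _ in tx.inputs:
            for dest, _ in tx.outputs:
                nxt[a].add(dest)
    queue = deque([(start, [start])])
    seen = {start}
    while queue:
        addr, path = queue.popleft()
        if addr in labels:
            return path
        if len(path) > max_hops:
            continue
        for dest in sorted(nxt[addr]):
            if dest not in seen:
                seen.add(dest)
                queue.append((dest, path + [dest]))
    return None


if __name__ == "__main__":
    print(largest_payout(SAMPLE_TXS, "shop_KUrE"))
    print(largest_payout(SAMPLE_TXS, "addr_Ndpe", HUB_WALLET))
    print(label_share(SAMPLE_TXS, HUB_WALLET, LABELS))
    print(trace_to_label(SAMPLE_TXS, "shop_KUrE", LABELS))
```

A high label share for an exchange is what turns a lead into something an exchange or law enforcement can act on, since the exchange holds the account details behind its deposit addresses; the unlabelled remainder is where a mixer or an unknown counterparty hides, and the hop limit keeps the walk from wandering through a busy exchange wallet forever.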

Where Open-Source Methods Stop

While open-source tools and methods can provide valuable insights into activities on the dark web and the blockchain, they have their limitations. At a certain point, further investigation requires more than just publicly available information. This is where law enforcement agencies, regulatory bodies, and cryptocurrency exchanges play a critical role. These entities have access to private data and the ability to work with legal authorities to trace and uncover the registration details of accounts linked to illicit activities on the dark web.

Conclusion and Insights

This case study demonstrates how open-source intelligence (OSINT) and blockchain forensics can help uncover illicit activities on the dark web. By linking dark web sites to cryptocurrency addresses and tracing the flow of funds, investigators can uncover relationships between seemingly unrelated sites and services. However, the involvement of privacy-enhancing technologies like mixing services and the need for private data access underlines the importance of collaboration between law enforcement and cryptocurrency exchanges for comprehensive investigations.

This investigation showcases the potential of blockchain analysis for tracking illegal activities, but also highlights the challenges of dealing with privacy-enhancing technologies and the need for further cooperation between public and private entities in cybersecurity investigations.

Contributing

Contributions are welcome! To contribute, fork the repository and submit a pull request with your improvements.

  1. Fork the repository.
  2. Create a new branch (git checkout -b feature-branch).
  3. Commit your changes (git commit -am 'Add new feature').
  4. Push to the branch (git push origin feature-branch).
  5. Create a new Pull Request.

License

This project is licensed under the MIT License - see the LICENSE file for details.

Contact

For any questions or feedback, please contact E-Mail Me
