
Tracing stolen Bitcoin, using a precedent from 1816 - seagullz
https://www.lightbluetouchpaper.org/2018/03/26/tracing-stolen-bitcoin/
======
MithrilTuxedo
Their example is a wallet with 10 bitcoin, 3 were stolen.

* poison: all BTC is the wallet is considered stolen, and all BTC in every wallet the BTC moves through from there is considered stolen

* haircut: BTC in the wallet is considered 30% stolen, and it's diluted as the money moves through other wallets

* FIFO (their solution): the first 3 BTC transferred from the wallet is considered stolen

But, the principle given in the paper is "nobody can give what isn’t theirs".
Why isn't it the _last_ 3 BTC transferred from the wallet that's considered
stolen? The wallet had 7 legitimately acquired BTC to spend, so why isn't
spending beyond that 7 what's tracked?

Someone could have a wallet or bank account (from the 1816 example) and not
know stolen amounts were given to them. The first amount they spend should be
considered legitimate.

~~~
maxerickson
The FIFO method doesn't track the first 3 BTC, it depends on what the first
transfer into the wallet was.

If the first transfer in was 3 tainted BTC, it taints the first 3 out. If the
first transfer in was 2 clean BTC and the second transfer in was 3 tainted
BTC, it taints the 3rd, 4th and 5th BTC transferred out.

They don't seem to really have a way of measuring where the illicit value
actually goes, so the comparison is just hand waving (in terms of forensics
that's what tainting is for anyway, enumerating the accounts to consider;
enumerating less accounts isn't necessarily an advantage).

------
CryptoPunk
This is not a technological solution. It's an attempt to create a legal
convention of applying a particular form of centralized blacklisting.

The power of this method is directly proportional to how widely it's adopted.

And the reference to a precedent gives a false sense of legal legitimacy to
this form of blacklisting. The decision referenced dealt with creditor claims
to a shared asset.

The relevant legal precedent is from 1749. That's when a court sided with the
Royal Bank of Scotland in its legal challenge to a request for a blacklist for
notes used in crime. The RBS argument was that making money responsible for
the acts of its previous holders would "render the Notes absolutely useless":

[https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2260952](https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2260952)

For hundreds of years, that has been the legal treatment of cash, which has
facilitated commerce, by making cash _fungible_.

Jurisdictions around the world have been steadily degrading the principle of
fungibility over the last 40 years to institute a mass surveillance system to
stop the drug trade, money laundering and income tax evasion (it's worth
noting the income tax didn't exist in 1749).

The result is concentrated power structures accumulating ever greater
bureaucratic control over the traditional financial system.

~~~
cinquemb
Well it seems like even the actors who influence the G20 finance minister
talking heads[0] cant even agree on what to do, except for asserting that
somehow they will need to be in charge.

I think that concentrated power structures (that exist today or evolve in
time) that can exploit this environment will win in the long run, but it won't
necessarily be in any particular nation states interest.

[0]
[https://www.euromoney.com/article/b17jt5vnb3fn3m/g20-ministe...](https://www.euromoney.com/article/b17jt5vnb3fn3m/g20-ministers-
wrestle-with-cryptocurrency-oversight)

~~~
CryptoPunk
Any centralization of a sector of an economy needs to be politically
coordinated so the fact that the G20 heads don't agree on a plan is promising.
I think it's possible some of finance ministers of the G20 members like the
disruptive potential of cryptocurrency.

------
tudorconstantin
With BTC you can have multi input multi output transactions: in the same tx
you can spend 2 legit BTCs and 2 stolen BTCs and send those to 8 addresses,
each getting 0.5 BTCs.

Which of those resulting addresses contain tainted BTCs and which contain the
clean ones?

A transaction such as the above would make it clear that the thief has control
over the whole stolen wallet, but that's it. It doesn't mean that the
recipient's addresses are thief's addresses, even though they could be. And we
can't consider all of the end addresses as tainted, because what happens when
the thief sends some of these to the address holding the silk road BTCs
confiscated by the feds? Will they arrest themselves?

~~~
gojomo
There’s still a ‘native ordering’ of the inputs and outputs, so this FIFO
process will still be able to ‘taint’ a specific deterministic set of the
value-units, across one or more of the outputs.

Whether that’s a fair allocation of the taint is a separate issue. They have a
case, in some jurisdictions based on that precedent, that the law would
support their allocation, and further that this treatment has other
efficiencies.

It’s sometimes the case that laws are construed to be predictable, and easy-
to-apply, rather than maximally ‘fair’ according to deeper subjective case-by-
case analysis.

~~~
tudorconstantin
Indeed, there is an ordering, but that's decided exclusively by the creator of
the transaction, so he could easily manipulate the future tainted addresses.

The FIFO (or LIFO for that matter) rule seems like an arbitrary chosen one
which could easily be overcome: the thief can put the stolen funds in an
address and only use those when the atomic swap protocol between chains is
created, for example. Or exchange those funds on decentralized exchanges, or
sell on localbitcoins.

This is an example of a transaction with multiple inputs, multiple outputs:
[https://blockchain.info/tx/1952ae67f75707e8a357cb40cc4e2123c...](https://blockchain.info/tx/1952ae67f75707e8a357cb40cc4e2123c7e4d1310ce805c62469a778d2dc595d)

The creator of such transactions can manipulate the order in both inputs and
outputs.

~~~
gojomo
Yes, the possessor can control where the ‘taint’ goes by their spending
choices, just like someone with stolen property can choose who to give/sell it
to.

The point of this FIFO method isn’t exclusively — or even primarily — to
outwit thieves. Rather, it’s just to have a tractable (and legally-based) rule
for deciding which balances, arbitrarily later, can be deemed ‘the stolen
amount’.

------
Rychard
This seems like precisely the thing that a mixer service exists to defeat. I'd
be curious to see how effective the approach is after the coins pass through
such a service.

Personally, I remain unconvinced that coins could be reliably traced through
an "ideal" mixer service that moves a large number of coins between a large
number of addresses via a large number of transactions.

Edit: A further requirement would be that the service would have to involve a
large number of "legitimate" coins. This does disregard the possibility that
the so-called legitimate coins would be considered illegitimate simply by
association with said service.

That said, perhaps the difficulty lies in actually meeting such requirements.

~~~
pjc50
Mixer services exist to facilitate money laundering and the transfer of stolen
propery, so they are perpetually at risk of being shut down.

~~~
kolinko
They also facilitate privacy.

I never used crypto for illegal purposes, but I still don’t wish for people
who receive coins from me to know the state of my main accounts.

------
tomc1985
So basically you just assume the first coins out of a freshly-blacklisted
wallet are stolen?

Does that accurately model human behavior? Will it continue to once said
humans learn of that technique?

~~~
stjohnswarts
It seems that if you can just blacklist coins, and since eventually bitcoin
will be all mined out (for all practical purposes) that eventually all
bitcoins would become tainted since humanity will always have crime and money
laundering. Am I missing something here? I'm sure gold was used for all sorts
of nefarious uses but nothing stops that "bad gold" from going back into the
gold monetary system. This just seems like a bad idea all the way around.

------
shkkmo
The problem with this method, is it gives bad actors complete control over how
and where the "bad" coins go just by doing some structured transactions.

~~~
tantalor
1\. borrow n coins

2\. deposit n stolen coins

3\. withdraw n coins (clear)

4\. settle loan with tainted coins

~~~
ogoffart
Also:

1\. steal n coins from Bob

2\. steal n coins from Alice

3\. move these 2*n coins to the same addresse.

4\. give n coins to Charlie: these are stolen from both Alice and Bob.

5\. the remaining n coins are clean.

~~~
rocqua
Nope, after step 3, the first 2*n coins coming out of that address are
tainted.

~~~
ogoffart
Only if they are tainted with the same "tag". What if one of the theft is only
recognized in one jurisdiction? What if Alice and Bob separatly track their
coins?

~~~
rocqua
So, say Alice her money was transferred first, and bob's money second.

Then, after you've spend N coins, anyone looking for bob's coins sees you no
longer have them. Anyone looking for Alice's coins sees they are still with
you. This is because it is FIFO, so the outgoing transaction is only spending
from Bob's coins.

------
nmca
I found the computerphile video odd, for reason's I hope I can elucidate
below:

1) It seemed to suggest that the increased precision given by this approach is
somehow surprising. It totally isn't? I mean, the difference between taint-all
(poison) and this approach is in the branching factor, you don't have to run
the experiment to see the outcome?

2) The choice of FIFO is very weird ( _I_ don't really care about the case
law.) For a given branching factor, surely there are numerous schemes that
could be considered, and they don't seem to discuss the merits of any others.
Off the top of my head LIFO seems to correspond much more naturally to
intuition, but I think there is a better answer than that. If a untainted
priority scheme was used, whereby tainted coins were always spent last from a
given balance, then this would have the effect of keeping the taint as close
as possible to the original thief, and separates the bizarre relationship
between cash-flow and culpability that FIFO introduces.

------
maxerickson
This is an interesting discussion of the precedent:

[http://thestudentlawyer.com/2012/04/17/a-critique-of-the-
rul...](http://thestudentlawyer.com/2012/04/17/a-critique-of-the-rule-in-
claytons-case/)

In the case, the funds transferred out of the account were treated as
"dissipated" and thus unrecoverable. The case was about deciding between
claims from innocent parties for money remaining in a mixed bank account,
which is quite a different activity than tracing the flow of the stolen value.

------
gesman
I think the better method would be FBIFO (no pun intended)

FBIFO = first bad coin in - first out. Presumption is that bad coins are urged
to be laundered first. So even if good and bad are mixing in - the bad ones
ought to be first out

------
dogma1138
What happens if the bad actor desides to spend some amount of the stolen
currency to taint random wallets?

~~~
rocqua
Those wallets spend the money, perhaps by burning it, and immediately become
untainted. I think this is why FIFO is a better system that LIFO.

~~~
dogma1138
But if they are tainted on what can they spend that money?

Say I have 10 BTC you transfer me 3 stolen ones I want to clean my wallet
where do I transfer those 3 BTC and what happens to that wallet?

What happens when you don’t actually notice that it happened and try to
purchase and item with your BTC? Do you get declined by the merchant because
some % of that was tainted? If so how do you get that translation reversed?

~~~
rocqua
If you get those 3 stolen coins, and don't want them. The easiest is to just
transfer them to a burn-address. If you fear people are ever going to demand
it back, either try to transfer it back, or transfer it to a separate holding
wallet. Authorities might also set up a special address for collecting these
kinds of coins.

This makes me think, what happens to fees? Suppose I take those 3 BTC and
'burn' it by creating a chain of 100 transactions, each with a fee of 10%? At
the end, all of the stolen coins have evaporated into fees. Are those fees
tainted?

If not, miners could try to white-wash coins this way.

------
lmeyerov
When first using Graphistry to analyze cryptocurrency transactions, a couple
years ago, we did a cool mix of temporal (vs 1816) + poisoning. Full taint
analysis... except only consider tainted after the first tainted transaction
date. We loaded the full blockchain into memory and then ran this on the Silk
Road bust. Real-time, pretty cool!

It worked quite nicely, and we quickly reproduced what showed up in court...
and with some fun extras. Combining the temporal (NOT 1816) and taint approach
was a good way to trace the incident. Superimposing on regular (atemporal)
taint analysis gives a broader view of the crime network beyond the individual
incident.

As folks are noting here, tumblers and exchanges still make this a mess, even
for 1816. They can go off-chain. However, those are generally where
governments want to intervene anyways. Either way, we traced the full
incidents, including how the silk road was moving money around, with our
approach.

If you're into this kind of thing, professionally or for fun, let us know!
Wouldn't be hard to repeat with more specific variants of 1816.

------
jacquesm
That's interesting, but it will still rely on some method of enforcement to do
something about it, the entire point of bitcoins existence seems to be to make
that harder.

~~~
rocqua
The obvious place for enforcement is exchange to fiat. In the end, one might
expect these tainted coins lose their value w.r.t. clean coins.

After all, some people will only accept coins that can be exchanged for fiat,
and everyone prefers coins that everyone else will accept.

------
AlexCoventry
> the results are impressive, with a massive improvement in precision

I'd be grateful if someone who's watched the video could explain what they're
measuring, here.

~~~
pdkl95
The previous method ("haircut" tainting) - wheretransactions from a wallet
with "bad" bitcoins are marked as "X% tainted" where X := (#bad_coins /
#total_coins) - quickly marked all the active bitcoins on the recent
blockchain as ~10% tainted.

With the new FIFO method, the tainting doesn't dilute as quickly. The give an
example of a "theft of about 1000 bitcoins in 2014 and trace it forward to
2016", poison tainting and haircut tainting affect ~1.5 million addresses.
With FIFO tainting, only 11,000 addresses are affected.

~~~
mannykannot
This 'solves' the problem of dilution, but it does not address the issue of
following the flow of tainted crypto-cash, because the root cause of that
problem is that bitcoin do not have identities (they are bosons, not
fermions?) This 'solution' is just one of several similar possible schemes
that arbitrarily assign a provenance to each atomic unit of the currency, and
is not fundamentally more sound than any other.

Any scheme like this is pointless without a mechanism to sanction the use of
'bad' bitcoin, and belongs in the realm of cryptocurrency regulation, not
blockchain mechanics. A scheme something like this does exist for banknotes,
in that if you are found to have a counterfeit bill, it will be confiscated.
The only reason this does not have a stifling effect on the use of paper money
is that the probability of this happening to you is slight.

------
legohead
I steal 100 bitcoins. I then transfer a satoshi to as many legit bitcoin
addresses I can find. Now any transaction those addresses make will be
illegal?

~~~
wmf
No, any money in those addresses that was there before your dirty satoshi
would still be considered clean. That's one of the claimed advantages of their
technique.

~~~
legohead
I get that, but the first transaction they make is considered dirty. So
everyone I transfered to is going to make an illegal transaction first thing
they do...

------
ikeboy
So if 2 good coins and 2 bad coins go into a UTXO, then that's split to a 3
coin and a 1 coin output, is the 1 coin tainted?

~~~
UncleEntity
Depends on which one is listed first.

    
    
      3 coin wallet containing 2 tainted coins and 1 clean coin
      1 tainted coin and 3 coin wallet containing 1 tainted coin

------
tigershark
If you want to get rich buying bitcoins you shouldn’t complain if you lose all
your money. We usually say “no pain no gain”, right?

