Skip to main content

Tools for the Investigation of Transactions in Underground Markets

Periodic Reporting for period 1 - TITANIUM (Tools for the Investigation of Transactions in Underground Markets)

Reporting period: 2017-05-01 to 2018-10-31

"TITANIUM will research, develop, deploy, and validate novel data-driven techniques and solutions designed to support Law Enforcement Agencies (LEAs) charged with investigating criminal or terrorist activities involving virtual currencies and/or underground markets in the darknet.

The need for such solutions becomes evident when regarding the skyrocketing number and diversity of criminal and terrorist activities and threats that rely on the pseudo-anonymous nature of virtual currencies and the secrecy of underground markets (e.g. DreamMarket), which are offered as hidden services via darknets (such as TOR, Freenet, or I2P). For example, law enforcement investigations increasingly concentrate on ransomware attacks that demand that users pay a ransom in Bitcoin. A similar trend can be observed in extortion cases where virtual currencies are extorted with the threat of sabotage. In underground markets virtual currencies facilitate trafficking of illicit goods, data, and services. Convertible virtual currencies that can be exchanged for real money or other virtual currencies are potentially vulnerable to money laundering and terrorist financing abuse. Theft of virtual currencies based on hacking- or insider-attacks has occurred frequently. In ""ransomware"" cases, people are urged to pay the ransom using virtual currencies. Finally, the dark web offers specialized underground markets for buying weapons for terrorist purposes and virtual currencies play a major role in such affairs. In general, such as activities are referred to as Internet Organized Crime and Terrorism (IOCT).

These activities clearly show that virtual currencies and darknet markets offer criminals a reliable and secret ecosystem for conducting illegitimate business transactions. This is also a key finding of the Europol 2015 Internet Organized Crime Threat Assessment, which reports that “Bitcoin is beginning to feature heavily in many EU law enforcement investigations, accounting for over 40% of all identified criminal-to-criminal payments” and predicts that “virtual currencies such as Bitcoin establish themselves as single common currency for cybercriminals.""

The expected result of TITANIUM is a set of “technology readiness level 6” (TRL 6) services and forensic tools, which operate within a privacy and data protection environment that is configurable to local legal requirements, and can be used by investigators for (i) monitoring virtual currency and darknet market ecosystems for trends and possible threats, (ii) tracking and tracing virtual currency transactions across ledgers, and (iii) generating court-proof evidence reports based on reproducible and legally compliant analytical procedures.

The tools are versatile enough to support a large number of “volume crime” investigations throughout Europe and, at the same time, enable coordinated actions against the international cybercriminal infrastructure with the aim of bringing their backers to justice. Forensic tools will be developed in an agile fashion in close collaboration with associated LEAs, which directly include five full and ten associated LEA partners, and indirectly include the extensive international law enforcement networks of Interpol and Europol. Tools will be deployed and tested in national Field Labs, which allow for continuous evaluation and validation of practical applicability as well as maintenance of legal and ethical compliance.
In general, work in the first eighteen project months has been carried out in two phases: first, the initial stakeholder requirements and the legal, ethical, and technical analysis of the project approach, and second, the initial development of tools and techniques to be tested in the Law Enforcement Agency (LEA) stakeholder Field Labs.

The first phase ended at the end of the first project year. During this year the LEA requirements were gathered and analyzed by the project Stakeholder Manager and distributed to the project developers as a classified Deliverable. The project legal and ethics experts defined the conditions for carrying out the project research in a manner conforming with European data protection and privacy issues, through, for example, a report describing the legal, societal and ethical issues raised by the TITANIUM design and development plan and recommended solutions for addressing these issues. Interpol provided a report on their legal framework for data processing and how this could be applied to data sharing issues within the project and with external LEAs. Domain experts authored a report on technical trends in IOCT, and the methodology for evaluating the Field Labs was defined.

In the context of project dissemination, during the first year the project's dissemination targets were fixed and reported on, the project website and social media presence were launched, and numerous press releases were distributed. In addition, partners have participated in and presented the project at numerous international workshops and other events. During this period, the project coordinator authored the project handbook and Data Management Plan.

During the second project phase, work was concentrated on the development of tools that fulfill the LEA requirements as well as the legal and ethical guidelines defined during the first project year. Hackathons were organized in order to facilitate communication between developers in different work packages and also between developers and stakeholders. This agile development approach also led to the authoring and release of and updated LEA technical requirements document.
Automated collection of multi-modal data from Darknet markets has results in updated crawling and scraping tools. Improvements on the state-of-the-art include privacy-preserving scrapers that focus on data minimization and anonymization. Additional work has been invested in the automatic resolution of ”Captcha” blockers, which will allow the scope of crawler to extend from collecting data from Darknet fora to collection from Darknet markets directly. There has also been progress towards forensic investigation of seized devices.

Novel methods and algorithmic methods and forensic tools for the automated analysis of virtual currencies have been best demonstrated in an number of scientific publications. Progress beyond the state of the art includes an analysis of the immutability of Smart Contract in Ethereum, a review of the Bitcoin Ransomware ecosystem, an study of the anonymity properties of Zcash, and an analysis of cross-ledger transactions through services such as Changley and Shapeshift. The most recent release of GraphSense, the most advanced open source virtual currency analytics platform, allows for the first time the analysis of multiple virtual currencies with the same platform: Bitcoin, Bitcoin Cash, and Litecoin.

Project-wide standards for the generation of court-proof evidence are under development (and have also been submitted as a scientific publication) and will be incorporated in tools during the second project period.

The expected impacts of TITANIUM are improved investigation capabilities for LEAs in virtual currency and darknet market analytics. As a result, crimes will be solved more rapidly and societal distress, impact on victims, and investigative costs will be reduced. The project will allow European SMEs to develop cutting edge tools, to access LEA markets, and to strengthen European innovation and competitiveness.
Abstract Project Representation
Project Logo