Tools for the Investigation of Transactions in Underground Markets

TITANIUM has researched, developed, deployed, and validated novel data-driven techniques and solutions designed to support Law Enforcement Agencies (LEAs) charged with investigating criminal or terrorist activities involving virtual currencies and/or underground markets in the darknet.

The need for such solutions becomes evident when regarding the skyrocketing number and diversity of criminal and terrorist activities and threats that rely on the pseudo-anonymous nature of virtual currencies and the secrecy of underground markets, which are offered as hidden services via darknets. The dark web offers specialized underground markets for buying weapons for terrorist purposes and virtual currencies play a major role in such affairs. Virtual currencies that can be exchanged for real money or other virtual currencies are vulnerable to money laundering and terrorist financing abuse. Theft of virtual currencies based on hacking- or insider-attacks has occurred frequently, and in new types of cybercrime like "ransomware" and "sextortion", victims are urged to pay criminals using virtual currencies.

TITANIUM provided law enforcement officers with better tools to improve their investigation capabilities and help solve crimes more rapidly, which in turn reduces societal distress, investigative costs and the impact on victims and their relatives.

The objectives of the project were: to analyse legal and ethical requirements and define guidelines for all results in order to store and process data, information, and knowledge involved in criminal investigations without compromising citizen privacy; to analyse technical characteristics of typical and emerging forms of Internet Organized Crime and Terrorism (IOCT) activities; to develop tools for automated multi-modal data collection from diverse sources; to provide novel algorithmic methods and forensic tools for automated analysis; to deploy, test and validate these tools in operational environments; and to provide training to improve the capabilities of LEAs across Europe with respect to darknet and virtual currency investigations.

Work in TITANIUM concentrated on the development of tools that fulfill the LEA requirements as well as the legal and ethical guidelines defined during the first project year. The resulting Toolset consists of six tools: the Ephemeral Monitor, the Deception Director, the Wallet Investigator, the Blockchain Investigator, Cointel and GraphSense.

The Ephemeral Monitor provides a presentation of micro-economic aspects of dark web marketplaces, including geographic distribution of advertisements, quantities and other commercial aspects of dark web marketplaces. The Deception Director supports investigations by building scenarios to obtain extra information about a suspect and help with its de-anonymization. The Wallet Investigator is a command-line tool that can secure evidence about cryptocurrency wallets from captured filesystem-based artifacts such as databases and configuration files.

The remaining tools are all cryptocurrency forensics tools that focus on different user groups and use cases. The Blockchain Investigator is a desktop application that focuses on the transaction view of cryptocurrencies, allowing offline analysis and graphically displaying transactions over time. Cointel is web application targeting users that are new to cryptocurrency investigations. GraphSense is an open source platform that provides a web-based search interface that currently supports Bitcoin, Bitcoin Cash, Litecoin, and Zcash. GraphSense is also based on an architecture tailored for researchers that enables customized large-scale analysis of entire blockchain ledgers. In contrast to the Blockchain Investigator, both Cointel and GraphSense focus on the view of addresses and entities and the monetary flows between them, rather than on individual transactions.

The Toolset in turn relied on numerous other project results; for example, the Ephemeral Monitor relies on adaptive scrapers and crawlers that gather data from darknet marketplaces. Various tools made use of new algorithms for de-anonymizing Zcash transactions and data extracted from cross-ledger mixing services. The Kriptosare service provided a means of categorizing virtual currency address clusters based on machine learning models. The Toolset was evaluated and validated in an operational environment through two sets of Field Labs, in which over one hundred law enforcement investigators have participated.

The project results are not limited to software tools. In addition to more than twenty scientific publications, the project has also produced important reports on the characteristics and developments of IOCT and a legal and ethical analysis of darknet/cryptocurrency investigations in general and the TITANIUM Toolset specifically.

The TITANIUM Toolset provides improved investigation capabilities for LEAs in virtual currency and darknet market analytics compared to simple methods presently used by many investigators. These low-cost and open source tools developed in the context of TITANIUM can compete with commercial tools in terms of total costs of ownership, and can therefore be provided to more investigators, leading to improved capabilities, more rapid and less expensive investigations for Europe as a whole, if not in every specific case. TITANIUM has also impacted European technological autonomy, with tools that are developed, maintained and hosted in Europe by European SMEs, which also strengthens European innovation and competitiveness.

The tools developed in the context of TITANIUM have made an impact on the prevention of terrorist endeavors in Europe. The Ephemeral monitor allows investigators to monitor darknet markets where the purchase of weapons or other illicit goods and services by terrorist organisations may take place. The cryptocurrency forensics tools allow the tracing of transactions in these markets across ledgers and to exchanges, as well as payments through online donation campaigns. The Deception Director provides a means for infiltrating and extracting additional information from identified online terrorist networks.

TITANIUM results support the identification and understanding of criminal activities. The project monitored and analysed ongoing developments in global IOCT using open source intelligence and input from the project’s network of LEA stakeholders and reported these results in deliverables and scientific publications. Algorithms were developed that allow experts to analyse money laundering across multiple ledgers using ShapeShift, and to analyse cryptocurrency-related cybercrimes such as ransomware and sextortion. Anomaly detection algorithms were developed in order to discover new patterns of criminal behaviour such as fake ICOs. The cryptocurrency forensics tools provide detailed views of cryptocurrency transactions across multiple ledgers. The Ephemeral Monitor allows investigators to monitor aggregate trends in underground markets.

The project has, in collaboration with the INTERPOL Darknet and Cryptocurrency Working group, proposed new global standards for the exchange of information used in forensic investigations. A first version of the developed taxonomies have been published in a human readable form and provided in various machine readable formats. In this way, the TITANIUM project laid an important cornerstone for global collaboration and data exchange.