If you buy something using links in our stories, we may earn a commission. This helps support our journalism. Learn more. Please also consider subscribing to WIRED
Just over a decade ago, Bitcoin appeared to many of its adherents to be the crypto-anarchist holy grail: truly private digital cash for the internet.
Satoshi Nakamoto, the cryptocurrencyâs mysterious and unidentifiable inventor, had stated in an email introducing Bitcoin that âparticipants can be anonymous.â And the Silk Road dark-web drug market seemed like living proof of that potential, enabling the sale of hundreds of millions of dollars in illegal drugs and other contraband for bitcoin while flaunting its impunity from law enforcement.
This is the story of the revelation in late 2013 that Bitcoin was, in fact, the opposite of untraceableâthat its blockchain would actually allow researchers, tech companies, and law enforcement to trace and identify users with even more transparency than the existing financial system. That discovery would upend the world of cybercrime. Bitcoin tracing would, over the next few years, solve the mystery of the theft of a half-billion dollar stash of bitcoins from the worldâs first crypto exchange, help enable the biggest dark-web drug market takedown in history, lead to the arrest of hundreds of pedophiles around the world in the bust of the dark webâs largest child sexual abuse video site, and result in the first-, second-, and third-biggest law enforcement monetary seizures in the history of the US Justice Department.
That 180-degree flip in the worldâs understanding of cryptocurrencyâs privacy properties, and the epic game of cat-and-mouse that followed, is the larger saga that unfolds in the book Tracers in the Dark: The Global Hunt for the Crime Lords of Cryptocurrency, out this week in paperback.
All of it began when a young, puzzle-loving mathematician named Sarah Meiklejohn started to pull out traceable patterns in the apparent noise of Bitcoinâs blockchain. This excerpt from Tracers in the Dark reveals how Meiklejohn came to the discoveries that would launch that new era of crypto criminal justice.
In early 2013, the shelves of a windowless storage room in a building of the University of California, San Diego, began to fill up with strange, seemingly random objects. A Casio calculator. A pair of alpaca wool socks. A small stack of Magic: The Gathering cards. A Super Mario Bros. 3 cartridge for the original Nintendo. A plastic Guy Fawkes mask of the kind popularized by the hacker group Anonymous. An album by the classic rock band Boston on CD.
Periodically, the door would open, the light would turn on, and a petite, dark-haired graduate student named Sarah Meiklejohn would enter the room and add to the growing piles of miscellaneous artifacts. Then Meiklejohn would walk back out the door, down the hall, up the stairs, and into an office she shared with other graduate students at the UC San Diego computer science department. One wall of the room was almost entirely glass, and it looked out onto the sunbaked vista of Sorrento Valley and the rolling hills beyond. But Meiklejohnâs desk faced away from that expanse. She was wholly focused on the screen of her laptop, where she was quickly becoming one of the strangest, most hyperactive Bitcoin users in the world.
Meiklejohn had personally purchased every one of the dozens of items in the bizarre, growing collection in the UCSD closet using bitcoin, buying each one almost at random from a different vendor who accepted the cryptocurrency. And between those ecommerce orders and trips to the storage room, she was performing practically every other task that a person could carry out with bitcoin, all at once, like a kind of cryptocurrency fanatic having a manic episode.
She moved money into and out of 10 different bitcoin wallet services and converted dollars to bitcoins on more than two dozen exchanges such as Bitstamp, Mt. Gox, and Coinbase. She wagered those coins on 13 different online gambling services, with names like Satoshi Dice and Bitcoin Kamikaze. She contributed her computerâs mining power to 11 different mining âpools,â groups that collected usersâ computing power for mining bitcoins and then paid them a share of the profits. And, again and again, she moved bitcoins into and then out of accounts on the Silk Road, the first-ever dark-web drug market, without ever actually buying any drugs.
In all, Meiklejohn carried out 344 cryptocurrency transactions over the course of a few weeks. With each one, she carefully noted on a spreadsheet the amount, the Bitcoin address she had used for it, and then, after digging up the transaction on the Bitcoin blockchain and examining the public record of the payment, the address of the recipient or sender.
Meiklejohnâs hundreds of purchases, bets, and seemingly meaningless movements of money were not, in fact, signs of a psychotic break. Each was a tiny experiment, adding up to a study of a kind that had never been attempted before. After years of claims about Bitcoinâs anonymityâor lack thereofâmade by its users, its developers, and even its creator, Meiklejohn was finally putting its privacy properties to the test.
All of her meticulous, manual transactions were time-consuming and tedious. But Meiklejohn had time to kill: As she was carrying them out and recording the results, her computer was simultaneously running queries on a massive database stored on a server that she and her fellow UCSD researchers had set up, algorithms that sometimes took as long as 12 hours to spit out results. The database represented the entire Bitcoin blockchain, the roughly 16 million transactions that had occurred across the entire Bitcoin economy since its creation four years earlier. For weeks on end, Meiklejohn combed through those transactions while simultaneously tagging the vendors, services, markets, and other recipients on the other end of her hundreds of test transactions.
When she had started that process of probing the Bitcoin ecosystem, Meiklejohn had seen her work almost as anthropology: What were people doing with bitcoin? How many of them were saving the cryptocurrency versus spending it? But as her initial findings began to unfold, she had started to develop a much more specific goal, one that ran exactly counter to crypto-anarchistsâ idealized notion of bitcoin as the ultimate privacy-preserving currency of the dark web: She aimed to prove, beyond any doubt, that bitcoin transactions could very often be traced. Even when the people involved thought they were anonymous.
As Meiklejohn painstakingly fiddled with bitcoins and watched the digital trails they created, she found herself having flashbacks to a particular day, decades earlier, in her motherâs downtown Manhattan office. That morning, Meiklejohn and her mother had taken the subway together, all the way from their Upper West Side apartment near the American Museum of Natural History to the federal building at Foley Square, across from the cityâs intimidating, stone-columned courthouses.
Meiklejohn was still in elementary school, but it was take-your-daughter-to-work day, and Meiklejohnâs mother was a federal prosecutor. Over the years that followed, the elder Meiklejohn would make her career taking on contractors who were bilking the city government out of tax dollarsâbribing government staffers to choose overpriced school food or street-paving servicesâor else banks colluding to sell low-performing investments to the cityâs financiers. Many of her targets in those corruption probes would be sentenced to years in prison.
That day in the Justice Departmentâs New York office, Sarah Meiklejohn, not yet 10 years old, was put to work. She was assigned to comb through a pile of paper checks, searching for clues of a corrupt kickback scheme in one of her motherâs investigations.
It was that feeling, the drive to manually assemble tiny data points that built into a larger picture, that would give Meiklejohn a kind of déjà vu 20 years later as she studied the Bitcoin blockchain, even before she consciously knew what she was doing.
âSomewhere in the back of my mind was this idea,â says Meiklejohn, âthe idea of following the money.â
As a child, Meiklejohn loved puzzlesâthe more complex, the better. On road trips, in airports, or any other time the small-for-her-age, hyper-inquisitive girl needed to be distracted, her mother would hand her a book of puzzles. One of the first websites Meiklejohn remembers visiting on the nascent World Wide Web was a GeoCities page devoted to deciphering the Kryptos sculpture on the campus of the CIA, whose copper, ribbonlike surface contained four coded messages that even the cryptanalysts at Langley hadnât been able to crack. By the age of 14 she would finish the New York Times crossword puzzle every day of the week.
On a vacation to London, Meiklejohnâs family visited the British Museum, and Meiklejohn became fixated on the Rosetta stone, along with the broader notion of ancient languagesâthe remnants of entire culturesâthat could be deciphered if the puzzler simply found the right key. Soon she was reading about Linear A and Linear B, a pair of written scripts used by the Minoan civilization on Crete until roughly 1500 BC. Linear B had been deciphered only in the 1950s, thanks in large part to a classicist at Brooklyn College named Alice Kober who labored in obscurity over samples of the Bronze Age language for 20 years, writing her notes on 180,000 index cards.
Meiklejohn became so obsessed with Linear A and B that she persuaded a teacher at her middle school to organize an evening seminar on the subject (only she and one friend attended). More tantalizing than even the story of Alice Koberâs work on Linear B, for Meiklejohn, was the fact that no one had been able to decipher Linear A, even after a century of study. The best puzzles of all were the ones that had no answer keyâthe ones for which no one even knew if a solution existed.
When Meiklejohn started college at Brown in 2004, she discovered cryptography. This branch of computer science appealed directly to her puzzle addictionâwhat was an encryption system, after all, but another secret language demanding to be deciphered?
There was a maxim in cryptography, often referred to as Schneierâs law after the cryptographer Bruce Schneier. It asserted that anyone can develop an encryption system clever enough that they canât themselves think of a way to break it. Yet, like all the best conundrums and mysteries that had fascinated Meiklejohn since childhood, another person with a different way of approaching a cipher could look at that âunbreakableâ system and see a way to crack it and unspool a whole world of decrypted revelations.
Studying the science of ciphers, Meiklejohn began to recognize the importance of privacy and the need for surveillance-resistant communications. She was not quite a cypherpunk: The intellectual appeal of building and breaking codes drove her more than any ideological drive to defeat surveillance. But like many cryptographers, she nonetheless came to believe in the need for truly unbreakable encryption, technologies that could carve out a space for sensitive communicationsâwhether dissidents organizing against a repressive government or whistleblowers sharing secrets with journalistsâwhere no snoop could reach. She credited her intuitive acceptance of that principle to her years as a teenager who kept to herself, trying to maintain her own privacy in a Manhattan apartment, with a federal prosecutor for a mother.
Meiklejohn showed real talent as a cryptographer and soon became an undergraduate teaching assistant to Anna Lysyanskaya, a brilliant and highly accomplished computer scientist. Lysyanskaya had herself studied under the legendary Ron Rivest, whose name was represented by the R in the RSA algorithm that formed the basis for most modern encryption, used everywhere from web browsers to encrypted email to instant messaging protocols. RSA was one of the few fundamental encryption protocols that had not succumbed to Schneierâs law in more than 30 years.
Lysyanskaya was at the time working on a pre-Bitcoin cryptocurrency called eCash, first developed in the 1990s by David Chaum, a cryptographer whose groundbreaking work on anonymity systems had made possible technologies from VPNs to Tor. After finishing her undergraduate degree, Meiklejohn began a masterâs degree at Brown under Lysyanskayaâs wing, researching methods to make Chaumâs eCash, a truly anonymous payment system, more scalable and efficient.
The cryptocurrency scheme they were laboring to optimize was, Meiklejohn admits in hindsight, difficult to imagine working in practice. Unlike Bitcoin, it had a serious problem: An anonymous spender of eCash could essentially forge a coin and pass it off to an unsuspecting recipient. When that recipient deposited the coin at a kind of eCash bank, the bank could perform a check that would reveal the coin to be a forgery and the fraudsterâs anonymity protections could be stripped away to reveal the identity of the bad actor. But by then, the fraudster might have already run off with their ill-gotten goods.
Still, eCash had a unique advantage that made it a fascinating system to work on: The anonymity it offered was truly uncrackable. In fact, eCash was based on a mathematical technique called zero-knowledge proofs, which could establish the validity of a payment without the bank or recipient learning anything else at all about the spender or their money. That mathematical sleight of hand meant that eCash was provably secure. Schneierâs law did not apply: No amount of cleverness or computing power would ever be able to undo its anonymity.
When Meiklejohn first heard about Bitcoin in 2011, she had started her PhD studies at UCSD but was spending the summer as a researcher at Microsoft. A friend at the University of Washington had mentioned to her that there was a new digital payment system that people were using to buy drugs on sites like the Silk Road. Meiklejohn had moved on from her eCash studies by then; she was busy with other researchâsystems that would allow people to pay road tolls without revealing their personal movements, for instance, and a thermal camera technique that revealed PIN codes typed into an ATM by looking for heat remnants on the keypad. So, with heads-down focus, she filed Bitcoinâs existence away in her brain, barely considering it again for the next year.
Then, one day on a UCSD computer science department group hike in late 2012, a young UCSD research scientist named Kirill Levchenko suggested to Meiklejohn that perhaps they should start looking into this burgeoning Bitcoin phenomenon. Levchenko was fascinated, he explained as they trekked around the jagged landscape of the Anza Borrego Desert State Park, by Bitcoinâs unique proof-of-work system. That system demanded that anyone who wanted to mine the currency expend enormous computing resources performing calculationsâ essentially a vast, automated puzzle-solving competitionâwhose results were then copied into transactions on the blockchain. By then, ambitious bitcoiners were already developing custom mining microprocessors just for generating this strange new form of money, and Bitcoinâs ingenious system meant that any single bad actor who might want to write a false transaction into the blockchain would have to use a collection of computers that possessed more computational power than all those many thousands of miners. It was a brilliant approach that added up to a secure currency with no central authority.
Considering Bitcoinâs mechanics for the first time, Meiklejohn was intrigued. But when she got home from the hike and began poring over Satoshi Nakamotoâs Bitcoin white paper, it immediately became clear to her that Bitcoinâs trade-offs were the exact opposite of the eCash system she knew so well. Fraud was prevented not by a kind of after-the-fact forgery analysis carried out by a bank authority but with an instantaneous check of the blockchain, the unforgeable public record of who possessed every single bitcoin.
But that blockchain ledger system came at an enormous privacy cost: In Bitcoin, for good and for ill, everyone was a witness to every payment. Yes, identities behind those payments were obscured by pseudonymous addresses, long strings of between 26 and 35 characters. But to Meiklejohn, this seemed like an inherently dangerous sort of fig leaf to hide behind. Unlike eCash, whose privacy protections offered snoops no hint of revealing information to latch onto, Bitcoin offered an enormous collection of data to analyze. Who could say what sorts of patterns might give away users who thought they were cleverer than those watching them?
âYou could never prove anything about the privacy properties of this system,â Meiklejohn remembers thinking. âAnd so as a cryptographer, the natural question was, if you canât prove itâs private, then what attacks are possible? If you donât get privacy, what do you get?â
The temptation was more than Meiklejohn could resist. The blockchain, like a massive, undeciphered corpus of an ancient language, hid a wealth of secrets in plain view.
When Meiklejohn began digging into the blockchain in late 2012, she started with a very simple question: How many people were using bitcoin?
That number was much harder to pin down than it might seem. After downloading the entire blockchain onto a UCSD server and organizing it into a database that she could query, like a gargantuan, searchable spreadsheet, she could see that there were more than 12 million distinct Bitcoin addresses, among which there had been nearly 16 million transactions. But even amid all that activity, there were plenty of recognizable events in Bitcoinâs history visible to the naked eye. Spenders and recipients might have been hidden behind pseudonymous addresses, but some transactions were unmistakable, like distinctive pieces of furniture hidden under thin sheets in someoneâs attic.
She could see, for instance, the nearly 1 million bitcoins that were mined by Satoshi in the early days of the cryptocurrency, before others started using it, as well as the first transaction ever made when Satoshi sent 10 coins as a test to the early Bitcoin developer Hal Finney in January 2009. She spotted, too, the first payment with real value, when a programmer named Laszlo Hanyecz famously sold a friend two pizzas for 10,000 bitcoins in May 2010 (as of this writing worth hundreds of millions of dollars).
Plenty of other addresses and transactions had been recognized and widely discussed on forums like Bitcointalk, and Meiklejohn spent hours cutting and pasting long strings of characters into Google to see if someone had already claimed credit for an address or if other Bitcoin users had been gossiping about certain high-value transactions. By the time Meiklejohn began to look, anyone with enough interest and patience to wade through a sea of garbled addresses could see money transfers between mysterious parties just beneath the surface of the blockchainâs obfuscation that, even at the time, were often worth small fortunes.
Getting beyond that obfuscation, however, was the real challenge. Sure, Meiklejohn could see transactions between addresses. But the problem was drilling down further, definitively drawing a boundary around the bitcoin hoard of any single person or organization. A user could have as many addresses as they chose to create with one of the many wallet programs that managed their coinsâlike a bank that allows you to spread your wealth across as many accounts as you liked, creating new ones with a mouse click. Plenty of those programs even automatically generated new addresses every time the user received a bitcoin payment, adding to the confusion.
Still, Meiklejohn was sure that searching for patterns in the mess of transactions would allow her to untangle at least some of them. In Satoshi Nakamotoâs own original white paper, Meiklejohn recalled that he had briefly alluded to a technique that could be used to collapse some addresses into single identities. Often, a single bitcoin transaction has multiple âinputsâ from different addresses. If someone wants to pay a friend 10 bitcoins but holds those coins at two different addresses of five coins each, the spenderâs wallet software creates a single transaction that lists the two five-coin addresses as inputs and the address receiving 10 coins as the output. To make the payment possible, the payer would need to possess both of the so-called secret keys that allow the five coins at each address to be spent. That means anyone looking at the transaction on the blockchain can reasonably identify both of the input addresses as belonging to the same person or organization.
Satoshi had hinted at the privacy dangers this introduced. âSome linking is still unavoidable with multi-input transactions, which necessarily reveal that their inputs were owned by the same owner,â Satoshi wrote. âThe risk is that if the owner of a key is revealed, linking could reveal other transactions that belonged to the same owner.â
So, as Meiklejohnâs first step, she simply tried the technique Satoshi had inadvertently suggestedâacross every bitcoin payment ever carried out. She scanned her blockchain database for every multi-input transaction, linking all of those double, triple, or even hundredfold inputs to single identities. The result immediately reduced the number of potential Bitcoin users from 12 million to date to around 5 million, slicing away more than half of the problem.
Only after that initial stepâpractically a freebieâdid Meiklejohn switch her brain into true puzzle-solving mode. Like a 20th-century archaeologist scanning hieroglyphics for identifiable words or phrases that might help to decipher a passage of text, she began to hunt through Bitcoinâs transactions for other clues that might reveal identifying information. Messing around with bitcoin walletsâmaking test payments to herself and her colleaguesâshe began to understand a quirk of the cryptocurrency. Many bitcoin wallets only allowed spenders to pay the entire amount of coins sitting at a certain address. Each address was like a piggy bank that has to be smashed open to spend the coins inside. Spend less than the whole amount in that piggy bank and the leftovers have to be stored in a newly created piggy bank.
This second piggy bank, in Bitcoinâs system, is called a âchangeâ address: When you pay someone 6 bitcoins from a 10-coin address, 6 coins go to their address. Your change, 4 coins, is stored at a new address, which your wallet software creates for you. The challenge, when looking at that transaction on the blockchain as a sleuthing observer, is that the recipientâs address and the change address are both simply listed as outputs, with no label to tell them apart.
But sometimes, Meiklejohn realized, spotting the difference between the change address and the recipient address was easy: If one address had been used before and the other hadnât, the second, totally fresh address could only be the change addressâa piggy bank that had materialized on the spot to receive leftover coins from the one that had just been shattered. And that meant these two piggy banksâthe spenderâs address and the change addressâmust belong to the same person.
Meiklejohn began to apply that change-making lens, looking for instances where she could link spenders and the remainders of their payments. She began to see how powerful the simple act of tracking bitcoin change could be: In instances where she couldnât distinguish a recipient address from a change address, she would be stuck at a fork in the road with no signposts. But if she could link change addresses to the addresses they had split off from, she could make her own signposts. She could follow the money despite its branching paths.
The result was that Meiklejohn could now link together entire chains of transactions that had previously been unlinked: A single sum of coins would move from change address to change address as the spender paid fractions of the total pile of coins in one small payment after another. The remainder of the pile might move to a fresh address with each payment, but those addresses must all represent the transactions of a single spender.
Sheâd come to refer to those chains of transactions as âpeeling chainsâ (or sometimes just âpeel chainsâ). She thought of them like someone peeling bills off a roll of dollar bills: Though the roll of bills might be put back in a different pocket after a bill was peeled off and spent, it was still fundamentally one wad of cash with a consistent owner. Following these peeling chains opened avenues to trace the digital moneyâs movements like never before.
Meiklejohn now had two clever techniques, both of which were capable of linking multiple Bitcoin addresses to a single person or organization, what she came to call âclustering.â What had initially looked like disparate addresses could now be connected into clusters that encompassed hundreds or, in some cases, even thousands of addresses.
Already, she was tracing bitcoins in ways that many of the cryptocurrencyâs users wouldnât have believed possible. But following coins didnât necessarily mean understanding who owned them. The identities behind those coins remained a mystery, and each of her clusters remained just as pseudonymous as the single, disconnected addresses had been originally. To put a name to those clusters, she began to realize, sheâd have to take a much more hands-on approach: not simply observing the artifacts of the Bitcoin economy after the fact like an archaeologist, but becoming a player in it herselfâin some cases, an undercover one.
Searching for guidance in her budding Bitcoin research, Meiklejohn turned to Stefan Savage, a UCSD professor who was on the other end of the spectrum from the deeply mathematical cryptography research Meiklejohn had spent years on. Savage was a hands-on, empirical researcher, more interested in real-world experiments with real-world results than abstractions. He had been one of the lead advisers of a now-legendary team of researchers who had first shown it was possible to hack a car over the internet, demonstrating to General Motors in 2011 that his team could remotely take over a Chevy Impalaâs steering and brakes via the cellular radio in its OnStar system, a shocking feat of hacker wizardry.
More recently, Savage had helped lead a group that included Kirill Levchenkoâthe scientist whoâd introduced Meiklejohn to Bitcoin on their desert hikeâworking on a massively ambitious project to track the spam email ecosystem. In that research, as with the earlier car-hacking breakthrough, Savageâs team hadnât been afraid to get their hands dirty: Theyâd collected hundreds of millions of web links in junk marketing emails, mostly ones intended to sell real and fake pharmaceuticals. Then, as Savage describes it, they acted out the role of âthe worldâs most gullible person,â using bots to click through on every one of those links to see where they led and spending more than $50,000 on the products the spammers were hawkingâall while working with a cooperative credit card issuer to trace the funds and see which banks ended up with the money.
Several of those shady banks were ultimately shut down as a result of the researchersâ tracing work. As another UCSD professor working on the project, Geoffrey Voelker, described it at the time, âOur secret weapon is shopping.â
So when Meiklejohn began talking over her Bitcoin tracking project with Savage, the two agreed she should take the same approach: She would manually identify Bitcoin addresses one by one by doing transactions with them herself, like a cop on the narcotics beat carrying out buy-and-busts.
Thatâs how Meiklejohn found herself in the early weeks of 2013 ordering coffee, cupcakes, trading cards, mugs, baseball hats, silver coins, socks, and a closetâs worth of other truly random objects from online vendors who accepted bitcoin; joining more than a dozen mining collectives; fiendishly gambling bitcoins at every online crypto casino she could find; and moving bitcoins into and out of accounts on practically every existing bitcoin exchangeâand the Silk Roadâagain and again.
The hundreds of addresses Meiklejohn identified and tagged manually with those 344 transactions represented only the tiniest fraction of the overall bitcoin landscape. But when she combined her address tagging with her chaining and clustering techniques, many of those tags suddenly identified not just a single address but an enormous cluster belonging to the same owner. With just a few hundred tags, she had put an identity to more than a million of Bitcoinâs once-pseudonymous addresses.
With just the 30 addresses she had identified by moving coins into and out of Mt. Gox, for instance, she could now link more than 500,000 addresses to the exchange. And based on just four deposits and seven withdrawals into wallets on the Silk Road, she was able to identify nearly 300,000 of the black marketâs addresses. This breakthrough didnât mean Meiklejohn could identify any actual users of the Silk Road by name, nor could she unmask, of course, the mysterious kingpin of that site, the ultra libertarian Dread Pirate Roberts. But it would directly contradict DPRâs claims to me that his Bitcoin âtumblerâ system could prevent observers from even seeing when users moved cryptocurrency into and out of their Silk Road accounts.
When Meiklejohn brought her results back to Savage, her adviser was impressed. But as they began to plan to publish a paper on her findings, he wanted a concrete demonstration for readers, not a bunch of arcane statistics. âWe need to show people,â Meiklejohn remembers him saying, âwhat these techniques can actually do.â
So Meiklejohn went a step further: She began to look for specific bitcoin transactions she could trackâparticularly criminal ones.
As Meiklejohn had trawled cryptocurrency forums for discussions of interesting addresses worth scrutinizing, one mysterious mountain of money in particular stood out: This single address had, over the course of 2012, accumulated 613,326 bitcoinsâ5 percent of all the coins in circulation. It represented around $7.5 million at the time, a figure nowhere near the billions it would represent today, but a heady sum nonetheless. Rumors among Bitcoin users suggested that the hoard was possibly a Silk Road wallet, or perhaps the result of an unrelated, notorious Bitcoin Ponzi scheme carried out by a user known as pirate@40.
Meiklejohn couldnât say which of the two rumors might be correct. But with her clustering techniques, she could now follow that giant sum of cryptocurrency. She saw that after conspicuously gathering at one address, the pile of money had been broken up in late 2012 and sent on forking paths around the blockchain. Meiklejohnâs understanding of peel chains meant she could now trace those sums of hundreds of thousands of bitcoins as they split, distinguishing the amount that remained in the control of the initial owner from the smaller sums that were peeled off in subsequent payments. Eventually, several of those peel chains led to exchanges like Mt. Gox and Bitstamp, where they seemed to be cashed out for traditional currency. For an academic researcher, this was a dead end. But anyone with the subpoena power of law enforcement, Meiklejohn realized, could very likely force those exchanges to hand over information about the accounts behind those transactions and solve the mystery of the $7.5 million stash.
Looking for more coins to hunt, Meiklejohn turned her focus to another sort of dirty money. Large-scale cryptocurrency heists were, in early 2013, a growing epidemic. After all, bitcoin was like cash or gold. Anyone who stole a Bitcoin addressâs secret key could empty out that address like a digital safe. Unlike with credit cards or other digital payment systems, there was no overseer who could stop or reverse the moneyâs movement. That had made every bitcoin business and its stash of crypto revenue a ripe target for hackers, especially if the holders of those funds made the mistake of storing their secret keys on internet-connected computersâthe equivalent of carrying six- or seven-figure sums of cash in their pockets while strolling through a dangerous neighborhood.
Meiklejohn found a thread on Bitcointalk that listed addresses of many of the biggest, most conspicuous crypto thefts in recent memory, and she began to follow the money. Looking at a robbery of 3,171 coins from an early bitcoin gambling site, she immediately found she could trace the stolen funds across no fewer than ten hops, from address to address, before different branches of the money were cashed out at exchanges. Another theft of 18,500 bitcoins from the exchange Bitcoinica similarly led her along a winding series of peel chains that ended at three other exchanges, where the robbers were no doubt cashing in their ill-gotten gains. Sitting in front of Meiklejohn, on her screen, was a bonanza of leads, each just waiting for any actual criminal investigator with a handful of subpoenas to follow them.
Now, when Meiklejohn showed Savage her results, he agreed: They were ready to publish.
In the final draft of the paper Meiklejohn and her coauthors put together, they definitively stated conclusionsâbased for the first time on solid, empirical evidenceâthat flew in the face of what many Bitcoin users believed at the time: Far from being untraceable, they wrote, the blockchain was an open book that could identify vast swaths of transactions between people, many of whom thought they were acting anonymously.
âEven our relatively small experiment demonstrates that this approach can shed considerable light on the structure of the Bitcoin economy, how it is used, and those organizations who are party to it,â the paper read. âWe demonstrate that an agency with subpoena power would be well placed to identify who is paying money to whom. Indeed, we argue that the increasing dominance of a small number of Bitcoin institutions (most notably services that perform currency exchange), coupled with the public nature of transactions and our ability to label monetary flows to major institutions, ultimately makes Bitcoin unattractive today for high-volume illicit use such as money laundering.â
Having set down those words, and blowing a gaping hole in the myth of Bitcoinâs inherent untraceability, Meiklejohn, Savage, and her other adviser Geoffrey Voelker started brainstorming a clever title. In an homage to the Wild West of the economy they were chroniclingâand her advisersâ mutual love of spaghetti Westernsâthey started with the phrase âA Fistful of Bitcoins,â an allusion to the 1960s Clint Eastwood classic A Fistful of Dollars. They settled on a subtitle that evoked both Eastwoodâs most famous cowboy vigilante and the world of shadowy figures their nascent techniques could unmask. When the UCSD paper hit the internet in August 2013, it was introduced with a description that, to those involved, had come to seem inevitable: âA Fistful of Bitcoins: Characterizing Payments Among Men with No Names.â
In the new era of cryptocurrency tracing that would follow Meiklejohnâs work, they wouldnât remain nameless for long.
Adapted from the book Tracers in the Dark: The Global Hunt for the Crime Lords of Cryptocurrency. Copyright © 2022 by Andy Greenberg.
Updated: 1/19/2024, 12:25pm EST: This story has been updated to better characterize that Meiklejohn was not the first researcher to work on blockchain analysis and user privacy. A footnote in Tracers in the Dark credits prior work, which did suggest a lack of anonymity in the Bitcoin blockchain but didnât go as far as Meiklejohnâs research.
Let us know what you think about this article. Submit a letter to the editor at [email protected].