In the battle to link real-world criminals to anonymous bitcoin transactions, Chainalysis has found an edge: a block explorer website that scrapes visitors’ internet protocol (IP) addresses.
According to recently leaked documents that were reviewed, Chainalysis, the largest of the blockchain tracing firms, owns and operates walletexplorer.com. Like other block explorers, the service lets anyone view the history of public cryptocurrency wallet addresses. The company figures that bad actors would use its site to check transactions without fear of “leaving a ‘footprint’” on crypto exchanges, the documents said.
But where the exchanges – and presumably most block explorers – have no eyes, the company has set its sights. According to the documents, Chainalysis “‘scrapes’ the IP addresses of suspicious” users that fall into the walletexplorer.com honeypot.
Chainalysis leaked document
The document is in Italian and it says:
“Using this dataset we were able to provide law enforcement with meaningful leads related to the IP data associated with an address,”
“It is also possible to conduct a reverse lookup on any known IP address to identify other BTC addresses.”
In doing this, it has weaponized an unassuming website without disclosing its ties to it. The company has never publicly associated itself with walletexplorer.com, although a note at the bottom of the site’s homepage says its “author” works at Chainalysis. The website was created in 2014, according to site registration documents.
A company spokesperson has declined to comment on this.
The documents are from an undated presentation made to Italian police investigating the dark web, and they appeared late Monday on DarkLeaks, which is itself a dark web site accessible only through the anonymizing network Tor. We have verified the documents’ authenticity.
The slide deck shines light on the range of tools that Chainalysis uses to assist law enforcement in nabbing illicit actors. The company is known for parsing publicly available transaction data rather than using subterfuge.
According to the leaked slides, this honeypot works. Chainalysis cited a June 2020 case in which walletexplorer.com nabbed a ransomware suspect’s IP address – hours after they were suspected of depositing funds through the OTC desk of cryptocurrency exchange Huobi.