Bitcoin offers privacy -- as long as you don't cash out or spend it

Most users do not use sophisticated methods that would more deeply mask their transactions

On the surface, Bitcoin seems to be a great way to hide cash. Actually, it's a terrible way to launder money.

That's the conclusion of a new academic study that analyzed Bitcoin's blockchain, or the public ledger that records bitcoin transactions. The ledger shows how bitcoins move from one person to another, represented by 34-character alphanumeric addresses.

It's a sea of numbers without names. But researchers from the University of California at San Diego and George Mason University found it is a lot harder to convert bitcoins to cash -- or spend the bitcoins with a service -- and stay anonymous due to the ledger.

Most bitcoin users interact with a service to buy or sell the virtual currency. These days, most of those services want to know exactly who they're dealing with, especially as regulators around the world take an increasing interest in bitcoin.

Using special algorithms, the researchers were able to associate large numbers of seemingly anonymous bitcoins addresses with certain major services such as exchanges and payment processors, said Sarah Meiklejohn, a doctoral candidate in computer science at UC San Diego, who assisted in the research.

By analyzing those transactions, they found it is possible to somewhat deanonymize bitcoin users, opening up avenues through which investigators could reveal the people behind them.

For example, they linked more than 500,000 Bitcoin addresses with Mt. Gox, a popular exchange in Japan where users buy and sell bitcoins. Mt. Gox requires identification from its users, often including a scan of their passport. It wouldn't make sense for a hacker to cash out a large number of bitcoins there.

"We haven't uncovered the identity of the thief, but we've paved the way for law enforcement or an agency with subpoena power to do exactly that," Meiklejohn said.

The researchers analyzed details from bitcoin thefts. While there are sophisticated methods that can be used to cloud whether a bitcoin is indeed still held by a thief, many thieves became lazy after initially moving stolen funds around, Meiklejohn said.

"Maybe thieves and other criminals in the future are going to become a lot more sophisticated, but I think so far, people have not been particularly careful," she said.

Many bitcoin thefts have remained frozen: The victim saw what address their funds went to, but the funds have never moved, perhaps because the hacker is still mulling how to convert the virtual currency to cash or goods without being noticed.

Average bitcoin users appear to be unaware at how quickly their bitcoin spending could be linked back to them. The Silk Road, an online marketplace of mostly illicit goods, only accepts bitcoin.

"We saw a lot of people deposit into Silk Road directly from their Mt. Gox address," Meiklejohn said. In those cases, law enforcement would have minimal work to obtain the name of a user if they presented a legal order to Mt. Gox.

Money laundering is not impossible, but it is not particularly attractive with bitcoin. "It seems like an offshore account at this point would be a lot easier," she said.

Still, as long as bitcoin users are willing to take certain cumbersome steps, such as generating new bitcoin addresses for every transaction, staying off the exchanges and using other evasion techniques such as repeatedly forwarding funds, Bitcoin retains its privacy strengths.

"I do think inherently Bitcoin can provide you with a huge amount of anonymity, but the argument here is you have to work for it," Meiklejohn said. But most patterns of bitcoin use "indicate most users are falling short."

Meiklejohn co-authored the paper with Marjori Pomarole, Grant Jordan, Kirill Levchenko, Damon McCoy, Geoffrey M. Voelker and Stefan Savage.

Send news tips and comments to Follow me on Twitter: @jeremy_kirk

Join the CSO newsletter!

Error: Please check your email address.

Tags Internet-based applications and servicesMt. GoxsecurityUniversity of CaliforniaSan DiegoGeorge Mason Universityinternet

More about indeed

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Jeremy Kirk

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts