Wednesday, May 13, 2015

Millions, Billions, or Trillions?

21 Inc. is the current highest raising Bitcoin startup in the market.  But they weren't always "21" because they started out as 21E6, an allusion to the theoretical maximum number of bitcoins from block rewards.  Why did they drop the geeky calculator reference to millions?  My theory is that it has to do with the fact they aren't slinging bitcoins, but instead millibits.  So 21E9 was briefly on the table.  But then the VCs caught the vision and realized that one day they would just be slinging bits. And since a bit is on thousandth of a millibit then the name would be a palandromesque 21E12, except I think that many people in bitcoin aren't that good with math and flip signs in strange places, resulting in one thousand bits being a millibit.  So I think at this point the marketing people stepped in and realized that some people interested in bitcoin like to gamble (I mean look at how many clones Satoshi Dice spawned!) so they just went with a gambling reference and went with 21.  However the motto of "Bitcoin, but with IoT and blackjack!" didn't make it past the nerd culture test because it didn't have the right hook.

CoinDesk Reveals Real Data on 21

While the previous paragraph was entirely satirical CoinDesk did get some real news on 21 via a video that was leaked to them.  I won't go over the details of that article and would reccomend you go there to read the news (if you haven't done so already).  But embedded in there was a gem:  three addresses used in demos posted by 21E6: 1M9ZeS...9x6z1hs2xK...Fryy, and 1MaQHC..sd1d.  With these three addresses we can ferret out a little bit more information from the blockchain.
Addresses from CoinDesk Article [numisgraph]
The addresses show two very important trails we can follow.  First, the privacy sin of a self-spending address is exposed from all three addresses.  Second, we see the first of several large sweeps, revealing control of other transaction chains.

Self Spending Wallet 1A8x13

Whenever I give a public talk I make it clear that re-using addresses is the first and greatest privacy sin.  If you want privacy don't reuse your addresses.  And if you send your change to the same address you are spending it from, you make analysis such as this absolute child's play.  I have no idea why they chose to us a self spending wallet, but this is a major privacy faux pas.

Peeling Chain of 18Ax13 wallet [numisgraph]
This wallet was seeded twice from CoinBase (not 21's mining pool).  Those are the orange transactions.  The peeling chain formed by the wallet feeds into one of four sweeping transactions where we can, via input clustering, presume the contents of other participant peeling chains in the demos.  Those are the purple transactions.  The yellow transactions are the peeling transactions and the one lone green transaction represents some unspent bitcoins that survived the many VC pitches.

4 large sweeps, one unswept chain

From the other related links, I have identified 5 large peeling chains that fed into this cluster of demos. You can download the fully expanded graph [png][numisgraph] or the graph with the sweeping transactions removed [png][numisgrpah].  These images are too large for me to link into this blogpost with a straight face.

From this we can see that there were about 5 wallets used to perform the various demos, as well as payments directly from CoinBase in some of the demos.  Three of the wallets were funded from CoinBase and two of the wallets were funded from two of the sweeps transactions that were previously identified.  One of the peeling chains has not been swept, so it is only presumed it was used either in a demo or as part of a QA process right before everyone took the week off for thanksgiving.

These sweep transactions do not, in my opinion, represent multiple wallets on the back end.  There are shared addresses between the first and second sweep transaction, and since some of the chains were feed off of these two sweeps it leads me to believe they were recycling bitcoins to be used for the demos, and the third and fourth wallet sweep are from the same wallet.  One of the final sweeps actually returned bitcoins to CoinBase as well.

The transactions also tended to clump together in time.  However I am hesitant to draw any conclusions about how many VC pitches they did from this demo.  Having been in that game before I know that the demo is practiced many times before the first meeting.  The video was also showing a canned demonstration of sorts, so the early October clusters were likely the result of multiple practice sessions.  And then, when you consider that live demos for pitch meetings can go way off the rails and spawn multiple due diligence meetings then this presumptive analysis without other data (like an executive's travel itinerary) quickly becomes worthless.  That being said if I had to go to two or more hands to count the number of VCs they demoed to (not total number of demos, total entities pitched to) then I would be surprised.

Good and Bad OpSec

These transactions show some good and bad OpSec practices on the part 21 Inc.  The only real groaner was the re-use of the same address on one of their peel chains.  This raised the confidence level that all those sweeps that linked in the other chains really were related to the same set of demos.  I also read in the article that each chip was going to come with a hard coded address.  I hope they reconsider that and go to an address seed or it's referring to some other internal identifier used by 21 Inc. instead of a literal bitcoin address that will show up on the blockchain.  Otherwise we will get side channel attacks opening up by looking at address usage to determine when people are on vacation or other such shenanigans.

OpSec that was neither good nor bad was the peeling chains and sweeping transactions.  At this level and with that much transaction volumes there really aren't many good options to conceal these movements.  These small TXs would still stick out in a coin tumble and allow for some (by hand) input correlation.  And by then the TX fees of a more "professional" service would wipe out the value (we are talking about less than $100 USD here), and similarly the structuring of the TXs would wipe out value in the TX fees.  But really what's going to help is more volume and diversity in the services.  You won't see that in a demo at a VC pitch, so this is truly unavoidable.  Posting the TXIDs in a video (no matter how private) is really what caused this leakage to happen.

But the best OpSec goes to the sourcing of their bitcoins for the demo.  I was hoping that they would be using bitcoins they mined themselves, and hence I could send some confirmation data to Neighborhood Pool Watch.  But instead they used a very predictable source of coins: CoinBase.  For all we know they are selling all of their mined coins through CoinBase.  If your source of funds is legal they are one of the best venues to tumble bitcoins strictly based on their volume and legal recognition.

If you have any investigations of your own on the blockchain that you would like help with on a paid confidential basis, or would like to learn more about the software I use to help generate these blog posts, or would just like to learn more about bitcoin blockchain forensics please feel free to mail me at or at