JUST OVER A decade ago, Bitcoin appeared to many of its adherents to be the crypto-anarchist holy grail: truly private digital cash for the internet.
Satoshi Nakamoto, the cryptocurrency’s mysterious and unidentifiable inventor, had stated in an email introducing Bitcoin that “participants can be anonymous.” And the Silk Road dark-web drug market seemed like living proof of that potential, enabling the sale of hundreds of millions of dollars in illegal drugs and other contraband for bitcoin while flaunting its impunity from law enforcement.
This is the story of the revelation in late 2013 that Bitcoin was, in fact, the opposite of untraceable—that its blockchain would actually allow researchers, tech companies, and law enforcement to trace and identify users with even more transparency than the existing financial system. That discovery would upend the world of cybercrime. Bitcoin tracing would, over the next few years, solve the mystery of the theft of a half-billion dollar stash of bitcoins from the world’s first crypto exchange, help enable the biggest dark-web drug market takedown in history, lead to the arrest of hundreds of pedophiles around the world in the bust of the dark web’s largest child sexual abuse video site, and result in the first-, second-, and third-biggest law enforcement monetary seizures in the history of the US Justice Department.
That 180-degree flip in the world’s understanding of cryptocurrency’s privacy properties, and the epic game of cat-and-mouse that followed, is the larger saga that unfolds in the book Tracers in the Dark: The Global Hunt for the Crime Lords of Cryptocurrency, out this week in paperback.
All of it began with the work of a young, puzzle-loving mathematician named Sarah Meiklejohn, the first researcher to pull out traceable patterns in the apparent noise of Bitcoin’s blockchain. This excerpt from Tracers in the Dark reveals how Meiklejohn came to the discoveries that would launch that new era of crypto criminal justice.
IN EARLY 2013, the shelves of a windowless storage room in a building of the University of California, San Diego, began to fill up with strange, seemingly random objects. A Casio calculator. A pair of alpaca wool socks. A small stack of Magic: The Gathering cards. A Super Mario Bros. 3 cartridge for the original Nintendo. A plastic Guy Fawkes mask of the kind popularized by the hacker group Anonymous. An album by the classic rock band Boston on CD.
Periodically, the door would open, the light would turn on, and a petite, dark-haired graduate student named Sarah Meiklejohn would enter the room and add to the growing piles of miscellaneous artifacts. Then Meiklejohn would walk back out the door, down the hall, up the stairs, and into an office she shared with other graduate students at the UC San Diego computer science department. One wall of the room was almost entirely glass, and it looked out onto the sunbaked vista of Sorrento Valley and the rolling hills beyond. But Meiklejohn’s desk faced away from that expanse. She was wholly focused on the screen of her laptop, where she was quickly becoming one of the strangest, most hyperactive Bitcoin users in the world.
Meiklejohn had personally purchased every one of the dozens of items in the bizarre, growing collection in the UCSD closet using bitcoin, buying each one almost at random from a different vendor who accepted the cryptocurrency. And between those ecommerce orders and trips to the storage room, she was performing practically every other task that a person could carry out with bitcoin, all at once, like a kind of cryptocurrency fanatic having a manic episode.
She moved money into and out of 10 different bitcoin wallet services and converted dollars to bitcoins on more than two dozen exchanges such as Bitstamp, Mt. Gox, and Coinbase. She wagered those coins on 13 different online gambling services, with names like Satoshi Dice and Bitcoin Kamikaze. She contributed her computer’s mining power to 11 different mining “pools,” groups that collected users’ computing power for mining bitcoins and then paid them a share of the profits. And, again and again, she moved bitcoins into and then out of accounts on the Silk Road, the first-ever dark-web drug market, without ever actually buying any drugs.
In all, Meiklejohn carried out 344 cryptocurrency transactions over the course of a few weeks. With each one, she carefully noted on a spreadsheet the amount, the Bitcoin address she had used for it, and then, after digging up the transaction on the Bitcoin blockchain and examining the public record of the payment, the address of the recipient or sender.
Meiklejohn’s hundreds of purchases, bets, and seemingly meaningless movements of money were not, in fact, signs of a psychotic break. Each was a tiny experiment, adding up to a study of a kind that had never been attempted before. After years of claims about Bitcoin’s anonymity—or lack thereof—made by its users, its developers, and even its creator, Meiklejohn was finally putting its privacy properties to the test.
All of her meticulous, manual transactions were time-consuming and tedious. But Meiklejohn had time to kill: As she was carrying them out and recording the results, her computer was simultaneously running queries on a massive database stored on a server that she and her fellow UCSD researchers had set up, algorithms that sometimes took as long as 12 hours to spit out results. The database represented the entire Bitcoin blockchain, the roughly 16 million transactions that had occurred across the entire Bitcoin economy since its creation four years earlier. For weeks on end, Meiklejohn combed through those transactions while simultaneously tagging the vendors, services, markets, and other recipients on the other end of her hundreds of test transactions.
When she had started that process of probing the Bitcoin ecosystem, Meiklejohn had seen her work almost as anthropology: What were people doing with bitcoin? How many of them were saving the cryptocurrency versus spending it? But as her initial findings began to unfold, she had started to develop a much more specific goal, one that ran exactly counter to crypto-anarchists’ idealized notion of bitcoin as the ultimate privacy-preserving currency of the dark web: She aimed to prove, beyond any doubt, that bitcoin transactions could very often be traced. Even when the people involved thought they were anonymous.
AS MEIKLEJOHN PAINSTAKINGLY fiddled with bitcoins and watched the digital trails they created, she found herself having flashbacks to a particular day, decades earlier, in her mother’s downtown Manhattan office. That morning, Meiklejohn and her mother had taken the subway together, all the way from their Upper West Side apartment near the American Museum of Natural History to the federal building at Foley Square, across from the city’s intimidating, stone-columned courthouses.
Meiklejohn was still in elementary school, but it was take-your-daughter-to-work day, and Meiklejohn’s mother was a federal prosecutor. Over the years that followed, the elder Meiklejohn would make her career taking on contractors who were bilking the city government out of tax dollars—bribing government staffers to choose overpriced school food or street-paving services—or else banks colluding to sell low-performing investments to the city’s financiers. Many of her targets in those corruption probes would be sentenced to years in prison.
That day in the Justice Department’s New York office, Sarah Meiklejohn, not yet 10 years old, was put to work. She was assigned to comb through a pile of paper checks, searching for clues of a corrupt kickback scheme in one of her mother’s investigations.
It was that feeling, the drive to manually assemble tiny data points that built into a larger picture, that would give Meiklejohn a kind of déjà vu 20 years later as she studied the Bitcoin blockchain, even before she consciously knew what she was doing.
“Somewhere in the back of my mind was this idea,” says Meiklejohn, “the idea of following the money.”
As a child, Meiklejohn loved puzzles—the more complex, the better. On road trips, in airports, or any other time the small-for-her-age, hyper-inquisitive girl needed to be distracted, her mother would hand her a book of puzzles. One of the first websites Meiklejohn remembers visiting on the nascent World Wide Web was a GeoCities page devoted to deciphering the Kryptos sculpture on the campus of the CIA, whose copper, ribbonlike surface contained four coded messages that even the cryptanalysts at Langley hadn’t been able to crack. By the age of 14 she would finish the New York Times crossword puzzle every day of the week.
On a vacation to London, Meiklejohn’s family visited the British Museum, and Meiklejohn became fixated on the Rosetta stone, along with the broader notion of ancient languages—the remnants of entire cultures—that could be deciphered if the puzzler simply found the right key. Soon she was reading about Linear A and Linear B, a pair of written scripts used by the Minoan civilization on Crete until roughly 1500 BC. Linear B had been deciphered only in the 1950s, thanks in large part to a classicist at Brooklyn College named Alice Kober who labored in obscurity over samples of the Bronze Age language for 20 years, writing her notes on 180,000 index cards.
Meiklejohn became so obsessed with Linear A and B that she persuaded a teacher at her middle school to organize an evening seminar on the subject (only she and one friend attended). More tantalizing than even the story of Alice Kober’s work on Linear B, for Meiklejohn, was the fact that no one had been able to decipher Linear A, even after a century of study. The best puzzles of all were the ones that had no answer key—the ones for which no one even knew if a solution existed.
When Meiklejohn started college at Brown in 2004, she discovered cryptography. This branch of computer science appealed directly to her puzzle addiction—what was an encryption system, after all, but another secret language demanding to be deciphered?
There was a maxim in cryptography, often referred to as Schneier’s law after the cryptographer Bruce Schneier. It asserted that anyone can develop an encryption system clever enough that they can’t themselves think of a way to break it. Yet, like all the best conundrums and mysteries that had fascinated Meiklejohn since childhood, another person with a different way of approaching a cipher could look at that “unbreakable” system and see a way to crack it and unspool a whole world of decrypted revelations.
Studying the science of ciphers, Meiklejohn began to recognize the importance of privacy and the need for surveillance-resistant communications. She was not quite a cypherpunk: The intellectual appeal of building and breaking codes drove her more than any ideological drive to defeat surveillance. But like many cryptographers, she nonetheless came to believe in the need for truly unbreakable encryption, technologies that could carve out a space for sensitive communications—whether dissidents organizing against a repressive government or whistleblowers sharing secrets with journalists—where no snoop could reach. She credited her intuitive acceptance of that principle to her years as a teenager who kept to herself, trying to maintain her own privacy in a Manhattan apartment, with a federal prosecutor for a mother.
MEIKLEJOHN SHOWED REAL talent as a cryptographer and soon became an undergraduate teaching assistant to Anna Lysyanskaya, a brilliant and highly accomplished computer scientist. Lysyanskaya had herself studied under the legendary Ron Rivest, whose name was represented by the R in the RSA algorithm that formed the basis for most modern encryption, used everywhere from web browsers to encrypted email to instant messaging protocols. RSA was one of the few fundamental encryption protocols that had not succumbed to Schneier’s law in more than 30 years.
Lysyanskaya was at the time working on a pre-Bitcoin cryptocurrency called eCash, first developed in the 1990s by David Chaum, a cryptographer whose groundbreaking work on anonymity systems had made possible technologies from VPNs to Tor. After finishing her undergraduate degree, Meiklejohn began a master’s degree at Brown under Lysyanskaya’s wing, researching methods to make Chaum’s eCash, a truly anonymous payment system, more scalable and efficient.
The cryptocurrency scheme they were laboring to optimize was, Meiklejohn admits in hindsight, difficult to imagine working in practice. Unlike Bitcoin, it had a serious problem: An anonymous spender of eCash could essentially forge a coin and pass it off to an unsuspecting recipient. When that recipient deposited the coin at a kind of eCash bank, the bank could perform a check that would reveal the coin to be a forgery and the fraudster’s anonymity protections could be stripped away to reveal the identity of the bad actor. But by then, the fraudster might have already run off with their ill-gotten goods.
Still, eCash had a unique advantage that made it a fascinating system to work on: The anonymity it offered was truly uncrackable. In fact, eCash was based on a mathematical technique called zero-knowledge proofs, which could establish the validity of a payment without the bank or recipient learning anything else at all about the spender or their money. That mathematical sleight of hand meant that eCash was provably secure. Schneier’s law did not apply: No amount of cleverness or computing power would ever be able to undo its anonymity.
When Meiklejohn first heard about Bitcoin in 2011, she had started her PhD studies at UCSD but was spending the summer as a researcher at Microsoft. A friend at the University of Washington had mentioned to her that there was a new digital payment system that people were using to buy drugs on sites like the Silk Road. Meiklejohn had moved on from her eCash studies by then; she was busy with other research—systems that would allow people to pay road tolls without revealing their personal movements, for instance, and a thermal camera technique that revealed PIN codes typed into an ATM by looking for heat remnants on the keypad. So, with heads-down focus, she filed Bitcoin’s existence away in her brain, barely considering it again for the next year.
Then, one day on a UCSD computer science department group hike in late 2012, a young UCSD research scientist named Kirill Levchenko suggested to Meiklejohn that perhaps they should start looking into this burgeoning Bitcoin phenomenon. Levchenko was fascinated, he explained as they trekked around the jagged landscape of the Anza Borrego Desert State Park, by Bitcoin’s unique proof-of-work system. That system demanded that anyone who wanted to mine the currency expend enormous computing resources performing calculations—essentially a vast, automated puzzle-solving competition—whose results were then copied into transactions on the blockchain. By then, ambitious bitcoiners were already developing custom mining microprocessors just for generating this strange new form of money, and Bitcoin’s ingenious system meant that any single bad actor who might want to write a false transaction into the blockchain would have to use a collection of computers that possessed more computational power than all those many thousands of miners. It was a brilliant approach that added up to a secure currency with no central authority.
Considering Bitcoin’s mechanics for the first time, Meiklejohn was intrigued. But when she got home from the hike and began poring over Satoshi Nakamoto’s Bitcoin white paper, it immediately became clear to her that Bitcoin’s trade-offs were the exact opposite of the eCash system she knew so well. Fraud was prevented not by a kind of after-the-fact forgery analysis carried out by a bank authority but with an instantaneous check of the blockchain, the unforgeable public record of who possessed every single bitcoin.
But that blockchain ledger system came at an enormous privacy cost: In Bitcoin, for good and for ill, everyone was a witness to every payment. Yes, identities behind those payments were obscured by pseudonymous addresses, long strings of between 26 and 35 characters. But to Meiklejohn, this seemed like an inherently dangerous sort of fig leaf to hide behind. Unlike eCash, whose privacy protections offered snoops no hint of revealing information to latch onto, Bitcoin offered an enormous collection of data to analyze. Who could say what sorts of patterns might give away users who thought they were cleverer than those watching them?
“You could never prove anything about the privacy properties of this system,” Meiklejohn remembers thinking. “And so as a cryptographer, the natural question was, if you can’t prove it’s private, then what attacks are possible? If you don’t get privacy, what do you get?”
The temptation was more than Meiklejohn could resist. The blockchain, like a massive, undeciphered corpus of an ancient language, hid a wealth of secrets in plain view.
WHEN MEIKLEJOHN BEGAN digging into the blockchain in late 2012, she started with a very simple question: How many people were using bitcoin?
That number was much harder to pin down than it might seem. After downloading the entire blockchain onto a UCSD server and organizing it into a database that she could query, like a gargantuan, searchable spreadsheet, she could see that there were more than 12 million distinct Bitcoin addresses, among which there had been nearly 16 million transactions. But even amid all that activity, there were plenty of recognizable events in Bitcoin’s history visible to the naked eye. Spenders and recipients might have been hidden behind pseudonymous addresses, but some transactions were unmistakable, like distinctive pieces of furniture hidden under thin sheets in someone’s attic.
She could see, for instance, the nearly 1 million bitcoins that were mined by Satoshi in the early days of the cryptocurrency, before others started using it, as well as the first transaction ever made when Satoshi sent 10 coins as a test to the early Bitcoin developer Hal Finney in January 2009. She spotted, too, the first payment with real value, when a programmer named Laszlo Hanyecz famously sold a friend two pizzas for 10,000 bitcoins in May 2010 (as of this writing worth hundreds of millions of dollars).
Plenty of other addresses and transactions had been recognized and widely discussed on forums like Bitcointalk, and Meiklejohn spent hours cutting and pasting long strings of characters into Google to see if someone had already claimed credit for an address or if other Bitcoin users had been gossiping about certain high-value transactions. By the time Meiklejohn began to look, anyone with enough interest and patience to wade through a sea of garbled addresses could see money transfers between mysterious parties just beneath the surface of the blockchain’s obfuscation that, even at the time, were often worth small fortunes.
Getting beyond that obfuscation, however, was the real challenge. Sure, Meiklejohn could see transactions between addresses. But the problem was drilling down further, definitively drawing a boundary around the bitcoin hoard of any single person or organization. A user could have as many addresses as they chose to create with one of the many wallet programs that managed their coins—like a bank that allows you to spread your wealth across as many accounts as you liked, creating new ones with a mouse click. Plenty of those programs even automatically generated new addresses every time the user received a bitcoin payment, adding to the confusion.
Still, Meiklejohn was sure that searching for patterns in the mess of transactions would allow her to untangle at least some of them. In Satoshi Nakamoto’s own original white paper, Meiklejohn recalled that he had briefly alluded to a technique that could be used to collapse some addresses into single identities. Often, a single bitcoin transaction has multiple “inputs” from different addresses. If someone wants to pay a friend 10 bitcoins but holds those coins at two different addresses of five coins each, the spender’s wallet software creates a single transaction that lists the two five-coin addresses as inputs and the address receiving 10 coins as the output. To make the payment possible, the payer would need to possess both of the so-called secret keys that allow the five coins at each address to be spent. That means anyone looking at the transaction on the blockchain can reasonably identify both of the input addresses as belonging to the same person or organization.
Satoshi had hinted at the privacy dangers this introduced. “Some linking is still unavoidable with multi-input transactions, which necessarily reveal that their inputs were owned by the same owner,” Satoshi wrote. “The risk is that if the owner of a key is revealed, linking could reveal other transactions that belonged to the same owner.”
So, as Meiklejohn’s first step, she simply tried the technique Satoshi had inadvertently suggested—across every bitcoin payment ever carried out. She scanned her blockchain database for every multi-input transaction, linking all of those double, triple, or even hundredfold inputs to single identities. The result immediately reduced the number of potential Bitcoin users from 12 million to date to around 5 million, slicing away more than half of the problem.
Only after that initial step—practically a freebie—did Meiklejohn switch her brain into true puzzle-solving mode. Like a 20th-century archaeologist scanning hieroglyphics for identifiable words or phrases that might help to decipher a passage of text, she began to hunt through Bitcoin’s transactions for other clues that might reveal identifying information. Messing around with bitcoin wallets—making test payments to herself and her colleagues—she began to understand a quirk of the cryptocurrency. Many bitcoin wallets only allowed spenders to pay the entire amount of coins sitting at a certain address. Each address was like a piggy bank that has to be smashed open to spend the coins inside. Spend less than the whole amount in that piggy bank and the leftovers have to be stored in a newly created piggy bank.
This second piggy bank, in Bitcoin’s system, is called a “change” address: When you pay someone 6 bitcoins from a 10-coin address, 6 coins go to their address. Your change, 4 coins, is stored at a new address, which your wallet software creates for you. The challenge, when looking at that transaction on the blockchain as a sleuthing observer, is that the recipient’s address and the change address are both simply listed as outputs, with no label to tell them apart.
But sometimes, Meiklejohn realized, spotting the difference between the change address and the recipient address was easy: If one address had been used before and the other hadn’t, the second, totally fresh address could only be the change address—a piggy bank that had materialized on the spot to receive leftover coins from the one that had just been shattered. And that meant these two piggy banks—the spender’s address and the change address—must belong to the same person.
Meiklejohn began to apply that change-making lens, looking for instances where she could link spenders and the remainders of their payments. She began to see how powerful the simple act of tracking bitcoin change could be: In instances where she couldn’t distinguish a recipient address from a change address, she would be stuck at a fork in the road with no signposts. But if she could link change addresses to the addresses they had split off from, she could make her own signposts. She could follow the money despite its branching paths.
The result was that Meiklejohn could now link together entire chains of transactions that had previously been unlinked: A single sum of coins would move from change address to change address as the spender paid fractions of the total pile of coins in one small payment after another. The remainder of the pile might move to a fresh address with each payment, but those addresses must all represent the transactions of a single spender.
She’d come to refer to those chains of transactions as “peeling chains” (or sometimes just “peel chains”). She thought of them like someone peeling bills off a roll of dollar bills: Though the roll of bills might be put back in a different pocket after a bill was peeled off and spent, it was still fundamentally one wad of cash with a consistent owner. Following these peeling chains opened avenues to trace the digital money’s movements like never before.
Meiklejohn now had two clever techniques, both of which were capable of linking multiple Bitcoin addresses to a single person or organization, what she came to call “clustering.” What had initially looked like disparate addresses could now be connected into clusters that encompassed hundreds or, in some cases, even thousands of addresses.
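The two linking techniques described above, multi-input ownership and fresh-address change detection, are shown here as an added example; it is not code from the book or from Meiklejohn's paper. The ledger, address names and function names are constructed for illustration, and skipping any transaction that pays back to one of its own inputs is an assumption added here to keep the change rule conservative.

```python
from collections import defaultdict


class UnionFind:
    """Disjoint-set structure: each set is one cluster of co-owned addresses."""

    def __init__(self):
        self.parent = {}

    def find(self, a):
        self.parent.setdefault(a, a)
        while self.parent[a] != a:
            self.parent[a] = self.parent[self.parent[a]]  # path halving
            a = self.parent[a]
        return a

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


# Constructed sample ledger in chain order (fees ignored).
# inputs = addresses spent from; outputs = (address, amount).
TXS = [
    {"id": "t0", "inputs": ["X1"], "outputs": [("A1", 5), ("A2", 5), ("B1", 10)]},
    {"id": "t1", "inputs": ["A1", "A2"], "outputs": [("S1", 10)]},       # two 5-coin inputs
    {"id": "t2", "inputs": ["B1"], "outputs": [("S1", 6), ("B2", 4)]},   # pay 6, change 4
    {"id": "t3", "inputs": ["B2"], "outputs": [("S1", 1), ("B3", 3)]},   # next peel
    {"id": "t4", "inputs": ["B3"], "outputs": [("S2", 1), ("B4", 2)]},   # both outputs fresh
]


def find_change(tx, seen):
    """Return the change address of tx, or None when it cannot be told apart.

    Rule from the text: if exactly one output address has never appeared on
    the chain and every other output has, the fresh one is the change.
    """
    outs = [addr for addr, _ in tx["outputs"]]
    if len(outs) < 2:
        return None  # a lone output gives nothing to compare against
    if set(outs) & set(tx["inputs"]):
        return None  # assumption: change sent back to an input, skip
    fresh = [a for a in outs if a not in seen]
    return fresh[0] if len(fresh) == 1 else None


def cluster(txs):
    """Apply both heuristics over the whole ledger.

    Returns (clusters, change_of): clusters is a sorted list of sorted
    address lists; change_of maps a transaction id to its change address.
    """
    uf, seen, change_of = UnionFind(), set(), {}
    for tx in txs:
        ins = tx["inputs"]
        outs = [addr for addr, _ in tx["outputs"]]
        for a in ins + outs:
            uf.find(a)  # register every address, even unlinked ones
        # Heuristic 1: all inputs of one transaction share an owner.
        for other in ins[1:]:
            uf.union(ins[0], other)
        # Heuristic 2: a one-time change address belongs to the spender.
        change = find_change(tx, seen)
        if change is not None and ins:
            uf.union(ins[0], change)
            change_of[tx["id"]] = change
        seen.update(ins)
        seen.update(outs)
    groups = defaultdict(set)
    for a in list(uf.parent):
        groups[uf.find(a)].add(a)
    return sorted(sorted(g) for g in groups.values()), change_of


def peel_chain(txs, start, change_of):
    """Follow the remainder of a pile of coins from change address to change
    address, stopping where the change output is ambiguous."""
    spender = {a: tx for tx in txs for a in tx["inputs"]}  # address -> spending tx
    chain = [start]
    while chain[-1] in spender:
        nxt = change_of.get(spender[chain[-1]]["id"])
        if nxt is None:
            break  # the fork in the road with no signposts
        chain.append(nxt)
    return chain


if __name__ == "__main__":
    clusters, change_of = cluster(TXS)
    for c in clusters:
        print(c)
    print("peel chain from B1:", peel_chain(TXS, "B1", change_of))
```

In the sample, `t0` and `t4` each have more than one never-seen output, so neither yields a change link and `B4` stays outside the `B1`/`B2`/`B3` cluster even though it plausibly belongs to the same spender.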
Already, she was tracing bitcoins in ways that many of the cryptocurrency’s users wouldn’t have believed possible. But following coins didn’t necessarily mean understanding who owned them. The identities behind those coins remained a mystery, and each of her clusters remained just as pseudonymous as the single, disconnected addresses had been originally. To put a name to those clusters, she began to realize, she’d have to take a much more hands-on approach: not simply observing the artifacts of the Bitcoin economy after the fact like an archaeologist, but becoming a player in it herself—in some cases, an undercover one.
SEARCHING FOR GUIDANCE in her budding Bitcoin research, Meiklejohn turned to Stefan Savage, a UCSD professor who was on the other end of the spectrum from the deeply mathematical cryptography research Meiklejohn had spent years on. Savage was a hands-on, empirical researcher, more interested in real-world experiments with real-world results than abstractions. He had been one of the lead advisers of a now-legendary team of researchers who had first shown it was possible to hack a car over the internet, demonstrating to General Motors in 2011 that his team could remotely take over a Chevy Impala’s steering and brakes via the cellular radio in its OnStar system, a shocking feat of hacker wizardry.
More recently, Savage had helped lead a group that included Kirill Levchenko—the scientist who’d introduced Meiklejohn to Bitcoin on their desert hike—working on a massively ambitious project to track the spam email ecosystem. In that research, as with the earlier car-hacking breakthrough, Savage’s team hadn’t been afraid to get their hands dirty: They’d collected hundreds of millions of web links in junk marketing emails, mostly ones intended to sell real and fake pharmaceuticals. Then, as Savage describes it, they acted out the role of “the world’s most gullible person,” using bots to click through on every one of those links to see where they led and spending more than $50,000 on the products the spammers were hawking—all while working with a cooperative credit card issuer to trace the funds and see which banks ended up with the money.
Several of those shady banks were ultimately shut down as a result of the researchers’ tracing work. As another UCSD professor working on the project, Geoffrey Voelker, described it at the time, “Our secret weapon is shopping.”
So when Meiklejohn began talking over her Bitcoin tracking project with Savage, the two agreed she should take the same approach: She would manually identify Bitcoin addresses one by one by doing transactions with them herself, like a cop on the narcotics beat carrying out buy-and-busts.
That’s how Meiklejohn found herself in the early weeks of 2013 ordering coffee, cupcakes, trading cards, mugs, baseball hats, silver coins, socks, and a closet’s worth of other truly random objects from online vendors who accepted bitcoin; joining more than a dozen mining collectives; fiendishly gambling bitcoins at every online crypto casino she could find; and moving bitcoins into and out of accounts on practically every existing bitcoin exchange—and the Silk Road—again and again.
The hundreds of addresses Meiklejohn identified and tagged manually with those 344 transactions represented only the tiniest fraction of the overall bitcoin landscape. But when she combined her address tagging with her chaining and clustering techniques, many of those tags suddenly identified not just a single address but an enormous cluster belonging to the same owner. With just a few hundred tags, she had put an identity to more than a million of Bitcoin’s once-pseudonymous addresses.
With just the 30 addresses she had identified by moving coins into and out of Mt. Gox, for instance, she could now link more than 500,000 addresses to the exchange. And based on just four deposits and seven withdrawals into wallets on the Silk Road, she was able to identify nearly 300,000 of the black market’s addresses. This breakthrough didn’t mean Meiklejohn could identify any actual users of the Silk Road by name, nor could she unmask, of course, the mysterious kingpin of that site, the ultra libertarian Dread Pirate Roberts. But it would directly contradict DPR’s claims to me that his Bitcoin “tumbler” system could prevent observers from even seeing when users moved cryptocurrency into and out of their Silk Road accounts.
When Meiklejohn brought her results back to Savage, her adviser was impressed. But as they began to plan to publish a paper on her findings, he wanted a concrete demonstration for readers, not a bunch of arcane statistics. “We need to show people,” Meiklejohn remembers him saying, “what these techniques can actually do.”
So Meiklejohn went a step further: She began to look for specific bitcoin transactions she could track—particularly criminal ones.
AS MEIKLEJOHN HAD trawled cryptocurrency forums for discussions of interesting addresses worth scrutinizing, one mysterious mountain of money in particular stood out: This single address had, over the course of 2012, accumulated 613,326 bitcoins—5 percent of all the coins in circulation. It represented around $7.5 million at the time, a figure nowhere near the billions it would represent today, but a heady sum nonetheless. Rumors among Bitcoin users suggested that the hoard was possibly a Silk Road wallet, or perhaps the result of an unrelated, notorious Bitcoin Ponzi scheme carried out by a user known as pirate@40.
Meiklejohn couldn’t say which of the two rumors might be correct. But with her clustering techniques, she could now follow that giant sum of cryptocurrency. She saw that after conspicuously gathering at one address, the pile of money had been broken up in late 2012 and sent on forking paths around the blockchain. Meiklejohn’s understanding of peel chains meant she could now trace those sums of hundreds of thousands of bitcoins as they split, distinguishing the amount that remained in the control of the initial owner from the smaller sums that were peeled off in subsequent payments. Eventually, several of those peel chains led to exchanges like Mt. Gox and Bitstamp, where they seemed to be cashed out for traditional currency. For an academic researcher, this was a dead end. But anyone with the subpoena power of law enforcement, Meiklejohn realized, could very likely force those exchanges to hand over information about the accounts behind those transactions and solve the mystery of the $7.5 million stash.
Looking for more coins to hunt, Meiklejohn turned her focus to another sort of dirty money. Large-scale cryptocurrency heists were, in early 2013, a growing epidemic. After all, bitcoin was like cash or gold. Anyone who stole a Bitcoin address’s secret key could empty out that address like a digital safe. Unlike with credit cards or other digital payment systems, there was no overseer who could stop or reverse the money’s movement. That had made every bitcoin business and its stash of crypto revenue a ripe target for hackers, especially if the holders of those funds made the mistake of storing their secret keys on internet-connected computers—the equivalent of carrying six- or seven-figure sums of cash in their pockets while strolling through a dangerous neighborhood.
Meiklejohn found a thread on Bitcointalk that listed addresses of many of the biggest, most conspicuous crypto thefts in recent memory, and she began to follow the money. Looking at a robbery of 3,171 coins from an early bitcoin gambling site, she immediately found she could trace the stolen funds across no fewer than ten hops, from address to address, before different branches of the money were cashed out at exchanges. Another theft of 18,500 bitcoins from the exchange Bitcoinica similarly led her along a winding series of peel chains that ended at three other exchanges, where the robbers were no doubt cashing in their ill-gotten gains. Sitting in front of Meiklejohn, on her screen, was a bonanza of leads, each just waiting for any actual criminal investigator with a handful of subpoenas to follow them.
Now, when Meiklejohn showed Savage her results, he agreed: They were ready to publish.
In the final draft of the paper Meiklejohn and her coauthors put together, they definitively stated conclusions—based for the first time on solid, empirical evidence—that flew in the face of what many Bitcoin users believed at the time: Far from being untraceable, they wrote, the blockchain was an open book that could identify vast swaths of transactions between people, many of whom thought they were acting anonymously.
“Even our relatively small experiment demonstrates that this approach can shed considerable light on the structure of the Bitcoin economy, how it is used, and those organizations who are party to it,” the paper read. “We demonstrate that an agency with subpoena power would be well placed to identify who is paying money to whom. Indeed, we argue that the increasing dominance of a small number of Bitcoin institutions (most notably services that perform currency exchange), coupled with the public nature of transactions and our ability to label monetary flows to major institutions, ultimately makes Bitcoin unattractive today for high-volume illicit use such as money laundering.”
Having set down those words, and blowing a gaping hole in the myth of Bitcoin’s inherent untraceability, Meiklejohn, Savage, and her other adviser Geoffrey Voelker started brainstorming a clever title. In an homage to the Wild West of the economy they were chronicling—and her advisers’ mutual love of spaghetti Westerns—they started with the phrase “A Fistful of Bitcoins,” an allusion to the 1960s Clint Eastwood classic A Fistful of Dollars. They settled on a subtitle that evoked both Eastwood’s most famous cowboy vigilante and the world of shadowy figures their nascent techniques could unmask. When the UCSD paper hit the internet in August 2013, it was introduced with a description that, to those involved, had come to seem inevitable: “A Fistful of Bitcoins: Characterizing Payments Among Men with No Names.”
In the new era of cryptocurrency tracing that would follow Meiklejohn’s work, they wouldn’t remain nameless for long.
Adapted from the book Tracers in the Dark: The Global Hunt for the Crime Lords of Cryptocurrency. Copyright © 2022 by Andy Greenberg.