
The Devil Behind the Mirror: Tracking the Campaigns of Cryptocurrency Abuses on the Dark Web

Pengcheng Xia, Zhou Yu, Kailong Wang, Kai Ma, Shuo Chen, Xiapu Luo, Yajin Zhou, Lei Wu, Guangdong Bai

TL;DR

This work conducts a comprehensive, multi-dimensional analysis of cryptocurrency abuses on the dark web. It builds a large onion-site dataset and a fine-grained classifier to identify illicit sites, then extracts and scrutinizes blockchain addresses and transactions to map the illicit revenue landscape. By clustering addresses, emails, and identity signals, the authors uncover 66 campaigns behind 1,396 illicit onion sites, handling 272 addresses and about 80.72 BTC (88.9% of the illicit income) and linking several campaigns to surface-web activity. The study demonstrates strong correlations among illicit sites, reveals cross-network campaigns, and highlights a pathway for early detection of new illicit actors by connecting dark-web signals to surface-web indicators.

Abstract

The dark web has emerged as the state-of-the-art solution for enhanced anonymity. Just like a double-edged sword, it also inadvertently becomes the safety net and breeding ground for illicit activities. Among them, cryptocurrencies have been prevalently abused to receive illicit income while evading regulations. Despite the continuing efforts to combat illicit activities, there is still a lack of an in-depth understanding regarding the characteristics and dynamics of cryptocurrency abuses on the dark web. In this work, we conduct a multi-dimensional and systematic study to track cryptocurrency-related illicit activities and campaigns on the dark web. We first harvest a dataset of 4,923 cryptocurrency-related onion sites with over 130K pages. Then, we detect and extract the illicit blockchain transactions to characterize the cryptocurrency abuses, targeting features from single/clustered addresses and illicit campaigns. Throughout our study, we have identified 2,564 illicit sites with 1,189 illicit blockchain addresses, which account for 90.8 BTC in revenue. Based on their inner connections, we further identify 66 campaigns behind them. Our exploration suggests that illicit activities on the dark web have strong correlations, which can guide us to identify new illicit blockchain addresses and onions, and raise alarms at the early stage of their deployment.
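
The indicator-sharing idea described in the TL;DR and abstract (extract addresses and emails from pages, then group sites that share them) can be sketched as follows. This is an added illustration, not the authors' pipeline: it assumes legacy Base58Check Bitcoin addresses only, and the site names, page texts, addresses and function names are all constructed or hypothetical.

```python
import hashlib
import re

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
ADDR_RE = re.compile(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b")  # legacy address shape
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

def checksum(data):
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()[:4]

def valid_address(addr):
    """Base58Check: 21-byte payload followed by a 4-byte double-SHA-256 checksum."""
    n = 0
    for ch in addr:
        n = n * 58 + B58.index(ch)
    raw = n.to_bytes(max(25, (n.bit_length() + 7) // 8), "big")
    return len(raw) == 25 and checksum(raw[:21]) == raw[21:]

def sample_address(seed):  # constructed address: version 0x00 + 20 bytes from seed
    raw = b"\x00" + hashlib.sha256(seed).digest()[:20]
    n, out = int.from_bytes(raw + checksum(raw), "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    return "1" * (len(raw) - len(raw.lstrip(b"\x00"))) + out

def indicators(text):
    # Keep only strings that pass the checksum, so typos and look-alikes are dropped.
    addrs = {a for a in ADDR_RE.findall(text) if valid_address(a)}
    return addrs | {e.lower() for e in EMAIL_RE.findall(text)}

def campaigns(pages):  # union-find: sites sharing any indicator end up in one group
    parent, first_seen, groups = {s: s for s in pages}, {}, {}
    def find(s):
        while parent[s] != s:
            s = parent[s]
        return s
    for site, text in pages.items():
        for ind in indicators(text):
            parent[find(site)] = find(first_seen.setdefault(ind, site))
    for s in pages:
        groups.setdefault(find(s), []).append(s)
    return sorted(sorted(g) for g in groups.values())

A, B = sample_address(b"a"), sample_address(b"b")
BAD = B[:-1] + ("2" if B[-1] != "2" else "3")  # one character changed: bad checksum
PAGES = {"site1.onion": f"Pay to {A}",  # constructed pages, not data from the paper
         "site2.onion": f"Send BTC to {A} or mail ops@example.org",
         "site3.onion": f"Contact OPS@example.org, wallet {B}",
         "site4.onion": f"Donate to {BAD}"}
```

Sites 1 to 3 merge transitively (shared address, then shared email), while site 4 stays alone because its address fails the checksum and is never used as a link.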

Paper Structure (60 sections, 3 equations, 4 figures, 9 tables)

Figures (4)

  • Figure 1: The Overall Workflow of Tracking Cryptocurrency Abuses on the Dark Web.
  • Figure 2: The Screenshots of Two Sites on the Surface Web.
  • Figure 3: The Income and Active Periods of Illicit Addresses.
  • Figure 4: The Clusters of Onion Sites.