A Bayesian Approach to Identify Bitcoin Users

Peter L. Juhasz1,2 Jozsef Steger1 Daniel Kondor1,3 Gabor Vattay1

peter.laszlo.juhasz@ericsson.com steger@complex.elte.hu dkondor@mit.edu vattay@complex.elte.hu

1 Department of Physics of Complex Systems, Eotvos Lorand University, Budapest, Hungary

2 Business Unit IT & Cloud Products, Ericsson Telecommunications Hungary, Budapest, Hungary

3 SENSEable City Laboratory, Massachusetts Institute of Technology, Cambridge MA, USA

Abstract

Bitcoin is a digital currency and electronic paymentsystem operating over a peer-to-peer network on theInternet. One of its most important properties is thehigh level of anonymity it provides for its users. Theusers are identified by their Bitcoin addresses, whichare random strings in the public records of transac-tions, the blockchain. When a user initiates a Bitcoin-transaction, his Bitcoin client program relays messagesto other clients through the Bitcoin network. Monitor-ing the propagation of these messages and analyzingthem carefully reveal hidden relations. In this paper,we develop a mathematical model using a probabilis-tic approach to link Bitcoin addresses and transactionsto the originator IP address. To utilize our model,we carried out experiments by installing more thana hundred modified Bitcoin clients distributed in thenetwork to observe as many messages as possible. Dur-ing a two month observation period we were able toidentify several thousand Bitcoin clients and bind theirtransactions to geographical locations.

1 Introduction

Bitcoin is the first widely used digital currency, de-veloped by Satoshi Nakamoto after the beginning ofthe financial crisis in 2009 [1]. A distinctive feature ofBitcoin is that there is no central authority overseeingtransactions, users are connected via a peer-to-peernetwork where they announce any transaction theywish to make. Transactions can then be validated byanyone using the publicly available list of transactions,the blockchain, which is in turn generated in a proof-of-work system. Cheating (e.g. including invalid transac-tions in the blockchain) thus would require one entityto control more than 50% of the computing power thatusers dedicate to generating the blockchain. In accor-dance with the decentralized nature of the system, thespecifications of the network protocol is publicly avail-able, while several open-source client programs imple-menting the protocol exist [2].

One of the key characteristics of Bitcoin is the highamount of anonymity it provides for its users [3]. Al-though one can learn the details of the transactionsvia the blockchain, it is still unknown who the usersinitiating those transactions are. This is possible since

as there is no authority overseeing the functioning ofthe system, users do not need to provide any form ofidentification to join; anyone with an Internet connec-tion can download a client program, which then allowsthem to generate any number of Bitcoin addresses thatthey can use in the transactions to send or receive Bit-coins. This results in that the identity of Bitcoin usersis only revealed if they publish their Bitcoin addressor this information is intercepted in some way outsidethe Bitcoin system. While anonymity is not amongthe main design goals of the Bitcoin system [3], Bit-coin is widely considered a highly anonymous way ofperforming financial transactions and is often utilizedfor illegal uncontrolled payments [4], along legal useswhere the involved parties do not wish to disclose theiridentities to controlling entities in the traditional fi-nancial system, e.g. banks or governments.

In the paper, we present a probabilistic model basedon the information propagating over the Bitcoin net-work, which gives the possibility of identifying theusers initiating the transactions. In this case, identi-fication means binding the transactions to the IP ad-dresses where they were created.

The basic idea consists of two main steps. First, theprobability is determined for each transaction that aspecific client (identified by its IP address) created it.Assuming that the creator of the transaction controlsthe Bitcoin addresses from which money is sent in it,this step then results in possible IP address – Bitcoinaddress pairings. Next the most likely Bitcoin address– client pairings are identified by combining the prob-abilities in the list of pairings compiled in the previousstep. This is further elaborated by grouping Bitcoinaddresses that belong to the same user with high prob-ability based on the transaction network. Finally, thegeographical localization of the IP addresses opens thedoor for a large scale analysis of the distribution andflow of Bitcoin.

The following sections of the paper are structured asfollows. Section 2 discusses the relevant characteristicsof Bitcoin and provides the necessary background forthe further sections. In section 3, the mathematicalmodel used for the deanonymization is explained. Thedata collection is described in section 4. Section 5presents the results of the application of the model.Finally the method described in this study is comparedto the related works of the topic in section 6.

1

arX

iv:1

612.

0674

7v3

[st

at.A

P] 2

2 D

ec 2

016

2 The Main Characteristics ofBitcoin

In order to use Bitcoin one has to connect to the Bit-coin network using an open-source client program [2].In this work, we concentrate on the Bitcoin Coreclient [2], whose source code we inspected and mod-ified for the purpose of data collection. By de-fault, this client establishes eight connections to otherclients. If there is a link between two clients, theyare connected. Clients exchange information of differ-ent types, e.g. the transactions they know about, theirstate, cryptographic signatures and others through thenetwork. This is necessary for the validation of thetransactions as it is done by the entire network.

In case of Bitcoin transactions, Bitcoin addressesplay similar role as the bank account numbers in reg-ular currency transactions. However, there are twomajor differences:

• each user may have as many Bitcoin addresses asthey would like to

• and multiple source and destination Bitcoin ad-dresses can be involved in a single transaction.

In case of the Bitcoin Core client program, when auser initiates a transaction, the client program (theoriginator) immediately broadcasts this fact to theconnected clients with 1/4 probability. With a prob-ability of 3/4, the originator sends the message to arandomly chosen connected client in every 100ms timeinterval until all connected clients are informed. Thismethod is referred to as trickling, and its goal is tohide the source of the transaction. We expect thatother types of clients employ similar mechanisms toprotect the privacy of the users.

The connected clients use the same algorithm torelay the message further, until finally it spreadsthroughout the entire network. As a consequence anarbitrarily chosen client is not necessarily directly in-formed about the transaction by the originator. (Fig-ure 1)

As no state, bank, institute or organization controlsor ensures the validity of Bitcoin transactions, crypto-graphic methods are used by the whole Bitcoin com-munity for this purpose. The security of Bitcoin isbased on the blockchain. In this study the source Bit-coin addresses, the destination Bitcoin addresses, thetimestamps and the transferred volume of Bitcoin isextracted from the blockchain for each transaction.

If the owners of the Bitcoin addresses were known,the blockchain would reveal all of the transactions ofeach Bitcoin user. As the anonymity is among themost important requirements of a currency, the inven-tors of Bitcoin did their best to preserve it.

3 A Bayesian Method for theIdentification of Bitcoin Users

In this section probabilities are assigned to the distinctIP address and user pairings, which consists of three

SI

I

I

I

I

II

II

IIII

II

II

II

II

IIII

II

Figure 1: A new transaction is initiated by the client”S”. At first it informs the clients denoted by ”I” (theyare informed directly from the originator). Then, theseclients relay the transaction further – among possiblyother I type clients – to the ones denoted by ”II”.

main steps.Let us review the main steps needed to obtain the

result. The process is illustrated in Figure 2.

Identify

the Transactions’

Possible Originator

IP Addresses

Group Bitcoin

Addresses

Assign

IP Addresses

to Users

Blockchain

Figure 2: Main Steps

First, the propagating messages are observed andrecorded by several monitoring clients in order to coveras great part of the network as possible. We have cho-sen those clients from the senders, which relay informa-tion about a specific transaction in the first time seg-ment. They are the possible originators of the trans-action. After some theoretical considerations, proba-bilities are assigned to the clients that show the prob-ability of the clients being the originator.

Next, the blockchain is used to group the Bitcoinaddresses owned by the same user. blockchain also en-ables to calculate the balances of the users for furtheranalysis.

Last, by having possibly several transactions of

2

the same Bitcoin address and the grouping of Bit-coin addresses by user allows us to combine mea-surements from multiple transactions to identify userswith higher confidence. By combining the probabili-ties from the first step, the users (and their balances)are paired with the clients that are most likely the orig-inators of their transactions. The clients can be geo-graphically localized through their IP addresses, whichallows the determination of the geographical distribu-tion and flow of Bitcoin.

Step 1: Individual Probabilities

Let us consider a single transaction observed by onemonitoring client.

A monitoring client connected to the originator doesnot necessarily receive the message from the originatorfirst, because in some cases it can be relayed fasterthrough a mediator client (Figure 3).

Orig Mon

Med

trickling

late

tric

klin

gea

rly

broadcast

fast

Figure 3: The message can be routed faster fromthe originator (Orig) to the monitoring client (Mon)through a mediator (Med) in the shown scenario.

The question is how long the monitoring client hasto wait after receiving the message first until receivingit directly from the originator. If the delay of the net-work is negligible, then the traversal of the broadcastmessages is also negligible. With this approximation,in the worst case the monitoring client can receive themessage through a mediator immediately, right afterthe transaction is created. Clients are trickled every100 ms, so if c clients are connected to the originatorone of them has to wait c/10 seconds from first hearingthe message until it surely receives it from the origina-tor. We call this time interval the first time segmentof the transaction and denote it by t1.

If the originator has no more than 20 connections, itinforms every connected client in at most two secondsfrom the monitoring client first receiving the message,i.e. t1 = 2s. Assuming that the network is random1,and the total number of active clients is approximately50 000, the vast majority (more than 92%) of clientshave less than 20 connections. Considering the ne-glected propagation delay of the network as well, whichcauses more latency for indirect propagation, we con-clude that even in the case of a fast indirect transmis-sion (i.e. the case illustrated in Figure 3), the client isvery likely to receive the message from the originatorat most t1 = 2s after first receiving the message from a

1This is an approximation as there are clients that do notallow incoming connections. These clients have only 8 outgoingconnections established when they entered the network.

relay. See Appendix A for more detailed calculations.We then proceed with the assumption that connectedclients that do not belong to this first time segmentare not the creators of the transaction.

The previous reasoning was assuming that the mon-itoring client is connected to the originator, but in re-ality this is not known.

From the perspective of a monitoring client, theother Bitcoin clients can be classified to sets basedon each transaction according to Figure 4. Some ofthe Bitcoin clients relay the message to it in the firsttime segment. This constitutes a subset of the Bitcoinclients to which the monitoring client is connected toat the time of the transaction. Only active Bitcoinclients are connected to the network, but not all of theclients are working at the examined moment.

Before the transaction, no information is known,thus the best estimate we can make is that each Bit-coin client has equal probability of being the originatorof the transaction, resulting in a uniform probabilitydistribution among the active clients (left side of Fig-ure 4). After the transaction, each Bitcoin client in thefirst time segment can be either the real originator ofthe transaction or a client relaying it (via several hops).Furthermore, the real originator can also be among therest of the network, not connected to our monitoringclient. On the other hand, based on the previous argu-ments, we presume that clients that did not relay thetransaction in the first time segment are certainly notthe originators of the transaction. Thus, the probabil-ity of the first time segment clients increases while theconnected clients not belonging to the first time seg-ment will have zero probability (right side of Figure 4).Still nothing is known about the clients not connectedto the monitoring client, therefore their probabilitieswill not change. Also, clients belonging to the samesubsets can not be distinguished.

Let us calculate the probabilities of being the orig-inator for clients in each set. The Roman font typenotations of Figure 4 are used for the sets. The num-ber of elements in the sets is denoted by | · |. Further-more, calligraphic notations are used for the followingevents: C denotes that the monitoring client is con-nected to the originator of the transaction, O denotesthat the originator relays the message in the first timesegment to the monitoring client and F means that arandomly chosen client from the first time segment isactually the originator of the transaction.

P (C) =|C||A|

as inactive clients can not be the originator of thetransaction. If the monitoring client is connected tothe originator, then it is going to inform the monitor-ing client in the first time segment. At this time all ofthe first time segment clients have the same probabil-ity of being the originator.

P (O|C) = 1 P (F|C) =1

|F |

3

All Bitcoin Clients

Activ e C lients (A

)

Co

nn

e c t e d C l i e nt s

(C

)

First TimeSegment

Clients (F)

(a) Before Transaction

All Bitcoin Clients

Activ e C lients (A

)C

on

ne c t e d C l i e n

t s(

C)

First TimeSegment

Clients (F)

(b) After Transaction

Figure 4: Relation of the different sets of clients. The darker the subset is, the higher the probability of a clientin that subset is the originator of the transaction.

Let us apply the law of total probability for P (F).

P (F) = P (F|C) · P (C) + P(F|C)· P(C)

=|C||A| |F |

where it was exploited that a client can not send anymessages in the first time segment if it is not at allconnected to the monitoring client: P

(F|C)

= 0.The above formula gives the probability assigned to

the first time segment clients. The connected clientsnot belonging to the first time segment have zero prob-ability. The rest of the active clients has the same1/ |A| probability. We note that these probabilitiesstill sum up to 1.

So far only one monitoring client was considered.If there are more monitoring clients the above men-tioned sets are defined separately for each of them, andthen the union of the corresponding sets is determined,i.e. F (txi) = ∪Nj=1Fj(txi) and C(txi) = ∪Nj=1Cj(txi)for N monitoring clients, where the subscripts denotethe corresponding sets as observed for transaction txiby the jth monitoring client. Using this method, mon-itoring Bitcoin clients do not need to be synchronizedin time. If time synchronization among monitoringclients was achieved, we could further limit the F setof first time segment clients to those that broadcastthe transaction in t1 time after any of our monitoringclients first received the transaction. In our experi-ments, achieving reliable time synchronization was notpossible, so the union of sets was used as described.We note that the set of active clients at a given time(A) is not straightforward to estimate even with a largenumber of monitoring clients. To do that, we wouldneed to perform an active network discovery over thepeer-to-peer network of Bitcoin clients. Instead of im-plementing this functionality ourselves, we relied onthe Bitnodes.io database [13], which provides the es-timated number of active Bitcoin clients as a function

of time (i.e. |A|). The actual set is not required for thecalculations, only the size of the set at the time of thetransactions is considered.

Step 2: Grouping the Transactions Belongingto the Same User

The next task is to group the Bitcoin addresses accord-ing to the users they are owned by. After this, everytransaction can be assigned to the users by looking atthe source Bitcoin addresses of the transaction.

It is known, that Bitcoin addresses appearing on theinput side of the same transaction belong to the sameuser [6, 7, 8, 9]. This can be used for grouping individ-ual Bitcoin addresses. The process is demonstrated inFigure 5. The left side of the figure shows the transac-tions and the input Bitcoin addresses where the Bit-coins are sent from. These Bitcoin addresses belongto the same user. When a Bitcoin address appears indifferent transactions (marked red and bold), all Bit-coin addresses can be merged and assigned to the sameuser.

The transactions belong to the user that owns itsinput Bitcoin address(es).

Step 3: Combining Probabilities – Naive BayesClassification

From the message propagation it can be determinedhow likely the clients are the originators of the trans-actions. So far we considered the transactions inde-pendently from each other.

According to our assumptions, the transactions be-longing to a single user were created by a few origina-tor clients. This means that these transactions provideprobabilities for the same set of originator clients. Theoriginator clients can be identified more efficiently by

4

Transaction 11BsWmvFJ4oqgVVvs1cFE1BdVGd582jsQYBeLYqtg

16LAiE7S3pfA53U5E

1M6xUmHyKpvWtcusg4k3

Transaction 216LAiE7S3pfA53U5E19dqKRxDpsfRmQnRAd22

1C3xKJaMG1C2yQXfmfG

Transaction 31Nw39NH5eRRtmqcPwRTc1EMcpdDbY6W53mDWou

1DbD7zFjYSQRiATc8dHx

User 11BsWmvFJ4oqgVVvs1cFE1BdVGd582jsQYBeLYqtg

16LAiE7S3pfA53U5E1M6xUmHyKpvWtcusg4k319dqKRxDpsfRmQnRAd22

1C3xKJaMG1C2yQXfmfG

User 21Nw39NH5eRRtmqcPwRTc1EMcpdDbY6W53mDWou

1DbD7zFjYSQRiATc8dHx

Figure 5: Grouping of Bitcoin addresses: the left side shows three transactions and the input Bitcoin addressesof these transactions, while the right side indicates how these Bitcoin addresses are grouped.

combining the probabilities belonging to these transac-tions, thus obtaining a more decisive result. This canbe calculated by the naive Bayes classifier method [5].Table 1 shows the transactions (denoted by tx) cre-

Table 1: The transactions of a single user (tx) assignprobabilities to the clients (IP addresses), which showsthe likelihood that the client is the originator of thetransaction. P (IPi|txj) denotes the probability thatIPi address created the txk transaction

IP1 · · · IPi · · · IPntx1 P (IP1|tx1) P (IPi|tx1) P (IPn|tx1)tx2 P (IP1|tx2) P (IPi|tx2) P (IPn|tx2)· · ·txj P (IP1|txj) P (IPi|txj) P (IPn|txj)· · ·txm P (IP1|txm) P (IPi|txm) P (IPn|txm)

ated by a single user. The transactions assign prob-abilities to the clients (IP addresses), which indicatesthe likelihood that the client is the originator of thetransaction.

If the ratio of the connected clients is small, the in-dividual probabilities in the table are also low. Theprobabilities of an IP address related to the differenttransactions can be combined by the naive Bayes clas-sification, resulting a row of combined probabilities.

This shows how likely the IP addresses belong to theexamined user.

The IP addresses will be divided into two classes, tothe ”originator” and the ”non-originator” classes. Foreach transaction, there can be at most one IP addressin the originator class. On the other hand, as a usercan use multiple IP addresses to create Bitcoin trans-actions, after combining multiple transactions, morethan one IP address can be in the originator class inthe final result.

It is assumed that the Bitcoin users can be iden-tified by a limited number of IP addresses they usewhen connected to the Bitcoin network. This involvesthat the users do not use TOR (“The Onion Router”),proxy servers or other similar systems hiding theirIP addresses. If this does not hold, the probabilitieswould be distributed among the IP addresses. Note,that the invalidity of this assumption does not resultin false IP address, user pairings: only those users willbe identified whom the assumption holds for.

The naive Bayes classification can only be appliedif the transactions provide conditionally independentprobabilities. Otherwise the dependencies between thetransactions should be determined [10].

By the application of the naive Bayes classifier (seeAppendix B for the detailed derivation), the combinedprobability of an IP address (IPi) belonging to the Cooriginator class is given by

P (IPi ∈ Co|tx) =1

1 + exp

[(1−m) ln

(|A| − 1

)+

m∑k=1

ln(

1P(IPi∈Co|txk)

− 1)]

where tx denotes the vector of all considered trans-actions, |A| is the average of the total number of active

clients through the transactions2 and m is the numberof transactions.

2The |A| number of active clients varies through the trans-

actions as they occur in different times. Thus, the |A| averageof the different |A| values is used as it is suggested in [11].

5

4 Data Collection

During the data collection campaign, modified Bitcoinclients were connected to the network. As the programcode is open-source, it was straightforward to imple-ment a monitoring client.

The tx type messages are part of the Bitcoin com-munication protocol and they contain information re-garding a transaction. These messages identified by a128-bit hash code are observed and recorded.

The Bitcoin addresses, the amount of Bitcoin sentand other information of interest can be looked up inthe blockchain according to the hash code. When re-ceiving a tx message, the monitoring client recordedthe IP address of the sender client, the time of recep-tion and the transaction’s hash identifier.

In order to monitor as large part of the Bitcoin net-work as possible, the modified Bitcoin clients were in-stalled simultaneously to 169 computers located at dif-ferent parts of the world, and all of these were record-ing the observed traffic during the campaign. Bitcoinclients behind firewalls usually do not allow incomingconnections, i.e. our monitoring clients can not estab-lish connections to them. By using a large number ofmonitoring clients it is more likely, that the Bitcoinclients behind firewalls initiate connections to some ofour monitoring clients when they enter the network.The monitoring clients were installed on computersthat are part of PlanetLab, a system maintained fornetwork communication research. [12]

The data collection campaign took slightlymore than two months between 10/14/2013 and12/20/2013. During this period 300 million recordswere obtained, in which 4 155 387 transactions and124 498 IP-addresses were identified. The collecteddata was imported into an SQL database server.

To calculate the probabilities described above, thetotal number of active clients need to be determined.From the Bitnodes.io database [13] one can look up thenumber of active IP addresses of the Bitcoin clients asa function of time.

5 Results

When calculating the combined probability of each IPaddress belonging to the specific user, the questionarises when should a pairing be accepted? As morethan one IP address can be used by each user and oneIP address can be used by several users, no restric-tion is made of this kind. A pairing is accepted, if itsprobability is higher than 0.5. This means that the IPaddress of interest has at least 0.5 probability of beingused by the user.

As a result, 22 363 users could be identified, andaltogether 1 797 IP addresses were assigned to them.

The imbalance is caused by three outstanding IPaddresses to which 20 680 users are assigned. TheseIP addresses probably belong to Bitcoin wallet ser-vices, which can be used for creating transactions on awebsite without using a private computer. Note thatthe incomplete grouping of Bitcoin addresses can also

result in an IP address being associated with severalgroups of Bitcoin addresses. These groups actually be-long to the same user, but they could not be connectedin the grouping algorithm.

For the remainder data, 1.07 IP addresses belongto one user on average. This is due to the fact thata user can use multiple IP addresses when connectingto the Bitcoin network. The maximum number of IPaddresses identified as belonging to a single user is 11.

Calculating the Balances

Examining the blockchain data alone allows to investi-gate the time evolution of user balances before, duringand after the data collection campaign.

Figure 6 shows the total balance of all identifiedusers versus time. The time interval in which thedata collection was taking place is marked by a shadedarea. Before data collection, the amount of Bitcoinowned by the identified users is increasing. This isdue to the fact that some of the identified Bitcoin ad-dresses were created before the beginning of the mea-surement campaign. After the measurement, some ofthe identified Bitcoin addresses were not used any-more, and other new unidentified Bitcoin addressestook over their place. The steep drop during the mea-surement is probably due to the significant increase ofexchange rate in this time interval, which inspired theusers to sell their Bitcoins for traditional currencies.We found a significant, −0.91 linear correlation coef-ficient between the total amount of Bitcoin owned bythe identified users and the exchange rate during themeasurement period.

The total number of Bitcoins in use is constantlyincreasing as time goes by. At the time of the mea-surement ∼ 13 500 000 Bitcoins were in circulation.The amount of Bitcoins owned by the identified usersreached a maximum of 432 666 on 10/25/2013, whichcorresponds to ∼ 3.2% of the total amount of Bitcoins.We believe that this ratio is a statistically representa-tive sample, if the data is collected with random sam-pling. However, systematic differences could have af-fected the data collection as users in different parts ofthe world, with different intentions and technical back-grounds were possibly operating differently in the net-work. The users could be protected by firewalls thusbanning incoming connections, and they could also ob-scure their operation by using VPN, proxy service orTOR.

Geographical Distribution of Bitcoin and theCash Flow

The location of IP addresses can be determined frompublicly available databases such as MaxMind [14],which contains approximate locations of the IP ad-dresses. If the Bitcoin users use additional tools tohide their IP addresses, or if the IP addresses are lo-cated at other positions than they are registered to, thedatabase gives false location results. However, theseinaccuracies are not relevant in the vast majority ofthe cases.

6

2013/01 2013/07 2014/01 2014/070

1

2

3

4

·105

(a) Bitcoin Owned by the Identified Clients (BTC)

2013/01 2013/07 2014/01 2014/070

200

400

600

800

1,000

1,200

(b) Exchange Rate of Bitcoin (USD)

Figure 6: Balances of Bitcoin users identified in our study and the Bitcoin exchange rate. The shaded areacorresponds to our data collection period.

Figure 7 shows the distribution of the identified Bit-coin clients. The coloring represents the logarithmicvalue of the density. The identified Bitcoin clients aremostly located on the more developed regions of theworld. Note that in some countries, such as Russia orChina, the Internet is regulated, therefore some inter-ference of the connected clients (and their messages)can occur.

By the localization of the IP addresses, the geo-graphical distribution of Bitcoin can also be deter-mined (Figure 8). This figure only shows the distri-bution of the Bitcoins that are owned by the iden-tified clients; the coloring is logarithmic. The snap-shot belongs to the end of the data collection period,12/20/2013.

The analysis detailed in Section 3 results in a dataset of transactions and identified originators. It isworth to examine if some originator addresses can bemapped to receiver Bitcoin addresses as well. Thereare 44 561 transactions in which both sides could befound, and altogether 190 819 Bitcoins were trans-ferred in the identified transactions. In these trans-actions 6 266 users appear as senders and 5 118 appearas receivers.

The transactions are visualized on a world map(Figure 9). The thickness, opacity and saturationof the arrows express the amount of Bitcoin trans-ferred in the related transaction. The time course ofthe transactions is demonstrated on a video (transac-tions video.avi) that can be found among the supple-mentary materials.

Let us have a look at the flow of Bitcoin between thedifferent countries, which is illustrated in Figure 10.As the vast majority of the identified Bitcoin transac-tions belongs to a few countries, only the top ten mostsignificant ones are shown in the figure. 87.5% of theBitcoins in our dataset were transferred between thesecountries.

Figure 10: The Flow of Bitcoin Between Countries

The different countries are indicated by arcs on theperimeter of the figure. The colors of the links areidentical with the color of the country where the Bit-coins were sent from. Most of the Bitcoins (more than25.4% of the total amount) are transacted internallyin the United States. There are several interestingconnections: the second largest flow is between Ger-many and Argentina (25 508 Bitcoins, 13.4% of thetotal amount), and there is a significant Bitcoin flowbetween China and the Netherlands as well.

6 Related Work

There have been several works discussing theanonymity concerns of Bitcoin. All of them show that

7

Figure 7: Distribution of the Identified Bitcoin Clients (1/100 km2)

Figure 8: Distribution of Bitcoin Owned by the Identified Clients on 12/20/2013 (1/100 km2)

Figure 9: The Flow of Bitcoin

8

the statistical processing of a huge amount of seem-ingly insignificant information can take the attackercloser to reveal the identity of people using Bitcoin.

Elli Androulaki, et al. [7] evaluated the privacy ofBitcoin by analyzing the system using a simulator.After grouping Bitcoin addresses they used behavior-based clustering techniques (K-Means and Hierarchi-cal Agglomerative Clustering algorithms) to bind theBitcoin addresses to real users.

Fergal Reid and Martin Harrigan [8] used mainlyoffline data processing of the blockchain to analyzethe transaction graph. They identified its clusters andcomponents, and analyzed the degree distribution ofthe user network.

It was also shown that the analysis of publicly avail-able data from social websites and forums can alsoreveal the Bitcoin addresses of some users. [8, 15]

A. Biryukov, D. Khovratovich and I. Pustogarovprovided a method which connects the users to IPaddresses [16]. They connected to all publicly avail-able Bitcoin nodes (servers) and listened the messagesthey were relaying. Targeting clients that do not ac-cept incoming connections, they established connec-tions to as many servers (Bitcoin clients that acceptincoming connections) as possible. They used Bit-coin’s peer discovery mechanism to link transactions totheir originators: the servers that broadcast the newlyconnected clients’ IP addresses were the same set ofservers which first relayed their transactions. The dif-ficulty of this method is that a lot of connections haveto be established to reach good results as the num-ber of the servers increases. On the other hand itpromises results for Bitcoin clients which monitoringnodes cannot directly connect to (e.g. because theyare protected by firewalls and connect to a limited).In contrast, our methodology requires direct connec-tions to the originators and we thrive to achieve thisby running a lot of Bitcoin clients accepting a largenumber of incoming connections. While they use afixed number of message relays to infer the local net-work of the originator, we use a short initial time spanfor message broadcasts to infer the actual originator.A further main difference in our methodology is com-bining information from many transactions and link-ing addresses based on the blockchain to provide moretransactions per Bitcoin user in that step. Our proba-bilistic approach could be combined with the method-ology in [16] in order to identify the “hidden” Bitcoinnodes with higher probability. This gives the possibil-ity of linking Bitcoin address groups belonging to thesame user as grouping the Bitcoin addresses was onlypartly achieved based on the transaction history in theblockchain.

Philip Koshy et al. also monitored the messagesabout the transactions and they classified the trans-actions to distinct relay patterns [9]. After applyingheuristics to determine the possible owner IP addressesof the transaction, they computed simple aggregatestatistics to filter out the correct Bitcoin address - IPaddress pairings for both in- and output addresses.

Basically the following common methods are used

to reveal the identities of Bitcoin users:

1. analyzing transactions with multiple input andgroup the input Bitcoin addresses of the sametransactions;

2. analysis of Bitcoin flow in the transaction graph,usage of clustering techniques;

3. analysis of propagating network-layer informationto bind their content to the users,

4. and finally using publicly available information(e.g., in forums) to connect Bitcoin addresses toidentities.

The methodology presented in our work belongs to the1 and 3 types of approaches, mainly based on statisti-cal processing of network propagation properties.

7 Conclusions

In this paper we examined the problem of user iden-tification in the Bitcoin network. While Bitcoin pro-vides a significant level of anonymity as Bitcoin ad-dresses can be generated freely and without providingany form of personal identification, the requirement toannounce new transactions on the peer to peer networkopens up the possibility of linking Bitcoin addresses tothe IP addresses of clients. Our main goal was evalu-ating the feasibility of this procedure.

A modified Bitcoin client program was installed onover a hundred computers, which recorded the propa-gating messages on the network that announced newtransactions. Based on the information propagationproperties of these messages, we developed a mathe-matical model using naive Bayes classifier method toassign Bitcoin addresses to the clients that most prob-ably control them. As a result Bitcoin address – IPaddress mappings were identified. Through the IP ad-dresses of the clients we could determine their geo-graphical location, which enabled the spatial analysisof distribution and flow of Bitcoin.

The method is cheap in terms of resources, the usedalgorithms are relatively easy to implement and can becombined with other Bitcoin-transaction related infor-mation.

All monitoring clients behaved as regular Bitcoinclients during the measurement. Although they didnot generate any transactions, the source code canbe modified to do so if a better concealment is re-quired. Furthermore, the monitoring clients do notneed to be connected to other Bitcoin users in any de-tectable way, making it virtually impossible to revealtheir monitoring activity. This raises the question ifthe Bitcoin network might already be monitored by asimilar methodology. It can be implied that Bitcoinusers should take further steps to adequately disguisetheir real IP addresses and preserve their anonymity.

9

Acknowledgements

This work has been accomplished at the Departmentof Physics of Complex Systems, Eotvos Lorand Uni-versity.

We thank the PlanetLab community [12] that theservers of their network could be used for the datacollection.

We are also grateful to MaxMind [14] for thedatabase that could be used for the localization of theIP addresses.

Additional Information

Author contributions PJ analyzed the data, de-rived the statistical formulation and drafted themanuscript. JS performed data collection, helped inderiving the statistical formulation and helped writ-ing the manuscript. DK provided software for datacollection, helped with the data collection and helpedwrite the manuscript. GV participated in designingthe study. All authors have read the final manuscriptand approved it for publication.

Data availability All data collected during thestudy is made publicly available.

Ethics statement All data used in the analysis ismade publicly available by the Bitcoin users as it isrequired by the Bitcoin protocol. Collecting data onthe level of network traffic allows linking Bitcoin ad-dresses to the IP addresses of Bitcoin users. No otherpersonally identifiable information beside IP addresswas collected about users, and no attempt was madeto link IP addresses to actual people beside establish-ing coarse-grained geographic location. In the shareddata, IP addresses were replaced with identifiers toprevent connecting the transactions with individualsbased on other IP address related information.

Competing interests The authors declare thatthey have no competing interests.

References

[1] Nakamoto, Satoshi. ”Bitcoin: A peer-to-peer elec-tronic cash system.” (2008).

[2] Bitcoin Core, GitHub repository,”https://github.com/bitcoin/bitcoin” (2013).

[3] Bitcoin Wiki,”https://en.bitcoin.it/wiki/Anonymity”.

[4] Christin, Nicolas. ”Traveling the Silk Road: A mea-surement analysis of a large anonymous online mar-ketplace.” Proceedings of the 22nd international con-ference on World Wide Web. ACM, 2013.

[5] Lewis, David D. ”Naive (Bayes) at forty: The inde-pendence assumption in information retrieval.” Euro-pean conference on machine learning. Springer BerlinHeidelberg, 1998.

[6] Ron, Dorit, and Adi Shamir. ”Quantitative analysisof the full bitcoin transaction graph.” InternationalConference on Financial Cryptography and Data Se-curity. Springer Berlin Heidelberg, 2013.

[7] Androulaki, Elli, et al. ”Evaluating user privacyin bitcoin.” International Conference on FinancialCryptography and Data Security. Springer Berlin Hei-delberg, 2013.

[8] Reid, Fergal, and Martin Harrigan. ”An analysis ofanonymity in the bitcoin system.” Security and pri-vacy in social networks. Springer New York, 2013.197-223.

[9] Koshy, Philip, Diana Koshy, and Patrick McDaniel.”An analysis of anonymity in bitcoin using p2p net-work traffic.” International Conference on FinancialCryptography and Data Security. Springer Berlin Hei-delberg, 2014.

[10] Rish, Irina, Joseph Hellerstein, and JayramThathachar. ”An analysis of data characteristics thataffect naive Bayes performance.” IBM TJ Watson Re-search Center 30 (2001).

[11] Figueiredo, Mario AT. ”Lecture notes on Bayesianestimation and classification.” Instituto deTelecomunicacoes-Instituto Superior Tecnico (2004):60.

[12] Chun, Brent, et al. ”Planetlab: an overlay testbedfor broad-coverage services.” ACM SIGCOMM Com-puter Communication Review 33.3 (2003): 3-12.

[13] Bitnodes.io, ”https://getaddr.bitnodes.io”

[14] MaxMind, ”http://www.maxmind.com/”

[15] Gross, Ralph, and Alessandro Acquisti. ”Informationrevelation and privacy in online social networks.” Pro-ceedings of the 2005 ACM workshop on Privacy in theelectronic society. ACM, 2005.

[16] Biryukov, Alex, Dmitry Khovratovich, and Ivan Pus-togarov. ”Deanonymisation of clients in Bitcoin P2Pnetwork.” Proceedings of the 2014 ACM SIGSACConference on Computer and Communications Secu-rity. ACM, 2014.

10

Appendix A Degree Distribution

Let us determine the degree distribution of the Bitcoin clients f (c). The total number of activeclients is considered to be constant N . The transient effects of the network formation are ne-glected as these effects cancel out with the constant connection and disconnection of the clientsto the network.

The distribution of the incoming connections has to be determined. When connecting to thenetwork, each client connects to cout = 8 randomly chosen clients. The probability that a specificclient establishes a connection to another one is cout/ (N − 1) ≈ cout/N . The number of incomingconnections has a binomial distribution, which can be approximated by a normal distribution:

P (cin = k) =

(N

k

)(coutN

)k (1− cout

N

)N−k≈

≈ 1√2πN cout

N

(1− cout

N

)exp

[−

(k −N cout

N

)22N cout

N

(1− cout

N

)]

fcin (x) =1√

2πcout(1− cout

N

)exp

[− (x− cout)2

2cout(1− cout

N

)]

where cin is the number of incoming connections. This expression only describes the distributionof the incoming connections. The cout number of outgoing connections has to be added to thisformula to obtain the distribution of the total number of connections, so the density functionmust be shifted to the right by cout: if c ≥ cout,

fc (x) =1√

2πcout(1− cout

N

)exp

[− (x− 2cout)

2

2cout(1− cout

N

)]

This gives the total degree distribution of the clients, which is illustrated in Figure 11. If cout = 8and N = 50 000, more than 92% of the clients has no more than 20 connections.

10 15 20 25 30

0

0.1

0.2

0.3

0.4

Degree

Rat

ioof

Clien

ts

Figure 11: Degree Distribution of Bitcoin clients

11

Appendix B Derivation of Naive Bayes Classifier Method

The model classifies the clients into the originator and non-originator classes (Co and Cn respec-tively) based on their IP addresses and by considering m transactions. Transactions are denotedby tx = {txi}, (i ∈ [1; m]).

Consider a single IP address, and let us examine the probabilities that the different transactionsassign to it. Using the Bayes theorem the probability of belonging to the originator class is

P (IPi ∈ Co|tx) =P (IPi ∈ Co)

P (tx)P (tx|IPi ∈ Co)

where P (IPi ∈ Co) is the frequency of Co class (a priori probability). By assuming that theprobabilities P (tx|IPi ∈ Co) are conditionally independent, the expression can be simplified.

P (IPi ∈ Co|tx) =P (IPi ∈ Co)

P (tx)

m∏i=1

P (txi|IPi ∈ Co)

Bayes theorem can be applied again to the factors in the product.

P (IPi ∈ Co|tx) =P (IPi ∈ Co)

P (tx)

m∏i=1

P (IPi ∈ Co|txi)P (txi)

P (IPi ∈ Co)=

m∏i=1

P (txi)

P (tx)︸ ︷︷ ︸const

·

m∏i=1

P (IPi ∈ Co|txi)

P (IPi ∈ Co)m−1

The first factor is constant (depends only on the data), and it can be eliminated by the normal-ization of the probabilities. As P (IPi ∈ Co|tx) + P (IPi ∈ Cn|tx) = 1 is valid,

P (IPi ∈ Co|tx) =1

m∏i=1

P(IPi∈Co|txi)

P(IPi∈Co)m−1 +

m∏i=1

P(IPi∈Cn|txi)

P(IPi∈Cn)m−1︸ ︷︷ ︸

const

·

m∏i=1

P (IPi ∈ Co|txi)

P (IPi ∈ Co)m−1=

=1

m∏i=1

P(IPi∈Co|txi)

P(IPi∈Co)m−1 +

m∏i=1

(1−P(IPi∈Co|txi))

(1−P(IPi∈Co))m−1

·

m∏i=1

P (IPi ∈ Co|txi)

P (IPi ∈ Co)m−1

The expression can be simplified further.

P (IPi ∈ Co|tx) =

m∏k=1

P(IPi∈Co|txk)

P(IPi∈Co)m−1

m∏k=1

P(IPi∈Co|txk)

P(IPi∈Co)m−1 +

m∏k=1

(1−P(IPi∈Co|txk))

(1−P(IPi∈Co))m−1

=

=1

1 + P(IPi∈Co)m−1

(1−P(IPi∈Co))m−1 ·

m∏k=1

(1−P(IPi∈Co|txk))

m∏k=1

P(IPi∈Co|txk)

P (IPi ∈ Co) is the initial frequency of occurrence of the clients in the Co class, which is 1/ |A|.Although a Bitcoin client can use multiple IP addresses in the network, it is assumed that the1/ |A| value is a good approximation for the initial frequency in the vast majority of the cases.The total number of active clients varies with time in the scale of all considered transactions.

12

Thus, the |A| average of the different |A| values is used as suggested in [11].

P (IPi ∈ Co|tx) =1

1 +

(1

|A|1− 1

|A|

)m−1·m∏k=1

(1

P(IPi∈Co|txk)− 1) =

=1

1 +(|A| − 1

)1−m·m∏k=1

(1

P(IPi∈Co|txk)− 1) ,

This formula brings in a technical problem. Huge numbers are multiplied together in theproduct, which become significantly biased in regular number representations by rounding andmay result in overflow. To relax this problem, the second term of the denominator is written inan exponential form.

P (IPi ∈ Co|tx) =1

1 + eξ,

ξ = (1−m) ln(|A| − 1

)+

m∑k=1

ln

(1

P (IPi ∈ Co|txk)− 1

).

This results in the following practical formula.

P (IPi ∈ Co|tx) =1

1 + exp

[(1−m) ln

(|A| − 1

)+

m∑k=1

ln(

1P(IPi∈Co|txk)

− 1)]

This formula enables us to combine the probabilities assigned to the IP addresses by thetransactions.

13