In the last video we looked at cryptocurrency wallets and specifically on Coinbase we looked at a custodial Bitcoin wallet and then a locally installed Bitcoin wallet. We looked at the different private keys involved in seizing the wallet and how you can either seize a Bitcoin address or an entire wallet. If you haven't seen that video yet or the overview about blockchain, I recommend you go check them out first and then come back.

In the cryptocurrency wallets video I talked only briefly about monitoring transactions or doing investigations on the blockchain and the reason for that is because I wanted to show some techniques that make transaction analysis a little bit easier. Last time I talked about blockchain.com/explorer and if I have an address that I want to analyze, I can just paste it in there, hit enter, our address is BTC and it will bring up all of the transactions associated with that individual address. So you can see that here we have 143 transactions and the total amount of Bitcoin associated with that and then the individual transactions and all of the Bitcoin addresses that a certain amount of Bitcoin has been transferred to or from.

This is an okay way to start, but what you'll notice is as I scroll down, there's a lot of transactions. There's a lot of associated wallets and it becomes a lot of information to try to parse through just on this website and there are a few different commercial tools out there that can help you with this. But one of the easiest ways that I found that you can do it for free is by using Maltego Community Edition. They have the blockchain.info Bitcoin Analysis Transform. The Transform Hub will open up as soon as you open Maltego. Make sure that the blockchain.info transform is installed and then you can do at least a basic analysis of Bitcoin transactions.

So once you have this transform installed, go ahead and start a new investigation. A couple of different things from Bitcoin that we can start to investigate.
So we have, for example, the Bitcoin block, Bitcoin address, Bitcoin transaction, cryptocurrency owner, if we know who that is, maybe an Ethereum address. The Bitcoin and Ethereum graphs are going to work in a very similar way. So we start with our Bitcoin address, drag that into our main graph as a default address. So you go ahead and double click that and then remove and then I'm going to paste in the address that I'm interested in investigating. This address is associated with the WannaCry malware.

So now that I have a node created with our address that we're interested in, if I right click on the node, I have a bunch of different options available. I'm going to focus on only intelligence gathered from blockchain.com. If I want to see all the victims or estimate the number of victims that have actually paid out to the suspects, I can right click on the node, do a search for blockchain.com. And then that should filter to only the blockchain.com transforms. I'm going to do source addresses because I don't want to see just transactions. I want to see all of the addresses that have sent currency to this particular wallet. And then our graph is created.

I have 12 entities selected and these are likely payouts from victims. If we trace those back, they probably go almost immediately back to some sort of exchange. We can do some statistics on those individual victims to see, you know, how much is an average victim being asked to pay. All we had to do was right click and then look for source addresses. And then we were able to identify potential victims. Now we already have an idea of victims. We can do that back tracing of transactions to try to trace it back to different exchanges.

What you're probably interested in is where did the money go and who owns this individual wallet? Instead of looking for the source address, I can right click and then go to destination address. So if I click to destination addresses, Bitcoin was sent to several other addresses.
And if I click on each of those, I can look at info and then go to view. And Maltego will provide a link directly to blockchain.com's Bitcoin Explorer. And then I can see how many transactions were in this and how much cryptocurrency was exchanged. So we can see nine Bitcoin is quite a lot. About $500,000 total was sent to and from this address. So here we have some money coming in. This is our address that we're interested in. And then it goes out to two different addresses. And notice that the majority of the money was sent out to this other address, ending in 856H. A lot less Bitcoin was sent to another address that could be just transaction fees or it could be a suspect splitting off some of their funds. So both of those addresses need to be investigated.

But let's say that we're interested in, for example, this nine Bitcoin. So I'm looking at 856H. Let's say that out of all of these nodes that I've investigated, I know that this is where most of the cryptocurrency is being sent. The one that I'm interested in, I'm going to right click and then I'm going to get destination addresses again. And we should see our two addresses that we saw on blockchain.com. The 856H is the one that we're interested in because that's the nine Bitcoin that was sent out. So I'm going to go ahead and do the same thing again, to destination addresses. And then from there, we get a couple more transactions. So let's go ahead and go back to view. And then this has total received 32 Bitcoin, so a lot coming in. So over a million dollars, but probably not big enough to be some sort of exchange. So I can go in and investigate again, these four nodes.

If I scroll out, you have the high level view of my graph. So we started with our cryptocurrency address. Let's say that these either are unknown or I'm not interested in them. But then I have this path where I've investigated. And these are the transactions that I'm actually interested in.
So I can kind of trim off those branches and then just focus on the addresses that I'm really interested in that core of the money or all of the funds coming in or maybe where somebody's been victimized multiple times and they're using the same Bitcoin address. So I can start to build out these graphs that make it really easy to track where all this money is going. Whereas if we were just using blockchain.com, it's a little bit more difficult to visualize and much harder to keep track of all of your investigation.

Maltego and similar tools will build out the graph for you. And Maltego is nice because that graph is interactive and you can start to trim off branches that aren't that interesting. Some commercial tools will basically do this for you, except they will do a little bit more analysis so that way they can try to pick out the most interesting flows or paths for you. But you can do exactly the same thing with Maltego for all of the different blockchains.

What I wanted to show you is that you can start with a Bitcoin address and then all of these Bitcoin addresses are associated by the transaction. If you've ever done financial investigations before, this should look really familiar to you because we would have exactly the same type of graph where we have, for example, bank accounts. A bank account where all of the proceeds of crime went into and then we would basically trace that through several different other accounts and we would investigate each of those individual accounts. At the end of this entire process, you're either going to get back to an exchange that way they can cash out or they're going to pay for some sort of service. Intelligence gathering becomes really important because we have to know, for example, which Bitcoin addresses are associated with individual services.

So that's it for today. Thank you very much.
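
The tracing workflow from the walkthrough (source addresses, destination addresses, following the largest outflow and trimming side branches until a known service is reached), as an added Python example that is not part of the video and is not Maltego's or blockchain.com's code. The ledger, the placeholder address names and the `KNOWN_SERVICES` attribution list are constructed assumptions.

```python
from collections import defaultdict

BTC = 100_000_000  # satoshis per bitcoin; integer amounts avoid float drift

# Constructed sample ledger (placeholder names, not real Bitcoin addresses).
TXS = [
    {"ins": ["victim_a"], "outs": {"ransom": 3 * BTC}},
    {"ins": ["victim_b"], "outs": {"ransom": 3 * BTC}},
    {"ins": ["victim_c"], "outs": {"ransom": 4 * BTC}},
    {"ins": ["ransom"], "outs": {"hop1": 9 * BTC, "side1": 1 * BTC}},
    {"ins": ["hop1"], "outs": {"hop2": 8 * BTC, "side2": 1 * BTC}},
    {"ins": ["other"], "outs": {"hop2": 24 * BTC}},
    {"ins": ["hop2"], "outs": {"exchange_x": 30 * BTC, "side3": 2 * BTC}},
]
KNOWN_SERVICES = {"exchange_x": "exchange"}  # assumed attribution intelligence

def source_addresses(txs, addr):
    """Input addresses of every transaction that pays addr (likely payers)."""
    return sorted({i for tx in txs if addr in tx["outs"] for i in tx["ins"]})

def destination_addresses(txs, addr):
    """Total satoshis per output address across transactions addr funded."""
    totals = defaultdict(int)
    for tx in txs:
        if addr in tx["ins"]:
            for out, amount in tx["outs"].items():
                if out != addr:  # ignore change returned to the same address
                    totals[out] += amount
    return dict(totals)

def follow_largest(txs, start, services, max_hops=10):
    """Follow the biggest outflow hop by hop; return (path, trimmed, label)."""
    path, trimmed, current = [start], [], start
    for _ in range(max_hops):
        if current in services:  # reached an attributed service: stop here
            return path, trimmed, services[current]
        dests = destination_addresses(txs, current)
        dests = {a: v for a, v in dests.items() if a not in path}  # no loops
        if not dests:
            break
        nxt = max(dests, key=dests.get)
        trimmed += sorted(a for a in dests if a != nxt)  # branches set aside
        path.append(nxt)
        current = nxt
    return path, trimmed, services.get(current)

if __name__ == "__main__":
    print(source_addresses(TXS, "ransom"))
    print(follow_largest(TXS, "ransom", KNOWN_SERVICES))
```

The trimmed addresses are set aside rather than cleared: as the walkthrough notes, a small side output may be a fee or a suspect splitting off funds, so each still needs its own look.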