Understanding Blockchain Technology
Blockchain is a distributed ledger technology that forms the foundation of cryptocurrencies. Understanding its structure is essential for tracing cryptocurrency transactions and conducting effective investigations.
What is a Blockchain?
A blockchain is a chain of blocks, where each block contains a batch of transactions. Each block is cryptographically linked to the previous block through its hash, creating an immutable chain of records.
Key Blockchain Concepts
Distributed Ledger
No central authority controls the blockchain. Copies are maintained by thousands of nodes worldwide, making tampering practically impossible.
Immutability
Once recorded, transactions cannot be altered or deleted. This creates a permanent audit trail crucial for investigations.
Transparency
All transactions are publicly visible on the blockchain. Anyone can verify any transaction using block explorers.
Consensus Mechanism
Nodes agree on valid transactions through protocols like Proof of Work (Bitcoin) or Proof of Stake (Ethereum 2.0).
Blockchain Components
| Component | Description | Investigation Relevance |
|---|---|---|
| Block Header | Contains metadata: timestamp, previous block hash, Merkle root, nonce | Timestamp helps establish timeline of transactions |
| Transaction Hash (TXID) | Unique identifier for each transaction | Primary tracking identifier for tracing funds |
| Input/Output | Source and destination addresses in a transaction | Maps fund flow between addresses |
| Block Height | Position of block in the chain | Confirms how many blocks have passed since transaction (confirmations) |
Bitcoin: The First Cryptocurrency
Bitcoin, created in 2009 by the pseudonymous Satoshi Nakamoto, is the first and most widely recognized cryptocurrency. Understanding its structure is fundamental for crypto investigations.
Bitcoin Technical Overview
- Network: Peer-to-peer, no central server
- Consensus: Proof of Work (mining)
- Block Time: Approximately 10 minutes
- Block Size: 1-4 MB (with SegWit)
- Total Supply: 21 million BTC maximum
- Smallest Unit: 1 Satoshi = 0.00000001 BTC
Bitcoin Address Formats
Legacy (P2PKH) - Starts with "1"
Example: 1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2
SegWit-wrapped (P2SH-P2WPKH) - Starts with "3" (a P2SH address; the same format is also used for multisig scripts, so "3" alone does not prove SegWit)
Example: 3J98t1WpEZ73CNmQviecrnyiWrnqRhWNLy
Native SegWit (Bech32) - Starts with "bc1"
Example: bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq
Taproot (P2TR) - Starts with "bc1p"
Example: bc1p5d7rjq7g6rdk2yhzks9smlaqtedr4dekq08ge8ztwac72sfr9rusxg3297
The address format can provide clues. Legacy addresses (starting with 1) are older. Native SegWit (bc1q) indicates more sophisticated users. Address reuse patterns and address types help in clustering analysis.
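As an added example (not the course's Address Analyzer tool), the following Python classifies a Bitcoin address into the formats listed above and verifies its Base58Check or bech32/bech32m checksum, so a mistyped or truncated address is rejected instead of being looked up. The function names are the author's own choice.

```python
import hashlib

# Added example: Bitcoin mainnet address format check with checksum validation.
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
BECH32 = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"
BECH32M_CONST = 0x2BC830A3  # bech32m (Taproot) checksum constant; bech32 uses 1


def b58check_decode(addr):
    """Base58Check decode; returns the payload, raises ValueError on a bad checksum."""
    n = 0
    for ch in addr:
        n = n * 58 + B58.index(ch)  # ValueError on characters outside the alphabet
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    raw = b"\x00" * (len(addr) - len(addr.lstrip("1"))) + raw  # each leading '1' = 0x00
    payload, check = raw[:-4], raw[-4:]
    if hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] != check:
        raise ValueError("Base58Check checksum mismatch")
    return payload


def bech32_polymod(hrp, data):
    """BIP-173 checksum over the human-readable part plus the 5-bit data values."""
    gen = (0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3)
    chk = 1
    for v in [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp] + data:
        top, chk = chk >> 25, ((chk & 0x1FFFFFF) << 5) ^ v
        for i in range(5):
            chk ^= gen[i] if (top >> i) & 1 else 0
    return chk


def classify_address(addr):
    """Return the mainnet Bitcoin address type, or raise ValueError."""
    if addr.lower().startswith("bc1"):  # lowercased here; mixed case is not checked
        data = [BECH32.index(c) for c in addr.lower()[3:]]
        version, program_len = data[0], len(data[1:-6]) * 5 // 8  # bytes of witness program
        const = bech32_polymod("bc", data)
        if version == 0 and const == 1 and program_len in (20, 32):
            return ("P2WPKH" if program_len == 20 else "P2WSH") + " (Native SegWit, bech32)"
        if version == 1 and const == BECH32M_CONST and program_len == 32:
            return "P2TR (Taproot, bech32m)"
        raise ValueError("bad bech32 checksum or unsupported witness version")
    payload = b58check_decode(addr)
    kinds = {0x00: "P2PKH (Legacy)", 0x05: "P2SH (wrapped SegWit or multisig)"}
    if len(payload) != 21 or payload[0] not in kinds:
        raise ValueError("unknown Base58 version byte or payload length")
    return kinds[payload[0]]
```

Calling classify_address on the course's own example addresses returns "P2PKH (Legacy)", "P2SH (wrapped SegWit or multisig)" and "P2WPKH (Native SegWit, bech32)" respectively, while any single-character typo raises ValueError.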
Bitcoin Transaction Structure
A Bitcoin transaction consists of:
- Inputs: References to previous transactions (UTXOs) being spent
- Outputs: New addresses receiving funds and amounts
- Fee: Difference between inputs and outputs (goes to miners)
- Signature: Cryptographic proof of authorization
Ethereum and Smart Contracts
Ethereum extends blockchain beyond simple value transfer by enabling programmable transactions through smart contracts.
Ethereum vs Bitcoin
| Feature | Bitcoin | Ethereum |
|---|---|---|
| Primary Purpose | Digital currency / Store of value | Decentralized computing platform |
| Block Time | ~10 minutes | ~12 seconds |
| Consensus | Proof of Work | Proof of Stake (since 2022) |
| Smart Contracts | Limited scripting | Turing-complete |
| Native Currency | BTC | ETH (Ether) |
| Address Format | Various (see above) | 0x followed by 40 hex characters |
Ethereum Address Format
Ethereum Address (42 characters):
0x742d35Cc6634C0532925a3b844Bc9e7595f5CB6b
Components:
- Prefix: 0x (indicates hexadecimal)
- Address: 40 hexadecimal characters (20 bytes)
- Derived from: Last 20 bytes of Keccak-256 hash of public key
Smart Contracts and Tokens
Smart contracts enable creation of tokens on Ethereum (ERC-20, ERC-721 NFTs). Understanding these is important because:
- ERC-20 Tokens: Most "altcoins" like USDT, USDC, LINK exist as Ethereum tokens - tracked separately from ETH
- Token Transfers: Show in transaction data field, not in value - requires decoding
- DeFi Interactions: Complex transactions involving multiple contracts, swaps, loans
- NFTs (ERC-721): Unique tokens used for digital art, gaming - have value and can be traced
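The data-field decoding mentioned above for token transfers, as an added example that is not part of the course material: the transfer(address,uint256) selector and the Transfer event topic hash are the standard ERC-20 values, while the calldata, the log entry, the token contract and sender addresses are constructed samples, and the function names are the author's assumptions.

```python
# Standard ERC-20 values (from the token standard, not constructed):
TRANSFER_SELECTOR = "a9059cbb"  # first 4 bytes of keccak256("transfer(address,uint256)")
TRANSFER_TOPIC = "0xddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef"


def word_to_address(word):
    """An ABI word is 32 bytes (64 hex chars); an address sits in the last 20 bytes."""
    if len(word) != 64 or word[:24] != "0" * 24:
        raise ValueError("not a zero-padded address word")
    return "0x" + word[24:]


def decode_transfer_calldata(data):
    """Return (to, raw_amount) for transfer(address,uint256) calldata, else None."""
    hexdata = data[2:] if data.startswith("0x") else data
    if not hexdata.startswith(TRANSFER_SELECTOR) or len(hexdata) != 8 + 2 * 64:
        return None  # a different call (approve, swap, ...) or malformed input
    return word_to_address(hexdata[8:72]), int(hexdata[72:136], 16)


def decode_transfer_log(log):
    """Return (token_contract, from, to, raw_amount) from a Transfer event, else None."""
    topics = log["topics"]
    if len(topics) != 3 or topics[0] != TRANSFER_TOPIC:
        return None  # ERC-721 Transfer shares the topic hash but carries 4 topics
    return (log["address"], word_to_address(topics[1][2:]),
            word_to_address(topics[2][2:]), int(log["data"], 16))


def to_units(raw_amount, decimals):
    """Raw integer to human units: USDT and USDC use 6 decimals, most tokens use 18."""
    return raw_amount / 10 ** decimals


# Constructed samples (not real chain data): a transfer of 2,500 tokens with 6
# decimals to the course's example address, and the log the contract would emit.
SAMPLE_CALLDATA = ("0x" + TRANSFER_SELECTOR
                   + "742d35cc6634c0532925a3b844bc9e7595f5cb6b".rjust(64, "0")
                   + format(2_500_000_000, "064x"))
SAMPLE_LOG = {
    "address": "0x" + "ab" * 20,  # placeholder token contract address
    "topics": [TRANSFER_TOPIC,
               "0x" + ("11" * 20).rjust(64, "0"),  # placeholder sender address
               "0x" + "742d35cc6634c0532925a3b844bc9e7595f5cb6b".rjust(64, "0")],
    "data": "0x" + format(2_500_000_000, "064x"),
}
```

The transaction's value field stays 0 ETH for such a transfer; only the decoded calldata or the Transfer log reveals that 2,500 tokens moved, which is why a raw explorer view of value alone misses token flows.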
Cryptocurrency Wallets
A cryptocurrency wallet doesn't store cryptocurrency - it stores the private keys that control addresses on the blockchain. Understanding wallet types is crucial for investigation strategy.
Wallet Types by Custody
Custodial Wallets
Third party (exchange) holds private keys. User has account access but not direct blockchain control. KYC data typically available.
Non-Custodial Wallets
User controls private keys directly. No intermediary, no KYC. Harder to investigate but keys may be found on devices.
Wallet Types by Storage
| Type | Description | Investigation Approach |
|---|---|---|
| Hot Wallets | Connected to internet (mobile apps, browser extensions, exchange wallets) | App data on device, transaction history, backup phrases |
| Cold Wallets | Offline storage (paper wallets, offline computers) | Physical search for paper backups, encrypted files |
| Hardware Wallets | Dedicated devices (Ledger, Trezor) - keys never leave device | Device seizure, PIN recovery, companion app data |
Seed Phrases (Recovery Phrases)
Most wallets use a 12 or 24-word seed phrase (BIP-39 mnemonic) that can regenerate all addresses and keys:
abandon abandon abandon abandon abandon abandon
abandon abandon abandon abandon abandon about
This seed phrase:
- Generates deterministic hierarchy of addresses
- Anyone with these words has COMPLETE control of all funds
- Should NEVER be stored digitally (but often is)
Investigation value:
- Finding seed phrase = access to all associated wallets
- Check notes apps, cloud storage, photos, documents
Seed phrases are the most valuable evidence in crypto cases. They're often stored in notes apps, screenshots, cloud backups, or written on paper. A single seed phrase can provide access to millions in cryptocurrency.
Cryptocurrency Exchanges
Exchanges are platforms where users buy, sell, and trade cryptocurrencies. They're key points for investigation as they often have KYC data.
Types of Exchanges
Centralized Exchanges (CEX)
Traditional exchanges with KYC requirements. Examples: Binance, WazirX, CoinDCX. Have customer data and can freeze accounts.
Decentralized Exchanges (DEX)
Peer-to-peer trading via smart contracts. No KYC, no central operator. Examples: Uniswap, PancakeSwap. Limited investigation data.
Peer-to-Peer (P2P) Platforms
Direct trading between users, often with escrow. Examples: LocalBitcoins, Paxful. Some KYC, user chat logs available.
Major Exchanges Operating in India
| Exchange | Type | KYC Level | Cooperation |
|---|---|---|---|
| WazirX | CEX (India-based) | Mandatory Aadhaar/PAN | Generally cooperative with Indian LEA |
| CoinDCX | CEX (India-based) | Mandatory KYC | Cooperative with proper process |
| Binance | CEX (International) | Tiered KYC | Requires proper legal process |
| ZebPay | CEX (India-based) | Mandatory KYC | Cooperative |
Public Key Cryptography
Understanding the cryptographic foundation helps investigators understand what's possible and impossible in crypto investigation.
Key Pairs in Cryptocurrency
PRIVATE KEY (Secret - 256-bit number)
|
| (Elliptic Curve Multiplication - One-way function)
v
PUBLIC KEY (Can be shared)
|
| (Hashing - One-way function)
v
ADDRESS (Public identifier on blockchain)
Key Points:
- Private Key -> Public Key: Easy (mathematical operation)
- Public Key -> Private Key: IMPOSSIBLE (no known method)
- Anyone can verify signatures with public key
- Only private key holder can create valid signatures
Transaction Signing
When a transaction is created:
- Transaction details are hashed
- Private key signs the hash, creating a digital signature
- Network verifies signature using public key
- Valid signature proves authorization without revealing private key
Without the private key, it's mathematically impossible to move funds. Cryptocurrency cannot be "hacked" by breaking the underlying cryptography. Funds are stolen through: obtaining private keys/seed phrases, social engineering, exchange hacks, or malware capturing keys.
Relevance to Investigation
Why Blockchain is Investigator-Friendly
- Permanent Record: Every transaction ever made is recorded forever
- Public Transparency: Anyone can view any transaction on block explorers
- Traceable: Fund flow can be traced through multiple hops
- Timestamped: Block timestamps provide timeline evidence
- Immutable: Records cannot be altered or deleted
Key Investigation Resources
| Resource | Purpose | URL |
|---|---|---|
| Blockchain.com Explorer | Bitcoin transaction lookup | blockchain.com/explorer |
| Etherscan | Ethereum transaction/token tracking | etherscan.io |
| Blockchair | Multi-chain explorer | blockchair.com |
| Wallet Explorer | Bitcoin address clustering | walletexplorer.com |
The Cryptocurrency Address Analyzer tool available in this course allows you to input Bitcoin and Ethereum addresses to view transaction history, balance information, and basic pattern analysis. Practice with the tool to build proficiency in blockchain analysis.
- Blockchain is a distributed, immutable ledger - every transaction is recorded permanently and publicly viewable
- Bitcoin addresses have different formats (Legacy 1..., SegWit 3..., Bech32 bc1q...) - format indicates user sophistication
- Ethereum uses 0x prefix with 40 hex characters and supports smart contracts and tokens (ERC-20, NFTs)
- Wallet types matter: Custodial wallets (exchanges) have KYC data; Non-custodial require device forensics
- Seed phrases (12/24 words) are critical evidence - provide complete wallet access
- Centralized exchanges have KYC and can cooperate; DEXs have minimal investigation data
- Public key cryptography makes "hacking" crypto impossible - theft requires obtaining private keys through other means
- Block explorers provide free access to all transaction data - blockchain analysis is accessible to all investigators