Tracing stolen bitcoin

A new Computerphile video explains how we’ve worked out a much better way to track stolen bitcoin. Previous attempts to do this had got entangled in the problem of dealing with transactions that split bitcoin into change, or that consolidate smaller sums into larger ones, and with mining fees. The answer comes from an unexpected direction: a legal precedent in 1816. We discussed the technical details last week at the Security Protools Workshop; a preprint of our paper is here.

Previous attempts to track tainted coins had used either the “poison” or the “haircut” method. Suppose I open a new address and pay into it three stolen bitcoin followed by seven freshly-mined ones. Then under poison, the output is ten stolen bitcoin, while under haircut it’s ten bitcoin that are marked 30% stolen. After thousands of blocks, poison tainting will blacklist millions of addresses, while with haircut the taint gets diffused, so neither is very effective at tracking stolen property. Bitcoin due-diligence services supplant haircut taint tracking with AI/ML, but the results are still not satisfactory.

We discovered that, back in 1816, the High Court had to tackle this problem in Clayton’s case, which involved the assets and liabilities of a bank that had gone bust. The court ruled that money must be tracked through accounts on the basis of first-in, first out (FIFO); the first penny into an account goes to satisfy the first withdrawal, and so on.

Ilia Shumailov has written software that applies FIFO tainting to the blockchain and the results are impressive, with a massive improvement in precision. What’s more, FIFO taint tracking is lossless, unlike haircut; so in addition to tracking a stolen coin forward to find where it’s gone, you can start with any UTXO and trace it backwards to see its entire ancestry. It’s not just good law; it’s good computer science too.

We plan to make this software public, so that everybody can use it and everybody can see where the bad bitcoins are going.

I’m giving a further talk on Tuesday at a financial-risk conference in Paris.

10 thoughts on “Tracing stolen bitcoin

  1. Similar to the problems with jurisdictions differing on whether a transaction was criminal, what if some jurisdictions have precedent, or decide, that the relevant principle is LIFO?

    That would seem to accord more closely to how people think about the balance in a bank account: if I have savings of £500 at the start of the month, get paid £1000 salary and pay out £1000 in bills and withdrawals over the month, that £500 I have at the end of the month feels a lot like the same £500 I had at the start.

  2. At the risk of making a fool of myself in public, I note that on p.8 you say that it is unlikely that governments would declare the blockchain constitutive of bitcoin ownership, and justify that by pointing to the DVLA’s register of motor vehicles being not a register of ownership but merely of responsible keepers. This is true neither of all registries of motor vehicles (the Massachusetts RMV, for instance, issues titles, which are proofs of ownership) nor of all UK government registries (the Land Registry, for example, registers ownership). You may be right that HMG would never recognise the blockchain’s power to confer ownership, but adducing the (arguably odd) status of the DVLA’s register of keepers seems a less-than-convincing way of showing it.

  3. The “rule” in Clayton’s case is in fact only a presumption applicable to a running current account between two parties, which yields to evidence that some other rule was intended. It doesn’t apply where a fiduciary mixes trust money in an account with his own money – in that case the fiduciary is treated as withdrawing his own money before the trust money. And it doesn’t apply where it would be unjust in practice, as in the case of Commerzbank Aktiengesellschaft v IMB Morgan plc and others [2004] EWHC 2771 (Ch).

    It seems doubtful that software can readily embody this flexible and discretionary “rule” (quite apart from the question of whether jurisdictions outside England approach the matter in the same way).

  4. I second Nicholas Bohm’s call for caution. Equitable tracing is fiendishly complex and it’s not even clear what its underlying basis is.

    Ultimately the reason for Clayton’s Case and all the other rules of tracing through mixtures is because the property traced is not uniquely identifiable. One part of a bank balance is the same as any other. In fact, you don’t have ‘money at the bank’ – the bank owes you a debt. There have to be rules – quite arbitrary ones in the case of FIFO and proportionate interest – to match inputs to outputs.

    I don’t know enough about bitcoin to know how uniquely identifiable each coin is – presumably it is from its private key, but there may be complications in obtaining that.

    If bitcoin is considered uniquely identifiable, then none of those tracing rules will apply because the reason for them is not engaged. Instead the law says follow the identifiable coins which can be unmixed and attributed to good and bad sources.

    If identification is difficult, it’s possible arbitrary rules to identify tainted coins would be adopted, but one would hope for some serious consideration of whether they are right for the job. Clayton’s Case is often more observed in breach (e.g. Barlow Clowes International Ltd v Vaughan [1992] 4 All ER 22 (CA)). The North Americans have another method, too.

  5. In addition to Nicholas Bohm’s comment, there are many open questions regarding the application of both, “clayton’s case” and the “nemo dat rule”:

    1. Clayton’s case was concerned with debts in the bank money system. Cryptocurrency systems operate in a totally different way. So why should “Clayton’s case” be applied on blacklisting cryptocurrencies?

    2. Clayton’s case cannot be applied (easily) in other legal systems. For example, the jurisdiction in Germany operates with a total contamination policy when dealing with money laundering cases in the bank money system. So how could clayton’s case serve as a template for international regulation?

    3. The nemo dat rule’s meaning varies in different legal systems. For example, in Germany there is still an exception for public auctions. So why and how could the nemo dat rule serve as a template for an international regulation?

    Moreover, the paper gives rise to a preliminary question:

    The nemo dat rule could only be applied, if cryptocurrency units are considered as some kind of “property”. See: Fairfield, BitProperty,

    It should also be mentioned that FIFO is a senority model. The implementation of a blacklisting system with a FIFO policy would probably lead to a change in the Bitcoin user’s mentality and behaviour: The structure of a Bitcoin transaction will probably be a subject for negotiations between payer and recipient, see: Moeser/Boehme/Breuker, Towards Risk Scoring of Bitcoin Transactions,

    Last but not least, the outcome of the research project BITCRIME deals with many legal aspects of a blacklisting system for cryptocurrency systems, see:

  6. The idea of ‘FIFO tainting’ is just a reinvention of ‘colored coins’, which were first described in 2012:

    But the idea that taint is passed with coins seems to fly in the face of the idea of ‘digital cash’. Real cash works precisely _because_ it is not considered ‘tainted’ when obtained lawfully though its history might be unlawful.

    You acknowledge this when you talk about getting 10 pound note in change, although you allude to the notion of a holder in due course for value (though you use the phrase “good faith for value”, which I can’t find reference to outside of bankruptcy law), but this concept does not apply in any way to cash. It it a rule for dealing with stolen checks/bonds/debt instruments.

    For cash, the rule is much stronger: “if your own receipt of it was legitimate, it is yours and untainted, period.” I am having trouble even finding a name for this rule, or modern citations — it seems to have been around for a very long time. Here’s a citation from 1879:,+merchandise,+and+cattle%22&source=bl&ots=5mU5TYArqR&sig=DDaHqdWMINyH0-DwuWrYa6kKjt0&hl=en&sa=X&ved=0ahUKEwiotIrTu5XaAhVB-GMKHVisBRsQ6AEIKTAA#v=onepage&q=%22such%20is%20the%20law%20with%20regard%20to%20all%20kinds%20of%20goods%2C%20merchandise%2C%20and%20cattle%22&f=false

    And here’s a 2013 paper citing a case from 1749:

    The rule for cash has always been that one does not need to inquire into the history of cash legally received — that’s what makes it cash. It therefore puzzles me that, thought you acknowledge that cash received in change in a legitimate transaction is not tainted in any way, that you veer sharply away from giving Bitcoin the same status, but insist that we should instead step up complicated taint-tracking schemes that follow the entire history of a coin. The clear alternative seems to be the same system we have now for cash: When a bank or other regulated institution receives it, it must inquire into the immediate previous owner’s possession of it, but the distant prior history is not important, nor does an individual legitimate recipient have to worry that their money is somehow “tainted” by its past. You acknowledge that many people desire this status for Bitcoin but you don’t seem to provide an argument for why it’s undesirable.

    You then go even further, to say “Cryptocurrencies such as Monero and Zcash might forever be incapable of being treated as money, because of their built-in laundromats. There, a default assumption of bad faith seems prudent.” But the whole _point_ of treating a digital currency as cash is to give it the same properties as the cash we have in our wallets, which also can’t be traced. Why assume bad faith in the use of Monero unless you would also assume it in the use of a five-pound (or five-dollar) note? Perhaps you would, but in that case I don’t think this is a useful exercise. Do you see the lack of taint-tracking in cash banknotes as an undesirable bug to be stomped out?

  7. This analysis assumes only one or two inputs in every transaction, to allow a small number of possible traceback paths for any UTXO

    You can not trace any UTXO back to its origin if there is just one multi-input transaction in the path. With two or more multi-input transactions, the number of paths becomes hundreds or thousands

    Learn how Bitcoin transactions are constructed before pretending to indulge in academic research

    Learn about the mathematics of permutations


  8. There’s now a nice article in Wired. In it a Texas law professor mentions yet another tracing mechanism: in “Jessel’s Bag” a court takes money from guilty parties before innocent ones. This appears to refer to the same case in 1880 to which Nick Bohm referred above, namely that when A holds money as a trustee for B, B should be repaid first. I imagine that the amount of bitcoin held in trust is relatively small and in any case it appears that the 1880 case was overturned in 2001; apparently the victim now has some choice about where and how to claim their money.

    FIFO tracing will be the way to get the underlying evidence on which such a claim, or a case, would be argued. It is efficient, precise and reversible. Of course some bitcoins have multiple ancestors thanks to multi-input transactions; we wrote the software to deal with this.

    The fact remains that bitcoin is not cash. It is not fungible however much its holders and advocates might wish it to be. It could be made cash by law but no government has cared to do that. This has led people to invent Zcash, Monero etc. Perhaps our software will cause their value to increase compared with bitcoin; or perhaps governments will ban them as a conspiracy to obstruct justice. Time will tell.

    1. Hi Ross, this seems very interesting. When are you planning to release the software, and will you also be releasing the source code? I would be very interested to see how you implement all this (I’m a PhD researcher in financial applications of cryptos).

Leave a Reply

Your email address will not be published. Required fields are marked *