Tracking a Bitcoin wallet related to sexortation

Euler Neto
3 min readJul 13, 2021

It was just one more day reading my emails, then I decided to take a look in the spam folder to see if there could have something interesting to analyze. So, I saw this message:

Spam message

Wow! It seems that I’m being a victim of sexortation. What can I do if I even know who sent me this threat? Well, I will take a look at the e-mail header to see at least from where this e-mail came from.

Info from IP2Location’s E-mail tracer

So the person who’s trying to blackmail me is senting the e-mail with an IP from Greece. Let’s see if we can find something related to this IP.

Info from OTX Alienvault

Well, looking at OTX we saw that there’s no malicious record related to this IP. But in the screenshot of the email I already gave a hint of what we can verify next. Let’s see what we can find about this Bitcoin wallet.

Bitcoin Abuse Database from the wallet in the email message

In Bitcoin Abuse Database this wallet has 198 reports related to malicious activity (at the time this text was written). Now we know that this wallet is suspect, so what about the transactions involving it?

If we look this wallet in, we can see that there’re 24 transactions involving this wallet. So will we check each wallet in Abuse Database?

This is why I made a tool called DarkBitCoinGraph. With this tool we can list the other wallets that made transaction with a specific wallet and has an abuse report.

Executing DarkBitcoinGraph

Using the tool we could find that the wallet involved in the email message made some transaction with another wallet with abuse report: 17A16QmavnUfCW11DAApiJxp7ARnxN5pGX. This wallet made 436.476 (!!!) transactions but with the tool we can view only the wallets with abuse report that made one of these transactions. Now we found one more wallet: 12cgpFdJViXbwHbhrA3TuW1EGnL25Zqc3P. This wallet made 115.723 (!!!) transactions and among these transactions the only that have abuse report is the two previous wallets.

With these informations that we gathered, we can combine it with OSINTCombine (this was unintentional. :D) tool and generate a graph.

Saved image from OSINTCombine tool

Also, if we look the abuse reports of the other wallets we can found the information that they are involved in darknet activity and credit card scum.

That’s it! For me it was great because this was the first time that I used my own tool since the video that I made to send to OSINT Dojo. Hope that this tool can be useful in cases that you are dealing with scenarios with limited resources and is unable to use tools like Maltego. The tool is the first stages of development but I appreciate any feedback.