Detecting Suspicious Activity on the Bitcoin Blockchain

It is a globally accepted belief that financial crimes such as money laundering, fraud and the financing of terrorism are societal evils warranting enormous preventative and investigative efforts.  Such a belief has been translated into a corpus of guidelines, principles, statutes and implementing regulations around most of planet Earth known as anti-money laundering (AML) and countering the financing of terrorism (CFT) or AML/CFT.

Generally speaking, AML/CFT regulations are intended to deter criminal activity before it happens, and to detect it when it has happened.  Because doing this on their own would be an impossibly gargantuan task, governments issue regulations whereby they deputize financial intermediaries as crime fighters on behalf of the public.  Each and every financial service provider categorized by law as an “obligated subject” is thus mandated to implement processes, procedures and controls aimed primarily at warding off criminals and, if they manage to penetrate the financial institution, identify them, report them, and ideally stop them in their tracks.

The primary crime deterrent is the obligation to identify customers and beneficial owners, a process known as customer due diligence (CDD) or Know Your Customer (KYC).  The hypothesis goes: by forcing asset owners and all participants in a transaction to disclose their identity, bad actors will refrain from even attempting to penetrate the system.  Another important set of obligations are the detection, investigation and reporting of suspicious activity.  Financial institutions then need to develop expertise in and deploy processes and technologies to be able to fulfill these obligations.

“KYT,” the new acronym in the AML toolkit

In the pre-blockchain era, regulated financial institutions could only perform intra-company transactional analyses, and had to share information via analog or documentary methods. The open nature of public blockchain-based ledgers such as Bitcoin’s has enabled enhanced transactional analyses that transcend organizations, industries and jurisdictional borders.  For the first time, it is now possible to analyze transactions and flows of funds in an unprecedented way, adding another acronym and set of procedures to the AML/CFT toolkit, namely, KYT (Know Your Transaction) or KYFF (Know Your Funds Flow).

At a high level, two approaches to detecting suspicious activity are possible: deanonymization and anomaly detection.  The former consists of linking identity-less addresses and transactions on the blockchain to real-world bad actors.  This is done by means of crawling or scraping the web for identifiers and then building lookup tables.  The latter consists of identifying patterns of activity associated with known suspicious cases, what is known as supervised learning, or simply providing statistics about the activity and measuring deviations from a threshold, what is known as unsupervised learning.  Some of these techniques are already widely used in traditional financial services, especially those that focus on volume, frequency and velocity.  Not all anomalies are indicative of illicit activity, however.  The goal is to detect transactions that are both anomalous and suspicious, and therefore reportable.

Identifying and understanding past suspicious activity, however, is not enough.  The holy grail of analytics is being able to predict and anticipate future behaviors.  Thanks to recent advances in artificial intelligence (AI) at scale in many fields, from fraud in financial services to cybersecurity and astrophysics, the ability to discover and predict novel, anomalous and suspicious events and behaviors has become increasingly possible and accurate.  These AI techniques include traditional approaches such as one-class SVM, Mahalanobis distance, K-means clustering, and newer ones such as deep learning and graph-based pattern recognition.

A glimpse into the future

Data scientists at Skry use proprietary techniques to map the Bitcoin transaction graph (the entire blockchain transaction history), and to extract, transform, scale, normalize and select specific features to build predictive models.  The result of this enormously complex process is a predictive risk score that lies at the heart of Spectrum, our first technology solution created to address the transaction monitoring challenges facing financial institutions operating with Bitcoin.

Scores are both an art and a science that require constant refining (i.e., “learning”), and they are important because they are shortcuts for decision-making: with them analysts are able to quickly assess transactions at the customer onboarding stage, and establish the legitimacy of the source of incoming funds.  As non-trivial and useful as scoring is, it is far from being the only feature in a good financial risk management product.

It is widely known that Bitcoin’s blockchain is missing two sets of data that are expected, and even required, for financial institutions and law enforcement to assess risk and fulfill their investigative and reporting duties: the identity and geography of the transaction participants.  The open nature of public ledgers justifies the exclusion of such confidential data.  This, however, does not relieve organizations from the obligation to obtain identity and location data from other sources.

Here’s the challenge: financial crime detection requires systems that are able to ingest and fuse multiple varieties of data from a multitude of sources, both public and private.  All in a privacy-preserving way.  In a future in which legacy data stores will coexist with public, private and hybrid blockchains, the optimal solutions will be those that are able to build and optimize algorithms for detection and prediction of financial crime by combining data from any source and delivering actionable insights at the right time and in the right manner.

Special thanks to Masoud Nikravesh for help with this article.