Monday 17th March, 2014
Essential reading:
Other posts covering similar topics:
Other interesting links:
Do the rich get richer? An empirical analysis of the Bitcoin transaction networkAn Analysis of Anonymity in the Bitcoin System
0. Introduction
A while back in posts 16.3 and 16.4 I pointed out some of the generation addresses from sources of unknown bitcoin network hashes. My aim was not to somehow "out" smaller solominers but to attempt to find out if some of the already known hash sources might be trying to hide some of the blocks they solve in an effort to appear less threatening to the network. If some large pool was to hide some of the blocks it solves, then some miners would be losing income, and the pool could approach 50% of the network without anyone knowing.
A pool that was hiding some of its solved blocks would appear to have slightly poor luck over a long period. It is not hard to detect poor luck over a long period, but you wouldn't be looking for it without a reason. And even if you did, all you could say was that public hashrate contributor 'X' had statistically unlikely luck.
I wanted an indicator that was a little more clear than that; and if there was no proof tying the new sources of hashes to a pool, then I hoped to have enough information to identify some of the new hash contributors (as I did for last week for KNC) or set some bounties (as I did in posts 16.3 and 16.4).
1. Graph theory
Every day all of us use graph theoretic methods to search (Google's PageRank) and we have a complex although intuitive understanding of our local social networks. However as an area of study this was new to me, and after a six weeks of reading and analysis I'm only really starting to understand some of the basic concepts.
Luckily, visualisations will be quite sufficient and I'll try to make sure you'll understand them, as long as you have a reasonable understanding of bitcoin transactions.
2. Recent generation transactions to unknown addresses
In the graphs that follow, both addresses and transactions are nodes (or vertices). The reasons for this:
- If I had allowed only transactions to be nodes, it would become much harder to look for patterns in addresses, which are the data of interest;
- If I had made all the addresses nodes and the transactions edges I wouldn't be able to graph transactions involving multiple addresses since the nodes would have to share edges.
To start with, I only used data one transaction past the generation transaction, so on the graph below:
Generation transaction -> Output address/es
green red
or
Input address/es -> Normal transaction -> Output address/es
red blue red
or
Generation transaction -> Output address/es -> Normal transaction -> Output address/es
green red blue red
However, since some subgroups link some output addresses together, related clusters can become quite large - although no address is more than one transaction away from a generation transaction.
The data used for the graph in the chart below are all the unknown generation addresses since the start of the year. It's quite clear that even in this short time frame there are clusters of addresses which are related.
3. Smaller clusters in detail
The clusters shown below are the smallest clusters apart from the basic
green red
pair. Note that the relative intensity of the edges indicate the amount transacted to or from an address (see the legend below). None of these is more than 40 btc, so these clusters are probably not the ones we want, but are a good starting place for wrapping your head around the graph representation of bitcoin transactions.
3.1: 3 nodes (two generation transactions and one address) and two edges
This first cluster consists of a pair of generation transactions and one address:
Generation transaction ->
Output address
Generation transaction ->
3.2: 4 nodes (one generation and one normal transaction and two addresses)
This cluster is a little more interesting:
Generation transaction -> Output address <- Normal transaction <--> Output address
Why the double headed arrow? At the normal transaction change is sent back to the first address.
Here are three 5 node clusters:
1)
Generation transaction ->
Output address -> Normal transaction -> Output address
Generation transaction ->
2) and 3)
-> Output address
Generation transaction -> Output address -> Normal transaction
Generation transaction -> Output address -> Normal transaction
-> Output address
Similar to the 4 node cluster:
<--> Normal transaction -> Output address
Generation transaction -> Output address
<--> Normal transaction -> Output address
3.5: 8 nodes
The address being used to receive the generated block reward has had some bitcoin sent to it as well:
<- Output address
<- Normal transaction
-> Output address
Generation transaction -> Output address
-> Output address
-> Normal transaction
-> Output address
3.6: 105 nodes
This is a much simpler cluster
than it appears - someone generates a block reward, and then someone
send this address and many others a 1000 satoshi transaction. The
originating address does not appear as it is more than two transactions
removed from the unknown generation transaction.
Generation transaction -> Generation transaction output address
Generation transaction output address
Normal transaction ->
Multiple other addresses
3.7: 14 and 36 node clusters
These
clusters are more interesting and show a significant amount of
throughput. The 36 node cluster especially seems to gather most of
the block rewards to only two addresses. Although these clusters go
no-where in the first two steps from the generation transaction, it is
possible that they might join up with another cluster after three or
four steps.
4. Four steps from generation
As much as I would have liked to, I couldn't just look for all the clusters within four steps of an unknown generation address - there are far too many transactions for that. In fact, I was only able to add the third and fourth steps for all the addresses in the 14 and 36 node groups before I started to run out of RAM, with only the last at most 50 transactions included for each address. Even so, the graph of the entire data showed some interesting new clusters, with already identified clusters increasing in size:
The mostly red cluster on the left is new, the "eyeball" cluster is almost unchanged, and the very green cluster above it has become even greener - more generation transactions. This last cluster seems the most interesting, however all three deserve a closer look:
In this group of graphs, as well as the intensity of the edge relating to the amount sent to or from an address, the size of the address node relates to the amount that has been gathered there - it's possible that some amount of bitcoin would need to be centralised, rather than paid out.
We can rule out the 904 node graph almost immediately - there are only a few generation transactions. The complexity of the graph is a bit of a red herring, although it's interesting to follow the network and try to figure out what's happening. Some subnetworks are sending out amounts to large numbers of addresses, some are receiving bitcoin from large amounts of addresses. If I thought this might lead somewhere, I'd be thinking perhaps a dice game.
The "eyeball" with 189 nodes is beautifully symmetrical - many generation transactions to one address, which is then redistributed to many addresses. I'm honestly not sure what to make of this. Some of the addresses get double payments, but many others do not. Perhaps a small private pool? Investors? Money laundering? However, it doesn't appear to be gathering bitcoin to a central point, and although it might indeed be doing that after a couple of more transactions, the 501 node cluster seems like it could be a much a more interesting investment of time.
The 501 node clusters shows all the signs for which one would look: lots of (green) generation transactions, and large amounts of bitcoin being sent and received to and from addresses, and accumulating at other addresses.
5. The 501 node cluster
You'll want to open the full size image in another tab before going any further. It is interesting to realise that all this could have been accomplished using statistical analysis of the data, for example using PageRank or the hub score.
The addresses of interest are, from the top of the graph below to the bottom:
1AygL4v1PLL88MJpogPPem1YTyEjzX2VHC
17i9xfybvQz8PDQaJUXehnRAr3WUrxPsCM
19BpoEyRUbm6HhZ7M6ZPbpAj85sYWPnDnT
1HTM4TYSXF5yZKLpco6MTUUNfSBCiiwGsU
1KUcpMMSzQARb4otj5NgAeSdV2ZQJg2Dce
1K7znxRfkS8R1hcmyMvHDum1hAQreS4VQ4
The cluster around 1AygL4v1PLL88MJpogPPem1YTyEjzX2VHC seem only loosely connected with the main cluster, sending a portion of its coins to 17i9xfybvQz8PDQaJUXehnRAr3WUrxPsCM, which sends some of it's coins, along with many sent to it from other sources and all the many surrounding generation transactions, to both 1HTM4TYSXF5yZKLpco6MTUUNfSBCiiwGsU and 19BpoEyRUbm6HhZ7M6ZPbpAj85sYWPnDnT. In fact, most of the incoming transactions are to both addresses, sending 85% to the former and 15% to the latter, as in this transaction.
1KUcpMMSzQARb4otj5NgAeSdV2ZQJg2Dce seems to be the joining point for the 1HTM4TYSX... cluster and the 1K7znxRfkS8R1hcmyMvHDum1hAQreS4VQ4 cluster. As the dark edges show there has been a lot of bitcoin flowing to 1KUcpMMSz..., and in this graph much of the coinage has accumulated there too.
6. An ego-centric graph of 1KUcpMMSzQARb4otj5NgAeSdV2ZQJg2Dce
From the last graph I thought that I'd found the cluster's accumulator at 1KUcpMMSz..., so I created an ego graph of the address. An ego graph starts at a point and then adds connection, in this case both inward and outward. The size of the address node now relates to the amount of bitcoin that has been sent rather than accumulated.
Since this is an ego graph of 1KUcpMMSz..., the total amount of coins accumulated by the address can be calculated ... which is zero. All coins sent to the address are then sent elsewhere.
New interesting addresses, from top to bottom:
1CjPR7Z5ZSyWk6WtXvSFgkptmpoi4UM9BC
113UgfgpX1mBGm1Auak1zxmWXtRTZyuQCJ
13sS5HN1Uw492UCeKRnQEv93GC4EiHHupy
1CjPR7Z5ZSyWk6WtXvSFgkptmpoi4UM9BC is GHash.IO's generation address, 113UgfgpX1mBGm1Auak1zxmWXtRTZyuQCJ has received some payments from BTCGuild and 13sS5HN1Uw492UCeKRnQEv93GC4EiHHupy has been received payments from 1LyZ2QJDJDJ7Mf8caQb2uRLgBVqBF9GvH4, the 500TH mine collection address.
All this tell me is that 1KUcpMMSz... is probably not the direct owner of any new hashrate, but perhaps an investor in a number of different generators, either directly (owning some ASICs and running them at various pools) or indirectly (owning shares in a hosting farm or CEX stock). The sent taint of 1HTM4TYSX.... and 1K7znxRfkS... by 1KUcpMMSz... is very high though - most of the transactions from former two addresses go there.
7. Conclusion?
So far, the addresses I think worth following are, in order of importance:
1HTM4TYSXF5yZKLpco6MTUUNfSBCiiwGsU
1K7znxRfkS8R1hcmyMvHDum1hAQreS4VQ4
17i9xfybvQz8PDQaJUXehnRAr3WUrxPsCM
1AygL4v1PLL88MJpogPPem1YTyEjzX2VHC
I don't necessarily think they are together part of an organisation, but any or all of them might be relatable to a better known address. To do this you'd need to create ego graphs for each one, probably a couple of transactions deep, which I don't have time for at the moment.
I do think the connection between 1HTM4TYSX..., 1K7znxRfkS... and 1KUcpMMSz... is quite interesting. Even though both BTCGuild and GHash.IO send a fair amount of coin to 1KUcpMMSz..., the sent taint is low, much lower than for 1HTM4TYSX... and 1K7znxRfkS....
So the next step is to investigate these two addresses with ego graphs and see where they lead. I'll let you have a look first and if, before 24th March 2014, you can prove to my satisfaction that either or both of 1HTM4TYSX... and 1K7znxRfkS... are owned by some bitcoin related company, I'll reward you 0.1 BTC for one addresses or 0.2 BTC for both.
organofcorti.blogspot.com is a reader supported blog:
1QC2KE4GZ4SZ8AnpwVT483D2E97SLHTGCG
Thank you blockchain.info for the use of your data.
Find a typo or spelling error? Email me with the details at organofcorti@organofcorti.org and if you're the first to email me I'll pay you 0.008 btc per ten errors.
Please refer to the most recent blog post for current rates or rule changes.
I'm terrible at proofreading, so some of these posts may be worth quite a bit to the keen reader.
Exceptions:
- Errors in text repeated across multiple posts: I will only pay for the most recent errors rather every single occurrence.
- Errors in chart texts: Since I can't fix the chart texts (since I don't keep the data that generated them) I can't pay for them. Still, they would be nice to know about!
wouldnt it be interesting who is https://blockchain.info/taint/1KUcpMMSzQARb4otj5NgAeSdV2ZQJg2Dce ?
ReplyDeleteas alot addresses mentioned here are sending BTC to it,including 1K7znxRfkS8R1hcmyMvHDum1hAQreS4VQ4 (wich i belive is mining address on BTCGuild for the 500 Ths Project) 1HTM4TYSXF5yZKLpco6MTUUNfSBCiiwGsU
13sS5HN1Uw492UCeKRnQEv93GC4EiHHupy 1LyZ2QJDJDJ7Mf8caQb2uRLgBVqBF9GvH4 and so on.what is interesting i found 1KUcpMMSzQA in google cache from github: http://webcache.googleusercontent.com/search?q=cache:4VtzN3DR4pcJ:https://github.com/HelloBlock/node_bitcoin_api/blob/master/test/audit/samples/addresses.mainnet+&cd=20&hl=de&ct=clnk&gl=de&client=firefox-a and on Picostocks https://picostocks.com/users/view/1635 .but im not getting behind it
I'm certain 1KUcp... belongs to Megabigpower.com. It has been associated with mbp when they were signing blocks. 1KUcp has an association with the 500Thps miner (as you noticed) as does mpw, who runs their machines for them. Also, mbp has hashers on btcguild and ghash.io - and 1KUcp.... also has this relationship.
DeleteWhat do you think the mention in that cached search means?
that is a good question,also why would someone delete stuff he did put on github,as the whole repo is gone.
Deletehelloblock seems to be a new block explorer
http://helloblock.io/
the guys running it https://github.com/BitcoinMafia
also have a googlegroup https://groups.google.com/forum/#!forum/bitcoinhackers
so it could be a totally coincidence that 1KUcp.. is in that file,maybe got in there while they were testing this node_bitcoin_api thingy.but still very wierd.
i´ll have an eye on ur blog in case there are more addresses to look up,maybe next time im in time for a bounty :P