Peter Andrei Bunao's Blog
Blockchain Forensics: Mass Acquisition of Crypto Wallet Balances

Blockchain Forensics: Mass Acquisition of Crypto Wallet Balances

Peter Andrei Bunao's photo
Peter Andrei Bunao
·

3 min read

Table of contents

Introduction

When I was an intern at Ernst & Young (EY) as a Digital Forensic Investigator, I had no idea that I would encounter blockchain forensics. EY Singapore had its first crypto case and the client gave us more than 100,000 crypto wallet addresses to check for its balances for validation. There wasn't anyone who was that familiar with blockchain but I kinda do hence I volunteered to take on the task as I wanted to contribute to our team.

There were no straightforward guides on the internet at the time and I searched for hours. I have managed to find a forum that talked about a blockchain snapshot of Bitcoin which contains all the Bitcoin wallet addresses that have balances. I thought to myself "Oh I could just use the TSV file and compare it to the addresses given to us by the client".

This is my first blog and I hope that this can help you out.

To get started

  • Text file containing the Crypto Addresses

  • Linux OS

  • Bash/Python scripting

Step 1: Booting Kali Linux

Feel free to use other Linux OS (Ubuntu, Mint, Arch, etc). Create a folder called "Balances".

Kali Linux Command In Terminal 2022 - Amolblog

Step 2: Accessing the TSV file

Proceed to this link http://addresses.loyce.club/. Click on the second tab "All Addresses With Balances". On the left side right-click the "LATEST" button and copy the link address or the example below.

Alternatively, you can use the Blockchair TSV dump through this link https://gz.blockchair.com/bitcoin/addresses/. However, the download speed of Blockchair is 10 kB/s.

Link Example: addresses.loyce.club/blockchair_bitcoin_add..

Step 3: Storing the Wallet Addresses into a text file

These are some Bitcoin Addresses that you can use to test for acquiring the balances. Store it into a text file and you can name it as btcmylist.txt.

16ftSEQ4ctQFDtVZiUBusQUjRrGhM3JYwe
3D2oetdNuZUqQHPJmcMDDHYoqkyNVsFk9r
16rCmCmbuWDhPjWTrpQGaU3EPdZF7MTdUk
3Cbq7aT1tY8kMxWLbitaG7yT6bPbKChq64
3Nxwenay9Z8Lc9JBiywExpnEFiLp6Afp8v
183hmJGRuTEi2YDCWy5iozY8rZtFwVgahM
1FeexV6bAHb8ybZjqQMjJrcCrHGW9sb6uF
18rnfoQgGo1HqvVQaAN4QnxjYE7Sez9eca
1HQ3Go3ggs8pFnXuHVHRytPCq5fGG8Hbhx
1PnMfRF2enSZnR6JSexxBHuQnxG8Vo5FVK

Step 4: Running the Linux Command + Python code

Copy the command below and paste it into your terminal. Change the date accordingly "December_03_2022" to the current date.

wget http://addresses.loyce.club/blockchair_bitcoin_addresses_and_balance_December_03_2022.tsv.gz -O - | gunzip -c > December_03_2022_btcbalance.txt && join <(sort December_03_2022_btcbalance.txt) <(sort "/Desktop/Balances/btcmylist.txt) > December_03_2022_checkedbalance.txt

View the output in the terminal using the command below.

cat December_03_2022_checkedbalance.txt

As you can see the balances are not in Bitcoin format rather they are in Satoshis. To convert the Satoshis to Bitcoin, you have to divide it by 100,000,000.

To make things easier I created a Python script which does that for you :) and store it in a CSV file. Though, you have to alter the code by changing the directory '/Desktop/Balances/' to your directory.

import os
import datetime
import pandas as pd

date = datetime.datetime.now()
today = date.strftime("%B_%d_%Y") 
print(today)
os.chdir('/Desktop/Balances/'+(today)) ### Change this

df = pd.read_csv((today)+"_checkedbalance.txt", delim_whitespace=True)
df.columns = ['Address', today]

Wallet_Balance=(df.loc[:,today])

Balance_storage=[]
for balance in Wallet_Balance:
    new_balance = int(balance)/100000000
    Balance_storage.append(new_balance)

df.loc[:,today] = Balance_storage
df.to_csv((today)+"_checkedBTCbalance.csv", index=None)

Run the Python script and you shall see the output file by typing 'ls'. Voila!

This is how the final output looks like which is in CSV format.

Step 5: Crosschecking the Balances

Go to https://blockchair.com/. I will take the first crypto wallet address to crosscheck on the website. As you can see the balance in the CSV file tallies with the one on the website.

Conclusion

Pretty easy right? It took me around 5 minutes to acquire the balances! Oh by the way, if you would like to check the balances of Ethereum you can use this link https://gz.blockchair.com/ethereum/addresses/ and replicate the steps above with a little tweaking to the name and the conversion of Wei to Eth in the Python code. This guide is meant for people who might be stuck in the future figuring out how to acquire the balances of such a scale. Thank you!

BlockchainWeb3#cybersecurityLinuxPython