Leaked documents on the dark web show Chainalysis uses a blockchain explorer to record IP addresses to aid law enforcement

A Chainalysis presentation leaked by DarkLeaks shows Chainalysis touting its use of an affiliated blockchain explorer as a means of collecting IP information to assist police investigations. DarkLeaks is a dark web site that can only be accessed through anonymous browsers such as Tor. CoinDesk has verified the authenticity of the document.

According to the leaked documents, Chainalysis, the largest blockchain tracking company, owns and operates walletexplorer.com. Like other block explorers, the service allows anyone to view the history of public cryptocurrency wallet addresses. Chainalysis believes that malicious attackers will use its site to check transactions without fear of "leaving a footprint" on cryptocurrency exchanges, the paper said.

The presentation, purportedly from Italian law enforcement, states that the company uses WalletExplorer.com to collect useful IP information about cryptocurrency users who visit the site.

"Using this dataset, we are able to provide law enforcement with meaningful clues to IP data related to relevant cryptocurrency addresses. It is also possible to perform reverse lookups on any known IP addresses to identify additional BTC addresses. It can also collect data from addresses that have not yet passed through the blockchain - i.e. BTC addresses provided as part of a kidnapping or life-threatening investigation - if the suspect checks their address."

The presentation carries no date, and there is no time frame for when the material was created. The initial leak involved a cache of files allegedly obtained from the dark web team of the Italian Financial Authority's Nucleo Speciale Frodi Tecnologiche.

The leaked material suggests that the presentation was an integral part of an investigation into the Berlusconi Market. Berlusconi Market is a dark web marketplace that Italian authorities took down in 2019.

Chainalysis cites a case from June 2020 in which walletexplorer.com intercepted the IP addresses of ransomware suspects - hours after they allegedly deposited funds through the over-the-counter (OTC) platform of cryptocurrency exchange FireCoin.

The documents also show that Chainalysis believed it could track transactions in Monero (XMR), considered by many to be the cryptocurrency with the strongest privacy defenses.

"In the cases that Chainalysis has worked with law enforcement on, we were able to provide usable leads in approximately 65 percent of the cases involving monero (monocurrency)," the paper said.

Chainalysis declined to comment or confirm its authenticity.

While Chainalysis does not advertise the connection, the site itself draws a link between its developer, Aleš Janda, and the analytics firm, which has long stirred controversy in some quarters of the crypto community. Janda joined Chainalysis in 2015 as a developer and researcher, according to LinkedIn, and a note posted at the bottom of WalletExplorer.com advertises the blockchain analytics service.

Snapshots archived by The Wayback Machine indicate that text referring to Chainalysis went live back in January 2016.

Janda's work with the company is also discussed on the explorer's info page: "The name database has not been updated since 2016 (except for some very rare cases), so it's been a long time now. The reason for this is that I created WalletExplorer and its database in my free time. Then I joined Chainalysis.com, which is basically this same product (but more advanced) and I get paid for discovering names. Although I am paid for this, I cannot disclose the names publicly. If you would like data with updated names, please ask Chainalysis."

However, the site's content makes no mention of its use as part of Chainalysis' services, let alone its supposed contribution to law enforcement investigations.

Chainalysis is the largest of the major blockchain analytics companies that government clients turn to for help tracking nodes. The U.S. Treasury Department's Office of Foreign Assets Control (OFAC) is one such partner: it applied for a license in early 2021 to use Chainalysis' "Rumker" technology to sanction cryptocurrency participants. The U.S. Treasury Department announced sanctions against a Russia-based cryptocurrency exchange, blacklisting the wallet address that Chainalysis helped identify.

The full leaked document is available at:


From: On DarkNet – Dark Web News and Analysis