How to Use Bitquery to Follow the Money in Tornado Cash

We've previously discussed the appeal of Tornado Cash, despite US sanctions. For newcomers, let's explore how it works using Alice as an example:

• Alice wants to transact anonymously. She's tried different methods without success. She discovers Tornado Cash for more privacy.
• Alice decides to anonymize her funds with Tornado Cash. She picks an anonymity set - a pool of funds with choices like 0.1 ETH, 1 ETH, 10 ETH, or 100 ETH. Imagine she opts for 1 ETH.
• She deposits 1 ETH into the mixing pool. Tornado uses an incremental Merkle Tree to hide the transaction's origin. A note is created representing her share in the pool.
• To withdraw, Alice uses the note (a ZK proof) as a secret "handshake" with the pool, proving her participation anonymously.
• Alice can use relayers to submit the note for her, adding another layer of anonymity.
• Once she proves her participation with the "handshake," the Tornado smart contract sends the funds to a new address.

In this blog, we will go one step further and learn how to track money that was deposited or withdrawn from tornado cash wallets.

Initial Deposit

To identify the initial deposit, you can start by looking for transactions where funds are sent to a Tornado Cash smart contract. This indicates the beginning of the mixing process. Additionally, you can check for distinctive deposit amounts that stand out. Even though Tornado Cash supports multiple denominations, specific amounts may repeat. For instance, if you notice multiple deposits in denominations of "10, 10, 10 and 1, 1, 1," the total deposit amount would be 33. For this blog, we retrieve all the latest deposits made to the ETH 10 Tornado Cash address.

Withdrawal Transactions

Monitor withdrawal transactions: Track transactions from Tornado Cash smart contracts to user addresses. Note the amounts and addresses involved.

Observe withdrawal patterns: Analyze withdrawal transactions for recurring patterns, such as specific amounts, withdrawal frequencies, or common destinations. If the amount is the same (or a little bit less due to relayer fees) it is possible these transactions are connected. If the deposit and withdrawal is around the same time and amounts match, these transactions could be connected.

So we will get all withdraw calls made to ETH 10 and ETH 0.1 contracts.

Timestamp Analysis

Analyze transaction timestamps: Consider the timing of transactions. Clusters of deposits or withdrawals around the same time may indicate related activities.

After getting the latest activity on Tornado Cash Wallets, at the time of writing, we observe the following:

• Daily Transaction Activity

Some days show higher transaction volumes, such as March 23 and March 27 with 8 transactions each, indicating potential clusters of activity.

Most days have fewer transactions, often just 1 or 2.

• Hourly Transaction Activity:

On March 23, there are multiple transactions throughout the day, particularly at 10:00 and 14:00, with 2 transactions each hour.

This kind of clustering at specific hours might be indicative of patterns or scheduled activities, especially on days with higher total volumes.

Relayer Transactions

Examine transactions involving relayers: Sometimes relayers are used, if that is the case, look for patterns in the relayer's interactions with Tornado Cash.

Check for Reused Addresses

Reusing addresses can compromise privacy or unintentionally reveal the user's identity. Analyze addresses that appear in multiple transactions to uncover possible connections. For instance, an address may participate in the transaction chain both before depositing into and after withdrawing from Tornado Cash.

Explore further details on reused addresses and their transaction histories here.

Example: Running the above query, we see that address 0x7d3bb46c78b0c4949639ce34896bfd875b97ad08 has been involved in numerous transactions, including airdrops, totaling 38,465 transactions.

Network Analysis

It's important to conduct network analysis when tracking money that was deposited or withdrawn from Tornado Cash wallets. By exploring transaction flows and connections between addresses, we can identify commonalities or clustering of addresses engaging with Tornado Cash.

Instead of analyzing one particular wallet and its transaction, we should look at all the addresses that interacted with Tornado Cash on the same network around the same time (or within a span of 2 weeks) and try to look at commonalities between input and output transactions to Tornado Cash. This can help us understand the flow of funds and potentially identify patterns or connections between different addresses.

Root Changes

Explore root history: Tornado Cash keeps a history of Merkle tree roots. Investigate changes in roots to understand the evolution of the Merkle tree.

Look for significant root changes: Identify transactions or events leading to substantial shifts in the Merkle tree roots.

1. Bitquery Explorer allows you to view the transaction history of Tornado Cash smart contracts. Locate the relevant smart contract address associated with the Tornado Cash instance of interest.
2. Look for events related to root changes: Tornado Cash emits events or logs when there are updates to the Merkle tree roots. These events are often named or labeled accordingly. Identify events that indicate changes in the Merkle tree structure.
3. Cross-reference root changes with deposit and withdrawal transactions: Look for correlations between root changes and user activities, such as deposits or withdrawals. Understanding how user interactions coincide with root updates provides context to the changes.
4. Correlate root changes with external events: Consider external factors or events in the blockchain ecosystem that might coincide with root updates. Changes in the broader Ethereum network could influence Tornado Cash dynamics.

--

About Bitquery

Bitquery is your comprehensive toolkit designed with developers in mind, simplifying blockchain data access. Our products offer practical advantages and flexibility.

• APIs - Explore API: Easily retrieve precise real-time and historical data for over 40 blockchains using GraphQL. Seamlessly integrate blockchain data into your applications, making data-driven decisions effortless.

• Coinpath® - Try Coinpath: Streamline compliance and crypto investigations by tracing money movements across 40+ blockchains. Gain insights for efficient decision-making.

• Data in Cloud - Try Demo Bucket: Access indexed blockchain data cost-effectively and at scale for your data pipeline. We currently support Ethereum, BSC, Solana, with more blockchains on the horizon, simplifying your data access.

• Explorer - Try Explorer: Discover an intuitive platform for exploring data from 40+ blockchains. Visualize data, generate queries, and integrate effortlessly into your applications.

Bitquery empowers developers with straightforward blockchain data tools. If you have questions or need assistance, connect with us on our Telegram channel or via email at sales@bitquery.io. Stay updated on the latest in cryptocurrency by subscribing to our newsletter below.