According to the Chainalysis Crypto Crime Report 2022, cryptocurrency-based crime hit a new all-time high in 2021, with illicit addresses receiving $14 billion over the course of the year. However, illicit activity's share of cryptocurrency transaction volume has never been lower.
The report offers an incredible perspective into the world of cryptocurrency and related criminal activity. Even though blockchain transaction data is publicly available, it is no easy feat to cluster that data and derive meaningful insights from it. Of course, there are plenty who deride Chainalysis, and others in the space like CipherTrace and Elliptic, for conducting surveillance on behalf of governments and law enforcement agencies, but these companies are unfortunately a necessary evil to thwart platform abuse for nefarious purposes.
That said, wouldn't it be fun if you could analyse your own blockchain transactions? Or those of crypto whales? Or scams that you've read about on Twitter? Blockchain forensics services from the firms above are either unavailable to or unaffordable for individuals, who are left to search for alternatives. However, thanks to the folks at Maltego and Tatum, we can get a taste of blockchain forensics too. Mind you, it's just a taste, don't expect a buffet ;) Let's dive in.
What is Maltego? What are Transforms?
Maltego, at its heart, is a graphical link analysis tool. What makes it special is the variety of use cases it can be applied to. With real-time data gathering and node-based graph representation capabilities, Maltego is very handy for security professionals, forensic investigators, journalists, researchers and just curious folks in general. It integrates with a huge variety of data sources, and consequently is a very popular tool in everyone's OSINT (open-source intelligence) toolkit. Here is an example of how it integrates with an investigative workflow.
Maltego offers modular building blocks called transforms, which allow you to pivot between nodes as you see patterns emerge in the graphical analysis. One such set of transforms is the Tatum Blockchain Explorer, which helps investigators explore and gain rich insights across five blockchains - Bitcoin, Ethereum, Litecoin, Bitcoin Cash and Dogecoin. A free tier is available for Maltego users with up to 2000 transform runs/month. This is more than enough for us to play with.
Create an Ubuntu Droplet on DigitalOcean
I'm going to use DigitalOcean for this post - if you don't have an account, sign up here. If you sign up using my link, you’ll receive a $100, 60-day credit as soon as you add a valid payment method to your account.
Assuming you are familiar with droplet creation in DigitalOcean, I won't go into step-by-step detail. Basically, you need to choose a plan (4GB RAM / 2 CPU), an image (Ubuntu 20.04), the data center region, an authentication option (password for now, but SSH in a real environment) and the hostname.
Next, install an Xfce desktop environment and Xrdp remote desktop application - you can follow this step-by-step tutorial. Alternatively, you can skip the cloud instance completely and deploy Maltego on your local machine.
Download and Configure Maltego CE
Maltego was born in the thick-client era and has several client requirements for you to consider, the most notable of which is Java. Suffice it to say that it didn't tickle my fancy, so I decided to go with a cloud instance instead of my laptop.
# Check if the Java Runtime Environment (JRE) is installed
java -version
# If JRE is not present, install it now
apt install default-jre
Use the built-in web browser to download the latest .deb file for Linux from the Maltego Downloads page.
# Assuming you downloaded the .deb file to /root/Downloads, change directory and install the package
cd /root/Downloads
dpkg -i <maltego.vX.X.X>.deb
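The two snippets above are the bare commands; as an added example (not from the original post, and not Maltego's own installer), here is a repeatable version of the same procedure with the checks a practitioner would want before installing a third-party package as root: it only installs the JRE when none is present, picks the highest-versioned Maltego .deb by version sort rather than by hand, refuses to install if the file's SHA-256 does not match the value you paste from the download page (EXPECTED_SHA256 is a placeholder; leave it empty to skip the check), and resolves any dependencies dpkg reports missing. It assumes Ubuntu 20.04, a root shell, and the .deb saved under /root/Downloads as in the post.

```shell
#!/bin/sh
# Added example, not part of the original post: a checked, rerunnable version of
# "install the JRE, then dpkg -i the Maltego .deb".
# Assumptions: Ubuntu 20.04, running as root, .deb saved under /root/Downloads,
# EXPECTED_SHA256 pasted from the vendor's download page (placeholder, may be empty).
set -eu

DOWNLOAD_DIR="${DOWNLOAD_DIR:-/root/Downloads}"
EXPECTED_SHA256="${EXPECTED_SHA256:-}"   # empty = skip the checksum comparison

# 0 if a java binary is on PATH, 1 otherwise (replaces the bare `java -version` check).
have_java() {
    command -v java >/dev/null 2>&1
}

# Install default-jre only when no runtime is present, so reruns are harmless.
ensure_jre() {
    if have_java; then
        echo "JRE present: $(java -version 2>&1 | head -n 1)"
    else
        apt-get update
        DEBIAN_FRONTEND=noninteractive apt-get install -y default-jre
    fi
}

# Print the full path of the highest-versioned Maltego .deb in directory $1.
# sort -V orders v4.10.0 after v4.9.0, which a plain lexical sort gets wrong.
# Returns 1 (prints nothing) when no matching package is there.
latest_maltego_deb() {
    dir="$1"
    deb=$(ls "$dir"/*.deb 2>/dev/null | grep -i '/maltego[^/]*\.deb$' | sort -V | tail -n 1)
    [ -n "$deb" ] || return 1
    printf '%s\n' "$deb"
}

# Compare the SHA-256 of file $1 with $2; an empty $2 skips the check (returns 0).
checksum_ok() {
    file="$1"; expected="$2"
    [ -n "$expected" ] || return 0
    actual=$(sha256sum "$file" | awk '{print $1}')
    [ "$actual" = "$expected" ]
}

install_maltego() {
    deb=$(latest_maltego_deb "$DOWNLOAD_DIR") || {
        echo "no Maltego .deb found in $DOWNLOAD_DIR" >&2; return 1; }
    checksum_ok "$deb" "$EXPECTED_SHA256" || {
        echo "SHA-256 mismatch for $deb, refusing to install" >&2; return 1; }
    # dpkg -i does not resolve dependencies; apt-get -f install pulls in what it reports missing.
    dpkg -i "$deb" || apt-get install -f -y
    echo "installed $deb"
}

# Run the whole procedure only when invoked as: sh install-maltego.sh install
if [ "${1:-}" = "install" ]; then
    ensure_jre
    install_maltego
fi
```

Run it as `sh install-maltego.sh install`; without the argument the file only defines the functions, which is also what lets you source it and call, say, `latest_maltego_deb /root/Downloads` on its own.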
Once installed, navigate to Application Finder and select Maltego. When launching Maltego for the first time, you'll get a pop-up to choose the edition. The paid versions obviously have more features, but the Community Edition (CE) is sufficient for our present use case, so select the Maltego CE (Free) option. On the next page, you'll be asked for Maltego login credentials. To use Maltego CE, you need to first create an account with them, so click on register here and sign up. Read my post on email aliases if you are concerned about privacy.
Once your email has been verified, log in and complete the rest of the steps in this wizard. The default options should be just fine, bringing you to an open canvas.
Install Tatum Transforms for Maltego
Click on the Transforms tab to bring up the Maltego Transform Hub, and filter by the Blockchain data category and Free pricing to narrow down the list of available transforms.
We are interested in Tatum Blockchain Explorer, so click Install and confirm your action. The installation will complete shortly, with the new transforms available in the
Let's come back to the blank graph. On the left side, you'll see the Entity Palette. Scroll down until you see the Cryptocurrency category, select the Ethereum Address entity and drag it onto the graph.
If you right-click on this entity, you'll see a few Tatum transforms available. The simplest one is To Details, which can annotate an address, a block or a transaction. The more interesting ones are To Input/Output Addresses and To Input/Output Transactions. These allow you to reconstruct and visualize the chain of activity around the selected Ethereum address. Each new entity found is one you can inspect further. You can also get creative with the different views and layout options available. See here for additional ideas.
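To make concrete what those pivots compute, here is an added example (not part of the original post, and not Tatum's or Maltego's code) that runs the same three pivots over a tiny constructed ledger: senders into an address, recipients from it, every transaction touching it, plus a bounded multi-hop walk that mimics right-clicking each new entity in turn. The ledger and the addresses in it are made-up placeholders, not real chain data, and the cap argument reproduces the 12-result limit so you can see how many counterparties a capped pivot would hide.

```shell
#!/bin/sh
# Added example, not from the original post: what the "To Input/Output Addresses" and
# "To Input/Output Transactions" pivots compute, over a constructed CSV ledger
# (tx_hash,from,to,value_eth). All addresses here are placeholders, not real accounts.
set -eu

# Constructed sample ledger.
LEDGER='0xt1,0xalice,0xseed,1.0
0xt2,0xbob,0xseed,0.5
0xt3,0xseed,0xcarol,0.2
0xt4,0xseed,0xrelay,1.1
0xt5,0xrelay,0xdave,1.0
0xt6,0xbob,0xseed,0.1'

# Emulate the CE result cap described in the post: keep only the first $1 lines.
cap() {
    head -n "$1"
}

# "To Input Addresses": unique senders into address $1, capped at $2 (default 12).
input_addresses() {
    printf '%s\n' "$LEDGER" | awk -F, -v a="$1" '$3 == a { print $2 }' | sort -u | cap "${2:-12}"
}

# "To Output Addresses": unique recipients from address $1, capped at $2 (default 12).
output_addresses() {
    printf '%s\n' "$LEDGER" | awk -F, -v a="$1" '$2 == a { print $3 }' | sort -u | cap "${2:-12}"
}

# "To Input/Output Transactions": every tx hash that touches address $1, capped at $2.
transactions_for() {
    printf '%s\n' "$LEDGER" | awk -F, -v a="$1" '$2 == a || $3 == a { print $1 }' | cap "${2:-12}"
}

# How many distinct senders into $1 a cap of $2 would hide: the CE limitation to keep
# in mind when one address has more counterparties than the cap shows.
hidden_by_cap() {
    lim="$2"
    total=$(printf '%s\n' "$LEDGER" | awk -F, -v a="$1" '$3 == a { print $2 }' | sort -u | wc -l)
    echo $(( total > lim ? total - lim : 0 ))
}

# Follow outgoing transfers $2 hops deep from $1, i.e. the manual "pivot on each new
# entity" loop from the post. The hop bound terminates the walk; no per-hop cap.
downstream() {
    [ "$2" -gt 0 ] || return 0
    output_addresses "$1" 1000 | while read -r next; do
        printf '%s\n' "$next"
        downstream "$next" $(( $2 - 1 ))
    done
}

# Usage when run directly: sh pivot.sh 0xseed
if [ -n "${1:-}" ]; then
    echo "inputs:";  input_addresses "$1"
    echo "outputs:"; output_addresses "$1"
    echo "txs:";     transactions_for "$1"
    echo "2 hops downstream:"; downstream "$1" 2 | sort -u
fi
```

Running `sh pivot.sh 0xseed` lists 0xalice and 0xbob as inputs (0xbob once, despite two transfers), 0xcarol and 0xrelay as outputs, five transactions, and 0xdave two hops out; `input_addresses 0xseed 1` shows what the cap does to the same query.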
Once you play around with Maltego, you'll realise how powerful and flexible the concept of a transform truly is. And this extends to non-cryptocurrency transforms too. Unfortunately, you will also realise a few shortcomings. First, Maltego is based on ancient technologies like Java, so you don't get to enjoy the fluid React-app-like experience we are now used to. Second, Maltego CE only allows for 12 results at a time. While it may be OK for a fun exploration, it is obviously not good enough for a serious forensic investigation. If that's a concern, you may have to shell out for the paid version of Maltego, or subscribe to one of the aforementioned blockchain forensics services. Either way, I hope this was a fun use of your time.