If i send someone btc, can they see what kind of wallet i use?

[Darkelf11]

Looking at the raw transaction, no. You'd have to probably do an indepth analysis of the spending behaviour. There could be some behaviours that could give clues to what kind of wallet it is. It's by no means accurate though. For example, a transaction without opt-in RBF and with a legacy address could be a Blockchain.com wallet but it could also be someone intentionally disabling opt-in RBF or just spending from an old Bitcoin Core client.

You can also spend Segwit inputs together with P2SH(3...) or P2PKH(1...) inputs on most wallets so a transaction won't be indicative of what kind of wallet it is primarily.

If that is the case, how does anyone able to tell where some of the stolen bitcoin were sent? For example, there are some hacking incidents to an exchange platform, then investigators was able to tell that some of the stolen funds were sent to binance, and some some was sent to coinbase. How's that? How did they knew it was sent to those trading platforms? AFAIK they can also be considered as bitcoin wallets.

[1715484701]

1715484701

[1715484701]

1715484701

[1715484701]

1715484701

[ranochigo]

If that is the case, how does anyone able to tell where some of the stolen bitcoin where sent? For example, there are some hacking incidents to a exchange platform, then investigators was able to tell that some of the stolen funds were sent to binance, and some some was sent to coinbase. How's that? AFAIK they can also be considered as bitcoin wallets.

Custodial wallets are completely different from the wallets that OP mentioned. Those wallets usually have definitive behaviors, like spending to a central wallets and for which Binance posts theirs publicly but it wouldn't be hard to determine which are the common addresses belonging to the various exchanges. As said in my reply, if you want to determine those kinds of transactions, you'll be looking at the spending habits, periodic spending to specific addresses, batched transactions to known addresses, etc.

If you're using a custodial "wallet", then this shouldn't be a topic at all.

[Darkelf11]

...

Custodial wallets are completely different from the wallets that OP mentioned. Those wallets usually have definitive behaviors, like spending to a central wallets and for which Binance posts theirs publicly but it wouldn't be hard to determine which are the common addresses belonging to the various exchanges. As said in my reply, if you want to determine those kinds of transactions, you'll be looking at the spending habits, periodic spending to specific addresses, batched transactions to known addresses, etc.

If you're using a custodial "wallet", then this shouldn't be a topic at all.

I'm using non-custodial one. I just wonder how those people able trackdown where does those stolen funds was sent. So if the hacker who stole the funds sent it to a secured wallet, like trezor, would those people who investigates the incident still be able to know that it was sent to a trezor wallet? As I understood, they won't, since it isn't centralized. Thanks for the inputs.

[ranochigo]

I'm using not custodial one, I just wonder how those people able trackdown where does those stolen funds was sent. So if the hacker who stole the funds sent it to a secured wallet, like trezor, would those people who investigates the incident still be able to know that it was sent to a trezor wallet? As I understood, they won't, since it isn't centralized. Thanks for the inputs.

Depends. If you use Trezor with a wallet like Electrum, the server will be able to see the addresses associated with the origin IP. It could be requested through a VPN, Tor or proxy. If you were to see it through the transactions associated with the addresses alone, you probably won't know. Unlike custodial wallets, they tend to not have any obvious heuristics that would leave any clues.

[o_e_l_e_o]

So if the hacker who stole the funds sent it to a secured wallet, like trezor, would those people who investigates the incident still be able to know that it was sent to a trezor wallet?

Not just by looking at blockchain records, no.

When investigators say that coins ended up on Binance, for example, this conclusion is usually done by tracking coin movements as opposed to looking at transaction properties and heuristics. For example, if we see some stolen bitcoin move from one address to another address in a 1-input-2-output transaction, and then we see it move from that second address in a transaction with 100 inputs all from different addresses in to a single address, then we can reasonably assume that the first transaction was the bitcoin being deposited to a centralized service, and the second transaction was that centralized service sweeping a bunch of deposits from different customers in to their own main wallet. If we can identify that main wallet address, (for example, since you mentioned Binance, we know one of Binance's main wallet addresses is 34xp4vRoCGJym3xR7yCVPFHoCNxv4Twseo), then we can identify which exchange or service it was that those coins were deposited to.

If on the other hand, we see the stolen coins move to a new address and just sit there indefinitely, then we can assume that the attacker has simply moved them to another wallet to hold for a period of time, but we cannot say what kind of wallet that is just by looking at the blockchain.

[Pmalek]

Depending on the service the sender used, you can often (but not always) tell if someone has sent from an exchange or other custodial-type service... as your transaction will be "batched" up and included in a "Pay2Many" type transaction (ie. 1 or 2 very large value inputs and then 10s/100s of smaller outputs). However, even a scenario like this is not "100% guaranteed", as software like Electrum and even Bitcoin Core allow users to send "Pay2Many" transactions... and some online services don't batch transactions.

Signature payments are batched in that way and campaign managers use the Pay2Many feature to pay all the participants at once. If the address the funds are sent from contains a lot of bitcoin originally, you would get exactly those results you explained. 1 larger input and x number of smaller outputs with same or similar amounts, depending on the payment structure of the campaign.   

[o_e_l_e_o]

The difference with signature campaign payments is that they pay (mostly) the same addresses on a weekly basis, and that each output is exactly the same size (if fixed payment per week) or below a fixed cap (if paid per post). Conversely, batched exchange withdrawals pay different addresses each time at different times each week, and outputs will range from anything between a few tens of thousands of sats up to several bitcoin. It is generally fairly easy to differentiate the two.

[PhoenixZephyrus]

Where did is say that?
I gave you an theoretical example where any 3rd person can do that?

And if you are using a VPN, yes.. obviously the VPN provider knows everything about you (and they do make money off your data).

Not always true about VPNs though. Some VPNs have a no-log policy, and many of them have been shown to actually maintain it and this has also been tested in court multiple times. These are the VPNs that do not store your data, so neither do they make money off of your data, nor can they provide info to law enforcement even if their hand is forced, as they simply cannot. How do they earn money? By taking a monthly fee from you and making sure that they are true to their word so they do not lose customers. One example for this has been PIA (their claims have held up in court pretty well), but idk if that will be the case anymore since Kape Technologies has bought them out.

Source: PIA No-log claims held up in court

My point is, not every VPN sells your data off to make money, its mostly the ones that aren't vetted and generally have poor privacy practices. The free ones all DO sell your data, thats how they are free and they shouldn't be used anyways if privacy is your concern.

[o_e_l_e_o]

You don't know for sure that the VPN provider isn't logging your data, though. Yes, some of them have no log policies, and yes, some of the good ones have either been tested in court or undergone independent audits and have proven that they do not keep logs. However, that only definitively proves they were not keeping logs at that time. Saying that they are not keeping logs now is an extrapolation from that data and is not verifiable.

The point about PIA is an important one. They have previously been tested in court, but since then have been bought out by a very unethical company with very dubious business practices, and so I would not trust that they are still not keeping logs of some form, despite what they may tell you.

Yes, there are good VPNs out there which do not log traffic, but since your data passes through their servers unencrypted, then you can never be 100% sure you are not being logged, either by the VPN provider themselves or a malicious third party exploiting some vulnerability.