Our AI Detects Your AI — Revealing the Secret Blockchain DApp World of Bots (Part 1 — EOS)

AnChain.AI
May 30, 2019 · 13 min read
Image for post
Image for post

Key discovery: AnChain.AI discovered that in Q1 2019 blockchain bots contributed to 51% of unique accounts and 75% of transactions. In other words, every day the equivalent of $6 million USD in transaction volume is driven by bots.

Abstract

Similar to how the Internet at large is suffering from content scraping bots, crypto businesses are inundated with a wide variety of bots which make it difficult to distinguish true business metrics from manipulated ones.

In this analysis, we focus on analyzing the variety of bots that are currently active within the blockchain DApp world. By analyzing the Top 10 EOS blockchain gambling DApp transactions in Q1 2019, we are able to determine that blockchain bots contribute to 51% of unique accounts and 75% of transactions, equivalent to roughly $6 million USD in daily transaction volume!

This report showcases the various blockchain bot behaviors, the challenges associated with detecting them, how our team at AnChain.AI has built a highly accurate deep learning model to detect them at scale, and what we can do about the issue of blockchain bots as an industry.

Key Insights

Image for post
Image for post
Figure 1: Model Prediction Results For Bot Prevalence in Top 10 EOS DApps — Unique Accounts (left), Transaction Volume (right)
Image for post
Image for post
Figure 2: Bot vs. Human Accounts (left) and Transaction Activity (right)
  1. In terms of unique accounts, the most active DApp (DApp-1) has only a small percentage of bot activity.
  2. The remaining Top 10 DApps (DApps-2–10) all have substantial bot activity.
  3. With 4500+ unique accounts, DApp-2 attracted the most bots (~1900) while its organic human generated traffic is lower than that of DApp-1. This dynamic hints at the competitive nature of the DApp world, in which the runner-ups are leveraging bots in order to augment overall ecosystem usage metrics.
  4. Without the use of our sophisticated prediction models, DApp leaderboard websites, ratings agencies, investors, developers, and enthusiasts alike will be fooled into believing DApp-2’s significant 200K+ transactions (roughly 4x that of DApp-1 transactions) signals more popularity, value, and usage. Meanwhile the reality is that DApp-1 has the most authentic human accounts and it did not employ a bot army to augment its numbers.

Why does blockchain bot detection matter ?

Bot activity calls into question the integrity of such metrics and makes the industry much more difficult to understand, regulate, operate, and secure.

In order to truly understand the health of the blockchain industry and the various crypto-assets within, it is crucial to understand how much of the activity taking place within the marketplace is authentic, and how much of it is being driven by bots with unclear incentives.

While bots are by no means a new topic, no extensive research has been done on bots specific to the blockchain industry, especially in the blockchain DApp world.

Back in the legacy economy, almost 40% of all Internet traffic in 2018 alone was bot driven[1]!

These bots are most evident in the millions of “price scraping bots” that crawl across the web of e-commerce sites and the army of Google bots indexing the entire internet to facilitate its search engine.

Image for post
Image for post
Figure 3: Internet Bot Research Report — Distill Networks, 2019 [1]

Within the blockchain industry the impact of trading bots on cryptocurrency exchange volumes, a primary driver of the overall cryptocurrency market, was recently analyzed in a SEC filing report by Bitwise Asset Management. [2]

This report concluded that, “95 percent of reported Bitcoin volume is fake.” This fake volume is being driven by trading bot accounts that skew blockchain transaction volume datasets to the upside fooling investors, regulators, builders, operators, and enthusiasts in the process.

Image for post
Image for post
Figure 4: Bitwise‘s report shows trading bots found in several crypto exchanges [2].

Background: Blockchain Ecosystem and DApp

The top 3 DApp friendly blockchains (EOS, TRON, and ETH) recorded 2,600+ DApps, 253K users, and $43 Million in daily volume as of April 22, 2019.

Statistics for Q1 2019 provided by TokenInsight:

  • EOS is the #1 DApp blockchain with $480 million in weekly transaction volume.
  • Gambling DApps dominate 65% of all EOS DApp ecosystem transaction volume. Games account for 12%, Marketplaces for 7%, with various uses for the remaining 16%.
  • Out of the 1.2 million total EOS addresses, the Top 20 EOS DApp addresses contribute $114 million in weekly transaction value, equivalent to 24% of all ecosystem volume.
  • Utilizing our AnChain.AI Platform we analyzed the millions of transactions from the Top 10 EOS Gambling DApps, which represent the majority of overall ecosystem activity.

We chose the Top 10 EOS Gambling DApps because EOS is the most active DApp blockchain, gambling is the most active EOS DApp category, and the top 10 DApps offer the richest dataset of transactions for us to analyze.

Note that all DApp names and addresses are intentionally anonymized.

Image for post
Image for post
Figure 5: Comparison of Top 3 DApp-Friendly Blockchains (EOS, TRON, ETH). April 2019 Dapp.Review — Full Version in Appendix
Image for post
Image for post
Figure 6: TokenInsight’s Q1 2019 DApp Report
Image for post
Image for post
Figure 7: DApp Hot 20 EOS Board. March 2019, TokenInsight.

Blockchain Bot vs. Human Behaviors

While this report focuses on bot accounts within EOS Blockchain DApps, we are aware that other protocols and blockchain projects have similar bot profiles.

First, let’s look at an easily detected, easily understood EOS DApp bot transaction for illustrative purposes.

The figure below illustrates how the bot account interacted with a gambling DApp on 4/22 and 4/23. Considering that the account displays identical bet behavior and that the timestamp is exactly 24 hours apart, we can quite easily deem this a bot account and rule out a human operator. This bot is likely to be motivated by the 0.25 token dividend within the gambling DApp.

Image for post
Image for post
Figure 8: EOS DApp Bot Blockchain Transactions (addresses made anonymous)

Now, in the following figures we will use product screenshots of the AnChain.AI Platform to showcase real-world examples of the difference between bot and human account behaviors.

Image for post
Image for post
Figure 9: Typical Blockchain DApp Bot Behavior

Note the repetitive behavioral patterns shown in Figure 9, allstrong indicators of a bot. This bot, in particular, is interacting with the DApp every 4 hours for more than a week. Human accounts very rarely display this behavior when interacting with a gambling DApp. This bot is likely designed with the specific intent of avoiding detection engines, which flag suspicious behavior such as playing too frequently; by taking a break every 4 hours, it avoids immediate suspicion.

Image for post
Image for post
Figure 10: Typical Human Account Behavior

Figure 10 shows a human player account interacting with the DApp from 4pm PST to midnight within a 24 hour window. One could reasonably estimate this player took a dinner break at 7pm. In addition, its irregular pattern reflects the player exploring different betting options instead of strictly following any playbook.

In essence, the behavior is more volatile, more realistic, and therefore, much more difficult for a bot to replicate. Yet, this is not to say that sophisticated bots cannot behave in a similar fashion because they can, and do. Read on for more information regarding how we detect more sophisticated bots.

Four Blockchain Bot Behavior Sophistication Levels

Interestingly, within these 7,700+ bot accounts, we’ve identified four blockchain bot behavior families presented in the figures below. Each heat map depicts a single, dominating bot family in a different DApp.

X axis denotes dates, Y axis denotes hours, and intensity denotes activity level (i.e. number of hourly transactions).

Level 1: Simple Bots — Hyperactive

Image for post
Image for post
Figure 11: Hyperactive bots (24x7, nonstop, relatively linear)

This bot category is simple to detect due to its obvious bot behavior and hyperactive level. We only encountered this family of bots in a few DApps with one of its most frequent applications coming in the form of operating as a trading bot.

Perhaps more interestingly, some of these bots have been running for months and don’t seem to care about being detected. Something that we intend to help the industry address!

Level 2: Moderate Bots — Evading Attention Through Normalcy

Image for post
Image for post
Figure 12 : Regular patterns — runs every 4 hours (left), runs every hour (right)

These bots seem to be operated by a simple piece of code, waking up at a predetermined time interval to interact with the DApp in an effort to remain stealthy and minimize the risk of garnering attention and being detected

Level 3: Sophisticated Bots — Fooling Simple Detection

Image for post
Image for post
Figure 13: Daily Active Bots Employing Perturbation Techniques

These are the more sophisticated bots that will add randomness into their execution time interval in an effort to fool simple detection engines. AnChain.AI’s engine confirms these are bots by grouping and flagging a small army of 50 similar accounts all created at the same time by the same EOS account.

Level 4: Blockchain Advanced Persistent Threat (BAPT) Bots — Stealthy, Difficult to Detect.

Image for post
Image for post
Figure 14: Blockchain APT [3] hacker group identified in a blockchain DApp in Aug 2018. Each dot in this massive graph represents a blockchain address, and the center is the targeted DApp, Fomo3D.

The 5 suspicious addresses (BAPT hacker group) created 50,000+ self-destructible malicious bots to attack several popular DApps, stealing over $4 million in 2 weeks.

Note, we are not showing a heatmap in Figure 14 because these transactions individually look like human behavior. But by using our Situational Awareness Platform (SAP) we are able to connect these isolated accounts using graph theory and reveal this army of coordinated bots that caused catastrophic damage to the DApp’s integrity.

Read more on AnChain.AI’s BAPT detection, here.

Why are blockchain bots challenging to detect?

Put more simply, the decentralized nature of the blockchain industry creates a much more arbitrary, and nuanced, operating environment that leaves the door open to bots going undetected for extended periods of time.

While there are currently bot detection solutions, such as:

  • Address blacklist databases often collected and maintained by developer/operator communities
  • Rule based detection engines, like “IF active_24_hours THEN bot ELSE human”

These solutions suffer from:

  • Static blacklists; bot addresses can be replaced anytime, and often grow in rapid fashion making it difficult for manual blacklist input or flagging to be a viable approach
  • Sophisticated bots can leverage a range of camouflaging techniques in order to evade multi-variable rule based detection engines
  • Iterating and processing much too slowly in a highly dynamic and evolving threat landscape

For these reasons, we need to leverage advanced machine learning to accurately detect blockchain bots in a pragmatic manner that is both:

  • Scalable to the amount of bot-reported incidents
  • Time-effective (a.k.a. cost effective)

Bad Bot vs Good Bot in Blockchain World

How Bad Bots Damage the Blockchain Ecosystem, Economy, and Security

Bad bot usually have malicious intentions, such as:

  • Boosting DApp rankings by augmenting transaction metrics, often a proxy of overall business health. This is similar to Internet SEO (Search Engine Optimization) bots that simulate mouse clicks to fool the search engines into listing the desired site higher in results rankings.
  • Increasing liquidity of DApp utility tokens. Most DApps are backed by tokenomics, meaning they have a token crypto asset that is actively traded across various crypto exchanges. If there is no trading activity for this token and the exchange where it is listed has an illiquid order book, the token asset will likely face sell-side pressure and decrease in value. A very common use case for bots is employing them as a tool for market making to ultimately increase liquidity of the tokens and prop up, or grow, asset values.
  • Earning profits on the payout dividends. Most DApps pay generous dividends, in coins or tokens, to incentivize players to play their DApps (mostly gambling related).
  • Sabotaging competitors by congesting the DApp, similar to a Denial-of- Service (DoS) attack on the Internet.
  • Launching BAPT (Blockchain Advanced Persistent Threat) attacks on targeted vulnerable DApps. [3]

Why Good Bots Exist

Good bots are often developed by the DApp team, with the purpose of:

  • Running automated product quality assurance tests within the DApp (i.e. quality assurance bot)
  • Interacting with human players. For example, DApp players cannot always find sufficient human players to interact with, so a bot player will be deployed to fill the void

What can we do as an industry?

Fortunately, just as in the centralized internet, it is real human users who are the main drivers of the decentralized blockchain ecosystem as they drive real capital into the ecosystem and drive adoption. Organic growth of the DApp ecosystem is the key to its success, so ensuring this ought to be a top priority for all DApp developers, operators, investors, and crypto enthusiasts alike.

Although the blockchain industry is currently unregulated it is clearly trending towards regulation, and as the top crypto exchanges come under the SEC’s oversight, trading bots will likely be dealt with in a compliance regulatory context.

That said, the blockchain industry needs to raise awareness on the prevalence of bot activities in blockchains, starting with DApps.

Our recommendations to various sectors include:

Blockchain Rating Sites:

  • All DApp rating sites leverage sophisticated bot detection engines to make sure the rankings are fair, up-to-date with real-time metrics, and the practice of using static blacklist addresses databases is done away with.

Blockchain Protocols:

  • As the platforms where the DApps are hosted and run, protocols ought to discourage DApps from using cheating bots in order to fake volume, transactions, etc. in order to appear higher on rankings.
  • Protocol teams have all of the available data for each of the DApps within their protocol, so they ought to lead the charge with transparency and re-focus on driving organic growth which will benefit themselves and the industry in the long-term.

DApp Teams:

  • Focus on organic human user growth. That’s the key to sustained success.
  • Invest in good bots that help improve product quality and increase liquidity.
  • Do not cheat by building bad bots.
  • Defend against malicious bots, such as BAPT (Blockchain APT hackers)[3].

Crypto Exchanges:

  • Reputation systems akin to a FICO credit score need to be in place in order to block suspicious accounts related to bot activities.

How does AnChain.AI detect bots?

We have been collecting threat intelligence on addresses owned by bots, hackers, malware, etc. With this large curated dataset of known bot accounts, we fine-tuned a highly accurate ML detection engine.

This bot detection engine achieves a 99%+ receiver operating characteristic curve (ROC) score at 10 fold cross-validation (CV).

Our bot detection ML models include:

  • Deep Learning (DL), including Convolutional Neural Nets (CNN)
  • Ensembles, including Gradient Boosted Tree (GBT) and Random Forest (RF). Accuracy on validation set achieves 99%+.

The reason we also built a tree ensemble model was for better model interpretability. Tree ensemble models make it easier to explain why the AI makes a given prediction via probabilistic feature importance, whereas deep learning models work like a blackbox.

For instance, these are strong indicators (features) our ML model automatically selected out of a pool of 50+ candidates:

  • Active percentage. The more active, the more likely it’s a bot.
  • Temporal regularity by auto-correlation. Repeated pattern hints at bot behavior.
  • Bet size. A bot is more likely to bet at a fixed amount.
Image for post
Image for post
Figure 15: AnChain.AI convolutional neural network (CNN) model architecture
Image for post
Image for post
Figure 16: Deep learning model performance on training (blue) and validation (orange) set. Achieved 99%+ accuracy on the validation set.
Image for post
Image for post
Figure 17: Random forest machine learning model for bot detection. 99%+ ROC score.

Acknowledgements

  • Berkeley Blockchain Xcelerator Professor Alexander Fred-Ojala, Chief Data Scientist at UC Berkeley, for reviewing the machine learning work.
  • Amino Capital’s anti-fraud experts.
  • Data scientist interns Shengbin (Duke University) and David (Harvard University) for working with AnChain.AI’s Data Platform team.
  • Connie Zheng for editorial support.
  • TokenInsight for providing statistics on DApps.
  • AWS Activate Program for sponsoring the Startup Cloud Credits.

About AnChain.AI

Feel free to reach out to us directly at: info@anchain.ai

With extensive experience in cybersecurity, artificial intelligence, cloud computing, and big data AnChain is continuously securing top-tier crypto exchanges, protocols, investors, custodians, and enterprise with our Blockchain Ecosystem Intelligence.

References:

[2] SEC filing report by Bitwise Asset , March 2019, Managementhttps://www.sec.gov/comments/sr-nysearca-2019-01/srnysearca201901-5164833-183434.pdf]

[3] BAPT (Blockchain APT hackers). Aug 2018,

https://medium.com/@anchain.ai/largest-smart-contract-attacks-in-blockchain-history-exposed-part-1-93b975a374d0

Appendix:

Image for post
Image for post
Full Stats from DApp.Review website.

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch

Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore

Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store