Our AI Detects Your AI — Revealing the Secret World of Blockchain Bots (Part 2: TRON)

AnChain.AI
Oct 8 · 11 min read

AnChain.AI Team. 2019/10

Key discovery:

Blockchain bots contributed to 30.7% of the 62000+ unique accounts, accounting for over $270 million USD of transaction volume in the top 10 gambling DApps on the TRON network in 2019Q1. We also identified a new bot strategy that is unique to Tron, likely due to its DPOS consensus implementation.

Disclaimers:

1, AnChain.AI is NOT affiliated with TRON, EOS, or Ethereum foundation.

2, Bots are common in blockchains as they are throughout the legacy internet. Good bots, bad bots, and neutral parties are expected parts of the ecosystem.

3, Bot presence is, among other indicators, a key component of our proprietary Blockchain Transparency Index. Bot presence should be only considered as one of the many valuable metrics for evaluating the health and security of a blockchain ecosystem.

Abstract

AnChain.AI leverages artificial intelligence (AI) to reveal the prevalence of bot activity within the Tron blockchain DApp world. To date, this analysis is the largest scale study of bot presence within the Tron DApp ecosystem.

Similar to the legacy internet’s epidemic of content scraping bots, cryptocurrency businesses are inundated with a wide variety of bots which make it difficult to distinguish true business metrics from manipulated ones, as noted in the recent SEC filing by Bitwise.

Building atop our previous EOS blockchain Bot research, we dive into the Tron blockchain in this report. Analyzing the Top 10 gambling Tron DApp transactions in Q1 2019, we have determined that blockchain bots contribute to 30.7% of unique accounts and 19.3% of transactions. Per TokenInsight, there are 117 gambling DApps on Tron that collectively account for 68% of Tron DApp accounts. We believe our research has captured a representative snapshot of the Tron ecosystem.

This report showcases the various blockchain bot behaviors, the challenges associated with detecting them, the new and difficult to detect Group Bot strategy that the AnChain.AI research team has identified, and how we have extended our highly accurate machine learning model to detect them at scale.

Key Insights

Figures 1–3 : A visualization of bot account and transaction metrics across the top 10 gambling DApps in 2019Q1
  1. In the Top 10 gambling DApps in 2019Q1, we analyzed 96,943 unique accounts accounting for millions of transactions. We identified several different account archetypes: inactive, active, champion, and bot. This report will focus on bot accounts.
  2. The top 3 Tron DApps observed a relatively small percentage of bot activities.
  3. We observe substantially higher bot presence among the top 4 to 10 DApps. DApp 4, 7,9, and 10 in particular are dominated by bot presence: over 70% of their accounts are bot accounts.
  4. “Group Bot” is a unique bot strategy we discovered in Tron blockchain: a group of bots that, on an individual basis, exhibit a low activity level but which tightly coordinate their transactions dominate DApps 4, 9 and 10. DApp 9, for example, is comprised of over 70% of bot accounts, while accounting for less than 10% of total transactions. These bot clusters are incredibly difficult to detect, but can be caught with a sufficiently thorough methodology.

Why Does Bot Detection Matter?

Blockchain technology and its associated financial markets are still in their relative infancy, and are subject to a great deal of speculative volatility. New blockchain protocols and currencies are constantly being created within this space, and more often than not, user activity, transaction volume, daily volume, and other growth metrics are used as proxies for how well they are performing.

Bot activity calls into question the integrity of such metrics and makes the industry much more difficult to understand, regulate, operate, and secure.
In order to truly understand the health of the blockchain industry and the various crypto-assets within, it is crucial to understand how much of the activity taking place within the marketplace is authentic, and how much of it is being driven by bots with unclear incentives.

Within the blockchain industry the impact of trading bots on cryptocurrency exchange volumes, a primary driver of the overall cryptocurrency market, was recently analyzed in an SEC filing report by Bitwise Asset Management. [2]
This report concluded that “95 percent of reported Bitcoin volume is fake.” This fake volume is being driven by trading bot accounts that skew blockchain transaction volume datasets to the upside, fooling investors, regulators, builders, operators, and enthusiasts in the process.

Figure 4: Bitwise’s report shows trading bots found in several crypto exchanges [2].

Striking New Bot Behaviors Discovered in Tron Blockchain

Per TokenInsight, there are 117 active gambling DApps on Tron that have dominated 68% of Tron DApp accounts. Furthermore, the gambling DApp category has witnessed strong and consistent growth. We believe our research has captured a representative sample of the Tron ecosystem.

Figure 5. Gambling DApps have attracted 68% of the active Tron DApps accounts in 2019Q1. Tron DApp trending in 2019Q1. Gambling DApps dominate and experience the most rapid growth, vs. categories such as exchanges, games, etc., Per TokenInsight.

Previously, we covered 4 categories of bot behaviors in our EOS bot blog, the most common of which are derived from single accounts behaving with inhuman levels of frequency and consistency. On the Tron blockchain, however, we discovered far more sophisticated bot-masking techniques.

Among the leading DApp friendly blockchains, Tron resembles EOS on the DPOS (Delegated Proof-Of-Stake) consensus mechanism with its own implementation, while sharing many features with the Ethereum smart contract engine (EVM vs. TVM, ERC-20 vs TRC-20, etc.).

Interestingly, using a similar Deep Learning model to the one we trained to detect EOS bots, we still identified tens of thousands of bots in Tron. For example, the figure below shows the Tron bot accounts in our “Level 1: Simple Bots — Hyperactive” category.

Figure 6. An illustration of how a typical hyperactive bot transacts with the DApp from 3/12/2019 to 4/1/2019

This Tron bot placed identical bets, without interruption, for 18 days, leading to 75,000+ transactions, and single-handedly accounting for 12.2% of the total transactions in Q1. This hard-working bot is likely to drive the business metrics for that gambling DApp, earn dividends, or drive other financial motives.

These bots are common, easy to execute, and simple to detect, and there are even Youtube tutorials on how to use macros to auto-bet in Tronbet.

Figure 7. Youtube tutorial showing how to use macros to auto-bet on Tronbet DApp.

While we were investigating those human accounts using the same Deep Learning model, we discovered an entirely new category of discrete bot behavior that is far more difficult to detect. We call it a “Group Bot”:

Group Bot: Each account has infrequent, seemingly innocuous activity. However, their group behaviors show statistically significant correlated structure, behaving like a coordinating crowd.

We present one example of such Tron group bot accounts to demonstrate how such masking behaviors can evade most standard detection engines:

1. The below account behaves perfectly normally, with a frequency that highly resembles a human player.

Figure 8. This account would not ordinarily be any cause for alarm.

2. However, striking correlation patterns emerge when we visualize these ten low-frequency accounts together. A clear collusion emerges as we examine the first 3 groups of synchronized patterns, which appeared on Feb 21, 22, and 23.

Note that these 10 accounts are identified by our machine learning model, and they are a small subset sampled from tens of thousands of such bot accounts.

Figure 9. When clustered, the coordination becomes clear. They activate together, largely in the same order, and at the same time intervals.

3. If we observe them across a longer period of time, the coordination becomes all the more obvious. The accounts::

  • Activate at the same time.
  • Go dormant at the same time.
  • Behave almost identically when active.

Figure 10. The tight coordination in the activity, dormancy, and resurrection of these accounts is unmistakable.

4. The raw transactions of the group bot addresses in Tron explorer as seen below demonstrate a clear regularity of schedule on a collective scale. This level of coordination cannot be accomplished even by a collaborating group of human players.

Figure 11. The transaction intervals are highly regular within accounts and between accounts.

The Reason Behind the New Bot Strategy on TRON

It is highly unusual to find a completely novel bot strategy that was seemingly entirely absent from our EOS analysis, but we hypothesize that its presence on TRON can be attributed in large part to the implementation of the DPOS consensus, per this article by SVK Crypto firm in UK :

- Tron offers Free accounts, while EOS only has paid accounts.

- Tron offers 5000 free bandwidth points per day, while EOS requires staked EOS.

Figure 12. The key differences between EOS and TRON. Note especially the free accounts and transaction fees.

With this in mind, it’s far easier and cheaper to create a large number of accounts for such coordinated bot campaigns on Tron than it is on EOS. This concurs with our discovery of many large sheer volumetype bot accounts on Tron.

Bad Bots vs Good Bots in the Blockchain World

Not all bots are created equal. There are good bots and bad bots in the blockchain world, just like in the Internet world.

How Bad Bots Damage the Blockchain Ecosystem, Economy, and Security

Bad bot usually have malicious intentions, such as:

  • Boosting DApp rankings by augmenting transaction metrics, often a proxy of overall business health. This is similar to Internet SEO (Search Engine Optimization) bots that simulate mouse clicks to fool the search engines into listing the desired site higher in results rankings.
  • Increasing liquidity of DApp utility tokens. Most DApps are backed by tokenomics, meaning they have a token crypto asset that is actively traded across various crypto exchanges. If there is no trading activity for this token and the exchange where it is listed has an illiquid order book, the token asset will likely face sell-side pressure and decrease in value. A very common use case for bots is employing them as a tool for market making to ultimately increase liquidity of the tokens and prop up, or grow, asset values.
  • Earning profits on the payout dividends. Most DApps pay generous dividends, in coins or tokens, to incentivize players to play their DApps (mostly gambling related).
  • Sabotaging competitors by congesting the DApp, similar to a Denial-of- Service (DoS) attack on the Internet.
  • Launching BAPT (Blockchain Advanced Persistent Threat) attacks on targeted vulnerable DApps. [3]

Why Good Bots Exist

Good bots are often developed by the DApp team, with the purpose of:

  • Running automated product quality assurance tests within the DApp (i.e. quality assurance bot)
  • Interacting with human players. For example, DApp players cannot always find sufficient human players to interact with, so a bot player will be deployed to fill the void.

What can we do as an Industry?

It is evident that the DApp, as the most relevant application of blockchain as of this writing, is currently being heavily influenced by bots; something that the industry has a responsibility to understand and address.

Fortunately, just as in the centralized internet, it is real human users who are the main drivers of the decentralized blockchain ecosystem as they drive real capital into the ecosystem and drive adoption. Organic growth of the DApp ecosystem is the key to its success, so ensuring this ought to be a top priority for all DApp developers, operators, investors, and crypto enthusiasts alike.

Although the blockchain industry is currently unregulated, it is clearly trending towards greater scrutiny, and as the top crypto exchanges come under the SEC’s oversight trading bots will likely be dealt with in a compliance and regulatory context.

That said, the blockchain industry needs to raise awareness on the prevalence of bot activities in blockchains, starting with DApps.

Our recommendations to various sectors:

Blockchain Rating Sites:

  • All DApp rating sites ought to leverage bot detection engines to make sure the rankings are fair and up-to-date with real-time metrics, and the practice of using static blacklist addresses databases should be done away with.

Blockchain Protocols:

  • As the platforms where the DApps are hosted and run, protocols ought to discourage DApps from using cheating bots in order to fake volume, transactions, etc. in order to appear higher on rankings.
  • Protocol teams have all of the available data for each of the DApps within their protocol, so they ought to lead the charge with transparency and re-focus on driving organic growth which will benefit themselves and the industry in the long-term.

DApp Teams:

  • Focus on organic human user growth. This will drive sustained success in the long run.
  • Invest in good bots that help improve product quality and increase liquidity.
  • Do not cheat by building or encouraging bad bots.
  • Defend against malicious bots, such as BAPT (Blockchain APT hackers)[3].

Crypto Exchanges:

  • Reputation systems akin to a FICO credit score need to be in place in order to block suspicious accounts related to bot activities.

Deep Dive into the New Bot Detection Machine Learning Model

In this research, we leverage the existing EOS bot detection Deep Learning model, ensembling with a new model to detect the newly discovered “Group bot” army. The Machine Learning Methodology is as follows:

1. The existing CNN (Convolutional Neural Net) model for EOS bot is trained to achieve high precision and low recall, leading to a detection rate of 18% accounts, in top 10 TRON blockchain gambling DApp. This showcases that our deep learning model is blockchain agnostic and learning the intrinsic behaviors, NOT any blockchain specific patterns. On the other hand, blockchain bots share common behavioral characteristics.

2. The figure below shows the account distribution with different levels of activity. More than 30% are low-frequency accounts, having fewer than 10 transactions in 2019Q1. When we investigate the missed detections, we identified new categories of bot behaviors that are unique to the Tron blockchain. As mentioned above, we were able to identify group bots in these inactive accounts. Can we design a machine learning model to further detect them all?

Figure 13. Account Distribution by Activity Level

3. To detect the group behaviors from these inactive accounts that may form the group bot behaviors, we designed a new set of 25 features, and trained a clustering model. A few strong indicators (features) in our clustering model:

  • Highest active time interval rate. The higher the rate, the more likely to follow some fixed active pattern.
  • Transaction level. The higher the transaction level, the heavier the transaction number.

4. Silhouettes score, a quality measure of cluster tightness and far separated cluster distance, is adopted for optimizing our clustering model. The figure below shows a selected Tron DApp silhouette plot, which illustrates each cluster achieving a high cohesion. The average silhouette score is 0.64, indicating reasonably high quality clustering.

Figure 14: A silhouette plot for the various clusters

5. Furthermore, We use t-SNE (t-Distributed Stochastic Neighbor Embedding) to visualize the clustering results. As illustrated below, our model has successfully identify a tight cluster of “group bot” accounts.

Figure 15. A Three Dimensional Visualization of Account Clusters

Zooming in, we can see the different clusters are well separated nonlinear manifolds.

Figure 16. A Close-Up of the Three Dimensional Visualization of Account Clusters

6. With this extra layer of diligence and through the implementation of our clustering model, we increased our detected bot accounts from 18.0% to 30.7%.

As shown in the Venn diagram, the newly designed model has only 3.2% overlap with the Deep Learning model, nearly doubling the detected bot accounts.

Figure 17. Minimal overlap in the detection capabilities of our two models.

Coming Next :

The AnChain.AI engineering team is working hard towards sharing more blockchain bot research with the public and the blockchain community at large. Follow us on social media for the latest updates on our research efforts.

Medium: https://medium.com/@AnChain.AI

Twitter: https://twitter.com/AnChainAI

AnChain.AI

Written by

AI Powered Blockchain Ecosystem Security

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch
Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore
Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade