Fraud detection and Cryptocurrency.

CryptoFisher
Aug 25, 2018

Respected colleagues,

Public blockchain means transparency. Does it lead to legality and fairness? — I don’t think so.

The fact that we have access to the whole transaction history in a blockchain gives us a huge advantage in detecting malignant or fraudulent activities. In the world of fiat money, anti-fraud and fraud detection systems are widely used to protect ordinary users. We applied a couple of plain algorithms to the Ethereum blockchain (they might also be applied to Bitcoin) in order to find suspicious transactions in ICOs. We investigated how assets came to a crowdsale wallet and which transactions were made by the ICO wallet.

By applying anomaly detection to an ongoing or completed ICO, we can classify suspicious transactions. Investors can form their opinion based on the analysis result and draw their own conclusions about the principles used by the ICO team.

Let’s talk about fraud detection and payment anomalies.

We can identify two types of suspicious activities: “cycles” and “group pump”. Both are used to create fake activity on ICO wallets. They are mostly used to fool investors — to make them think that a particular wallet is being actively used by other investors.

Actual cases for testing and ideas were provided by the SynergisLab team (synergis.io).

Spoiler + disclaimer: I will not provide actual ICO wallets or transaction IDs. None of the transactions can be considered fraudulent. We can only call these transactions suspicious or call them anomalies. This article is mostly about theory, with some implementation info.

Implementation.

A blockchain's transaction history is a huge directed graph, and our algorithms use common graph algorithms under the hood. If you are not interested in reading how we implemented them, scroll down to the results.

Get data.

We used the “icofisher” (icofisher.com) database for our computations. All the transactions were mined from the Ethereum public blockchain. The crawling algorithm is based on BFS. It starts from the ICO crowdsale wallet and moves outward until it reaches the N-th layer. We classify accounts that sent assets to the ICO as “influx nodes” and accounts that received assets from the ICO wallet as “outflux nodes”. In practice, two layers in depth were enough for analysis. This tree is produced by the anomaly detection algorithms described below.

Cycles

If a fraudulent ICO is going to mimic a successful crowdsale process, they need to send a valuable amount of money to their crowdsale wallet. What if they don’t have enough money? They send money to their wallet, then send it back, then send it to the wallet again. These transactions form a “ring” or “cycle”. If you open this wallet in Etherscan, it looks like many people invested in it, but actually most assets just did several laps.

This is how it looks:

Implementation details:

Search criteria:

To find cycles we run a DFS algorithm for directed graphs, extended with cycle detection. These conditions must be satisfied:

  1. The cycle must include the “crowdsale node”.
  2. The cycle must contain an “outflux node” (it might be an “influx node” at the same time).
  3. There must be strictly only one time bounce. All Ethereum transactions have timestamps. We must filter out all non-consecutive transaction cycles.
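A minimal sketch of such a search, added here as an illustration and not taken from the authors' implementation. It assumes the timestamp condition means that every transfer in a cycle happens after the previous one; the addresses, values, timestamps and the `max_hops` limit are constructed for the example.

```python
from collections import defaultdict

CROWDSALE = "0xCROWDSALE"
# Constructed sample transfers: (sender, receiver, value_eth, unix_timestamp).
TXS = [
    ("0xA", CROWDSALE, 50.0, 100),   # initial funding
    (CROWDSALE, "0xB", 50.0, 200),   # crowdsale pays out to an outflux node
    ("0xB", "0xC", 50.0, 300),
    ("0xC", CROWDSALE, 50.0, 400),   # the same assets return: one lap
    (CROWDSALE, "0xD", 10.0, 500),
    ("0xD", CROWDSALE, 10.0, 450),   # sent before the payout: not a lap
    ("0xE", CROWDSALE, 5.0, 600),    # ordinary investor
]

def find_cycles(txs, crowdsale, max_hops=4):
    """Return time-ordered transfer chains that leave the crowdsale wallet and return to it."""
    out_edges = defaultdict(list)
    for tx in txs:
        out_edges[tx[0]].append(tx)
    cycles = []

    def dfs(node, path, visited):
        last_ts = path[-1][3] if path else float("-inf")
        for tx in out_edges[node]:
            _, receiver, _, ts = tx
            if ts <= last_ts:            # each transfer must follow the previous one
                continue
            if receiver == crowdsale:
                if path:                 # path[0] is crowdsale -> outflux node
                    cycles.append(path + [tx])
            elif receiver not in visited and len(path) + 1 < max_hops:
                dfs(receiver, path + [tx], visited | {receiver})

    dfs(crowdsale, [], {crowdsale})
    return cycles

if __name__ == "__main__":
    for cycle in find_cycles(TXS, CROWDSALE):
        print(" -> ".join([cycle[0][0]] + [tx[1] for tx in cycle]))
```
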

Pump

This term sounds pretty familiar to most people who have dealt with exchanges. A pump is mostly used to manipulate price movements. In the case of an ICO, a pump is a tool to create fake demand, or to mimic high demand, for the ICO token. How it usually happens:

There is a crowdfunding wallet in the middle. There are “newbie” investor accounts that can be grouped by these factors: all assets came from a common account; all assets were invested in the ICO; there are only 2 transactions (input and ICO investment); the transaction value is usually pretty similar within a group.

These groups might be classified as suspicious anomalies.

Implementation details:

We use tree pruning for this algorithm:

  1. Traverse the tree. If a node is not one of:

     1) a “newbie” investor,
     2) a “newbie” investor’s parent (all the descendants are “newbies”),
     3) the crowdsale wallet,

     then cut this node off from the tree.
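The grouping that this pruning leaves behind can be sketched as follows. This is an added example, not the authors' code: it works on a flat transfer list instead of the crawled tree, and the thresholds `min_size`, `spread` and `kept`, like all addresses and values, are assumptions constructed for the illustration.

```python
from collections import defaultdict

CROWDSALE = "0xCROWDSALE"
# Constructed sample transfers: (sender, receiver, value_eth).
TXS = [
    ("0xFUNDER", "0xN1", 10.0), ("0xN1", CROWDSALE, 9.99),
    ("0xFUNDER", "0xN2", 10.2), ("0xN2", CROWDSALE, 10.19),
    ("0xFUNDER", "0xN3", 9.9),  ("0xN3", CROWDSALE, 9.89),
    ("0xEXCH", "0xOLD", 30.0),  ("0xOLD", CROWDSALE, 5.0),    # invested only a part
    ("0xOLD", "0xSHOP", 20.0),                                 # has other activity
    ("0xEXCH", "0xSOLO", 3.0),  ("0xSOLO", CROWDSALE, 2.99),  # newbie, but alone
]

def find_pump_groups(txs, crowdsale, min_size=3, spread=0.10, kept=0.95):
    """Group "newbie" investors by their common funding account."""
    incoming, outgoing = defaultdict(list), defaultdict(list)
    for sender, receiver, value in txs:
        outgoing[sender].append((receiver, value))
        incoming[receiver].append((sender, value))

    by_funder = defaultdict(list)
    for acct in set(incoming) & set(outgoing):
        if acct == crowdsale or len(incoming[acct]) != 1 or len(outgoing[acct]) != 1:
            continue                      # newbie: exactly one input, one output
        (funder, got), (dest, sent) = incoming[acct][0], outgoing[acct][0]
        if dest == crowdsale and sent >= kept * got:   # all assets went to the ICO
            by_funder[funder].append((acct, sent))

    groups = {}
    for funder, members in by_funder.items():
        values = [v for _, v in members]
        # Values count as similar when their range is small relative to the mean.
        similar = max(values) - min(values) <= spread * (sum(values) / len(values))
        if len(members) >= min_size and similar:
            groups[funder] = sorted(a for a, _ in members)
    return groups

if __name__ == "__main__":
    print(find_pump_groups(TXS, CROWDSALE))
```
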

Results:

So we applied our algorithms to 150 ICOs:

Anomalies were detected in 39 of 150 ICO wallets (~26%).

~20000 transactions are classified as suspicious.

The total amount of ETH in suspicious transactions is 60 000 ETH.

1 of 4 ICOs possibly tried to create fake demand for their tokens during the crowdsale process.

We double checked the result for projects that our customers were interested in and provided an extended analysis report.

Anonymity and obscurity are not obstacles for fraud detection.

Blockchains (Bitcoin and Ethereum) and the services built on top of them can be made safer with fraud detection and anti-fraud systems. Idea: “cycles” (or at least outgoing transactions) can be programmatically prohibited during the crowdsale at the smart contract level.
