How Breadcrumbs Updates Labels: the Case of Luna fund flows
Recently, our team at Breadcrumbs re-labelled an address from OKEx (or OKX) to Gemini. How did that happen? Let us look into it more deeply.
1. The address in question
The address in question was 1NYAd6fA2dc5xowuweFUSDRqRTEzDwk28, and it was recently implicated in the Luna transaction in efforts to defend its stablecoin peg. You can see the report here.
In this graph you can see the incoming and outgoing funds from Luna Foundation Guard (LFG). On the left are inflows to the address while on the right are outflows. We start with Luna Foundation Guard’s (LFG) self-declared address (first label), and expand it twice to the right to get to the exchange address mentioned. The transactions to the right of LFG are the outflows of money. The address bc1qly…gu2w sent out money to four different addresses, one of which is the address in question, labelled here as Gemini (previously OKX). bc1qly sent two transactions of 3,000 BTC and 30,000 BTC on 9 May 2022 and 10 May 2022 respectively.
Breadcrumbs Report available at this link
2. The Tip Off
Varying sources label the address as either Okex and Gemini, and it was causing some confusion on Twitter.
https://twitter.com/intangiblecoins/status/1523808822187511809?ref_src=twsrc%5Etfw%22
3. Investigation
After this, the team dove in to investigate our sources and to see which one it was exactly.
3.1. Looking at the address itself
First, we generated a Breadcrumbs Report for this address, and took a look at the transaction pattern. In general, we also thought this looked like an address for a centralised exchange, because of the large amounts of inflows and outflows from this address. It also did not fit the pattern for a coinjoin.
Breadcrumbs Report available at this link
3.2. Word on the street
What we had in our database actually came from the Vivigle entry for this address:
Vivigle entry (red box near the bottom labels it as Okex.com)
Upon further research, we found some places that label this as a Gemini address.
Screenshot of Coindesk report where Glassnode believes the address to belong to Gemini
In the ‘From’ field, the address is labelled as Gemini
In the OXT.me database, it is labelled as Gemini (red box next to address)
We also found other websites that indicated this as an OKX address.
Below the search bar on the right, BitInfoCharts labels this as OKEx
Then, the question becomes how these sources get their data. We don’t know if they implement their own heuristics to find out these labels, or if they are crowdsourced. As such the reliability is questionable without any further proof.
3.3. Honeypotting
One way to determine for yourself if an exchange holds an address is to send money from your own account on one exchange to your own account on another. Then, you can observe the movement of money and use Common Input Ownership Heuristic to check for yourself too. From our experience, we have found this to provide the highest degree of certainty on an address.
We also looked at the transactions to see if we could spot anything that looked interesting. We used Blockchain.Info for this.
During the analysis we saw that one of the addresses looked familiar. We realised that this address bc1quq29mutxkgxmjfdr7ayj3zd9ad0ld5mrhh89l2 was suggested to be a Gemini address by the team from Zero Friction. The team had honeypotted the address with their own Gemini account.
And, the two addresses have both been in a transaction before, together, as the input:
Thus, we can reasonably conclude that this address belongs to Gemini, since we know that bc1quq… also belongs to Gemini.
3.4. Other Possibilities
Of course, we cannot rule out that in some cases, it is possible that the Common Input Ownership Heuristic has tagged this address as both an OKX address and a Gemini address. The Common Input Ownership Heuristic depends on starting tags where one has already labelled some known addresses. It could be that the starting data was labelled differently by different groups, and thus we draw two separate conclusions.
Alternatively, when we start assuming addresses that are a few more steps away from the initial group as belonging to the same exchange, we become more and more uncertain. In the below example, three addresses were labelled as OKX and three other ones as Gemini, in two separate transactions. If they ever interact in the future in an unrelated third transaction, the common input heuristic would be broken. In this case, the address we changed the label of (1NYA) would be address G.
4. Conclusion
But is it really Gemini? If the exchange does not self-disclose that address, we may never know for sure, even with honeypotting. It is also possible that all these different sources are all just referencing each other.
Beyond this specific case study, we think that the more valuable information is the large patterns that we can draw out — that LFG is likely sending this money to market makers and centralised exchanges, and that LFG is indeed using this money to try and stabilise the UST peg.
Keep on crumbing!
by JY Li — Head of Attribution Data
