Huge Ethereum Mixer

Published in cyber•Drop, Oct 31, 2019

The article was removed from the cyber•Fund blog and was republished on this blog.

Serge Nedashkovsky

68% of total Ethereum transaction value controlled by one system

UPDATE: We have released the Jupyter notebook on GitHub so that anyone can repeat the analysis.

While analyzing Ethereum transactions, cyber•Fund came across a finding that struck us so much that we rushed to dig deeper into the issue. We now wish to share our findings with the community, hoping to come up with an explanation together.

What we found

Clustering all Ethereum addresses from the inception of Ethereum until 15.09.2017 revealed a class of addresses that we will call temporary in this paper. These are addresses where funds come and leave within a short time interval, no longer than 1 hour, after which the addresses are never used again. The temporary addresses constituted 46% of all active addresses and processed 65% of total transaction value during the analysed period. Analyzing the transactions in which these addresses were involved, we pieced together a full picture of what was going on:

In the centre of the picture above, one can see a core of the Mixer, which consists of more than 95% of temporary addresses. This core interacts with a group of shell addresses, or a shell layer, which includes both permanent and temporary addresses. The shell layer in turn receives ETH from what we will call input addresses and sends ETH to output addresses, displayed on the left and right of the scheme respectively. We looked up the names of the owners of these addresses on Etherscan. Only a few of these addresses had an owner's name attached to them on Etherscan. The other names displayed on the picture above are names mentioned in users’ comments on Etherscan, so we can only assume that they are the real owners of these addresses. In the end, it turned out that the total amount transferred into and out of the core is 4 times higher than the total that entered and left the shell and the core taken together. This made us think of a mixer mechanism (further referred to as Mixer).
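As an added illustration (not taken from the cyber•Fund notebook), the sketch below applies the one-hour definition of a temporary address and the comparison of core flow against flow crossing the system boundary to a small constructed transfer list. The tuple layout, the function names and the exact way value is attributed to a set of addresses are assumptions made for this example.

```python
HOUR = 3600  # the article's threshold: funds arrive and leave within 1 hour

# Constructed sample transfers: (unix_time, sender, receiver, value_eth).
TXS = [
    (1000, "in1", "s1", 1000.0),    # input address funds a shell address
    (1600, "s1", "t1", 1000.0),     # shell -> temporary hop
    (2200, "t1", "t2", 1000.0),     # temporary -> temporary
    (2800, "t2", "t3", 1000.0),
    (3400, "t3", "s2", 1000.0),     # back to a shell address
    (9000, "s2", "out1", 1000.0),   # shell -> output address
    (50000, "in1", "s1", 5.0),      # s1 is reused much later: permanent
    (60000, "alice", "bob", 20.0),  # unrelated ordinary payment
]

def temporary_addresses(txs, max_lifetime=HOUR):
    """Addresses that both receive and send, with all activity inside max_lifetime."""
    first, last = {}, {}
    received, sent = set(), set()
    for ts, src, dst, _ in txs:
        for addr in (src, dst):
            first[addr] = min(ts, first.get(addr, ts))
            last[addr] = max(ts, last.get(addr, ts))
        sent.add(src)
        received.add(dst)
    return {a for a in received & sent if last[a] - first[a] <= max_lifetime}

def value_share(txs, addrs):
    """Fraction of total transferred value in transfers touching any address in addrs."""
    total = sum(v for *_, v in txs)
    touched = sum(v for _, s, d, v in txs if s in addrs or d in addrs)
    return touched / total

def churn_ratio(txs, core, shell):
    """Value moved into or out of the core, divided by value crossing the
    boundary of core and shell taken together (an assumed reading of the text)."""
    system = core | shell
    core_flow = sum(v for _, s, d, v in txs if s in core or d in core)
    boundary = sum(v for _, s, d, v in txs if (s in system) != (d in system))
    return core_flow / boundary

if __name__ == "__main__":
    core = temporary_addresses(TXS)
    print(sorted(core), value_share(TXS, core), churn_ratio(TXS, core, {"s1", "s2"}))
```

A ratio well above 1 means the same value is passed between core addresses several times before it leaves the system, which is the pattern the article reads as mixing.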

Of all transactions executed on the Ethereum blockchain during the analysed period, addresses with incoming amounts of ~500, ~1000, ~2000, ~3000, ~5000 and ~10,000 ETH constitute 68.5% (2,601,041,693.6 out of 3,791,195,132.0 ETH) in money terms and 10.7% (6,216,314 out of 58,035,623) in terms of number. Further analysis shows that these addresses are linked with each other and might be controlled by a single entity.

This is how the share of the Mixer in all Ethereum transactions has changed over time:

The system seems to have been first tested in 2016, and it came into active use at the start of 2017. This might be explained by the increasing capitalization and liquidity of Ethereum. Most interesting is that the overall growth pattern of Ethereum transactions looks very different when the Mixer share is excluded. If the Mixer transactions are left out of the analysis, it becomes evident that they contributed most of the overall growth in Ethereum transaction volume.

Analysis that was done

In terms of the incoming transaction volume, these addresses are distributed as follows:

Distribution of Addresses by Transaction Volume

Out of the total of 6,282,858 addresses involved in all transactions executed on the Ethereum blockchain from its inception until 15 September 2017, the following sets of addresses gained our attention:

These addresses account for 67.5% of all transferred ETH and constitute 8.5% of the total number of transactions on Ethereum during the analysed period. So why do we think these addresses are linked?

The graph below displays how these sets of addresses replace each other almost one by one. Take one set of addresses, e.g. addresses with incoming amounts of around 1000 ETH. After being active for some time, this set of addresses becomes inactive, and this is when another set steps in, e.g. the one with 3000 incoming ETH per transaction. Thus, the addresses “act” as if orchestrated, following one another over time, which makes us think there is a certain system managing these activities. These addresses constitute the core of the scheme.

Findings

Analyzing the system further, we identified temporary and permanent addresses that surround the core and are linked with it. The calculations for the core and the linked addresses for the period starting from the inception of Ethereum until 15.09.2017 bring about the following results:

Hypotheses

These are possible explanations for the detected activities we could come up with:

  1. The protection offered to clients by crypto-exchanges: all clients’ funds are mixed so that the funds’ sources cannot be tracked and those holding clean money cannot be unjustifiably accused of any illegal activity
  2. A mechanism set in place to protect U.S. residents who wish to avoid control from U.S. regulatory bodies
  3. A mechanism used by a large private exchange to preserve the privacy of its clients; this exchange might be operating with fiat money
  4. A mechanism used to securely transfer crypto-assets between crypto-exchanges
  5. Any kind of Ether-laundering scheme

These are only hypotheses which we would like to discuss with anyone interested in our findings. If you have any other suggestions or explanations, please do not hesitate to share them with us. You can find more details in the Appendix.

You can always contact us at: datascience@cyber.fund, analytics@cyber.fund

Appendix

Note: If you wish to look up the addresses below on Etherscan yourself, use the list in this Jupyter Notebook.

Top 20 input addresses (ETH transferred into the Mixer)

Top 20 output addresses (ETH transferred out of the Mixer)