Real-time Visibility into Ukraine Crypto Activity Part I

On February 24, 2022, Russia invaded Ukraine, the shock was felt around the world and only seems to amplify over time. The crypto community stepped up to help by donating significant value in various cryptocurrencies. Even though cryptocurrencies for the most part are extremely transparent, it’s difficult to see all the donations in one place in real-time. A few Splunkers from the blockchain team decided to volunteer some time towards bringing full visibility of this data. A series of multiple blog posts will demonstrate how to bring on-chain, off-chain, and cross-chain data together. In this post, the visualization presented is part of an iterative process, we intend to make our dashboards public and interactive soon, tell us if this is useful and what you want to see. All of what you are about to see/read can be built by anyone with the free version of Splunk and the open-source Splunk Connect for Ethereum. No black boxes here. With that, let’s dive in.

When crypto donations began for Ukraine, we took this opportunity to think like our customers and answer burning questions about donation activities happening in real-time. Who donated the most? Which blockchain tokens are donated the most? What is legitimate vs what could be a scam? Where are the donations being sent to? What is the world media reporting about the situation in parallel? Are there any trends or patterns that stand out? These are only a few examples of questions we could start asking and answering within minutes using the decoded Ethereum data being ingested into Splunk.

Figure 1: [Snapshot taken 3/9/2022]

Using Splunk’s new Dashboard Studio, we built out a high-level view of donation activity. With our new analytical operations center for Stablecoins and other ERC20 tokens, we were able to examine donations given in Ethereum, and popular Stablecoins such as USDC and USDT. Our initial focus is providing an Ethereum native view since it makes up the majority of donations to Ukraine. Soon, we intend to add Bitcoin, DOT, and other networks with significant contributions. Many blockchain networks are data silos, Splunk is known for breaking down data silos and blockchain networks are no exception; with Splunk, anyone can analyze data across chains from a single interface.

Figure 2: [Snapshot taken 3/8/2022 — upper part]

Let’s break down the current version of the Ethereum dashboard. At the top of the dashboard, we see a summary of total donations on Ethereum captured in their USD value. In the case of Stablecoins such as USDC and Tether, the price is straightforward, however, Ethereum’s price is constantly changing over time. Luckily in Splunk, all data is implicitly joined by time, which makes it easy to join additional data sources, such as Chainlink’s ETH/USD price feed. This allows us to capture the real USD value at the time donated. Another approach that could be explored in a further version is the value of Eth donated at time converted. After summarizing the donations, we drilled down to proportions of donations by type, namely: USDC, Ethereum, and Tether. Curious about which addresses are the biggest ETH donors? “Top ETH Donations” visualizes them. In addition, the top 3 cryptocurrencies being donated are shown on the bottom left. Other ERC20 and ERC721 transaction activity and the proportion of known scams amongst them are shown in Figure 2.

Figure 3: Snapshot of other ERC20/721 transaction activity

The lower half of the dashboard, see Figure 4, shows trends over time and unfolds the story further. We combined, in one view, how generous the community is through each transaction and total donation value in the “Top 3 Cryptocurrencies Donated Timeline”. “Latest Global Headlines from GDELT” adds to the narrative with other less structured sources of data such as news media from GDELT — a global collection of news coverage. We used GDELT’s sentiment score by article to visualize the coverage of the conflict in Splunk by charting the average sentiment per leader over time. In this case, the visualization shows that the overall coverage of Zelensky is more positive.

On March 2nd, activity increased when the Ukraine Twitter account mentioned a potential token airdrop to all those who donated. This was shown through the increase in transaction counts and total value donated. However, shortly before the planned airdrop, a fake account (World Peace Token) attempted to spoof users with an airdrop of its own. As we were finalizing the dashboard on March 4th, these fraudulent events came in real-time and we used an event overlay to signify the fake and then canceled airdrop plans.

Figure 4: Zoomed-in screenshot of txn activity with overlay 3/4/2022

Figure 5: Raw but decoded log events of Peaceful world tokens in Splunk Search interface

Splunk’s Blockchain team holds Ukraine and those affected in our thoughts.

P.S. This is volunteer work by the blockchain team at Splunk, if you are interested in knowing where we focus most of our efforts, reach out to blockchain@splunk.com, to hear about how we help customers adopt distributed ledger technology through monitoring, security, and on-chain/off-chain/cross-chain analytics.

Dashboards created by Stephen Luedtke.
Engineered by ccordi, Ryan Moore, and Antoine Toulme.
Written by Stephen Luedtke, Melanie Marsollier, and Janice Ng.