Yufeng Xu,Lun Zhang,Turan Vural,Peng Qian,Yanbin Wang,Yuqing Fan,Ming Li,Xueyan Tang,Zheng Cao

DOI: https://doi.org/10.1145/3650400.3650499

2023-01-01

Abstract:Due to the decentralized and transparent characteristics of the blockchain ecosystem, malicious activities such as phishing scams on the Ethereum platform result in significant financial losses for users. The current methods for detecting phishing largely rely on analyzing original transactions, which makes uncovering hidden transaction patterns challenging. To tackle this limitation, we introduce the Spatio-Temporal Fusion Network (STFN) designed to identify phishing scams on the Ethereum network. Specifically, STFN incorporates two key components: the transactions subgraph encoder for formalizing spatial features, and the transaction sequence BERT encoder for capturing temporal features. By fusing these spatio-temporal features, we facilitate their integration into a machine learning algorithm for classifying phishing accounts. The experimental outcomes underscore the effectiveness of the STFN, achieving an AUC of 93.26% and a Recall of 94.53%, outperforming previous methods for Ethereum phishing detection.

Jieli Liu,Jinze Chen,Jiajing Wu,Zhiying Wu,Junyuan Fang,Zibin Zheng

DOI: https://doi.org/10.1109/tifs.2024.3359000

IF: 7.231

2024-02-02

IEEE Transactions on Information Forensics and Security

Abstract:As one of the most typical cybercrime types, phishing scams have extended the devil's hand to the emerging blockchain ecosystem in recent years. Especially huge economic losses have been caused by phishing scams in Ethereum, the second-largest blockchain system. Existing approaches for Ethereum phishing detection, however, typically use machine learning or transaction graph embedding methods to identify phishers in isolation and do not effectively uncover the group of transaction accounts linked to scams (which we term a "gang"). Since accounts are pseudonymous in Ethereum, these undisclosed conspirator accounts have potential risks to the system. In this paper, we conduct the first study that characterizes and detects Ethereum phishing gangs. We first investigate the transaction behaviors in phishing gangs from the perspectives of individuals, pairs, and higher-order patterns. Our analysis reveals that although the Ethereum transaction graph is sparse with a highly skewed degree distribution, phishing accounts in the same gang have closer relationships and share specific transaction patterns. Based on our findings, we formalize the phishing gang detection problem and introduce a novel detection model named PGDetector. Given a risky phishing account as a seed, PGDetector can find out the potential risky accounts sharing close relationships within the seed's community based on genetic algorithm optimization. Experimental results on large-scale Ethereum transaction data demonstrate the effectiveness of PGDetector.

computer science, theory & methods,engineering, electrical & electronic

Bowen He,Yuan Chen,Zhuo Chen,Xiaohui Hu,Yufeng Hu,Lei Wu,Rui Chang,Haoyu Wang,Yajin Zhou

DOI: https://doi.org/10.1145/3576915.3623210

2023-01-01

Abstract:The prosperity of Ethereum attracts many users to send transactions and trade crypto assets. However, this has also given rise to a new form of transaction-based phishing scam, named TXPHISH. Specifically, tempted by high profits, users are tricked into visiting fake websites and signing transactions that enable scammers to steal their crypto assets. The past year has witnessed 11 large-scale TXPHISH incidents causing a total loss of more than $70 million. In this paper, we conduct the first empirical study of TXPHISH on Ethereum, encompassing the process of a TXPHISH campaign and details of phishing transactions. To detect TXPHISH websites and extract phishing accounts automatically, we present TxPhishScope, which dynamically visits the suspicious websites, triggers transactions, and simulates results. Between November 25, 2022, and July 31, 2023, we successfully detected and reported 26,333 TXPHISH websites and 3,486 phishing accounts. Among all of documented TXPHISH websites, 78.9% of them were first reported by us, making TxPhishScope the largest TXPHISH website detection system. Moreover, we provided criminal evidence of four phishing accounts and their fund flow totaling $1.5 million to aid in the recovery of funds for the victims. In addition, we identified bugs in six Ethereum projects and received appreciation. Based on the detection results, we perform a comprehensive study of TXPHISH websites and phishing accounts. Our study reveals that TXPHISH websites have a short lifespan, low cost, and fast update frequency. Besides, Our analysis of phishing fund flow demonstrates that 54.0% of phishing funds ($43.7 million) flowed into centralized exchanges, where the identity of owners could be traced. Our research can serve as a valuable reference for Ethereum service providers to safeguard their users against TXPHISH and assist in the recovery of victims' crypto assets.

Qi Yuan,Baoying Huang,Jie Zhang,Jiajing Wu,Haonan Zhang,Xi Zhang

DOI: https://doi.org/10.1109/iscas45731.2020.9180815

2020-01-01

Abstract:With the increasing popularity of blockchain technology, it has also become a hotbed of various cybercrimes. As a traditional way of scam, the phishing scam has new means of scam in the blockchain scenario and swindles a lot of money from users. In order to create a safe environment for investors, an efficient method for phishing detection is urgently needed. In this paper, we propose a three steps framework to detect phishing scams on Ethereum by mining Ethereum transaction records. First, we obtain the labeled phishing accounts and corresponding transaction records from two authorized websites. According to the collected transaction records we build an Ethereum transaction network. Then, a network embedding method node2vec which can extract the latent features of accounts is used for subsequent phishing classification. Finally, to distinguish whether the account is a phishing account, we adopt the one-class support vector machine (SVM) to classify. The experimental result demonstrates that F-score of our phishing detection method can achieve 0.846, which verifies the validity of our model. To the best of our knowledge, this is the first work that investigates the phishing scams on Ethereum based on transaction records.

Weili Chen,Xiongfeng Guo,Zhiguang Chen,Zibin Zheng,Yutong Lu

DOI: https://doi.org/10.24963/ijcai.2020/621

2020-01-01

Abstract:In recent years, blockchain technology has created a new cryptocurrency world and has attracted a lot of attention. It also is rampant with various scams. For example, phishing scams have grabbed a lot of money and has become an important threat to users' financial security in the blockchain ecosystem. To help deal with this issue, this paper proposes a systematic approach to detect phishing accounts based on blockchain transactions and take Ethereum as an example to verify its effectiveness. Specifically, we propose a graph-based cascade feature extraction method based on transaction records and a lightGBM-based Dual-sampling Ensemble algorithm to build the identification model. Extensive experiments show that the proposed algorithm can effectively identify phishing scams.

Jinhuan Wang,Pengtao Chen,Xinyao Xu,Jiajing Wu,Meng Shen,Qi Xuan,Xiaoniu Yang

DOI: https://doi.org/10.48550/arxiv.2208.12938

2022-01-01

Abstract: Due to the decentralized and public nature of the Blockchain ecosystem, the malicious activities on the Ethereum platform impose immeasurable losses for the users. Existing phishing scam detection methods mostly rely only on the analysis of original transaction networks, which is difficult to dig deeply into the transaction patterns hidden in the network structure of transaction interaction. In this paper, we propose a \underline{T}ransaction \underline{S}ub\underline{G}raph \underline{N}etwork (TSGN) based phishing accounts identification framework for Ethereum. We first extract transaction subgraphs for target accounts and then expand these subgraphs into corresponding TSGNs based on the different mapping mechanisms. In order to make our model incorporate more important information about real transactions, we encode the transaction attributes into the modeling process of TSGNs, yielding two variants of TSGN, i.e., Directed-TSGN and Temporal-TSGN, which can be applied to the different attributed networks. Especially, by introducing TSGN into multi-edge transaction networks, the Multiple-TSGN model proposed is able to preserve the temporal transaction flow information and capture the significant topological pattern of phishing scams, while reducing the time complexity of modeling large-scale networks. Extensive experimental results show that TSGN models can provide more potential information to improve the performance of phishing detection by incorporating graph representation learning.

Sijia Li,Gaopeng Gou,Chang Liu,Chengshang Hou,Zhenzhen Li,Gang Xiong

DOI: https://doi.org/10.48550/arXiv.2204.13442

2022-04-28

Cryptography and Security

Abstract:In recent years, phishing scams have become the most serious type of crime involved in Ethereum, the second-largest blockchain platform. The existing phishing scams detection technology on Ethereum mostly uses traditional machine learning or network representation learning to mine the key information from the transaction network to identify phishing addresses. However, these methods adopt the last transaction record or even completely ignore these records, and only manual-designed features are taken for the node representation. In this paper, we propose a Temporal Transaction Aggregation Graph Network (TTAGN) to enhance phishing scams detection performance on Ethereum. Specifically, in the temporal edges representation module, we model the temporal relationship of historical transaction records between nodes to construct the edge representation of the Ethereum transaction network. Moreover, the edge representations around the node are aggregated to fuse topological interactive relationships into its representation, also named as trading features, in the edge2node module. We further combine trading features with common statistical and structural features obtained by graph neural networks to identify phishing addresses. Evaluated on real-world Ethereum phishing scams datasets, our TTAGN (92.8% AUC, and 81.6% F1score) outperforms the state-of-the-art methods, and the effectiveness of temporal edges representation and edge2node module is also demonstrated.

Liang Chen,Jiaying Peng,Yang Liu,Jintang Li,Fenfang Xie,Zibin Zheng

DOI: https://doi.org/10.1145/3398071

IF: 5.3

2020-01-01

ACM Transactions on Internet Technology

Abstract:Blockchain has attracted an increasing amount of researches, and there are lots of refreshing implementations in different fields. Cryptocurrency as its representative implementation, suffers the economic loss due to phishing scams. In our work, accounts and transactions are treated as nodes and edges, thus detection of phishing accounts can be modeled as a node classification problem. Correspondingly, we propose a detecting method based on Graph Convolutional Network and autoencoder to precisely distinguish phishing accounts. Experiments on different large-scale real-world datasets from Ethereum show that our proposed model consistently performs promising results compared with related methods.

Baoying Huang,Jieli Liu,Jiajing Wu,Quanzhong Li,Dan Lin

DOI: https://doi.org/10.1109/ISCAS46773.2023.10182206

2023-01-01

Abstract:As one of the most active blockchain platforms at present, Ethereum attracts a great deal of interest, including that of fraudsters. They exploit the anonymity of Ethereum accounts to perpetrate varieties of scams, the most common of which is phishing frauds. However, existing phishing detection work ignores the heterogeneity of Ethereum transaction edges. In fact, the activities on Ethereum include external transactions, internal transactions, and token transactions. Therefore, this paper proposes an Ethereum account phishing fraud detection method named HTSGCN. Based on heterogeneous transaction subnets, our method makes full use of the type and direction information contained in transactions. First, we collect Ethereum transaction data and construct a k-order heterogeneous subnet for each account. To aggregate the neighbor feature, we design a message propagation mechanism based on graph convolution network. Finally, we classify node representation vectors containing neighborhood and its own characteristics. Experimental results show that HTSGCN has a better effect on detecting phishing accounts than previous work which is based on homogeneous networks.

Jiajing Wu,Qi Yuan,Dan Lin,Wei You,Weili Chen,Chuan Chen,Zibin Zheng

DOI: https://doi.org/10.1109/tsmc.2020.3016821

2022-01-01

Abstract:Recently, blockchain technology has become a topic in the spotlight but also a hotbed of various cybercrimes. Among them, phishing scams on blockchain have been found making a notable amount of money, thus emerging as a serious threat to the trading security of the blockchain ecosystem. In order to create a favorable environment for investment, an effective method for detecting phishing scams is urgently needed in the blockchain ecosystem. To this end, this paper proposes an approach to detect phishing scams on Ethereum by mining its transaction records. Specifically, we first crawl the labeled phishing addresses from two authorized websites and reconstruct the transaction network according to the collected transaction records. Then, by taking the transaction amount and timestamp into consideration, we propose a novel network embedding algorithm called trans2vec to extract the features of the addresses for subsequent phishing identification. Finally, we adopt the oneclass support vector machine (SVM) to classify the nodes into normal and phishing ones. Experimental results demonstrate that the phishing detection method works effectively on Ethereum, and indicate the efficacy of trans2vec over existing state-of-the-art algorithms on feature extraction for transaction networks. This work is the first investigation on phishing detection on Ethereum via network embedding and provides insights into how features of large-scale transaction networks can be embedded.

Chaofan Dai,Qideng Tang,Huahua Ding

DOI: https://doi.org/10.1109/cits61189.2024.10608015

2024-01-01

Abstract:In recent years, blockchain has emerged as a promising technology with extensive applications in various fields. One of its most notable applications is cryptocurrency. However, the prevalence of phishing scams in blockchain transaction networks has led to significant economic losses and poses a severe threat to transaction security within the cryptocurrency ecosystem. Existing methods for phishing scams detection often employ traditional machine learning techniques or graph embedding methods to extract key information that distinguishes phishing addresses. Nevertheless, these methods often overlook the temporal information within transaction networks, failing to fully capture the dynamic nature of the blockchain transaction network, resulting in suboptimal detection performance. In this paper, we propose a Temporal Graph Attention Network for blockchain phishing scams detection. Specifically, we use a Long Short-Term Memory (LSTM) network to obtain temporal transaction representations. Additionally, we utilize an attention mechanism to aggregate transaction features and features between neighboring nodes. Finally, by incorporating the obtained node representations and the topological characteristics of nodes, we identify phishing addresses using a Multilayer Perceptron (MLP). Experimental results on three real-world Ethereum phishing scams detection datasets indicate that our proposed method significantly outperforms competing approaches.

Sijia Li,Gaopeng Gou,Chang Liu,Gang Xiong,Zhen Li,Junchao Xiao,Xinyu Xing

DOI: https://doi.org/10.1145/3627106.3627109

2023-01-01

Abstract:Phishing scams have become the most serious type of crime involved in Ethereum. However, existing methods ignore the natural camouflage and sparse distribution of phishing scams in Ethereum leading to unsatisfactory performance, and they are also limited by the data scale which cannot be applied to real-world dynamic scenarios. In this paper, we propose a Transaction Graph Contrast network (TGC) to enhance phishing scam detection performance on Ethereum. TGC inputs subgraphs instead of the entire graph for training, which eases the model’s requirements for machine configuration and data connectivity. Motivated by phishing nodes are surrounded by normal nodes, we design the comparison between node-level to help phishing nodes learn the unique properties of themselves different from their neighbors. Observing the small number and sparse distribution of phishing nodes, we narrow the distance between phishing nodes by comparing node context-level structures, so as to learn universal transaction patterns. We further combine the obtained features with common statistics to identify phishing addresses. Evaluated on real-world Ethereum phishing scams datasets, our TGC outperforms the state-of-the-art methods in detecting phishing addresses and has obvious advantages in large-scale and dynamic scenarios.

Panpan Li,Yunyi Xie,Xinyao Xu,Jiajun Zhou,Qi Xuan

DOI: https://doi.org/10.48550/arXiv.2204.08194

2022-04-18

Abstract:Blockchain has widespread applications in the financial field but has also attracted increasing cybercrimes. Recently, phishing fraud has emerged as a major threat to blockchain security, calling for the development of effective regulatory strategies. Nowadays network science has been widely used in modeling Ethereum transaction data, further introducing the network representation learning technology to analyze the transaction patterns. In this paper, we consider phishing detection as a graph classification task and propose an end-to-end Phishing Detection Graph Neural Network framework (PDGNN). Specifically, we first construct a lightweight Ethereum transaction network and extract transaction subgraphs of collected phishing accounts. Then we propose an end-to-end detection model based on Chebyshev-GCN to precisely distinguish between normal and phishing accounts. Extensive experiments on five Ethereum datasets demonstrate that our PDGNN significantly outperforms general phishing detection methods and scales well in large transaction networks.

Social and Information Networks

Yun Wan,Feng Xiao,Dapeng Zhang

DOI: https://doi.org/10.1007/s00500-022-07661-0

IF: 3.732

2022-12-06

Soft Computing

Abstract:As cryptocurrency is widely accepted and used, attendant illegal activities have attracted extensive attention, especially phishing scams, which bring great losses to both customers and countries. From the perspective of crime prevention, early warning of such illegal behaviors is of great significance. However, most existing studies focus on detecting phishing scams that have already occurred and been reported. In addition, previous studies ignore the temporal order of users' appearance and thus cannot accurately extract features reflecting users' transaction patterns. In this paper, we propose a framework called early-stage phishing detection to address the problem of early phishing detection. According to the phishing amount, we first divide the process of phishing scams into three stages: early stage, middle stage, and late stage. Then, we develop a feature extraction method to capture features from both the local network structures and the time series of transactions. In experiments, the dataset is strictly partitioned by time series, and experimental results show that our proposed method outperforms existing graph embedding methods on a real-world Ethereum transaction dataset. Finally, we select the ten most important features and analyze the differences between phishing users and normal users on these features, which provide useful insights for regulators and platforms to detect phishing scams in advance.

computer science, artificial intelligence, interdisciplinary applications

Dunjie Zhang,Jinyin Chen

DOI: https://doi.org/10.48550/arXiv.2108.08456

2021-08-19

Abstract:With the popularity of blockchain technology, the financial security issues of blockchain transaction networks have become increasingly serious. Phishing scam detection methods will protect possible victims and build a healthier blockchain ecosystem. Usually, the existing works define phishing scam detection as a node classification task by learning the potential features of users through graph embedding methods such as random walk or graph neural network (GNN). However, these detection methods are suffered from high complexity due to the large scale of the blockchain transaction network, ignoring temporal information of the transaction. Addressing this problem, we defined the transaction pattern graphs for users and transformed the phishing scam detection into a graph classification task. To extract richer information from the input graph, we proposed a multi-channel graph classification model (MCGC) with multiple feature extraction channels for GNN. The transaction pattern graphs and MCGC are more able to detect potential phishing scammers by extracting the transaction pattern features of the target users. Extensive experiments on seven benchmark and Ethereum datasets demonstrate that the proposed MCGC can not only achieve state-of-the-art performance in the graph classification task but also achieve effective phishing scam detection based on the target users' transaction pattern graphs.

Machine Learning

Haixian Wen,Junyuan Fang,Jiajing Wu,Zibin Zheng

DOI: https://doi.org/10.1109/iscas51556.2021.9401091

2021-01-01

Abstract:With the prosperous development of blockchain technologies in the past few years, some cybercrimes have emerged in the blockchain ecosystem, such as the phishing scams on Ethereum. To alleviate these security problems, a few anomaly detection frameworks were proposed. Specifically, previous studies usually model the transfer relationship between accounts in the blockchain ecosystem as a transaction network, where nodes represent accounts and edges represent the corresponding transaction records. Inspired by the adversarial attacks on graph data, we believe the robustness of existing detection frameworks still needs to be further verified even though they have achieved good performance. In this paper, a phishing detection framework based on feature learning and a phishing hidden framework based on inserting transaction records are proposed, respectively. Experimental results show the effectiveness of our phishing detection framework and the superiority of the phishing hidden strategies, which indicate that existing phishing detection frameworks are lack of robustness and still need further improvement against malicious attacks.

Haixian Wen,Junyuan Fang,Jiajing Wu,Zibin Zheng

DOI: https://doi.org/10.1109/tcss.2022.3203081

2022-01-01

IEEE Transactions on Computational Social Systems

Abstract:With the wide application and development of blockchain technology, the past years have witnessed the emergence of various cybercrimes, which have caused a huge amount of economic loss. Among them, phishing scams on the blockchain are regarded as a serious threat to the trading security of the blockchain ecosystem. By modeling the transaction data of blockchain as a network, a series of graph-based phishing detection frameworks have been proposed. Enlightened by adversarial attacks of graph data, we propose to verify the robustness of current phishing detection frameworks under intentional attackers aiming to hide phishing behaviors. In this study, we first propose a general phishing detection framework based on feature engineering and then propose a phishing hiding framework combing the greedy selection mechanism with four phishing hiding strategies to measure the robustness of the proposed general detection models. Extensive experiments evaluate the detective performance of the phishing detection model and its robustness against the hiding framework. The experimental results indicate that the detective model based on feature engineering is rather fragile under adversarial attacks.

Mingdong Tang,Mingshun Ye,Weili Chen,Dong Zhou

DOI: https://doi.org/10.1016/j.eswa.2024.124941

IF: 8.5

2024-01-01

Expert Systems with Applications

Abstract:With the burgeoning adoption of blockchain technology, cryptocurrencies have surged in popularity, becoming a focal point of global interest. Concurrently, the emergence of cryptocurrency phishing scams poses a significant threat to the financial security of the blockchain ecosystem, inflicting substantial economic damage on platforms and users alike. This study introduces an innovative approach leveraging an attention-augmented Bidirectional Long Short Term Memory Network (BiLSTM), termed BiLSTM4DPS, for the detection of phishing scams within the Ethereum network. We initiate by converting account transaction records into sequences, thereby extracting temporal and latent patterns of transactions. Subsequently, we integrate BiLSTM with multi-head attention mechanisms and masking techniques to construct a robust classification model aimed at identifying fraudulent accounts. Extensive experiments were conducted to assess the efficacy of BiLSTM4DPS, particularly under scenarios with limited account activity data. The results demonstrate that BiLSTM4DPS achieves remarkable predictive accuracy, surpassing existing state-of-the-art methods.

Jiaqi Dong,Zishu Qin,Zhou Fang,Xuan Chen,Zengfeng Huang,Haoyun Guo,Richen Liu,Cagatay Turkay,Siming Chen

DOI: https://doi.org/10.1145/3615522.3615540

2023-01-01

Abstract:The phishing scam is a major kind of fraudulence in blockchain. And it has become an urgent issue to discern and prevent the fraudulent behaviors. However, the large-scale and dynamic nature of transaction network imposes great challenges on the identification and analysis. While there have been many sophisticated machine learning approaches providing predictive capability in terms of detecting such cases, they usually offer little insight into the essence of those behaviors and the occasion when phishing scam activities happen. Motivated by these shortcomings and bottlenecks, this paper proposes a suite of visual analytical methods for interpretable and explorable fraudulence identification in large-scale blockchain transaction networks, incorporating an anomaly detection model based on multiple feature extraction manners. In this paper, we adopt two types of graph embedding methods and variable derivation to generate features from transaction data. Then we use machine learning classification approaches to fit the three sets of features. Evaluations show that all kinds of features perform well in classification. Besides, we design an interactive visualization system displaying the transaction networks and classification models, which allows users better explore the data and understand the models. Furthermore, we demonstrate two cases through the visualization system to unearth fraudulent patterns and interpret classification results. Finally, we close with discussions for further improvements of our models and system.

Jingjing Yang,Jieli Liu,Dan Lin,Jiajing Wu,Baoying Huang,Quanzhong Li,Zibin Zheng

DOI: https://doi.org/10.1109/tifs.2024.3463541

IF: 7.231

2024-10-11

IEEE Transactions on Information Forensics and Security

Abstract:With the popularity of Non-Fungible Tokens (NFTs), the high value of NFTs makes them a target for phishing scammers, which harms the security and reliability of the Web3 NFT ecosystem. Despite the significance of this issue, there is a lack of systematic research in the area of emerging NFT phishing scams. To address this gap, we are the first to conduct a case retrospective analysis and empirical measurement study of real-world historical NFT phishing scams on Ethereum. We collect and publicly release the first NFT phishing dataset which includes 1,625 NFT phishing accounts and transaction records as of August 2023. We further categorize the existing scams into four phishing patterns and investigate their distinguishable behaviors. Then, we reveal the modus operandi preferences and economic impacts to characterize NFT phishing scams. We find that NFT phishers stole 67,188 NFTs, with a total direct selling profit of 20.92 million. We also observe that scammers favor certain categories and collections of NFTs, coupled with signs of gang theft. Furthermore, we design a variety of account features for the classification task of NFT phishers based on empirical conclusions. Experimental results on real-world NFT transaction data demonstrate the effectiveness of these features in detecting NFT phishing accounts, and outperform traditional phishing detection methods with 41% average Precision and 44% average Recall.

computer science, theory & methods,engineering, electrical & electronic