Bowen He,Yuan Chen,Zhuo Chen,Xiaohui Hu,Yufeng Hu,Lei Wu,Rui Chang,Haoyu Wang,Yajin Zhou

DOI: https://doi.org/10.1145/3576915.3623210

2023-01-01

Abstract:The prosperity of Ethereum attracts many users to send transactions and trade crypto assets. However, this has also given rise to a new form of transaction-based phishing scam, named TXPHISH. Specifically, tempted by high profits, users are tricked into visiting fake websites and signing transactions that enable scammers to steal their crypto assets. The past year has witnessed 11 large-scale TXPHISH incidents causing a total loss of more than $70 million. In this paper, we conduct the first empirical study of TXPHISH on Ethereum, encompassing the process of a TXPHISH campaign and details of phishing transactions. To detect TXPHISH websites and extract phishing accounts automatically, we present TxPhishScope, which dynamically visits the suspicious websites, triggers transactions, and simulates results. Between November 25, 2022, and July 31, 2023, we successfully detected and reported 26,333 TXPHISH websites and 3,486 phishing accounts. Among all of documented TXPHISH websites, 78.9% of them were first reported by us, making TxPhishScope the largest TXPHISH website detection system. Moreover, we provided criminal evidence of four phishing accounts and their fund flow totaling $1.5 million to aid in the recovery of funds for the victims. In addition, we identified bugs in six Ethereum projects and received appreciation. Based on the detection results, we perform a comprehensive study of TXPHISH websites and phishing accounts. Our study reveals that TXPHISH websites have a short lifespan, low cost, and fast update frequency. Besides, Our analysis of phishing fund flow demonstrates that 54.0% of phishing funds ($43.7 million) flowed into centralized exchanges, where the identity of owners could be traced. Our research can serve as a valuable reference for Ethereum service providers to safeguard their users against TXPHISH and assist in the recovery of victims' crypto assets.

Yufeng Xu,Lun Zhang,Turan Vural,Peng Qian,Yanbin Wang,Yuqing Fan,Ming Li,Xueyan Tang,Zheng Cao

DOI: https://doi.org/10.1145/3650400.3650499

2023-01-01

Abstract:Due to the decentralized and transparent characteristics of the blockchain ecosystem, malicious activities such as phishing scams on the Ethereum platform result in significant financial losses for users. The current methods for detecting phishing largely rely on analyzing original transactions, which makes uncovering hidden transaction patterns challenging. To tackle this limitation, we introduce the Spatio-Temporal Fusion Network (STFN) designed to identify phishing scams on the Ethereum network. Specifically, STFN incorporates two key components: the transactions subgraph encoder for formalizing spatial features, and the transaction sequence BERT encoder for capturing temporal features. By fusing these spatio-temporal features, we facilitate their integration into a machine learning algorithm for classifying phishing accounts. The experimental outcomes underscore the effectiveness of the STFN, achieving an AUC of 93.26% and a Recall of 94.53%, outperforming previous methods for Ethereum phishing detection.

Jintao Huang,Pengcheng Xia,Jiefeng Li,Kai Ma,Gareth Tyson,Xiapu Luo,Lei Wu,Yajin Zhou,Wei Cai,Haoyu Wang

DOI: https://doi.org/10.1145/3589334.3645566

2024-01-01

Abstract:Unlike fungible tokens (e.g., cryptocurrency), a Non-Fungible Token (NFT) is unique and indivisible. As such, they can be used to authenticate ownership of digital assets (e.g., a photo) in a decentralized fashion. Given that NFTs have generated significant media attention since 2021, we perform a large-scale measurement study of the NFT ecosystem. We collect over 242M transfer logs and over 97M marketplace transactions until Aug 1st, 2023, by far the largest NFT dataset, to the best of our knowledge. We characterize the on-chain behavior of NFTs and their trading across five major marketplaces. We find that, although the NFT ecosystem is growing rapidly, it is driven by a relatively small set of dominant centralized players, with suspicious trade activities, e.g., over 23% of the monetary volume is generated by malicious wash trading and the ecosystem has experienced over 157K cases of NFT arbitrage, with a total sum of over \25M profit. Our observations motivate the need for more research efforts in the NFT security analysis.

Jieli Liu,Jinze Chen,Jiajing Wu,Zhiying Wu,Junyuan Fang,Zibin Zheng

DOI: https://doi.org/10.1109/tifs.2024.3359000

IF: 7.231

2024-02-02

IEEE Transactions on Information Forensics and Security

Abstract:As one of the most typical cybercrime types, phishing scams have extended the devil's hand to the emerging blockchain ecosystem in recent years. Especially huge economic losses have been caused by phishing scams in Ethereum, the second-largest blockchain system. Existing approaches for Ethereum phishing detection, however, typically use machine learning or transaction graph embedding methods to identify phishers in isolation and do not effectively uncover the group of transaction accounts linked to scams (which we term a "gang"). Since accounts are pseudonymous in Ethereum, these undisclosed conspirator accounts have potential risks to the system. In this paper, we conduct the first study that characterizes and detects Ethereum phishing gangs. We first investigate the transaction behaviors in phishing gangs from the perspectives of individuals, pairs, and higher-order patterns. Our analysis reveals that although the Ethereum transaction graph is sparse with a highly skewed degree distribution, phishing accounts in the same gang have closer relationships and share specific transaction patterns. Based on our findings, we formalize the phishing gang detection problem and introduce a novel detection model named PGDetector. Given a risky phishing account as a seed, PGDetector can find out the potential risky accounts sharing close relationships within the seed's community based on genetic algorithm optimization. Experimental results on large-scale Ethereum transaction data demonstrate the effectiveness of PGDetector.

computer science, theory & methods,engineering, electrical & electronic

Qi Yuan,Baoying Huang,Jie Zhang,Jiajing Wu,Haonan Zhang,Xi Zhang

DOI: https://doi.org/10.1109/iscas45731.2020.9180815

2020-01-01

Abstract:With the increasing popularity of blockchain technology, it has also become a hotbed of various cybercrimes. As a traditional way of scam, the phishing scam has new means of scam in the blockchain scenario and swindles a lot of money from users. In order to create a safe environment for investors, an efficient method for phishing detection is urgently needed. In this paper, we propose a three steps framework to detect phishing scams on Ethereum by mining Ethereum transaction records. First, we obtain the labeled phishing accounts and corresponding transaction records from two authorized websites. According to the collected transaction records we build an Ethereum transaction network. Then, a network embedding method node2vec which can extract the latent features of accounts is used for subsequent phishing classification. Finally, to distinguish whether the account is a phishing account, we adopt the one-class support vector machine (SVM) to classify. The experimental result demonstrates that F-score of our phishing detection method can achieve 0.846, which verifies the validity of our model. To the best of our knowledge, this is the first work that investigates the phishing scams on Ethereum based on transaction records.

Zhuo Chen,Yufeng Hu,Bowen He,Dong Luo,Lei Wu,Yajin Zhou

2024-09-04

Abstract:In recent years, a more advanced form of phishing has arisen on Ethereum, surpassing early-stage, simple transaction phishing. This new form, which we refer to as payload-based transaction phishing (PTXPHISH), manipulates smart contract interactions through the execution of malicious payloads to deceive users. PTXPHISH has rapidly emerged as a significant threat, leading to incidents that caused losses exceeding \$70 million in 2023 reports. Despite its substantial impact, no previous studies have systematically explored PTXPHISH In this paper, we present the first comprehensive study of the PTXPHISH on Ethereum. Firstly, we conduct a long-term data collection and put considerable effort into establishing the first ground-truth PTXPHISH dataset, consisting of 5,000 phishing transactions. Based on the dataset, we dissect PTXPHISH, categorizing phishing tactics into four primary categories and eleven sub-categories. Secondly, we propose a rule-based multi-dimensional detection approach to identify PTXPHISH, achieving over 99% accuracy in the ground-truth dataset. Finally, we conducted a large-scale detection spanning 300 days and discovered a total of 130,637 phishing transactions on Ethereum, resulting in losses exceeding $341.9 million. Our in-depth analysis of these phishing transactions yielded valuable and insightful findings. Furthermore, our work has made significant contributions to mitigating real-world threats. We have reported 1,726 phishing addresses to the community, accounting for 42.7% of total community contributions during the same period. Additionally, we have sent 2,539 on-chain alert messages, assisting 1,980 victims. This research serves as a valuable reference in combating the emerging PTXPHISH and safeguarding users' assets.

Cryptography and Security,Software Engineering

Zheng Cao,Yi Zhen,Gang Fan,Sheng Gao

DOI: https://doi.org/10.48550/arxiv.2208.05168

2022-01-01

Abstract: The emergence of metaverse brings tremendous evolution to Non-Fungible Tokens (NFTs), which could certify the ownership the unique digital asset in the cyber world. The NFT market has garnered unprecedented attention from investors and created billions of dollars in transaction volume. Meanwhile, securing NFT is still a challenging issue. Recently, numerous incidents of NFT theft have been reported, leading to incalculable losses for holders. We propose a decentralized NFT anti-theft mechanism called TokenPatronus, which supports the general ERC-721 standard and provide the holders with strong property protection. TokenPatronus contains pre-event protection, in-event interruption, and post-event replevin enhancements for the complete NFTs transactions stages. Four modules are designed to make up the decentralized anti-theft mechanism, including the decentralized access control (DAC), the decentralized risk management (DRM), the decentralized arbitration system (DAS) and the ERC-721G standard smart contract. TokenPatronus is performing on the Turtlecase NFT project of Ethereum and will support more blockchains in the future.

Yun Wan,Feng Xiao,Dapeng Zhang

DOI: https://doi.org/10.1007/s00500-022-07661-0

IF: 3.732

2022-12-06

Soft Computing

Abstract:As cryptocurrency is widely accepted and used, attendant illegal activities have attracted extensive attention, especially phishing scams, which bring great losses to both customers and countries. From the perspective of crime prevention, early warning of such illegal behaviors is of great significance. However, most existing studies focus on detecting phishing scams that have already occurred and been reported. In addition, previous studies ignore the temporal order of users' appearance and thus cannot accurately extract features reflecting users' transaction patterns. In this paper, we propose a framework called early-stage phishing detection to address the problem of early phishing detection. According to the phishing amount, we first divide the process of phishing scams into three stages: early stage, middle stage, and late stage. Then, we develop a feature extraction method to capture features from both the local network structures and the time series of transactions. In experiments, the dataset is strictly partitioned by time series, and experimental results show that our proposed method outperforms existing graph embedding methods on a real-world Ethereum transaction dataset. Finally, we select the ten most important features and analyze the differences between phishing users and normal users on these features, which provide useful insights for regulators and platforms to detect phishing scams in advance.

computer science, artificial intelligence, interdisciplinary applications

Yun Lin,Ruofan Liu,Dinil Mon Divakaran,Jun Yang Ng,Qing Zhou Chan,Yiwen Lu,Yuxuan Si,Fan Zhang,Jin Song Dong

2021-01-01

Abstract:Recent years have seen the development of phishing detection and identification approaches to defend against phishing attacks. Phishing detection solutions often report binary results, i.e., phishing or not, without any explanation. In contrast, phishing identification approaches identify phishing webpages by visually comparing webpages with predefined legitimate references and report phishing along with its target brand, thereby having explainable results. However, there are technical challenges in visual analyses that limit existing solutions from being effective (with high accuracy) and efficient (with low runtime overhead), to be put to practical use. In this work, we design a hybrid deep learning system, Phishpedia, to address two prominent technical challenges in phishing identification, i.e., (i) accurate recognition of identity logos on webpage screenshots, and (ii) matching logo variants of the same brand. Phishpedia achieves both high accuracy and low runtime overhead. And very importantly, different from common approaches, Phishpedia does not require training on any phishing samples. We carry out extensive experiments using real phishing data; the results demonstrate that Phishpedia significantly outperforms baseline identification approaches (EMD, PhishZoo, and LogoSENSE) in accurately and efficiently identifying phishing pages. We also deployed Phishpedia with CertStream service and discovered 1,704 new real phishing websites within 30 days, significantly more than other solutions; moreover, 1,133 of them are not reported by any engines in VirusTotal.

Trishie Sharma,Rachit Agarwal,Sandeep Kumar Shukla

DOI: https://doi.org/10.48550/arXiv.2304.07598

2023-04-16

Abstract:The explosive growth of non-fungible tokens (NFTs) on Web3 has created a new frontier for digital art and collectibles, but also an emerging space for fraudulent activities. This study provides an in-depth analysis of NFT rug pulls, which are fraudulent schemes aimed at stealing investors' funds. Using data from 758 rug pulls across 10 NFT marketplaces, we examine the structural and behavioral properties of these schemes, identify the characteristics and motivations of rug-pullers, and classify NFT projects into groups based on creators' association with their accounts. Our findings reveal that repeated rug pulls account for a significant proportion of the rise in NFT-related cryptocurrency crimes, with one NFT collection attempting 37 rug pulls within three months. Additionally, we identify the largest group of creators influencing the majority of rug pulls, and demonstrate the connection between rug-pullers of different NFT projects through the use of the same wallets to store and move money. Our study contributes to the understanding of NFT market risks and provides insights for designing preventative strategies to mitigate future losses.

Cryptography and Security

Liang Chen,Jiaying Peng,Yang Liu,Jintang Li,Fenfang Xie,Zibin Zheng

DOI: https://doi.org/10.1145/3398071

IF: 5.3

2020-01-01

ACM Transactions on Internet Technology

Abstract:Blockchain has attracted an increasing amount of researches, and there are lots of refreshing implementations in different fields. Cryptocurrency as its representative implementation, suffers the economic loss due to phishing scams. In our work, accounts and transactions are treated as nodes and edges, thus detection of phishing accounts can be modeled as a node classification problem. Correspondingly, we propose a detecting method based on Graph Convolutional Network and autoencoder to precisely distinguish phishing accounts. Experiments on different large-scale real-world datasets from Ethereum show that our proposed model consistently performs promising results compared with related methods.

Xi Chen,Indranil Bose,Alvin Leung,Chenhui Guo

2009-01-01

Abstract:We assess the severity of phishing attacks in terms of their risk levels and the potential loss in market value to the firms. We analyze 1,030 phishing alerts released on a public database as well as financial data related to the targeted firms using a hybrid text and data mining method that predicts the severity of the attack with high accuracy. Our research identifies the important textual and financial variables that impact the severity of the attacks and determine that different antecedents influence risk level and potential financial loss associated with phishing attacks.

Wenkai Li,Zhijie Liu,Xiaoqi Li,Sen Nie

2024-10-28

Abstract:The web3 applications have recently been growing, especially on the Ethereum platform, starting to become the target of scammers. The web3 scams, imitating the services provided by legitimate platforms, mimic regular activity to deceive users. The current phishing account detection tools utilize graph learning or sampling algorithms to obtain graph features. However, large-scale transaction networks with temporal attributes conform to a power-law distribution, posing challenges in detecting web3 scams. In this paper, we present ScamSweeper, a novel framework to identify web3 scams on Ethereum. Furthermore, we collect a large-scale transaction dataset consisting of web3 scams, phishing, and normal accounts. Our experiments indicate that ScamSweeper exceeds the state-of-the-art in detecting web3 scams.

Cryptography and Security

Peng Liao,Chaoge Liu,Jie Yin,Zhi Wang,Xiang Cui

DOI: https://doi.org/10.32604/cmes.2024.043855

2024-01-01

Computer Modeling in Engineering & Sciences

Abstract:Digital assets have boomed over the past few years with the emergence of Non-fungible Tokens (NFTs). To be specific, the total trading volume of digital assets reached an astounding $55.5 billion in 2022. Nevertheless, numerous security concerns have been raised by the rapid expansion of the NFT ecosystem. NFT holders are exposed to a plethora of scams and traps, putting their digital assets at risk of being lost. However, academic research on NFT security is scarce, and the security issues have aroused rare attention. In this study, the NFT ecological process is comprehensively explored. This process falls into five different stages encompassing the entire lifecycle of NFTs. Subsequently, the security issues regarding the respective stage are elaborated and analyzed in depth. A matrix model is proposed as a novel contribution to the categorization of NFT security issues. Diverse data are collected from social networks, the Ethereum blockchain, and NFT markets to substantiate our claims regarding the severity of security concerns in the NFT ecosystem. From this comprehensive dataset, nine key NFT security issues are identified from the matrix model and then subjected to qualitative and quantitative analysis. This study aims to shed light on the severity of NFT ecosystem security issues. The findings stress the need for increased attention and proactive measures to safeguard the NFT ecosystem.

engineering, multidisciplinary,mathematics, interdisciplinary applications

R. Phillips,H. Wilder

DOI: https://doi.org/10.48550/arXiv.2005.14440

2020-05-29

Cryptography and Security

Abstract:Over the past few years, there has been a growth in activity, public knowledge, and awareness of cryptocurrencies and related blockchain technology. As the industry has grown, there has also been an increase in scams looking to steal unsuspecting individuals cryptocurrency. Many of the scams operate on visually similar but seemingly unconnected websites, advertised by malicious social media accounts, which either attempt an advance-fee scam or operate as phishing websites. This paper analyses public online and blockchain-based data to provide a deeper understanding of these cryptocurrency scams. The clustering technique DBSCAN is applied to the content of scam websites to discover a typology of advance-fee and phishing scams. It is found that the same entities are running multiple instances of similar scams, revealed by their online infrastructure and blockchain activity. The entities also manufacture public blockchain activity to create the appearance that their scams are genuine. Through source and destination of funds analysis, it is observed that victims usually send funds from fiat-accepting exchanges. The entities running these scams cash-out or launder their proceeds using a variety of avenues including exchanges, gambling sites, and mixers.

Hanna Kim,Jian Cui,Eugene Jang,Chanhee Lee,Yongjae Lee,Jin-Woo Chung,Seungwon Shin

2023-11-17

Abstract:As Non-Fungible Tokens (NFTs) continue to grow in popularity, NFT users have become targets of phishing attacks by cybercriminals, called \textit{NFT drainers}. Over the last year, \$100 million worth of NFTs were stolen by drainers, and their presence remains a serious threat to the NFT trading space. However, no work has yet comprehensively investigated the behaviors of drainers in the NFT ecosystem. In this paper, we present the first study on the trading behavior of NFT drainers and introduce the first dedicated NFT drainer detection system. We collect 127M NFT transaction data from the Ethereum blockchain and 1,135 drainer accounts from five sources for the year 2022. We find that drainers exhibit significantly different transactional and social contexts from those of regular users. With these insights, we design \textit{DRAINCLoG}, an automatic drainer detection system utilizing Graph Neural Networks. This system effectively captures the multifaceted web of interactions within the NFT space through two distinct graphs: the NFT-User graph for transaction contexts and the User graph for social contexts. Evaluations using real-world NFT transaction data underscore the robustness and precision of our model. Additionally, we analyze the security of \textit{DRAINCLoG} under a wide variety of evasion attacks.

Cryptography and Security

Guglielmo Cola,Michele Mazza,Maurizio Tesconi

2024-06-27

Abstract:This paper presents a case study of a cryptocurrency scam that utilized coordinated and inauthentic behavior on Twitter. In 2020, 143 accounts sold by an underground merchant were used to orchestrate a fake giveaway. Tweets pointing to a fake blog post lured victims into sending Uniswap tokens (UNI) to designated addresses on the Ethereum blockchain, with the false promise of receiving more tokens in return. Using one of the scammer's addresses and leveraging the transparency and immutability of the Ethereum blockchain, we traced the flow of stolen funds through various addresses, revealing the tactics adopted to obfuscate traceability. The final destination of the funds involved two deposit addresses. The first, managed by a well-known cryptocurrency exchange, was likely associated with the scammer's own account on that platform and saw deposits exceeding $3.5 million. The second address was linked to a popular cryptocurrency swap service. These findings highlight the critical need for more stringent measures to verify the source of funds and prevent illicit activities.

Social and Information Networks

Zhutian Lin,Xi Xiao,Guangwu Hu,Bin Zhang,Qixu Liu,Xiapu Luo

DOI: https://doi.org/10.1109/secon58729.2023.10287480

2023-01-01

Abstract:The exponential growth of Ethereum transactions has resulted in a significant increase in phishing scams, leading to substantial financial losses in recent years. Current machine/deep learning-based approaches for classification have been found to be inadequate for large-scale and label-imbalanced Ethereum scenarios. To address this issue, we propose Phish2vec, a novel network embedding approach that takes into account the transaction temporality and heterogeneity in detecting phishing scams on Ethereum. Our approach begins by producing a transaction sub-network through data collection and preprocessing, which includes a novel Statistics-Based Sampling (SBS) method to address label leakage. To generate sequences that contain more comprehensive information, we then utilize two different types of sequences generators: Temporal-based Sequences Generator (TSG) and Heterogeneous-based Sequences Generator (HSG). By concatenating the sequences generated by TSG and HSG together, and feeding them into Word2vec and Fully Connected neural network (FC), our approach can identify phishing accounts with an Fl-score as high as 82.05%, which significantly outperforms classic schemes such as DeepWalk (67.29%), Trans2vec (74.78%), and Node2vec (70.91%).

Shijian Chen,Jiachi Chen,Jiangshan Yu,Xiapu Luo,Yanlin Wang

2024-07-22

Abstract:NFTs (Non-Fungible Tokens) have seen significant growth since they first captured public attention in 2021. However, the NFT market is plagued by fake transactions and economic bubbles, e.g., NFT wash trading. Wash trading typically refers to a transaction involving the same person or two colluding individuals, and has become a major threat to the NFT ecosystem. Previous studies only detect NFT wash trading from the financial aspect, while the real-world wash trading cases are much more complicated (e.g., not aiming at inflating the market value). There is still a lack of multi-dimension analysis to better understand NFT wash trading. Therefore, we present the most comprehensive study of NFT wash trading, analyzing 8,717,031 transfer events and 3,830,141 sale events from 2,701,883 NFTs. We first optimize the dataset collected via the OpenSea API. Next, we identify three types of NFT wash trading and propose identification algorithms. Our experimental results reveal 824 transfer events and 5,330 sale events (accounting for a total of \$8,857,070.41) and 370 address pairs related to NFT wash trading behaviors, causing a minimum loss of \$3,965,247.13. Furthermore, we provide insights from six aspects, i.e., marketplace design, profitability, NFT project design, payment token, user behavior, and NFT ecosystem.

Cryptography and Security,Computational Engineering, Finance, and Science,Computers and Society

Dan Lin,Jiajing Wu,Qishuang Fu,Yunmei Yu,Kaixin Lin,Zibin Zheng,Shuo Yang

DOI: https://doi.org/10.48550/arXiv.2305.14748

2023-05-24

Cryptography and Security

Abstract:With the overall momentum of the blockchain industry, crypto-based crimes are becoming more and more prevalent. After committing a crime, the main goal of cybercriminals is to obfuscate the source of the illicit funds in order to convert them into cash and get away with it. Many studies have analyzed money laundering in the field of the traditional financial sector and blockchain-based Bitcoin. But so far, little is known about the characteristics of crypto money laundering in the blockchain-based Web3 ecosystem. To fill this gap, and considering that Ethereum is the largest platform on Web3, in this paper, we systematically study the behavioral characteristics and economic impact of money laundering accounts through the lenses of Ethereum heists. Based on a very small number of tagged accounts of exchange hackers, DeFi exploiters, and scammers, we mine untagged money laundering groups through heuristic transaction tracking methods, to carve out a full picture of security incidents. By analyzing account characteristics and transaction networks, we obtain many interesting findings about crypto money laundering in Web3, observing the escalating money laundering methods such as creating counterfeit tokens and masquerading as speculators. Finally, based on these findings we provide inspiration for anti-money laundering to promote the healthy development of the Web3 ecosystem.