Defending Ethereum and The Like from Crypto Scams
Blockchain technology has revolutionised how currencies and digital assets can be transferred and exchanged among anonymous participants, providing significantly higher privacy protection and reducing transaction latency. With the invention of smart contracts, blockchain has expanded its applicability to many sectors, including supply chain, data sharing, games, and the Internet of Things. The rapid development of blockchain has led to more and more funding pouring into the cryptocurrency market. However, this phenomenal success of blockchain technology in digital finance has also led to a rising number of cybercrimes, resulting in blockchains becoming a paradise for a plethora of devastating crypto scams, most notably Ponzi schemes, Honeypots, Phishing, Pump and Dump, and Rug Pull. The rise of crypto scams has drawn great attention from not only academia but also governments around the world. This motivated our research to develop effective detection techniques and analytical tools for identifying and understanding crypto scam behaviours on blockchain platforms.
We started our research by improving methods for detecting the Ponzi scheme, an old-fashioned but popular fraud on Ethereum. Most of the detection methods proposed in the literature are based on smart contract source code. This contract-code-based approach, while achieving very high accuracy, is not robust because a Ponzi developer can fool a detection model by obfuscating the opcode or inventing a new profit distribution logic that cannot be detected. In contrast, a transaction-based approach could improve the robustness of detection because transactions are harder to manipulate. However, the current transaction-based detection models achieve fairly low accuracy. In this work, we aim to improve the accuracy of the transaction-based models by employing time-series features, which turn out to be crucial in capturing the lifetime behaviour of a Ponzi application but were completely overlooked in previous works. We propose a new set of 85 features that allows off-the-shelf machine learning algorithms to achieve up to 30% higher F1 scores compared to existing works.
In the second part of our research, we investigate Trapdoor tokens, which have cost investors billions of US dollars on Uniswap, the largest decentralised exchange on Ethereum, from 2020 to 2023. In essence, Trapdoor tokens allow users to buy but prevent them from selling by embedding logical bugs and/or owner-only features in their smart contracts. By manually inspecting a number of Trapdoor samples, we established the first systematic classification of Trapdoor tokens and a comprehensive list of techniques that scammers used to embed and conceal malicious code in their scam contracts. In particular, we developed TrapdoorAnalyser, a semantic and behavioural detection tool, to reliably identify a Trapdoor token. TrapdoorAnalyser not only outperforms the state-of-the-art commercial tool GoPlus in accuracy but also provides traces of malicious code with a full explanation, which most of the existing tools lack. Using TrapdoorAnalyser, we constructed the very first dataset of about 30,000 Trapdoor and non-Trapdoor tokens on UniswapV2, which allows us to train several machine learning algorithms that can detect, with very high accuracy, even Trapdoor tokens without available source code.
In the third part, we explored the ubiquitous phenomenon of serial scammers who deployed thousands of addresses to conduct a series of similar Rug Pulls. We first constructed two datasets of around 384,000 scammer addresses behind Rug Pulls on Uniswap and Pancakeswap. We also identified four distinctive scam patterns that reveal typical ways scammers run multiple Rug Pulls and organise the money flow among different scam addresses. We then studied the more general concept of a scam cluster, which comprises scammer addresses linked together via coin and token transfers or behind the same malicious DEX pools. We found that scam token contracts are highly similar within each cluster and dissimilar across different clusters, corroborating our view that each cluster belongs to the same scam organisation. Lastly, we analyse the scam profit by employing a novel cluster-aware profit formula that takes into account the important role of wash traders. The analysis shows that the existing formula inflates the profit by at least 32% on Uniswap and by 24% on Pancakeswap.
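The scam-cluster definition above (scammer addresses linked by coin and token transfers, or sitting behind the same pool) can be computed with a union-find pass over the known scammer set. The following is an added example, not code from this work; the addresses, pool ids, input layout, and the rule that a transfer only links two addresses when both are already known scammers are assumptions.

```python
from collections import defaultdict

# Constructed sample data (not from the datasets described above).
SCAMMERS = {"0xA1", "0xA2", "0xA3", "0xB1", "0xB2", "0xC1"}
TRANSFERS = [            # (sender, receiver) coin or token transfers
    ("0xA1", "0xA2"),
    ("0xB1", "0xB2"),
    ("0xA3", "0xEXCH"),  # receiver is not a known scammer: no link (assumed rule)
]
POOLS = {                # pool id -> scammer addresses behind that pool
    "pool-1": ["0xA2", "0xA3"],
    "pool-2": ["0xC1"],
}

def find(parent, x):
    """Return the representative of x's set, halving paths on the way."""
    while parent[x] != x:
        parent[x] = parent[parent[x]]
        x = parent[x]
    return x

def union(parent, a, b):
    """Merge the sets containing a and b; the smaller root wins."""
    ra, rb = find(parent, a), find(parent, b)
    if ra != rb:
        parent[max(ra, rb)] = min(ra, rb)

def scam_clusters(scammers, transfers, pools):
    """Group scammer addresses into clusters via transfers and shared pools."""
    parent = {a: a for a in scammers}
    for src, dst in transfers:
        if src in parent and dst in parent:   # both ends must be known scammers
            union(parent, src, dst)
    for members in pools.values():
        known = [m for m in members if m in parent]
        for other in known[1:]:               # same pool => same cluster
            union(parent, known[0], other)
    groups = defaultdict(set)
    for a in scammers:
        groups[find(parent, a)].add(a)
    return sorted((sorted(g) for g in groups.values()), key=lambda g: g[0])

if __name__ == "__main__":
    for cluster in scam_clusters(SCAMMERS, TRANSFERS, POOLS):
        print(cluster)
```

Here `0xA3` joins the first cluster only through the shared pool, which is why counting profit per address rather than per cluster can misattribute flows between addresses of the same group.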