In the blockchain, certain clusters of addresses are likely to be associated with high-risk activities such as money laundering, fraud, and hacks. These clusters can include addresses linked to mixer services, which let users blend tainted funds with clean ones to obscure their transaction trail on an otherwise transparent blockchain. Mixer services are associated with malicious activity; hackers use them to hide their tracks.
At Cyvers, a web3 security company, we understand the importance of identifying and mitigating these risks.
We also understand that hackers or malicious actors are not the only ones using these mixer services.
That's why we've developed an algorithm to track the incoming funds' exposure to any malicious address or a cluster of addresses, including those associated with mixer services.
Our technology increases the compliance and trust level for exchanges while it decreases the rate of declined transactions.
After the OFAC Tornado Cash sanctions, this issue is even more relevant.
In this article, we'll explain the algorithm and provide an analysis of the Tornado Cash and Aztec clusters, two clusters of mixer services that we used to test our algorithm.
Cyvers designed the algorithm to identify an address's exposure to a specific cluster of risk-associated addresses. Here's a detailed, step-by-step guide to how it works:
We begin by assuming that we have a list of root addresses that make up the original cluster. The exposure score for these root addresses is constant and equal to 1.
For each new transfer, we check to see if the sender has an exposure score greater than a predetermined threshold. We refer to these as "transfers from exposed addresses".
For each transfer from an exposed address, we update the exposure score of the receiver. If the address has received funds only from the cluster, its exposure score is 1. If the address has received funds only from other sources, its exposure score is 0. The receiver's exposure increases to a greater extent when a larger proportion of its funds originates from the mixer cluster.
Using this algorithm, we can determine the exposure score of any address in the blockchain to a particular cluster of addresses.
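The four steps above, as an added example that is not Cyvers' code: a value-weighted tracker in which an address's score is the share of its received value that arrived from exposed senders, weighted by the sender's score at the time of the transfer (that weighting, the hop-distance metric and the sample transfers are assumptions for illustration). It also keeps each address's score history so that a past peak exposure can be reported even after later clean inflows have diluted it.

```python
from collections import defaultdict, namedtuple
# block: chain order; value: amount in one common unit (constructed values below)
Transfer = namedtuple("Transfer", "block sender receiver value")

class ExposureTracker:
    def __init__(self, roots, threshold=0.05):
        self.roots = set(roots)                 # cluster members: score fixed at 1
        self.threshold = threshold              # sender score needed to count as "exposed"
        self.received = defaultdict(float)      # total value received per address
        self.tainted = defaultdict(float)       # received value weighted by sender score
        self.distance = {r: 0 for r in roots}   # min hops from a root (assumed metric)
        self.history = defaultdict(list)        # (block, score) after each inflow

    def score(self, addr):
        if addr in self.roots:
            return 1.0
        total = self.received[addr]
        return self.tainted[addr] / total if total else 0.0

    def process(self, t):
        s = self.score(t.sender)                # sender's score at the moment of transfer
        self.received[t.receiver] += t.value    # every inflow counts; clean ones dilute
        if s > 0 and s >= self.threshold:       # "transfer from an exposed address"
            self.tainted[t.receiver] += t.value * s
            hop = self.distance[t.sender] + 1
            self.distance[t.receiver] = min(self.distance.get(t.receiver, hop), hop)
        if t.receiver not in self.roots:
            self.history[t.receiver].append((t.block, self.score(t.receiver)))

    def peak(self, addr):
        # highest score ever held: catches addresses exposed earlier and diluted since
        return max((s for _, s in self.history[addr]), default=self.score(addr))

# Constructed chain mixer -> A -> B -> C -> D with clean inflows diluting along the way.
SAMPLE = [
    Transfer(1, "mixer", "A", 20.0),      # A: 20 of 20 tainted -> 1.0
    Transfer(2, "exchange", "A", 20.0),   # A: 20 of 40         -> 0.5
    Transfer(3, "A", "B", 10.0),          # B: 10*0.5 = 5 of 10 -> 0.5
    Transfer(4, "payroll", "B", 10.0),    # B: 5 of 20          -> 0.25
    Transfer(5, "B", "C", 8.0),           # C: 8*0.25 = 2 of 8  -> 0.25
    Transfer(6, "payroll", "C", 32.0),    # C: 2 of 40          -> 0.05 (still at threshold)
    Transfer(7, "C", "D", 10.0),          # D: 10*0.05 = 0.5 of 10 -> 0.05, four hops out
]

def run(transfers, roots=("mixer",), threshold=0.05):
    tracker = ExposureTracker(roots, threshold)
    for t in sorted(transfers, key=lambda x: x.block):   # replay in chain order
        tracker.process(t)
    return tracker
```

Raising the threshold cuts the chain off earlier (with 0.1, D receives nothing tainted), which is the trade-off between catching long laundering chains and flagging addresses with negligible exposure.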
Our algorithm tracks the exposure to mixer funding across long chains of money transfers. In some cases, we see the money moved across more than ten addresses in a row, probably by the hacker or malicious actor to avoid detection and lower their AML score.
To test the effectiveness of our algorithm, we used a dataset containing all transfers on Ethereum Mainnet between January 17, 2023, 00:00:11, and February 7, 2023, 11:03:47. The dataset included regular transactions, internal transactions, and token transfers. It included tens of millions of transfers across more than 4 million addresses!
We focused on two clusters of mixer services: Tornado Cash and Aztec. These clusters are known to be popular among malicious actors, as they allow users to mix their transactions and obscure their tracks on the blockchain.
Our analysis revealed a significant number of exposed addresses in the given period. We found 140k exposed addresses, with exposure scores ranging from 0 to 1. The majority of these addresses, however, had exposure scores of less than 0.1. This indicates that at no point in the time range did a large portion of their received funds originate from the mixer cluster.
Out of over 4 million addresses that transferred funds during the experiment, ~3% had some exposure to funding from mixers. Our investigation also provides some valuable insights into the behavior of these exposed addresses. For example, we found that addresses closer to the root addresses in the cluster tended to have higher exposure scores than those further away.
In general, such exposure indicates risky addresses that might be used for attacks; our goal is to find them as early as possible to stop the malicious activity.
The exposure score depends on the proportion of the funds entering the address that originate from the cluster of mixer addresses. If most of the money comes from legitimate sources, the exposure score stays low. We track the exposure over time, meaning we can warn if an address had high exposure at any point in the past, and we can show how the exposure changed over time.
We also found that many exposed addresses had only received a small portion of their funds from the mixer cluster, indicating they may not be directly involved in malicious activity. However, the fact that they had received funds from the cluster suggests they may be at risk of being unwittingly involved in illegal activities.
In this article, we've discussed the investigation and algorithm created by Cyvers to find addresses exposed to a cluster of risk-associated addresses on the blockchain. In addition, we've introduced an algorithm that can help track exposure to these clusters and provided an analysis of two clusters of mixer services. Our analysis reveals a considerable number of exposed addresses, for many of which only a small portion of the received funds originated from mixers. This highlights the importance of identifying and monitoring these clusters to prevent fraudulent activities and maintain the integrity of the blockchain.
Our algorithm is useful for monitoring exposure to these clusters and identifying potentially risky addresses. By regularly tracking exposure scores and distance from the cluster, we can quickly detect suspicious activity and take action to prevent further harm. It is important to note that this is just one step in Cyvers' comprehensive approach to web3 security. There is no silver bullet for protecting against all threats, but Cyvers is confident we are on the right track.
As the web3 ecosystem evolves, we must prioritize security measures to ensure its long-term success. In addition, the increased use of decentralized finance (DeFi) protocols and other web3 applications means that more financial transactions are taking place on the blockchain, making it even more important to identify and address potential security risks.