Found a giant cryptocurrency mixer Ethereum

Original author: cyber.blog
  • Transfer

68% of all Ethereum transactions are controlled by one system.


When analyzing the Ethereum transactions, our team discovered such an amazing fact that we immediately went deep into studying it. Now we want to share with all our discoveries, and we hope that we will find explanations for them together (the data for self-analysis are posted on GitHub ).

What we found


The grouping of all Ethereum addresses since the advent of cryptocurrency until September 15, 2017 has revealed a class of addresses that we will call temporary in this article. These are the addresses to which they are received, and from which then almost immediately the funds leave - no later than an hour, after which these addresses are never used. Temporary addresses accounted for 46% of all active addresses and processed 65% of all transactions for the period studied. After analyzing the transactions involving these addresses, we gradually put together the full picture of what is happening:



In the center of the picture is the core of the mixer, consisting of more than 95% of the temporary addresses. This core interacts with a group of addresses from the shell, which includes both temporary and permanent addresses. The shell receives the ETH from the addresses that we will call input (on the left), and sends the ETH to the output addresses located on the right of the diagram. Based on data from Etherscan, very few of these addresses have the name of the owner. The names listed in the diagram are taken from user comments on Etherscan, so we can only assume that they are the real owners of addresses. In general, it turned out that the amount of funds transferred to the core and from the core is 4 times the amount received and then released from the shell with the core inside. We decided that such a scheme is a sign of the currency mixing mechanism, which we call here a mixer.



Of all the transactions that took place on the Ethereum blockchain during the period under review, addresses with incoming amounts of approximately 500, 1000, 2000, 3000, 5000 and 10000 ETH make up 68.5% (2,601,041,693.6 of 3,791,195 132.0 ETH) in currency terms and 10.7% (6,216,314 out of 58,035,623) by quantity. Subsequent analysis showed that these addresses are related to each other and can be controlled by one organization.

This is how the proportion of this mixer in all Ethereum transactions changed over time:





The system was apparently tested for the first time in 2016, and after launch in 2017, it was actively used. This can be explained by the increase in capitalization and liquidity of Ethereum. The most interesting thing is that the overall growth pattern of transactions Ethereum looks completely different without the mixer transactions. If we exclude them from the analysis, it becomes obvious that it is the mixer that is responsible for most of the transaction growth.



Analysis


In terms of transaction volume, these addresses are distributed as follows:



From the 6,282,858 addresses involved in the transactions in the blockchain 6,282,858 from the moment of its launch until September 15, 2017, the following set of addresses attracted our attention: the

image
incoming amount / number of addresses / share in the list of active addresses

These The addresses are responsible for 67.5 of all transferred ETHs and make up 8.5% of the total number of Ethereum transactions for the period studied. Why do we think these addresses are related?

The graph below shows how these sets of addresses replace each other one by one. Take one set of addresses, for example, addresses with incoming currency in the region of 1000 ETH. After being active for some time, the addresses from this set become inactive, after which another set of addresses comes into play, receiving about 3000 ETH per transaction. Addresses work as if under control, one set replaces the other, which led us to the idea of ​​the existence of a control system. These addresses constitute the core of the whole scheme.



What found


Further analysis of the system showed the presence of temporary and permanent addresses surrounding the core and associated with it. Calculations for the kernel and related addresses for a specified period resulted in the following results:
• Rotational transactions: 67% of the volume of all transactions for active addresses.
• Input transactions: 0.8% of all transactions for active addresses
• Output transactions: 0.8% of all transactions for active addresses

Hypotheses


Here are the likely explanations of the detected activity:
• Protection offered by cryptocurrency exchangers to clients: all client funds are mixed in the mixer, so that the sources of funds cannot be traced, and owners of clean money cannot be accused of illegal transactions.
• A mechanism to protect US citizens who want to avoid control by US regulators.
• The mechanism used by a large private exchange to protect customer privacy. This exchange can work with fiat money .
• The mechanism used to securely transfer cryptocurrency between exchangers.
• Money laundering scheme.

These are only hypotheses that we would like to discuss with all those interested. If you have any other suggestions or suggestions, please contact us at datascience@cyber.fund, analytics@cyber.fund. If you want to explore the addresses on the Etherscan site yourself, a list of them can be found in this Google Sheets document.

20 most used addresses for entering cryptocurrency into the mixer



20 most used addresses for withdrawing cryptocurrency from the mixer


Also popular now: