Advanced Analysis: Lightweight Fund Tracking
In this tutorial, we will describe the fund-tracking functionality of MetaSleuth. During the investigation, we usually want to track the outgoing funds from an address. MetaSleuth facilitates this process by supporting tracking fund flow from one direction.
In the following, we show a real example of tracking the phishing victim to demonstrate this functionality. The address tracked is ryanwould.eth (0xc6D330E5B7Deb31824B837Aa77771178bD8e6713).
What is Fund Tracking and Why Metasleuth
From its inception, MetaSleuth aimed to provide analysts with more convenient visual analysis capabilities. After immersing in the on-chain sleuth group and Web3 community, we discovered that one of the most common tasks is tracking outgoing funds from a specific address within a defined time range.
For instance, this involves tracking stolen funds from a victim's address to recover the funds, monitoring the targets of smart money for better investments, and tracking suspicious transactions for anti-money laundering (AML) purposes.
However, the fund flow from these active addresses can be extremely complex, involving multiple tokens, diverse targets, and spanning long periods. This situation does bring troubles for on-chain sleuths who must spend time extracting relevant information for their analysis.
To solve this problem, MetaSleuth has provided the most lightweight/ best user experience/ fastest solution plan among all the assistant tools.
Tracking Details
When investigating a phishing case, the information we have is as follows.
ryanwould.eth (0xc6D330E5B7Deb31824B837Aa77771178bD8e6713) has suffered considerable losses in phishing. And furious on-chain sleuth tasked with finding out where stolen funds are going and uncovering hidden phishing groups.
Known Clues
Victim:ryanwould.eth (0xc6D330E5B7Deb31824B837Aa77771178bD8e6713)
Time: around 2023.02.25-2023.02.27
Loss Assets: unknown token, unknown amount
Network: Ethereum
Step 1: Select the address
Visit metasleuth.io, select the corresponding blockchain network (the default is Ethereum), and enter the origin address of the funds, i.e., ryanwould.eth.
Metasleuth will resolve the corresponding address based on the ENS name. Then, on the search box's right side, use Metasleuth's core function, Advanced Analyze
.
Step 2: Select the direction
After entering the Advanced Analyze Settings panel, we can choose the funds' direction and the time range. In this task, we only focus on the outflow of funds (out) and the time period around the fishing occurred (2023-02-25->2023-02-28). After completing the configuration settings, we click apply and press Enter to enter the canvas.
Step 3: Generate the first fund flow graph
That's great! Metasleuth.io quickly generates a visual graph of all outgoing fund flows between February 25, 2023, and February 28, 2023. Thanks to this function, we save a lot of data sifting time.
Moreover, leveraging the address label maintained by MetaSleuth, we can readily identify that within this brief timeframe, only two unusual fund flows were detected, both directed toward the address "Fake_Phishing11227". These anomalous transactions involved 1,842 USDC and 519,351 DATA tokens, as depicted in the graph.
Step 4: Filter interested tokens
For better display, we open the token configuration item, remove other default tokens, leaving only the stolen tokens (USDC, DATA), and then confirm our changes.
Step 5: Extend the fund flow of interested address
The fund flow becomes extremely concise and clear. To trace the fund outgoing, we further extended the second hop of the fund transfer. In the second hop of the fund transfer relationship, we found that the phishing address "Fake_Phishing11227" transferred the stolen funds to Airswap and exchanged tokens through Airswap.
Step 6: Process the token swap operation
Due to our token filtering configuration, we only focused on DATA and USDC, which obscured the process of token swapping. To address this, we added ETH to the token configuration and added the swap transaction (0x23f4ed07e2937c3f8f345e44ce489b8f83d2b6fdbf0697f6711ff4c7f2a55162) again. With this update, we now have a complete view of the token-swapping process. The phishing actor exchanged USDC and DATA tokens through AirSwap and obtained 14.58 ETH. At this stage (2022-02-27 22:30), solely focusing on USDC and DATA would no longer be meaningful. We need to trace the path of the acquired ETH to uncover additional phishing addresses.
Step 7: Further filter with time range
Therefore, we continued with the Advanced Analysis of the phishing address "Fake_Phishing11227". Similarly, we only focus on the outgoing funds, and the time range between February 27, 2023, and February 28, 2023. We proceed by clicking the "Analyze" button to proceed with the analysis.
Step 8: Stop the investigation when finding interested recipients
We have obtained the fund destinations from "Fake_Phishing11227" within the specified time range. It appears that there are numerous receiving addresses involved, indicating a process of distributing the illicitly obtained funds.
Among all the recipients, the addresses "offtherip.eth", "Fake_Phishing76579", and "Fake_Phishing7064" received the majority of the distributed funds, amounting to 10.36 ETH, 8.36 ETH, and 1.85 ETH, respectively.
Based on this distribution ratio, we regard offtherip.eth as the most suspicious entity in this investigation and attract attention.
With obtaining the unusual address "offtherip.eth", further steps may require utilizing non-blockchain techniques, such as social engineering analysis. However, in this analysis focused on on-chain fund transfers, metasleuth.io has provided a plethora of convenient technical assistance, enabling the entire analysis to be completed in less than 10 minutes.
Conclusion
In this tutorial, we show an example of using MetaSleuth to track a phishing victim's fund flow. The summary of the analysis is as follows.
Victim: ryanwould.eth (0xc6D330E5B7Deb31824B837Aa77771178bD8e6713)
Time: 2023-02-27 22:00
Loss Assets: 1,842 USDC, 519,351 DATA
Network: Ethereum
Funds Target:
First Hop: Fake_Phishing 11227
Second Hop:
offtherip.eth
Fake_Phishing76579
Fake_Phishing7064
Analysis Time consumed: <10 min
Last updated