Same Behaviour

[skyonedot]

Related Safe Addresses

In this issue, I detailed the problematic multi-sign address and the corresponding owner's abnormal behavior. 🍄

The owner of group is the same, and it has never changed since its creation, which is the most doubtful and basic point. 🚨🚨

0x0ed9eef0d135ea684067b2cf7c9a8809200ffc4d
0x2696b20a5e3bd09703f825d449fb973ed18315b9
0x74071154a47cb452b53d1c8940ebfe86620b515a

0x72d31f74f57426ec6a469c15667ec3dd43e956e9
0x182d949b2f98bed88a99a0e1ea00d651f2bdc783
0x3b2d7aa366f35efb450bf7fe7bd2126976c52f97

0x1f6c5cfe9244b60f6597aec8324309c98f99f6f4
0x99cccea2d7893311b3292bdfb6af13f5e3d62d87
0x9ff7ff43dab41db38f4772a286a61a99de840065

0xb4839a670971c0e3cd933bc128dbdf0746b697a3
0xe999aecda2837a4b20fdc1bd74ec3b63d86c7635

Reasoning

There is an abnormal behavior that is understandable

However, if there are many abnormal behaviors, then there is enough reason to determine that these addresses are airdrop farmer.

• Safe address in each group have transferred the same number of ETH to the same Receiver, at the same time [Check The Table below]🚨🚨

• All of group1 transfer 0.008 ETH to 0xb8ae362cc213ef5acf9d2d202c06ac78456aa745(Owner) at 2022-08-13

• Group1 Owner is always same, no add and no remove,

  • 0xb8ae362cc213ef5acf9d2d202c06ac78456aa745 -- send 9 transactions, Wallet 1,
  • 0xfd6e168196ade8a51ebe8787aa14a02d20a99787 -- send 3 transactions, Wallet 2, First money came from wallet1 at Aug-13-2022 03:07:08 AM +UTC. https://etherscan.io/tx/0xe7a7bd4e0c180f52315a1b63a902362132ae91cc98e21dcc29383cfc1e24f840

• All of group2 transfer small amount ETH to 0x30a268aac763770e132de1297a053b7248fe832c(Owner)

• Group2 Owner is always same, no add and no remove

  • 0x3906d93e2f34554e08a0268f87e94c265e0fb5c2 -- send 57 transactions, Wallet1
  • 0x30a268aac763770e132de1297a053b7248fe832c -- send 62 transactions, Wallet2, First Money 0.023ETH came from wallet1 at Aug-27-2019 04:19:19 PM +UTC .https://etherscan.io/tx/0x141879d62a0f79c96158bf756a49f62ae5da314b5247893c9d1f5a6b5814d49c
  • 0x4f34867398a7f24596efbd7b89f1131cc0f95175 -- send 21 transactions, Wallet3,
  • 0xabfd6c17b8375552abfdaf10328d103bab707ba0 -- send 7 transactionss, wallet4, First Money 0.02ETH came from wallet2. https://etherscan.io/tx/0xa37f783b2b1724126422acaec4937f4c25db2a08329bf116ad8f07d4d7e30601

• All of group3 transfer 0.1 ETH to 0xe67a7449d124c83cf77ce405d43ee313e78619c1 (The owner money came from this address)

• Group3 Owner is always same, no add and no remove

  • 0x2d5e0f61e3830ea4621877ef5085035e6f15bb3f -- send 0 transactions, Empty WALLET
  • 0x34e9d38d2031d44d9469a9a610c433f7e36d33f7 -- send 0 transactions, EMPTY WALLET
  • 0x8d0e4e0170d9b72a667aae54b8c0d1d3d7f218eb -- send 2 transactions, wallet 1, first money 0.15ETH came from 0xe67a7449d124c83cf77ce405d43ee313e78619c1 at Jul-30-2022 07:12:41 AM +UTC. https://etherscan.io/tx/0x15985a440a34da536bf202d89d440622d12f67db6e867b9a7837cf75b7377ab7
  • 0x600b68b6d5fb59160c8aac6dfbfdc826ced58dd5 -- send 5 transactions, wallet 2, second money 0.15ETH came from 0xe67a7449d124c83cf77ce405d43ee313e78619c1 at Jul-30-2022 07:12:01 AM +UTC. https://etherscan.io/tx/0x8bfc47a95fe1405ea85ee6fba0d9f93fe25f5763ddad92ef5d2ca4cbd73580f7

• All of group4 transfer 0.01 ETH to 0x0419395ef65947b74ad9ccd1a9753251e72e411b (owner)

• Group4 Owner is always same, no add and no remove

  • 0x0419395ef65947b74ad9ccd1a9753251e72e411b -- send 308 transactions
  • 0x564fc5027be63048121d54608cabf441e1f63473 -- send 561 transactions
  • 0x97263302056c9d2f708153c0aeee7b7fe5ebec93 -- send 142 transactions

• These multi-sign addresses have a very small number of sending transactions, more like farmer of airdrop

• Please Check Table 👇🏻

  • Address -- multi-sign safe address
  • Execute transactions -- The number of execute transactions by multi-sign address
  • Receiver -- The USDT Receiver
  • Token -- USDT
  • Date -- The Date of send USDT to same receiver
  • Tx -- tx

Address	Execute Transactions	Receiver	Amount	Token	Date	Tx
0x0ed9eef0d135ea684067b2cf7c9a8809200ffc4d	1	0xb8ae362cc213ef5acf9d2d202c06ac78456aa745	2022/08/13	0.0008000000	ETH	https://etherscan.io/tx/0x7ca78280f254898132f7266056c9762a507fcd7658e1807278048b901d1e196b
0x2696b20a5e3bd09703f825d449fb973ed18315b9	1	0xb8ae362cc213ef5acf9d2d202c06ac78456aa745	2022/08/13	0.0008000000	ETH	https://etherscan.io/tx/0x0fc3967580e7f433a51099a2b24ba3049706cd308418eab3253eb0bf90986e4f
0x74071154a47cb452b53d1c8940ebfe86620b515a	1	0xb8ae362cc213ef5acf9d2d202c06ac78456aa745	2022/08/13	0.0008000000	ETH	https://etherscan.io/tx/0xffe17d3bd04f60a7ebfe8c3733dcaa8f2496f839f065fb451c3ec309f1cc5fb8
---	---	---	---	---	---	---
0x72d31f74f57426ec6a469c15667ec3dd43e956e9	1	0x30a268aac763770e132de1297a053b7248fe832c	2021/07/01	0.0001600000	ETH	https://etherscan.io/tx/0x1018f2adad01da6c864d77a78fd492cdaf10073269cd586deeaba301c4090c75
0x182d949b2f98bed88a99a0e1ea00d651f2bdc783	1	0x30a268aac763770e132de1297a053b7248fe832c	2021/08/31	0.0050000000	ETH	https://etherscan.io/tx/0x92f667e8914e23e09c6887664721620cc410206a5beeb4ee6b8af11a79fd72de
0x3b2d7aa366f35efb450bf7fe7bd2126976c52f97	1	0x30a268aac763770e132de1297a053b7248fe832c	2022/08/09	0.0005000000	ETH	https://etherscan.io/tx/0x1bc070a9a59837523231050a2f0d33ff6788a7f2f185b75892e722f674a15397
---	---	---	---	---	---	---
0x1f6c5cfe9244b60f6597aec8324309c98f99f6f4	1	0xe67a7449d124c83cf77ce405d43ee313e78619c1	2022/07/30	0.1000000000	ETH	https://etherscan.io/tx/0x16e8fea4b4dd3805fac3a2c0c53481445ba82f3e80f3ed0861669fac3ee19563
0x99cccea2d7893311b3292bdfb6af13f5e3d62d87	1	0xe67a7449d124c83cf77ce405d43ee313e78619c1	2022/07/30	0.1000000000	ETH	https://etherscan.io/tx/0x6bfc4644e0dae4457dc8d88ce62e92e17dea5df3799fdab44f9e2dbc164200a4
0x9ff7ff43dab41db38f4772a286a61a99de840065	1	0xe67a7449d124c83cf77ce405d43ee313e78619c1	2022/07/30	0.1000000000	ETH	https://etherscan.io/tx/0x1c62f7f81b43d48823d5d7b47e8089dee6d3eee244c6137b7e23f540d05ca3c1
---	---	---	---	---	---	---
0xb4839a670971c0e3cd933bc128dbdf0746b697a3	1	0x0419395ef65947b74ad9ccd1a9753251e72e411b	2022-08-19	0.0100000000	ETH	https://etherscan.io/tx/0xd853e13cc63cf039c244bd68b6b4dd645fba2f1a59b6788f8d76f1bc6ea3e9f3
0xe999aecda2837a4b20fdc1bd74ec3b63d86c7635	1	0x0419395ef65947b74ad9ccd1a9753251e72e411b	2022-08-19	0.0100000000	ETH	https://etherscan.io/tx/0xf6dfca9dc1478aa324cee0f136245495c0133aa8992ec73bdcd47acff8a4c013

---

Methodology

Addresses are reported by retrieving information from the chain, using bitquery's graphql, and detecting abnormal behavior, such as empty wallets, mutual transfers, etc.

When only some of the anomalous behaviors are present, we can consider the address reasonable, but when an address has all the anomalous behaviors, we have good reason to suspect that the address is false. Especially if the multi-signature address and the owner address have obvious exceptions both, then it is obvious that this is airdrop farmer.

Abnormal behaviors include

• For Multi-Sign Address

  • Few transactions were executed
  • There is a lot of overlap in the interactions, such as the destination address, and the time
  • The owner of multiple multi-signature addresses is exactly the same, and never changes from start to finish

• For Owner Address

  • Empty address
  • The first source of funds is the owner.
  • Mutual transfer
  • Behavior similarity

If the verification is passed and my strategy is great, I can provide my source code, but for now it is not conveninet

Safe Address

0xce495858e36c95f491b5a32ca2664405cf10ab76

Thanks

[tschubotz]

Thanks for the report. All of these Safes except for 6 have been found by a previous report, unfortunately.

And for these ones I'm unable to follow your reasoning. It might be legitimate use.

0x72d31f74f57426ec6a469c15667ec3dd43e956e9
0x182d949b2f98bed88a99a0e1ea00d651f2bdc783
0x3b2d7aa366f35efb450bf7fe7bd2126976c52f97
0x1f6c5cfe9244b60f6597aec8324309c98f99f6f4
0x99cccea2d7893311b3292bdfb6af13f5e3d62d87
0x9ff7ff43dab41db38f4772a286a61a99de840065