Same Behaviour

[skyonedot]

Related Safe Addresses

In this issue, I detailed the problematic multi-sign address and the corresponding owner's abnormal behavior. 🍄

The owner of group is the same, and it has never changed since its creation, which is the most doubtful and basic point. 🚨🚨

0x7bd80021e296694ebb7166ce3e3ad2fc1f568144
0x059abd784c1f01a731f8eb44c0fa70044303ebe0
0xb1161a660de5def46743e3fc972a829980a7fc35
0x072830d270d30d2749b856e38b471f3c574b2ac8
0xb7da669b7e8915b6d3d89464a5fa4a5ceebac76c
0x9a2f6e53ba8c18440591159cc8373e9635820e8f
0xc45f81d76ba33608414ee9a19dd721c634f1f3dd
0xc8df2f735fc367ce3970162a6936f0bd4eca33ad
0xd6d592eabe69dcddd5428b31531c2e7dafe06c5f
0xef3f47f50b64719dd76af31aaf80ace4dd865ad7
0xfd2d5628b478c18efa5d1855914d05ce35d7feb9

Reasoning

There is an abnormal behavior that is understandable

However, if there are many abnormal behaviors, then there is enough reason to determine that these addresses are airdrop farmer.

• All of The Owner first Money From same wallet

• All of The Owner receiver Money at same time period

• Group Owner is always same, no add and no remove

  • 0x69af5d305e27a4bc55c81cd8e91faf23eb0eaa77 -- send 127 transactions, Main Wallet, Distribute ETH
  • 0x2913fa494dcc3fa67620ef1a02b5e230d0f86d04 -- send 2 transactions, First Money 💰0.025ETH💰 Came From Main Wallet. Apr-17-2021 04:45:21 PM +UTC. https://etherscan.io/tx/0xa917efa56eb29122ad973b9e1f7830128a07e9378e5ad3d17d809e89f27f338f
  • 0x60989874a480177a1e7f5d53506173d3d81809e7 -- send 46 transactions, First Money 💰0.025ETH💰 Came From Main Wallet. Apr-17-2021 04:46:56 PM +UTC https://etherscan.io/tx/0x6a8e90516a8be0d1a88799cdf328c27d6df814b14124f22e1abdb7876900830d
  • 0x9eee320352d06e06250f04d5d55b42e58169d58d -- send 103 transactions, First Money 💰0.025ETH💰 Came From Main Wallet. Apr-17-2021 04:46:56 PM +UTC https://etherscan.io/tx/0xa08311b4b8dc8e4b5c11abfd88e223cc143d1ee0abb076e97d3da0175c76dcb7

• All of the safe address send ETH To same receiver 0x69af5d305e27a4bc55c81cd8e91faf23eb0eaa77 at same time period 2021/09/01, check table 🚨🚨🚨🚨

• All of the safe address send ETH To same receiver 0x69af5d305e27a4bc55c81cd8e91faf23eb0eaa77 at same time Amount < 0.001 ETH, check table 🚨🚨🚨🚨

• Please Check Table 👇🏻

  • Address -- multi-sign safe address
  • Execute transactions -- The number of execute transactions by multi-sign address
  • Receiver -- The USDT Receiver
  • Token -- USDT
  • Date -- The Date of send USDT to same receiver
  • Tx -- tx

Address	Execute Transactions	Receiver	Date	Amount	Token	Tx
0x7bd80021e296694ebb7166ce3e3ad2fc1f568144	8	0x69af5d305e27a4bc55c81cd8e91faf23eb0eaa77	2021\09\01	0.0075634825	ETH	https://etherscan.io/tx/0x5ceeb18a227817e5ca128992304dfb5ebd509c1dac84dc628c244bb611857096
0x059abd784c1f01a731f8eb44c0fa70044303ebe0	1	0x69af5d305e27a4bc55c81cd8e91faf23eb0eaa77	2021\09\01	0.0075634825	ETH	https://etherscan.io/tx/0x456e294afe105bdf8a93f4095f77aa48b7706932a2a8d00826959e4dbe4d9231
0xb1161a660de5def46743e3fc972a829980a7fc35	1	0x69af5d305e27a4bc55c81cd8e91faf23eb0eaa77	2021\09\01	0.0075634825	ETH	https://etherscan.io/tx/0x72c969de753e94d17bdc31efc34b4cc6ec6f954d8a718058049a5c3a0b3b4df3
0x072830d270d30d2749b856e38b471f3c574b2ac8	7	0x69af5d305e27a4bc55c81cd8e91faf23eb0eaa77	2021\09\01	0.0075634825	ETH	https://etherscan.io/tx/0x4af69fc95c50b498b1890616ee34628bf3646fe8fdfc6c77e7fa0a61030b0d67
0xb7da669b7e8915b6d3d89464a5fa4a5ceebac76c	6	0x69af5d305e27a4bc55c81cd8e91faf23eb0eaa77	2021\09\01	0.0075634825	ETH	https://etherscan.io/tx/0xaef0d8c5446a18ab7da2f0df6a381b8bf92cbada1b37ca6d3ef82dcf2cfaacef
0x9a2f6e53ba8c18440591159cc8373e9635820e8f	8	0x69af5d305e27a4bc55c81cd8e91faf23eb0eaa77	2021\09\01	0.0075634825	ETH	https://etherscan.io/tx/0x426e5cfd9ca3b5ff1088d6fef85eb5c4784333d818e29f48554e65fa86eedb5d
0xc45f81d76ba33608414ee9a19dd721c634f1f3dd	8	0x69af5d305e27a4bc55c81cd8e91faf23eb0eaa77	2021\09\01	0.0074818530	ETH	https://etherscan.io/tx/0x95b8eb6aec404cc0018a8e4713da60ac4304eba2c624c3cbd3c59d6ab768fa64
0xc8df2f735fc367ce3970162a6936f0bd4eca33ad	67	0x69af5d305e27a4bc55c81cd8e91faf23eb0eaa77	2021\09\01	0.0075513580	ETH	https://etherscan.io/tx/0x1d754d5c7f5043a3fe1d6c17fbe618cf5482082c712c3d90da682f47cac3f997
0xd6d592eabe69dcddd5428b31531c2e7dafe06c5f	7	0x69af5d305e27a4bc55c81cd8e91faf23eb0eaa77	2021\09\01	0.0075634825	ETH	https://etherscan.io/tx/0x5519b733759f051d98f30fd050235dba0b65a5c8ad4acc5b963d05f2e2b2cf1f
0xef3f47f50b64719dd76af31aaf80ace4dd865ad7	1	0x69af5d305e27a4bc55c81cd8e91faf23eb0eaa77	2021\09\01	0.0075634825	ETH	https://etherscan.io/tx/0xc93c9bf41c1b7bbf78e329071aa8fed6b8bedf14abb1d3efa9a866ef6a827012
0xfd2d5628b478c18efa5d1855914d05ce35d7feb9	1	0x69af5d305e27a4bc55c81cd8e91faf23eb0eaa77	2021\09\01	0.0075634825	ETH	https://etherscan.io/tx/0x31a53698d044764f98c7862767f1cbe441ae758335150367c5c8103d3c774e8a

---

Methodology

Addresses are reported by retrieving information from the chain, using bitquery's graphql, and detecting abnormal behavior, such as empty wallets, mutual transfers, etc.

When only some of the anomalous behaviors are present, we can consider the address reasonable, but when an address has all the anomalous behaviors, we have good reason to suspect that the address is false. Especially if the multi-signature address and the owner address have obvious exceptions both, then it is obvious that this is airdrop farmer.

Abnormal behaviors include

• For Multi-Sign Address

  • Few transactions were executed
  • There is a lot of overlap in the interactions, such as the destination address, and the time
  • The owner of multiple multi-signature addresses is exactly the same, and never changes from start to finish

• For Owner Address

  • Empty address
  • The first source of funds is the owner.
  • Mutual transfer
  • Behavior similarity

If the verification is passed and my strategy is great, I can provide my source code, but for now it is not conveninet

Safe Address

0xce495858e36c95f491b5a32ca2664405cf10ab76

Thanks

[tschubotz]

I'm not able to follow your reasoning how e.g. https://gnosis-safe.io/app/eth:0xc8df2f735fc367ce3970162a6936f0bd4eca33ad/transactions/history should be airdrop farming.