Same Behaviour(R)

[skyonedot]

Related Safe Addresses

In this issue, I detailed the problematic multi-sign address and the corresponding owner's abnormal behavior. 🍄

Each group received the same number of ETH transferred from the same address at the same time.. 🚨🚨 🚨🚨

0x67380b7bbcaa81ef47a13434c0092739fc0e0bcb
0x261b183938664935f65ff91a9d74f87c4b2c0513
0xbf6b8d52a39efe4fccc1a6605f8279a29b1a5aaa
0xb4c93d4d2de01d8fca2425fae703068792cd5b16
0xd0e04fa0ef76aaaa8f3e46a5dabb8ea90531648f
0xf53b40dc9c2da0a9198d3cfe8a845c9fff3cd3b7
0x0eed91e8b96b9c7b8dca4c525eceeea974070c81
0xf34a75475b6b69637709a66c6eeb94613f69b8e8

0x115a18240ffdf34051c32f3dae15af9e487aa012
0xcc5482edf1f65e964f0775c0ec30fa59adc1f73b
0x3e149bb9fea31238cb0ccd5d83d23f7f0ec00c95
0xe7779ab4bb98547e53395ba599bf5cdf2866d72f
0xe7eb96da71d848ba6f9b0c5e9034cd624c7f5b5b

Reasoning

There is an abnormal behavior that is understandable

However, if there are many abnormal behaviors, then there is enough reason to determine that these addresses are airdrop farmer.

• The Owner of these two groups have never changed, no Add/Remove

• Each group had received the almost same number of ETH from the same address at the same time period. 🚨🚨

• Group1

  • The owner addresses in group 1 receive their first funds from Binance, and the timing is close, the amount is also close.

  • All safe addresser receiver small amount ETH(small 0.1ETH) from same sender address 0xe26650d1146a544e68077b2cbdf40bb3574c2634 as same time 2021/12/19--2021/12/27[Check Table below]

  • same sender 0xe26650d1146a544e68077b2cbdf40bb3574c2634 is one of the owner

  • Group Owner is always same, no add and no remove

    • 0x7fe0a22629ecd75cec5e9427dec9f26c4beb49dd -- send 99 transactions
    • 0xe26650d1146a544e68077b2cbdf40bb3574c2634 -- send 96 transactions

• Group2

  • All safe addresses received 0.01ETH or 0.02ETH to the same address 0xcc61df88ee9ae3e945543075e9b66b7e67f3cd31, at the same time 2021/05/13 [Check Table below]

  • Group Owner is always same, no add and no remove

    • 0x32593dd54cadaeebfa113e7ab57d81664a42e119 -- send 5 transactions
    • 0x3fccd3d9bb68e5d8c709fe50fb908040921c310e -- send 38 transactions
    • 0x9ddb4793c55215d18391cf4568ff90a3e81906cc -- send 0 transactions

• Please Check Table 👇🏻

  • Address -- multi-sign safe address
  • Execute transactions -- The number of execute transactions by multi-sign address
  • Sender -- The ETH Sender
  • Token -- ETH
  • Date -- The Date of receive ETH from the same sender
  • Tx -- tx

Address	Execute Transactions	Sender	Date	Amount	Token	Tx
0x67380b7bbcaa81ef47a13434c0092739fc0e0bcb	4	0xe26650d1146a544e68077b2cbdf40bb3574c2634(owner)	2021/12/19	0.0299999999	ETH	https://etherscan.io/tx/0x234675eb8d03a5ea59b0db2f7df5b756415e4a017a7c6e357168cd47a1905172
0x261b183938664935f65ff91a9d74f87c4b2c0513	1	0xe26650d1146a544e68077b2cbdf40bb3574c2634(owner)	2021/12/19	0.0299999999	ETH	https://etherscan.io/tx/0x75ac72384cd69b04e277899a18cadbf399922bb6873cfd647d71dbf074eb9718
0xbf6b8d52a39efe4fccc1a6605f8279a29b1a5aaa	46	0xe26650d1146a544e68077b2cbdf40bb3574c2634(owner)	2021/12/19	0.0299999999	ETH	https://etherscan.io/tx/0x62ca9db54c42cd07ab8ece9b04196ca6ac505b1a0cff9bcb6e3f8b99f4001c2b
0xb4c93d4d2de01d8fca2425fae703068792cd5b16	0	0xe26650d1146a544e68077b2cbdf40bb3574c2634(owner)	2021/12/19	0.0299999999	ETH	https://etherscan.io/tx/0xda5bcce3a4a931c414c1cbe76c8826025f102ee844febe2b249841d2d9a6f889
0xd0e04fa0ef76aaaa8f3e46a5dabb8ea90531648f	11	0xe26650d1146a544e68077b2cbdf40bb3574c2634(owner)	2021/12/19	0.0299999999	ETH	https://etherscan.io/tx/0x1fbabbbbe2931b5701f9ce49a0403ae20c267880c7229764378fbc9db8438164
0xf53b40dc9c2da0a9198d3cfe8a845c9fff3cd3b7	2	0xe26650d1146a544e68077b2cbdf40bb3574c2634(owner)	2021/12/19	0.0295173100	ETH	https://etherscan.io/tx/0x2cfd1ac29258c28974fe5afb5ef372d68b0cf495d69a1c94340bf8c36972d933
0x0eed91e8b96b9c7b8dca4c525eceeea974070c81	1	0xe26650d1146a544e68077b2cbdf40bb3574c2634(owner)	2021/12/21	0.0400000000	ETH	https://etherscan.io/tx/0xe98070850c9d3316c6bf49f4303d95175ec9998f9196dad2f19ba127e2687803
0xf34a75475b6b69637709a66c6eeb94613f69b8e8	18	0xe26650d1146a544e68077b2cbdf40bb3574c2634(owner)	2021/12/27	0.1000000000	ETH	https://etherscan.io/tx/0x553bda3f1074bf71eaa5eb3b4826cd4bb164443634d2c51fa8eea66f7a744da5
------------------------------------------	----	------------------------------------------	----------	------------	-----	------------------------------------------------------------
0x115a18240ffdf34051c32f3dae15af9e487aa012	5	0xcc61df88ee9ae3e945543075e9b66b7e67f3cd31	2021/05/13	0.1000000000	ETH	https://etherscan.io/tx/0x32ea6de39bf32e118c89b5d619ee3712fb5d34846b33d4582dbba78c81b2a597
0xcc5482edf1f65e964f0775c0ec30fa59adc1f73b	0	0xcc61df88ee9ae3e945543075e9b66b7e67f3cd31	2021/05/13	0.2000000000	ETH	https://etherscan.io/tx/0x5d4c7e9a6b435e037e9333eea67fd71bb67ad772da5f750f5437adad87ee61a4
0x3e149bb9fea31238cb0ccd5d83d23f7f0ec00c95	0	0xcc61df88ee9ae3e945543075e9b66b7e67f3cd31	2021/05/13	0.2000000000	ETH	https://etherscan.io/tx/0x466d5f02b4651731f76e7eb0257336580d9f981367b065b0cf5b4113080e097b
0xe7779ab4bb98547e53395ba599bf5cdf2866d72f	4	0xcc61df88ee9ae3e945543075e9b66b7e67f3cd31	2021/05/13	0.2000000000	ETH	https://etherscan.io/tx/0x6210f1a940e0cec4f6d5095bcb78115af074b0d2525fdf3c3bf1564c88922e86
0xe7eb96da71d848ba6f9b0c5e9034cd624c7f5b5b	5	0xcc61df88ee9ae3e945543075e9b66b7e67f3cd31	2021/05/13	0.1000000000	ETH	https://etherscan.io/tx/0x80bb6dea3c545c5a72b99f15c155ba9b162dbf761da4f8f0a34341c2b20ea0ff

Methodology

Addresses are reported by retrieving information from the chain, using bitquery's graphql, and detecting abnormal behavior, such as empty wallets, mutual transfers, etc.

When only some of the anomalous behaviors are present, we can consider the address reasonable, but when an address has all the anomalous behaviors, we have good reason to suspect that the address is false. Especially if the multi-signature address and the owner address have obvious exceptions both, then it is obvious that this is airdrop farmer.

Abnormal behaviors include

• For Multi-Sign Address

  • Few transactions were executed
  • There is a lot of overlap in the interactions, such as the destination address, and the time
  • The owner of multiple multi-signature addresses is exactly the same, and never changes from start to finish

• For Owner Address

  • Empty address
  • The first source of funds is the owner.
  • Mutual transfer
  • Behavior similarity

If the verification is passed and my strategy is great, I can provide my source code, but for now it is not conveninet

Safe Address

0xce495858e36c95f491b5a32ca2664405cf10ab76

Thanks

[tschubotz]

I'm unable to follow your reasoning. Also, how is https://gnosis-safe.io/app/eth:0xf34a75475b6b69637709a66c6eeb94613f69b8e8/transactions/history not legitimate use? Store of value is legit use.