Same Behaviour(R)

[skyonedot]

Related Safe Addresses

In this issue, I detailed the problematic multi-sign address and the corresponding owner's abnormal behavior. 🍄

Each group received the same number of ETH transferred from the same address at the same time.. 🚨🚨

0xc90db3aea38970621f2d81fdfe70b1b30103c4a9
0x3f3df308ef35283544ca8eb3345b38dcceb40b2d
0x656afbfb370e763bb2354b4d2f4a1e3b6da5f109
0xfec1d52128816efbf64681606d21ee047f4f77b7

0x517eb2dc62409e14180174277b16bd9b3e31baa3
0xbda497bb2584b79490cd792d8e6248df38a82eea
0xc2404882710364d1b1051e1bfb7ba886a99823f3
0x6a81adc68ea677f053b3207e40416c94140d773b

0x4e50f7a87399e956e399eea81c811cd04ced09f2
0x596aa760ab094ea50579d5cdc6fdbddd7c8b8cc4
0x98453192c444d99bd2a5923cc102e38192a03de5
0xf5ced48c114dd38fff0912ff43aa51fa9e495f95

Reasoning

There is an abnormal behavior that is understandable

However, if there are many abnormal behaviors, then there is enough reason to determine that these addresses are airdrop farmer.

• The Owner of these three groups have never changed, no Add/Remove

• Each group had received the almost same number of ETH from the same address at the same time period. 🚨🚨

• Group1

  • The owner addresses in group 1 receive their first funds from Binance, and the timing is close, the amount is also close.

  • All safe addresser receiver same amount 0.08ETH from same sender address 0x520e728a4b81fa48e3c39c74ec2419b3b99cfb51 as same time 2020/11/27[Check Table below]

  • Group Owner is always same, no add and no remove, only this one owner

    • 0x7e371ddf60f5d415a5f60ba28860839138dcd29f -- send 27 transactions

• Group2

  • All safe addresser receiver same amount 0.05ETH from same sender address 0xa1a3524e1bd29f71d11e787d36baebb91bfc20da as same time 2022/04/06--2022/04/07[Check Table below]

  • same sender 0xa1a3524e1bd29f71d11e787d36baebb91bfc20da is one of the owner

  • Group Owner is always same, no add and no remove, only this one owner

    • 0xa1a3524e1bd29f71d11e787d36baebb91bfc20da -- send 1038 transactions

• Group3

  • All safe addresser receiver same amount 0.035ETH from same sender address 0x0bddf292948e4bc6d766f62bda270d2185bf162b as same time 2022/07/04[Check Table below]

  • Group Owner is always same, no add and no remove

    • 0x11008d9671aaa113c66105154753eb5cfbef76a4 -- send 12 transactions, First money 0.01ETH came from 0x4e50f7a87399e956e399eea81c811cd04ced09f2, at Jul-04-2022 05:12:30 AM +UTC. https://etherscan.io/tx/0x11e97f8dc2d4f159280bcc7d2cd7158d5a3a132ea625b677575f96cbc81b8d89
    • 0xc8339805aed54fd7ebe9ace46208bd68d721faa9 -- send 11 transactions, First money 0.01ETH came from 0x4e50f7a87399e956e399eea81c811cd04ced09f2, at Jul-04-2022 05:10:31 AM +UTC. https://etherscan.io/tx/0x133cd1cfffe7240a9bbc8477ab66b75974743c05ec35b9e4bf546277038eaa9f
    • 0xb50762fc629092072f798a1f0c757b3d92c06f70 -- send 10 transactions, Secomd money 0.005ETH came from 0x4e50f7a87399e956e399eea81c811cd04ced09f2, at Jul-04-2022 04:54:47 AM +UTC . https://etherscan.io/tx/0xd6bb285816ef91056c2c9afa364c5a868f7970ef36ed5165604fa146b31fbeb9

• Please Check Table 👇🏻

  • Address -- multi-sign safe address
  • Execute transactions -- The number of execute transactions by multi-sign address
  • Sender -- The ETH Sender
  • Token -- ETH
  • Date -- The Date of receive ETH from the same sender
  • Tx -- tx

Address	Execute Transactions	Sender	Date	Amount	Token	Tx
0xc90db3aea38970621f2d81fdfe70b1b30103c4a9	1	0x520e728a4b81fa48e3c39c74ec2419b3b99cfb51	2020/11/27	0.0800000000	ETH	https://etherscan.io/tx/0xceb634dae783b31a4450b58b58f1aa40c7662cda4c1659151ecb87d23fc8660e
0x3f3df308ef35283544ca8eb3345b38dcceb40b2d	2	0x520e728a4b81fa48e3c39c74ec2419b3b99cfb51	2020/11/27	0.0800000000	ETH	https://etherscan.io/tx/0xf267cfa088233de9d40c2668e8ee4ee5b8445c4fc88d4a50915963d174c8d6e1
0x656afbfb370e763bb2354b4d2f4a1e3b6da5f109	1	0x520e728a4b81fa48e3c39c74ec2419b3b99cfb51	2020/11/27	0.0800000000	ETH	https://etherscan.io/tx/0xcad83f473109331151aacdd6910660ac5d1a135d9c5549263684f502596e5eaa
0xfec1d52128816efbf64681606d21ee047f4f77b7	1	0x520e728a4b81fa48e3c39c74ec2419b3b99cfb51	2020/11/27	0.0800000000	ETH	https://etherscan.io/tx/0x1e79ae7051d2afeb1c221a046588327fe55620f017656731a3d1c18aaf1d3ef3
------------------------------------------	----	------------------------------------------	----------	------------	-----	------------------------------------------------------------
0x517eb2dc62409e14180174277b16bd9b3e31baa3	2	0xa1a3524e1bd29f71d11e787d36baebb91bfc20da(owner)	2022/04/06	0.0500000000	ETH	https://etherscan.io/tx/0x28cecd4fa9d08491afb999b0b9496696640b2cd339ace6c9db6b2a039ed85fb5
0xbda497bb2584b79490cd792d8e6248df38a82eea	2	0xa1a3524e1bd29f71d11e787d36baebb91bfc20da(owner)	2022/04/06	0.0500000000	ETH	https://etherscan.io/tx/0xa65ac415dff5d62959d2466ffcb0c4b7911beafb29bbb9044f235dd11f4328f4
0xc2404882710364d1b1051e1bfb7ba886a99823f3	2	0xa1a3524e1bd29f71d11e787d36baebb91bfc20da(owner)	2022/04/06	0.0500000000	ETH	https://etherscan.io/tx/0x7f5453ac7b833c0b793a30950b79f8d463e89164526d0ceef35fd012f37041fd
0x6a81adc68ea677f053b3207e40416c94140d773b	2	0xa1a3524e1bd29f71d11e787d36baebb91bfc20da(owner)	2022/04/07	0.0500000000	ETH	https://etherscan.io/tx/0x0b27343aab5c162a29ad9a2ef03e0b8025d1f16f9c17fdd79e8adbb884227d90
------------------------------------------	----	------------------------------------------	----------	------------	-----	------------------------------------------------------------
0x4e50f7a87399e956e399eea81c811cd04ced09f2	4	0x0bddf292948e4bc6d766f62bda270d2185bf162b	2022/07/04	0.0350000000	ETH	https://etherscan.io/tx/0x7809b036f88ac4e0ec2b043bc6dcb861f577cf5dc9bc6860a4abea507d9c8608
0x596aa760ab094ea50579d5cdc6fdbddd7c8b8cc4	1	0x0bddf292948e4bc6d766f62bda270d2185bf162b	2022/07/04	0.0350000000	ETH	https://etherscan.io/tx/0x0f4347410e3ed7c89b5d3f45681c8b1d46bf91fcd5f95fc922da1e25eb2ca7f8
0x98453192c444d99bd2a5923cc102e38192a03de5	0	0x0bddf292948e4bc6d766f62bda270d2185bf162b	2022/07/04	0.0350000000	ETH	https://etherscan.io/tx/0x4690074b73b015c2786a4334e4747340e668d7dafe2fb4c07ff96e88ab2d2a28
0xf5ced48c114dd38fff0912ff43aa51fa9e495f95	15	0x0bddf292948e4bc6d766f62bda270d2185bf162b	2022/07/04	0.0350000000	ETH	https://etherscan.io/tx/0xb3bdeab72720066929e9d15d6e2dc65fc62dd61fcfe78d7eb1a543ff339557b8

Methodology

Addresses are reported by retrieving information from the chain, using bitquery's graphql, and detecting abnormal behavior, such as empty wallets, mutual transfers, etc.

When only some of the anomalous behaviors are present, we can consider the address reasonable, but when an address has all the anomalous behaviors, we have good reason to suspect that the address is false. Especially if the multi-signature address and the owner address have obvious exceptions both, then it is obvious that this is airdrop farmer.

Abnormal behaviors include

• For Multi-Sign Address

  • Few transactions were executed
  • There is a lot of overlap in the interactions, such as the destination address, and the time
  • The owner of multiple multi-signature addresses is exactly the same, and never changes from start to finish

• For Owner Address

  • Empty address
  • The first source of funds is the owner.
  • Mutual transfer
  • Behavior similarity

If the verification is passed and my strategy is great, I can provide my source code, but for now it is not conveninet

Safe Address

0xce495858e36c95f491b5a32ca2664405cf10ab76

Thanks

[tschubotz]

I don't see the connection. These Safes don't behave similarly.