Chain Analytics on Scam Addresses

In January I created a post listing some of the ETH addresses associated with a set of scams targeting the Guild of Guardians community.  Yesterday night a member of the community reached out to as they were a victim of the scam and had performed some research that aligned with our findings, specifically they identified two ETH addresses that were used to move the proceeds of the scam:

  • 0xf319B5047d657c054C73908308E4C22A98dC7C22
  • 0xAcda910E9175E2B174266B9D80ED8be87CC79CB7

If you're new to the cryptocurrency space, it's important to remember that blockchain technology, by default, provides transaction transparency, but in many cases maintains anonymity.  Barring a leak from a centralized exchange or self identifying as the owner of an address, while you can see all transactions on Ethereum, you can't necessarily tie those transactions to a real world individual or group if they are making an effort to remain anonymous.

So what do you do when you have addresses that are associated with a scam?  Let's put the discussion of censorship aside for a moment, as that's a very heated topic, and just pretend that we all agree if we identify an address that has scammed someone from the Guild of Guardians community out of funds we'd like that scammer to own up to what they've done and possibly make it difficult for them to spend the proceeds of that scam.

Depending on the amount of funds and the technical prowess of your local law enforcement, you can and should report the scam, but you might not get a lot of help recovering the funds.  Also, if you yourself are in the crypto space, you might be trying to maintain your own anonymity for personal reasons and might even be in a position where local law enforcement isn't friendly to crypto currency users at all.

The next option is to try and flag the addresses to as many communities as you can, effectively blocklisting the address.  Block listing in this context means ensuring the community blocks interactions with the addresses on the list.  There are some shared tools that many communities, law enforcement and cryptocurrency exchanges subscribe to in order to get lists of addresses they should block.

In some scams, the scammer is looking to cash out their gains, and at some point might try to send funds to a centralized exchange, or some other fiat offramp so they can spend some of their money as in many regions of the world you still can't buy milk and bread with crypto.  When the scammer moves their funds to a centralized exchange (e.g. Coinbase) that exchange can check if that address is on a blocklist and react accordingly.  Each exchange might have a different philosophy, but if an address is flagged as a scam they should at least pause for a moment.  More and more exchanges are required to accept Know Your Customer data (KYC).  Presumably, if the exchange the scammer is sending funds to has done their due diligence then anonymity stops there.  The address that sends the funds to the exchange should now be associated with a real world person.

Now it's up to the exchange, or the local laws that govern that exchange, to decide the next steps. Let's look at an example.  Here is a graph of addresses on Ethereum associated with a set of Guild of Guardian token sale impersonation sites:

There are three addresses labelled as "Guild of Guardians Scam".  These addresses were embedded in fake token websites and in total have received roughly 50 ETH (currently valued at $132,600 USD).  Just take a moment to let that sink in, a value of $132,600 USD is a heck of a return for posting some fake gaming crypto websites.  Scamming in the crypto gaming space is lucrative.

The three addresses funnel, along with other address likely associated with the scammer (labelled "Likely Other Scams" in the graph), to two addresses that together have received a total of roughly 85 ETH.  All of that ETH is then sent along to

This is the transaction transparency part.  We can clearly see where the ill gotten scammer gains have gone, but those addresses have been dormant since around December 2021 after transferring almost all their funds to

How about the anonymity? is one of the oldest Chinese cryptocurrency exchanges founded in 2013 and remains an unregulated exchange.  An unregulated cryptocurrency exchange is an ideal place to funnel stolen crypto as they likely have no or very poor KYC requirements.  I would assume those funds are gone.  Is there any more information we can mine from those Ethereum addresses?  Maybe...

The graph above is a subset of the entire graph, and graph analysis can be tricky.  There may be some connection between these wallets and other wallets associated with the scammer and the rabbit hole can be quite deep.  Importantly, you have to be able to identify at what point "ownership" transfers from the scammer to an unknowing legitimate person.

In an ideal world everyone should be able to remain anonymous.  This is far from an ideal world.  Malicious actors are out there victimizing the crypto community.  If we want to remain anonymous we have to provide at least some level of self policing to make it difficult for bad actors to take advantage of the communities' trust.

That's it for now.  If you come across any GoG related scams don't hesitate to @gogscamtracker on Twitter or email  Stay safe out there.


Popular posts from this blog

Down MetaMask Impersonation Rabbit Hole

NameSilo Abuse Reporting

More Sites Taken Down