My name's Heidi, I'm a part of the special investigations team at Coinbase, and I am super excited and also very honored to be able to present to you guys at Devcon "Rug Life": using blockchain analytics not only to detect illicit activity, but also to track stolen funds and hopefully stay safe. And I really liked the previous presentation, actually, right before mine, because it was all about sort of detection, right? But this is about once your funds kind of get stolen, what do you actually do?

So quick TL;DR, I know we all don't have time to be sitting around a panel all day. So if you've got places to go, the TL;DR is: be paranoid, be paranoid. That is literally the end of this presentation. The rest of this presentation is going to be full-on paranoia mode. You're going to want to lock down everything throughout your computer and just give up on this. But if you want to stick around for the rest of it, let's go for it.

So first and foremost, we need to define what illicit actually is, right? There are a lot of people who say, oh, scammers are illicit, dark markets are bad, thefts are also bad. Shrewd traders who do market manipulations, they're also bad. OFAC'd entities, more recently, also bad. Like, we've got a whole swath of different terrible bad actors out there. But today we're only going to be concentrating on one, which is thefts. I personally believe that thefts are like the worst thing that can happen with this ecosystem, right? First and foremost, you see millions and millions of dollars, like just last night, we saw $100 million being drained out of Mango Finance, right? That's horrible for the entire ecosystem. It doesn't matter what chain it happened on, right? Not only that, but it also drives more regulator scrutiny. Do we really necessarily want that? We want to be able to develop, right? We want to be able to build without having to even consider things like that.
So this is why we need to start thinking about things like, how do we prevent this kind of stuff? Now, I don't want to spend that long on this. I think we need to talk about the different theft typologies out there. Now, I largely bucket them into three different sort of categories. First and foremost, you have the dev-slash-team-initiated thefts, right? AKA, we all know these, rugs, right? What does a rug actually look like? First and foremost, you've got some token dumping, you've got unlimiting or even limiting, usually, of functions, as well as cashing out of any and all proceeds possible. Now, sometimes with rugs, what will also happen is websites will 404 and obviously social media accounts will go totally dark.

Now, the biggest bucket, though, are third-party thefts, right? And those I actually put into two different categories. First and foremost, you've got hacks, right? Third parties hack into places all the time, right? For example, let's think of the different CEXes that have been hacked in the past couple of months, right? And also, you've got another thing called market manipulation, as we all know, like what happened with Mango last night. Now, what exactly do we define as a hack? Well, a hack is very similar actually to a rug, right? The only difference I would say in this very generalized sort of rule of thumb is that with a hack, you usually don't have the website of the team, I don't know, not working, or the social media of the team also going down. So you don't have that actually happen with a hack. But what you do see is obviously the cashing out of proceeds extremely, extremely rapidly and obviously the dumping of funds. Now, in terms of market manipulation, what usually happens there is a flash loan will be taken out nine times out of 10, and what will happen is a certain pool is manipulated, right? Where one token's price is arbitrarily pushed up, for example, what happened last night with Mango, right?
The price automatically gets pushed up, then suddenly a dumping of that Mango, right? And then an exchange for tokens that actually have value. And finally, there's another bucket of thefts, right? And I'm not going to go too much into these, but these are sort of more third-party service attacks. So think of, for example, when you're in a Discord, right? You're managing a Discord. You probably have a whole bunch of different Discord bots out there, right? They're doing a whole bunch of different things, but sometimes those Discord bots get exploited, meaning that, you know, people who are investing in your project sometimes fall for those exploits and then, unfortunately, you get their funds siphoned off of them and then they blame you, which isn't really fair, but it definitely happens.

Now, I actually want to go into detection methods. Like, how do we actually detect this kind of stuff? How do we find this stuff, right? And so there are a lot of ways to do detection. Forta just did an amazing presentation on how they go about doing detection, but as a protocol, what you want to do is you want to actually just set up alerting for large flows of funds. That's actually something that Forta does. Another thing you can do as well is use the various different platforms that I have listed on here to actually start alerting you for when any sort of strange activity happens. Finally, another thing you might consider doing is following a whole bunch of auditors online, because chances are, on Twitter, the auditors will alert you probably before, you know, even your most avid Twitter followers will alert you of something strange happening. Now, unfortunately, this is all fine and great, but once a transaction is broadcast to the blockchain, you're screwed, right? You're done for. So this is great. We can detect this all day, every day, but we need to actually prevent this stuff, right?
And so what we need to actually do is we need to start detecting this sort of weird kind of activity before any money starts to move, right? And so if you're a dev, there are a couple things you can do. First off, you want to constantly audit, right? Your debits and credits, and I know this sounds super effing boring. Oh, I just got one out again. I know it sounds super boring, but for example, Nomad, they would have been able to detect some strange stuff happening going all the way back to July, and they could have probably prevented what then ended up happening at the beginning of August. Now, another thing you might want to do too is monitor who's transacting with your contract. What are they actually doing with their funds, right? And finally, another thing too is you want to be monitoring your site's back end, but also your site's front end. For example, Celer Bridge. That's actually how they were exploited more recently, right? Their front end was attacked.

Now, this is all great, but if you're an investor, right, this means nothing to you. Like, you're not gonna be debiting and crediting a particular, like, protocol's smart contracts. That's not your job, right? So what should you be doing? Well, one thing you can do is make sure you know what contract you're actually interacting with, right? So when you're on MetaMask and you are trying to do a transaction, before you click that button, make sure that the contract is indeed the contract you want to be transacting with. Finally, or next, rather, revoke.cash. So for example, when you interact with a contract, right? Before you interact with that thing to send your tokens anywhere, you have to allow those tokens to be moved, right? Now, when you allow those tokens to be moved with that contract, you're granting that contract license to move them.
You want to revoke those every once in a while because chances are those contracts you interacted with back in 2021 or even 2020, they might not even exist anymore, right? You don't want to have anything to do with them, right? So revoke those. I would say just clean them out probably once a month or so, probably. And last, but certainly not least, you want to monitor the social media of your projects, right? As well as all of the wallets that you hold. I know this is exhausting and annoying, but it's also one way to stay a little bit more safe.

Now, I want to get to the most fun part of this presentation, which is actually tracking the funds. So let's say your project is wrecked, right? Like suddenly all the funds have been siphoned off, or let's say you're an investor and you invest actually in a project and, oh damn, their money's all gone. What happens? Like, can I even do anything, right? So I'm not going to be boring you guys with many more bullet points on slides. Don't worry, this is the last one. But first and foremost, you want to learn how to read Etherscan, right? There's no point in like pretending to track funds if you can't read Etherscan, right? And I know Etherscan is painful to read, as Arbiscan is, as Snowtrace and all the other ones are, but it's super, super, super important to learn how to read a block explorer. Another thing too is once you learn how to read a block explorer, you're going to be much more savvy with blockchain analytics tools like Dune and Bloxy and whatnot, and they're going to be able to help you track those funds further. Now, there are a whole bunch of other tools out there that I haven't listed on this slide, but yeah, these at least, at the very least, are free and open source. Now, another thing you can also do as well is leverage Twitter investigators, but I say that with a massive caveat. So there are a lot of really amazing Twitter investigators out there, right?
And I think we probably all know their names, right? But there are also some overzealous researchers as well. And I saw this in fact actually last night with the Mango exploit. There were several people who called out several different addresses, but they were indeed not related to the Mango Finance exploit. So yeah, it's kind of frustrating at times for people like me when I'm going through this and I get pings from all sorts of people about things. So yeah, leverage them, but do it cautiously.

The biggest point on here though that I want to make is if you do have a project that gets hacked, right? Or if you're a part of a project that gets hacked, what you want to do is immediately reach out to law enforcement. So IC3 is with the FBI and you can file a complaint with them and they're quite good at tracking down funds. This is regardless of whether or not you're US-based, because chances are you probably have an investor somewhere in there in your project who might be US-based. So I would go ahead and file it with them, as well as obviously whoever your local law enforcement is. Now the next biggest point on here is if you are a dev and your guys' project gets hacked, you want to communicate, communicate, communicate. Because the worst thing is you're silent, right? And then all of your investors are sitting there like, what the hell is going on? Oh my God, oh my God, oh my God. And then immediately the FUD starts. And immediately people are like, oh my God, the project got rugged. And then all of the rumors, the rumor-mobligans, right? So you want to communicate as much as possible, as much as you possibly can. And I know you're gonna probably hire lawyers and whatnot, but try to communicate as best you possibly can.

Now I want to get you guys prepared for my favorite thing, which is story time, because I want to actually give you guys a good case study. And unfortunately this is not gonna be a nice story time, this is gonna be a nightmare story time.
We're gonna be talking about the Ronin theft that happened earlier this year. I'm sure we all know about it, but about $600 million was stolen from the Ronin Bridge. And what effectively happened was these guys stole all this ETH as well as USDC from the Ronin Bridge. I think it was like 173,000. And they had all this ETH, right? What did they do with it? First and foremost, what they did with it is they started cashing it out at various different CEXes. Now this was also around the same day where the Ronin Bridge came out and they finally announced that they had been exploited. And what do you think the attackers did? They had to immediately stop because the CEXes then caught on like, oh dear God, we're being used to cash out these terrible proceeds, we gotta stop this. And of course the attackers then also paused too, right? And then two weeks later they start mixing funds through Tornado Cash, right? And all of this ETH flows through Tornado Cash. Now one thing I have to mention is this was a ton of ETH, right? I just mentioned it's 173,000 ETH. This is a ton of money. I had never seen this much money flow through Tornado Cash. So the sheer volume was already unprecedented.

But the other thing that was also crazy too was these guys were rinsing and repeating the exact same methodology over and over and over again, right? So what they would do is they would mix the money through Tornado Cash and then they would swap it using the same DEX over and over again to renBTC, which is a Bitcoin proxy, right? And then after that what they would do is they would burn that renBTC in exchange for Bitcoin. And this happened time after time after time, day after day. And I mean, we're all human, right? These attackers are human, right? And so we like a good pattern. And it's one thing that you'll notice in this presentation is that patterns get repeated all the time and that's part of doing analytics and tracing funds, right?
You start to notice these typologies over time. Now what happened with this Bitcoin? This Bitcoin was then sent on to ChipMixer, and you guys might know ChipMixer. ChipMixer is a Bitcoin mixing service. Now when I look at ChipMixer I think to myself, oh my God, that's so 2019, no one uses ChipMixer anymore. Like, there's so many better services out there, right? And of course, again, why am I saying that's so 2019, right? Well, what I'm essentially saying by that is there's no liquidity in there, right? You want a deep liquidity pool when you actually care about privacy, right? Because you don't want to be found out. You don't want people like me to go looking for you, right? And of course these guys had a ton of money that was flowing through ChipMixer, right? So what effectively happened was, unfortunately, we could trace through it. And a lot of it went to an APAC-based CEX, but not all of it. So not all of the funds actually were mixed this way. This was only their pattern in May.

And by the way, we're gonna skip all of the patterns that happened in June and July and we're gonna go straight to the pattern that started in late August and is continuing to today. So some of that Bitcoin that they had, what they started actually doing, and this is late August, beginning of September, they started splitting it out into these weird increments of rounded five, six, seven, and eight BTC, right? They split out all these funds. What do they do with it? Send directly to Ren, mint some renBTC, great, right? This is a very, very, very easy pattern to detect on chain, right? And from there, what they did was they used a DEX, they swapped it into USDT, and then they got a little confused midway, they wanted some ETH, go back into USDT, and they ended up cashing it out at OTCs and a bunch of CEXes. And they continued doing this pattern, right? Through September, it was the, I mean, it was very, very obvious, right?
Even if you were to just look at renBTC-based mints, you'd be able to find this stuff. What they also did is they got lazy in between and just cashed out directly from Tether. And now one thing that you'll notice is that I have USDT and ETH written on here, right? And for those of you that are savvy, you're like, hey, wait a second, Heidi, what about gas fees? Did you get anything out of gas fees? Yes, the gas fees actually originated from those CEXes right here, right? So it's a very roundabout pattern that we end up seeing. So what also ended up happening as well is they had this large sum of Bitcoin and they got super, super lazy, and they started just cashing it out directly to CEXes, and then they decided to get un-lazy because unfortunately some people found them, and they decided to go back to the renBTC route and then do the same thing over and over again, right?

Now, what am I trying to get you to take away from this case study? That was a lot, right? This was overwhelming. Now, what I'm trying to tell you with this is blockchain analytics ain't easy, it's quite complicated, and trying to recoup stolen funds is no joke, right? It's not only extremely costly, it's very, very, very time-consuming, right? I've been tracking these guys literally since, yeah, March, right? And not only that, but the amount of funds that the whole crypto community has been able to recoup has been so limited, right? So you don't want this to happen. Now, luckily we do have the transparency of the blockchain right now, which allows us obviously to trace funds, right? The fact that it's permanent, it's immutable, right? And it's fully transparent, awesome, right? But it doesn't change the fact that tracing this money is a lot more work down the line than actually trying to prevent the bad activity. Now, let's go into actually what we can do about this, right? I hope I scared you guys enough.
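The repeated laundering typology from the Ronin case study, as an added example that is not from the talk or from Coinbase's tooling: constructed, labelled transaction steps stand in for explorer output, and two of the speaker's heuristics are coded up, counting how often the same ordered sequence (mixer withdraw, DEX swap to renBTC, burn) recurs for one actor, and spotting round 5/6/7/8 BTC chunks sent straight to a mint deposit. The step labels and amounts are assumptions for illustration.

```python
"""Fingerprint a repeated laundering typology from labelled on-chain steps.

All records below are constructed for illustration; the `kind` labels are
assumed to come from an upstream labelling step (explorer tags, Dune query).
"""
from dataclasses import dataclass

H = 3600  # seconds per hour, for readable constructed timestamps


@dataclass(frozen=True)
class Step:
    ts: int        # timestamp in seconds (constructed)
    chain: str     # "eth" or "btc"
    kind: str      # labelled action, e.g. "mixer_withdraw", "dex_swap", "bridge_burn"
    asset: str
    amount: float


# The May pattern from the talk: Tornado withdraw -> DEX swap to renBTC -> burn for BTC.
RONIN_MAY_TEMPLATE = ("mixer_withdraw", "dex_swap", "bridge_burn")


def count_template_runs(steps, template, max_gap=6 * H):
    """Count non-overlapping, in-order occurrences of `template` in one actor's
    history. Unrelated steps may sit between template steps, but if the gap
    between two matched steps exceeds `max_gap` the partial run is abandoned."""
    ordered = sorted(steps, key=lambda s: s.ts)
    runs, k, last_ts = 0, 0, None
    for s in ordered:
        if last_ts is not None and s.ts - last_ts > max_gap:
            k, last_ts = 0, None          # too slow: drop the partial run
        if s.kind == template[k]:
            k, last_ts = k + 1, s.ts
            if k == len(template):
                runs += 1                 # full run seen; start looking again
                k, last_ts = 0, None
    return runs


def round_btc_splits(steps, allowed=(5, 6, 7, 8), min_hits=4):
    """Return the whole-coin BTC amounts (from `allowed`) deposited straight to a
    bridge mint address; the late-August pattern in the talk. Fewer than
    `min_hits` such outputs is treated as coincidence and returns []."""
    hits = [
        s.amount for s in steps
        if s.chain == "btc" and s.kind == "bridge_mint_deposit"
        and s.amount.is_integer() and int(s.amount) in allowed
    ]
    return hits if len(hits) >= min_hits else []


def typology_report(steps):
    """Summarise both heuristics for one actor's step history."""
    return {
        "may_pattern_runs": count_template_runs(steps, RONIN_MAY_TEMPLATE),
        "round_btc_to_mint": round_btc_splits(steps),
    }


# Constructed history for a hypothetical actor.
ACTOR_STEPS = [
    Step(0 * H, "eth", "mixer_withdraw", "ETH", 100.0),
    Step(1 * H, "eth", "dex_swap", "renBTC", 6.1),
    Step(2 * H, "eth", "bridge_burn", "renBTC", 6.1),
    Step(24 * H, "eth", "mixer_withdraw", "ETH", 100.0),
    Step(25 * H, "eth", "dex_swap", "renBTC", 6.0),
    Step(26 * H, "eth", "bridge_burn", "renBTC", 6.0),
    Step(48 * H, "eth", "mixer_withdraw", "ETH", 100.0),
    Step(49 * H, "eth", "cex_deposit", "ETH", 100.0),   # pattern broken this time
    Step(72 * H, "eth", "mixer_withdraw", "ETH", 100.0),
    Step(73 * H, "eth", "dex_swap", "renBTC", 5.9),
    Step(74 * H, "eth", "bridge_burn", "renBTC", 5.9),
    # Late-August pattern: round BTC chunks straight to a mint deposit
    Step(2000 * H, "btc", "bridge_mint_deposit", "BTC", 5.0),
    Step(2001 * H, "btc", "bridge_mint_deposit", "BTC", 8.0),
    Step(2002 * H, "btc", "bridge_mint_deposit", "BTC", 7.0),
    Step(2003 * H, "btc", "bridge_mint_deposit", "BTC", 6.0),
    Step(2004 * H, "btc", "bridge_mint_deposit", "BTC", 0.37),  # change output, ignored
]

if __name__ == "__main__":
    print(typology_report(ACTOR_STEPS))
```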
Now we've got the crazy slide that I actually wanna take a pause on, and I want you guys to actually take a picture of, because I'm not gonna be talking about it because I want us to actually talk through case study examples. So on this slide, we've got lots of different recommendations in terms of general stuff, blockchain stuff, social media, email stuff, and doing your basic due diligence, i.e. DYOR. Cool, we all got our photos? Awesome, okay, worst case, I can share the slides with you after the fact.

Now, I wanna share a couple examples with you guys, and I wanna share an example of being impulsive and not checking the contracts that you're interacting with before you interact with them. Now, back in April, Bored Ape Yacht Club's Instagram was hacked. I'm sure you guys remember this, right? Their Instagram was hacked, suddenly there was like this announcement of like, oh, we're giving away this land, all you have to do is, if you hold an ape, mint this land token. And of course, people fell for this, right? They didn't actually look at the contract that they were interacting with. And what happened? Well, sure enough, you can imagine what happened. All of their most prized NFTs were ripped from them, and one thing that was very noticeable when looking at this initial contract is that there was this setApprovalForAll function that kept on being called by these addresses that had been phished, over and over and over again, rapidly. And when you see this on chain, run, run from that contract, right? Because what that effectively means is that contract's being run by some sort of phishing person, someone who's doing phishing. Now, these NFTs were immediately sold for ETH on a whole bunch of different marketplaces, right? And then after that, the ETH was cashed out at a bunch of CEXes immediately, right? Really good. Then also it was sent to the Ukrainian Armed Forces. That's interesting. Maybe that tells us about where the threat actor might be. We'll see in just a second.
And then we also see that they're sending money to a carding shop. So they're clearly buying fake IDs, right? Probably using those fake IDs to sign up for those CEXes. Interesting, right? Now, remember how I talked about those gas fees? Those are something you want to look at when you're initially interacting with a contract, right? So you can see where they initially get their funds from. And if you take a look at that ETH, right? That paid off those, topped up that address to initially get those gas fees, you'll actually find that that address indeed also did a whole bunch of different phishing and made a ton of money, right? Great. What else can we find out about this address? One thing that I found that was really interesting with this particular address, it also cashed out at a whole bunch of CEXes as well, was that it also sent money to this very interesting social NFT marketing page, right? So essentially what you could do is you could pay this money to market your NFT project on various different social media websites. Interesting. I don't think that's Ukrainian right there, right? And my perspective actually is, these guys probably actually just donated to the Ukrainian armed forces in order to probably throw people like me off of their tracks, right? And so this is one very, very easy way to do it because, as we all know, that address for the Ukrainian armed forces is tagged on Etherscan, right? So it's very, very obvious.

So this is an example of being impulsive and this is what you don't wanna do. So take those two minutes, literally two minutes, right? And look at that address before you interact with it, right? Look at what those other addresses that are sending funds are actually doing, right? Are they actually getting something for it? Are they actually minting any land? Or are they getting nothing out of it, right? Now, I also wanna talk about an example of social engineering.
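The setApprovalForAll tell from the Bored Ape phishing story above, as an added detection example that is not part of the talk: constructed ERC-721 event records (hypothetical addresses) are grouped by operator, and an operator that collects blanket approvals from many distinct owners within a short block window, while nothing is ever minted back to those owners, is flagged. The thresholds and the comparison against ordinary marketplace approvals are assumptions for illustration.

```python
"""Flag a likely NFT-drainer operator from ApprovalForAll activity.

Constructed sample events stand in for what a block explorer or Dune query
returns; every address here is hypothetical. The two checks mirror the
speaker's advice: is one operator collecting approvals from many owners in a
burst, and did those owners actually mint anything in return?
"""
from collections import defaultdict
from dataclasses import dataclass

ZERO = "0x0000000000000000000000000000000000000000"


@dataclass(frozen=True)
class ApprovalForAll:
    block: int
    collection: str   # NFT contract that emitted the event
    owner: str        # address granting blanket approval
    operator: str     # address receiving it
    approved: bool


@dataclass(frozen=True)
class Transfer:
    block: int
    collection: str
    sender: str       # ZERO means a mint
    recipient: str
    token_id: int


def suspicious_operators(approvals, transfers, window_blocks=50, min_owners=5):
    """Return {operator: report} for operators whose approval pattern looks like
    a phishing drainer rather than a marketplace or an owner's own tooling."""
    by_operator = defaultdict(list)
    for ev in approvals:
        if ev.approved:
            by_operator[ev.operator].append(ev)

    mints_to = defaultdict(set)      # owner -> collections minted to them
    pulled_by = defaultdict(set)     # operator -> (owner, token) moved away
    for t in transfers:
        if t.sender == ZERO:
            mints_to[t.recipient].add(t.collection)
        else:
            pulled_by[t.recipient].add((t.sender, t.token_id))

    reports = {}
    for op, evs in by_operator.items():
        evs.sort(key=lambda e: e.block)
        # sliding window: most distinct owners approving this operator within window_blocks
        best = 0
        for i, first in enumerate(evs):
            in_window = {e.owner for e in evs[i:] if e.block - first.block <= window_blocks}
            best = max(best, len(in_window))
        if best < min_owners:
            continue                 # spread-out approvals look like normal usage
        owners = {e.owner for e in evs}
        reports[op] = {
            "distinct_owners_in_window": best,
            "owners_with_mint_back": sum(1 for o in owners if mints_to.get(o)),
            "tokens_pulled_from_owners": len(pulled_by.get(op, ())),
        }
    return reports


# Constructed sample: hypothetical addresses, not real ones.
COLLECTION = "0xAPES_hypothetical"
DRAINER = "0xDRAINER_hypothetical"
MARKET = "0xMARKET_hypothetical"    # ordinary marketplace approvals as a baseline

APPROVALS = [
    ApprovalForAll(100, COLLECTION, "0xowner1", DRAINER, True),
    ApprovalForAll(101, COLLECTION, "0xowner2", DRAINER, True),
    ApprovalForAll(101, COLLECTION, "0xowner3", DRAINER, True),
    ApprovalForAll(102, COLLECTION, "0xowner4", DRAINER, True),
    ApprovalForAll(103, COLLECTION, "0xowner5", DRAINER, True),
    ApprovalForAll(103, COLLECTION, "0xowner6", DRAINER, True),
    ApprovalForAll(50, COLLECTION, "0xowner7", MARKET, True),
    ApprovalForAll(900, COLLECTION, "0xowner8", MARKET, True),
    ApprovalForAll(2000, COLLECTION, "0xowner9", MARKET, True),
]

TRANSFERS = [
    # The drainer moves approved apes out; no "land" is ever minted to the owners.
    Transfer(104, COLLECTION, "0xowner1", DRAINER, 1),
    Transfer(104, COLLECTION, "0xowner2", DRAINER, 2),
    Transfer(105, COLLECTION, "0xowner3", DRAINER, 3),
]

if __name__ == "__main__":
    for op, rep in suspicious_operators(APPROVALS, TRANSFERS).items():
        print(op, rep)
```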
This has nothing to do with blockchain analytics yet, but it will, right? So here's a great example from Poly Play, and they were amazingly transparent about their exploit that happened last year. This is actually from one of their tweets. As you can see here, the Binance team reached out to Poly Play in order to pretty much list their token, right? And as you can see, this looks pretty legit in terms of a LinkedIn page. He's got like 400 or so month followers. This seems like a pretty legit email or whatever it is, but there are a couple funky things with it, right? First off, they're asking, they're saying, hey, please donate to the Binance Charity Foundation. That's a little weird, right? Like, and they're asking for the donation in Bitcoin too. I don't know, that's a little sus, right? So it's one thing that you wanna kinda look at, right? When you're looking at people who reach out to you, verify indeed their identities, right? For example, if you look up Teddy Lin right now on LinkedIn, I'm sure this isn't the only Teddy Lin at Binance you're gonna find, right? And so it's one thing that you're gonna wanna do. You're gonna wanna verify with these teams before you start interacting with them. Cause the worst thing is, you get down the line, they send you over documents to agree to, you download that document and that document includes a whole bunch of malicious code and your whole project gets screwed over, right?

And what's interesting about this particular social engineering incident is that Poly Play ended up getting hacked, right? Because of all of this. And what happened? Well, if you looked on chain, you'll actually find that the Poly Play hack is related to the bZx hack that happened back in November and also linked to the mgnr.io hack as well. And if you look back up, what you'll end up finding is all of them fell for very similar social engineering tactics.
So this is a common one used by many nation states actually, one in particular, and you guys can guess who that might be.

Now, one thing we talked about before is what's the difference between a hack and a rug, right? But I actually wanna talk about what is the difference between an actual dev team cash-out and a rug? Because a lot of times dev teams, I mean, a lot of times, dev teams need to cash out of their funds, right? They make money, they need to be able to move their money around and do things that maybe aren't crypto, right? How do they actually do that? And I wanna give you guys an example of what a legit team looks like when they're cashing out versus an illegit team, because I think the comparison is quite stark. So in this example, what we have here is we have 10KTF, which is a very large NFT project. They get proceeds, right, from their NFT sales and you can see that on chain, and all of those are then sent to the 10KTF deployer address. The dev deployer address then sends on to their Gnosis multisig. Fine, that seems fair, right? Another thing that we also see too is the Renga deployer, they also send funds on to their Gnosis multisig. So if you weren't following projects, which I wasn't, I had no idea these projects were intertwined, actually, until I was looking at their Gnosis multisig and actually found, oh wow, they're clearly a part of the same ecosystem, right? And if you take a look at their Gnosis multisig, and by the way, this is a great practice, right? You want to see a project using a multisig and keeping their funds locked up there. They sometimes will actually cash out directly to FTX, right? But they do this over time, right? Their website is still active, their social media is still active. These guys are still clearly involved with the community, right? So nothing weird is going on here. This is the kind of activity you wanna be seeing when you're analyzing on-chain, seeing where devs are cashing out at. Now what do you not wanna see?
This is exactly what you don't wanna see. So I'm sure you guys heard about the Squid Game rug pull last year, but essentially the Squid Game token launched, right? On the BSC network. And what effectively happened was you couldn't trade this Squid token. So you could only trade it, you could only buy it with BNB because it was on PancakeSwap, but you couldn't sell it. So effectively what happened was the price was driven up to like $2,500, right? And suddenly one day, the website 404s, all the social media accounts are deleted, right? And suddenly then the Squid token is swapped for BNB and fully dumped, right? Suddenly the Squid token now is valueless. Now one thing the devs did right here though is they decided to unlimit that contract so that suddenly you could actually sell your Squid. But of course it was worthless. So who cared at that point in time, right? And so anyways, you had this BNB, right? These guys then decided to rapidly send that BNB through Tornado, right? And again, this was a very high volume going through Tornado at that point in time, so it was kind of traceable.

Now there's one thing to note about privacy protocols. Privacy protocols are incredibly important. I'm not trying to be a proponent here in this presentation to say, oh, you know, we can de-mix everything, you know? Or whatever. But what I am trying to say about privacy protocols is that unfortunately, illicit actors, while they do use them, it is quite easily traceable to see where they're moving funds to, because usually they move a ton of money at once, and why do they do that? Because they're paranoid. They don't trust anyone with that money but themselves. So the sooner they can get that money out, the better, right? Privacy protocols are incredibly important and I think we're gonna still continue seeing them in the space. In fact, I've been super excited to see all the ZK-STARK discussion here, right?
But effectively all these funds then went through Tornado Cash and again these guys rinsed and repeated the exact same transaction patterns, because once they got that BNB out, what they immediately did, and this is all in one single transaction every single time, was they would swap that BNB for DAI, right? And this is on BSC, and they would bridge that DAI through Anyswap then into ETH-based DAI or other stablecoins, right? And this was a very, very, very particular pattern. So it was super, super obvious. Now, once they had this DAI, this ETH-based DAI, what did they end up doing with it? Well, this ETH-based DAI, they ended up swapping for ETH and then they sent it through Tornado one more time on Ethereum, right? And they could not be more paranoid, right? But of course, they're moving this money through super, super fast. Again, super obvious.

Now one thing I've noticed actually about these attackers more recently is, especially in the Squid Game situation, right? As you guys remember, this particular rug was super, super known, right? This was all over mainstream media, right? So this guy was super hyper-paranoid, right? So what he decided was, oh shit, I'm just gonna sit on this money for a while. But he just didn't wanna sit on that ETH. No, no, no, no, no. He wanted to earn some yield. So he decided to swap that money into USDT and lend it to the USDT pool, and then he lent it out to Compound. And from there, he sat pretty for a while and then slowly started cashing out to two different APAC-based CEXes, right? And this is actually a pattern of activity that I've continued seeing quite often, unfortunately. Now it's unfortunate but also fortunate, right? Because once they're sitting in these pools, we can still see that. That's the beauty of the blockchain, right? And so because of that, once they exit out, right? It's kinda great, because we can also potentially recoup all the interest that they've earned. So it's one thing to also think about.
Now, I wanna leave you guys with a couple predictions, because I only have a couple minutes left, and by the way, I wrote this slide deck a week ago. This was before the BNB bridge attack. This was also before Mango Finance. But unfortunately, this is now reality. We expect hacks and scams to continue even in the bear market, right? DeFi protocols, particularly those with high TVL, right? Will continue to be perceived, unfortunately, as honeypots, right? And threat actors, as I was talking about before, they're mainly gonna continue sitting on funds, right? That's actually what we're seeing with the BNB bridge attacker right now. He's just sitting on the funds. We see that actually with quite a few different attackers at the moment, right? And to possibly earn yield, right? For example, if you take a look at the Mango Finance guy, what do you think he's investing in right now? I'm not gonna say, you guys look it up.

Anyways, some quick predictions, right? First and foremost, be paranoid, right? Hopefully this has been a lesson in paranoia here. And you wanna protect yourself before something happens, right? You don't want stuff to be broadcast to the chain, right? That is the ultimate thing that you do not want to have happen, because once it's broadcast to the chain, it's done, right? Money is gone, right? And of course, you wanna do your own research. That should be obvious, right? Do not rely on other randos to do research for you and just believe them, because they're anons on Twitter, that what they're saying is correct. You want to verify. And last, but certainly not least, definitely learn how to read a block explorer. Block explorers are extremely powerful, and all of this research I actually mostly did using Dune Analytics and just Etherscan, as well as BscScan and a couple others. And don't forget to set up monitoring, and that's all. Thanks guys.