Advanced Analysis: Lightweight Fund Tracking

In this guide, we'll explore MetaSleuth's fund-tracking feature, which simplifies monitoring outgoing transactions from a specific address.

In this tutorial, we describe the fund-tracking functionality of MetaSleuth. During an investigation, we usually want to track the funds leaving an address. MetaSleuth facilitates this by supporting tracing of the fund flow in one direction only.

[MetaSleuth Tutorial: Use MetaSleuth’s advanced analysis for lightweight fund tracking](https://www.youtube.com/watch?v=EH7x7BTumIQ)

Below, we walk through a real example, tracing the funds stolen from a phishing victim, to demonstrate this functionality. The address tracked is ryanwould.eth (0xc6D330E5B7Deb31824B837Aa77771178bD8e6713).

What Is Fund Tracking, and Why MetaSleuth

From its inception, MetaSleuth has aimed to provide analysts with more convenient visual analysis capabilities. After immersing ourselves in the on-chain sleuth group and the Web3 community, we discovered that one of the most common tasks is tracking the outgoing funds from a specific address within a defined time range.

Examples include tracking stolen funds from a victim's address in order to recover them, monitoring the targets of smart money for better investment decisions, and tracking suspicious transactions for anti-money-laundering (AML) purposes.

However, the fund flow from such active addresses can be extremely complex, involving multiple tokens, diverse counterparties, and long periods of time. This burdens on-chain sleuths, who must spend time extracting the relevant information for their analysis.

To solve this problem, MetaSleuth provides the most lightweight and fastest solution, with the best user experience, among all the assistant tools.

Case Details

  • Background: ryanwould.eth (0xc6D330E5B7Deb31824B837Aa77771178bD8e6713) suffered huge losses in a phishing scam, and a furious on-chain sleuth was tasked with finding out where the stolen funds were going and uncovering the hidden phishing group.

  • Assistant Tools: the Advanced Analysis function of Metasleuth.io

  • Known Clues

    Victim: ryanwould.eth (0xc6D330E5B7Deb31824B837Aa77771178bD8e6713)

    Time: around 2023.02.25-2023.02.27

    Loss Assets: unknown token, unknown amount

    Network: Ethereum

Step 1: Select the address

Visit MetaSleuth, select the corresponding blockchain network (the default is Ethereum), and enter the origin address of the funds, i.e., ryanwould.eth. MetaSleuth resolves the corresponding address from the ENS name. Then, to the right of the search box, open MetaSleuth's core function, Advanced Analyze.

Entry point of Metasleuth.io

Step 2: Select the direction

After entering the Advanced Analyze Settings panel, we can choose the direction of the funds and the time range. In this task, we focus only on the outflow of funds (out) and on the period around which the phishing occurred (2023-02-25 to 2023-02-28). After completing the settings, we click Apply and press Enter to enter the canvas.

Advanced analyze setting

Step 3: Generate the first fund flow graph

That's great! Metasleuth.io quickly generates a visual graph of all outgoing fund flows between February 25, 2023, and February 28, 2023. Thanks to this function, we save a lot of time sifting through data.

Moreover, leveraging the address labels maintained by MetaSleuth, we can readily identify that within this brief time frame only two unusual fund flows occurred, both directed toward the address labelled "Fake_Phishing11227". These anomalous transactions involved 1,842 USDC and 519,351 DATA tokens, as depicted in the graph.

The initial fund flow

Step 4: Filter interested tokens

For a cleaner display, we open the token configuration, remove the other default tokens, leaving only the stolen tokens (USDC and DATA), and confirm the change.

Token filter

Step 5: Extend the fund flow of interested address

The fund flow is now extremely concise and clear. To trace where the funds went next, we extend the graph by a second hop. In this second hop, we find that the phishing address "Fake_Phishing11227" transferred the stolen funds to AirSwap and exchanged them there for another token.

The filtered fund flow

Step 6: Process the token swap operation

Because our token filter included only DATA and USDC, the token swap itself was hidden from view. To address this, we add ETH to the token configuration and add the swap transaction (0x23f4ed07e2937c3f8f345e44ce489b8f83d2b6fdbf0697f6711ff4c7f2a55162) again. With this update, we have a complete view of the swap: the phishing actor exchanged the USDC and DATA tokens through AirSwap and obtained 14.58 ETH. From this point (2022-02-27 22:30), focusing solely on USDC and DATA would no longer be meaningful; we need to trace the path of the acquired ETH to uncover additional phishing addresses.

Add transaction
The complete fund flow

Step 7: Further filter with time range

Therefore, we continue with the Advanced Analysis of the phishing address "Fake_Phishing11227". As before, we focus only on outgoing funds, now in the time range between February 27, 2023, and February 28, 2023, and click the "Analyze" button to proceed.

Further analyze button

Step 8: Stop the investigation when finding interested recipients

We have obtained the fund destinations from "Fake_Phishing11227" within the specified time range. There are numerous receiving addresses, which indicates a process of distributing the illicitly obtained funds.

Among all the recipients, the addresses "offtherip.eth", "Fake_Phishing76579", and "Fake_Phishing7064" received the majority of the distributed funds, amounting to 10.36 ETH, 8.36 ETH, and 1.85 ETH, respectively.

Based on this distribution ratio, we regard offtherip.eth as the most suspicious entity in this investigation and the one that deserves further attention.

Final trace result

Having identified the unusual address "offtherip.eth", further steps may require non-blockchain techniques, such as social engineering analysis. However, for this analysis focused on on-chain fund transfers, metasleuth.io provided plenty of convenient technical assistance, enabling the entire analysis to be completed in less than 10 minutes.
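The controls used in Steps 2 to 8 (outgoing direction only, a time window, a token filter, hop-by-hop extension, and the Step 6 lesson that a token filter can hide a swap) can be expressed as a small tracer. The following is an added example written for this tutorial; it is not MetaSleuth's own code or API. It runs over a constructed list of token transfers shaped like the case above: the addresses and transaction ids are placeholders, and only the amounts follow the tutorial. It goes one step beyond the manual procedure by widening the followed token set automatically whenever a sender receives a different token back in the same transaction, so the ETH obtained for the stolen USDC and DATA is traced rather than filtered away.

```python
from collections import defaultdict
from datetime import datetime
from typing import NamedTuple

# Constructed sample data shaped like the case in the text. Addresses and tx ids are
# placeholders (not real chain data); only the amounts follow the tutorial.
VICTIM = "0xVICTIM"     # stands in for ryanwould.eth
PHISHER = "0xPHISHER"   # stands in for Fake_Phishing11227
SWAP = "0xSWAP"         # stands in for the AirSwap contract
WINDOW_START, WINDOW_END = datetime(2023, 2, 25), datetime(2023, 2, 28)


class Transfer(NamedTuple):
    ts: datetime
    sender: str
    recipient: str
    token: str
    amount: float
    tx: str


TRANSFERS = [
    # the two anomalous outflows from the victim
    Transfer(datetime(2023, 2, 27, 22, 0), VICTIM, PHISHER, "USDC", 1842.0, "tx-1"),
    Transfer(datetime(2023, 2, 27, 22, 0), VICTIM, PHISHER, "DATA", 519351.0, "tx-2"),
    # an unrelated outflow outside the time window; the window filter must drop it
    Transfer(datetime(2023, 3, 5, 9, 0), VICTIM, "0xEXCHANGE", "USDC", 50.0, "tx-3"),
    # one transaction in which the phisher swaps USDC + DATA for ETH
    Transfer(datetime(2023, 2, 27, 22, 30), PHISHER, SWAP, "USDC", 1842.0, "tx-swap"),
    Transfer(datetime(2023, 2, 27, 22, 30), PHISHER, SWAP, "DATA", 519351.0, "tx-swap"),
    Transfer(datetime(2023, 2, 27, 22, 30), SWAP, PHISHER, "ETH", 14.58, "tx-swap"),
    # inbound ETH from a second (constructed) victim; inbound flows are never followed
    Transfer(datetime(2023, 2, 27, 22, 45), "0xOTHER_VICTIM", PHISHER, "ETH", 6.0, "tx-7"),
    # distribution of the pooled ETH to second-hop recipients
    Transfer(datetime(2023, 2, 27, 23, 0), PHISHER, "0xRECIP_A", "ETH", 10.36, "tx-4"),
    Transfer(datetime(2023, 2, 27, 23, 5), PHISHER, "0xRECIP_B", "ETH", 8.36, "tx-5"),
    Transfer(datetime(2023, 2, 27, 23, 10), PHISHER, "0xRECIP_C", "ETH", 1.85, "tx-6"),
]


def outgoing(transfers, address, start, end, tokens):
    """Transfers sent by `address` with start <= ts < end whose token is in `tokens`."""
    return [t for t in transfers
            if t.sender == address and start <= t.ts < end and t.token in tokens]


def swap_outputs(transfers, address, tx):
    """Tokens `address` received back in transaction `tx` (non-empty for a swap)."""
    return {t.token for t in transfers if t.tx == tx and t.recipient == address}


def totals_by_recipient(transfers, token):
    """(recipient, total) pairs for one token, largest first."""
    totals = defaultdict(float)
    for t in transfers:
        if t.token == token:
            totals[t.recipient] += t.amount
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)


def trace_outflows(transfers, origin, start, end, tokens, max_hops):
    """Follow outgoing transfers from `origin` hop by hop, in one direction only.

    Returns a list of hops, each a list of Transfers. If an address sends a followed
    token in a tx where it also receives another token (a swap), that token joins the
    followed set and the address is re-queried, so the swapped-for asset is traced
    instead of being hidden by the token filter. The swap counterparty itself is not
    followed, because the value came straight back to the sender.
    """
    followed = set(tokens)
    frontier, visited, hops = {origin}, {origin}, []
    for _ in range(max_hops):
        hop, counterparties = [], set()
        for addr in sorted(frontier):
            outs = outgoing(transfers, addr, start, end, followed)
            while True:  # widen the token set until no new swap output appears
                gained = set()
                for t in outs:
                    gained |= swap_outputs(transfers, addr, t.tx)
                if gained <= followed:
                    break
                followed |= gained
                outs = outgoing(transfers, addr, start, end, followed)
            hop.extend(outs)
            counterparties |= {t.recipient for t in outs if swap_outputs(transfers, addr, t.tx)}
        if not hop:
            break
        hops.append(hop)
        frontier = {t.recipient for t in hop} - visited - counterparties
        visited |= frontier
    return hops


def run_case():
    """The tutorial's configuration: out direction, 2023-02-25 to 2023-02-28, USDC + DATA."""
    return trace_outflows(TRANSFERS, VICTIM, WINDOW_START, WINDOW_END, {"USDC", "DATA"}, max_hops=3)


if __name__ == "__main__":
    hops = run_case()
    for i, hop in enumerate(hops, 1):
        print(f"hop {i}:")
        for t in hop:
            print(f"  {t.sender} -> {t.recipient}: {t.amount} {t.token} ({t.tx})")
    print("ETH by recipient in hop 2:", totals_by_recipient(hops[1], "ETH"))
```

The first hop contains only the two transfers to the phisher (the out-of-window USDC transfer is dropped), and the second hop shows both the swap inputs and the ETH distribution, ranked so that the largest recipient stands out the way offtherip.eth does in the graph above.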

Conclusion

  • Victim: ryanwould.eth (0xc6D330E5B7Deb31824B837Aa77771178bD8e6713)
  • Time: 2023-02-27 22:00
  • Loss Assets: 1,842 USDC, 519,351 DATA
  • Network: Ethereum
  • Funds Target:
    • First Hop: Fake_Phishing11227
    • Second Hop: offtherip.eth, Fake_Phishing76579, Fake_Phishing7064
  • Analysis Time Consumed: <10 min

Use metasleuth.io to make analysis easy and technology cheap.

About MetaSleuth

MetaSleuth is a comprehensive platform developed by BlockSec to assist users in effectively tracking and investigating all crypto activities. With MetaSleuth, users can easily track funds, visualize fund flows, monitor real-time fund movements, save important information, and collaborate by sharing their findings with others. Currently, we support 13 different blockchains, including Bitcoin (BTC), Ethereum (ETH), Tron (TRX), Polygon (MATIC), and more.

Website: https://metasleuth.io/

Twitter: @MetaSleuth

Telegram: https://t.me/MetaSleuthTeam
