• Anomalous trades on FTX

• LINK Trading Volumes Deviations on Huobi

• Crypto in the FinCEN Leak

• October Spike in Crypto Scam Activity — Finland

Anomalous trades on FTX

Order sizes on FTX show a noticeable leading-digit spike, possibly indicating non-standard trading activity on the exchange. The recent order size distribution for COMP (Compound) deviates from other markets and contradicts Benford’s law.

Frequency distribution of leading digits. Spot market COMP token order size Nov 8–10, 2020 (~500,000 events used)

Application of Benford’s Law to Fraud Detection

The ACFE published an article on how to discern naturally occurring statistical deviations from fraud using Nigrini’s tests. Evidence based on Benford’s law has been used in federal and state criminal and regulatory cases.
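The first-digit check described above can be sketched as follows. This is an added example, not NTerminal's or the ACFE's code: it compares observed leading-digit frequencies with Benford's expected values using a chi-square statistic and the mean absolute deviation (MAD). The sample data is constructed, and the 0.015 MAD cutoff (the first-digit nonconformity threshold attributed to Nigrini) and the function names are assumptions not taken from the page.

```python
import math
from collections import Counter

# Benford's expected first-digit probabilities: P(d) = log10(1 + 1/d)
BENFORD = {d: math.log10(1 + 1 / d) for d in range(1, 10)}
CHI2_CRIT_DF8 = 15.507     # chi-square critical value, 8 degrees of freedom, alpha = 0.05
MAD_NONCONFORMITY = 0.015  # assumed first-digit MAD cutoff for nonconformity

def leading_digit(x):
    """First significant digit of a non-zero number (0.0042 -> 4, 4.2e7 -> 4)."""
    # 16 significant digits keeps 0.3 (stored as 0.29999...) from reading as 2.
    return int(f"{abs(x):.15e}"[0])

def benford_test(sizes):
    """Return (observed first-digit frequencies, chi-square statistic, MAD)."""
    digits = [leading_digit(s) for s in sizes if s and math.isfinite(s)]
    n = len(digits)
    if n == 0:
        raise ValueError("no usable order sizes")
    counts = Counter(digits)
    observed = {d: counts[d] / n for d in BENFORD}
    chi2 = sum((counts[d] - n * p) ** 2 / (n * p) for d, p in BENFORD.items())
    mad = sum(abs(observed[d] - p) for d, p in BENFORD.items()) / len(BENFORD)
    return observed, chi2, mad

def constructed_organic(n=10_000):
    """Constructed sample: sizes spread log-uniformly over 0.1 .. 1000."""
    return [10 ** (-1 + 4 * (i + 0.5) / n) for i in range(n)]

def constructed_spiked(n=10_000, extra=3_000):
    """Constructed sample: organic flow plus repetitive orders sized 5.00 .. 5.99."""
    return constructed_organic(n) + [5 + (i % 100) / 100 for i in range(extra)]

if __name__ == "__main__":
    for name, sizes in (("organic", constructed_organic()), ("spiked", constructed_spiked())):
        observed, chi2, mad = benford_test(sizes)
        flag = "REVIEW" if mad > MAD_NONCONFORMITY else "ok"
        print(f"{name:8s} chi2={chi2:10.1f} MAD={mad:.4f} {flag}")
        for d in BENFORD:
            print(f"  {d}: observed {observed[d]:.3f}  expected {BENFORD[d]:.3f}")
```

With samples as large as the ~500,000 events used above, the chi-square statistic flags even very small deviations, so MAD is the more informative of the two measures at that scale.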

Typically, frequency distributions for logged trade volumes have a near-linear relationship with a negative slope and a long tail (at the high end of trade size). As an example, in comparing LINK trading activity, the distribution on Huobi stands out when compared to other high-liquidity exchanges.

Frequency distribution of trading volumes of LINK token on Coinbase, Binance, Huobi exchange Oct 10 — Nov 10, 2020. Source: NTerminal

Exchanges or token creators can use trading algorithms that increase trading volumes to create an impression of a more active market. Many of the more simplistic and standardized methods of anomaly detection, such as aggregate raw trade-size distribution analysis, can be rendered ineffectual by more sophisticated wash trading schemes. Significant deviations from the theoretical power-law distribution in published trade volumes may be a reason for closer inspection.

Crypto in the FinCEN Leak

Our investigations team went through the FinCEN leak and found a few suspiciously similar transactions on the Bitcoin blockchain. By looking at the transaction sizes and timestamps, NTerminal matches senders (originator banks) and receivers (beneficiary banks) mentioned in Suspicious Activity Reports (SARs) to specific blockchain addresses and business entities:

Blockchain and flagged bank transaction volume (USD) streams overlapped in the common time period, Jan — Dec, 2016. Source: NTerminal

More cases with corroborating evidence, indicating that the flagged participants are likely using Bitcoin, can be found in the recent Inca Investigation Team post. The results highlight the importance of publicly available data and systems capable of correlating large datasets when performing fraud analysis.

October Spike in Crypto Scam Activity — Finland

Traditionally, the United States and Russia lead in reported crypto scam activity. However, there was a recent spike in scams targeting Finland.

The number of reported abuse cases by country. Source: bitcoinabuse.com, which tracks bitcoin addresses used by ransomware, blackmailers and fraudsters. Source: NTerminal

Such a spike may be explained by the recent leak of data on 50,000 patients of Finnish mental health services provider Vastaamo. The data breach was discovered after many patients received messages threatening to publish personal data unless a bitcoin ransom was paid. Vastaamo admitted to losing their patients’ data 2 weeks ago. This resulted in thousands of fraud reports submitted to bitcoinabuse.com and at least 6 ransom transactions totaling 0.467 BTC paid to the scammers.

Many of these reports are associated with a coordinated effort. Ransom attacks were conducted via the email “[email protected]”, which threatened to release patient records, therapy notes, and personal data. Blackmailer(s) sent Finnish emails demanding a payment of “200 euros during the first 24 hours or 500 euros during 48 hours in order to destroy our data.”
