Crypto Trading Investigation: A Deeper Look at Chainlink (LINK)

Executive Summary

The aim of this report is to illuminate how on-chain data can be utilized to provide insight into the overall health and behavior of any given token that is being traded on the market.

Utilizing our suite of proprietary analytics tools, we can uncover relationships, correlations, and metrics to create insight into token transactions, token market price, and suspicious address activity that can often drive token market price fluctuations.

Disclaimer

You, the reader, understand that you are using any and all information available here at your own risk. The information provided within this report does not constitute investment advice, financial advice, trading advice, or any other sort of advice and should not be regarded or cited as such.

Chainlink (LINK)

admin: 0xf5501780 ; addresses affiliated with token issuer

Transaction Analysis

The reasoning behind this chosen timeframe is simple: in order to best determine the behavior of any given price fluctuation one must analyze the transaction dataset prior to any substantial price movement. If one were to front-run this price movement, the best (or last) time to accumulate would have been between April 1 and July 15, 2019..

Image for post
Image for post
LINK Price Action; CoinMarketCap

Within this timeline, there are a total of 111,858 transactions recorded on the LINK network. By decoding the input data of each transaction, we can see that the contract function calls are distributed among the functions presented in Figure 1, below:

Image for post
Image for post
Figure 1

Among the total 111,858 transactions, there are 110,947 transactions that have been successfully confirmed. That equates to a 99.19% transaction confirmation ratio.

Among these successful transactions, the contract function calls are distributed as shown in Figure 2, below.

Image for post
Image for post
Figure 2

The total volume of tokens transferred between April 1 and July 15, 2019 was 665,961,964. During this timespan, several unusual spikes in transaction volume are observable. Abrupt spikes taking place in such a short timespan are often indicators of anomalous activity, as clearly observed in Figures 3 and 4.

Image for post
Image for post
Figure 3 — Dated histogram of total successful unique transactions.
Image for post
Image for post
Figure 4 — Dated histogram of total failed transactions.

This behavior must be noted not only in the context of suspiciously inflated unique transactions, but also in the uncanny similarity in gross transaction volume between spikes as illustrated in Figures 5 and 6.

Image for post
Image for post
Figure 5 — Dated histogram of successful transaction volume.
Image for post
Image for post
Figure 6 — Dated histogram of failed transaction volume.

According to the charts provided above, we can see that both transfer volume and transaction count spiked around June 13, June 28, June 30, and July 9, 2019.

The spikes are dramatic, sudden, and to a shocking degree, nearly identical in size, duration, and scale. As for failed transactions, they consistently rise in accordance with total transaction count. This is in no way consistent with normal market behavior, and is representative of coordinated behavior.

The notability of this behavior is further compounded by the dramatic price action that immediately follows the latter spike in particular, ultimately culminating in the price peak of $4.45 on June 29th, 2019 09:34:01 PST prior to a precipitous drop over the ensuing weeks.

We believe that this unusual pattern of transaction volume, price action, and timing is representative of a coordinated pump and dump price manipulation.

What is Pump and Dump?

This artificially inflated demand triggers a dramatic increase in the price of the aforementioned asset, and is often accompanied by an influx of unknowing investors who are unaware of the manipulated nature of the spike. Often this phase is augmented through the proliferation of misleading positive statements or recommendations by experts, further driving casual traders to market.

Ultimately, the perpetrators dump their shares, flooding the market and overwhelming organic demand. At this point the share price of the asset plummets, leaving ordinary investors holding now heavily devalued shares.

Cryptocurrencies tend to be exceptionally vulnerable to this form of attack, as coins are often heavily concentrated in the hands of a comparatively small number of individuals, whose market activities can dramatically impact the coin price. When groups of these individuals collaborate, their combined market influence can easily manipulate market pricing.

While pump and dump manipulations are illegal and highly policed in the legacy economy, no such regulations exist in the crypto economy.

Masking Techniques: Exploiting the ‘Coinbase Effect’

Image for post
Image for post
Figure 7

Starting on June 26th, 12:27:00 PST, nearly two days before the announcement of the LINK token’s impending listing on Coinbase, a cluster of addresses (hereafter referred to as Group 101) began to accumulate large quantities of Ethereum (ETH). None of the addresses in Group 101 had any previous transactions, and all of the associated ETH was sourced from mining nodes, a technique that is highly suggestive of concealment effort.

From June 27th to June 29th, Group 101 collectively purchased 11,000,000 LINK via Binance, comprising nearly 10% of all transaction volume across this span. This activity can be observed below in Figure 8

Image for post
Image for post
Figure 8Graphistry;Transaction Map for June 26–30th

Over the following days, these addresses funneled their collectively purchased LINK through a series of jump addresses in an apparent effort to mask their collusive activity. Ultimately, the purchased LINK was accumulated in three holding addresses (hereafter referred to as Group 102), two containing 4,000,000 LINK each, and a third containing 3,000,000 LINK. Prior to receiving this LINK, none of the aforementioned holding addresses comprising Group 102 had any previous transaction history.

Image for post
Image for post
Figure 9Graphistry; Group 101, Group 102, jump addresses, and the Binance exchange.

The collaborative behavior of these addresses is highly suggestive of coordinated action by a single controlling party. The first accumulation of LINK by this cluster of addresses precedes the Coinbase listing announcement by more than twenty-four hours, suggesting that the culprit has exploited privileged information, utilizing the predictable hype surrounding the announcement to mask otherwise blatant market manipulation.

Address Analysis and Exchange Distribution

Using our TAP/BEI platform, we detected the following hacker/phishing address:

Image for post
Image for post

We also detected 28 unique addresses associated with exchanges. The distribution of transaction count and volume amongst these exchanges is shown below in Figure 10.

Image for post
Image for post
Figure 10

The total successful transfer volume is 1.7647E+62 tokens, most of which are to private addresses. The 28 exchange addresses contributed 3.21E+08 tokens.

Distribution of the volume can be found below in Figure 11.

Image for post
Image for post
Figure 11

It is not atypical for Binance activity to account for the majority of transaction volume of this particular token. As can be seen below in Figure 12, Binance transactions regularly represent a large proportion of total LINK activity.

Image for post
Image for post
Figure 12

However, while it is not at all unusual for Binance activity to account for large proportions of the LINK token’s total activity under normal conditions, further examination of periods between June 27th through June 29th, 2019 and July 8th, through July 19th, 2019 reveals a truly disproportionate volume of token movement associated with Binance, as can be observed below in Figure 13.

Image for post
Image for post
Figure 13

An examination of daily outflow volume for the months of June and July 2019 reveals anomalous and largely disproportionate LINK outflow through the Binance exchange. The timing of each spike corresponds with both dramatic price action spikes in the LINK token, in addition to the coordinated transaction behavior of Group 101 and Group 102.

Transaction Flow Analysis: Mechanism of Action

Image for post
Image for post

Examining the number of transactions and overall volume, we observe a corresponding hike starting on June 28, 2019, seen in Figures 14 and 15 below.

Image for post
Image for post
Figure 14
Image for post
Image for post
Figure 15

As seen above in Figures 14 and 15, focusing closer on the time range between June 27–30, 2019 immediately reveals a small number of addresses representing Group 101 and Group 2012 (eg. 0x56d08812 in Figure 16), which account for a large proportion of LINK transferred in.

This presents reason to suspect that these addresses are performing a coordinated pump of LINK’s price on a particular exchange by purchasing large quantities of the token.

Next, we track down the source of the LINK being traded, which ultimately originates from Binance exchange (0x0681dbbf in Figure 16). Examining the interactions between the suspicious address (0x56d08812) and the exchange address (0x0681dbbf), we observe that multiple jump addresses are used to mask the token flow; often an indicator of a user trying to cover his/her tracks and remain undetected.

Another traceable path is the ETH gas fee trace (represented by horizontal flows in Figure 16). By examining the small amounts of ETH transfer flows used for token transfer gas fees, we can see that all the ETH sent to the jump addresses are sourced from mining nodes (0xea678ec8, 0x2a658226). This is a sophisticated tactic that hides the player’s real address.

Below is a flow chart of the two tracing paths:

Horizontal flows represent ETH transfer flow. Vertical flows represent LINK transfer flow.

Image for post
Image for post
Figure 16

While selling action from Chainlink’s admin addresses is already well-documented, and the company’s official statement on the matter is backed by the whitepaper, it must be mentioned when discussing the price action of the LINK token.

Between July 2–26, 2019, a group of admin addresses, hereafter referred to as Group 201, executed 12 separate transactions of 700,000 LINK apiece. These transactions entered a holding wallet prior to over 4 million of the aforementioned LINK moving through a series of jump addresses before ultimately hitting the Binance exchange.

Whether or not these transactions had any affiliation to the prior pump, there is no question that such sizable sales impacted the price of the token during this period.

Image for post
Image for post
Figure 17 Graphistry; Group 201, a holding wallet, and jumps to Binance

Implications

While we have the necessary capabilities to identify pump and dump manipulations as they occur, affiliating these activities with tangible entities is the natural next step in the progression. The crucial identifying information lies in the hands of the exchanges on which these wallets operate, and in the off-chain data which we cannot access. We can, however, draw valuable conclusions pertaining to the executing party from the nature of this manipulation.

  1. The executing party has access to privileged information and insider news.
  2. The executing party has sufficient ability, resources, and capital to source enough mined ETH to purchase 11 million LINK.
  3. The executing party operates primarily through the Binance exchange.

As previously mentioned, the manipulation is currently entirely legal, but it is without question that regulatory oversight will close this loophole and demand greater transparency as cryptocurrency continues to expand and legitimize itself. Moving forward we would recommend that exchanges exercise enhanced diligence towards market manipulating actors, and that the blockchain industry as a whole take a stance of proactivity towards self-regulation and market monitoring.

Conclusion

The implications of these discoveries are far-reaching: beyond the ability to uncover and blacklist users and addresses involved in collusion and market manipulation, from a security perspective comprehensive analytics of this nature can be utilized predictively, allowing for high-velocity responses to market trends and protracted surveillance of addresses with a history of anomalous behavior.

Whereas traditional scanning techniques are thwarted by obfuscation and concealment strategies, AnChain’s analytics platform is able to trace activity directly to the source, whether it be to an exchange, coordinated scheme, mining pool, individual user, etc.

Our platform can be used to identify and profile unique addresses by behavior and cluster them based on their collective behavior, opening the door to ongoing monitoring and near-instantaneous informed action on capital flows large and small throughout the crypto economy.

About AnChain.AI

Feel free to reach out to us directly at: info@anchain.ai

With extensive experience in cybersecurity, artificial intelligence, cloud computing, and big data AnChain is continuously securing top-tier crypto exchanges, protocols, investors, custodians, and enterprise with our Blockchain Ecosystem Intelligence.

A special thanks to Graphistry for powering some of the graphics displayed in this piece.

Written by

Blockchain data analytics firm providing security, risk, and compliance solutions.

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store