Crypto Trading Investigation: A Deeper Look at Chainlink (LINK)
This analysis was conducted by the AnChain team between July 8–15, 2019 and is now being made available to the public. The purpose of this analysis is to review the trading activity around LINK and highlight our ability to produce actionable indicators and insight on the flow and price fluctuations of various tokens.
The aim of this report is to illuminate how on-chain data can be utilized to provide insight into the overall health and behavior of any given token that is being traded on the market.
Utilizing our suite of proprietary analytics tools, we can uncover relationships, correlations, and metrics to create insight into token transactions, token market price, and suspicious address activity that can often drive token market price fluctuations.
While AnChain continuously strives to ensure the accuracy of the information used in our reports, we will not be held responsible for any missing or inaccurate information. AnChain provides all information as is.
You, the reader, understand that you are using any and all information available here at your own risk. The information provided within this report does not constitute investment advice, financial advice, trading advice, or any other sort of advice and should not be regarded or cited as such.
contract: 0x514986ca ; address affiliated with token’s contract
admin: 0xf5501780 ; addresses affiliated with token issuer
We have performed our analysis using transaction data collected between April 1, 2019 and July 15, 2019 on the LINK token.
The reasoning behind this chosen timeframe is simple: in order to best determine the behavior of any given price fluctuation one must analyze the transaction dataset prior to any substantial price movement. If one were to front-run this price movement, the best (or last) time to accumulate would have been between April 1 and July 15, 2019..
Within this timeline, there are a total of 111,858 transactions recorded on the LINK network. By decoding the input data of each transaction, we can see that the contract function calls are distributed among the functions presented in Figure 1, below:
Among the total 111,858 transactions, there are 110,947 transactions that have been successfully confirmed. That equates to a 99.19% transaction confirmation ratio.
Among these successful transactions, the contract function calls are distributed as shown in Figure 2, below.
The total volume of tokens transferred between April 1 and July 15, 2019 was 665,961,964. During this timespan, several unusual spikes in transaction volume are observable. Abrupt spikes taking place in such a short timespan are often indicators of anomalous activity, as clearly observed in Figures 3 and 4.
This behavior must be noted not only in the context of suspiciously inflated unique transactions, but also in the uncanny similarity in gross transaction volume between spikes as illustrated in Figures 5 and 6.
According to the charts provided above, we can see that both transfer volume and transaction count spiked around June 13, June 28, June 30, and July 9, 2019.
The spikes are dramatic, sudden, and to a shocking degree, nearly identical in size, duration, and scale. As for failed transactions, they consistently rise in accordance with total transaction count. This is in no way consistent with normal market behavior, and is representative of coordinated behavior.
The notability of this behavior is further compounded by the dramatic price action that immediately follows the latter spike in particular, ultimately culminating in the price peak of $4.45 on June 29th, 2019 09:34:01 PST prior to a precipitous drop over the ensuing weeks.
We believe that this unusual pattern of transaction volume, price action, and timing is representative of a coordinated pump and dump price manipulation.
What is Pump and Dump?
Pump and dump is a form of microcap fraud in which the price of an asset, often of low market cap and share volume, is manipulated by a group of coordinated actors through a series of high-volume purchases.
This artificially inflated demand triggers a dramatic increase in the price of the aforementioned asset, and is often accompanied by an influx of unknowing investors who are unaware of the manipulated nature of the spike. Often this phase is augmented through the proliferation of misleading positive statements or recommendations by experts, further driving casual traders to market.
Ultimately, the perpetrators dump their shares, flooding the market and overwhelming organic demand. At this point the share price of the asset plummets, leaving ordinary investors holding now heavily devalued shares.
Cryptocurrencies tend to be exceptionally vulnerable to this form of attack, as coins are often heavily concentrated in the hands of a comparatively small number of individuals, whose market activities can dramatically impact the coin price. When groups of these individuals collaborate, their combined market influence can easily manipulate market pricing.
While pump and dump manipulations are illegal and highly policed in the legacy economy, no such regulations exist in the crypto economy.
Masking Techniques: Exploiting the ‘Coinbase Effect’
While it is tempting to immediately attribute such price action to natural market forces, such as positive press and the oft-discussed ‘Coinbase Effect’, the on-chain data reveals coordinated activity that significantly pre-dates the associated press release. The evidence may even suggest the exploitation of the ‘Coinbase Effect’ and media hype as a masking and concealment agent for underlying manipulation. A timeline containing key transactional landmarks alongside the LINK token’s price action can be found in Figure 7 below.
Starting on June 26th, 12:27:00 PST, nearly two days before the announcement of the LINK token’s impending listing on Coinbase, a cluster of addresses (hereafter referred to as Group 101) began to accumulate large quantities of Ethereum (ETH). None of the addresses in Group 101 had any previous transactions, and all of the associated ETH was sourced from mining nodes, a technique that is highly suggestive of concealment effort.
From June 27th to June 29th, Group 101 collectively purchased 11,000,000 LINK via Binance, comprising nearly 10% of all transaction volume across this span. This activity can be observed below in Figure 8
Over the following days, these addresses funneled their collectively purchased LINK through a series of jump addresses in an apparent effort to mask their collusive activity. Ultimately, the purchased LINK was accumulated in three holding addresses (hereafter referred to as Group 102), two containing 4,000,000 LINK each, and a third containing 3,000,000 LINK. Prior to receiving this LINK, none of the aforementioned holding addresses comprising Group 102 had any previous transaction history.
The collaborative behavior of these addresses is highly suggestive of coordinated action by a single controlling party. The first accumulation of LINK by this cluster of addresses precedes the Coinbase listing announcement by more than twenty-four hours, suggesting that the culprit has exploited privileged information, utilizing the predictable hype surrounding the announcement to mask otherwise blatant market manipulation.
Address Analysis and Exchange Distribution
A total of 30,054 different addresses successfully initiated transfers.
Using our TAP/BEI platform, we detected the following hacker/phishing address:
We also detected 28 unique addresses associated with exchanges. The distribution of transaction count and volume amongst these exchanges is shown below in Figure 10.
The total successful transfer volume is 1.7647E+62 tokens, most of which are to private addresses. The 28 exchange addresses contributed 3.21E+08 tokens.
Distribution of the volume can be found below in Figure 11.
It is not atypical for Binance activity to account for the majority of transaction volume of this particular token. As can be seen below in Figure 12, Binance transactions regularly represent a large proportion of total LINK activity.
However, while it is not at all unusual for Binance activity to account for large proportions of the LINK token’s total activity under normal conditions, further examination of periods between June 27th through June 29th, 2019 and July 8th, through July 19th, 2019 reveals a truly disproportionate volume of token movement associated with Binance, as can be observed below in Figure 13.
An examination of daily outflow volume for the months of June and July 2019 reveals anomalous and largely disproportionate LINK outflow through the Binance exchange. The timing of each spike corresponds with both dramatic price action spikes in the LINK token, in addition to the coordinated transaction behavior of Group 101 and Group 102.
Transaction Flow Analysis: Mechanism of Action
Starting on June 28, 2019 the token’s market price begins to rise quite dramatically.
Examining the number of transactions and overall volume, we observe a corresponding hike starting on June 28, 2019, seen in Figures 14 and 15 below.
As seen above in Figures 14 and 15, focusing closer on the time range between June 27–30, 2019 immediately reveals a small number of addresses representing Group 101 and Group 2012 (eg. 0x56d08812 in Figure 16), which account for a large proportion of LINK transferred in.
This presents reason to suspect that these addresses are performing a coordinated pump of LINK’s price on a particular exchange by purchasing large quantities of the token.
Next, we track down the source of the LINK being traded, which ultimately originates from Binance exchange (0x0681dbbf in Figure 16). Examining the interactions between the suspicious address (0x56d08812) and the exchange address (0x0681dbbf), we observe that multiple jump addresses are used to mask the token flow; often an indicator of a user trying to cover his/her tracks and remain undetected.
Another traceable path is the ETH gas fee trace (represented by horizontal flows in Figure 16). By examining the small amounts of ETH transfer flows used for token transfer gas fees, we can see that all the ETH sent to the jump addresses are sourced from mining nodes (0xea678ec8, 0x2a658226). This is a sophisticated tactic that hides the player’s real address.
Below is a flow chart of the two tracing paths:
Horizontal flows represent ETH transfer flow. Vertical flows represent LINK transfer flow.
While selling action from Chainlink’s admin addresses is already well-documented, and the company’s official statement on the matter is backed by the whitepaper, it must be mentioned when discussing the price action of the LINK token.
Between July 2–26, 2019, a group of admin addresses, hereafter referred to as Group 201, executed 12 separate transactions of 700,000 LINK apiece. These transactions entered a holding wallet prior to over 4 million of the aforementioned LINK moving through a series of jump addresses before ultimately hitting the Binance exchange.
Whether or not these transactions had any affiliation to the prior pump, there is no question that such sizable sales impacted the price of the token during this period.
It is likely that sophisticated price manipulations of this nature are not unusual in the cryptocurrency ecosystem at large. This manipulation in particular, however, demonstrates that even highly-reputable projects are vulnerable to coordinated tampering due to the inherently low market cap of all but the largest cryptocurrencies.
While we have the necessary capabilities to identify pump and dump manipulations as they occur, affiliating these activities with tangible entities is the natural next step in the progression. The crucial identifying information lies in the hands of the exchanges on which these wallets operate, and in the off-chain data which we cannot access. We can, however, draw valuable conclusions pertaining to the executing party from the nature of this manipulation.
- The executing party has access to privileged information and insider news.
- The executing party has sufficient ability, resources, and capital to source enough mined ETH to purchase 11 million LINK.
- The executing party operates primarily through the Binance exchange.
As previously mentioned, the manipulation is currently entirely legal, but it is without question that regulatory oversight will close this loophole and demand greater transparency as cryptocurrency continues to expand and legitimize itself. Moving forward we would recommend that exchanges exercise enhanced diligence towards market manipulating actors, and that the blockchain industry as a whole take a stance of proactivity towards self-regulation and market monitoring.
The inherent immutability of the blockchain allows for deep analysis of marketplace activity and network interaction. Utilizing our analytics capabilities and proprietary platform, we are able to construct a directory of key addresses, affiliations, and transaction pathways in order to create a clear picture of the many moving pieces behind various token price movements.
The implications of these discoveries are far-reaching: beyond the ability to uncover and blacklist users and addresses involved in collusion and market manipulation, from a security perspective comprehensive analytics of this nature can be utilized predictively, allowing for high-velocity responses to market trends and protracted surveillance of addresses with a history of anomalous behavior.
Whereas traditional scanning techniques are thwarted by obfuscation and concealment strategies, AnChain’s analytics platform is able to trace activity directly to the source, whether it be to an exchange, coordinated scheme, mining pool, individual user, etc.
Our platform can be used to identify and profile unique addresses by behavior and cluster them based on their collective behavior, opening the door to ongoing monitoring and near-instantaneous informed action on capital flows large and small throughout the crypto economy.
A blockchain data analytics firm providing intelligence, indicators, and investigative resources for clients to enhance their security, risk, and compliance strategies.
Feel free to reach out to us directly at: firstname.lastname@example.org
With extensive experience in cybersecurity, artificial intelligence, cloud computing, and big data AnChain is continuously securing top-tier crypto exchanges, protocols, investors, custodians, and enterprise with our Blockchain Ecosystem Intelligence.
A special thanks to Graphistry for powering some of the graphics displayed in this piece.