FairWin Scam Smart Contract Coinpath Investigation​

What if you see a smart contract in Ethereum blockchain with the following impressive activity:

• More than 500K ETH coin flow for less than a month (around $100M / month)
• More than 60K ETH per day (around $10M / day)
• More than 400K transactions, with significant gas prices

You probably will be thinking that this is another ICO or some new Vitalik project… NO! This is a scam smart contract, mockingly called "FairWin".

And here it is along with September,2019 activity, daily :

Fairwin scam: September activity of FairWin smart contract. Source: Bloxy.info This is so called "Ponzi scheme" type of scam, where gullible people send their money in the wait to multiply them in a short term. This is totally a crowd manipulation technique, when everybody believes he is smarter than others.

Running ahead will note, that now it is totally dead, emptied, and not interesting to track. However the historical data worth analyzing.

The balance history of the contract can be seen on Portfolio analysis tab of the page on bloxy.info:

Fiarwin scam: Balance on smart contract, by day. Source: Bloxy.info

The pattern for this balance graph is very clear — contract has an "accumulating" period, when it accumulates the funds from people, some “plato” to identify that the growth is not developing anymore, and abrupt "fall". During the fall, most of the people are loosing the previously invested money.

We have a hypothesis, that the accumulating money on the smart contract was actually done with the help of artificially created deposits and withdraws. The money could be cycled many times to make an impression of constant activity and growth. It forced other people to believe that there are many other actors, involved in the scam.

Checking this hypothesis is not easy, as there are hundreds thousands transactions from a similar count of addresses for this smart contract, with very distinct amounts and behaviors.

We applied the advanced Coinpath® technology from Bloxy.info to build a graph of the money flow. We place two goals in this investigation to identify:

• abnormal patterns of money flow during the “accumulating” phase, in particular “loops” and automated activities
• where money actually gone on “fall” period, find the main beneficiaries of the scam

Coinpath® is accessible as a set of API endpoints from the Bloxy.info web site. However, it does not require any software or programming efforts to use

Looking for end to end Crypto investigation tool? Explore Coinpath Moneyflow, built for investors and law enforcement agencies. Check it out here!

Where is the money from?

This contract has 57,691 inbound transactions, depositing Ethereum, with the amount of 693 K Eth in total. The question is where these 693K ETH, which is by the way around $100M, came from?

We use the Coinpath® method "Inbound addresses, sending coin or tokens to an address in a number of hops":

Set of API endpoints for Coinpath® Bloxy API

This methods tracks the money of one or multiple tokens, received by the specific address. It goes more than one level, identifying which particular transactions participated in amount received by the address under investigation. For FairWin we get the following list of top contributors:

Fairwin scam: Source addresses for FairWin. Source Bloxy.info Coinpath API

What you first see is that all of them except the one (#7) did not participate directly. The min Hop value is 2, meaning that between the address and FairWin was at least one intermediary address, which actually sent ETH to smart contract.

Most of these addresses are not exchanges. The first exchange found is #10, Gate.io. It means, that they collected funds on address before the game begins, and did not withdraw from exchange. All of top 10 addresses are high volume & balance addresses. If you are curious of further looking on them, here is a short list:

• https://bloxy.info/address/0x137ad9c4777e1d36e4b605e745e8f37b2b62e9c5
• https://bloxy.info/address/0x5861b8446a2f6e19a067874c133f04c578928727
• https://bloxy.info/address/0xd8a83b72377476d0a66683cde20a8aad0b628713
• https://bloxy.info/address/0x926fc576b7facf6ae2d08ee2d4734c134a743988

If you look at statistics for these addresses, they all look very similar in volumes and patters. As example, compare these 2 graphs of activities for 0xd8a83b72377476d0a66683cde20a8aad0b628713 and 0x926fc576b7facf6ae2d08ee2d4734c134a743988:

https://bloxy.info/address/0x926fc576b7facf6ae2d08ee2d4734c134a743988

https://bloxy.info/address/0xd8a83b72377476d0a66683cde20a8aad0b628713

There is a very high probability they all belongs to the same person or organization.

How is the game going?

What about the direct participants in the game? We will now look on a more detailed graph of the money flow using a different Coinpath® method, "Inbound Money Address Graph". It builds the graph of the money flow, starting from the FairWin smart contract and looking for all inbound money transfers, tracking the money for multiple hops from it.

The result can be exported as CSV, JSON, or in GEFX XML format, used for the graph investigation. The graph then can be exported to the tools like Gephi or processed using C++, R, Python and any other language.

We loaded the graph of inbound graph in Gephi, and filtered just the most connected participants using K-core algorithm and Fruchteman Reingold Layout technique. Here is the graph we get in a result:

Fiarwin scam: Graph of major active participants in FairWin game

This "blowball" has some remarkable features:

• The center of it is FairWin smart contract, which receives from and sends ETH to other addresses. The red arrows means higher volume transactions, the blue means lower volume.
• Most other addresses are organized in “clouds”. They exchange money between each other in a very random way, working as a “money mixer”. We previously seen several of them, including the Large Ethereum Mixer.

Selecting just one of the "top" addresses that we identified as top sources, we get the graph, showing how many intermediary participants were "funded"from this source:

Fiarwin scam: Graph filtered by the one of top addresses

The source address 0x137ad9c4777e1d36e4b605e745e8f37b2b62e9c5 did not contributed directly, but through the huge number of addresses. The same story with the other top addresses from the list above.

We can give more dynamics to this using wonderful Gephi tool feature of “timeline”. This allows to build a series of snapshots, or even the movie of how the graph was developed:

Fairwin scam money flow

The video of the complete story can be seen at youtube

Who get all the money?

I mean not directly, but in a result…see what i mean? Most of the money withdrawn from the smart contract were forwarded to a limited set of top addresses, some of them we already see in source addresses:

Outbound addresses, received coin or tokens from an address in a number of hops, source: Coinpath

Here the minimum number of hops is 3, that is there are at least 2 intermediary addresses between it and the FairWin.

Conclusions

It was exciting experience to make this analytics, as FairWin case shown many features, that are well known, but hardly can be found in one place:

• Definitely the network around FairWin smart contract was artificially generated. Most of the money was fed into by several top addresses and distributed using a series of intermediary addresses
• The network originated from the funds, received from the previous version of FairWin smart contract, which was active in July, 2019;
• In addition, some sort of mixer was used, as a set of hundreds of addresses moving money between in some random manner.

Technology support as Coinpath® from Bloxy.info and Gephi graph analytical tools is essential to make such kind of analysis. The number of transactions does not allow to operate this manually, and the complexity of patterns requires sophisticated algorithms to use.

This article was composed of the data and by analytical tools from Bloxy.info analytical engine BLADE. Bloxy.info web site provides a set of tools for analytics, traders, companies, and crypto enthusiasts.

The tools include Bitquery, a set of APIs, Coinpath®, dashboards, and search engines. All information is available on the Bloxy website, providing accurate data, indexed directly from the blockchain live node.

Bloxy’s mission is to make blockchain more transparent and accessible to people and businesses. Please, make a reference to the source of data when referencing this article.