J. Wang, Takayuki Sasaki, Kazumasa Omote, K. Yoshioka, Tsutomu Matsumoto
Title: Multifaceted Analysis of Malicious Ethereum Accounts and Corresponding Activities
Published in: 2022 6th International Conference on Cryptography, Security and Privacy (CSP), 2022-01-01
DOI: 10.1109/csp55486.2022.00022 (https://doi.org/10.1109/csp55486.2022.00022)
Citation count: 0
Abstract
In recent years, Ethereum, one of the leading applications of blockchain technology, has received a great deal of attention for its usability and its ability to execute smart contracts (arbitrary programmable computations) in addition to cryptocurrency trading. However, misconfigured Ethereum clients with an application programming interface (API) enabled, JSON-RPC in particular, are targeted by cyberattacks. In this research, we propose a new framework to detect malicious and suspicious Ethereum accounts using 3 different data sources (honeypot, Internet-wide scanner and blockchain explorer). The honeypot, named Etherpot, utilizes a proxy server placed between a real Ethereum client and the Internet. It modifies responses from the Ethereum client to attract attackers, identifies malicious accounts and analyzes their behaviors. With the Internet-wide scan results from Shodan, we also detect suspicious Ethereum accounts that are registered on multiple nodes. Finally, we utilize Etherscan, a well-known blockchain explorer for Ethereum, to track and analyze the activities related to the detected accounts. Over 6 weeks of observation, we observed 538 hosts trying to call the JSON-RPC of our honeypots with 41 different types of methods, including 2 types of unreported attacks in the wild. We detected 16 malicious accounts from the honeypots and 64 suspicious accounts from Shodan scan results, 5 of which overlap. Finally, from Etherscan, we collected records of activities related to the detected accounts, including transactions of 21.50 ETH and mining of 22.61 ETH (equivalent to 167,560 USD at the rate of 2021/10/14). To this end, we provide a much clearer view of malicious activities on Ethereum.