On-Chain Behavioral Taxonomy of Malicious Actors
Three published papers establishing a classification framework for malicious on-chain actors by behavioral signature rather than address label — applicable to incident triage, KYT rule design, and investigative methodology.

Background
Most on-chain threat identification relies on labeled address databases — known drainer wallets, flagged mixer outputs, exchange hot wallets. This works until a threat actor deploys fresh infrastructure. The question this series addresses: what behavioral patterns persist across fresh wallets, and how reliably can those patterns distinguish actor type before any label exists?
Paper 1 — Drainer Behavioral Signatures
Establishes the repeatable infrastructure pattern behind phishing drainers on EVM chains: vanity address clustering, operator hub seeding behavior, short operational lifespan before fund consolidation, and characteristic timing intervals between victim drain and bridge hop.
Key finding: fresh drainer wallets exhibit a statistically distinguishable seeding pattern (single funding transaction from a hub, no prior history) that precedes every drain event in the sample set.
Paper 2 — MEV Bot Identification Without Labels
Maps the transaction-level behavioral signature of sandwich bots and arbitrage contracts: sub-block timing, gas bid patterns relative to target transactions, and the contract interaction fingerprint that distinguishes automated MEV from manual trading at similar volumes.
Key finding: MEV contracts cluster tightly on three behavioral axes (timing precision, gas multiplier, contract age at first profitable transaction) in ways that manual actors cannot replicate at scale.
Paper 3 — Wash Trading Coordination Patterns
Identifies the on-chain coordination signatures of organised wash trading across NFT and low-cap token markets: wallet age homogeneity within a trading cluster, round-trip fund flows, and the timing correlation between coordinated buy/sell pairs that distinguishes wash volume from genuine liquidity.
Key finding: wash trading clusters share a funding provenance signature — wallets within a cluster are disproportionately funded from the same upstream address within a narrow time window — that persists even when traders attempt to obscure coordination through intermediary hops.
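The two funding-provenance findings above (Paper 1's single-hub seeding of fresh drainer wallets, Paper 3's shared upstream funder within a narrow time window) can both be expressed as checks over a wallet's funding history. The following Python is an added illustration written for this summary, not code from the papers or their authors: the ledger, the addresses (hubA, hubB, exchangeX, w1 and so on), the block window and the cluster threshold are all constructed, and the heuristics are simplified stand-ins for the papers' actual criteria.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Tx:
    """Minimal native-token transfer; block number stands in for time."""
    block: int
    sender: str
    recipient: str
    value: float


# Constructed sample ledger (hypothetical addresses, not real chain data).
SAMPLE_TXS = [
    Tx(10, "exchangeX", "w_old", 2.0),       # long-lived wallet with history
    Tx(20, "w_old", "dexRouter", 0.5),
    Tx(30, "dexRouter", "w_old", 0.4),
    Tx(100, "hubA", "w1", 0.05),             # hubA seeds three fresh wallets
    Tx(101, "hubA", "w2", 0.05),             # within a few blocks of each other
    Tx(103, "hubA", "w3", 0.05),
    Tx(100, "hubB", "w4", 0.05),             # hubB funds two wallets, but
    Tx(5000, "hubB", "w5", 0.05),            # thousands of blocks apart
    Tx(150, "w1", "consolidation", 1.7),     # w1's first outbound hop
    Tx(160, "w_old", "consolidation", 1.0),  # w_old moves funds too
]


def first_inbound(txs):
    """Map each address to its earliest inbound transfer (its funding event)."""
    first = {}
    for tx in sorted(txs, key=lambda t: t.block):
        first.setdefault(tx.recipient, tx)
    return first


def history_before(txs, wallet, block):
    """Every transfer touching `wallet` strictly before `block`."""
    return [t for t in txs if t.block < block and wallet in (t.sender, t.recipient)]


def hub_seeded(txs, wallet, event_block):
    """Paper-1-style seeding check (simplified): if the wallet's entire history
    before `event_block` is exactly one inbound funding transfer, return the
    address that funded it; otherwise return None."""
    hist = history_before(txs, wallet, event_block)
    if len(hist) == 1 and hist[0].recipient == wallet:
        return hist[0].sender
    return None


def shared_provenance_clusters(txs, window_blocks, min_size):
    """Paper-3-style provenance check (simplified): for each upstream funder,
    find the largest set of wallets it first-funded within `window_blocks` of
    one another and report it if it has at least `min_size` members.
    Returns a list of (funder, sorted wallet list) pairs."""
    by_funder = defaultdict(list)
    for wallet, tx in first_inbound(txs).items():
        by_funder[tx.sender].append((tx.block, wallet))

    clusters = []
    for funder, fundings in by_funder.items():
        fundings.sort()
        best = []
        # Sliding window over funding blocks: widest group inside the window.
        for i in range(len(fundings)):
            j = i
            while j < len(fundings) and fundings[j][0] - fundings[i][0] <= window_blocks:
                j += 1
            if j - i > len(best):
                best = fundings[i:j]
        if len(best) >= min_size:
            clusters.append((funder, sorted(w for _, w in best)))
    return clusters


if __name__ == "__main__":
    # Triage the two outbound events in the sample ledger.
    for wallet, block in (("w1", 150), ("w_old", 160)):
        print(wallet, "seeded by:", hub_seeded(SAMPLE_TXS, wallet, block))
    # Look for wallets sharing an upstream funder within 50 blocks.
    print("clusters:", shared_provenance_clusters(SAMPLE_TXS, window_blocks=50, min_size=3))
```

On the constructed ledger, w1's only history before its outbound hop is the single funding transfer from hubA, so it matches the seeding pattern, while w_old, with prior DEX activity, does not; the provenance check returns hubA's three wallets as one cluster and ignores hubB, whose two fundings fall outside the window. In practice the window, the cluster threshold and the definition of "prior history" are the parameters an analyst would tune, and a match is evidence to classify as probable rather than confirmed until the downstream flow is verified.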
Methodology note
All three papers follow the same analytical discipline: findings are classified as confirmed (directly verifiable on-chain), probable (consistent with the evidence, alternative explanation possible), or unconfirmed (hypothesis requiring further data). No claims exceed what the transaction data directly supports.
Status
Published on Paragraph.com. Full series publicly accessible.