Publication Type

PhD Dissertation

Version

publishedVersion

Publication Date

4-2025

Abstract

The rise of cryptocurrency, particularly Bitcoin (BTC), has revolutionized the financial landscape, enabling decentralized, peer-to-peer transactions without the need for intermediaries such as banks or financial institutions. Since its inception in 2009, Bitcoin has grown exponentially, not only in terms of market value but also in its impact on global finance. However, together with this popularity comes a wide range of cybercrimes including hacking, Ponzi schemes, wash trading, extortion, and money laundering. As noted in recent research, the volume of illicit cryptocurrency activities has grown significantly, with billions of dollars in crypto assets being stolen or used for illegal purposes each year.

To better understand and counter these threats, we focus on four key properties (decentralization, fluidity, connectivity, and regularity) that collectively shape how assets flow and how illicit behaviors manifest in the Bitcoin network. Each property provides a unique analytical lens: decentralization captures asset control distribution; fluidity reveals transaction dynamics; connectivity uncovers structural patterns among addresses; and regularity enables interpretable profiling of behavior over time. This thesis introduces a complete framework that systematically addresses each of these dimensions to support early-stage, scalable, and interpretable fraud detection.

In particular, we proposed an analysis framework covering four critical properties (decentralization, fluidity, connectivity, and regularity) to guide the analysis. Firstly, by constructing a full-history dataset that spans over 15 years of Bitcoin transactions, we offer new insights into the decentralization of the Bitcoin transaction network. These insights allow us to measure and quantify the degree of decentralization in Bitcoin from a financial asset perspective, shedding light on how control over Bitcoin assets is distributed and how it has evolved over time. Through this analysis, we can better understand the implications of Bitcoin’s network structure on its overall financial stability and transparency.

In the analysis of fluidity, our objective is to profile dynamic BTC transactions. We propose the asset transfer path to profile both the structure and the value of different transaction patterns. We then examine real-world scenarios to justify the utility of the asset transfer path. Traditional approaches to detecting fraud and malicious behavior in cryptocurrency networks often rely on comprehensive historical transaction data and full address networks. These methods are typically retrospective in nature, meaning they can only detect malicious behavior after it has fully manifested, which limits their effectiveness in stopping fraud early. Additionally, many existing detection models depend on the availability of complete transaction networks, which are not always available, especially in the early stages of fraudulent activity. In rapidly evolving and often sparse early-stage transaction networks, these methods struggle to provide timely and accurate results. Furthermore, many traditional models are designed around specific types of fraudulent behavior, making them less adaptable to new and emerging forms of attacks.

We introduce a novel approach, Evolve Path Tracer, to address these limitations by focusing on the early detection of malicious cryptocurrency addresses. The Evolve Path Tracer is designed to operate effectively in fast-evolving, incomplete networks, where traditional methods falter. By tracing asset transfer paths and encoding dynamic transaction patterns into graph-based structures, our model can detect suspicious activities before they fully manifest in the network. This is achieved through a combination of innovative techniques in asset path encoding and graph neural networks, allowing the model to capture complex transaction flows even in sparse networks. By focusing on early-stage detection, Evolve Path Tracer offers a proactive solution that can prevent malicious addresses from gaining a foothold in the network.

The links between different addresses can be used to profile the connectivity of the entire network. Following this idea, we combine connectivity analysis with malicious address detection. Most existing detection models focus only on the target address and overlook sibling addresses that are often controlled by the same malicious actor. These sibling addresses frequently share critical segments of asset transfer paths, which carry significant informational value. The inability to detect and issue early warnings for these related addresses greatly limits the practical effectiveness of such models in real-world applications. Considering this limitation, we first proposed a node clustering model on several general network datasets to detect node communities based on the network structure. Following a similar idea, we proposed the Clustering-based Path Selector module to find possible sibling accounts for the target address. Path Selector assigns a weight to each asset transfer path to alleviate the computation cost of data preparation and remove noise introduced by irrelevant paths.

Many malicious behaviors on cryptocurrency platforms are packaged as commercial projects to lure victims into investing. Regularity analysis is thus important to the health of the whole ecosystem. To better reflect the regularity of these actions, investors must be able to obtain an explanation of the investigation in order to tell genuinely credible projects from fraudulent ones. However, most current detection methods offer little insight into the model’s predictions. In particular, most models tend to improve recall for better safety, which works appropriately for surveillance departments. However, this may increase the risk of missing investment opportunities for ordinary investors. From the perspectives of regulators and investors, model interpretability offers a deeper understanding of the underlying intention behind malicious behaviors, which is crucial for correctly assessing and identifying malicious behaviors.

Intention Monitor upgrades Evolve Path Tracer by introducing a new layer of interpretability and action prediction. While detecting malicious activities is crucial, understanding the intention behind these activities provides deeper insights into fraudulent behaviors. The Intention Monitor utilizes asset transfer paths and a Status/Action Proposal Module (S/A-PM) to dynamically propose statuses and actions based on address behavior. By analyzing the segmented observation periods, the model can identify patterns of actions and statuses that correspond to illicit activities. The Intention-VAE module further enhances this by generating hidden intent-snippet embeddings, which capture and predict the latent intentions driving malicious behaviors. This allows the model to not only detect fraud early but also anticipate future malicious actions based on observed transaction patterns, providing a more holistic view of the potential risks associated with particular addresses.

Additionally, this thesis addresses key limitations found in current detection methods. As a result, our fundamental analysis and corresponding sophisticated models together offer a robust framework for early fraud detection, enhancing not only the accuracy of detection but also the interpretability of model predictions. This combined approach allows us to anticipate and mitigate emerging threats in an ever-evolving landscape of cybercrime, ensuring the security and resilience of cryptocurrency networks.

Keywords

Cryptocurrency, Bitcoin, Transaction Network, On-chain Analysis, Early Malice Detection

Degree Awarded

PhD in Computer Science

Discipline

OS and Networks

Supervisor(s)

ZHU, Feida

First Page

1

Last Page

165

Publisher

Singapore Management University

City or Country

Singapore

Copyright Owner and License

Author
