Of Degens and Defrauders: Using Open-Source Investigative Tools to Investigate Decentralized Finance Frauds and Money Laundering

Fraud across the decentralized finance (DeFi) ecosystem is growing, with victims losing billions to DeFi scams every year. However, there is a disconnect between the reported value of these scams and associated legal prosecutions. We use open-source investigative tools to (1) investigate potential frauds involving Ethereum tokens using on-chain data and token smart contract analysis, and (2) investigate the ways proceeds from these scams were subsequently laundered. The analysis enabled us to (1) uncover transaction-based evidence of several rug pull and pump-and-dump schemes, and (2) identify their perpetrators' money laundering tactics and cash-out methods. The rug pulls were less sophisticated than anticipated; money laundering techniques were also rudimentary, and many funds ended up at centralized exchanges. This study demonstrates how open-source investigative tools can extract transaction-based evidence that could be used in a court of law to prosecute DeFi frauds, and shows how the proceeds of such frauds are subsequently laundered.


Introduction
Decentralized finance (DeFi) refers to a system of financial products and services created by smart contracts on blockchains like Ethereum. Fraud across the DeFi ecosystem is a growing concern, with victims losing an estimated $7.8 billion in cryptocurrency in 2021 to various types of DeFi scams. DeFi-based money laundering from cybercrimes also increased by an estimated 1,964% from 2020 to 2021 (Chainalysis, 2022). Despite this reported growth, associated enforcement actions remain minimal, with only 50 cases having been completed specifically involving DeFi tokens in the United States as of the end of November 2022 (Blockchain Association, 2022); many of these involved Initial Coin Offering (ICO) scams completed prior to DeFi's more widespread adoption. While responsibility for DeFi's oversight remains disputed among enforcement agencies, so far, the U.S. Securities and Exchange Commission (SEC) has asserted its authority and argued in many cases that DeFi tokens constitute securities (see (Securities and Exchange Commission v. LBRY, 7 November 2022)).
Existing literature (Wang et al., 2021b;Hu et al., 2021;Fan et al., 2021;Xia et al., 2021;Mazorra et al., 2022) focuses on detecting various categories of DeFi-based securities violations, such as Ponzi schemes and rug pulls (a type of exit scam). However, all of these studies except that by Xia et al. (2021) primarily present results at an aggregate level (and even Xia et al. (2021) only explore such violations on a single platform). While this is useful to characterize the landscape of DeFi fraud, and the extent to which these scams are detectable, there is a disconnect between the scale of the frauds these papers detail and prosecutions which address them.
Our research therefore focuses on using open-source investigative tools to extract evidence of Ethereum-based DeFi frauds that could be used in prosecuting them. We use these tools to (1) investigate potential frauds using on-chain data and token smart contract analysis, and (2) investigate the ways that proceeds from these scams were ultimately laundered. We extract transaction-based evidence which could potentially be used in a court of law. The on-chain evidence we extract also offers insight into how DeFi frauds are committed on Ethereum. In addition to determining how the frauds were executed, we also investigate how the proceeds of these schemes were subsequently laundered.
Our research questions are the following: This study makes the following contributions to research on this topic: We demonstrate how open-source investigative tools can be used to extract transaction-based evidence of Ethereum-based frauds that could be used in a court of law to prosecute such scams. In addition to determining how the Ethereum-based DeFi frauds were carried out, we investigate how these funds are subsequently laundered. Finally, we conduct these on-chain investigations more systematically, providing a blueprint for investigators or researchers to use open-source investigative tools to conduct granular DeFi fraud investigations.
Against this background, this article begins with an overview of Ethereum and DeFi (footnote 1), followed by an exploration of DeFi fraud and money laundering. We then discuss prior work on detecting DeFi fraud, with an emphasis on rug pulls (a commonly-committed DeFi fraud). We then outline our investigative methods, present the results of our investigations, and discuss our findings and their wider implications.

Introduction to ethereum and decentralized finance
In 2008, a pseudonymous developer going by the name Satoshi Nakamoto envisioned a novel financial system, whereby participants could transact with one another in a peer-to-peer manner, rather than through a centralized authority (Nakamoto, 2008). Transactions would be recorded in a distributed ledger (called a blockchain) through an innovative combination of existing cryptographic primitives (Narayanan, 2018). In 2014, a group of developers extended this idea, creating a blockchain-based system of applications that could carry out financial (and other) functions, called Ethereum (Buterin, 2022).
Unlike Bitcoin, whose ledger tracks so-called Unspent Transaction Outputs rather than per-address balances, Ethereum addresses store account information such as balances as well as the code of smart contracts. Smart contracts are computer programs that carry out certain actions upon fulfilment of certain conditions specified within them. There are two types of Ethereum accounts: externally owned accounts (which the owner's private key controls) and contract accounts (which the smart contract code controls) (Buterin, 2022).

Ethereum transactions
Ethereum transactions are essentially cryptographically signed data packages sent from an externally owned account to a recipient, and contain the signature of the sender, the value to be transferred, and a value known as the "gas fee" for the transaction. In Ethereum, users must pay these gas fees to reflect the computational power required to execute the transaction. The fees are paid in Ethereum's native cryptocurrency, Ether (ETH), which powers the Ethereum ecosystem. This is another difference between Ethereum and Bitcoin: rather than being a store of value like Bitcoin, ETH is "fuel" for the system (Buterin, 2022). Fig. 1 depicts the process of executing an Ethereum transaction (Ethereum.org, 2023).
At the time of our research Ethereum used proof-of-work (PoW), like Bitcoin, as the consensus mechanism for executing these transactions. Ethereum moved to proof-of-stake (PoS), an alternative consensus mechanism, in September 2022 (Ethereum.org, 2022). In contrast to PoW, wherein miners execute transactions and secure the network by competing to solve computationally hard puzzles, PoS requires would-be validators to lock ETH as collateral; validators who do so are chosen at random to execute transactions and create blocks.

Ethereum applications
Applications are a key part of the Ethereum ecosystem and the primary characteristic differentiating Ethereum from Bitcoin. The Ethereum Virtual Machine (EVM) uses a stack-based bytecode programming language to execute these applications (Buterin, 2022). Smart contract code for Ethereum applications is written in a programming language called Solidity and then compiled into the bytecode. The bytecode executes various operational codes (opcodes), which provide computational instructions to the EVM (Wood, 2022;Cai et al., 2018).
Ethereum has three primary types of applications: financial applications, semi-financial applications, and non-financial applications (Buterin, 2022). In this paper, we focus on the financial applications. "Decentralized Finance," or "DeFi" for short, is one category of financial applications built on Ethereum (though, of course, DeFi also exists on other blockchains). DeFi is a system of smart contract-enabled financial products and services like currency exchange, loans, and derivatives, which are built and delivered in an open-source, permissionless, and decentralized way with smart contracts. At all times, users retain custody of their own funds (Schär, 2021). For a full introduction to Ethereum-based DeFi and its current, primary product offerings, see (Trozze et al., 2021).
Tokens are a key part of the Ethereum ecosystem. These include "sub-currencies" and utility tokens (Buterin, 2022). Colloquially and collectively, these are called "altcoins". Many Ethereum-based DeFi projects have associated governance or utility tokens which follow the ERC-20 standard. The ERC-20 token standard specifies various characteristics which developers must define for tokens to ensure their interoperability with the Ethereum ecosystem. Governance tokens (e.g., the UNI token for the Uniswap decentralized exchange) allow participants to vote on the future of projects and project treasury allocation. The process for creating ERC-20 tokens is shown in Fig. 2, steps 1-4 (Bachini, 2021). For full details on Ethereum and the ERC-20 standard, see (Wood, 2022) and (Pomerantz, Ori, 2021), respectively.

DeFi fraud and money laundering
Empirical research has chronicled various types of fraud across DeFi, including market manipulation (Hamrick et al., 2021;Mazorra et al., 2022;Qin et al., 2021;Victor and Weintraud, 2021;Wang et al., 2021a), fraudulent investment schemes (Xia et al., 2021;Mazorra et al., 2022), and exit scams (called "rug pulls") (Xia et al., 2021;Mazorra et al., 2022). Xia et al. (2021) describe a typical rug pull scam. A scammer creates a token and provides liquidity on Uniswap to trade this token with a popular cryptocurrency. They use social media and advertisements, often on Telegram, to find victims. Then, the scammer removes all tokens from the liquidity pool, leaving the victims holding the now-defunct token. They note that rug pulls are often combined with pump-and-dump schemes, whereby scammers manipulate the price of their token before they sell (which then crashes the price). Rug pulls are one of the most costly types of securities fraud across DeFi overall, with victims losing $2.8 billion (of the total $7.8 billion lost to DeFi scams) in 2021 to rug pulls (Chainalysis, 2022). Specific aspects of the DeFi ecosystem facilitate these frauds, like price oracles (Gudgeon et al., 2020;Schär, 2021) and flash loans (Caldarelli and Ellul, 2021;Gudgeon et al., 2020;Qin et al., 2021;Wang et al., 2021a;Xu et al., 2022). Further definitions of these types of fraud can be found in (Kamps et al., 2022).

Footnote 1: In this research, we focus only on Ethereum-based DeFi, though we acknowledge that DeFi applications exist on manifold blockchains. In this article, where we refer to DeFi, we mean Ethereum-based DeFi.

A. Trozze, T. Davies and B. Kleinberg, Forensic Science International: Digital Investigation 46 (2023) 301575
There is sparse peer-reviewed research on the use of DeFi specifically in money laundering, though private companies like Chainalysis have reported on its use (Chainalysis, 2022). Their 2022 Crypto Crime Report estimates that addresses they have tagged as "illicit" sent $900 million to DeFi protocols in 2021. Furthermore, they allege that North Korean hackers are using DeFi on various blockchains and mixers to launder the proceeds of their DeFi hacks and highlight an example of an unspecified attacker using blockchain bridges and mixers like Tornado Cash to launder the proceeds of another hack (Chainalysis, 2022). Blockchain bridges allow users to move cryptocurrencies from one blockchain to another, for example, from the Ethereum blockchain to the Polygon blockchain (McCorry et al., 2021). Most commonly, bridges utilize smart contracts: a user sends the tokens they wish to "bridge" to the smart contract on the originating blockchain. These tokens are locked in that smart contract; a smart contract on the destination blockchain then mints equivalent tokens, which the user can use on that blockchain (Belchior et al., 2021). A visual representation of this process can be found in Fig. 3.
Mixers are a type of privacy-preserving technology and have been used to launder proceeds of crime (Akartuna et al., 2022). Tornado Cash, one of the most popular Ethereum smart contract mixers, is the most relevant for our purposes (Béres et al., 2021). Users send funds to the Tornado Cash smart contract and, in turn, generate a cryptographic note. When they want to withdraw their funds, they use this deposit note and a zero-knowledge proof (which allows one to prove knowledge of something without revealing the thing itself) to prove the deposit is theirs (Chainalysis Team, 2022;Wade et al., 2022).
A relayer service further ensures anonymity. Relayers are a decentralized network of users who manage mixer withdrawals from the Tornado Cash smart contract: they pay the gas fees required to conduct the withdrawal transactions (and also deduct a fee for themselves from the withdrawal itself). This inhibits linkages being made between the deposit and withdrawal accounts because the recipient is not the one paying the withdrawal gas fee (Chainalysis Team, 2022). A visualization of the Tornado Cash mixing process is in Fig. 3(c).
While these figures and case studies are a useful starting point for understanding the DeFi-based money laundering more generally, we note that Chainalysis research is (a) not peer-reviewed, and (b) published primarily for marketing purposes.
Despite the absence of DeFi-specific money laundering research, academic work has long discussed the use of cryptocurrencies more broadly for money laundering. In general, cryptocurrency money laundering fits into the traditional money laundering stages of placement, layering, and integration (Desmond et al., 2019); however, the placement process is only relevant in cases where a criminal is seeking to launder proceeds of non-cryptocurrency-native offenses (as, otherwise, the funds are already present in the cryptocurrency ecosystem). The layering process, where criminals attempt to hide the path their cryptocurrencies take (Albrecht et al., 2019), employs various devices including:
(1) Peel chains, meaning creating various addresses to which the criminal transfers smaller amounts of cryptocurrencies (Tsuchiya and Hiramoto, 2021;Pelker et al., 2021).
(2) Mixers (Akartuna et al., 2022;Durrant and Natarajan, 2019), such as Tornado Cash, as discussed above.
(3) Exchanging cryptocurrencies for other cryptocurrencies and moving existing cryptocurrencies to other blockchains ("chain-hopping"), generally through numerous, quickly-executed transactions (Raza and Raza, 2021;Pelker et al., 2021;Durrant and Natarajan, 2019). Chain-hopping requires the use of blockchain bridges, as described above.
(4) Privacy coins and blockchains (Raza and Raza, 2021;Durrant and Natarajan, 2019;Akartuna et al., 2022), such as Monero. Monero utilizes several measures to enhance the anonymity of its users and their transactions. It uses "ring signatures" to hide transactions' origins: the true input is combined with decoy outputs taken from previous transactions, and each decoy, along with the single-use key generated for the transaction, looks equally likely to an outside observer to be the true sender. Monero also employs "RingCT", which hides transaction amounts, and single-use recipient addresses called "stealth addresses" (Monero, a,b,c).
(5) Gambling services (Fanusie and Robinson, 2018), which commingle tainted funds with other customers' funds.

Fig. 2. Schematic diagram of the process of creating an ERC-20 token and carrying out a rug pull/pump-and-dump scheme. 1. Write the ERC-20 token contract in Solidity, using the OpenZeppelin library. 2. Use the Solidity compiler to compile the code so it can be executed by the EVM. 3. Deploy the contract to the Ethereum blockchain (in this case, the Goerli test network). 4. Mint new tokens and send them to a specific address. 5. Initiate trading for the new token on Uniswap. 6. Add liquidity to enable trading between ETH and the ABC token. 7. Swap newly minted ABC tokens for ETH to "pump the price" and then back again (for a profit). 8. Remove liquidity from Uniswap to halt trading of the ABC token.
We depict these money laundering techniques visually in Fig. 3.
Finally, the criminal completes the integration process, which entails using the funds for non-nefarious purposes and commingling them with other funds which are not proceeds of crime (Albrecht et al., 2019;Durrant and Natarajan, 2019). This could involve converting the proceeds of crime into government-issued fiat currencies or conducting further cryptocurrency investment activities (Durrant and Natarajan, 2019).

Detecting DeFi fraud
There is limited literature devoted to using computational methods to detect fraud or other illicit activity in DeFi on Ethereum specifically. The existing work uses various machine learning algorithms to detect smart contract Ponzi schemes on Ethereum, including long short-term memory neural networks (Wang et al., 2021b; Hu et al., 2021) and an "anti-leakage" ordered boosting model (Fan et al., 2021). Two other studies (Xia et al., 2021;Mazorra et al., 2022) also use machine learning models to detect scam tokens on the Uniswap decentralized exchange.

Rug pulls
As discussed above, rug pulls are a type of exit scam. The perpetrator creates a token and then adds liquidity on a decentralized exchange to enable users to trade this new token with another, existing cryptocurrency (most commonly a reputable one such as ETH) (Xia et al., 2021). Uniswap is one of the most popular decentralized exchanges and anyone can add token trading pairs to it (and, unfortunately, many that are added end up being rug pulls) (CoinGecko, 2023). The scammer then recruits victims, often on social media or messaging apps like Telegram, convincing them to buy the token. Scammers employ various tactics at this point (described below), but, ultimately, the result of their actions is that victims are left holding a worthless token they are unable to trade (Xia et al., 2021). See Fig. 2 for more details on the rug pull execution process. Xia et al. (2021) find more than 10,920 rug pull scams on the Uniswap decentralized exchange (about 50% of the listed tokens at the time) with profits of at least $16 million (though they provide limited detail as to how they calculate this profit). They highlight the prevalence of so-called "collusion addresses" in coordination with scam creators and the existence of token smart contract backdoors which further perpetrators' profits. The study identifies 39,762 "potential victims" of these scams.
Their ground truth comes from manually selected phishing tokens and tokens labelled as scams on the Ethereum blockchain explorer Etherscan. The authors subsequently use guilt-by-association heuristics to expand their data set. They build classifiers (a random forest model performed best) including temporal, transaction, investor, and Uniswap-based features. Xia et al. (2021) describe a typical rug pull scam, citing the RADIX token as an example of this tactic. However, the authors are not systematic in conducting the analyses which led to this conclusion (beyond the use of their machine learning classifier). Mazorra et al. (2022) build on Xia et al.'s (2021) work, adding 16,037 more tokens to their Uniswap scam token data set. They also develop machine learning models with smart contract and investor distribution features, which they assert allows them to preemptively detect rug pulls. They further advance Xia et al.'s work by systematizing profit calculations for these schemes. Mazorra et al. (2022) claim to manually analyze the data from their classifier to develop typologies of rug pull scams on Uniswap. However, they do not offer details on how they conduct this analysis, nor do they indicate that it was conducted systematically. They identify three rug pull typologies:
(1) Simple rug pulls, in which the developer simply removes liquidity from Uniswap (Mazorra et al., 2022) (akin to a "fast rug pull" as identified by Mackenzie (2022)).
(2) Sell rug pulls, whereby a scammer creates a token and adds a portion of liquidity to the Uniswap protocol. Victims begin participating in the scam, swapping their legitimate tokens for the scam one. At some point, the fraudster swaps the remaining supply of the token for the legitimate token paired with it in the Uniswap liquidity pool. In some cases, the scammer can also recover their original liquidity (Mazorra et al., 2022). This type of rug pull is slightly harder to identify, and to calculate profits of, than simple ones. Mackenzie (2022) refers to this as a "slow rug pull" and highlights the psychological manipulation tactics scammers may use to further their scam, such as reassuring investors on Telegram or Discord and encouraging them to purchase more tokens at the now lower price.
(3) Smart contract trapdoor rug pulls, which embed attack vectors in the token smart contract code. These are the most difficult to identify and prevent (Mazorra et al., 2022). There are several such functions that can be coded into smart contracts, such as automatically charging investors to swap their tokens (advance fee tokens) and prohibiting holders from selling the tokens (Xia et al., 2021). Mazorra et al. (2022) use a tool called Slither to identify such issues in smart contract code, which we also utilize in this study.

Method
We conducted detailed, manual investigations of five ERC-20 tokens using open-source investigative tools to extract evidence of fraudulent activity and uncover subsequent money laundering tactics. From on-chain data, we identified patterns in DeFi fraud and money laundering offending. We show our full investigative process in Fig. 4.
We chose to investigate five tokens based on the level of granularity with which we planned to conduct our investigations. For each token, we manually inspected at least hundreds (and, in some cases, thousands) of individual transactions and the components thereof, as well as the addresses that conducted them (alongside their transactions, which were, again, generally quite numerous) to trace the scheme and associated money laundering. For reference, a full-scale securities fraud investigation, carried out by a team of investigators, tends to take several months or even years (U.S. Securities and Exchange Commission, 2014).

On-chain investigations
Following (Dyson et al., 2020), we began our investigation with Etherscan. Etherscan has both a web-based version and a publicly-available API. For each contract, Etherscan displays various information from the Ethereum blockchain, including the contract creator, contract balance, ERC-20 token transactions, and contract events, among other information. It also provides analytic information, for example, regarding the contract's highest and lowest balances, and any comments from the community. On the token page (reachable from the contract page), Etherscan shows the price, fully diluted market cap, maximum total supply, transfers, current holders, decentralized exchange trades, and contract source code in Solidity. The page also displays any token reputation tags submitted by the Ethereum community and analytic information on the amount of money in the contract, the number of unique senders and receivers, and the number of token transfers. For further details on the information Etherscan and its API provide and the usefulness of this information for blockchain forensic investigations, see (Dyson et al., 2020). In Appendix A, Figure A.8, we show the token page and the contract page for the UNI token.
For the purposes of our investigation into potential fraudulent activity, we were concerned with the ERC-20 token transfers. We manually examined each transaction, noting its actions and the addresses involved to develop a picture of the scheme. We conducted our analysis in two parts: (1) investigating the scheme itself, (2) tracking the money laundering process.

Fraud investigation
In the first step of the analysis phase of our investigations, we were primarily concerned with the occurrence of token events, namely events like adding liquidity, token transfers, and exchanges to and from ETH, as well as price fluctuations as these events took place. We examined each transaction involving the token in question in detail.
At this stage, we also identified potential victims of the scam based on which token holders were unable to exchange their ERC-20 tokens for ETH or another reputable cryptocurrency before the end of the scam. We note that addresses that generally held many non-reputable ERC-20 tokens could, in fact, have created various other scam tokens (Xia et al. (2021) found that 24% of scammer addresses were repeat offenders) or may not, in fact, be victims at all, but rather active participants seeking high returns in exchange for participating in a high-risk investment. These types of traders are called "degens" in the cryptocurrency community, which is short for the phrase "Decentralized Finance Degenerates" (Nabben, 2023). Finally, when the perpetrator of a scam removes liquidity for an ERC-20 token on a decentralized exchange, they receive both the remaining ERC-20 token and the token with which it is paired (usually ETH). Therefore, while they are also "stuck" holding the worthless ERC-20 token, they are, of course, not victims.
Following (Mazorra et al., 2022), we used Slither (Feist et al., 2019) to identify potential smart contract trapdoors among the tokens we analyzed. Slither is "a Solidity static analysis framework". Since the original paper detailing Slither was published, the package has grown to 80 different detectors, including vulnerability, informational, and optimization detectors; the vulnerability detectors cover, among other issues, re-entrancy and contract name reuse (Crytic, 2022).
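As an added, runnable illustration (not part of the original study), the following Python script reconstructs one token's trading history from a constructed list of Uniswap-style liquidity and swap events and applies the heuristics described in this section and under "Money laundering investigation" below: it derives the execution price of every swap, treats the contract creator, the initial liquidity provider and the main recipient of removed liquidity as scammer-controlled, flags sellers who exited at the peak price, and separates holders still "stuck" with the token from those who exited. All addresses, block numbers and amounts are constructed for illustration and correspond to no real token.

```python
"""Added example: reconstruct a token/ETH pool's history from constructed
events and apply the victim / scammer-address heuristics from the text.
Nothing here refers to a real token, address or transaction."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    block: int
    kind: str      # "add" / "remove" liquidity, "buy" / "sell" the token
    address: str   # liquidity provider or recipient, or the trader
    eth: float     # ETH leg of the event
    tokens: float  # token leg of the event


# Constructed trading history of a hypothetical token (not real data).
CREATOR = "0xdeployer"
EVENTS = [
    Event(100, "add", "0xdeployer", 5.0, 1_000_000),   # initial liquidity
    Event(101, "buy", "0xwallet2", 1.0, 150_000),       # early buyer
    Event(102, "buy", "0xvictim1", 2.0, 200_000),
    Event(103, "buy", "0xvictim2", 3.0, 150_000),
    Event(103, "buy", "0xdegen", 1.0, 50_000),
    Event(104, "sell", "0xwallet2", 4.0, 150_000),      # sells at the top
    Event(105, "sell", "0xdegen", 1.2, 50_000),
    Event(106, "remove", "0xdeployer", 6.8, 650_000),   # the rug pull
]


def price_series(events):
    """Execution price (ETH per token) of every swap, in block order."""
    return [(e.block, e.eth / e.tokens, e.kind, e.address)
            for e in sorted(events, key=lambda e: e.block)
            if e.kind in ("buy", "sell")]


def investigate(creator, events):
    swaps = [e for e in events if e.kind in ("buy", "sell")]
    adds = [e for e in events if e.kind == "add"]
    removes = [e for e in events if e.kind == "remove"]

    # Heuristic 1: the creator, the initial liquidity provider and the
    # address receiving most of the removed liquidity are scammer-controlled.
    scammer = {creator}
    if adds:
        scammer.add(min(adds, key=lambda e: e.block).address)
    if removes:
        removed = defaultdict(float)
        for e in removes:
            removed[e.address] += e.eth
        scammer.add(max(removed, key=removed.get))

    # Net token and ETH position of every address across swaps and liquidity.
    tokens, net_eth = defaultdict(float), defaultdict(float)
    for e in swaps:
        sign = 1 if e.kind == "buy" else -1
        tokens[e.address] += sign * e.tokens
        net_eth[e.address] -= sign * e.eth
    for e in adds:
        net_eth[e.address] -= e.eth
    for e in removes:
        net_eth[e.address] += e.eth

    # Heuristic 2: whoever sold at the peak price timed the pump perfectly
    # (a lucky participant is possible, so this is a lead, not proof).
    sells = [p for p in price_series(events) if p[2] == "sell"]
    peak = max(p[1] for p in sells) if sells else 0.0
    peak_sellers = {p[3] for p in sells if p[1] == peak}

    # Victims: traders still holding the token once trading ended, excluding
    # scammer-controlled addresses. A positive net ETH position despite
    # leftover tokens would indicate a "degen" who still came out ahead.
    victims = {a for a, t in tokens.items() if t > 0 and a not in scammer}
    exited = {a for a, t in tokens.items() if t <= 0 and a not in scammer}
    return {
        "scammer": scammer,
        "peak_sellers": peak_sellers,
        "victims": victims,
        "exited": exited,
        "net_eth": dict(net_eth),
        "peak_price": peak,
    }


if __name__ == "__main__":
    for key, value in investigate(CREATOR, EVENTS).items():
        print(key, value)
```

On the constructed data the deployer is the only address flagged by all three scammer heuristics, the early buyer is the sole peak seller with a net gain of 3 ETH, and the two addresses still holding tokens after liquidity was removed are the candidate victims. Real event data would come from the token's Transfer logs and the pair's Mint, Burn and Swap events on Etherscan; the "buy"/"sell" classification is then derived from the direction of the token transfer relative to the pair address.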

Money laundering investigation
The final step of our analysis involved "following the money" to identify where funds exchanged for ETH from the tokens analyzed in our fraud investigation ended up and the path they travelled, a process known as "tracing" (Pelker et al., 2021;Dyson et al., 2020). This required us to use various heuristics to identify addresses likely to be associated with the scammer. We assumed the contract creator (and any wallets that funded the address that created the contract) were associated with the fraudster because only the perpetrator or someone colluding with them could have created the fraudulent token. The address which provided the initial liquidity for the token to a decentralized exchange and the address to which the majority of the liquidity was ultimately removed from said exchange (if applicable) are scammer-controlled for the same reason. Finally, in some cases, addresses that managed to exchange the scam token for ETH at the token's highest value could be associated with the scammer, though they could also simply be lucky participants in the scam (because the coordinator of the scheme to "pump" the price of their token would be the only party able to perfectly time the highest value of the token (Kamps and Kleinberg, 2018)). Furthermore, these addresses may show a spike in their value at the time of or immediately following the scam; unless a scam was particularly poorly executed, it is likely the perpetrators themselves would extract the most profit from it. We focused our attention on addresses which received the highest value of funds from the scheme for this reason.
We note that Xia et al. (2021) describe similar heuristics for what they term "collusion addresses", including those who add initial liquidity on Uniswap, those to whom liquidity was removed on Uniswap, those who exchange tokens for the scam tokens, and those who exchange the scam tokens for legitimate ones. However, we note that only those addresses falling into the first two categories are undoubtedly scammers, which is why we provide further specificity in the heuristics detailed above. While those who are simply exchanging tokens may be engaging in wash trading (which Victor and Weintraud (2021) suspect may be an issue on decentralized exchanges like Uniswap), we are unable to verify this.
For the money laundering portion of our analysis, we also utilized Breadcrumbs, a blockchain visualization tool (footnote 2). Breadcrumbs' Investigation Tool is an open tool that generates visual representations of the flow of funds to and from cryptocurrency addresses. We note that using an openly available tool like Breadcrumbs allays the concerns of Pelker et al. (2021) about the potential (though not "insurmountable") litigation risks of using certain popular subscription-based blockchain analytics tools that "incorporate sensitive or proprietary techniques that cannot be readily presented in open court". Breadcrumbs shows the originating and destination addresses for funds, amounts sent, balances, and other information for each address. For very active addresses, we focused our attention on shorter periods immediately after the scam period, when scammers would be most likely to move the proceeds of their crimes. Finally, we would expect criminal addresses to cease activity after they laundered their funds; therefore, addresses that are still active are less likely to be associated with the scammers. However, those that are inactive are not necessarily scammers; they may just not be participating in trading due to market conditions or for other reasons.
Using the Breadcrumbs tool, we followed the flow of funds across various addresses until they reached either (a) an address tagged as a centralized exchange, or (b) a mixer like Tornado Cash. Once funds reach these destinations, we are unable to trace them further (though, in the case of centralized exchanges, law enforcement intervention could elicit further information, as many centralized exchange services require customers to submit Know Your Customer information upon registration) (Dyson et al., 2020) (footnote 3). We note that Etherscan also indicates when wallet addresses also appear on blockchain explorers for other blockchains. This could even be the case for the tokens themselves. However, for the purpose of this study, we only examine activity on the Ethereum blockchain. It would be useful for future research to explore automated detection and subsequent manual investigation of DeFi tokens on other blockchains, particularly given that so-called "chain-hopping" is a well-known cryptocurrency money laundering method (Pelker et al., 2021).
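As an added, runnable illustration of the tracing step (not part of the original study and not Breadcrumbs' own code), the Python script below follows ETH outflows from a scammer-controlled address across a constructed transfer graph, stopping at addresses carrying a community tag for a centralized exchange or a mixer, and separately lists how the scammer address was funded and when each address was last active. All addresses, tags and transfers are constructed for illustration; the tag names mimic what a block explorer would display but refer to no real entity.

```python
"""Added example: forward tracing of proceeds to tagged terminal addresses,
plus the funding-source and last-activity checks from the text.
All data is constructed; no real address or exchange is referenced."""
from collections import defaultdict, deque


# Constructed ETH transfers: (block, from, to, amount_eth).
TRANSFERS = [
    (90, "0xcex_deposit_hot", "0xdeployer", 0.5),    # funding before the scam
    (106, "0xdeployer", "0xhop1", 6.0),              # proceeds leave the deployer
    (107, "0xhop1", "0xhop2", 3.9),                  # split: a short peel chain
    (107, "0xhop1", "0xhop3", 2.0),
    (108, "0xhop2", "0xtornado_1eth", 1.0),          # two fixed-size deposits
    (108, "0xhop2", "0xtornado_1eth", 1.0),
    (109, "0xhop2", "0xexchange_a", 1.8),
    (110, "0xhop3", "0xexchange_b", 1.95),
    (300, "0xexchange_a", "0xunrelated", 12.0),      # exchange keeps operating
]

# Community tags as an explorer would show them (constructed labels).
TAGS = {
    "0xexchange_a": "centralized exchange",
    "0xexchange_b": "centralized exchange",
    "0xtornado_1eth": "mixer",
    "0xcex_deposit_hot": "centralized exchange",
}


def trace(start_addresses, transfers, tags, after_block):
    """Breadth-first walk over outgoing transfers at or after `after_block`.

    Tagged addresses are terminal: an exchange hot wallet or a mixer pool
    mixes many users' funds, so continuing past them would taint unrelated
    parties. Returns (ETH per terminal address, list of paths)."""
    outgoing = defaultdict(list)
    for blk, src, dst, amt in transfers:
        if blk >= after_block:
            outgoing[src].append((blk, dst, amt))
    endpoints = defaultdict(float)
    paths = []
    queue = deque((a, [a]) for a in start_addresses)
    seen = set()
    while queue:
        addr, path = queue.popleft()
        if addr in seen:
            continue
        seen.add(addr)
        for blk, dst, amt in sorted(outgoing[addr]):
            if dst in tags:
                endpoints[dst] += amt
                paths.append((path + [dst], tags[dst], amt))
            else:
                queue.append((dst, path + [dst]))
    return dict(endpoints), paths


def funding_sources(address, transfers, tags, before_block):
    """Who funded `address` before the scam started, with any tag."""
    return [(blk, src, amt, tags.get(src, "untagged"))
            for blk, src, dst, amt in transfers
            if dst == address and blk < before_block]


def last_activity(address, transfers):
    """Block of the last transfer touching `address`, or None."""
    blocks = [blk for blk, src, dst, _ in transfers if address in (src, dst)]
    return max(blocks) if blocks else None


if __name__ == "__main__":
    endpoints, paths = trace({"0xdeployer"}, TRANSFERS, TAGS, after_block=106)
    for path, tag, amt in paths:
        print(" -> ".join(path), f"[{tag}]", amt, "ETH")
    print("totals at terminal addresses:", endpoints)
    print("funding:", funding_sources("0xdeployer", TRANSFERS, TAGS, 100))
    print("last activity of 0xhop2:", last_activity("0xhop2", TRANSFERS))
```

On the constructed graph, 2 ETH reaches the mixer pool as two equal deposits and 3.75 ETH reaches two exchange-tagged addresses; the walk deliberately does not continue from the exchange address to the later unrelated transfer. The gap between the 6 ETH that left the deployer and the 5.75 ETH at terminal addresses is what remained in the intermediate wallets (gas and dust), which is itself worth recording, since an intermediate wallet that stays inactive afterwards fits the pattern described in the text.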

Schemes
All of the five schemes we analyzed were rug pull scams that exhibited pump-and-dump behavior. All the scams had an "unknown" reputation according to Etherscan, indicating that these are as yet unreported. The general pattern of behavior is as follows (and is also depicted in Fig. 2):
1. The scammer creates a set number of tokens.
2. The scammer enables trading of the new token on Uniswap, creating and funding a liquidity pool for the token/ETH trading pair.
3. The scammer (through various addresses they likely control), or others they influence, buy the token on Uniswap using ETH, artificially inflating demand for the token and, therefore, its price.
4. The scammer (or other traders who manage to time the pump-and-dump scheme correctly) sell the token for ETH on Uniswap. This buying and selling pattern may occur in rapid succession several times.
5. The scammer removes liquidity from the Uniswap pool, either by using the "remove liquidity" function and sending the remaining funds to an address they control, or by swapping their remaining scam tokens into the pool for the ETH it holds.
Appendix B gives a practical overview of the investigative process for Token 1, including screenshots of the tools we used at various stages of our investigation. Table 1 highlights various characteristics of the (anonymized) scams we investigated. In terms of the other characteristics of the scams, it is harder to generalize amongst those investigated besides the overall pattern of behavior. The length of the scam ranged from 40 min to four days and the number of transfers of each of the tokens between 92 and 500. The percentage of remaining token holders (of all the unique addresses involved) varied between 23% and 83%.
We cannot calculate the profitability of the scams without knowing all of the addresses associated with the perpetrator; however, we estimate the minimum potential profitability, p, in the following equation, where R is the revenue earned, in ETH, S is the total ETH spent, and L is ETH liquidity for the token-ETH pool: We estimate the maximum potential profit, P, using the same variables, as: The ranges for potential profitability vary greatly among the schemes and suggest that some may not have been very profitable at all. Future research could investigate this further. Fig. 5 shows the change in the price of Token 5 throughout the scheme. The other tokens' prices showed a similar trend, with the exception of Token 4, which experienced several more peaks and troughs in its price throughout the life of the scam (depicted in Fig. 6). This is because there were more sales throughout the life of Token 4 interspersed with the buy orders, rather than a series of several buy orders followed by a series of several sell orders only (as was the case in some other schemes).

Smart contract analysis
Of the 24 high-impact vulnerabilities Slither detects, all tokens except Token 4 exhibited only a single class of vulnerability: re-entrancy.[4] However, we do not see any of the trapdoor rug pull vulnerabilities cited by Mazorra et al. (2022), such as the TransferFrom vulnerability.
We note that in some of the scams (Tokens 3 and 5) every transfer of the token to ETH seemed to automatically also add liquidity to the Uniswap pool. While this is not inherently malicious (and likely why Slither does not evaluate these fees), it seems unlikely these fees are advertised in advance. These tokens, therefore, appear to follow the pattern of "advance fee tokens" as described by Xia et al. (2021).

Money laundering
As discussed, we began our money laundering investigations with the addresses which created the scam tokens, added liquidity to Uniswap to trade them, and to which liquidity for the trades was ultimately removed. These are the only addresses we could be certain belonged to the scammer. We also examined how these scammer-controlled addresses (a) were funded, (b) sought to hide the trail of funds earned from the scam, and (c) cashed out to fiat currency after the scam (if applicable). Table 2 summarizes the money laundering schemes for each of the tokens analyzed. In all cases, the scammer's wallet was not active for very long (though this varied between a single day and just over a month), and generally did not have many transactions. All of the scammer wallets had some connection to addresses tagged by the community as various centralized exchanges, and received or sent amounts to them that would likely require them to provide KYC information. This is an avenue law enforcement would be able to follow.
The tactics these addresses used to launder funds ranged. In some schemes (Tokens 3 and 4), no specific laundering techniques appear to have been employed. In the case of Tokens 2 and 5, the scam wallet sent small amounts of ETH to various addresses they seemingly controlled in an attempt to obfuscate the trail of funds. Finally, one scheme (Token 1) used chain-hopping (sending tokens to another blockchain via the Synapse bridge) to hide the trail of their funds. Following the funds on other blockchains was outside of the scope of this study, so we instead examined some of the other addresses with which the scammer interacted in more detail. Fig. 7 depicts the money laundering activity related to Token 1. The wallet was initially funded by what we refer to as a "burner address", meaning an address created only for a discrete purpose, after which it becomes inactive. Burner addresses may suggest nefarious activity, but could also be used for legitimate purposes (such as privacy protection or for security when interacting with untested dApps or tokens that could have trapdoors in their code). This money was, in turn, funded by an active address that appears to have received money from a ByBit account. In the case of Token 1, while most funds went to this blockchain bridge, some money was sent to another burner address. This address sent funds to another burner address, which traded on Uniswap and also sent money to the mixer Tornado Cash. Still other funds went to another burner address, which, on the day of the Token 1 scam, sent 6.3 ETH to an active address (with 70,375 ETH in outgoings throughout its existence). These funds are unlikely to be the proceeds of the Token 1 scam due to their high value relative to the maximum potential profit from the Token 1 scam, but could potentially be from other fraudulent schemes. Some funds were then sent from this address to a gambling platform and two centralized exchanges, in amounts that would legally require them to hold KYC information about the scammer in many jurisdictions. This behavior also suggests the scammer may use gambling platforms to launder other funds.

Footnote 3: We also attempted to use K-Means clustering on the addresses involved in the schemes and any addresses with which they interacted to determine whether any of the addresses may be controlled by the same person. However, ultimately, this clustering split the addresses into two classes, (1) those who participated in the scheme, and (2) those that did not. We note that Mazorra et al. (2022) found as well that the addresses involved in the rug pulls they examined also evaded existing Ethereum address clustering techniques.

Footnote 4: Re-entrancy attacks exploit a smart contract vulnerability which allows an attacker to call a smart contract multiple times before the contract has finished executing and the state has been updated. An attacker could, for example, call a contract repeatedly to withdraw funds from it several times before the state is updated to reflect the fact that they have already withdrawn their funds (Crytic, 2018).

A. Trozze, T. Davies and B. Kleinberg, Forensic Science International: Digital Investigation 46 (2023) 301575
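The tracing procedure used throughout this section (follow outgoing funds hop by hop until they reach an address tagged as an exchange, mixer or bridge) and the "burner address" heuristic just described can both be written down as code. The Python below is an added example, not code from the paper and not the Breadcrumbs or Etherscan API: it runs over a constructed transfer list shaped like the Token 1 flow (scam wallet, bridge, chained burner addresses, a long-lived wallet, exchanges), with addresses, amounts, service tags and the burner thresholds all being assumptions. The one design point worth noting is the time filter: when the trace arrives at a long-lived wallet, only transfers at or after the arrival time are followed, so that wallet's earlier history is not mistaken for onward movement of the traced funds.

```python
"""Fund-flow tracing over a constructed Ethereum-style transfer list.

Added example, not code from the paper and not Breadcrumbs' or Etherscan's
API. Addresses, amounts, service tags and the burner thresholds are
assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

T0 = datetime(2022, 6, 1, 9, 0)


def at_hours(k):
    return T0 + timedelta(hours=k)


# Constructed transfers: (timestamp, sender, receiver, ETH). 0xACTIVE stands
# in for a long-lived, high-volume wallet; 0xBURNER* for single-purpose ones.
TXS = [
    (at_hours(-200), "0xWHALE", "0xACTIVE", 50.0),
    (at_hours(-150), "0xACTIVE", "0xEXCH_B", 20.0),  # before traced funds arrive
    (at_hours(-100), "0xWHALE", "0xACTIVE", 30.0),
    (at_hours(0), "0xFUNDER", "0xSCAMMER", 1.0),     # scam wallet funded
    (at_hours(1), "0xSCAMMER", "0xBRIDGE", 5.0),     # chain-hop
    (at_hours(2), "0xSCAMMER", "0xBURNER1", 1.5),
    (at_hours(3), "0xBURNER1", "0xBURNER2", 0.7),
    (at_hours(3), "0xBURNER1", "0xBURNER3", 0.8),
    (at_hours(4), "0xBURNER2", "0xMIXER", 0.5),
    (at_hours(4), "0xBURNER2", "0xDEX", 0.2),
    (at_hours(5), "0xBURNER3", "0xACTIVE", 0.8),
    (at_hours(6), "0xACTIVE", "0xEXCH_A", 3.0),
]

# Constructed labels for the services at which tracing stops.
TAGS = {"0xBRIDGE": "bridge", "0xMIXER": "mixer", "0xDEX": "dex",
        "0xEXCH_A": "exchange", "0xEXCH_B": "exchange"}


def activity(txs):
    """Map each address to the timestamps of every transfer it took part in."""
    acts = defaultdict(list)
    for ts, sender, receiver, _ in txs:
        acts[sender].append(ts)
        acts[receiver].append(ts)
    return acts


def is_burner(addr, acts, max_txs=4, max_span=timedelta(days=2)):
    """Burner heuristic (assumed thresholds): a handful of transfers, all
    inside a short window, and nothing afterwards in the data set."""
    ts = acts.get(addr, [])
    return 0 < len(ts) <= max_txs and max(ts) - min(ts) <= max_span


def trace(start, txs, tags, max_hops=6):
    """Follow ETH leaving `start` hop by hop until a tagged service or a dead
    end. Only transfers at or after the arrival time at each address count."""
    outgoing = defaultdict(list)
    for tx in txs:
        outgoing[tx[1]].append(tx)
    results = []
    stack = [(start, datetime.min, [start])]
    while stack:
        addr, arrived, path = stack.pop()
        nxt = [tx for tx in outgoing[addr]
               if tx[0] >= arrived and tx[2] not in path]
        if not nxt:
            if addr != start:  # funds parked at an untagged address
                results.append({"path": path, "tag": None, "eth": None})
            continue
        for ts, _, receiver, eth in nxt:
            new_path = path + [receiver]
            if receiver in tags:
                results.append({"path": new_path, "tag": tags[receiver], "eth": eth})
            elif len(new_path) <= max_hops:
                stack.append((receiver, ts, new_path))
            else:
                results.append({"path": new_path, "tag": "hop-limit", "eth": eth})
    return results


def burners_on_paths(results, acts):
    """Untagged intermediaries on the traced paths that look like burners."""
    found = set()
    for r in results:
        for addr in r["path"][:-1]:
            if is_burner(addr, acts):
                found.add(addr)
    return found


if __name__ == "__main__":
    acts = activity(TXS)
    hops = trace("0xSCAMMER", TXS, TAGS)
    for r in hops:
        print(" -> ".join(r["path"]), "|", r["tag"], r["eth"])
    print("burner-like intermediaries:", sorted(burners_on_paths(hops, acts)))
```

On the constructed data the trace ends at four tagged services (bridge, mixer, DEX and one exchange); the earlier transfer from 0xACTIVE to 0xEXCH_B is correctly ignored because it predates the arrival of the traced funds, and every intermediary except the long-lived wallet is flagged as burner-like.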
In the case of Token 2, various addresses sent funds to one another, including addresses where funds were received and then immediately sent out to another address. The address that funded the address that created the scheme seems to have been used to cash out the proceeds. This wallet is still active and has made more than 100,000 transactions. Its highest balance was 17,804.31 ETH in September 2022. After the scam, the wallet's balance dwindled for several days, before rising again a week later (potentially from proceeds of another scam). This wallet sent large amounts of funds to various centralized exchanges (much more than the likely proceeds of the Token 2 scam), including Bitfinex, OkEx, Crypto.com, Gate.io and Bittrex. Since these transactions are co-mingled, it is unclear to which centralized exchange the proceeds of the Token 2 scam, specifically, went.

The addresses responsible for creating Tokens 3 and 4 did not participate in sophisticated money laundering activity. In fact, in the case of Token 3, the scammer address was funded by a Coinbase account, before sending funds to another account, which then sent funds to Coinbase. In the case of Token 4, the wallet initiating the scam was funded by Binance and then sent funds to Binance a few days after trading of the token ended. Since this coin had more peaks and troughs in its price, it is likely that more addresses were involved, perhaps as part of a coordinated pump-and-dump scheme. However, many of the addresses involved held and traded hundreds of extremely low-value altcoins. This suggests that they are either serial scammers who have conducted similar schemes across many different coins, or that they are merely opportunistic traders. Traders who trade risky altcoins in the cryptocurrency space are generally referred to as "degens", and use various tools or programs to identify tokens with a low market capitalization with the potential for large price gains.
They generally expect to lose money on some of these trades, while gaining exceptional returns on others. They are aware they are gambling. This was also the case for other addresses that exchanged the scam tokens for ETH throughout the life of these schemes.
Various addresses involved in trading Token 4 exhibited what we may label as "suspicious" behaviour, but we are unable to confirm they are associated with the scammer. Future research involving computational clustering could address this. Notably, many of the addresses involved with Token 4 utilised Miner Extractable Value (MEV) bots. This suggests that the traders involved were perhaps more sophisticated than in some of the other schemes. MEV refers to Ethereum miners ordering the transactions they see in the mempool within a block in a way that captures additional profit for the miner (Daian et al., 2019). This may involve tactics such as front-running, back-running, or sandwich attacks, which combine the two (Xu et al., 2022). Bots can be coded for this purpose and appear to have been utilized in this case. However, Mazorra et al. (2022) cite an example of a scam token designed to trick MEV bots.
Finally, from June 5, the creator of Token 5 sent small amounts of ETH to 28 different addresses after the scam (totalling 2.8 ETH, with the highest transfer being for 1.23 ETH). These wallets transferred funds among one another and are generally still active. The address that received the 1.23 ETH sent 6.14 ETH to Kucoin on the same day. This address is still active and has, at various times, had a very high balance (57,342.74 ETH before the scam).[5]

Key takeaways
Our findings with respect to our key research questions can be summarised as follows:

1. Using open-source investigative tools, including Etherscan and Breadcrumbs, to conduct on-chain investigations proved fruitful in identifying evidence of several rug pull scams and their perpetrators' money laundering tactics, which could be used in prosecuting these crimes.
2. These open-source investigative tools also successfully revealed some patterns in how DeFi frauds are committed. Our investigations exclusively found rug pull scams which also utilized pump-and-dump tactics. Overall, the schemes were less sophisticated than we expected.
3. The open-source investigative tools we used showed funds were laundered in these schemes using rudimentary obfuscation techniques, such as peel chains and chain-hopping. Ultimately, most of the proceeds of the scams arrived at centralized exchanges, where we expect they were withdrawn as fiat currency in amounts under the required limit for submitting Know Your Customer information.

Tools to detect and investigate DeFi fraud
Notably, our investigations (albeit into a limited number of contracts) only revealed rug pulls of Ethereum-based DeFi tokens, which is perhaps less surprising given estimates that 35.9% of funds lost to DeFi scams in 2021 were the result of such schemes (Chainalysis, 2022). However, the fact that we found these exclusively may suggest that something about them makes them disproportionately obvious. Rug pulls may also be underreported; many cryptocurrency market participants, in fact, consider being "rug pulled" a rite of passage. It is also unlikely that the figure provided by Chainalysis includes smaller-scale rug pull schemes like those this paper investigates.
Our manual analysis of the subsequent money laundering activity highlighted Ethereum addresses which participated in the purchase of DeFi tokens which, at first glance, appear to exhibit similar behaviour to those analysed in this study. Future research could analyze patterns of behavior among these addresses, namely, whether they are repeat offenders, or merely so-called "degens" looking to invest in high-risk, high-reward tokens. If they are, in fact, repeat rug pull offenders, the value lost to these scams may be much higher than previously reported.
While the use of Etherscan and Breadcrumbs certainly proved useful in exposing on-chain evidence of multiple rug pull scams, the investigation process proved time-intensive (several full days of work for each token we investigated). Particularly in the money laundering investigation phase, various addresses of interest executed more than 100,000 transactions throughout their existence. While law enforcement agencies generally have a team of investigators to conduct their investigations, the prevalence of rug pulls means that even these resources are insufficient to capture all offending. Therefore, it may be fruitful for future research to explore ways to automate more of this process, such as automatically applying the heuristics we identified as part of the money laundering investigation phase.
Slither offered rudimentary insight into the content of the smart contract code in question. Further manual smart contract analysis was outside of the scope of this study, but is a useful avenue for further research. Furthermore, such analysis could feed into more targeted tools for detecting various types of smart contract trapdoor rug pull schemes.

Legal value of evidence and next steps for investigators
The data extracted using these open-source investigative tools have evidentiary value because they establish a fact pattern of criminal behavior. With support from an expert witness, this would be useful in prosecuting these frauds. Furthermore, because we use openly available tools rather than proprietary "black box" algorithms to arrive at the relevant conclusions, this evidence is more easily explicable in court.
However, to use the evidence we revealed in a prosecution, law enforcement would need to connect the wallets analyzed with "real-world" identities. Investigators could subpoena centralized exchanges to which tainted funds were sent. Even if funds were sent in small enough amounts to evade KYC requirements (which was not the case in many instances), the scammer may have sent funds to a bank account in their name, or used their real email, or real phone number. Some exchanges also collect IP addresses, "browser fingerprints", and other information about customers (Coinbase, 2022). This information could be used to issue further subpoenas, for example, of mobile phone carriers or internet service providers. Ethereum wallets communicate with the Ethereum blockchain through a JSON RPC (remote procedure call) server. This server is often delivered through a "proxy node" from a third-party node service provider like Infura (Zhang and Anand, 2022). The default RPC endpoint for the most popular non-custodial, hot Ethereum wallet (often used to interact with the DeFi ecosystem), MetaMask, is Infura. Infura collects transaction data and user IP addresses, which they retain for seven days unless the user switches their MetaMask RPC endpoint (Kessler, 2022). While there is the possibility that the scammers could use fake KYC information for their exchange accounts, the overall lack of sophistication of their schemes and money laundering methods makes this seem less likely.
Investigators would also likely seek information elsewhere, such as from Twitter, Telegram, or Discord accounts; and marketing materials and websites. We note that many of the smart contracts list the tokens' Telegram channel and/or Twitter handle before the start of the code. They could also conduct interviews (U.S. Securities and Exchange Commission, 2017) and engage further expert witnesses (Pelker et al., 2021). Dyson et al. (2020) also offer methods law enforcement could use to crack users' wallet passwords or uncover their seed phrases, which is likely necessary to recover the proceeds of crime.

Ethereum-based DeFi fraud
As discussed in section 4.3, it was somewhat surprising that all of the scams we investigated involved rug pulls and that they only involved Uniswap. Based on the amount of research on automated detection of Ponzi schemes on Ethereum (see, for example, Wang et al., 2021b; Hu et al., 2021; Fan et al., 2021), we would have expected to see some (though our sample was very small). Furthermore, our sample came from the most recent set of blocks extracted from Ethereum; it is possible that the type of offending has changed over time (given that many of the aforementioned papers rely on data from 2019 (Bartoletti et al., 2020)).
Our research complements findings from Mazorra et al. (2022) and Xia et al. (2021). We find that the rug pulls we examined are sell rug pulls based on Mazorra et al. (2022)'s categorization and that some also appear to employ smart contract trapdoors in their code. Though we did not quantify this, we also found evidence, as Xia et al. (2021) did, that those who participated in these schemes seemed to participate in others. However, our examples did not show repeat scam efforts using the same tokens (unlike Xia et al. (2021)'s research). Xia et al. (2021) also found that 37% of scams lasted only one hour or less; this was the case for two of the tokens we analyzed, while the other three were slightly longer.
We were surprised by the relative lack of sophistication of these schemes (particularly Token 3). While we are unable to definitively comment on scammers themselves, our findings suggest that they could be relatively unsophisticated, merely copying a low-effort pattern of offending that worked for others. However, we note that, like Xia et al. (2021), we saw evidence of the use of arbitrage bots in some cases, which might point to more sophisticated perpetrators. They found that 27 of the addresses they identified participated in more than 1,000 Uniswap pools, which they identified as the result of using these bots.

Ethereum-based DeFi fraud money laundering
Similarly to the schemes themselves, the money laundering tactics subsequently applied, if they existed at all, were relatively unsophisticated. Known tactics such as chain-hopping and peel chains are present in some schemes (Pelker et al., 2021). Our findings are only somewhat consistent with the narrative that "high-risk" exchanges are often used to launder funds (Chainalysis, 2022). While some of the exchanges used could be considered slightly higher risk, others, like Coinbase, are publicly listed in the U.S.

Victims
While we have not conducted a detailed analysis of these schemes' victims, we can make some initial comments. There is some question about whether so-called "degen traders" can be considered victims at all. While violations of securities laws are still illegal, the "victims" very likely understood that they were gambling.
In terms of how scammers may have recruited victims, we can only hypothesize based on the analysis we conducted. Previous research has reported that many pump-and-dump schemes are coordinated on social media or messaging applications like Telegram (Xia et al., 2021). Many DeFi users also use tools such as DEX Screener,[6] which shows new trading pairs on various decentralized exchanges, or automated trading services that often trade these sorts of assets.[7] In our manual analysis of the subsequent money laundering activity associated with the scam tokens studied, we noticed Ethereum addresses purchasing other DeFi tokens which, at first glance, appear to exhibit similar behavior to those scam tokens we analyzed in this study. Future research could analyze patterns of behavior among these addresses, namely, whether they are repeat offenders, repeat victims, or merely so-called "degens" looking to invest in a high-risk, high-reward token.

Limitations and future research
The primary limitation of our research was that we could not investigate more individual tokens because the process was so time-consuming. However, even with a limited sample, firm patterns emerged. Future research could explore how to automate more of this process and also conduct similar research on other blockchains. Using automated extraction methods on a larger set of tokens could uncover more robust typologies of Ethereum-based DeFi scams. Furthermore, while we attempted to be as systematic as possible in our on-chain analysis, there are still subjective elements of the process, particularly in our investigation of the money laundering schemes (a point Dyson et al. (2020) echo). Future research could employ various annotators to conduct analysis on the same tokens. Finally, we only used open tools in our analysis. There are other, potentially more powerful, proprietary blockchain analytics tools offered by private companies.

Conclusions
Fraud across DeFi is a widely-discussed issue. This paper provided various insights about the nature of Ethereum-based DeFi crime and demonstrated how open-source investigative tools can be used to extract evidence of scams on Ethereum which could be used in prosecuting the same. We conducted these investigations in a systematic manner which would be of use to law enforcement and other researchers. Our investigations using these tools revealed evidence of a series of rug pull scams which employed pump-and-dump tactics. We also systematically investigated money laundering tactics following Ethereum-based DeFi frauds. Like the schemes themselves, the money laundering tactics were rather unsophisticated and easily detectable strategies (like peel chains and chain-hopping); in some cases, scammers did very little to hide their crimes. The proceeds of the rug pulls primarily arrived at centralized exchanges, which represents a useful "choke point" for law enforcement to identify DeFi users. Our findings suggest that rug pulls may be a highly detectable and identifiable type of Ethereum-based DeFi scam and that several, smaller-scale rug pulls may be taking place which are not included in mainstream statistics on DeFi-based offending. Further automation of the investigative process proposed in this paper could allow more, even smaller-scale offenders to be prosecuted.

Funding
This project was funded by UK EPSRC Grant EP/S022503/1 which supports the Centre for Doctoral Training in Cybersecurity at UCL.

Declaration of competing interest
The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.

Data availability
Data will be made available on request.
Appendix A. Etherscan Token Page and Contract Page

.9 shows the Etherscan token page for Token 1. As discussed in our Method section, we manually examined every ERC-20 token transfer involving Token 1. We focused on identifying token events like adding and removing liquidity and token swaps. We do not reproduce every token event or transfer here; however, Figure B.10 shows an example of one such key event: the perpetrator removing liquidity on Uniswap. Figures B.11 and B.12 show additional Etherscan tools we used in our investigations, namely, the Dex Trades tab of the Token 1 page (which shows the price of Token 1 for each trade) and the Holders tab (used to identify potential victims left holding Token 1 after the rug pull), respectively. Table 1 shows the full results of our fraud investigation of Token 1. Figure B.13 shows the output from Slither for the analysis of the Token 1 contract. Section 3.1.1 details the outcome of our smart contract analyses. Figures B.14 and B.15 show the funding of the scammer address on Etherscan. This is also depicted in Figure B.16, which is a selected screenshot from our Breadcrumbs-based money laundering investigation of Token 1. This figure shows the process of funding the scammer wallet and the scammer laundering money through a burner address, then sending some funds to another burner address, Uniswap, and Tornado Cash. The full money laundering scheme is depicted in Fig. 7. Further results of these money laundering analyses can be found in Section 3.2 of the body of this article.