Topic: Anti fraud / scam tools for Bitcoin - UPDATES! (Read 356 times)

There was a site called, Badbitcoin.org that did something similar. It started way back in 2014 and they lost interest in the project, so it is not being updated anymore. I hope the same thing is not going to happen with your pet project, once you finish with your studies and then go onto something else. 

I used to refer loads of people to Badbitcoin.org in a time when there were loads of scams doing the rounds. (Ponzi schemes and scam ICOs and also Phishing sites)

------ NEWS/UPDATES (14 July 2023) --------

4. The algorithm now responds in real time. The inference calculation on an address, if it hasn't been in the database for the last three months, is now calculated on the fly.

You are welcome to list features you would like to see on our site!

/Michele

------ NEWS/UPDATES (4 July 2023) --------

1. Login removed! This change is based on numerous requests and concerns we received from various channels.
2. Scam Search Engine Section Added: We now report results from google.com, reddit.com, and ChainAbuse.
3. A technical document explaining the technology behind our service has been published on our main page.

/Michele

Dear Mr. Magkaisa,

Thank you for your inquiry. The purpose of our platform is to provide a tool that calculates a score on the likelihood that a given address has been used for fraudulent activities or scam APPs (Authorized Push Payment), i.e., those scams where the user is convinced to send funds.

We believe it's always beneficial to test an address before sending funds, especially if you are not an experienced user or unfamiliar with the counterparty. I hope this clarifies our platform's objective.

PS: We previously required registration to limit platform access, but we have removed it based on user feedback.

Best regards,
Michele

     -  I don't really understand the catch of that platform, please correct me, maybe I misunderstood. Is the function of the site platform to tell if the address we paste on their website is to know if it is still safe or not?

Is that what it means? Is it far from the risk of being hacked or phishing? is that right? Then I don't see any log-in or sign-up either. I don't care what this site platform that OP posted here can really help with?

Thank you NotATether for your feedback!
Based on your numerous requests, we have removed the login requirement from our service: https://carscore.io
Now you can access the scores and information simply by browsing the website without any restrictions.

Furthermore, we are working on creating a comprehensive FAQ section that will contain a technical document explaining the functionality and workings of our service. This document will provide detailed insights into what our service does and how it accomplishes it.

We appreciate your ongoing support and encourage you to continue providing us with your suggestions and feedback. Your input helps us improve and shape the website according to your needs.

Michele

Ideally, the service shouldn't require any login even, and should be able to be used as a guest. Sure, this means more network infrastructure is required to prevent DDoS, but this is an important service to have anyway, so it works out. Also an API + a detailed list of components and their sub scores in addition to the main score will serve to be useful to determine what are the specific problems with this address.

Thank you for the feedback. Based on your responses, we've built a small roadmap.

1. In a few days, we will remove the login and introduce Google reCAPTCHA v3.
2. As a further step, we'll then add evidence from third-party sites like BitcoinAbuse and BitcoinWhosWho (if you have other sites you'd be interested in integrating, feel free to write to us here!).

The third stage of the roadmap involves adding more cryptocurrencies, but the work required to find reliable data and train a machine learning algorithm is on the order of 3-6 months, so it will be a development that we can undertake later on if the service should be used in the meantime.

Talk to you soon!

The concept of this creation is good because it will help a lot of Bitcoin users and investors from being other victims of fraud but it will be nice if the area aspect of sign-in before using the tool is removed because it is a turnoff for me personally since some platform use the idea to collect cryptocurrency enthusiasts email which they later sell.
Second, it will be good if you could extend to tool capacity to the most or at least top 10 crypto and the time span it can bark.

We use AI that has been trained with 10,000 addresses from user fraud reports (at least 10 reports on an address) as well as fraudulent addresses labeled by chain analysis experts provided by elliptic.co. A fraudster can change their address with each transaction, although this doesn't always seem to be the case. For instance, if they run email SPAM campaigns, they always use the same address, not a different one for each email.
So, it's reasonable for someone sending money to question if an address with 0 transactions isn't already an indication.
It's like buying from a supplier with 0 reviews on eBay or Amazon. A "unrated" creditor isn't the pinnacle of reliability, so while we may not classify them, this does not make them reliable, quite the opposite.
\M

I am very curious to know how you determine that a Bitcoin address are fraudulent or not? Do you only use AI algorithms or do you get data from people who has been scammed?

Why would a skilled fraudster re-use a Bitcoin address that were used for a scam? It is very easy to generate several paper wallets in seconds and then dispose of it, once it was used and swept to another wallet and pushed through a Mixer service. 

Thanks for the feedback! We are updating the FAQ section.
It was written by a colleague who works in marketing, and we are now reviewing the content!

We were considering a roadmap where we could also incorporate different kinds of information.
When you mention more traditional tools providing information on the possibility of fraud, what exactly are you referring to? For example, bitcoinabuse.com?
Could you provide me with a brief list of tools that you currently use to determine whether an address is a scam and that you'd like to see also embedded in our service?

This would be very useful for us, thank you so much!

But your FAQ section says otherwise ^{[you might want to edit those parts (e.g. this)]}!

Considering that some of the scammers tend to move their assets after a year or two, I think you should extend the period in which your AI barks

You're correct, but it's worth noting that there are a lot of false positive results as well ^{[unfortunately]}.

IMO, there's value in it, but I'd still combine it with the traditional tools.

Thank you for giving me the chance to clarify this. Our research, as a part of our master's program at Politecnico, has been devoted to the analysis of Bitcoin transaction records. We aimed to discern whether it's possible to identify fraudulent behavior just by scrutinizing these transactions. Our results were encouraging; we look solely at the transaction record, not at the network of interconnected transactions, at least in this phase.

In terms of the algorithm, here's a bit more detail. From a transaction record, we derive roughly 200 attributes or 'features.' Some of these are proprietary, but most can be shared. They include the average of received and sent amounts over different time periods (day, week, month), as well as the minimum and maximum amounts received and sent. We also look at the frequency of transactions. These are mostly simple statistical metrics, though some more complex features are also calculated from the transaction record.

At this point, our artificial intelligence (AI) steps in. It's been trained to take all these factors into account and understand which are the most significant in identifying a fraudster's behavior. As for how the AI makes these decisions, it's a bit of a black box – hence why machine learning algorithms are often referred to as 'unexplainable.' The AI surpasses human ability to evaluate large amounts of statistical data, making it an ideal tool for tasks like this one. Similar technologies are used in advanced anti-fraud systems across the payment industry.

To summarize, our process works as follows:

1. For a given address, we examine the transaction history.
2. We calculate roughly 200 statistical metrics related to that address and pass this data to an algorithm, which has been trained to spot the telltale signs of a fraudulent actor.
The exact way the algorithm weighs each of these metrics, and why, is something that remains opaque to us. We know that during training, the algorithm adjusted the weights of the features, looking for the combination that was most successful in identifying fraudulent behavior from the pool of 10,000 addresses (good and bad) that we used for training it.

At this juncture, I would recommend that you give it a try: https://carscore.io . Through your own experience, you can gauge whether its predictive capabilities are of value to the community. That's the very reason we embarked on this project. See you soon! /M

Dog training is known for way longer, and the trainer can explain the way they train it as far as I'm aware. I don't think you can say the same thing if you just say "our machine learning works by reading some data" without adding some context. For example, giving reasons why the number X or Y is safe, and which transaction is considered suspicious, and so on. I do think there is a formula or algorithm at play even if you use AI. The basic one would be "transaction linked to previously known scammer address is likely to be a scammer", or something similar. CMIIW.

Ok, we'll work on the login feature.

I understand the reluctance to use a non-deterministic algorithm, especially if not all users have a basic understanding of AI. The analogy I could use is that of police dogs trained to sniff out drugs. They undergo training where they're conditioned to recognize certain smells and situations. Then, when they're used in the field, they've developed the ability to identify new situations they've never encountered before. Machine Learning works in the same way. We've trained our electronic "sniffer" using a database from elliptic.co and bitcoinabuse.

Now, if an address has at least 3 transactions in 6 months, our AI can "bark"! :-)

Thank you all, but please bear in mind that there's no formula behind it, it's an application of artificial intelligence and machine learning. At the moment, an ensemble of XGBoost and Logistic Regression is used for inference. There is no source from which we take data, no user reports, no averaging or summing of external opinions. The algorithm was calibrated using mostly data from Elliptic on Kaggle and from Bitcoinabuse data filtered for at least 5 or 10 reports.

Your score will be like many scores from many review websites. If they don't public their formulas, source code, you will no be able to check the reasonable formula and its accuracy.

There are some websites to get community warnings, reports labels about tagged scam addresses. Those tags are from community reports, tags so they can be inaccurate. Like Trust Rating on Trust pilot and the likes. We can use them for references but validity and accuracy are unknown.

https://bitcoinwhoswho.com/tags
https://insight.is/
https://github.com/janoside/btc-rpc-explorer

Does your AI also contribute exclusively to search output, I mean without involving the valuation of the three sites you use?
I'm also curious about each ranking from the most risky to the safest, for example you gave an example of 76/100 for a safe ranking label, then what about the labels if it's 53, 99 or something else? I recommend that you also provide detailed descriptions of ranking on that page. I see a lot of space available there.

Yes, there is no registration, only login. For now, login with email and password is disabled and you can only log in with Google. Once you do that, paste the address you are interested in verifying. If we have recently analyzed it, we give you the score immediately, if not, we have to calculate it. Today we calculate all addresses at 00 CEST, but one proposal could be to calculate new addresses every hour for now since usage is very limited. What do you think?

Firstly, thank you all so much for your contributions, this exchange is extremely useful for us. A clarification: our research is different from what you do on Google. We have trained an AI to recognize a behavior. We do not search for that specific address anywhere, we ask the AI if, in its opinion, the behavior of that address seems suspicious compared to how we trained it.

That's pretty much like I can just google on specific address I want to search and if listed on bitcoinabuse or any site related about it, the address is belong to scammer. Not all report in bitcoinabuse is legit, someone can just blindly report it including you, me or anyone else.

I think you should add walletexplorer.com as one of your source, that's a good explorer because you can search the particular address and you will find the wallet, you can also track the other address associated with the wallet as long as the address have been used.

You should work together with blockchain explorers, something like what Etherscan does for Ethereum addresses (you can see which wallets are always guilty of fraud, which wallets always do scam transactions).

So you might for example work with Blockchain explorer to see address info taken from your software, instead of people manually entering addresses.

Well, here in our country you can't create many emails because each email that is created has an attached personal mobile device number that is registered in our name. So it means that it is difficult on our part to create more than 2 email accounts because there is simcard registration here in our country.

The only thing I don't understand much about CARS is that we only see log in and no sign-up, instead it looks like we just copy and paste the address, right?

We can predict behavior before the address is reported somewhere. Our thesis is based on the analysis of an address's account statement and we have trained artificial intelligence to recognize the usage pattern of an address through various sources (elliptic.co, kaggle, bitcoinabuse). Essentially, we look at the transactions of an address and predict the likelihood of it being a scammer. If the address is new, we can't make any predictions and advise treating it with caution, because the general rule of payment systems applies, namely that the creditor side should not seek anonymity.If, on the other hand, the address has at least 3 transactions, we can generate a prediction.

An example like that does work to get some initial feedback
My first thought when seeing that score would by: why? What's the rationale behind the number? Was it linked to a scam somewhere, did it get some negative reviews,... ?

Wow! Thank you so much, I wasn't aware of them. They focus on AML and are a company :-), whereas in our thesis we focused on Scam (what the EPC calls APP fraud). So, you would also prefer a login with email?? Where I acquire personal data, whereas with Google I wouldn't? Ok we will work on that.

An example like that can work? (https://i.postimg.cc/JnPG0P34/Schermata-2023-06-21-alle-12-45-35.png)
https://i.postimg.cc/JnPG0P34/Schermata-2023-06-21-alle-12-45-35.png

I mean to say that if you input the address again, you will get the result immediately now. I know we haven't yet implemented a filter to prevent the registration of random or malicious text strings. But if you genuinely enter a Bitcoin address with at least 3 transactions, we provide a scam evaluation for that address.

I know that I can't stop users from registering multiple accounts, the goal is to discourage some if I make their life a bit more complicated. That said, I would really appreciate it if you also tested our algorithm! (which is the interesting part for us :-) ). Thanks a lot for the feedback, we will work on the login process and the frequency of updates.

/Michele

What do you mean my results are online, like the wallet I requested, the results are found? If yes then after searching the result and getting 24 hours waiting notification I signed up and now when I signed in again, I found no way to my previous request like how can I see the results, do I have to put the address again and wait for the next 1 hour (as you aforementioned, you will change the waiting time).

And yeah mocacinno, is saying right, people could come up with various email and you know there are temporary email too, even I have enough email go use all of the daily limits. 

Hi @Faisal2202 and thank you for the review.

Yes, the project is still in its early stages and we've been more focused on the AI models rather than on the User Experience (UX).
We have some reservations about storing users' emails, as there are many responsibilities involved due to privacy concerns, which is why we have not yet activated this feature.

I understand that our database is still quite empty, so the site often asks you to wait. I'm going to run the rating evaluation script now, so you don't have to wait for 24 hours. Meanwhile, I'll modify this setting to run it more frequently. Would every hour be alright? Would you be willing to wait 1h to receive the assessment from our AI?

Thank you for the feedback, your results are online.

/Michele

I get the fact that you want to limit the amount of querys on your system to avoid having to buy/lease more performant (and more expensive) hardware. This being said, using google's SSO isn't a foolproof way to avoid people signing up with multiple accounts either... It's just an extra hoop multiaccounters have to jump trough. And like i said: using google's SSO will deprive you from several beta testers... I'm not completely against google's SSO, but i avoid it whenever i can (and i only use it for services that i trust and offer little or no other way of creating accounts).

AFAIK, there is no foolproof way to avoid multi accounters... People can create a dozen of google accounts (or buy them in bulk), or they can use throwaway emails, they can use vpn's or proxy's... Or tor... They can change their browser's fingerprint, they can (potentially) bypass (some) captcha vendors...

Personally, i'd probably allow people to sign up using their email and require a captcha completeion, then block >10 lookups per day based on ip address... It's not a perfect system, people can still get around it, but there are sufficient hoops so most of them won't be able to manage more than a handfull of alt accounts on your service.

If you really want to crack down on multi accounts, it'll require grunt work... Maybe work with invites and communicate with your members trough your platform... But it'll require significant effort from your side.

In the field of cryptocurrency, when a website ask us to sign in directly through email, this raises concerns, but after reading your FAQs, i can not stop myself to check your feature out, i have a spare device to check things out which is totally cutoff from mine, so i think it is safe to click on, but not a single "Text Edit Button" is working like ok I understand you guys block the one where we have to paste the address but why did you no enable the "Email" and "password" button, well maybe i am being too skeptical, as i think they will be enable after i signed up, so lets check,

Nah, 👎, your website is still new and you are asking to wait for 24 hours.

We apologize for that, I'd like to keep the system open, but due to the costs of running the service on Amazon Web Services, we've had to implement a login system to limit usage to 10 address consultations per day. This is a measure we've taken to ensure we can continue offering a free tool without going bankrupt!

We recognize that this might not be ideal for everyone, and we are considering implementing other login alternatives in the future. Any idea for that?

thank you!
/M

There doesn't seem to be a way to create an account without linking it to my google account (which i usually don't do, especially for new projects)?

Hello Bitcointalk Community,

We're a group of students from Politecnico di Milano who have recently completed our thesis project - the Crypto Antifraud Rating Score (CARS). CARS is a free online tool designed to assign a fraud risk score to Bitcoin addresses. We used AI and signal theory to analyze account statements, extract behavioral patterns, and provide inferences (https://carscore.io).

We're eager to receive your feedback and hear about any similar tools or projects you may know of in the Bitcoin community. We are open to finding synergies and exploring collaborative opportunities.

Looking forward to your insights and thoughts!

------ NEWS/UPDATES (14 July 2023) --------

1. Login removed! This change is based on numerous requests and concerns we received from various channels.
2. Scam Search Engine Section Added: We now report results from google.com, reddit.com, and ChainAbuse.
3. A technical document explaining the technology behind our service has been published on our main page.
4. The algorithm now responds in real time. The inference calculation on an address, if it hasn't been in the database is now calculated on the fly.

Through your feedback, we will build a roadmap of features to be added. Our aim is to provide not only predictions made with an AI model but also to create a one-stop shop for scam analysis.

Thank you all for the contributions received so far.

/Michele