Black Hat 2025

Sweeping the Blockchain: Unmasking Illicit Accounts in Web3 Scams

Black Hat · 19:30 · 7 months ago

This research presents ScamSweeper, a novel framework designed to detect illicit accounts in Web3 ecosystems by analyzing transaction network patterns. The framework utilizes a structure-temporal random walk algorithm to sample high-risk transaction paths and a variation transformer to model dynamic evolution in transaction graphs. This approach effectively addresses the limitations of existing graph-based and sequence-based detection methods in handling large-scale, power-law distributed blockchain data. The study demonstrates superior performance in identifying phishing and scam-related accounts compared to traditional detection techniques.

Unmasking Web3 Scam Networks with Graph-Based Behavioral Analysis

TLDR: Web3 scams are evolving beyond simple phishing, using complex, multi-hop transaction networks to obfuscate illicit fund movement. Researchers have introduced ScamSweeper, a framework that combines structure-temporal random walks with transformer models to identify these patterns. By analyzing the dynamic evolution of transaction graphs, this approach significantly improves detection rates for phishing and rug-pull accounts that traditional static analysis misses.

Blockchain security is often treated as a static problem, but the reality of Web3 fraud is highly dynamic. Attackers do not just send a phishing link and wait; they build sophisticated, multi-hop transaction networks to launder stolen assets and mask their tracks. Most existing detection tools rely on static graph analysis or simple sequence matching, both of which fail to account for the temporal nature of these scams. When an account is compromised, the attacker’s behavior changes in real-time, creating a distinct "fingerprint" in the transaction graph that static tools simply cannot see.

The Mechanics of Web3 Obfuscation

Traditional graph-based detection methods, such as those using Top-K algorithms or standard random walks, suffer from a massive noise problem. Because blockchain data follows a power-law distribution, a few high-degree nodes—like major exchanges or popular smart contracts—dominate the graph. When you run a standard random walk to sample transaction paths, you end up with a dataset saturated with noise from these legitimate, high-volume nodes.

ScamSweeper changes this by introducing a structure-temporal random walk (STRWalk). Instead of treating every edge as equal, this algorithm samples transaction paths based on the temporal gap between interactions. It recognizes that a scammer’s behavior is not just about who they interact with, but when they do it. By weighting the sampling process with the inverse ratio of neighboring nodes, the framework effectively prunes the noise, allowing it to focus on the specific, high-risk transaction paths that characterize illicit activity.
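To make the sampling idea concrete, here is an added illustration (not ScamSweeper's code) of a time-respecting random walk over a small constructed transaction graph. The exact STRWalk weighting is not given on the page; this example assumes each candidate hop is weighted by exp(-gap/tau) divided by the receiver's degree, so fast follow-on transfers to low-degree nodes are favoured and a high-degree exchange node is pruned.

```python
import math
import random
from collections import defaultdict

# Constructed sample edges: (sender, receiver, timestamp_seconds, value).
# "scam" forwards victim funds through two mules within minutes; the
# high-degree "exchange" node is the noise magnet a plain walk would hit.
EDGES = [
    ("victim", "scam", 100, 5.0),
    ("scam", "mule1", 130, 4.9),
    ("mule1", "mule2", 160, 4.8),
    ("mule2", "exchange", 200, 4.7),
    ("victim", "exchange", 100000, 1.0),
    ("scam", "exchange", 100000, 0.1),
    ("userA", "exchange", 300, 1.0),
    ("userB", "exchange", 400, 2.0),
    ("userC", "exchange", 500, 3.0),
    ("exchange", "userD", 600, 1.0),
]

def build_graph(edges):
    """Adjacency list of outgoing (dst, ts) edges plus undirected node degree."""
    out, deg = defaultdict(list), defaultdict(int)
    for src, dst, ts, _value in edges:
        out[src].append((dst, ts))
        deg[src] += 1
        deg[dst] += 1
    return out, deg

def edge_weight(gap, dst_degree, tau):
    # Assumed scoring (not from the paper): decay with the temporal gap,
    # divide by receiver degree so hubs like exchanges contribute little.
    return math.exp(-gap / tau) / dst_degree

def str_walk(out, deg, start, t0=0, max_len=4, tau=120.0, rng=random):
    """Structure-temporal walk: every hop must occur after the previous one."""
    path, t = [start], t0
    for _ in range(max_len - 1):
        cands = [(dst, ts) for dst, ts in out[path[-1]] if ts > t]
        weights = [edge_weight(ts - t, deg[dst], tau) for _, ts in cands
                   for dst, ts in [(_, ts)]] if cands else []
        if not cands or sum(weights) == 0.0:
            break  # dead end, or only hops far in the future (all weights 0)
        dst, ts = rng.choices(cands, weights=weights, k=1)[0]
        path.append(dst)
        t = ts
    return path

OUT, DEG = build_graph(EDGES)
```

Starting at `victim`, the walk follows the fast laundering chain and never wanders into the exchange, which is exactly the noise pruning the paragraph describes.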

Modeling Dynamic Evolution with Transformers

Once the relevant transaction paths are sampled, the framework uses a variation transformer to model the evolution of these accounts. This is where the research gets interesting for anyone working in fraud detection. The transformer architecture treats the transaction history as a sequence, capturing the subtle shifts in behavior that occur as an attacker moves from the initial phishing phase to the obfuscation phase.

The encoder architecture is designed to handle directed graphs, sorting transactions by their execution order. This allows the model to learn the "directed graph feature" of a scam. For a pentester or researcher, this means you can feed the model a series of transactions from an address suspected of being a phishing vector, and the model will output a probability score based on the temporal evolution of that account’s network.

Practical Application for Security Researchers

If you are performing a red team engagement or conducting bug bounty research, you are likely already using tools like Etherscan to manually trace funds. The limitation is that manual tracing is slow and prone to missing the "long tail" of a scam network. ScamSweeper provides a way to automate this discovery.

During a test, you can use this framework to map out the "blast radius" of a compromised contract or a suspected malicious wallet. By identifying the nodes that exhibit the same temporal-structural patterns as known scam accounts, you can uncover the entire infrastructure behind a campaign rather than just the single entry point. This is particularly useful when investigating CVE-2024-27348 or similar smart contract vulnerabilities where the exploit is followed by a rapid, automated withdrawal process.

Defensive Implications

For blue teams, the takeaway is clear: stop relying on static blacklists. Scammers rotate addresses faster than any blocklist can be updated. Instead, focus on behavioral monitoring that accounts for the temporal dynamics of fund movement. If a wallet suddenly begins interacting with a high volume of low-value, high-frequency transactions that deviate from its established baseline, it should trigger an immediate investigation, regardless of whether that address has been flagged by a third-party service.
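The baseline deviation described above, as an added example that is not part of the talk or the ScamSweeper project: a wallet is flagged only when a recent window is both far more frequent and far lower in value than its own history. The thresholds (`rate_factor`, `value_factor`, `min_count`) and the wallets are constructed assumptions.

```python
from statistics import median

DAY = 86400
NOW = 10 * DAY  # constructed "current time" in seconds

def profile(txs):
    """Median value and median inter-arrival gap for a list of (ts, value)."""
    ts = sorted(t for t, _ in txs)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    return {"median_value": median(v for _, v in txs),
            "median_gap": median(gaps) if gaps else None}

def flag_burst(txs, now, window, rate_factor=10.0, value_factor=0.2, min_count=20):
    """Return (flagged, reason). Flags when the last `window` seconds show
    transactions at least rate_factor times more frequent AND at most
    value_factor of the wallet's own historical median value."""
    recent = [(t, v) for t, v in txs if now - window <= t <= now]
    past = [(t, v) for t, v in txs if t < now - window]
    if len(recent) < min_count or len(past) < 2:
        return False, "insufficient activity or history"
    base, rec = profile(past), profile(recent)
    if not rec["median_gap"]:  # many txs sharing one timestamp: treat as extreme
        rate_up = float("inf")
    else:
        rate_up = base["median_gap"] / rec["median_gap"]
    value_down = rec["median_value"] / base["median_value"]
    hit = rate_up >= rate_factor and value_down <= value_factor
    return hit, f"rate x{rate_up:.0f}, value x{value_down:.3f}"

# Constructed wallets: ten daily ~1 ETH transfers as history for each.
HISTORY = [(i * DAY, 1.0 + 0.1 * (i % 3)) for i in range(10)]
# A: 40 dust-sized transfers one minute apart in the last hour (drainer-like).
WALLET_A = HISTORY + [(NOW - 3600 + 60 * j, 0.01) for j in range(40)]
# B: two normal transfers in the last hour (nothing to see).
WALLET_B = HISTORY + [(NOW - 1800, 1.0), (NOW - 600, 1.1)]
# C: frequent but normal-valued transfers; only one of the two conditions holds.
WALLET_C = HISTORY + [(NOW - 3600 + 60 * j, 1.0) for j in range(40)]
```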

The research presented at Black Hat 2025 highlights that the future of blockchain security lies in understanding the shape and timing of transactions. As we see more sophisticated crypto-drainer campaigns, the ability to distinguish between a legitimate user and an automated scam network will become a critical skill for any security professional. Start looking at the transaction graph not as a map of static connections, but as a living, breathing sequence of events. The next time you are tracing a suspicious transaction, ask yourself if you are looking at the whole network or just the noise.
