XRP forensics

xrplorer in collaboration with GateHub to protect users as Wallet Protect is announced.

As GateHub announced their newest service offering last week, Wallet Protect, we are happy to confirm our partnership with GateHub.

The new service, which offers a range of new capabilities such as back-up keys, fund recovery, and insurance, also screen all transactions against our data to protect users from sending money to identified illicit accounts.

Wallet Protect, which is launched in collaboration with Coincover, is offered in two tiers, offering insurance of up to $10,000 and $100,000.

The xrplorer advisory list has in the past 6 months prevented more than 500,000 XRP from being sent to scams and stopped more than 2,000,000 XRP from being laundered.

We are happy to announce our partnership with Flare, to help oversee the Spark distribution.

As external auditors of the distribution process, our objective is to identify participating XRPL accounts and analyze historic transaction patterns and account connections to help, amongst others:

- identify virtual asset service providers that have set the MessageKey but are not officially participating in the distribution event.

- identify participating “whale”-accounts and likely accounts closely connected to XRPL founders and early Ripple employees.

- identify participating accounts engaged in fraud/scams/thefts.

The output of our involvement is a continuous data evaluation and review of participating XRPL accounts, from which Flare can make better-informed decisions.

We will also assist Flare to publish the figures needed to calculate the amount of Spark claimable, in a reasonable time after December 12th.

While transactions on the XRPL are public, identities and account ownership are anonymous. Therefore it is impossible to guarantee a 100% fair distribution, but given our in-depth knowledge of the XRPL, transaction patterns, and analytic abilities in historic transaction data, we hope and believe our data reviews will help ease the minds of all parties involved: from Flare, to virtual asset service providers and to individual investors participating in the event.

A common practice to combat laundering from scams or thefts is publishing and maintaining blocklists and sharing these lists of blocked accounts with virtual asset service providers to stop and withhold deposited funds. But it doesn't cut it.

Stopping illicit funds and returning them to their rightful owners is an effective means to combat financial crimes like scams, phishing, and thefts – and it is a method largely made possible because of the pseudo-anonymous nature of most blockchains: accounts and transactions are public.

In 2020 we have monitored more than 20,000,000 XRP being laundered, from regular thefts, phishing, and cryptocurrency scams, through legit virtual asset service providers. And most recently, another 18.5 million XRP has been reported stolen from KuCoin, still waiting to be laundered.

Caption: Chart showing the amount of XRP received from thefts and scams in 2020, by accounts controlled by VASPs.

Blocklists are meaningful but in large very circumventable: The accounts reported used in thefts and scams were only responsible for laundering less than 20% of the total amount, while the remaining was laundered by accounts created at the time of laundering to circumvent the blocklists. This is largely made possible by faster blockchains, where transactions happen in seconds – but there is a solution.

Real-time monitoring

We are publishing a blocklist, or in our terminology, an advisory list, but we are adding a second layer: real-time monitoring.

We extend the advisory list from user reports, law enforcement reports, social media scraping, and more like most other blocklist providers, but that is only the beginning, as the powerful algorithms take over and monitor all associated activity in real-time, adding any newly created or intermediary accounts as money is moved around to circumvent blocklists on it's way to laundering.

Caption: Graph showing the the journey stolen money have taken from a user's account to VASPs, through several intermediary accounts.

The XRP ledger has close to 1 million daily transactions on average, and our technology is monitoring all of them, providing live alerts as potential exploits are happening or illicit money is moving – and updating the advisory list for virtual asset service providers to be able to respond in real-time.

Sustainability and possibilities – special 2020 offer

Our technology is built for the XRP ledger, and on-boarding responsible blockchain ecosystem participants to our advisory list subscriptions are the only way to sustain our business. But it can make a difference:

1. Warn your users to help prevent your users to send money to scams.

2. Stop illicit deposits and request additional KYC or proof of origin of funds, or reach out to us for additional information on why the account has been flagged on our advisory list.

3. Connect with us to help trace the money, or get access to our compliance toolbox to unlock powerful XRP ledger tools for your own compliance staff.

In the light of the KuCoin security event, we are offering virtual asset service providers 50% off, for the rest of 2020, on new basic or sync advisory list subscriptions, as we wish to express our support for responsible participation in combating financial crimes on blockchain: https://xrplorer.com/products/advisorylist

Photo by Markus Spiske on Unsplash

On January 17, 2020, the first micropayments went across the ledger with memo messages like “Starting February 1st, 2020, Ripple is releasing 3 Billion XRP to incentivise network users. Get 25% more XRP added to your account balance in just minutes.” with a link to a website, appearing to be Ripple's Insights blog with a message about a grand giveaway.

With a well-crafted website, replicating websites well-known to most XRP investors, a well-written message, and domains that seemingly look right, the scam did succeed and the spam messages on payment memos continued for more than a month to lure users to new websites.

The warning signs

1. The domains are not the official domains, but homoglyph domains. A hòmoglyph ís a character that cân bë substituted for another, making it more difficult to quickly spot: ripple.com <> rípple.com.

2. If it sounds too good to be true, it probably is.

3.If you have to send money to participate, or even worse, send your account information and secret keys, don't do it.

Still, in a moment of weakness, people fall for the trap, and moments later, life savings are gone.

Cryptocurrencies: money or gambling?

That giveaway scams work, is not solely based on catching weak moments: it is also because of the unhealthy environment around cryptocurrencies; Instead of treating digital assets like money, it is promoted in line with gambling with legitimate giveaways, airdrops, and trading competitions.

With seasoned investors and traders used to navigate between the billboard signs of fake promises, for new traders and investors, it's a like a first casino visit – and with many fake giveaways looking more professional than many legitimate ones, it is a jungle to navigate.

The heist continues

All good movies get a sequel so, after roughly one month of memo spamming, it was time for a new wave of attacks in May 2020. This time, not with payment memos, but with e-mails targeted users likely interested in cryptocurrencies and XRP.

These e-mails have continued in waves from May and are still ongoing.

The loot

The entire heist operation is an elaborate setup with messages sent to XRP accounts based on their holdings, homoglyph domains, fake but trustworthy marketing material, tools to collect secret keys that also checks balance on the XRPL and much more. But looking on the ledger activity, we can also see the way of which they operate when laundering the money.

The account types:

Victims: Accounts belonging to users who have entered their account information on the phishing websites

Theft pool accounts: Accounts used to empty victim accounts in batches

Intermediary accounts: Accounts created by the thieves (typically in 2 degrees), just before sending money to a swap service, likely to avoid blacklists.

Memo spam accounts: Accounts created to send the memo spam messages

Exchanges: the exchanges receiving and laundering the stolen funds

The graph is constantly changing as new victims appear and more money is laundered, but the current state (June 15) is more than 2,100,000 XRP stolen and 1,980,000 XRP laundered, mainly through to swap services: ChangeNOW and CoinSwitch.

Are you a victim?

The XRP ledger, like most other blockchains, is decentralised and no-one have the power to freeze or retrieve funds. So, if you have lost money, you need to file a police report with your local police.

Help us

We have monitored the activity since January, and receive push notifications every time new victims are made, or funds are laundered. By using our APIs, exchanges, swap services and other entities can help prevent XRP/IOU money laundering in real-time. You can help us by spreading the word to the services you use: https://xrplorer.com/forensics/advisorylist

The data in this article was generated with our XRP compliance toolbox: a collection of tools making it easy to extrapolate clusters and “follow the money”. Contact us for more information.

Photo by Luis Villasmil on Unsplash

The xrplorer.com forensics advisory list is the result of both smart design and data processing, but also manual processing and vetting of gathered intelligence.

For the advisory list to have any effect, it needs implementation in exchanges. We believe that XRP service providers (exchanges, swap services, payment providers …) can do a better job of protecting their users and play a part in combating money laundering on the XRPL.

That can be done reactively: reacting to incoming payments, checking if they are potentially illicit, and seize or report the transaction.

But there is also a proactive measure: protecting users from themselves, by implementing a check and warning when users withdraw funds to a potentially dangerous account.

In 2019-2020 close to 9,000,000 XRP was withdrawn directly from exchanges to scams. The proactive measurement of warning users can prevent a large part of these and is already implemented in several services, including Gatehub, Xumm, and xrpl.ws.


Professionalization and monetization

While we wish to continue to serve the community with personal advice in cases of thefts and scams and forensics assistance, we need to think of monetization. We need to cover the costs of our computing- and human resources and continued professionalization to offer better and better protection.

We honor our promise to the XRP community and maintain community access for non-commercial use and community protection to the advisory list free of charge.

For commercial use, we now introduce a public pricing model for XRP service providers: https://xrplorer.com/forensics/advisorylist.

While the advisory list is our most visible product, we also offer access to data intelligence and analytics through customized APIs. Contact us with your needs, and we will help find a solution.

Cover photo by Sanjeevan SatheesKumar on Unsplash

IOUs on the XRPL is a fantastic feature. It allows anyone to issue tokens, and anyone who trusts that the tokens are valid can add a trustline to be able to trade, send, and receive the token.

It also has its downsides, as there is no protection of token names (except for “XRP”), everybody can issue a USD, EUR, or BTC token. Still, there are no guarantees that the token represents any value at all.

This makes any analysis into value transferred on the XRPL, except for that of XRP, worthless. E.g., looking at raw numbers from the XRPL on December 12, 2019, more than 30,000,000 BTC was sent in 116,000 payments. But it is highly unlikely that the tokens were actually representing any value.

The numbers used in this article are from early January 2020.

Diving into IOUs

The key element of the IOU feature is trustlines (or more technically correct, “RippleStates”) – which is an object shared by two accounts to keep track of the balance, the issuer, and the account. The XRPL has roughly 785,000 of these.

By fetching all trustlines and filtering by issuer and currency, we can quickly extract a list of all IOUs currently issued on the XRPL: ~6,700 issued tokens, issuing tokens with ~1,100 different currency codes (remember that several entities can issue, e.g., a USD token).

So how do we determine if the “LOL” token represents real LOL value (?). There is no way to be certain, without knowing, and trusting the issuer. But we can define some parameters to narrow it down:

1: How many accounts are trusting the issued token?

Is just having more than one trustline the margin? Then the number already shrinks from ~6,700 to ~1,900 issued tokens. In this article, we want to focus on tokens that are broadly trusted; hence we can presume represents a value. We set the margin to having more than 50 trustlines, which leaves us with a list of 190 issued tokens and 84 currency codes.

The list went from ~6,700 to 190.

2: Manual filtering

By gathering intelligence, we know of some tokens that are issued either as fun or part of actual scams.

The list went from 190 to 134.

3 …: Additional parameters

To keep narrowing down the list to most plausible IOUs, we could look at, e.g., how many payments have been made with the token, the market depth, trading prices compared to average market trading prices, the connectedness of accounts with trustlines and much more.

Value represented on the XRPL

Given the list of 134 semi-verified IOUs, we can generate an overview of what kind of values are represented on the XRPL (a select list):

BTC: 14 issuers, ~36,500 trustlines, ~2,400 BTC

ETH: 1 issuer, ~24,000 trustlines, ~20,500 ETH

USD: 10 issuers, ~18,500 trustlines, ~33,000,000 USD

EUR: 3 issuers, ~10,000 trustlines, ~1,600,000 EUR


There are thousands of IOUs on the XRPL. But likely only a small fraction is representing real value. Circling back to the beginning, December 12, 2019. If we omit IOUs not part of the roughly filtered list of 134 tokens, how many BTC payments were actually sent? Four payments, 0.245 BTC in total.

Cover photo by Micheile Henderson @micheile010 // Visual Stories [nl] on Unsplash

A new kind of spam surfaced on the XRP ledger a few days ago. Where the most common method has been to advertise fake airdrops or giveaways through “reply spam” on Twitter, and fake YouTube streams, the new approach was to target users directly, in their accounts.

The attackers had a plan:

1) Make a replica of Ripple Insights, using special characters in the domain name to make it look legitimate (rippłe != ripple)

2) Add an article about a massive airdrop, promoting a new “Claim” feature in XRPL

3) Link to a replica of the Bithomp website, from the article, with a tool to use said “Claim” feature. A fake tool, which only serves to send secret keys to the attackers’ website so that they can take full control of the account.

In the afternoon of January 16, the attackers made the first tests. Small payments of 88 drops (0.000088 XRP) were sent through the ledger, with memos like “Welcome magic!” and “Magix!!” (initial testing). A few days later, when the fake websites were ready, presumably, the attack started: thousands of 88 drop payments were sent out to XRP accounts directly (seemingly targeted by balance), with a link promoting a fake airdrop, with no purpose other than to lure secret keys from the recipients.

We do not yet have an estimate of how many funds were stolen in the attack.

A few weeks ago, we shared details about the database driving xrplorer, less about how it is put to use.

There are several great resources for getting information about the XRPL, both through websites and APIs. When working with data analytics and forensics on the XRPL, it requires a big palette of features that until now have only been met by using information from many different sources, such as Bithomp, XRP Scan, xrp1ntel, Google BigQuery, and the xrpl.org APIs.

This fragmented workflow led to the introduction of xrpgraph.com, but while it offers a great backend for querying payment-related XRPL data, it also has its limitations; Moving from a 75GB dataset of payments to a 5TB dataset of all history and information of the XRPL is going to change that.

xrplorer will launch with three main focus areas:

1. Analytics

Our curiosity about events on the XRPL often leads to interesting discoveries. From time to time, we will share our findings here, while also offering help to custom, targeted analytics.

2. Forensics

XRP Forensics initiated initially as a community initiative to help prevent and combat fraudulent activity on the XRP ledger; this effort will be continued as a part of xrplorer. It also means an improved API for exchanges to warn users when sending funds to potentially harmful accounts.

3. APIs

While the database itself will not be public, public APIs are made available to harvest information from the XRPL. The APIs will launch in beta with a small range of endpoints, but we are hoping it is well received and wish to extend the API with features that developers need to build cool stuff on the XRPL.

But there is more …

APIs, analytics, big data, it's complicated. Still, we hope to make it accessible to everyone through the public front-end of xrplorer: a block explorer where all ledgers, transactions can be browsed and information is presented in an accessible way.


Key metrics are charted throughout the explorer, such as account activity (article header image), ledger metrics, XRP flow and more.

When first establishing a graph database representation of the successful payments and account relationships, it was quite a feat (read the story here: part one, part two). It was months of learning the XRPL, figuring out how to decode and filter the content I needed, and injecting everything in an efficient way to a Neo4j database.

The usefulness of having all this information in an easily queriable form proved to be many, e.g., analyzing how XRP flows between accounts, how accounts form clusters by interaction, and much more.

This usefulness led to thoughts of not only including payment transactions, but replicating the entire XRPL in a model, and has been a project I have been working on ever since – and now, close to a year after, it's almost ready.

The model

The XRPL is to most people a ledger that keeps track of “how much do I own” and “who sent the money, when and where.” But it's much more than that. You can send people money indirectly, by creating an Escrow and make the release destination another account, or through payment channels. You can send partial payments, payments that automatically bridges between currencies. You can make offers, trading directly on the XRPL between XRP and many IOUs that are issued by various gateways, and much more.

The database model is built to reflect the XRPL as closely as possible, with all of the “ledger objects” (AccountRoot, Escrow, Offer, RippleState …), and all of the transaction types (Payment, EscrowCreate, OfferCreate …).

Every time a transaction happens, it affects one or more ledger objects, e.g., sending an XRP Payment will affect the sending account (balance decreases) and the receiving account (balance increases). Or if an Offer is created, and it matches existing counter-offers, the transaction might affect multiple offers and accounts. All of these affections are also included in the model, making it possible to replay any object's state from its birth.

The implicit relationships

Some relationships are very visible: account A sends payment to account B; they form a directed relationship, (A)-[sent a payment to]–>(B). Other relationships are not directly inferred from the XRPL data model, such as account A sends payment to account B, but B is not yet activated, and the payment activates account B, hence (A)-[activated]–>(B).

A set of these implicit relationships is included as actual relationships, while some will have to be, and easily can be, deferred in queries, e.g. (A)-[activated]–>(B) and (A)-[activated]–>©, hence (B)<-[has sibling]–>©. Or even if two accounts have both sent money to the same destination, they form a relationship of some sort.

These implicit relationships are partly why the data model does not only contain accounts that are activated – but all accounts ever used. If account A sent payment to inactivated account B but didn't send enough to activate, the database will keep a record of this, and keep a copy of account B. If another account, C, tries to do the same, then the inactivated account B will share relationships with both A and C, hence making an implicit relation between A and C. Or even if an inactive account is in the signer list of multiple accounts, it's a strong indication that said accounts are tightly related.

It is getting very technical

Yes, it is getting very technical, but the point I am trying to make is that the access to knowledge like this is not possible without a database like this. The benefits are enormous: analyzing how money is flowing, both XRP and IOUs, for use in data analytics, market predictions, AML, AI training, and much more.

We will share much more about how it is going to be used in a post in the near future.