LEVERAGING HONEYPOTS AND MACHINE LEARNING TO DETECT MALICIOUS ETHEREUM ACCOUNTS
Publisher
Swiss German University
Abstract
The rise of Web3 has brought decentralization and transparency, with Ethereum emerging as a key platform for decentralized applications. However, its popularity has also made it a prime target for attacks. This study aims to enhance Ethereum security by improving node honeypots, account risk scoring, and account classification. Over 28 days, Ethereum node honeypots recorded 88,224 JSON-RPC requests, revealing attacker patterns such as reconnaissance through account enumeration. The study investigates three key research questions. First, findings show that honeypots returning transaction hashes, especially random ones, receive the highest engagement, as attackers verify these hashes on block explorers before attempting Ether theft. This highlights the importance of response design in studying attacker behavior. Second, the study evaluates the effectiveness of the RiskProp method for Ethereum account risk scoring and finds it inadequate for newly observed or low-activity accounts due to its reliance on prior transaction history. Lastly, the study explores improvements to Ethereum account classification, demonstrating that machine learning models such as Random Forest and XGBoost outperform RiskProp in accuracy and generalization. Key classification features include transaction counts, active days, and Ether balance. Based on these findings, the study recommends enhancing honeypots with high-balance accounts to attract more sophisticated attackers, exploring adaptive risk-scoring methods, and incorporating deep learning techniques for improved classification. These insights contribute to advancing Ethereum security research and strengthening risk assessment methodologies. The code and dataset used in this study will be publicly available on GitHub.