{"metadata":{"_oai":{"id":"oai:ipsj.ixsq.nii.ac.jp:00239373","sets":["581:11492:11502"]},"path":["11502"],"owner":"44499","recid":"239373","title":["EtherWatch: A Framework for Detecting Suspicious Ethereum Accounts and Their Activities"],"pubdate":{"attribute_name":"公開日","attribute_value":"2024-09-15"},"_buckets":{"deposit":"e1c715dd-4fde-4595-9e52-4ffaab8c9a65"},"_deposit":{"id":"239373","pid":{"type":"depid","value":"239373","revision_id":0},"owners":[44499],"status":"published","created_by":44499},"item_title":"EtherWatch: A Framework for Detecting Suspicious Ethereum Accounts and Their Activities","author_link":["656106","656103","656101","656109","656107","656110","656104","656108","656105","656102"],"item_titles":{"attribute_name":"タイトル","attribute_value_mlt":[{"subitem_title":"EtherWatch: A Framework for Detecting Suspicious Ethereum Accounts and Their Activities"},{"subitem_title":"EtherWatch: A Framework for Detecting Suspicious Ethereum Accounts and Their Activities","subitem_title_language":"en"}]},"item_keyword":{"attribute_name":"キーワード","attribute_value_mlt":[{"subitem_subject":"[特集:サプライチェーンを安全にするサイバーセキュリティ技術] cyberattacks, blockchain, ethereum, honeypot, JSON-RPC, proxy","subitem_subject_scheme":"Other"}]},"item_type_id":"2","publish_date":"2024-09-15","item_2_text_3":{"attribute_name":"著者所属","attribute_value_mlt":[{"subitem_text_value":"Yokohama National University"},{"subitem_text_value":"Yokohama National University"},{"subitem_text_value":"University of Tsukuba"},{"subitem_text_value":"Yokohama National University"},{"subitem_text_value":"Yokohama National University"}]},"item_2_text_4":{"attribute_name":"著者所属(英)","attribute_value_mlt":[{"subitem_text_value":"Yokohama National University","subitem_text_language":"en"},{"subitem_text_value":"Yokohama National University","subitem_text_language":"en"},{"subitem_text_value":"University of Tsukuba","subitem_text_language":"en"},{"subitem_text_value":"Yokohama National 
University","subitem_text_language":"en"},{"subitem_text_value":"Yokohama National University","subitem_text_language":"en"}]},"item_language":{"attribute_name":"言語","attribute_value_mlt":[{"subitem_language":"eng"}]},"publish_status":"0","weko_shared_id":-1,"item_file_price":{"attribute_name":"Billing file","attribute_type":"file","attribute_value_mlt":[{"url":{"url":"https://ipsj.ixsq.nii.ac.jp/record/239373/files/IPSJ-JNL6509019.pdf","label":"IPSJ-JNL6509019.pdf"},"date":[{"dateType":"Available","dateValue":"2026-09-15"}],"format":"application/pdf","billing":["billing_file"],"filename":"IPSJ-JNL6509019.pdf","filesize":[{"value":"1.1 MB"}],"mimetype":"application/pdf","priceinfo":[{"tax":["include_tax"],"price":"0","billingrole":"5"},{"tax":["include_tax"],"price":"0","billingrole":"6"},{"tax":["include_tax"],"price":"0","billingrole":"8"},{"tax":["include_tax"],"price":"0","billingrole":"44"}],"accessrole":"open_date","version_id":"425cfa7f-63f4-4866-8116-f958891fffd1","displaytype":"detail","licensetype":"license_note","license_note":"Copyright (c) 2024 by the Information Processing Society of Japan"}]},"item_2_creator_5":{"attribute_name":"著者名","attribute_type":"creator","attribute_value_mlt":[{"creatorNames":[{"creatorName":"Takayuki, Sasaki"}],"nameIdentifiers":[{}]},{"creatorNames":[{"creatorName":"Jia, Wang"}],"nameIdentifiers":[{}]},{"creatorNames":[{"creatorName":"Kazumasa, Omote"}],"nameIdentifiers":[{}]},{"creatorNames":[{"creatorName":"Katsunari, Yoshioka"}],"nameIdentifiers":[{}]},{"creatorNames":[{"creatorName":"Tsutomu, Matsumoto"}],"nameIdentifiers":[{}]}]},"item_2_creator_6":{"attribute_name":"著者名(英)","attribute_type":"creator","attribute_value_mlt":[{"creatorNames":[{"creatorName":"Takayuki, Sasaki","creatorNameLang":"en"}],"nameIdentifiers":[{}]},{"creatorNames":[{"creatorName":"Jia, Wang","creatorNameLang":"en"}],"nameIdentifiers":[{}]},{"creatorNames":[{"creatorName":"Kazumasa, 
Omote","creatorNameLang":"en"}],"nameIdentifiers":[{}]},{"creatorNames":[{"creatorName":"Katsunari, Yoshioka","creatorNameLang":"en"}],"nameIdentifiers":[{}]},{"creatorNames":[{"creatorName":"Tsutomu, Matsumoto","creatorNameLang":"en"}],"nameIdentifiers":[{}]}]},"item_2_source_id_9":{"attribute_name":"書誌レコードID","attribute_value_mlt":[{"subitem_source_identifier":"AN00116647","subitem_source_identifier_type":"NCID"}]},"item_resource_type":{"attribute_name":"資源タイプ","attribute_value_mlt":[{"resourceuri":"http://purl.org/coar/resource_type/c_6501","resourcetype":"journal article"}]},"item_2_publisher_15":{"attribute_name":"公開者","attribute_value_mlt":[{"subitem_publisher":"情報処理学会","subitem_publisher_language":"ja"}]},"item_2_source_id_11":{"attribute_name":"ISSN","attribute_value_mlt":[{"subitem_source_identifier":"1882-7764","subitem_source_identifier_type":"ISSN"}]},"item_2_description_7":{"attribute_name":"論文抄録","attribute_value_mlt":[{"subitem_description":"In recent years, Ethereum, which is a leading application for realizing blockchain services, has received much attention for its usability and functionality. Ethereum executes smart contracts and arbitrary programmable calculations, in addition to cryptocurrency trading. However, cyberattacks target misconfigured Ethereum clients with application programming interface (API) enabled, specifically JSON-RPC. Herein, we propose EtherWatch, a framework to detect and analyze malicious and/or suspicious Ethereum accounts using three data sources (a honeypot, an internet-wide scanner, and a blockchain explorer). The honeypot, named Etherpot, leverages a proxy server placed between a real Ethereum client and the internet. It modifies client responses to attract attackers, identifies malicious accounts, and analyzes their behaviors. Using scan results from Shodan, we also detect suspicious Ethereum accounts registered on multiple nodes. 
Finally, we utilize Etherscan, a well-known blockchain explorer, to track and analyze the activities of the detected accounts. During six weeks of observations, we discovered 538 hosts attempting to call JSON-RPC of our honeypots using 41 types of methods, including a type of unreported attack in the wild. Specifically, we observed account hijacking, mining, and smart contract attacks. We detected 16 malicious accounts using the honeypots and 64 suspicious accounts from the Shodan scan results, with five overlapping accounts. Finally, from Etherscan, we collected records of activities related to the detected accounts, including transactions of 21.50 ETH and mining of 22.61 ETH (equivalent to 39,494 US$ and 41,533 US$, respectively, as of June 9, 2023).\n------------------------------\nThis is a preprint of an article intended for publication in the Journal of\nInformation Processing (JIP). This preprint should not be cited. This\narticle should be cited as: Journal of Information Processing Vol.32(2024) (online)\nDOI http://dx.doi.org/10.2197/ipsjjip.32.789\n------------------------------","subitem_description_type":"Other"}]},"item_2_description_8":{"attribute_name":"論文抄録(英)","attribute_value_mlt":[{"subitem_description":"In recent years, Ethereum, which is a leading application for realizing blockchain services, has received much attention for its usability and functionality. Ethereum executes smart contracts and arbitrary programmable calculations, in addition to cryptocurrency trading. However, cyberattacks target misconfigured Ethereum clients with application programming interface (API) enabled, specifically JSON-RPC. Herein, we propose EtherWatch, a framework to detect and analyze malicious and/or suspicious Ethereum accounts using three data sources (a honeypot, an internet-wide scanner, and a blockchain explorer). The honeypot, named Etherpot, leverages a proxy server placed between a real Ethereum client and the internet. 
It modifies client responses to attract attackers, identifies malicious accounts, and analyzes their behaviors. Using scan results from Shodan, we also detect suspicious Ethereum accounts registered on multiple nodes. Finally, we utilize Etherscan, a well-known blockchain explorer, to track and analyze the activities of the detected accounts. During six weeks of observations, we discovered 538 hosts attempting to call JSON-RPC of our honeypots using 41 types of methods, including a type of unreported attack in the wild. Specifically, we observed account hijacking, mining, and smart contract attacks. We detected 16 malicious accounts using the honeypots and 64 suspicious accounts from the Shodan scan results, with five overlapping accounts. Finally, from Etherscan, we collected records of activities related to the detected accounts, including transactions of 21.50 ETH and mining of 22.61 ETH (equivalent to 39,494 US$ and 41,533 US$, respectively, as of June 9, 2023).\n------------------------------\nThis is a preprint of an article intended for publication in the Journal of\nInformation Processing (JIP). This preprint should not be cited. This\narticle should be cited as: Journal of Information Processing Vol.32(2024) (online)\nDOI http://dx.doi.org/10.2197/ipsjjip.32.789\n------------------------------","subitem_description_type":"Other"}]},"item_2_biblio_info_10":{"attribute_name":"書誌情報","attribute_value_mlt":[{"bibliographic_titles":[{"bibliographic_title":"情報処理学会論文誌"}],"bibliographicIssueDates":{"bibliographicIssueDate":"2024-09-15","bibliographicIssueDateType":"Issued"},"bibliographicIssueNumber":"9","bibliographicVolumeNumber":"65"}]},"relation_version_is_last":true,"weko_creator_id":"44499"},"id":239373,"updated":"2025-01-19T08:18:21.933058+00:00","links":{},"created":"2025-01-19T01:42:59.061979+00:00"}