Open source investigators are struggling to maintain law and order in the wildest recesses of cryptocurrency’s Wild West.
The account called itself Gabagool.Ξth (a blend of references to the The Sopranos and the Ethereum blockchain) and featured a fuchsia nebula as a profile picture. It called out what it saw as foul play in decentralized finance, or DeFi—a galaxy of blockchain-based apps providing cryptocurrency lending and exchange services. Creators of DeFi protocols often foster user loyalty by staging “airdrops”: distributions of cryptocurrency tokens rained down unannounced on users who have deposited a certain amount of cryptocurrency on the network. In May, a service called Ribbon carried out such an airdrop, doling out 30 million Ribbon tokens to 1,620 wallets. The tokens were designed so that they could not be cashed out until October 8.
On October 8, Gabagool spotted something suspicious. A cluster of 36 wallets that had received the Ribbon tokens had swiftly exchanged them for the popular ether cryptocurrency, then transferred the ether to one cryptocurrency wallet. Gabagool thought that the person or people behind that wallet had likely created the 36 Ribbon accounts shortly before the airdrop, to maximize their chance of getting tokens. By Gabagool’s calculations, the wallet to which they were transferred accrued at least 652 ether, valued at $2.3 million at the time. “I thought, ‘OK, this person kind of gamed the airdrop,’” the man running the Gabagool handle tells me in a phone call.
That kind of chicanery is not unusual in cryptocurrency trading, a sphere where fake identities and sock puppets abound. Then Gabagool discovered who owned the wallet: By cross-referencing the address with information from Twitter and crypto-wallet register ENS Domains, Gabagool concluded it belonged to Bridget Harris, a junior employee at Divergence Ventures, a San Francisco-based venture capital firm that has invested in over 50 cryptocurrency projects—including Ribbon.
Gabagool saw that as dishonest. He wondered whether, as a Ribbon backer, Divergence Ventures might have had advance knowledge of the airdrop and then used that intel to milk millions out of it by converting the Ribbon tokens to ether. “They attempted to exploit that information to extract profit, and they did so while publicly stating to be very bullish and excited about Ribbon,” he says, comparing the actions to insider trading. Gabagool distilled his information in a tweet, which “kind of blew up” as soon as he fired it off, he says.
Divergence Ventures denied insider knowledge about the airdrop but later admitted to “crossing a line”; it eventually returned the ether to Ribbon. In the wake of the incident, reference to the Ribbon investment disappeared from Divergence Ventures’ website. Divergence Ventures did not reply to a request for comment, and Harris did not reply to several requests for an interview via Twitter.
Gabagool is among an emerging breed of sleuths bent on spotting, tracking down, and exposing questionable practices in the budding DeFi world. Cryptocurrency is intended as electronic money that users can exchange anonymously and without intermediaries. But that anonymity comes with transparency: Cryptocurrency transactions are inscribed in an open digital ledger, the blockchain, which provides a record of how assets flow through the system. Companies such as Chainalysis and Elliptic have created software to aid law enforcement investigations into illicit activities involving cryptocurrency. In contrast, these new amateur detectives rely on their hunches and tips from others, use free tools to examine blockchain activity, and broadcast their findings from pseudonymous Twitter accounts like Gabagool, Zach, and Sisyphus. Gabagool says he noticed the questionable Ribbon activity while poring over Etherscan, a tool to keep track of blockchain transactions. He and other sleuths say they are animated by a penchant for investigative work, resentment, or frustration with the brazenness of some people in the space. They say they are trying to save DeFi from itself—by becoming its sheriffs.
DeFi is arguably the wildest recess of cryptocurrency’s Wild West. Its advocates cast it as a happy digital island where investors have eliminated financial middlemen to interact on a peer-to-peer basis. Practically, it can at times resemble the digital equivalent of touring Las Vegas high on LSD. DeFi protocols are often run as decentralized autonomous organizations: online-only operations that claim to be managed collectively by users rather than by a C-suite. Most DAOs provide financial services via self-executing software programs, which users can mix and combine to devise unique trading strategies. New shiny crypto-tokens are constantly launched, generally on the Ethereum blockchain; users earn tokens as interest by parking cryptocurrency on a decentralized exchange, or just by playing videogames. Non-fungible tokens, or NFTs—cryptographic stand-ins for memes and pieces of digital art—are sometimes accepted as collateral for cryptocurrency loans.
Even as other corners of the cryptocurrency world edge toward the mainstream, this fast-moving, nihilistic mirror-world of precious tokens and runaway meme-coins remains largely beyond the purview of regulators—as the overall value of the cryptocurrency invested in DeFi platforms has surpassed $250 billion, according to data aggregator Defi Llama. Predictably, DeFi is rife with behaviors that would be considered questionable elsewhere. There are exit scams, or “rug-pulls,” where the creator of a DeFi project absconds with users’ cryptocurrency, as well as more nuanced “white collar” misdeeds, like promoting a project without disclosing payments from its creators, or exploiting connections and influence to gain an unfair advantage on the market.
According to Zach, another Twitter-based sleuth, the lack of regulatory oversight in DeFi makes self-policing necessary. “In every other industry, there are regulations at the [bare] minimum,” Zach says in a Telegram conversation. “These people give the industry a bad name and turn people off.” Zach, who focuses on exposing promoters who hide ties to a token’s backers, says the sleuths started exposing “bad actors” because they were angry that there appeared to be no consequences for taking advantage of people. Zach, whose Twitter bio reads “10x Rug pull survivor,” might also have a personal axe to grind. Zach says the 10x reference is a joke but adds, “If you’re in the space for a while, it’s pretty much impossible not to [have been swindled] in some capacity.”
Gabagool thinks that he and his fellow investigators want to ensure DeFi’s survival. “There is a real possibility, within DeFi, to create a different type of financial system,” he says. “But that requires us to actively attempt to protect retail users from sophisticated actors who have privileged information.”
Gabagool—who says he is a US-based academic and declines to disclose his real name to avoid damaging his teaching career—says he started trading crypto on DeFi platforms at the outset of the pandemic, and did well enough he’s now “paying [his] rent in tokens.” Then he began looking at other activity on these networks, primarily using open source technologies. Since the Ribbon incident, he’s been collaborating with a group of three to seven other amateur digital gumshoes on investigations and has launched his own token with the aim of creating a collective for research. At the peak of the Ribbon hoo-ha, Gabagool and Sisyphus set up a crowdfunded bounty program called digitalwatchers.ethto reward people providing tips about “bad behavior” in DeFi. According to Etherscan data, digitalwatchers.eth has received about seven ethers from other wallets and transferred just over two ethers to three wallets. Sisyphus declined to be interviewed for this story unless they were paid for their time.
The main problem with amateur investigations is, of course, that they lack teeth. The Twitter threads or blog posts in which crypto-sleuths reveal their findings are only good for warning potential victims or shaming perpetrators. The hope is that people will care enough about their reputations to make amends. That happened with Divergence Ventures, and earlier with NFT marketplace OpenSea, which in September found itself at the center of another “insider trading” scandal after a Twitter user accused its head of product of hoarding NFTs by artists who were about to be featured on OpenSea’s homepage, thus profiting from the spike in hype. The head of product was forced to resign.
But when shame doesn’t prompt change, there’s little one can do. Many of the behaviors that crypto-sleuths expose take place in a regulatory vacuum. “Insider trading has a very specific meaning—using nonpublic information when trading on the stock market,” says Nick Price, a crypto-asset disputes specialist at law firm Osborne Clarke. “These tokens are not stocks and shares. NFTs aren’t regulated, so it is not insider trading.”
Cases of fraud, such as thefts of crypto or manipulating a smart contract, can be reported to the police, Price says. But he says the level of scrutiny coming from the cryptocurrency community, and the quality of the information that it can crowdsource, is “unprecedented.” For instance, in October the users of DeFi protocol Indexed Finance said they had unmasked the person who had carried out a $16 million heist on the network—although negotiations with the hacker to recover the funds ultimately did not pan out. The team is working “to determine which authorities have jurisdiction over the attack,” according to a recent Twitter post.
The blockchain’s open ledger is a big advantage for investigating mischief. It “leaves a much better audit trail than in other sectors,” Price says. “There is more information out there for people who are willing to do the technical analysis.”
That said, there are risks in relying on anonymous Twitter accounts to police a feverish, high-stakes online space. In May, @WARONRUGS, a Twitter-based watchdog who made a name as a fiery scam-hunter, allegedly ran away with almost $500,000 in stolen crypto. Even discounting instances of extreme dishonesty, some worry that a system based on online call-outs is just too prone to abuse. Mitchell Amador, founder of Immunefi—a company that brokers “bug bounty” deals between hackers and DeFi developers—is critical of what he calls “the crowdsourced panopticon” and points to the Twitter abuse heaped on Harris, the young Divergence Ventures employee who had run the wallet used to orchestrate the airdrop operation. Harris, who is still a college student, was targeted with dozens of mocking, taunting, and insulting tweets. Divergence Ventures said she was not to blame for the firm’s actions, but Harris still deleted her Twitter bio and went silent on social media.
Gabagool acknowledges that there is a “sinister side” to policing by Twitter. “I think, for some people, it’s reminiscent of a kind of ‘cancel culture.’ But that was really not my intention,” he says. For him, self-regulation is still the best route to preserve DeFi’s space of freedom and innovation. Failing that, he fears that “there will be something else that emerges. And I can’t guarantee that alternative will be beneficial for the community,” he says.
It might already be too late to stave off that scenario. In September, the US Securities and Exchange Commission launched an investigation into Uniswap Labs, the developer of DeFi exchange Uniswap. SEC chair Gary Gensler has said some DeFi protocols could eventually be subject to securities regulations.
“The question is, do we use an open system people created themselves? Or do we use the long arm of the state?” Amador says. “Either way, we’ll end up with some form of regulations—there’s no doubt about that outcome. Right now, we are still in that adjustment period.”
All Rights Reserved for Gian M. Volpicelli