Project Record

Sybil Detection (Internal + On-chain)

Heuristic detection layer that combines shared internal identifiers and wallet-graph behavior.

riskfraudgraph

Context

Sybil resistance matters both on-chain (wallets, DeFi, governance) and internally (multiple accounts, shared devices, KYC bypass). This layer combines internal identity signals (email, device, IP) with on-chain behavior (wallet graph, transfer patterns, volume) to flag likely sybil clusters for review or exclusion.

Problem

Single signals (e.g. one shared email) are weak; sophisticated sybils rotate identifiers. We need a composite risk score that aggregates identity overlap, wallet overlap, transfer loops, and volume anomalies so that high-risk clusters can be prioritized without over-blocking legitimate users.

Scope

The engine consumes identity overlaps, wallet overlaps, transfer loops, and volume anomalies. Each signal is normalized and weighted into a single risk score.

Risk Composition

R = 0.45I + 0.35W + 0.15L + 0.05V

Where:

$I$ is shared identifier intensity (emails, devices, IPs)
$W$ is wallet overlap intensity (address clustering, funding paths)
$L$ is loop behavior (circular transfers, wash-trade patterns)
$V$ is high-volume anomaly indicator (spikes vs. baseline)

Implementation

Data: internal identity graph + on-chain tx and balance feeds.
Graph ops: connected components, centrality, cycle detection.
Scoring: per-entity and per-cluster; thresholds tuned via labeled samples.
Output: risk tiers, cluster IDs, and evidence links for manual review.

Trade-offs

Heuristic weights and thresholds can be gamed over time. We treat this as a detection layer, not a final decision; human review and periodic retraining keep false positive rates acceptable.