Detecting fraudulent activity on a bitcoin testnet faucet

[Anonymous]

I have written a post about my experience running a bitcoin testnet faucet for the last seven years. It is about how I have created countermeasures against people who try to spam the faucet with requests: https://kuttler.eu/en/post/detecting-fraudulent-activity-bitcoin-testnet-faucet/

[HeRetiK]

Nice post! I'm kinda curious about the "badness score", what metrics have you found to be the most effective? Geolocation, browser, screen resolution? Something else entirely?

Most of the fraudulent requests originated from less wealthy regions and were performed manually, which is not surprising I guess.

I'll be honest, I didn't expect people to manually farm testnet faucets. And there I was thinking the existence of Captcha farms is depressing.


Regarding people accumulating testnet coins rather than using regtest -- Might also be that they're being used for scamming people, occasionally threads pop up with people being sold tBTC rather than the real thing. Probably not that common though.

[Anonymous]

Nice post! I'm kinda curious about the "badness score", what metrics have you found to be the most effective? Geolocation, browser, screen resolution? Something else entirely?

Thanks! Adding the origin of the request to the mix was the most interesting step. Browser fingerprinting itself is not terribly useful, but when you combine the geolocation with browser info like locale and timezone some users start to look more suspicious. Of course there are legit reasons for mismatches there, so blocked requests need to have multiple "suspicious" characteristics. I also keep track of some VPN provider IP ranges to group requests that can not be grouped through geoip data.

[NotATether]

Many captcha or anti-bot services in general analyze mouse movement to determine whether it's user or bot. IMO it'd be easy to detect bot with mouse movement analysis since bot either don't move mouse at all or have stiff movement (e.g. straight or diagonal line).

Here's an example of how not to make a captcha service: the newer recaptcha v3 tracks different activity than mouse movements, as there is no puzzle to solve. It checks the browser type and gives a higher score to popular browsers over more obscure ones or alpha builds of browsers (or even Chromium). It also gives you a low score if it can't set tracking cookies in the browser and temporarily gives a higher score if you log into google services https://stackoverflow.com/questions/52546045/how-to-pass-recaptcha-v3. I think IP addresses and device information is still the best way to distinguish a bot from a human.