TEGDetector: A Phishing Detector That Knows Evolving Transaction Behaviors

Recently, phishing scams have posed a significant threat to blockchains. Phishing detectors direct their efforts in hunting phishing addresses. Most of the detectors extract target addresses' transaction behavior features by random walking or constructing static subgraphs. The random walking methods, unfortunately, usually miss structural information due to limited sampling sequence length, while the static subgraph methods tend to ignore temporal features lying in the evolving transaction behaviors. More importantly, their performance undergoes severe degradation when the malicious users intentionally hide phishing behaviors. To address these challenges, we propose TEGDetector, a dynamic graph classifier that learns the evolving behavior features from transaction evolution graphs (TEGs). First, we cast the transaction series into multiple time slices, capturing the target address's transaction behaviors in different periods. Then, we provide a fast nonparametric phishing detector (FD) to narrow down the search space of suspicious addresses. Finally, TEGDetector considers both the spatial and temporal evolutions toward a complete characterization of the evolving transaction behaviors. Moreover, TEGDetector utilizes adaptively learned time coefficient to pay distinct attention to different periods, which provides several novel insights. Extensive experiments on the large-scale Ethereum transaction dataset demonstrate that the proposed method achieves state-of-the-art (SOTA) detection performance. The code of TEGDetector is open sourced at https://github.com/Seaocn/TEGDetector.