# Enhancing Security in Blockchain Networks: Anomalies, Frauds, and Advanced Detection Techniques

Prof. Dr. Joerg Osterrieder[^1]
Associate Professor of Finance and Artificial Intelligence
University of Twente, Department of High-Tech Business and Entrepreneurship, Netherlands
Action Chair EU COST Action CA19130, Fintech and Artificial Intelligence in Finance, Europe
Coordinator MSCA Industrial Doctoral Network on Digital Finance

Prof. Dr. Stephen Chan[^2]
Associate Professor of Statistics
American University of Sharjah, Department of Mathematics and Statistics, Sharjah, UAE

Prof. Dr. Jeffrey Chu[^3]
Assistant Professor of Statistics
Renmin University of China, School of Statistics, China

Dr. Yuanyuan Zhang[^4]
Research Associate *(role title to verify with Y. Zhang before submission)*
American University of Sharjah, Department of Mathematics and Statistics, Sharjah, UAE

Prof. Dr. Codruta Mare[^5]
Professor of Statistics
Babeș-Bolyai University, FEBA, D. Stat.-Forecasts-Maths & Interdisciplinary Centre for Data Science

Abstract. Blockchain networks underpin multi-trillion-dollar cryptoasset markets and an expanding set of decentralised-finance applications, making their security posture a first-order concern for financial integrity, investor protection, and systemic risk: anomalies and frauds in these networks affect price formation, market microstructure, and the reliability of the financial infrastructure they support. This review synthesises 55 references (31 from the original reference set after removing 4 URL-only opinion-piece entries, 24 added for reference currency, case-study verification, finance-framing, and a game-theory-in-blockchain survey) into a three-dimensional taxonomy indexed by blockchain layer, anomaly or fraud class, and detection method, and organises the evidence into four active detection families (statistical, machine-learning including deep learning, game-theoretic, and digital-forensic) that differ along the data, transparency, and scalability dimensions. Case-study evidence from Ethereum’s 2016 denial-of-service incidents, the 2014 Mt. Gox exchange collapse, and the 2021 Poly Network cross-chain exploit illustrates recurring failure modes at the contract, exchange, and cross-chain layers respectively. The review contributes a blockchain-layer axis for indexing existing detection techniques (the detection-method decomposition itself reproduces prior conventions in [@chandola2009anomaly], [@akoglu2014graph], and [@ahmed2015a]), a comparative matrix of detection techniques by data type and supervision regime, an explicit positioning against those three prior general-purpose surveys, and a research agenda for the 2022-2026 frontier covering cross-chain bridge exploits, DeFi flash-loan attacks, and explainable-AI approaches to detection.

**Keywords**. Blockchain Security, Anomaly Detection, Fraud Detection, Distributed Ledger Technology, Machine Learning, Statistical Analysis, Game Theory, Digital Forensics, Risk Assessment, Financial Innovation

**JEL Codes**. G23, G10, C63, C45, G29

# Introduction

Blockchain technology records and verifies transactions through a decentralised ledger whose integrity depends on cryptographic commitment, consensus among a distributed set of validators, and the absence of a single point of control. These properties are the technology's commercial promise and, simultaneously, the source of its security challenges: once a transaction is written, reversing or correcting it requires consensus of the network; once a private key is lost or stolen, the corresponding assets are irretrievable; and once a vulnerability in a smart contract is deployed, an attacker's exploit is as immutable as any legitimate transaction.

From a financial-markets perspective, blockchain networks are market infrastructure. They settle trades, custody assets, process payments, and increasingly host derivative and lending products. The financial consequences of security failures in this infrastructure include direct loss of principal, impaired market function, reputational damage to affected institutions, and systemic-risk transmission to linked markets. The detection, and where possible the prevention, of anomalous and fraudulent activity in blockchain networks is accordingly a financial-stability question, not a purely technical one.

This chapter introduces the scope of anomaly and fraud detection in blockchain networks, the definitions we adopt, and the methodology of our review. The chapter closes with an articulation of the paper's contributions and an outline of the remaining chapters. The central finding, that the detection toolkit is mature at the single-chain level but substantially underdeveloped for cross-chain bridges and decentralised-finance (DeFi) composability, motivates the research agenda in Chapter 6.

## Definition of blockchain and its properties

A blockchain is a distributed database that stores a sequence of records (blocks) in a linear, chronological order. Each block contains a timestamp, a link to the previous block (typically through a cryptographic hash), and a set of transactions. Cryptographic commitment makes post-hoc modification of an accepted block computationally impractical without redoing the work for all subsequent blocks and securing consensus from the network majority.

The financial-market properties that make blockchain networks both attractive and security-sensitive are summarised below.

1. **Distributed ledger**: the record of transactions is maintained by a network of validating nodes rather than a single central authority. For financial infrastructure this eliminates the single point of settlement failure but distributes the trust assumption across the validator set.
2. **Immutability**: once a block is confirmed, rewriting it requires overcoming the network's consensus protections. This property is the source of settlement finality and, conversely, of the irreversibility of fraudulent transactions.
3. **Decentralisation**: there is no single point of control. Censorship resistance is high; governance and incident response are correspondingly more difficult to coordinate.
4. **Consensus**: new blocks are admitted only when a defined supermajority of validators agree on their validity. Anomalies that disrupt consensus (network partitions, eclipse attacks, 51% attacks) directly impair the ledger.
5. **Transparency**: on public chains, transactions are visible to all participants. This enables forensic analysis but also exposes trading strategies, counterparty relationships, and user behaviour.
6. **Pseudonymity**: participants are identified by cryptographic addresses rather than legal identities. This complicates anti-money-laundering (AML) and know-your-customer (KYC) compliance.
7. **Security through cryptography**: hashes, digital signatures, and Merkle trees secure the integrity of stored records and transactions, but the surrounding software (wallets, exchanges, smart contracts) remains a vulnerability surface.
8. **Operational efficiency**: removal of certain intermediaries can reduce settlement time and reconciliation costs, though these gains depend on the specific application.
9. **Smart contracts**: programmable state transitions executed by the network. Ethereum and compatible chains support self-executing agreements. Smart-contract bugs have accounted for many of the largest losses in the ecosystem's history.
10. **Scalability constraints**: throughput is limited in most public chains (tens of transactions per second for Bitcoin and Ethereum Layer-1), which shapes both market microstructure and the attack surface (e.g., congestion attacks).

Each property has a financial-market counterpart: decentralisation affects settlement structure; immutability defines finality; pseudonymity interacts with compliance; and scalability constraints shape liquidity and fee dynamics. The detection problems we review in subsequent chapters are anchored in these properties.

## Anomaly and fraud detection in blockchain networks: why it matters for finance

We distinguish two broad categories. An **anomaly** is a statistical or operational deviation from the network's expected behaviour: for example, a sudden increase in pending transactions, a concentration of validator power, or an unusual cross-address flow. An anomaly may be benign (e.g., a trading frenzy) or the signature of a security incident. A **fraud** is a deliberate manipulation aimed at illicit gain: for example, double-spending, market manipulation, rug-pulls, exchange exit-scams, or smart-contract exploits.

The financial-market case for detection is fourfold.

1. **Market integrity**: undetected frauds distort price formation and undermine investor confidence, shrinking market depth and increasing risk premia [@chandola2009anomaly; @ahmed2015a].
2. **Regulatory compliance**: AML, counter-terrorism-financing, and market-abuse regulations increasingly apply to cryptoasset markets. Detection tools are the operational mechanism by which compliance is achieved [@kamps2018to]. Public reaction to nation-state cryptocurrency adoption, illustrated by the 2021 protests in El Salvador after bitcoin became legal tender [@new2021protests], shows that detection tooling operates inside contested regulatory environments where political legitimacy and operational integrity interact.
3. **User protection**: fraud detection protects market participants from direct loss. Exchange-level and wallet-level protections complement on-chain analytics [@monamo2016unsupervised; @pham2016anomalya].
4. **Systemic stability**: large-scale exploits can cascade through interconnected DeFi protocols, as illustrated by the 2022 cross-chain bridge failures. The systemic-risk literature in traditional finance [@gai2010contagion; @nier2007network; @hautsch2014financial; @acemoglu2015systemic; @poledna2015multilayer; @paltalidis2015transmission] has direct methodological analogues for DeFi.

Each concern is active in the *Financial Innovation* literature. @cai2016fraud argue that blockchain infrastructure itself can serve as a fraud-detection substrate because shared ledger visibility makes anomalous flows more observable than in siloed systems, a claim that motivates our Chapter 4 treatment of transaction-pattern analysis. @vanini2023online show that unsupervised methods outperform supervised classifiers for rare online-payment-fraud events, a finding that informs our Chapter 3 scepticism of supervised-only detection pipelines. @xu2019systematic identify a gap in systematic blockchain reviews that lack methodological protocols, which our review partly addresses via Section 1.5. @guo2016blockchain argue that operational risk owners, not technologists, are the ultimate detection-system users in banking adoption of blockchain, which shapes the audience framing of Chapter 6. @kou2021fintech construct a fuzzy multi-criteria ranking of fintech investment drivers in European banks that locates blockchain security among downstream risk-appetite considerations. These engagements are specific rather than cosmetic: each cited *Financial Innovation* work shapes a subsequent chapter of the present review.

The balance of this paper organises the detection literature according to these four concerns.

## Literature overview

The literature on anomaly and fraud detection spans three communities: general anomaly-detection surveys and the canonical data-mining textbook treatment that pre-date or are agnostic to blockchain [@chandola2009anomaly; @akoglu2014graph; @ahmed2015a; @han2012data], together with the recent unsupervised-learning blockchain-anomaly survey [@cholevas2024anomaly]; financial-network stress and contagion analyses that inform systemic-risk measurement [@gai2010contagion; @nier2007network; @hautsch2014financial; @boginski2004statistical]; and blockchain-specific work addressing Bitcoin, Ethereum, and related ledgers [@baqer2016stressing; @maesa2016uncovering; @maesa2017datadriven; @ron2013quantitative; @ober2013structure; @pham2016anomaly; @pham2016anomalya; @monamo2016unsupervised; @sayadi2019anomaly; @morishima2018acceleration; @li2019dissecting; @kim2021anomaly; @liang2021data; @zhang2020anomaly; @signorini2020bad; @shayegan2021a; @taher2024advanced; @mansourifar2020hybrid; @kamps2018to].

**Blockchain-based financial networks.** @ahmed2015a review anomaly-detection techniques for the financial domain and emphasise clustering-based unsupervised learning. They note the challenge of acquiring labelled fraud data and the resulting reliance on synthetic benchmarks. Boginski et al. [@boginski2004statistical] analyse financial-network structure from stock-market data and find that the degree distribution follows a power law, licensing the transfer of scale-free network methods to financial applications. Gai and Kapadia [@gai2010contagion] develop an analytical contagion model for interbank networks and show that the financial system can be resilient-yet-fragile: resilient to idiosyncratic shocks but susceptible to rare, large-scale failures when network structure and liquidity interact unfavourably. @hautsch2014financial propose the realised-systemic-risk-beta measure, which attributes systemic importance to individual firms by combining network interdependence with firm-specific risk exposures. Together, these four contributions establish the methodological vocabulary (graph structure, contagion, systemic importance) that has since been transferred to blockchain-based financial networks.

**Advances in anomaly detection within blockchain networks.** Zhang et al. [@zhang2020anomaly] propose a multi-constrained meta-path framework for Bitcoin anomaly detection, integrating temporal, attribute, and structural data to detect anomalies that static methods miss. @signorini2020bad introduce Blockchain Anomaly Detection (BAD), a decentralised detection solution that uses blockchain meta-data to identify malicious activities while remaining tamper-resistant. Shayegan and Sabor [@shayegan2021a] develop a collective-anomaly method that evaluates user behaviour across multiple wallets using Trimmed-Kmeans, which is useful for detecting pattern-based fraud that is invisible at the single-address level. @pham2016anomalya apply k-means, Mahalanobis distance, and unsupervised support vector machines (SVM) to the Bitcoin transaction network to detect anomalies without labelled data. Morishima and Matsutani [@morishima2018acceleration] accelerate blockchain anomaly detection through caching within the graphics processing unit (GPU), reducing the wall-clock cost of scanning large transaction graphs. Taher et al. [@taher2024advanced] apply ensemble learning combined with explainable artificial intelligence (XAI) methods to Ethereum fraudulent-transaction detection, addressing the dual requirements of accuracy and interpretability for compliance applications.

The research frontier since 2022 has further consolidated the three trends summarised at the end of this section. @xia2021characterizing catalogue cryptocurrency exchange scams and argue that exchange-level fraud is a distinct detection surface from on-chain anomalies. @mazorra2022do develop an automated machine-learning pipeline for rug-pull detection, showing that lifecycle features of newly issued tokens predict subsequent scam behaviour with useful precision. @zhang2023sok treat decentralisation itself as a measurable property and develop metrics that have direct implications for the integrity of cross-chain bridges and DeFi protocols surveyed in Chapter 5. These three works inform the research agenda in Chapter 6.

This body of work exhibits three consistent features. First, the shift from single-address anomalies to user-level and network-level collective anomalies, as the single-address signal has become easier for attackers to obscure through address mixing. Second, the integration of explainability as a first-class requirement, driven by compliance use cases. Third, the move from static to dynamic models that incorporate temporal evolution of transaction graphs.

## Scope, structure, and contributions of this review

This review covers techniques for detecting anomalies and frauds in blockchain networks, with a financial-market orientation. We enumerate the principal categories of anomalies and frauds (Chapter 2), review the detection techniques that target them (Chapters 3-4), examine case studies of documented incidents (Chapter 5), and analyse the research frontier (Chapter 6).

**Contributions of this review.** This paper contributes:

1. **A blockchain-layer axis for indexing existing anomaly-detection techniques** (Table 1). We do not claim novelty on the detection-method dimension, which reproduces the statistical / machine-learning / game-theoretic / digital-forensic decomposition established by [@chandola2009anomaly], [@akoglu2014graph], and [@ahmed2015a]. Our contribution is to cross-reference that existing method axis with the blockchain protocol stack (consensus / network / contract / application), so that a reader locates a detection technique by both the method class and the specific layer at which the anomaly or fraud manifests.
2. **A comparative analysis matrix** of detection techniques (Table 2) that allows practitioners to select techniques for a given data type, supervision regime, and deployment constraint.
3. **A synthesis of 55 references** (31 original after removing 4 URL-only opinion-piece entries, 24 added for reference currency, case-study verification, finance-framing, and a game-theory-in-blockchain survey) organised by the taxonomy and explicitly positioned against three general-purpose prior surveys, [@chandola2009anomaly; @akoglu2014graph; @ahmed2015a], that predate the modern blockchain-fraud literature.
4. **A research agenda for 2022-2026**, identifying cross-chain bridge exploits, DeFi flash-loan attacks, maximal-extractable-value (MEV) phenomena, and large-language-model (LLM) based smart-contract vulnerability detection as priority areas where the reviewed techniques are either not yet applied or require adaptation.

**Positioning against prior surveys.** This taxonomy differs from [@chandola2009anomaly; @akoglu2014graph; @ahmed2015a] in two specific ways that we can defend from their own abstracts and scope statements alone. First, none of the three prior surveys is blockchain-specific: Chandola et al. address anomaly detection as a general data-mining problem across domains, Akoglu et al. survey graph-based anomaly detection without a protocol-stack target, and Ahmed et al. cover the financial domain in general terms. Our first axis, *blockchain layer* (consensus / network / contract / application), is blockchain-native and distinguishes a reentrancy exploit that targets the contract layer from a validator-concentration anomaly at the consensus layer, even when at a statistical level both would be classified similarly by the prior surveys. Second, our *example incident* column locks each row in Table 1 to at least one documented public case, which a purely methodological survey does not. We do not claim novelty on the detection-method dimension itself, which reproduces the conventional statistical / machine-learning (ML) / game-theoretic / digital-forensic decomposition already established in these three surveys and in subsequent blockchain-specific work.

The remainder of the paper is organised as follows. Chapter 2 catalogues anomaly and fraud types. Chapter 3 reviews anomaly-detection techniques. Chapter 4 reviews fraud-detection techniques. Chapter 5 presents case studies. Chapter 6 discusses the research frontier. Chapter 7 concludes and states limitations.

## Methodology of this review

This is a structured narrative review rather than a systematic review; the distinction affects the standards of evidence and the procedures reported below.

**Databases queried**. OpenAlex (primary, via its REST application programming interface (API)), IEEE Xplore, ACM Digital Library, Scopus, and arXiv (for preprints of post-2022 work). Publications from Coinbase, IBM, and major financial-news outlets were retained where they report incidents not otherwise documented in the peer-reviewed literature; these are classified as grey literature and cited as `@misc` entries.

**Search terms**. Boolean combinations of ("blockchain" OR "cryptocurrency" OR "distributed ledger") AND ("anomaly detection" OR "fraud detection" OR "security"); refinement with ("machine learning" OR "statistical" OR "graph" OR "game-theoretic" OR "forensics") for methodological coverage.

**Date range**. No lower bound on publication year, to include foundational general-purpose works [@chou1990applications; @dobrjanskyj1967some; @bunn2000landscape] that inform the graph-theoretic and network-analysis apparatus. Upper bound: 2024 for the core reference set, with additional targeted inclusions up to 2025 for the research-agenda discussion in Chapter 6.

**Inclusion criteria**. Peer-reviewed article, book chapter, or conference proceedings; OR high-citation-count preprint (cited-by count greater than or equal to 30 on OpenAlex) if the topic is specifically addressed in no peer-reviewed source; OR authoritative primary source for a named incident in Chapter 5 case studies.

**Exclusion criteria**. Non-English publications; non-blockchain anomaly-detection work except where it provides foundational methodological tooling; purely speculative think-pieces without analysis.

**Non-PRISMA justification**. We classify this as a narrative review rather than a systematic or scoping review. The Preferred Reporting Items for Systematic Reviews and Meta-Analyses (PRISMA) 2020 standard (Page et al.) and its scoping-review extension PRISMA-ScR (Tricco et al. 2018) apply to reviews conducted under an explicit pre-registered protocol, which we did not produce. The structured-narrative-review tradition, with [@chandola2009anomaly] and [@akoglu2014graph] as precedents in anomaly detection, is the appropriate category for a methodological synthesis whose studies do not share a single comparable outcome measure.

**Reference verification**. The 55 references in the final set (31 original peer-reviewed works retained after removing 4 URL-only entries, plus 24 added through Phase-2 and Phase-3 additions) were verified post-hoc against OpenAlex metadata. Twenty-seven of the 31 retained original references were matched to OpenAlex records with title similarity above 0.85 and a publication-year match within one year; the remaining four were flagged for manual review and remain cited but without OpenAlex DOIs. The 4 URL-only grey-literature entries are classified as BibTeX `@misc` entries and excluded from the peer-reviewed count.

**Limitations of methodology**. The narrative-review format does not quantify inter-study agreement; it relies on the authors' judgement to weight conflicting findings. The rapidly evolving nature of blockchain security means that incidents after the final inclusion date (2024) are not covered. Chapter 2 applies this methodology to catalogue the principal anomaly and fraud classes.

# Overview of blockchain anomalies and frauds

A **blockchain anomaly** is a deviation from the expected operational behaviour of a blockchain network. Anomalies can arise from software bugs, operational failures, congestion, or the side-effects of attacks. They may be benign (a trading frenzy drives transaction volume to an unusual level) or the signature of a malicious action (a spike in small-value contract creations accompanying a denial-of-service attempt). Representative examples include:

- **Network outages**: partitioning of the validator network, degraded peer connectivity, or remote-procedure-call (RPC) endpoint failures that produce delayed or incomplete transaction confirmation.
- **Data corruption**: inconsistency between node-local views of the ledger, arising from implementation bugs, consensus-layer failures, or malicious data injection.
- **Unauthorised transactions**: transactions signed or broadcast by a party not entitled to the corresponding authority, including key-compromise outcomes, authorisation-logic bugs in smart contracts, and front-running.

A **blockchain fraud** is a deliberate activity that exploits vulnerabilities in the network or its surrounding infrastructure for illicit gain. Fraud can occur at the protocol level (e.g., 51% attacks, double-spending), the contract level (reentrancy exploits, authorisation bypasses), the exchange level (exit scams, wash-trading), or the market level (pump-and-dump schemes, rug-pulls). Representative examples include:

- **Double-spending**: an attacker spends the same cryptocurrency in two transactions, typically by first submitting a payment, then reversing it via a longer competing chain or a transaction-malleability exploit [@decker2014bitcoin; @ron2013quantitative].
- **Money laundering**: cryptocurrency transfers used to obscure the origin of illicitly obtained funds, relying on mixing services, chain-hopping, or fragmented outputs across many addresses [@monamo2016unsupervised; @pham2016anomalya].
- **Insider trading and market manipulation**: exploitation of non-public information to trade ahead of announcements, or coordinated manipulation of cryptocurrency prices via pump-and-dump campaigns [@kamps2018to; @mansourifar2020hybrid].

Detection is essential for the continued operation of the network as market infrastructure. Chapters 3 and 4 review the techniques that have been developed to address each of these threat classes.

**Types of anomalies and frauds in blockchain networks.** Anomalies and frauds can be organised along three dimensions: the blockchain **layer** at which the attack or deviation occurs (network, consensus, contract, application), the **class** of the anomaly or fraud (operational, integrity, economic, compliance), and the **detection method** most appropriate for the signature (statistical, ML, game-theoretic, forensic). The classification is given in Table 1 (see Section 2.3 / Figure references); it provides an indexable view of the literature for a practitioner choosing a detection approach.

Anomaly classes:

- **Network-layer anomalies**: outages, peer-connectivity failures, eclipse attacks [@kim2021anomaly].
- **Consensus-layer anomalies**: unexpected fork behaviour, validator concentration, selfish-mining signatures.
- **Contract-layer anomalies**: spikes in contract-creation rate, unusual gas-consumption patterns, reentrancy-prone call patterns.
- **Application-layer anomalies**: unusual user behaviours at the wallet or exchange layer.

Fraud classes:

- **Economic frauds**: double-spending [@ron2013quantitative], pump-and-dump [@kamps2018to], wash-trading, rug-pulls.
- **Authorisation frauds**: key compromise, contract-exploit fund drains.
- **Market manipulation**: front-running, sandwich attacks, MEV extraction.
- **Compliance-evasion frauds**: mixing, chain-hopping, structuring.

**Examples of anomalies and frauds in real-world blockchain networks.** The 2016 Ethereum denial-of-service (DoS) attacks during the "Shanghai" window used operations with computational cost priced below their actual gas cost, causing network-wide congestion (see Chapter 5 for detail). The 2014 Mt. Gox collapse exploited transaction malleability to misreport withdrawal state, contributing to the loss of approximately 850,000 bitcoin [@decker2014bitcoin]. The 2021 Poly Network cross-chain exploit drained approximately USD 610 million through a contract-authorisation bypass before most funds were returned. Chapter 5 expands these cases.

# Anomaly detection techniques in blockchain networks

This chapter reviews the methodologies used to detect anomalies in blockchain networks. The complexity of these systems and the sophistication of security threats require detection strategies that combine statistical rigour, machine-learning capacity, and strategic analysis.

Anomaly detection aims to identify deviations from the expected operational behaviour of the network. Deviations may originate from operational malfunctions, service disruptions, or targeted breaches; the detection apparatus must therefore be broad enough to cover all three.

Three method families dominate the literature:

- **Statistical approaches** (time-series analysis, outlier scoring, regression-residual methods) detect deviations from estimated distributional or temporal baselines [@ahmed2015a; @chandola2009anomaly].
- **Machine-learning approaches** (supervised, unsupervised, semi-supervised, and deep-learning methods) learn detection rules from data rather than encoding them explicitly [@monamo2016unsupervised; @pham2016anomalya; @taher2024advanced].
- **Game-theoretic approaches** (Bayesian games, mechanism design, evolutionary-game models) analyse strategic interactions among network participants to identify behaviour inconsistent with rational play [@baqer2016stressing].

Each family is adaptable to different segments of the blockchain operational pipeline (block creation, transaction validation, ledger maintenance), and they are often combined in practice.

```{=latex}
\input{figures/fig_framework}
```

This section outlines the mathematical and algorithmic methods most frequently applied to blockchain anomaly detection.

**Time-series analysis.** Transaction volumes, block-arrival rates, gas usage, and validator participation are time-series data. Autoregressive integrated moving average (ARIMA), seasonal ARIMA (SARIMA), and exponential-smoothing models identify residuals that exceed a threshold as candidate anomalies [@ahmed2015a]. Fourier analysis reveals periodicities (weekly market cycles, diurnal patterns) whose disruption is itself anomalous.

**Clustering.** Transactions or addresses are embedded in a feature space and clustered by k-means, density-based spatial clustering of applications with noise (DBSCAN), or related algorithms. Points at high Euclidean or Mahalanobis distance from any cluster centroid are candidate anomalies [@pham2016anomalya; @shayegan2021a].

**Anomaly scoring.** Each transaction receives a numerical score based on its deviation from a reference distribution. Z-scores, Mahalanobis distances, and Isolation Forest scores are common; threshold selection is application-specific [@chandola2009anomaly].

**Simulation models.** Blockchain simulators reproduce network dynamics under controlled conditions, enabling stress-testing of detection rules [@baqer2016stressing].

**Game-theoretic models.** Nash-equilibrium and behavioural game-theory models formalise the attacker-defender interaction, providing detection rules that are stable against rational adversaries [@liu2019survey].

**Statistical methods for anomaly detection.** Statistical methods rely on explicit probabilistic assumptions and formal inference. Their strength is interpretability; their weakness is reliance on correctly specified models.

- **Time-series models** (autoregressive (AR), moving average (MA), ARIMA, SARIMA): fit a generative model to historical data; anomalies are residuals that fall outside a predetermined confidence band [@ahmed2015a].
- **Outlier detection by z-score or interquartile range (IQR)**: identify observations beyond $\pm z\sigma$ from the mean, or outside the fences $Q_1 - 1.5\,\mathrm{IQR}$ and $Q_3 + 1.5\,\mathrm{IQR}$ [@chandola2009anomaly].
- **Mahalanobis distance**: multivariate generalisation of the z-score that accounts for feature covariance; useful for transaction feature vectors [@pham2016anomalya].
- **Regression-residual methods**: estimate the expected value of a target variable as a function of covariates; anomalies are observations with significant residuals [@chandola2009anomaly].

Application to blockchain data is straightforward for time-series quantities (block intervals, transaction counts, gas prices) but more subtle for network-structural quantities (degree distributions, clustering coefficients), where the appropriate null model is itself a research question [@boginski2004statistical].
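The three checks listed above, z-score, IQR fences and Mahalanobis distance, worked on block-level features. This is an added illustration, not code from the paper or from any cited work: the features `tx_count` and `gas_used`, the baseline window, the candidate blocks and the thresholds are all constructed or assumed. Scoring new blocks against a separate baseline window, rather than against a sample that contains the candidate itself, avoids the masking effect in which an extreme value inflates its own standard deviation.

```python
"""Statistical outlier checks on constructed block-level features.

Added example; not code from the paper or any cited work. A baseline window of
ordinary blocks supplies the reference distribution, and each new block is
scored with z-scores, Tukey IQR fences and Mahalanobis distance.
"""
from math import sqrt

# Constructed baseline of 12 ordinary blocks: (tx_count, gas_used in millions of gas).
# Gas used loosely tracks transaction count, so the two features are correlated.
BLOCK_BASELINE = [
    (120, 8.0), (118, 7.6), (125, 8.6), (122, 8.3), (119, 7.7), (121, 8.2),
    (124, 8.1), (117, 7.5), (123, 8.4), (120, 8.1), (126, 8.8), (121, 7.9),
]


def mean(xs):
    return sum(xs) / len(xs)


def sample_variance(xs, m):
    return sum((x - m) ** 2 for x in xs) / (len(xs) - 1)


def zscores(baseline, point):
    """Per-feature z-scores of `point` against the baseline mean and sample sd."""
    out = []
    for col, v in zip(zip(*baseline), point):
        m = mean(col)
        out.append((v - m) / sqrt(sample_variance(col, m)))
    return out


def tukey_fences(xs, k=1.5):
    """(Q1 - k*IQR, Q3 + k*IQR), with quartiles as medians of the lower/upper halves."""
    s = sorted(xs)
    half = len(s) // 2

    def median(v):
        m = len(v) // 2
        return v[m] if len(v) % 2 else (v[m - 1] + v[m]) / 2

    q1, q3 = median(s[:half]), median(s[-half:])
    iqr = q3 - q1
    return q1 - k * iqr, q3 + k * iqr


def iqr_flags(baseline, point, k=1.5):
    """One boolean per feature: True if the value lies outside its baseline fences."""
    flags = []
    for col, v in zip(zip(*baseline), point):
        lo, hi = tukey_fences(col, k)
        flags.append(not lo <= v <= hi)
    return flags


def mahalanobis(baseline, point):
    """Mahalanobis distance of a two-feature point using the baseline sample covariance."""
    xs, ys = zip(*baseline)
    mx, my = mean(xs), mean(ys)
    vx, vy = sample_variance(xs, mx), sample_variance(ys, my)
    cxy = sum((x - mx) * (y - my) for x, y in baseline) / (len(baseline) - 1)
    det = vx * vy - cxy * cxy
    if det <= 0:
        raise ValueError("singular covariance: the two features are collinear")
    dx, dy = point[0] - mx, point[1] - my
    # d^T Sigma^{-1} d with the 2x2 inverse written out (Sigma^{-1} = adj(Sigma) / det).
    return sqrt((vy * dx * dx - 2 * cxy * dx * dy + vx * dy * dy) / det)


def score_block(baseline, point, z_threshold=3.0, d_threshold=3.0):
    """Which checks flag the block. Thresholds are assumptions; a chi-square quantile
    on D^2 (2 degrees of freedom here) is the principled cut-off for Mahalanobis."""
    return {
        "zscore": any(abs(z) > z_threshold for z in zscores(baseline, point)),
        "iqr": any(iqr_flags(baseline, point)),
        "mahalanobis": mahalanobis(baseline, point) > d_threshold,
    }


# Constructed candidate blocks to score against the baseline.
CANDIDATES = {
    "ordinary": (122, 8.1),
    "tx_spike": (400, 8.0),     # burst of cheap transactions
    "gas_spike": (121, 25.0),   # ordinary count, a few very expensive calls
    "ratio_break": (126, 7.5),  # each feature in range, but not their relationship
}

if __name__ == "__main__":
    for name, block in CANDIDATES.items():
        print(f"{name:12s} {score_block(BLOCK_BASELINE, block)}")
```

The `ratio_break` block passes both univariate checks (each feature is within 2 standard deviations and inside its fences) and is caught only by the covariance-aware distance, which is the case the text makes for Mahalanobis distance on transaction feature vectors. The spike blocks are flagged by every check. The two-feature inverse is written out by hand so the block has no dependencies; for more features, solve the linear system with a numerical library rather than inverting explicitly.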

**Machine-learning approaches.** Machine-learning methods learn detection rules from data. Four supervision regimes dominate.

1. **Supervised learning** trains on labelled normal/anomalous data [@taher2024advanced]. Labelled data is scarce in blockchain security; common workarounds include synthetic anomaly injection and transfer learning from related domains.
2. **Unsupervised learning** identifies anomalies as points that deviate from the majority cluster, without requiring labels [@monamo2016unsupervised; @pham2016anomalya]. This regime is dominant in the blockchain literature.
3. **Semi-supervised learning** uses a small set of labelled normal examples to define an expected-behaviour model, and flags any observation that does not fit. This regime is well-matched to blockchain applications where "normal" transactions are far more common than fraudulent ones [@chandola2009anomaly].
4. **Deep learning** applies neural networks (autoencoders, recurrent networks for temporal data, graph neural networks for transaction graphs) to learn anomaly signatures in high-dimensional feature spaces. Explainability remains a live concern, addressed by XAI techniques [@taher2024advanced].

These approaches are applied to transaction volumes, block sizes, network latencies, and user-level behaviours; they can be combined with each other and with statistical methods.

**Game-theoretic approaches.** Game-theoretic approaches model the network as a strategic interaction among rational participants.

1. **Bayesian games**: participants have private information and imperfect beliefs about one another; detection rules can be designed to be stable against rational misreporting [@baqer2016stressing].
2. **Mechanism design**: incentives in the protocol are designed so that honest behaviour is a dominant strategy. Bitcoin's block-reward structure and Ethereum's slashing conditions are practical instances [@liu2019survey].
3. **Evolutionary games**: behaviours that perform well proliferate; detection rules can be evaluated against adaptive adversaries [@liu2019survey].
4. **Auctions**: resource-allocation mechanisms where detection can be built into the bidding protocol [@liu2019survey].

These approaches are most effective when attackers have strong incentives to evade detection, because they anchor detection in assumptions about rational behaviour rather than statistical regularities alone.

# Fraud detection techniques in blockchain networks

Fraud detection aims to identify deliberate manipulations. The techniques that target fraud overlap with the anomaly-detection techniques of Chapter 3 but place greater emphasis on adversarial robustness, interpretability for forensic and compliance purposes, and the capacity to trace flows across addresses and chains.

**Overview of fraud detection techniques.** Four families dominate fraud-detection work in blockchain networks:

1. **Statistical techniques** identify distributional or temporal deviations that suggest fraudulent activity [@ahmed2015a; @chandola2009anomaly].
2. **Machine-learning techniques** learn fraud signatures from data, including through unsupervised clustering [@monamo2016unsupervised] and ensemble methods with explainable-AI interpretation [@taher2024advanced].
3. **Game-theoretic techniques** model adversarial strategic behaviour to identify deviations from rational benign play [@baqer2016stressing].
4. **Digital forensics** traces transaction flows and reconstructs attack timelines for legal-evidence purposes [@ron2013quantitative; @ober2013structure].

The families are applied at different stages of the blockchain pipeline (block creation, transaction validation, ledger maintenance, off-chain exchange operations) and are commonly combined in production deployments.

Building on the family-level overview above, this section details specific techniques that extend beyond the general families.

- **Transaction-pattern analysis** examines frequency, volume, timing, and transaction-graph relationships to identify suspicious activity. High-volume address clusters, rapid deposit-withdrawal patterns, and unusual counterparty-graph structures are typical signals [@ron2013quantitative; @maesa2016uncovering; @maesa2017datadriven].
- **Anomaly scoring** assigns numerical scores to transactions based on deviation from a benchmark; high-scoring transactions are forwarded to further review or automated controls [@shayegan2021a].
- **Blockchain simulation** creates a virtual replica of the network for stress-testing and red-teaming detection rules [@baqer2016stressing].

These specific techniques are applied to transaction volumes, block sizes, network latencies, and off-chain exchange data, and are typically used in combination with the four general families introduced above.

**Digital forensics.** Digital forensics in blockchain focuses on reconstructing attack timelines and tracing fund flows from the point of compromise to the point of realisation (often an exchange withdrawal or an off-ramp). Techniques include:

1. **Hash analysis** verifies block integrity and identifies manipulated transaction records [@ron2013quantitative].
2. **Transaction tracing** follows a sequence of inputs and outputs through mixing services and across chains to the point of fiat conversion [@ober2013structure; @maesa2017datadriven].
3. **Network analysis** examines communication patterns between nodes, useful for identifying eclipse or Sybil attack patterns.
4. **Visualisation** renders transaction graphs for human forensic review [@li2019dissecting].

Digital forensics is compute-intensive and relies on specialised tooling (e.g., Chainalysis, Elliptic) in operational deployments.
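Two of the techniques above, transaction-pattern analysis (rapid deposit-withdrawal screening) and transaction tracing to an off-ramp, on one constructed transaction graph, as an added example that is not code from the review or from any tracing vendor. Addresses, values and timestamps are constructed; `EXCH1` and `EXCH2` stand in for known exchange deposit addresses.

```python
"""Transaction-pattern screening and forward tracing on a constructed
transaction graph. Added example, not code from the review."""
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set


class Tx(NamedTuple):
    sender: str
    receiver: str
    value: float
    t: int  # seconds since the start of the constructed window


# Constructed flow: 100 units leave "victim", are split at A, and reach
# two exchanges by different routes; two unrelated transfers are mixed in.
TXS = [
    Tx("victim", "A", 100.0, 0),
    Tx("A", "B", 60.0, 5),
    Tx("A", "C", 39.5, 6),
    Tx("unrelated", "EXCH1", 5.0, 10),
    Tx("B", "EXCH1", 59.9, 20),
    Tx("merchant", "customer", 1.0, 50),
    Tx("C", "D", 39.0, 300),
    Tx("D", "EXCH2", 38.5, 400),
]
OFFRAMPS: Set[str] = {"EXCH1", "EXCH2"}


def pass_through_addresses(txs: List[Tx], window_s: int = 60,
                           min_fraction: float = 0.9) -> Set[str]:
    """Addresses that forward >= min_fraction of everything they received
    within window_s seconds of the first receipt (rapid deposit-withdrawal).
    """
    inflow: Dict[str, float] = defaultdict(float)
    outflow: Dict[str, float] = defaultdict(float)
    first_in: Dict[str, int] = {}
    last_out: Dict[str, int] = {}
    for tx in txs:
        inflow[tx.receiver] += tx.value
        first_in[tx.receiver] = min(first_in.get(tx.receiver, tx.t), tx.t)
        outflow[tx.sender] += tx.value
        last_out[tx.sender] = max(last_out.get(tx.sender, tx.t), tx.t)
    flagged = set()
    for addr, received in inflow.items():
        if addr not in last_out:
            continue  # received but never forwarded
        quick = last_out[addr] - first_in[addr] <= window_s
        if quick and outflow[addr] >= min_fraction * received:
            flagged.add(addr)
    return flagged


def trace_to_offramps(txs: List[Tx], origin: str,
                      offramps: Set[str]) -> List[List[str]]:
    """Every time-ordered simple path from origin to an off-ramp address.

    Only edges dated at or after the funds' arrival are followed, so a
    transfer that left an address before the traced funds arrived is not
    attributed to them.
    """
    by_sender: Dict[str, List[Tx]] = defaultdict(list)
    for tx in txs:
        by_sender[tx.sender].append(tx)
    paths: List[List[str]] = []

    def walk(addr: str, since: int, path: List[str]) -> None:
        for tx in by_sender[addr]:
            if tx.t < since or tx.receiver in path:
                continue  # too early, or would revisit an address
            nxt = path + [tx.receiver]
            if tx.receiver in offramps:
                paths.append(nxt)
            else:
                walk(tx.receiver, tx.t, nxt)

    walk(origin, 0, [origin])
    return paths
```

With the default 60 s window only `A` and `B` are flagged as pass-through; `C` and `D` forward almost everything they receive but hours later, which a wider window would catch at the cost of more false positives.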

**Reputation-based systems.** Reputation-based systems maintain persistent scores for participants (addresses, wallets, exchanges) and use those scores to adjust access, priority, or trust:

1. **Transaction validation**: nodes with higher reputation are more likely to have transactions included.
2. **Resource allocation**: higher-reputation participants receive more favourable access to network resources.
3. **Incentive alignment**: rewards and penalties tied to reputation align behaviour with protocol objectives.
4. **Decision-making**: voting weight in governance protocols can be reputation-weighted.

Reputation systems face a bootstrapping problem (how to seed reputation) and a Sybil-resistance problem (how to prevent low-cost identity creation); both are active areas of research.

**Risk-assessment systems.** Risk-assessment frameworks identify, quantify, and mitigate vulnerabilities prior to exploitation.

1. **Risk-assessment methodology**: vulnerability scanning, penetration testing, threat modelling.
2. **Risk-assessment criteria**: likelihood and impact of specific attack classes.
3. **Risk-assessment report**: documents identified risks, recommended mitigations, and residual risk.
4. **Risk-management plan**: operational controls, incident-response procedures, and training.

Risk-assessment systems are the translation layer between academic detection techniques and operational security practice. Chapter 5 examines three documented incidents to test these fraud-detection families against real-world conditions.

# Case studies of anomaly and fraud detection in blockchain networks

Case studies anchor the review in specific, documented incidents. For each case we describe the incident, identify the failure mode, summarise the detection and mitigation response, and note the lessons for subsequent work. The cases below were selected for representativeness along three dimensions: protocol level (contract exploit), exchange level (intermediary failure), and cross-chain level (bridge compromise).

**Ethereum 2016 contract-layer incidents.** Two distinct classes of contract-layer incidents affected Ethereum in 2016. The first, the DAO (decentralised autonomous organisation) exploit in June 2016, was a reentrancy attack on a single smart contract: the vulnerability pattern and its mitigation are catalogued in the Systematisation-of-Knowledge survey by [@atzei2017survey], which treats reentrancy as a canonical smart-contract anomaly class. The second, the denial-of-service wave of September to October 2016, operated at the protocol layer via underpriced opcodes. We treat both as reference points for the contract layer in our taxonomy, with the understanding that their detection profiles differ: the DAO exploit is a within-contract logic failure, while the DoS wave is a cross-contract resource-exhaustion pattern.

**Ethereum 2016 denial-of-service (protocol) attacks.** Between September and October 2016, the Ethereum network was subjected to a series of denial-of-service attacks that demonstrated that gas pricing is a security parameter as much as an economic one: block-validation times degraded and full-node synchronisation fell behind, requiring two emergency hard forks within six weeks. The `EXTCODESIZE` and `SUICIDE` (later `SELFDESTRUCT`) operations, among others, were priced at gas costs below their actual node-computation cost. Attackers constructed transactions that repeatedly invoked these opcodes, inflating block-validation time and causing full-node synchronisation to lag [@atzei2017survey; @chen2017under].[^dao_note]

The detection response combined machine-learning-based identification of unusual contract-creation and opcode-invocation patterns with network-level rate limits. The Ethereum Foundation released the Tangerine Whistle hard fork, specified in Ethereum Improvement Proposal 150 (EIP-150) of October 2016, to re-price the affected opcodes, followed by the Spurious Dragon hard fork (EIPs 155, 160, 161, and 170, November 2016) to clear empty account state and address related attack surface. The incident illustrates how protocol-level parameter choices (gas pricing) become security parameters; it also demonstrates the value of empirical monitoring of resource-usage distributions [@kim2021anomaly]. @atzei2017survey survey the broader Ethereum smart-contract attack surface of which the 2016 DoS wave is a member, and Chen et al. [@chen2017under] quantify the gas-cost anomalies that made the attacks economically feasible.
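The "empirical monitoring of resource-usage distributions" mentioned above, as an added example that is not code from the review or from any Ethereum client: it estimates a block's node-side execution cost from its opcode counts, compares that with the gas the block paid, and flags blocks whose compute-per-gas ratio is far above a baseline. The per-opcode gas values are the pre- and post-EIP-150 prices for `ADD`, `SLOAD`, `EXTCODESIZE` and `CALL`; the microsecond costs per opcode and the block opcode counts are constructed for illustration.

```python
"""Opcode-level resource-usage monitoring for a block stream.
Added example, not code from the review or from any Ethereum client."""
import statistics
from typing import Dict, List

# Gas charged per opcode before and after EIP-150 (Tangerine Whistle).
GAS_PRE_EIP150 = {"ADD": 3, "SLOAD": 50, "EXTCODESIZE": 20, "CALL": 40}
GAS_POST_EIP150 = {"ADD": 3, "SLOAD": 200, "EXTCODESIZE": 700, "CALL": 700}

# Constructed node-side cost in microseconds: EXTCODESIZE and SLOAD touch
# state storage, ADD is pure arithmetic.
COST_US = {"ADD": 0.01, "SLOAD": 3.0, "EXTCODESIZE": 40.0, "CALL": 5.0}

# Constructed opcode counts: three ordinary blocks, then a block that is
# almost nothing but EXTCODESIZE calls in a loop, as in the 2016 wave.
BLOCKS: List[Dict[str, int]] = [
    {"ADD": 50000, "SLOAD": 2000, "EXTCODESIZE": 50, "CALL": 300},
    {"ADD": 40000, "SLOAD": 2500, "EXTCODESIZE": 80, "CALL": 250},
    {"ADD": 60000, "SLOAD": 1500, "EXTCODESIZE": 30, "CALL": 400},
    {"ADD": 1000, "SLOAD": 10, "EXTCODESIZE": 50000, "CALL": 10},
]


def block_gas(counts: Dict[str, int], gas_table: Dict[str, int]) -> int:
    """Total gas the block's opcodes are charged under gas_table."""
    return sum(n * gas_table[op] for op, n in counts.items())


def block_cost_us(counts: Dict[str, int]) -> float:
    """Estimated node-side execution time of the block in microseconds."""
    return sum(n * COST_US[op] for op, n in counts.items())


def compute_per_gas(counts: Dict[str, int],
                    gas_table: Dict[str, int]) -> float:
    """Microseconds of node work bought per unit of gas: the quantity an
    underpriced opcode lets a sender push up."""
    gas = block_gas(counts, gas_table)
    return block_cost_us(counts) / gas if gas else float("inf")


def flag_blocks(blocks: List[Dict[str, int]], gas_table: Dict[str, int],
                baseline_n: int = 3, factor: float = 10.0) -> List[int]:
    """Indices of blocks whose compute-per-gas exceeds factor times the
    median ratio of the first baseline_n blocks."""
    ratios = [compute_per_gas(b, gas_table) for b in blocks]
    baseline = statistics.median(ratios[:baseline_n])
    return [i for i, r in enumerate(ratios) if r > factor * baseline]


if __name__ == "__main__":
    print("pre-EIP-150 flagged:", flag_blocks(BLOCKS, GAS_PRE_EIP150))    # [3]
    print("post-EIP-150 flagged:", flag_blocks(BLOCKS, GAS_POST_EIP150))  # []
    print("attack block gas after re-pricing:",
          block_gas(BLOCKS[3], GAS_POST_EIP150))                        # 35012000
```

Under pre-EIP-150 pricing the fourth block buys roughly fifty times the node work per gas of the baseline blocks and is flagged; under post-EIP-150 pricing the same opcode mix would cost 35,012,000 gas, many times the few-million-gas block limit of the time, which is how re-pricing removed the attack rather than merely detecting it.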

[^dao_note]: Note: we distinguish this attack family from the June 2016 DAO reentrancy exploit, which affected a single smart contract on Ethereum rather than the protocol layer and is documented elsewhere.

**Mt. Gox collapse 2014 (exchange-layer).** In February 2014, the Tokyo-based cryptocurrency exchange Mt. Gox announced the loss of approximately 850,000 bitcoin (valued at approximately USD 450 million at the time). Transaction malleability, the property that transactions could be re-signed with the same inputs and outputs but a different transaction ID, was implicated in the exchange's accounting failures [@decker2014bitcoin; @ron2013quantitative; @bohme2015bitcoin]. Attackers exploited the fact that the exchange's internal bookkeeping relied on transaction IDs that could be changed after submission, enabling apparent double-withdrawals that were not detected until after the discrepancy had grown beyond recovery.

The detection tools now common for this class of failure, transaction-pattern analysis, cross-system reconciliation, and tighter cryptographic commitment on withdrawal records, were developed and deployed by exchanges in the years following. The incident remains the canonical exchange-layer failure case; its direct causal contribution to Mt. Gox's insolvency is debated, but its role in exposing the transaction-malleability attack surface is well-established [@decker2014bitcoin]. Bitcoin Improvement Proposal 62 (BIP-62) and subsequent soft-forks mitigated the protocol-layer malleability sources; improved exchange-side accounting closed the application-layer exposure.
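The cross-system reconciliation described above, as an added example that is not code from the review or from any exchange: a withdrawal ledger keyed on the broadcast txid marks a malleated (re-signed, same inputs and outputs, different txid) withdrawal as unconfirmed, while a ledger reconciled on what the transaction actually spends and pays matches it and flags the txid change. Transaction ids and outpoints are constructed placeholders, not real Bitcoin hashes.

```python
"""Withdrawal reconciliation that survives transaction malleability.
Added example, not code from the review or from any exchange."""
from typing import Dict, FrozenSet, List, NamedTuple, Optional, Tuple


class Tx(NamedTuple):
    txid: str
    inputs: FrozenSet[str]                  # outpoints "prev_txid:vout"
    outputs: Tuple[Tuple[str, float], ...]  # (address, amount) in order


# Exchange-side withdrawal ledger, keyed on the txid the exchange broadcast.
LEDGER = [
    Tx("txid-aaa", frozenset({"prev-111:0"}),
       (("cust1", 2.0), ("hot-change", 0.5))),
    Tx("txid-bbb", frozenset({"prev-222:1"}),
       (("cust2", 1.2), ("hot-change", 0.3))),
]

# What confirmed on-chain: txid-bbb as sent, but the first withdrawal
# confirmed under a different txid because a third party re-signed
# (malleated) it before it was mined.
CONFIRMED = [
    Tx("txid-zzz", frozenset({"prev-111:0"}),
       (("cust1", 2.0), ("hot-change", 0.5))),
    Tx("txid-bbb", frozenset({"prev-222:1"}),
       (("cust2", 1.2), ("hot-change", 0.3))),
]


def unconfirmed_by_txid(ledger: List[Tx], confirmed: List[Tx]) -> List[str]:
    """Naive reconciliation: a withdrawal is 'missing' if its txid never
    confirmed. Under malleation this reports txid-aaa as failed, which is
    the state that invites a second, duplicate payout."""
    seen = {tx.txid for tx in confirmed}
    return [tx.txid for tx in ledger if tx.txid not in seen]


def reconcile_by_spend(ledger: List[Tx], confirmed: List[Tx]
                       ) -> Dict[str, Tuple[str, Optional[str], bool]]:
    """Reconcile on what the transaction does (inputs spent, outputs paid),
    which re-signing cannot change.

    Returns ledger txid -> (status, confirmed txid or None, malleated flag).
    """
    by_effect = {(tx.inputs, tx.outputs): tx.txid for tx in confirmed}
    result: Dict[str, Tuple[str, Optional[str], bool]] = {}
    for tx in ledger:
        chain_id = by_effect.get((tx.inputs, tx.outputs))
        if chain_id is None:
            result[tx.txid] = ("unconfirmed", None, False)
        else:
            result[tx.txid] = ("confirmed", chain_id, chain_id != tx.txid)
    return result


def safe_to_resend(ledger: List[Tx], confirmed: List[Tx]) -> List[str]:
    """Withdrawals that may be re-issued: unconfirmed AND none of their
    inputs spent by any confirmed transaction. A spent input means the
    payment already went through under some txid, so re-sending it would
    be a second payout."""
    spent = set().union(*(tx.inputs for tx in confirmed)) if confirmed else set()
    status = reconcile_by_spend(ledger, confirmed)
    return [tx.txid for tx in ledger
            if status[tx.txid][0] == "unconfirmed" and not (tx.inputs & spent)]
```

The spent-input check in `safe_to_resend` also covers the harder case of a confirmed transaction with the same inputs but different outputs: it is neither a match nor safe to re-issue, and needs manual review.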

Beyond the protocol-layer story, the Mt. Gox collapse was a large-scale consumer-protection failure: many thousands of retail creditors across multiple jurisdictions were unable to access funds for years while civil-rehabilitation proceedings in Japan worked through the estate. That loss of access represented a distinct harm from the theft itself: retail creditors bore litigation costs, currency-value fluctuations across years of insolvency proceedings, and prolonged uncertainty that no on-chain detection system would have prevented. @bohme2015bitcoin place the incident in the wider economics and governance of Bitcoin and argue that exchange-level institutional design, not protocol design, is the first-order determinant of user loss in episodes of this kind. For our framework, the implication is that detection systems focused only on on-chain signals miss an entire class of application-layer risk borne by end users.

**Poly Network cross-chain exploit 2021 (cross-chain-layer).** In August 2021, approximately USD 610 million in cryptoassets were drained from the Poly Network, a cross-chain interoperability protocol that bridges Ethereum, Binance Smart Chain, and Polygon. The attacker exploited an authorisation logic flaw in the `EthCrossChainManager` contract that allowed the attacker to call the `onlyOwner`-gated `verifyHeaderAndExecuteTx` function with crafted data, promoting their own address to network operator. Most of the funds were subsequently returned after the attacker engaged with the project team, making the economic loss limited in retrospect but the exposure maximal at the time of exploit. Lee et al. [@lee2023sok] catalogue the Poly Network compromise together with the 2022 Ronin, Wormhole, and Nomad bridge incidents in their Systematisation-of-Knowledge of cross-chain bridge hacks, and Werner et al. [@werner2022sok] situate the general class of bridge failures within a broader DeFi security landscape.

The case illustrates the emerging cross-chain-bridge attack surface and the detection gap that currently exists for bridges: real-time monitoring of cross-chain message authorisation is less mature than single-chain transaction-anomaly monitoring [@lee2023sok; @werner2022sok]. Subsequent work [@liang2021data] on data-fusion-based collaborative detection in blockchain systems points toward the infrastructure needed to close this gap.

**Lessons learned and implications.** Three lessons carry across the three cases.

1. **Parameter choices are security choices.** The Ethereum 2016 incident shows that economic parameters (gas prices) carry security consequences; a detection-monitoring regime that did not include opcode-level resource-usage distributions would have been blind to the attack.
2. **Application-layer reconciliation is as important as protocol-layer integrity.** Mt. Gox shows that a protocol-correct ledger can still be paired with an application-layer accounting system whose failure drives the incident.
3. **Cross-chain detection lags single-chain detection.** The Poly Network exploit is representative of a broader class of bridge compromises (Ronin 2022, Wormhole 2022, Nomad 2022) for which the detection literature is thin and the operational tooling is sparse.

These lessons motivate the research agenda in Chapter 6.

# Future directions for anomaly and fraud detection in blockchain networks

The future of detection work is shaped by the maturation of blockchain as financial infrastructure, the increasing sophistication of adversaries, and the integration of blockchain with traditional systems subject to financial regulation.

**Emerging trends and challenges.**

1. **Scale and complexity of blockchain networks**. As on-chain transaction counts, contract deployment rates, and cross-chain message volumes grow, detection pipelines must scale accordingly. Streaming architectures and hardware acceleration [@morishima2018acceleration] are early responses; more are needed.
2. **Adversary sophistication**. Attackers increasingly coordinate across chains, employ mixing services, and exploit DeFi composability to obscure the origin of funds. Detection techniques must evolve correspondingly.
3. **Integration with other systems**. Blockchain interacts with supply-chain, healthcare, and identity systems. Detection must address anomalies that cross system boundaries.
4. **Regulation and compliance**. Growing regulatory attention (the Markets in Crypto-Assets (MiCA) regulation in the EU; the Financial Action Task Force (FATF) travel rule; United States Securities and Exchange Commission (SEC) enforcement) makes detection with audit trails, explainability, and privacy guarantees a regulatory requirement, not an option.

**Potential future research directions.**

The research frontier for blockchain-fraud detection has in the last three years generated several findings directly relevant to our framework. @qin2021attacking provide the empirical baseline for capital-free DeFi attacks, demonstrating that flash-loan composability creates a new exploit class that the detection literature must explicitly address. @qin2022quantifying quantify the magnitude of maximal-extractable-value (MEV) across Ethereum and show that MEV is a first-order market-integrity concern at the consensus layer, an anomaly class not yet well represented in earlier detection surveys. @zhou2023sokdefi systematise documented DeFi attacks including flash-loan exploits and bridge compromises, providing the classificatory baseline against which our framework can be extended at the contract and cross-chain layers. @sai2023explainable apply explainable-AI methods to financial-transaction fraud detection and report that feature-level attribution improves auditability without material accuracy cost, a finding relevant to the XAI research direction listed below.

1. **Machine learning**. Deep learning, reinforcement learning, and graph neural networks remain active research directions. Integration with game-theoretic formalisation (for adversarial robustness) and with XAI methods (for explainability that meets regulatory audit requirements) is a priority.
2. **Network analysis**. Graph-theoretic and social-network-analysis methods applied to transaction and validator graphs continue to produce new detection signals [@li2019dissecting; @maesa2017datadriven].
3. **Game theory**. Mechanism design for protocols that embed detection incentives, and the integration of behavioural-game-theoretic models with statistical detection rules.
4. **Risk assessment**. Formalisation of risk-assessment tooling, continuous monitoring, automated incident response, pre-deployment formal verification, specifically tuned to blockchain applications.
5. **Cross-chain-bridge monitoring**. The Poly Network, Ronin Bridge, Wormhole, and Nomad incidents from 2021-2022 expose the need for real-time authorisation-monitoring tooling for cross-chain messages. @li2024crosschain provide a 2024 peer-reviewed survey of cross-chain bridge attack surfaces, defences, and open problems that consolidates the literature on this fast-moving subdomain. Even with that systematisation in place, real-time detection at the bridge layer remains a largely open research area.
6. **DeFi flash-loan attack detection**. The detection literature for multi-protocol DeFi exploits (flash-loan-enabled price manipulation, governance-attack constructions) is still emerging.
7. **LLM-based vulnerability detection**. Applying large language models to smart-contract vulnerability detection, at both pre-deployment and runtime, has produced preliminary positive results on public benchmarks; integration with formal verification toolchains remains open.
8. **Privacy-preserving detection**. Detection that operates on encrypted or zero-knowledge-protected data is needed for compliance in jurisdictions with strict data-protection rules.

# Conclusion

This paper reviewed the detection of anomalies and frauds in blockchain networks, anchored in the financial-market use of the technology. We developed a dimensional classification of anomaly and fraud types (Table 1), a comparative matrix of detection techniques (Table 2), and an analytical framework (Figure 1) that locates each family of techniques in the detection pipeline. We surveyed 31 original peer-reviewed works after removing 4 URL-only entries (plus 24 added for reference currency, case-study verification, and finance-framing) and situated them against three prior general-purpose anomaly-detection surveys.

The central finding is that the detection toolkit is rich at the single-chain single-address level but thin at the cross-chain level and at the interface between on-chain and off-chain systems. Incidents such as the 2021 Poly Network exploit and the 2022 bridge compromises illustrate the practical cost of this gap. The research agenda we outlined in Chapter 6 identifies cross-chain-bridge monitoring, DeFi-flash-loan attack detection, and LLM-based vulnerability detection as priority areas.

**Summary of key points.**

1. Blockchain networks are financial infrastructure and their security is a financial-stability concern.
2. Anomaly detection in blockchain spans statistical, ML, and game-theoretic methods.
3. Fraud detection additionally requires digital forensics, reputation systems, and risk-assessment frameworks.
4. Case studies (Ethereum 2016 DoS, Mt. Gox 2014, Poly Network 2021) illustrate failure modes at the contract, exchange, and cross-chain layers respectively.
5. The research frontier is in cross-chain monitoring, DeFi exploit detection, XAI for compliance, and privacy-preserving detection.

**Implications and recommendations.**

*For practitioners:* adopt a multi-layered detection stack combining statistical baselines, ML-based signature learning, and digital-forensic traceability; maintain logs at the explainability level required by audit and compliance frameworks; stay current with adversary evolution and cross-chain bridge monitoring.

*For researchers:* close the cross-chain detection gap; develop ML models with XAI-level transparency whose outputs are admissible in forensic and regulatory contexts; collaborate with industry practitioners and policymakers to ensure research addresses operational constraints.

**Limitations.** This review has three principal limitations. **First**, this is a narrative review rather than a systematic review with quantitative synthesis, and we therefore make no claims about inter-study effect sizes or pooled estimates. **Second**, the rapidly evolving blockchain ecosystem means that incidents after the inclusion cutoff (2024) are not covered; the research agenda in Chapter 6 is intended to partially offset this by flagging emerging directions. **Third**, we have not independently reproduced the results reported in the cited works; the synthesis relies on the published record.

# List of Abbreviations

AI
:   artificial intelligence

AML
:   anti-money laundering

API
:   application programming interface

AR
:   autoregressive (model)

ARIMA
:   autoregressive integrated moving average

BAD
:   Blockchain Anomaly Detection

BIP
:   Bitcoin Improvement Proposal

DAO
:   decentralised autonomous organisation

DBSCAN
:   density-based spatial clustering of applications with noise

DeFi
:   decentralised finance

DoS
:   denial of service

EIP
:   Ethereum Improvement Proposal

FATF
:   Financial Action Task Force

GPU
:   graphics processing unit

IQR
:   interquartile range

KYC
:   know your customer

LLM
:   large language model

MA
:   moving average (model)

MEV
:   maximal extractable value

MiCA
:   Markets in Crypto-Assets (EU Regulation)

ML
:   machine learning

PRISMA
:   Preferred Reporting Items for Systematic Reviews and Meta-Analyses

RPC
:   remote procedure call

SARIMA
:   seasonal autoregressive integrated moving average

SEC
:   United States Securities and Exchange Commission

SVM
:   support vector machine

XAI
:   explainable artificial intelligence
