Compromised Account Monitoring
Description
This test identifies potentially compromised accounts by analyzing transaction patterns and price deviations over specified periods. The function uses parameters such as average daily volume (ADV), price deviations, and transaction volumes to detect abnormal activity that may indicate unauthorized account access or manipulation.
Use Cases
- Unauthorized Access Detection: Identify accounts exhibiting unusual transaction patterns or significant deviations in trade volumes and prices, which may signal unauthorized access or hacking.
- Fraud Prevention: Flag accounts with abnormal trading behavior, such as sudden high-volume transactions or trades significantly deviating from historical patterns.
Required Data
Trades Data
Variable | Description |
---|---|
timestamp | Timestamp of the trade made (YYYY-MM-DD hh:mm:ss). |
user_id | User ID to identify the individual user. |
symbol_pair | The asset symbol; e.g., BTCUSDT, SHIBETH, DOGEUSDT. |
side | Whether the trade is a BUY or SELL. |
price_usd | The price of the symbol in USD. |
price | The quote currency in terms of the base currency; e.g., ETH/BTC = 0.03781. |
amount | The amount of the symbol being traded. |
Parameters
Parameter | Description | Type | Default Value | Configurable |
---|---|---|---|---|
analysis_window | Length of the analysis window in hours. | Integer | 24 | Yes |
adv_window | Number of days used to calculate the Average Daily Volume (ADV). | Integer | 7 | Yes |
adv_dollar_threshold | Threshold for average daily volume in dollars below which symbol_pairs are considered for analysis. The test focuses on identifying compromised accounts that trade illiquid markets. | Float | 100000 | Yes |
manual_price_deviation | Flag to enable manual price deviation checks. If set to False, the test will use the VWAP +/- 3 standard deviations as the threshold. | Boolean | False | Yes |
manual_price_deviation_threshold | Price deviation threshold as a percentage relative to a reference price, above which transactions are flagged. | Float | 0.2 (20%) | Yes |
create_ticket | Flag to determine if tickets should be created for alerts. | Boolean | True | Yes |
Methodology
- Review Historical Trading Activity: Analyze trading data to calculate the average daily trading volume (ADV) for each symbol pair. This helps identify assets with unusually low trading activity that are more prone to manipulation.
- Establish a Baseline with VWAP: Use historical transactions to calculate the volume-weighted average price (VWAP) for each flagged symbol pair. This serves as a benchmark for comparing the prices of recent trades.
- Identify Price Anomalies: Compare recent trade prices to the calculated VWAP baseline. Flag transactions where prices deviate significantly, either rising too high or dropping too low compared to typical market activity.
- Categorize Suspicious Transactions: Group flagged trades into categories such as "above normal price" and "below normal price." Summarize trading metrics like total value and trade volume to assess the severity of the anomaly.
- Generate Reports for Actionable Insights: Compile flagged trades and summaries into clear reports, enabling further investigation into accounts exhibiting unusual trading patterns. These reports help identify potential compromised accounts or fraudulent activities for further review.
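The methodology steps above as one runnable sketch; this is an added example, not the product's own implementation. It assumes the baseline is the adv_window days immediately before the analysis window, that dollar volume is price_usd times amount, and that the standard deviation is volume-weighted; the function names flag_trades and summarize and the sample trades are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def flag_trades(trades, now, analysis_window=24, adv_window=7, adv_dollar_threshold=100000.0,
                manual_price_deviation=False, manual_price_deviation_threshold=0.2):
    start = now - timedelta(hours=analysis_window)
    base_start = start - timedelta(days=adv_window)  # assumption: baseline precedes the window
    baseline, recent = defaultdict(list), []
    for t in trades:
        ts = datetime.strptime(t["timestamp"], "%Y-%m-%d %H:%M:%S")
        if base_start <= ts < start:
            baseline[t["symbol_pair"]].append(t)
        elif start <= ts <= now:
            recent.append(t)
    bands = {}  # symbol_pair -> (vwap, allowed deviation), illiquid pairs only
    for sym, rows in baseline.items():
        vol = sum(r["amount"] for r in rows)
        usd = sum(r["price_usd"] * r["amount"] for r in rows)  # assumption: USD notional
        if vol <= 0 or usd / adv_window >= adv_dollar_threshold:
            continue  # ADV at or above the threshold: liquid pair, out of scope
        vwap = usd / vol
        # assumption: volume-weighted standard deviation of baseline prices around VWAP
        sd = (sum(r["amount"] * (r["price_usd"] - vwap) ** 2 for r in rows) / vol) ** 0.5
        width = vwap * manual_price_deviation_threshold if manual_price_deviation else 3 * sd
        bands[sym] = (vwap, width)
    flagged = []
    for t in recent:  # pairs with no baseline trades have no band and are skipped
        vwap, width = bands.get(t["symbol_pair"], (None, 0.0))
        if vwap is not None and abs(t["price_usd"] - vwap) > width:
            cat = "above normal price" if t["price_usd"] > vwap else "below normal price"
            flagged.append({**t, "vwap": vwap, "category": cat})
    return flagged

def summarize(flagged):  # per (user_id, symbol_pair, category): trade count and USD value
    out = defaultdict(lambda: {"trades": 0, "value_usd": 0.0})
    for t in flagged:
        s = out[(t["user_id"], t["symbol_pair"], t["category"])]
        s["trades"] += 1
        s["value_usd"] += t["price_usd"] * t["amount"]
    return dict(out)

# Constructed sample (not from the page): days 1-5 are baseline, day 7 is the analysis window.
NOW = datetime(2024, 3, 8)
SAMPLE = [dict(zip(("timestamp", "user_id", "symbol_pair", "side", "price_usd", "amount"),
                   (f"2024-03-{d:02d} 12:00:00", *rest))) for d, *rest in [
    (1, "u1", "SHIBETH", "BUY", 1.00, 1000), (3, "u2", "SHIBETH", "SELL", 1.02, 1000),
    (5, "u3", "SHIBETH", "BUY", 0.98, 1000), (4, "u4", "BTCUSDT", "BUY", 60000.0, 20),
    (7, "u7", "SHIBETH", "BUY", 1.60, 5000), (7, "u2", "SHIBETH", "BUY", 1.10, 100),
    (7, "u9", "SHIBETH", "SELL", 0.50, 200), (7, "u7", "BTCUSDT", "BUY", 90000.0, 1)]]
```

With the default statistical band the 1.10 trade is flagged, while the 20% manual threshold lets it through; the BTCUSDT trade is never examined because that pair's ADV exceeds adv_dollar_threshold.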