<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/">
    <channel>
        <title>Alex Stoliar</title>
        <link>https://paragraph.com/@alexstolr</link>
        <description>Mostly write about blockchain stuff...</description>
        <lastBuildDate>Thu, 09 Jul 2026 15:59:03 GMT</lastBuildDate>
        <docs>https://validator.w3.org/feed/docs/rss2.html</docs>
        <generator>https://github.com/jpmonette/feed</generator>
        <language>en</language>
        <image>
            <title>Alex Stoliar</title>
            <url>https://storage.googleapis.com/papyrus_images/876d6d4664fbf316b5070e7d133fc2b78d084bb8f366b894f6e522b837881142.jpg</url>
            <link>https://paragraph.com/@alexstolr</link>
        </image>
        <copyright>All rights reserved</copyright>
        <item>
            <title><![CDATA[Identifying Ethereum address owners using testnet faucet mechanisms]]></title>
            <link>https://paragraph.com/@alexstolr/identifying-ethereum-address-owners-using-testnet-faucet-mechanisms</link>
            <guid>Qhh07Zu0IHi9BGDlJkV7</guid>
            <pubDate>Fri, 07 Jan 2022 19:56:03 GMT</pubDate>
            <description><![CDATA[FaucetsAbout a year ago I used the Ethereum Kovan testnet to test an application I was developing at the time. It required getting some testnet ETH(KETH) using the Kovan faucet to create transactions and test the application.First result on google leads to the Kovan faucet on gitter The way Kovan faucet works is as follows:Join the Kovan testnet/faucet room on gitter using your GitHub account login.Post your Ethereum address to which you would like to receive the testnet funds.The funds are s...]]></description>
            <content:encoded><![CDATA[<h2 id="h-faucets" class="text-3xl font-header !mt-8 !mb-4 first:!mt-0 first:!mb-0">Faucets</h2><p>About a year ago I used the Ethereum Kovan testnet to test an application I was developing at the time. It required getting some testnet ETH(KETH) using the Kovan faucet to create transactions and test the application.</p><figure float="none" data-type="figure" class="img-center" style="max-width: null;"><img src="https://storage.googleapis.com/papyrus_images/b89a9ece66c04081714382c2ddb262abf5825ff029f578814562327c75980216.png" alt="" blurdataurl="data:image/gif;base64,R0lGODlhAQABAIAAAP///wAAACwAAAAAAQABAAACAkQBADs=" nextheight="600" nextwidth="800" class="image-node embed"><figcaption HTMLAttributes="[object Object]" class="hide-figcaption"></figcaption></figure><p>First result on google leads to the Kovan faucet on gitter</p><p>The way Kovan faucet works is as follows:</p><ol><li><p>Join the Kovan testnet/faucet room on gitter using your GitHub account login.</p></li><li><p>Post your Ethereum address to which you would like to receive the testnet funds.</p></li><li><p>The funds are sent to your address on the Kovan network.</p></li></ol><figure float="none" data-type="figure" class="img-center" style="max-width: null;"><img src="https://storage.googleapis.com/papyrus_images/ba42d796d8d68f21c23005b46436ab2b6ed7e4969d825942c2715a8fe59f7be0.jpg" alt="" blurdataurl="data:image/gif;base64,R0lGODlhAQABAIAAAP///wAAACwAAAAAAQABAAACAkQBADs=" nextheight="600" nextwidth="800" class="image-node embed"><figcaption HTMLAttributes="[object Object]" class="hide-figcaption"></figcaption></figure><p>Messages on the gitter public chat show addresses and GitHub account</p><h2 id="h-extracting-the-data" class="text-3xl font-header !mt-8 !mb-4 first:!mt-0 first:!mb-0">Extracting the data</h2><p>At the time this got me thinking about my privacy and how this public gitter chat could be used to map my real identity to my Ethereum address through my GitHub account by anyone with some basic coding skills and some spare time.</p><p>Time passed by and lately I started to take interest in Blockchain data analytics, and I remembered the Kovan faucet idea I had. I wondered how hard it could be to create a mapping of all the Kovan faucet chat.</p><p>Turns out it isn’t complicated and requires only some basic coding skills. I will briefly describe how this can be done. A first version of my code is publicly available at my GitHub ‘<a target="_blank" rel="noopener noreferrer nofollow ugc" class="dont-break-out" href="https://github.com/alexstolr/identifyeth">identifyEth’ </a>repository. Just to clarify, creating the mapping does not require any hacking or scraping, it is all public information which is easily accessible using the gitter API. Here’s how it can be done:</p><ol><li><p>Sign in to <a target="_blank" rel="noopener noreferrer nofollow ugc" class="dont-break-out" href="https://developer.gitter.im/docs/welcome">gitter developer</a> and <a target="_blank" rel="noopener noreferrer nofollow ugc" class="dont-break-out" href="https://developer.gitter.im/apps">register </a>your application.</p></li><li><p>Clone the gitter <a target="_blank" rel="noopener noreferrer nofollow ugc" class="dont-break-out" href="https://gitlab.com/gitterHQ/gitter-demo-app">demo application</a>, and follow the steps found in the README.md</p></li><li><p>Open your web browser and open <a target="_blank" rel="noopener noreferrer nofollow ugc" class="dont-break-out" href="http://localhost:7000/">http://localhost:7000</a> then sign in, allow and save your Bearer token that appears on the screen.</p></li><li><p><a target="_blank" rel="noopener noreferrer nofollow ugc" class="dont-break-out" href="https://developer.gitter.im/docs/rooms-resource">Identify </a>“kovan-testnet/faucet” roomId using curl from your terminal: curl -X POST -i -H “Content-Type: application/json” -H “Accept: application/json” -H “Authorization: Bearer YOUR_TOKEN” “<a target="_blank" rel="noopener noreferrer nofollow ugc" class="dont-break-out" href="https://api.gitter.im/v1/rooms">https://api.gitter.im/v1/rooms</a>&quot; -d ‘{“uri”:”kovan-testnet/faucet”}’ extract the room id from the response.</p></li><li><p>Fetch all the chat messages using a loop and the following endpoint <code>GET /v1/rooms/:roomId/chatMessages?limit=50 </code>. Note that this only retrieves the last 50 messages. Use pagination as described in the gitter API documentation to get all the other previous messages.</p></li></ol><p>My initial code is available in my ‘identifyEth’ <a target="_blank" rel="noopener noreferrer nofollow ugc" class="dont-break-out" href="https://github.com/alexstolr/identifyeth">repository</a>, however I also developed an extended version which extracts more data and integrates with several APIs and provides additional information.</p><h2 id="h-sample-data" class="text-3xl font-header !mt-8 !mb-4 first:!mt-0 first:!mb-0">Sample data</h2><p>*identifying information was removed</p><figure float="none" data-type="figure" class="img-center" style="max-width: null;"><img src="https://storage.googleapis.com/papyrus_images/bb496821c992777f956723b283e60b82d678c3b10a7ecbe8f645d36d2bd83ee4.png" alt="" blurdataurl="data:image/gif;base64,R0lGODlhAQABAIAAAP///wAAACwAAAAAAQABAAACAkQBADs=" nextheight="600" nextwidth="800" class="image-node embed"><figcaption HTMLAttributes="[object Object]" class="hide-figcaption"></figcaption></figure><p>sample of the data</p><h2 id="h-dataset-applications" class="text-3xl font-header !mt-8 !mb-4 first:!mt-0 first:!mb-0">Dataset applications</h2><p>In some of the cases, the user was aware about privacy and used a one-time address, specially created one time GitHub account using a one-time email address. In other cases, when the person shares personal information such as name, email address, LinkedIn account, etc, looking at the GitHub/Twitter account could expose the REAL identity of the address/wallet owner, Furthermore, if the same address was used in mainnet, this could expose the address owner’s crypto financial activity, along with other owned addresses by using some advanced methods. We can probably assume that Microsoft (GitHub), and Twitter can access metadata related to their users, the IPs from which the account was created, and other interesting user related data. This information could be used by malicious actors such as scammers or even government backed hackers, companies, governments and law enforcement agencies.</p><h2 id="h-breakdown-of-the-data" class="text-3xl font-header !mt-8 !mb-4 first:!mt-0 first:!mb-0">Breakdown of the data</h2><p>Total of <strong>278,090</strong> records extracted. <strong>126,823</strong> unique addresses. <strong>39,287</strong> unique addresses <strong>with positive balance on mainnet</strong>.</p><p>The total amount of ETH held on these addresses is 19,318.</p><p>The total amount of USDT held on these addresses is 10,560,961.</p><p>The total amount of USDC held on these addresses is 34,938,658.</p><p>The total amount of DAI held on these addresses is 2,881,050.</p><p>The total amount of WBTC held on these addresses is 88.70257.</p><p>Excluding any other token and NFT’s and other chains such as BSC, Polygon, etc. Meaning — at least <strong>110,328,886</strong>$ based on the current ETH price of 3008$ and BTC price of 43286$.</p><p>The holdings of some of the largest accounts are:</p><ol><li><p>0x4b85a658bd606ba20745fdc644a109eba9abe553 1025.64814ETH(3,622,220$) + 2,476,512.22$ worth of tokens.</p></li><li><p>0x331B898B738146E3Fc55385216DD46a2CdE9462f 630.143ETH(2,223,656.53$)</p></li><li><p>0xb1dB3e730dF1833983222130cF95139f6b563578 612.122ETH($2,161,416.76) +10,950,304.38$ worth of tokens</p></li></ol><p>A quick check shows that at least one of these address owners is identifiable using the dataset.</p><h2 id="h-example" class="text-3xl font-header !mt-8 !mb-4 first:!mt-0 first:!mb-0">Example</h2><p>Let’s dive into one of the records from the data set:</p><p>2021–09–07T01:04:39.836Z,0x6773ec31aa7719b30a02a3ab151a2b578ef17842,XXXos,AAAAAA BBBBB,<a target="_blank" rel="noopener noreferrer nofollow ugc" class="dont-break-out" href="https://avatars2.githubusercontent.com/u/27937746?v=4&amp;s=128,github">https://avatars2.githubusercontent.com/CCCCCCCCCCC,github</a>,0.008869738068446203,0,0,0,0</p><p>I made sure to remove any identifying data, but this is an example of how this data could be used.</p><p>The record provides us the date in which the faucet request was submitted, The GitHub username, Real full name (First and Last) and the user avatar.</p><figure float="none" data-type="figure" class="img-center" style="max-width: null;"><img src="https://storage.googleapis.com/papyrus_images/9655e61b418f55abadac97c0c5cb3e5aa710d62bc234c81bed672cfff072ced5.jpg" alt="" blurdataurl="data:image/gif;base64,R0lGODlhAQABAIAAAP///wAAACwAAAAAAQABAAACAkQBADs=" nextheight="600" nextwidth="800" class="image-node embed"><figcaption HTMLAttributes="[object Object]" class="hide-figcaption"></figcaption></figure><p>GitHub account of XXXXos</p><p>As you can see, we can extract the users’ Gmail, LinkedIn account, which basically disclose his real identity (Which we already have anyway from the dataset).</p><p>Now lets take a look at the users Ethereum address on the <a target="_blank" rel="noopener noreferrer nofollow ugc" class="dont-break-out" href="https://kovan.etherscan.io/address/0x6773ec31aa7719b30a02a3ab151a2b578ef17842">Kovan testnet explorer</a>:</p><p>0x6773Ec31Aa7719b30A02A3Ab151a2b578eF17842</p><figure float="none" data-type="figure" class="img-center" style="max-width: null;"><img src="https://storage.googleapis.com/papyrus_images/4df7bfd5aaf995f7a6ae865cf4aa4272bc29dd7b0a9ff51f96419d98e2d95eed.jpg" alt="" blurdataurl="data:image/gif;base64,R0lGODlhAQABAIAAAP///wAAACwAAAAAAQABAAACAkQBADs=" nextheight="600" nextwidth="800" class="image-node embed"><figcaption HTMLAttributes="[object Object]" class="hide-figcaption"></figcaption></figure><p>We can see that the address owner, initially received some funds from the faucet, and then he created some contracts and sent some funds to the Kovan Chainlink contract(oxa36…). Which indicates that the user is probably learning or developing an application.</p><p>Now lets take a look at the same address on the <a target="_blank" rel="noopener noreferrer nofollow ugc" class="dont-break-out" href="https://etherscan.io/address/0x6773ec31aa7719b30a02a3ab151a2b578ef17842">Ethereum mainnet</a>:</p><figure float="none" data-type="figure" class="img-center" style="max-width: null;"><img src="https://storage.googleapis.com/papyrus_images/516d6bb81742e9520846f5b569878c3bc948a120ea62458ac6bb38b9b7ae81f2.jpg" alt="" blurdataurl="data:image/gif;base64,R0lGODlhAQABAIAAAP///wAAACwAAAAAAQABAAACAkQBADs=" nextheight="600" nextwidth="800" class="image-node embed"><figcaption HTMLAttributes="[object Object]" class="hide-figcaption"></figcaption></figure><p>The address owner used the same address on testnet for his mainnet activity, which now discloses some of his real life financial activity. We can see that he own 34.44$ worth of Ethereum and 152.01$ worth of some other tokens in the current market price. The Ethereum owned in this address was most likely purchased on an exchange(based on the <a target="_blank" rel="noopener noreferrer nofollow ugc" class="dont-break-out" href="https://etherscan.io/address/0x912fd21d7a69678227fe6d08c64222db41477ba0">activity </a>of the input address in the first transaction) and withdrawn to this address. The address owner than tried to make an interaction(which failed due to lack of gas) with OpenSea the largest NFT market place, and eventually swapped some of the ETH to SPANK token using Metamask .</p><p>This is a simple example, but on the data set you could find accounts which expose large portfolios and activity and can be mapped to real identities.</p><h2 id="h-de-anonymize-other-cryptocurrency-address-owners" class="text-3xl font-header !mt-8 !mb-4 first:!mt-0 first:!mb-0">De-anonymize other cryptocurrency address owners</h2><p>A simple google search for “gitter faucet” shows that the same technique could be used for okexchain and evannetwork(Which i am not familiar with…).</p><figure float="none" data-type="figure" class="img-center" style="max-width: null;"><img src="https://storage.googleapis.com/papyrus_images/0b55c21d105e7e339a555c2846b71dd9e792785440f2fed7961052d5734af900.jpg" alt="" blurdataurl="data:image/gif;base64,R0lGODlhAQABAIAAAP///wAAACwAAAAAAQABAAACAkQBADs=" nextheight="600" nextwidth="800" class="image-node embed"><figcaption HTMLAttributes="[object Object]" class="hide-figcaption"></figcaption></figure><p>“gitter faucet” on google</p><p>Of course, how it can be leveraged depends also on the properties of the blockchain. In Ethereum, testnet and mainnet addresses will be generated in the same manner, thus exposing a testnet address will expose the mainnet activity of the same address. In Bitcoin, knowing the testnet address, you would like to reverse the process of <a target="_blank" rel="noopener noreferrer nofollow ugc" class="dont-break-out" href="https://en.bitcoin.it/wiki/Technical_background_of_version_1_Bitcoin_addresses#How_to_create_Bitcoin_Address">address generation</a> to get the public key, from it you could generate the corresponding mainnet address. However reversing this process is not possible because SHA-256 is a one way function and cannot be reversed.</p><h2 id="h-airdrops-as-a-risk-factor" class="text-3xl font-header !mt-8 !mb-4 first:!mt-0 first:!mb-0">Airdrops as a risk factor</h2><p>A known way for new Defi protocols of testing their protocols, is deploying the dApp to testnet with an incentive campaign called an airdop. Such campaigns attract users to “play around” in the testnet environment and perform some actions in the new protocol before it launches to mainnet.</p><p>The addresses that were active in the testnet during the incentivized testnet campaign later receive some governance or utility tokens of that protocol as a reward for their participation. This method forces users to use the same address on both testnet and mainnet. This increases the risk of exposing their real mainnet activities.</p><h2 id="h-conclusions-and-further-discussion" class="text-3xl font-header !mt-8 !mb-4 first:!mt-0 first:!mb-0">Conclusions and further discussion</h2><p>Clearly, Blockchain/Crypto developers must be aware of their privacy as most of the ledgers are public and different techniques could be used to de-anonymize their activity. However, requiring users to link their address to their online identity in faucets is at best a poor design for such a system.</p><p>Some of the possible methods to avoid identification using faucets are: Using a proxy, creating new accounts, avoiding the usage of Testnet wallet on Mainnet, using privacy enhancing crypto solutions.</p><p>Faucet analytics — Exploring the dataset shows that there was a massive spike in the faucet activity at the end of March after which Ethereum price spiked to an ATH at mid April.</p><figure float="none" data-type="figure" class="img-center" style="max-width: null;"><img src="https://storage.googleapis.com/papyrus_images/c81b7c57d61e6be1724a769a5fdd81b0ed9596e79705eeffe44e335ef4ba1c0d.png" alt="" blurdataurl="data:image/gif;base64,R0lGODlhAQABAIAAAP///wAAACwAAAAAAQABAAACAkQBADs=" nextheight="600" nextwidth="800" class="image-node embed"><figcaption HTMLAttributes="[object Object]" class="hide-figcaption"></figcaption></figure><p>Other unique patterns such as same address being used by multiple different accounts allowes mapping teams working on the same project.</p><figure float="none" data-type="figure" class="img-center" style="max-width: null;"><img src="https://storage.googleapis.com/papyrus_images/51b57df7d412b6d307d0fbc04e3239b087b533af67aceb0184a99deb01c5b4af.png" alt="" blurdataurl="data:image/gif;base64,R0lGODlhAQABAIAAAP///wAAACwAAAAAAQABAAACAkQBADs=" nextheight="600" nextwidth="800" class="image-node embed"><figcaption HTMLAttributes="[object Object]" class="hide-figcaption"></figcaption></figure><h2 id="h-about-me" class="text-3xl font-header !mt-8 !mb-4 first:!mt-0 first:!mb-0">ABOUT ME</h2><p>I am a Blockchain Developer at the Applied Research group in J.P. Morgan. I am a Computer Science graduate from Ben Gurion University.</p><h2 id="h-links" class="text-3xl font-header !mt-8 !mb-4 first:!mt-0 first:!mb-0">Links</h2><p>Github repository: <a target="_blank" rel="noopener noreferrer nofollow ugc" class="dont-break-out" href="https://github.com/alexstolr/identifyeth">https://github.com/alexstolr/identifyeth</a></p><p>Linkedin: <a target="_blank" rel="noopener noreferrer nofollow ugc" class="dont-break-out" href="https://il.linkedin.com/in/alex-stoliar-6a6416a4">https://linkedin.com/in/alex-stoliar-6a6416a4</a></p><p>Email: <a target="_blank" rel="noopener noreferrer nofollow ugc" class="dont-break-out" href="mailto:alexstolr@gmail.com">alexstolr@gmail.com</a></p><h2 id="h-any-views-or-opinions-expressed-are-my-own" class="text-3xl font-header !mt-8 !mb-4 first:!mt-0 first:!mb-0"><strong>Any views or opinions expressed are my own</strong></h2>]]></content:encoded>
            <author>alexstolr@newsletter.paragraph.com (Alex Stoliar)</author>
        </item>
    </channel>
</rss>