Mapping the DeFi Crime Landscape: An Evidence-based Picture

*PLEASE REFER TO THE SECOND VERSION UPLOADED IN JANUARY 2025. THIS VERSION CONTAINS A FEW DUPLICATES. VERSION 2 IS AVAILABLE FOR DOWNLOAD HERE:  https://zenodo.org/records/14706760

README - Crime Events Dataset

This document provides a detailed overview of the structure of the dataset for the paper: "Mapping the DeFi crime landscape: An Evidence-based Picture".  

The following fields are included, each representing different aspects of the events collected.

Data Fields

1. unique_key
    Description: A unique number assigned to identify each event in the dataset.

2. Agregators 
    Description: The sources where the event is listed. Aggregators include:
     - De.Fi REKT
     - SlowMist
     - CryptoSec (rebranded to ChainSec as of February 2023)

3. DeFi actor involved 
    Description: The name of the DeFi actor involved in the event (target, perpetrator, or intermediary).
    Sources: 
     - On De.Fi REKT: Found as the "Title" of the event’s listing.
     - On SlowMist: Found under the “Hacked target” title.
     - On CryptoSec: Found in the "Title" of the event’s listing with the date.

4. REKT URL  
    Description: The URL to the event's listing on De.Fi REKT.
    Process: Found by searching for the DeFi actor involved in the REKT Database: https://de.fi/rekt-database

5. SlowMist URL  
    Description: The URL to the event's listing on SlowMist.
    Process: Available via https://hacked.slowmist.io/search/. Note that searching the actor's name will lead to the event but without an individualized URL.

6. CryptoSec URL  
    Description: The URL to the event's listing on CryptoSec.
    Process: Found at https://chainsec.io/defi-hacks/. Events are listed on a single page; use traditional keyboard search to locate specific events.

7. Aggregator Summary  
    Description: A summary of the event provided by the aggregator.
    Sources: 
     - On De.Fi REKT: Found under "Quick Summary" and "Details of the Exploit".
     - On SlowMist: Under "Description of the event".
     - On CryptoSec: Below the title in quotation marks.

8.  Aggregator sources URL  
     Description: The URLs of references linked by the aggregator in the event’s listing.
     Sources:
     - On De.Fi REKT: Found at the bottom by clicking "Source" or "Archived link".
     - On SlowMist: Found by clicking "View Reference Sources".
     - On CryptoSec: Available by clicking the source’s name at the end of the summary.

9.  Event date  
     Description: The date the event occurred.
     Sources:
     - On De.Fi REKT: Listed under the "Date" field.
     - On SlowMist: At the top right of the listing.
     - On CryptoSec: Listed in parentheses behind the actor’s name.

10. Event year  
      Description: The year the event occurred, extracted from the Event date.

11. Stolen amount USD  
      Description: The total amount stolen, converted to USD.
      Sources:
      - On De.Fi REKT: Found under "Funds lost".
      - On SlowMist: Under the title “Amount of loss”.
      - On CryptoSec: Behind the title "Amount stolen".
      Note: If needed, conversions were manually performed using CoinMarketCap’s historical data as explained in the paper. 

12. Implication of actor  
      Description: Indicates whether the DeFi actor was a target, perpetrator, or intermediary in the event. Manually coded after reviewing the aggregator’s summary and linked sources.

13. Strategy  
      Description: The main approach used to steal funds. Six categories are possible: Technical vulnerability, Human risks, Undetermined, Malicious use of contract, Misappropriation of funds, and Imitation. This was manually coded from the event summary and sources.

14. General tactic  
      Description: The common techniques or methods used by malicious actors. Eleven categories are possible, defined in the appendix. Manually coded after reviewing the summary and linked sources.

15. Specific tactic  
      Description: The precise technique used to commit the crime. Thirty-seven categories are possible, defined in the appendix. This was manually coded based on the event summary and sources.

16. Paper category  
      Description: The main area of operation of the involved DeFi actor. Twelve categories are possible: Blockchain, Bridge, DApp, Derivatives, Exchange, Fungible Token (FT), Non-Fungible Token (NFT), Oracle, Yield, Staking, and Others. This was determined by the event summary and research on the actor.

17. Stack category  
      Description: The technical layer of the DeFi Stack Reference (DSR) model corresponding to the paper category. Five categories are possible: DeFi Compositions (CP), DeFi Protocols (P), Cryptoassets (CA), Distributed Ledger Technology (DLT), and Interfaces (INT).

---

For more detailed information on the tactics, strategies, or categories used, please refer to the appendix of the dataset or the associated documentation.