Mapping the DeFi Crime Landscape: An Evidence-based Picture

README - Crime Events Dataset

This document provides a detailed overview of the structure of the dataset for the paper: "Mapping the DeFi crime landscape: An Evidence-based Picture", published in the Journal of Cybersecurity, and available here: https://academic.oup.com/cybersecurity/article/11/1/tyae029/7962044

The following fields are included, each representing different aspects of the events collected.

Data Fields

1. unique_key
    Description: A unique number assigned to identify each event in the dataset.

2. Agregators 
    Description: The sources where the event is listed. Aggregators include:
     - De.Fi REKT
     - SlowMist
     - CryptoSec (rebranded to ChainSec as of February 2023)

3. DeFi actor involved 
    Description: The name of the DeFi actor involved in the event (target, perpetrator, or intermediary).
    Sources: 
     - On De.Fi REKT: Found as the "Title" of the event’s listing.
     - On SlowMist: Found under the “Hacked target” title.
     - On CryptoSec: Found in the "Title" of the event’s listing with the date.

4. REKT URL  
    Description: The URL to the event's listing on De.Fi REKT.
    Process: Found by searching for the DeFi actor involved in the REKT Database: https://de.fi/rekt-database

5. SlowMist URL  
    Description: The URL to the event's listing on SlowMist.
    Process: Available via https://hacked.slowmist.io/search/. Note that searching the actor's name will lead to the event but without an individualized URL.

6. CryptoSec URL  
    Description: The URL to the event's listing on CryptoSec.
    Process: Found at https://chainsec.io/defi-hacks/. Events are listed on a single page; use traditional keyboard search to locate specific events.

7. Aggregator Summary  
    Description: A summary of the event provided by the aggregator.
    Sources: 
     - On De.Fi REKT: Found under "Quick Summary" and "Details of the Exploit".
     - On SlowMist: Under "Description of the event".
     - On CryptoSec: Below the title in quotation marks.

8.  Aggregator sources URL  
     Description: The URLs of references linked by the aggregator in the event’s listing.
     Sources:
     - On De.Fi REKT: Found at the bottom by clicking "Source" or "Archived link".
     - On SlowMist: Found by clicking "View Reference Sources".
     - On CryptoSec: Available by clicking the source’s name at the end of the summary.

9.  Event date  
     Description: The date the event occurred.
     Sources:
     - On De.Fi REKT: Listed under the "Date" field.
     - On SlowMist: At the top right of the listing.
     - On CryptoSec: Listed in parentheses behind the actor’s name.

10. Event year  
      Description: The year the event occurred, extracted from the Event date.

11. Stolen amount USD  
      Description: The total amount stolen, converted to USD.
      Sources:
      - On De.Fi REKT: Found under "Funds lost".
      - On SlowMist: Under the title “Amount of loss”.
      - On CryptoSec: Behind the title "Amount stolen".
      Note: If needed, conversions were manually performed using CoinMarketCap’s historical data as explained in the paper. 

12. Implication of actor  
      Description: Indicates whether the DeFi actor was a target, perpetrator, or intermediary in the event. Manually coded after reviewing the aggregator’s summary and linked sources.

13. Strategy  
      Description: The main approach used to steal funds. Six categories are possible: Technical vulnerability, Human risks, Undetermined, Malicious use of contract, Misappropriation of funds, and Imitation. This was manually coded from the event summary and sources.

14. General tactic  
      Description: The common techniques or methods used by malicious actors. Eleven categories are possible, defined in the appendix. Manually coded after reviewing the summary and linked sources.

15. Specific tactic  
      Description: The precise technique used to commit the crime. Thirty-seven categories are possible, defined in the appendix. This was manually coded based on the event summary and sources.

16. Paper category  
      Description: The main area of operation of the involved DeFi actor. Twelve categories are possible: Blockchain, Bridge, DApp, Derivatives, Exchange, Fungible Token (FT), Non-Fungible Token (NFT), Oracle, Yield, Staking, and Others. This was determined by the event summary and research on the actor.

17. Stack category  
      Description: The technical layer of the DeFi Stack Reference (DSR) model corresponding to the paper category. Five categories are possible: DeFi Compositions (CP), DeFi Protocols (P), Cryptoassets (CA), Distributed Ledger Technology (DLT), and Interfaces (INT).

---

For more detailed information on the tactics, strategies, or categories used, please refer to the appendix of the dataset or the associated documentation.

The previous version included duplicates. They have been removed in the second version.