An Optimized Framework for Detecting Suspicious Accounts in the Ethereum Blockchain Network

Abstract

Detecting, tracking, and preventing cryptocurrency money laundering within blockchain systems is a major challenge for governments worldwide. This paper presents an anomaly detection model based on blockchain technology and machine learning to identify cryptocurrency money-laundering accounts within Ethereum blockchain networks. The proposed model employs Particle Swarm Optimization (PSO) to select optimal feature subsets. Additionally, three machine learning algorithms—XGBoost, Isolation Forest (IF), and Support Vector Machine (SVM)—are employed to detect suspicious accounts. A Genetic Algorithm (GA) is further applied to determine the optimal hyperparameters for each machine learning model. The evaluations demonstrate the superiority of the XGBoost algorithm over SVM and IF, particularly when enhanced with GA. It achieved accuracy, precision, recall, and F1-score values of 0.98, 0.97, 0.98, and 0.97, respectively. After applying GA, XGBoost’s performance metrics improved to 0.99 across all categories.

1. Introduction

The rise of cryptocurrency applications and their underlying technology, blockchain, has transformed the financial sector, introducing new opportunities for innovation and investment. This shift challenges conventional banking systems and establishes the foundation for a decentralized digital economy [1]. Cryptocurrency represents only one part of blockchain applications, where the technology ensures secure transaction processing and record-keeping. This technology extends to various industries, including the Internet of Things (IoT), government operations, and healthcare [2]. The anonymity and decentralization of cryptocurrencies have attracted criminal misuse, including illicit activities such as fraud, money laundering, and terrorist financing. Data reveals that around $33 billion in cryptocurrency was laundered from 2017 to 2021, with $8.7 billion explicitly earmarked for money laundering through cryptocurrency in 2021 [3]. Cryptocurrency money laundering is illegal and involves obscuring the source of funds, making it difficult to trace the illicit origins of the funds. Various methods can be employed, such as transferring funds through multiple intermediary accounts [4,5]. Traditional anti-money laundering models face challenges in detecting cryptocurrency money laundering due to the inherent anonymity of these transactions. Cryptocurrency money laundering often employs techniques such as money mixing, smurfing, and fiat exchanges, which significantly hinder the tracking of laundered funds [6,7].

Therefore, creating a robust detection model is essential in the fight against cryptocurrency money laundering. The integration of artificial intelligence (AI) and blockchain technology within the crypto-system has facilitated the implementation of anomaly detection to pinpoint suspicious or irregular activities, especially those linked to money laundering schemes [8].

This study contributes by integrating Genetic Algorithm (GA) with XGBoost within a layered anomaly detection framework for suspicious Ethereum accounts. While prior works have applied Particle Swarm Optimization (PSO) for feature selection or relied on single machine learning models, our framework uniquely combines PSO-driven feature selection with GA-based hyperparameter tuning. This dual optimization strategy enables the system to both select the most discriminative features and refine model parameters adaptively, resulting in consistently higher detection performance.

Unlike earlier approaches that primarily evaluated small or synthetic blockchain datasets, this work is validated on a large-scale Ethereum transaction dataset with real-world labeling of suspicious and benign accounts. This ensures that the model addresses practical challenges such as class imbalance, noise, and high-dimensional features, which are often overlooked in the literature.

The contribution of this work can be summarized as follows:

• Hybrid Optimization Framework: We present the first integrated framework that applies PSO for feature selection and GA for hyperparameter tuning across three state-of-the-art classifiers (XGBoost, SVM, Isolation Forest).
• Performance Gains on Real Data: Experimental results show that the GA-tuned XGBoost consistently outperforms existing methods, achieving up to 99% accuracy and recall, which surpasses reported benchmarks in recent studies.
• Scalability and Robustness: The proposed approach demonstrates strong scalability to large Ethereum datasets and maintains robustness even in the presence of noise and incomplete features.
• Comparative Validation: A thorough baseline comparison with established methods such as Local Outlier Factor (LOF) and Classification and Regression Trees (CART) illustrates clear improvements, reinforcing the originality and practical utility of the proposed framework.

The rest of this paper is organized as follows: Section 2 reviews the literature, while Section 3 presents the system models. Section 4 discusses the trust models; Section 5 details the proposed model, followed by performance results and a discussion in Section 6.

2. Literature Review

Anomaly detection for suspicious accounts in blockchain can typically be divided into two primary methodologies. First, regarding machine learning methods, Wu et al. [9] have presented XBlockFlow, a framework designed to identify money laundering involving crypto-assets. Initially, the framework identifies the source accounts of scammers, Decentralized Finance (DeFi) exploiters, and exchange hackers. It then monitors downstream transactions and addresses through taint analysis. In the final stage, the framework classifies service providers by utilizing advanced machine learning techniques, including token swapping and the creation of counterfeit tokens not found in the Bitcoin ecosystem. The framework has demonstrated an accuracy of 90% and a recall of 96.2% [9].

Fu et al. [10] proposed a framework for assessing the risk of Ethereum accounts using a suspiciousness metric. This framework detects illicit transactions and accounts through graph-based fraud ratings, achieving a reliability of 86.8% for suspicious accounts and 71.8% for benign accounts with a trustworthiness of 99% [10]. In 2024, Lin et al. [11] developed the DensFlow framework to detect and track accounts involved in money laundering. It utilizes graph-based anomaly detection, incorporating dense subgraphs and the maximum flow concept. This framework was evaluated on four datasets and achieved a precision of 99% [11]. Fangfang et al. [12] have presented an anomaly detection system on the exchange blockchain network to detect suspicious account behavior. Their method uses the Suspicious Money Laundering Account Detection (SMLAD) algorithm. It utilizes the Local Outlier Factor (LOF) and clustering algorithms to identify anomalous transaction behaviors and values. This approach has yielded a 95% accuracy rate in identifying suspicious accounts [12]. Wei et al. [13] have proposed a model using heuristic algorithms to address money laundering in the Ethereum platform, achieving an accuracy of 43.6% [13].

Saxena et al. [14] developed a model using supervised learning to classify malicious and non-malicious transactions, achieving its highest accuracy of 60.9% with Classification and Regression Trees (CART) [14]. Alarab et al. [15] have suggested a way to find fake accounts or transactions on Bitcoin or Ethereum datasets using XGBoost and Random Forest. They achieved 99% accuracy with the edited nearest-neighbor method [16]. Elmougy et al. [16] have proposed an anomaly detection system for identifying suspicious transactions and accounts (money laundering accounts) within the Bitcoin and Ethereum networks. Using Support Vector Machine (SVM), Random Forest, and Logistic Regression, the system has achieved an accuracy of 93% for the Bitcoin network and 82% for the Ethereum network [16]. Farrugia et al. [17] have proposed a model for detecting suspicious accounts using the XGBoost technique. The model has identified the top three features that have the most significant impact on the final output, which are the ‘Time difference between first and last (minutes),’ ‘Total Ether balance,’ and ‘Minimum value received.’ These features have achieved an average accuracy of 96% [17].

Second, regarding deep learning methods, Yang et al. [18] have developed an anomaly detection system to identify unusual money laundering patterns in various transaction datasets. The system utilizes Long Short-Term Memory (LSTM) and Graph Convolutional Neural Network (GCN) for labeled data and Histogram-Based Outlier (HBOS) and Isolation Forest (IF) for unlabeled data. It achieved 85.42% accuracy [18]. Badawi et al. [19] have introduced an anti-money laundering system that analyzes cryptocurrency transactions to identify both suspicious and benign transactions. This system has utilized shallow neural networks and decision trees to construct classification models, achieving classification accuracies of 89.9% and 93.4%, respectively [19]. In Appendix A, Table A1 presents a summary of the related work mentioned.

Despite the constraints of prior research, which often relied on small datasets to construct anomaly detection models, our study aims to enhance performance and precision by utilizing a more robust dataset and advanced techniques. In this study, the proposed model aims to detect suspicious accounts and prevent cryptocurrency money laundering on the Ethereum network. It utilizes the Particle Swarm Optimization algorithm, an intelligent optimization algorithm, to select the best subset of features from the dataset. The genetic algorithm (GA) is used to automate the process of hyperparameter tuning.

3. The Proposed Ethereum System Model

The proposed model in this study is built on the Ethereum blockchain network, which is a decentralized, peer-to-peer computer network based on blockchain technology [15]. In 2013, Vitalik Buterin proposed the Ethereum network as a public, permissionless, transparent, immutable, anonymous, and distributed public ledger that verifies and records all transactions [20,21]. Figure 1 displays the structure of the Ethereum blockchain network, which consists of two types of nodes: miner nodes and Ethereum Virtual Machine (EVM) nodes. The miner nodes are responsible for several key activities, including:

Figure 1. Ethereum blockchain network.

• Incorporating mined transactions into fresh blocks and uploading these blocks to the Ethereum ledger.
• Notifying other miners about newly mined blocks.
• Accepting newly discovered blocks from other miners and keeping their ledger instances up to date.

On the other hand, the EVM nodes are responsible for executing smart contracts and transactions. All nodes in the network are connected via a peer-to-peer protocol [22].

From an application perspective, each node acquires one of two types of accounts: externally owned accounts or contract accounts. The former is used to store transactions, while the latter stores the details of smart contracts. Each account is associated with a pair of public and private keys, where the public key is used for identification, and the private key is kept secret. Generally, the public key consists of 256 bits, but Ethereum only utilizes the first 160 to identify an account [23].

In the Ethereum Network, blocks are linked together and secured using cryptographic tools. To link different blocks, each block contains a cryptographic hash of the previous block to ensure data immutability [24,25]. A block of transactions consists of two components: the block header and the block body. The block header contains metadata of the block, such as the previous block hash, timestamp, nonce, and Merkle root. In contrast, the block body contains a list of transactions that are explicitly transmitted to an application, such as those related to cryptocurrency or smart contracts [26,27]. As illustrated in Figure 2, every transaction applies a hash function to create and store a hash value. The hash values of every two transactions are further hashed to generate another hash value. This process ultimately generates a single hash value from all transactions within the block, referred to as the transaction Merkle root hash value, and stores it in a block header. A change in any transaction will result in a change in its hash value and, consequently, a change in the root transaction hash value, thereby ensuring the immutability of transactions. Additionally, nodes in Ethereum networks utilize consensus protocols to verify transactions and reach a consensus about the current state of the distributed ledger [28].

Figure 2. Ethereum block structure.

Money Laundering Threats in Ethereum Networks

Within Ethereum networks, several types of money laundering attacks exist. This study characterizes money laundering attacks involving suspicious accounts and categorizes them into Money-Mixing, Pump and Dump, Wash-Trading, and Whale Wall Spoofing [29,30,31,32,33,34,35]:

• Money-Mixing attack: In this scheme, a dishonest node leverages a service to blend potentially traceable cryptocurrency funds, masking their origins and rendering them untraceable.
• Pump and Dump attack: A dishonest node artificially inflates the value of an asset or cryptocurrency by creating a false impression of interest.
• Wash-trading attack: A dishonest node rapidly buys and sells a cryptocurrency or asset to create the illusion of market activity.
• Whale Wall Spoofing attack: Similar to wash trading, a large entity (a ‘whale’) places significant buy or sell orders to manipulate the market.

In this paper, the proposed detection model categorizes these attacks as suspicious accounts and recognizes them as variants of money laundering. The utilized dataset comprises 9841 unique accounts, each represented by a node in the Ethereum network [36]. On average each account sends about 5000 transactions and receives about 5081. The network employs Proof of Stack (PoS) to verify transactions [28].

4. The Proposed Detection Model

The proposed detection model, based on blockchain technology and machine learning, aims to identify cryptocurrency money laundering within the Ethereum network. This model utilizes the Particle Swarm Optimization (PSO) to extract an initial optimal subset of features automatically. Furthermore, it introduces a hybrid approach that combines the Genetic Algorithm (GA) with XGBoost, SVM, and Isolation Forest (IF) for hyperparameter optimization, achieving an effective configuration for identifying suspicious accounts on the Ethereum network. The model includes four key stages: data collection, data preprocessing, development of the classification model, and implementation of the learning model. Figure 3 illustrates the proposed detection framework.

Figure 3. The proposed detection framework.

4.1. Data Collection Stage

Data collection is essential for detecting suspicious activity, as it captures the characteristics of the Ethereum blockchain network. The experimental evaluation in this study uses transaction data from the Ethereum blockchain network. The dataset is composed of raw Ethereum transactions that include details such as sender and receiver addresses, transaction values, timestamps, and associated smart contract interactions. This dataset was chosen due to Ethereum’s growing use in financial transactions, where illicit activities such as money laundering are frequently reported [36].

The dataset was collected through Ethereum public ledger extractions and cross-referenced with open-source intelligence platforms, including Etherscan reports, community-driven blacklists, and prior studies documenting accounts involved in fraudulent or suspicious activities. These external repositories provide reliable ground truth for labeling accounts and transactions. The dataset comprises 50 million transactions and 9841 unique accounts: 7663 benign and 2178 suspicious, all from the Ethereum blockchain network. Suspicious labels were assigned to accounts flagged by monitoring services, law enforcement reports, and crowdsourced verification lists. Benign accounts were randomly sampled from Ethereum users with no record of fraudulent activity. This binary labeling ensures that supervised learning models can differentiate between normal and illicit activities. To ensure the reliability of labels, suspicious account lists were validated through cross-checking across multiple sources. Only accounts flagged by at least two independent sources were included in the suspicious category.

Furthermore, duplicate addresses and contradictory labels were removed to ensure consistency. This validation step increases the credibility of the experimental results and reduces labeling noise. In total, the dataset includes 49 distinct features that represent transactional, structural, and behavioral properties of Ethereum accounts. These features are described in detail in Appendix A (Table A2).

4.2. Data Preprocessing Stage

Preprocessing data is a crucial stage in data analysis, as it enhances the consistency, accuracy, and performance of the algorithm. This stage involves five phases: data cleaning, standardization, feature selection using the PSO algorithm, data balancing, and data splitting.

4.2.1. Data Cleaning

Data cleaning aims to identify and correct errors and inconsistencies in the dataset. The dataset, comprising 9841 accounts, contains duplicate, inaccurate, incomplete, and null values. This study identified 851 instances of missing data across 25 features. To address this, missing data was dropped, resulting in a dataset of 8990 accounts.

4.2.2. Standardization

To mitigate biases and inconsistencies from varying values, data scaling is applied as a vital preprocessing step in machine learning. This involves transforming numerical features to a standard scale. Two common feature scaling techniques are normalization and standardization. This model applies z-score normalization, which transforms features to have a mean of 0 and a standard deviation of 1. Z-score normalization involves subtracting the mean of the feature and dividing it by the standard deviation. This technique is preferred when the data is normally distributed or when the distribution is unknown. Standardization preserves the data distribution and does not constrain features to a fixed range. Equation (1) illustrates the standardization formula [37].

$$\mathrm{z}={\displaystyle \frac{X\text{-}\mathit{Mean}}{\mathrm{standard} \mathrm{deviation}}}$$

(1)

where X represents the feature value after standardization.

4.2.3. Feature Selection Using Particle Swarm Optimization (PSO)

For feature selection, PSO was adopted instead of alternative approaches such as Genetic Algorithm (GA), Ant Colony Optimization (ACO), or random feature search. PSO is particularly well-suited for high-dimensional data spaces such as the Ethereum transaction dataset, where feature interactions are complex and nonlinear. Unlike GA, which relies heavily on crossover and mutation operators that may introduce instability in the selection process, PSO employs a velocity and position updating mechanism that converges more smoothly toward optimal solutions. Similarly, ACO is computationally more expensive in large search spaces, and random search fails to exploit dependencies between features. Through iterative optimization, PSO consistently identified subsets of features that retained high discriminative power while discarding redundant or noisy attributes. The final feature set included financial indicators such as transaction values, temporal features such as inter-transaction time intervals, and graph-based features such as in-degree and out-degree connectivity measures. This combination provided a balanced representation of account behavior across transactional, temporal, and structural dimensions, enhancing the robustness of the downstream classifiers. The PSO technique was introduced by Kennedy and Eberhart in 1995 [38]. PSO combines social and cognitive models, enabling particles to learn from local and global exploration [39]. This optimization method involves particles representing individuals in a population, searching through candidate solutions to the optimization problem. Particles adjust their positions by exploring in a multi-dimensional space until a relatively stable position is reached or until the maximum number of iterations, determined by computational limits, is achieved.

In this initial step, each particle $X_i^j$ is initialized as a candidate solution with $n_x$-dimension representing the number of optimization parameters. At iteration or generation j, the ith particle can be represented as:

$$x_i^j=\left\{a_1,{ a}_2, \text{…},{ a}_{n_x}\right\} \text{∈}{R}^{n_x}$$

(2)

The jth population consists of a set of $n_p$ particles, represented as:

$$x_j=\left\{x_1^j,x_2^j,\dots ,x_{n_p}^j\right\}\in R^{n^p\ast n_x}$$

(3)

The PSO has a population of moving particles that collectively move while each particle swarms in a random direction. The velocity of each moving particle $X_i^j$ is initialized as:

$$V_j=\left\{V_1^j,V_2^j,\dots ,V_{n_p}^j\right\}\in R^{n^p\ast n_x}$$

(4)

The particle velocity is constrained by a maximum value $\pm V_j^{max}.$ Let:

$$V_i^j=\left\{y_1,{ y}_2, \text{…},{ y}_{n_x}\right\} \text{∈}{R}^{n_x}$$

(5)

where i = 1, 2…,${ n}_p$.

The maximum velocity is calculated by:

$$V^{\mathit{max}}=\left\{y_1^{\mathit{max}},y_2^{\mathit{max}},\text{…},y_{n_x}^{\mathit{max}}\right\}\text{∈}{R}^{n_x}$$

(6)

$$y_r^{\mathit{max}}={\displaystyle \frac{a_r^{\mathit{max}}-a_r^{\mathit{min}}}{\mathit{SEG}}}$$

(7)

Here, SEG is an assumed number, $a_r^{\mathit{max}}$ is the maximum value for parameter a, and $a_r^{\mathit{min}}$ is the minimum value for parameter a in particles r = 1, 2, … ,$n_x$.

The weight w(t)$\in R$ controls the influence of previous velocities on the current velocity, impacting the trade-off between global and local exploration of the particles. It is initialized with a large value, and its reduction is defined by

$$w\left(t)=\alpha w\right(t - 1)$$

(8)

where $\alpha$< 1 is a decrement constant close to, but smaller than, 1 ($\alpha = 0.99)$.

In the subsequent step, the search is conducted for the best fitness value (individual best) that denotes X^*, followed by the search for the minimum objective function value $x^{\ast \ast }$ for each i = 1, 2, …,$n_p$. The weight and velocity are updated, and velocity limits are checked as displayed in Equations (9) and (10):

$$w\left(j) = \alpha w\right(j - 1)$$

(9)

$$V_i^j=W\left(j\right)V_i^{j-1}+c_1{r}_1\left(x_i^{\ast }\text{-}{x}_i^{j-1}\right)+c_2{r}_2\left(x_i^{\ast \ast }{\text{-}x}_i^{j-1}\right)$$

(10)

where c₁, c₂ are positive constants (cognitive and social coefficients), r₁, r₂ are random numbers uniformly distributed in the interval [0, 1], W(j) is the updated weight, $V_i^{j-1}$ is the velocity of particle i at the previous iteration, $x_i^{\ast }$ is the individual best, $x_i^{j-1}$ is current position of particle i at iteration j − 1, and $x_i^{\ast \ast }$ is the global best.

The next step involves updating the positions of the particles. Subsequently, the limits of each particle are checked, and both the individual best and global best are updated accordingly, as displayed in Equation (11).

$$x_i^j={ V}_i^j+{ x}_i^{j-1}$$

(11)

Finally, the process stops when the number of generations reaches the maximum allowable number. The PSO algorithm, along with the corresponding pseudocode, is illustrated in Figure 4 and Algorithm 1.

Algorithm 1: PSO algorithm
1:	Initialization parameter: $c_{1,} r_{1, } c_{2,}{ r}_2$, W, $V^{max}$
2:	Population Initialization: Initialize the population with particles having random positions and velocities.
3:	For j = 1 to maximum generation
4:	For i = 1 to the number of particles, ${\mathit{n}}_{\mathit{p}}$
5:	if fitness($x_i^j$) > fitness($x_i^{*}$) then
6:	update $x_i^{*}=x_i^j$
7:	$x_i^{\ast \ast }=x_i^{\ast }$
8:	End if
9:	For d = 1 to iteration
10:	Update Velocity:
11:	$V_{i,d}^j(j+1)=W\left(j\right)V_{i,d}^{j-1}+c_1{r}_1\left(x_i^{\ast }-x_{i,d}^{j-1}\right)+c_2{r}_2\left(x_i^{\ast \ast }-x_{i,d}^{j-1}\right)$
12:	$x_{i,d}\left(j+1\right)=x_{i,d}\left(j\right)+V_{i,d}^j(j+1)$
13:	Return new Velocity
14:	If $V_{i,d}\left(j+1\right)>V^{max}$ then $V_{i,d}\left(j+1\right)=V^{max}$
15:	Else If $V_{i,d}\left(j+1\right)<V^{min}$ then $V_{i,d}\left(j+1\right)=V^{min}$
16:	End If
17:	Update Positions:
18:	if $x_{i,d}\left(j+1\right)>x^{max}$ then $x_{i,d}\left(j+1\right)=x^{max}$
19:	Else If $x_{i,d}\left(j+1\right)<x^{min}$ then $x_{i,d}\left(j+1\right)=x^{min}$
20:	End IF
21:	End For
22:	End For
23:	End

Figure 4. Flow chart for PSO algorithm.

4.2.4. Data Balancing

As depicted in Figure 5, the dataset comprises 7662 benign and 1328 suspicious accounts, revealing an imbalance. The Synthetic Minority Oversampling Technique (SMOTE) is employed to address this issue [40]. Figure 6 illustrates the dataset after applying SMOTE, resulting in a total of 15,324 accounts, evenly split between 7662 benign and 7662 suspicious accounts.

Figure 5. Number of Original Accounts.

Figure 6. Types of Accounts after Oversampling.

4.2.5. Data Splitting

It is essential to divide the available data into distinct sets for training and evaluation while working with machine learning models. This phase involves dividing the dataset into 20% testing data and 80% training data. Subsequently, there are 3065 accounts in the testing data and 12,259 accounts in the training data.

4.3. Classification Stage

XGBoost, Isolation Forest (IF), and Support Vector Machine (SVM) are used in this stage to identify and classify accounts on the Ethereum blockchain network. Hyperparameters control the learning process and determine the optimal values for achieving the best model performance. For hyperparameter optimization, a GA-based search strategy was used to tune the parameters of XGBoost, Support Vector Machine (SVM), and Isolation Forest (IF) [41,42]. The search space for XGBoost included learning rate, maximum tree depth, number of estimators, and subsampling ratio; for SVM, kernel type and regularization parameters were considered; for IF, the number of estimators and contamination factor were optimized. GA was selected over conventional grid search and random search due to its superior ability to navigate large, nonlinear parameter spaces without being constrained by exhaustive enumeration or random sampling inefficiencies. Grid search becomes computationally prohibitive when dealing with multiple interacting parameters, while random search may miss promising regions of the search space altogether. GA, by leveraging evolutionary operators, adaptively refined candidate solutions, and achieved higher convergence efficiency. Empirically, GA-tuned models consistently outperformed baseline methods, with XGBoost showing significant gains in accuracy and recall after GA-based optimization [43].

In GA, a random set of hyperparameters, known as chromosomes, is initialized during the initial population phase. Each chromosome consists of a sequence of genes, each representing a decision variable. In the evaluation phase, each population member is assessed using a fitness function that assigns a value based on specified criteria. The selection phase employs the Roulette Wheel method to randomly pick individuals based on fitness values, with higher values increasing the likelihood of selection. In the crossover phase, new individuals or solutions are generated by combining two selected individuals to create offspring. Finally, in the mutation phase, one or more genes within a chromosome are altered [44,45]. The overall process flow of the Genetic Algorithm is depicted in Figure 7 and Algorithm 2.

Algorithm 2: Genetic algorithm for hyper-tuning parameters
1:	Def genetic_algorithm(hyperparameter_bounds, number of generations, number of parents, offspring_size, mutation_rate)
2:	population = initialize_population (number of parents, hyperparameter_bounds)
3:	Def Fitness Function()
4:	While the current generation < J (maximum number of generations)
5:	fitness_scores = calculate_fitness (population)
6:	parents = selection (population, fitness, number of parents)
7:	offspring = Crossover (parents, offspring_size)
8:	Population = parents + Mutation (offspring, mutation rate, hyperparameter_bounds)
9:	best_hyper-parameters = max (population, key = objective_function)
10:	End While
11:	Return the best hyperparameter.

Figure 7. Genetic algorithm (GA) workflow.

Extreme Gradient Boosting, or XGBoost for short, is a robust boosting technique based on the gradient-boosted decision trees algorithm. It creates a strong, accurate forecast by combining the predictions of several weak models. Due to its ability to manage large datasets and achieve cutting-edge results in various tasks, such as regression and classification, XGBoost has emerged as one of the most popular and widely applied machine learning algorithms [41]. XGBoost is illustrated in Algorithm 3.

Algorithm 3: XGBoost algorithm
1:	Initialize parameters: learning rate (η), number of trees (n_trees), maximum depth of trees (max_depth), and regularization parameters (λ, γ).
2:	Initialize the model predictions to a constant value, typically the mean of the target values.
3	For each tree t in range (1, n_trees + 1)
4:	Calculate the gradient: $g_i={\displaystyle \frac{\partial L\left(y_i,{\widehat{y}}_i\right)}{\partial {\widehat{y}}_i}}$
5:	Calculate the hessian: $h_i={\displaystyle \frac{{\partial }^{2}L\left(y_i,{\widehat{y}}_i\right)}{\partial {\widehat{y}}_i^2}}$
6:	Construct a new decision tree (gradient, hessian)
7:	Apply the regularization parameters (λ, γ) to control the complexity of the tree.
8:	Return new_tree.
9:	Update the model predictions: ${\widehat{y}}_i\leftarrow {\widehat{y}}_i+\eta · \mathrm{new}\text{\_}\mathrm{tree} \left(x_i\right)$
10:	Return new_model.
11:	End For

The Support Vector Machine (SVM) is an efficient machine learning technique widely employed for linear and nonlinear classification, regression, and outlier detection problems. Its function is to discover the best hyperplane that separates data into distinct classes, hence maximizing the margin between them. The dimension of this hyperplane is contingent upon the number of features present. Known as the maximum-margin hyperplane or hard margin, it is chosen to maximize the distance from the hyperplane to the closest data points on either side. Hence, the selection focuses on the hyperplane that maximizes the distance to the nearest data points on each side. In cases where the data includes outliers or is not perfectly separable, SVM adopts the soft margin technique. This strategy introduces a slack variable for each data point, permitting some misclassifications while striking a balance between maximizing the margin and minimizing violations [46]. SVM is illustrated in Algorithm 4.

Algorithm 4: Support vector machine algorithm
1:	Initialize parameters: C, γ, max_iter.
2:	Initialize parameters: Weight (w), Bias (b) → small random values.
3:	For iteration k = 1 to max_iter
4:	For each data point ($x_i$,$y_i$)
	margin = $y_i \ast (w \ast x_i+b)$
5:	If  margin ≥ 1 Then
	wnew = w* γ *w
6:	End If
	If  margin < 1
7:	wnew = w − γ *(w − c*$y_i$ *$x_i$)
8:	End
9:	b = b+ γ *c*$y_i$
10:	End For
11:	End For

The Isolation Forest is a simple yet effective algorithm for quickly identifying outliers or anomalies in a dataset. It introduces binary trees that recursively divide the data by randomly selecting a feature and splitting the data points based on the feature’s value until all data points are isolated from other samples. The max depth of the decision tree is one, and the base estimator of an Isolation Forest is a highly random decision tree (Extra Trees) on various data subsets [46]. Isolation Forest is illustrated in Algorithm 5.

Algorithm 5: Isolation forest algorithm
1:	Initialize parameters: n_estimators, max_samples, Contamination, max_depth, threshold (θ)
2:	Initialize an empty list to store all isolation trees.
3:	For t = 1 to n_estimators + 1
4:	max_samples → randomly selected from the dataset without replacement.
5:	Build an isolation tree(data, depth)
6:	If depth ≥ max_depth
7:	Return a leaf node with the current depth
8:	Else
9:	Randomly select a feature f from the data features
10:	Randomly select a split value s within the range of feature f for the current data points.
11:	Partition the data into two subsets:
12:	Left subset = {x|$x_f$< s}
13:	Right subset = {x|$x_f$≥ s}
14:	Left child = BuildTree(Left subset, depth + 1)
15:	Right child = BuildTree(Right subset, depth + 1)
16:	Return a node with the selected feature f, split s, left child, and right child.
17:	End If
18:	Add the root of the built isolation tree to the list of trees.
19:	End for
20:	Calculate path length (data point x)
21:	Path_length = 0
22:	For t = 1 to n_estimators
23:	Increment path_length by one at Contamination
24:	If x moves to a leaf node, add the final path length and stop
25:	End for
26:	Return path_length
27:	Calculate the expected path length $E\left(h\right(x\left)\right)$ for each data point x
28:	$E(h(x))={\displaystyle \frac{1}{n_{\mathrm{estimators} }}}\sum _{t=1}^{n_{\mathrm{estimators} }} h_t(x)$
29:	Return expected path length
30:	Def an anomaly score function s(x) for x
	s$(x)=2^{-{\displaystyle \frac{E(h(x))}{c(n)}}}$
	$c(n)=2\mathrm{l}\mathrm{n}(\max \text{\_}\mathrm{samples} -1)+0.5772-{\displaystyle \frac{2(\max \text{\_}\mathrm{samples} -1)}{ \max \text{\_}\mathrm{samples} }}$
31:	Classify each data point x based on its anomaly score s(x):
32:	If s(x) > θ: classify x as an anomaly.
33:	Else: classify x as usual.
34:	End If

Table 1 outlines an overview of key hyperparameters for XGBoost, Support Vector Machines (SVM), and Isolation Forest (IF). Hyperparameters are settings that determine the behavior of a machine learning algorithm during training.

Table 1. Hyperparameters for the utilized machine learning algorithms.

Algorithm	Parameter	Description
XGBoost	Learning rate (η)	It is the step size shrinkage used in updates to prevent overfitting
	n_estimators	The number of boosting rounds.
	max_depth	The maximum depth of a tree is used to control overfitting.
	min_child_weight	Defines the minimum sum of weights of all observations required for a child.
	reg_alpha	Used in high-dimensionality cases to speed up the algorithm.
	colsample_bytree	The subsample ratio of columns when constructing each tree.
	reg_lambda (λ)	Used for the regularization part of XGBoost.
	Gamma (γ)	Specifies the minimum loss reduction required to make a split, dependent on the loss function.
SVM	C	Used to control the trade-off between achieving low training error and low testing error.
	Kernel Parameters	Include parameters specific to the chosen kernel function, such as gamma for the radial basis function kernel.
IF	n_estimators	The number of trees.
	max_samples	The subset sample was used in each round.
	Contamination	The proportion of outliers in the dataset.

The proposed detection framework is illustrated in Algorithm 6. It uses the Particle Swarm Optimization (PSO) algorithm to extract the optimal subset of features automatically. It combines the Genetic Algorithm (GA) with XGBoost, SVM, and Isolation Forest (IF) for hyperparameter optimization, achieving an effective configuration for identifying suspicious accounts on the Ethereum network.

Algorithm 6: Proposed detection model
1:	Load the dataset
2:	Call the PSO algorithm on the whole dataset
3:	Return the best feature subset
4:	Call XGBoost:
5:	Apply GA for Hyperparameter tuning
6:	Train the XGBoost model using the optimal hyperparameters obtained from GA.
7:	Return accuracy rate and confusion matrix
8:	Call SVM:
9:	Apply GA for Hyperparameter tuning
10:	Train the SVM model using the optimal hyperparameters obtained from GA.
11:	Return accuracy rate and confusion matrix
12:	Call Isolation Forest:
13:	Apply GA for Hyperparameter tuning
14:	Train the Isolation Forest model using the optimal hyperparameters obtained from GA.
15:	Return accuracy rate and confusion matrix
16:	End

A critical aspect of any anomaly detection framework is its ability to remain robust under varying conditions and to scale effectively as the data grows. Our proposed model demonstrates robustness through its ensemble nature, where the integration of PSO-driven feature selection and GA-based hyperparameter tuning reduces sensitivity to noise and improves stability across different runs. Cross-validation experiments confirmed that the framework maintained consistent accuracy and recall even when subsets of the dataset were varied, indicating that the performance is not overly dependent on a specific partition of the data.

Regarding scalability, the framework was designed to handle the high-dimensional and large-volume nature of blockchain transaction data. XGBoost, in particular, is well-suited for distributed training and parallelization, which makes it adaptable to much larger datasets. The incorporation of PSO reduces the feature space without losing important discriminatory power, which further enhances computational efficiency. Similarly, GA optimization is flexible and can adapt its search to larger hyperparameter spaces when applied to extended datasets.

5. Results and Discussion

The dataset in this study shows a clear imbalance, with more benign accounts than suspicious ones. Consequently, classification models often exhibit bias toward the majority class (benign accounts). To address this imbalance, the Synthetic Minority Over-Sampling Technique (SMOTE) was applied only on the training folds during stratified 5-fold cross-validation. The external test set was kept untouched to avoid data leakage. After applying SMOTE to the training data, the total number of accounts used for training increased to 12,259, while the separate test set consisted of 3065 accounts (1544 benign and 1521 suspicious). This protocol ensures that the reported results reflect the true generalization performance of the models.

To improve the efficacy of the proposed detection model, the PSO algorithm has been applied as a feature selection technique to identify the most significant features within the dataset. The optimization process yielded a feature set of 14 from the original 49 features, achieving a Root Mean Square Error (RMSE) of 0.3443 after 50 iterations. Figure 8 displays the PSO fitness values along these iterations. Table 2 outlines the features after applying the PSO.

Figure 8. Convergence of the PSO fitness function.

Table 2. The features of Post-PSO application.

Feature	Description
Avg Min Between Received Transactions	Average time (in minutes) between received transactions for the account.
Time Difference Between First and Last (Mins)	Time difference (in minutes) between the first and last transaction
Sent Transaction	Total number of benign transactions sent.
Received Transaction	Total number of benign transactions received.
Unique Received From Addresses	Total number of unique addresses to which the account received transactions.
Unique Sent To Addresses	Total number of unique addresses to which the account sent transactions.
Avg Value Sent	The average value of Ether ever sent from the account
Total Transactions (including contract creation)	Total number of transactions, including those to create contracts.
Total ERC20 Transactions	Total number of ERC20 token transfer transactions
Total ERC20 sent (in Ether)	The total value of the ERC20 token sent in Ether
Unique ERC20 Sent address	Number of unique addresses that received ERC20 token transactions.
Minimum Value Sent (ERC20)	The minimum value (in Ether) sent from ERC20 token transactions for the account.
Maximum Value Sent (ERC20)	The maximum value (in Ether) sent from ERC20 token transactions for the account.
Average Value Sent (ERC20)	Average value (in Ether) sent from ERC20 token transactions for the account.

Table 2 outlines the most significant features affecting the identification of cryptocurrency money laundering activities. Substantial variations in the volume of outgoing and incoming transactions may indicate efforts to conceal illicit activities. Moreover, significant inflows from multiple sources, particularly when amounts are similar, may indicate structuring or aggregation of funds, both common strategies in money laundering. Money laundering often involves the rapid circulation of funds.

To automatically determine the optimal values for each parameter, the proposed detection model utilized a Genetic Algorithm (GA). Table 3 provides an overview of the essential statistics for each generation. Table 4 shows the progress of the genetic algorithm, illustrating how population fitness changes across generations. The output presented reflects the development and outcomes of the genetic algorithm over 20 generations.

Table 3. Statistics key for GA.

Parameters	Description
Gen_no	The generation number.
N_evals	The number of individuals evaluated in that generation.
Avg	The average fitness value of the population in that generation.
Std	The standard deviation of the fitness values indicates the variability within the population.
Min	The minimum fitness value in the population.
Max	The maximum fitness value in the population.

Table 4. Genetic algorithm’s progress.

Gen_no	N_evals	Avg	Std	Min	Max
0	50	0.878	0.013	0.853	0.8997
1	33	0.890	0.005	0.874	0.9002
2	30	0.894	0.004	0.887	0.9004
3	32	0.897	0.003	0.889	0.9024
4	32	0.899	0.0002	0.893	0.9035
5	29	0.901	0.0019	0.894	0.9063
6	23	0.902	0.0027	0.982	0.9098
7	24	0.905	0.0024	0.901	0.9098
8	20	0.906	0.0019	0.902	0.9104
9	34	0.907	0.0012	0.905	0.9104
10	28	0.908	0.001	0.906	0.9106
11	21	0.909	0.0009	0.908	0.9123
12	31	0.910	0.0012	0.9066	0.9152
13	38	0.911	0.1524	0.9087	0.9161
14	28	0.912	0.0018	0.9088	0.9179
15	27	0.914	0.0018	0.9087	0.9178
16	25	0.915	0.0014	0.9113	0.9174
17	25	0.915	0.0009	0.9126	0.9178
18	33	0.916	0.0007	0.9121	0.9183
19	22	0.917	0.0007	0.9162	0.9183
20	31	0.918	0.0005	0.9162	0.9183

Three machine learning algorithms—XGBoost, SVM, and IF—were optimized by Genetic Algorithm (GA) to fine-tune their parameters. Table 5, Table 6 and Table 7 illustrate the tuning parameters for XGBoost, SVM, and Isolating Forest, respectively.

Table 5. Hyperparameter tuning for XGBoost.

Hyperparameters	N_estimators	Gamma	Min_child_ Weight	Col_sample_ by Tree	Max_depth	Reg_lambda	Learning Rate
Default	100	0	1	1	6	1	0.3
Tuning with GA	79	0.28	1.94	0.58	5	0.77	0.55

Table 6. Hyperparameter tuning for SVM.

Hyperparameters	C	Gamma
Default	0.1	0.1
Tuning with GA	10.92	13.262

Table 7. Hyperparameter tuning for IF.

Hyper-Parameters	Contamination	Max_Samples	N_estimator
Default	0.1	‘Auto’ = 256	100
Tuning with GA	0.3	1000	89

XGBoost, Support Vector Machine (SVM), and Isolation Forest (IF) were employed to detect cryptocurrency laundering accounts within the Ethereum blockchain network. The performance metrics used to evaluate the effectiveness of identifying suspicious accounts included accuracy, mean absolute error, precision, recall, F1 score, and AUC-ROC. The calculation formulas for the fourth metric are presented in Equations (12)–(15) [47].

$$\mathrm{Accuracy}={\displaystyle \frac{\mathrm{TP}+\mathrm{TN}}{\mathrm{TP}+\mathrm{FP}+\mathrm{TN}+\mathrm{FN}}}$$

(12)

$$\mathrm{Recall}={\displaystyle \frac{\mathrm{TP}}{\mathrm{TP}+\mathrm{FN}}}$$

(13)

$$\mathrm{Precision} ={\displaystyle \frac{\mathrm{TP}}{\mathrm{TP}+\mathrm{FP}}}$$

(14)

$$\mathrm{F}1 \mathrm{Score} ={\displaystyle \frac{2*(\mathrm{Precision}*\mathrm{Recall})}{\mathrm{Precsion}+\mathrm{Recall}}}$$

(15)

Applying the optimizers (i.e., PSO and GA) to the proposed anomaly detection model has significantly improved the detection of benign and suspicious accounts within the Ethereum network. The confusion matrix values (i.e., True Positives, False Positives, True Negatives, and False Negatives) before and after the application of the optimizers for the three utilized machine learning models are displayed in Figure 9, Figure 10, Figure 11, Figure 12, Figure 13 and Figure 14 and discussed in more detail in Table 8 and Table 9.

Figure 9. Confusion matrix for XGBoost before GA.

Figure 10. Confusion matrix for XGBoost after GA.

Figure 11. Confusion matrix for SVM before GA.

Figure 12. Confusion matrix for SVM after GA.

Figure 13. Confusion matrix for IF before GA.

Figure 14. Confusion matrix for IF after GA.

Table 8. Comparison between the machine learning algorithms before applying GA.

Algorithm	Accuracy	MAE	Precision	Recall	F1-Score	AUC-ROC	TP	FP	TN	FN
XGBoost	0.975	0.03	0.97	0.98	0.975	0.97	1498	46	1491	30
SVM	0.744	0.26	0.826	0.713	0.765	0.71	1275	269	1008	513
IF	0.694	0.3	0.732	0.683	0.707	0.53	1130	414	997	524

Table 9. Comparison between the machine learning algorithms after applying GA.

Algorithm	Accuracy	MAE	Precision	Recall	F1-Score	AUC-ROC	TP	FP	TN	FN
XGBoost after GA	0.992	0.01	0.992	0.993	0.992	0.99	1531	13	1510	11
SVM after GA	0.87	0.13	0.869	0.872	0.87	0.86	1341	203	1325	196
IF after GA	0.824	0.18	0.824	0.827	0.825	0.79	1273	271	1254	267

In Figure 9, the confusion matrix of the XGBoost model before GA optimization highlights moderate performance. The model correctly identified 1498 suspicious accounts (TP) and 1491 benign accounts (TN), but it also produced 46 false positives (FP) and 30 false negatives (FN). These errors indicate that while the model achieved high accuracy overall, misclassification of a subset of suspicious accounts remained a challenge. In Figure 10, the impact of GA optimization on XGBoost is evident. The confusion matrix shows a marked improvement, with true positives rising to 1531 and true negatives to 1510, while false positives and false negatives dropped significantly to 13 and 11, respectively. This demonstrates that GA-driven hyperparameter tuning not only improved detection accuracy but also reduced both types of errors, making the model far more reliable in identifying money laundering accounts.

As shown in Figure 11, the SVM model prior to GA tuning performed less effectively, achieving 1275 true positives and 1008 true negatives, but producing a large number of false negatives (513) and false positives (269). This imbalance reflects the difficulty of SVM in handling high-dimensional blockchain data without optimization. In Figure 12, the optimized SVM model shows substantial gains after GA tuning. True positives increased to 1341 and true negatives to 1325, while false positives and false negatives decreased to 203 and 196, respectively. Although the performance still trails behind XGBoost, the improvements confirm that GA tuning enhanced SVM’s classification power and reduced its error rates.

Finally, in Figure 13, the Isolation Forest model after GA optimization still shows limited effectiveness compared to XGBoost and SVM. While it achieved 1130 true positives and 997 true negatives, the high number of false positives (414) and false negatives (524) indicates difficulty in achieving a stable decision boundary. This suggests that IF, even when optimized, is less suited for this anomaly detection problem. In Figure 14, the confusion matrix of IF before GA tuning further illustrates its limitations. Although it correctly classified 1273 true positives and 1254 true negatives, the error rates remained relatively high, with 271 false positives and 267 false negatives. Comparing Figure 13 and Figure 14 confirms that GA provided some improvements, but the model still lags significantly behind XGBoost and SVM in terms of precision and recall.

In addition, as indicated in Table 8 and Table 9, a noticeable improvement in the performance metrics has been observed. The enhanced XGBoost achieved outstanding performance with an accuracy of 0.992, a mean absolute error (MAE) of 0.01, and near-perfect precision, recall, and F1-score values of 0.992, 0.993, and 0.992, respectively. The AUC-ROC of 0.99 further confirms its robustness in differentiating between benign and suspicious accounts. These results highlight the efficacy of the enhanced XGBoost in providing accurate and reliable detection.

Also, the enhanced SVM showed a considerable improvement with an accuracy of 0.87 and an MAE of 0.13. Precision, recall, and F1-score values stand at 0.869, 0.872, and 0.87, respectively. The AUC-ROC of 0.86 indicates good overall performance. The enhancements in SVM post-GA demonstrate its capability to achieve a balanced detection of suspicious accounts.

Despite the enhanced Isolation Forest having the lowest performance among the three models, it still recorded an accuracy of 0.824, an MAE of 0.18, and precision, recall, and F1-score values of 0.824, 0.827, and 0.825, respectively. The AUC-ROC of 0.79 suggested moderate effectiveness in detecting suspicious accounts.

Figure 15 and Figure 16 present the comparison charts of XGBoost, SVM, and IF algorithms in terms of accuracy, precision, and recall.

Figure 15. Comparative Analysis of the ML Models.

Figure 16. Comparative analysis of the optimized ML models.

These metrics highlight XGBoost’s capability to distinguish values almost perfectly, coupled with the highest accuracy and lowest MAE among the models, demonstrating its robustness and reliability. Additionally, the AUC-ROC score of 0.99 confirms its excellent performance in differentiating between classes. The minimal false positives and false negatives further illustrate its efficiency and accuracy in detecting suspicious activity.

To provide a more rigorous evaluation, we include a baseline performance comparison against widely used anomaly detection methods in blockchain analysis. Table 10 presents the results of our proposed framework compared with existing approaches on the Ethereum dataset. The table demonstrates that the integration of Genetic Algorithm (GA) with XGBoost consistently achieves superior performance across all evaluation metrics, with accuracy, precision, and recall exceeding those of prior methods such as LOF, CART, and standalone XGBoost. This comparison highlights the effectiveness of the proposed framework and supports the novelty of combining GA-driven hyperparameter optimization with feature selection for large-scale blockchain datasets.

Table 10. Comparison of the proposed framework with existing methods on the Ethereum dataset.

Method	Algorithm	Accuracy	MAE	Precision	Recall	F1-Score	AUC-ROC	Standard Deviation of Accuracy
Our Proposed Framework	XGBoost with GA	0.992	0.01	0.992	0.993	0.992	0.99	0.109
Fangfang et al. [12]	LOF	0.949	0.06	0.946	0.954	0.949	0.94	0.103
Saxena et al. [14]	CART	0.810	0.22	0.813	0.810	0.809	0.81	0.035
Alarab et al. [16]	XGBoost	0.975	0.03	0.970	0.980	0.975	0.97	0.107

Table 10 and Figure 17 provide a direct comparison between our proposed XGBoost + GA framework and existing approaches (LOF, CART, and standard XGBoost). Figure 17 illustrates the superiority of our method across all key metrics, particularly accuracy (0.992), recall (0.993), and F1-score (0.992). The smaller error margin (MAE = 0.01) indicates its stability relative to baselines, where CART and LOF exhibit higher variability. Notably, the bar chart shows that even state-of-the-art XGBoost models without GA integration lag in precision and recall, underscoring the effectiveness of our hybrid approach.

Figure 17. Comparative performance of the proposed XGBoost + GA framework against existing methods on Ethereum anomaly detection [12,14,16].

While the proposed framework demonstrates strong performance, it also has limitations. When the input dataset contains high noise, adversarial manipulation, or many missing features, both precision and recall degrade measurably. The framework may also struggle to detect novel money laundering strategies that differ significantly from historical patterns. These scenarios emphasize the need for adaptive feature selection and dynamic model updating.

The computational complexity of the proposed framework was analyzed by considering the cost of the Genetic Algorithm (GA) used for hyperparameter optimization. With a population size of 50 and 20 generations, the GA requires 1000 model evaluations for each classifier. This yields a total time complexity of O(P × J × C), where P is the population size, J is the number of generations, and C is the training cost of the classifier. Although this makes the framework computationally intensive, the integration of the Particle Swarm Optimization (PSO) feature selection step significantly reduces the effective dimensionality and helps to lower the overall runtime. Empirical runtime measurements on our workstation confirmed that the approach remains feasible on modern hardware.

6. Conclusions and Future Work

This study examines an anomaly detection model designed to identify cryptocurrency money laundering accounts on the Ethereum blockchain network. The proposed model uses Particle Swarm Optimization (PSO) to select the optimal subset of features and combines the Genetic Algorithm (GA) with three machine learning algorithms to fine-tune hyperparameters and detect suspicious accounts. The dataset consists of 50 million transactions involving 9841 unique accounts on the Ethereum network.

The results indicate that the XGBoost algorithm yields the highest performance on the Ethereum dataset, achieving an accuracy of 98% and a recall of 0.98. Further enhancement with GA optimization improved the XGBoost algorithm’s accuracy to 99% and recall to 0.99, underscoring its robustness and reliability. In comparison, while Support Vector Machine (SVM) and Isolation Forest (IF) also showed improvements post-GA tuning, their performance did not match the outstanding results of XGBoost. Consequently, XGBoost emerges as the most effective and reliable algorithm for this application.

Although the proposed framework demonstrates superior performance, it is not without limitations. In scenarios where the input Ethereum data contains a high degree of noise, incomplete records, or mislabeled transactions, the framework shows a noticeable decline in both precision and recall. This indicates that the robustness of the model depends heavily on the quality and reliability of the input data. Another limitation lies in scalability under extreme transaction volumes, where the computational cost of GA-driven hyperparameter tuning may become significant. Furthermore, the framework’s reliance on feature engineering makes it sensitive to domain-specific feature definitions, which may limit direct transferability to other blockchain environments beyond Ethereum. Future research will address these limitations by exploring advanced data augmentation methods, adaptive feature selection strategies that can dynamically adjust to noisy or incomplete features, and computational optimizations to reduce runtime. We plan to extend the evaluation to additional blockchain platforms, including Bitcoin and Quorum, in order to further assess the generalizability and robustness of the proposed framework across different environments.