Lesson 31: Whale Watching (Detecting Suspicious Large Transfers & Trader Behaviors)
Not all threats come from code. Sometimes, it’s about who moves the money, and how. Today’s lesson focuses on tracking whale behaviors: wallets that move large sums, trigger cascading events or indicate manipulative trading.
As a Forta administrator, you are watching not only for exploits but also for signals of unusual financial movement.
Why This Is Important in Blockchain Monitoring
In DeFi:
A single wallet swap can move the market
A whale unstaking can shake market confidence
A concentrated deposit can signal a governance attack
Detecting these movements early is critical for:
Front-running defenses
Alerting communities
Understanding market risk
What Is a Whale?
There is no fixed definition, but it usually means a wallet that:
Transfers over $100k to $1M+
Interacts with major protocols
Holds large percentages of token supply
Some examples:
Forta Agent Example: Detect Large Stablecoin Transfers
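```javascript
const { Finding, FindingSeverity, FindingType, ethers } = require("forta-agent");

// USDC token contract on Ethereum mainnet (assumed target network)
const USDC_ADDRESS = "0xA0b86991c6218b36c1d19D4a2e9Eb0cE3606eB48";
// Full ABI fragment with named parameters, so the decoded args expose `to` and `value`
const TRANSFER_FUNCTION = "function transfer(address to, uint256 value)";
const THRESHOLD = ethers.utils.parseUnits("500000", 6); // 500,000 USDC (6 decimals)

async function handleTransaction(txEvent) {
  const findings = [];
  // Decode calls to transfer() on the USDC contract in this transaction
  const usdcTransfers = txEvent.filterFunction(TRANSFER_FUNCTION, USDC_ADDRESS);
  for (const transfer of usdcTransfers) {
    const { to, value } = transfer.args;
    if (value.gt(THRESHOLD)) {
      // Report the amount in whole USDC rather than raw 6-decimal units
      const amount = ethers.utils.formatUnits(value, 6);
      findings.push(
        Finding.fromObject({
          name: "Large Stablecoin Transfer",
          description: `Detected a ${amount} USDC transfer to ${to}`,
          alertId: "LARGE-USDC-TRANSFER",
          severity: FindingSeverity.Medium,
          type: FindingType.Suspicious,
        })
      );
    }
  }
  return findings;
}

module.exports = { handleTransaction };
```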
How to Adjust These Bots
Analyze the distribution of transfer sizes and use percentiles to decide what counts as a large one
Include whitelists for known CEX wallets (Binance, Coinbase)
Rate-limit the alert frequency (so you don’t flood Slack)
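The three adjustments above, combined in one added example (not code from the original lesson or the Forta SDK): a percentile-derived threshold, an allowlist for known exchange wallets, and a per-sender alert cooldown. The addresses, amounts, and helper names are constructed for illustration.

```javascript
// Added example: tuning helpers for a large-transfer bot. Plain JavaScript,
// no Forta SDK calls. All addresses and amounts are constructed sample data.
const usdc = (n) => BigInt(n) * 1000000n; // whole USDC -> raw units (6 decimals)

// Nearest-rank percentile over historical transfer amounts (BigInt raw units).
function percentileThreshold(amounts, p) {
  if (amounts.length === 0) throw new Error("no history to derive a threshold");
  const sorted = [...amounts].sort((a, b) => (a < b ? -1 : a > b ? 1 : 0));
  const rank = Math.max(1, Math.ceil((p * sorted.length) / 100)); // 1-based
  return sorted[rank - 1];
}

// Returns a stateful filter: threshold, then allowlist, then per-sender cooldown.
function createAlertFilter({ threshold, allowlist, cooldownSeconds }) {
  const allowed = new Set(allowlist.map((a) => a.toLowerCase()));
  const lastAlertAt = new Map(); // sender -> timestamp of the last emitted alert
  return function shouldAlert({ from, to, value, timestamp }) {
    if (value <= threshold) return false; // ordinary size for this token
    const src = from.toLowerCase();
    if (allowed.has(src) || allowed.has(to.toLowerCase())) return false; // known CEX
    const last = lastAlertAt.get(src);
    if (last !== undefined && timestamp - last < cooldownSeconds) return false;
    lastAlertAt.set(src, timestamp);
    return true;
  };
}

// Constructed history of transfer sizes; the 90th percentile becomes the threshold.
const history = [120, 450, 900, 2500, 8000, 15000, 40000, 75000, 250000, 900000].map(usdc);
const threshold = percentileThreshold(history, 90);

const CEX_HOT_WALLET = "0x" + "ce".repeat(20); // placeholder, not a real exchange
const WHALE = "0x" + "ab".repeat(20);
const OTHER = "0x" + "cd".repeat(20);
const sampleTransfers = [
  { from: WHALE, to: OTHER, value: usdc(600000), timestamp: 1000 }, // alert
  { from: WHALE, to: OTHER, value: usdc(700000), timestamp: 1200 }, // cooldown
  { from: CEX_HOT_WALLET, to: OTHER, value: usdc(5000000), timestamp: 1300 }, // allowlist
  { from: OTHER, to: WHALE, value: usdc(250000), timestamp: 1400 }, // not above threshold
  { from: WHALE, to: OTHER, value: usdc(800000), timestamp: 5000 }, // cooldown elapsed
];

function runDemo() {
  const shouldAlert = createAlertFilter({
    threshold, allowlist: [CEX_HOT_WALLET], cooldownSeconds: 3600,
  });
  return sampleTransfers.map((t) => shouldAlert(t));
}
console.log(runDemo());
```

In a real bot, `shouldAlert` would gate the `findings.push(...)` call, with the timestamp taken from the block being processed.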
Key Concepts Recap
Large holders influence protocols not through code, but through visible behavior patterns that trigger responses in the market
Detecting large transfers, staking shifts, and swaps can predict moves
Use thresholds, frequency, and context to avoid false positives
Whale monitoring supports threat intel, DAO safety, and early warnings
In the next lesson, we will address how to protect governance and admin functions from abuse.
🙏 Until next meditation,
The Blockchain Security Monk