What it does

A local, privacy-first system that scans cryptocurrency markets in real time to detect insider trading, market manipulation, and abnormal whale activity before they become public knowledge.

It monitors Ethereum on-chain transfers, Bitcoin mempool activity, and derivatives markets (Binance perpetuals, Hyperliquid) simultaneously, scoring every significant transaction on a 0–100 suspicion scale. When something critical is detected, it fires a webhook to Slack, Discord, or any HTTP endpoint.

Everything runs locally. No cloud dependency. No data leaves your machine.


What it detects

The system is built around one core question: is this transaction driven by information, or by noise?

A $2M ETH transfer from a 3-day-old wallet with no public news catalyst scores very differently from a $2M ETH transfer from Coinbase's hot wallet during a market-wide rally. The pipeline separates these cases by combining statistical anomaly detection, wallet behavioral profiling, macro context, and market microstructure analysis.

Typical signals it surfaces:

  • Insider accumulation — large position from an established low-frequency wallet, no public catalyst, token not correlated to BTC move
  • Pre-event positioning — smart money entering before a scheduled Fed/CPI/NFP release
  • Derivatives market stress — crowded positioning + funding spike + OI surge simultaneously (squeeze risk)
  • Bear raids — large short against a bullish trend from an unknown wallet
  • Coordinated wallet activity — multiple wallets hitting the same token in a tight time window
  • Token security threats — honeypots, rug pulls, mintable scams (Ethereum)

Architecture

The pipeline has three tiers running as independent Docker services:

┌─────────────────────────────────────────────────────────┐
│  LISTENERS  (5 services, always on)                     │
│                                                         │
│  ETH mainnet     Etherscan API, poll every 5 min        │
│  BTC mainnet     mempool.space WebSocket                │
│  Binance perps   Funding rate + OI + L/S anomalies      │
│  Binance spot    Large trades > $1M                     │
│  Hyperliquid     Perpetuals WebSocket                   │
└────────────────────────┬────────────────────────────────┘
                         │
              ┌──────────▼──────────┐
              │   TIER 1: FILTER    │  ~1-2 seconds
              │                     │
              │  Statistical pre-   │
              │  score (0-100):     │
              │  · Volume z-score   │
              │  · Wallet age       │
              │  · Transaction size │
              │  · Market impact    │
              │  · IsolationForest  │
              └──────────┬──────────┘
                         │ escalate=true
              ┌──────────▼──────────┐
              │   TIER 2: COUNCIL   │  ~5 minutes
              │                     │
              │  6-agent LangGraph  │
              │  council (see below)│
              │                     │
              │  Score 0-100        │
              │  + written verdict  │
              └──────────┬──────────┘
                         │
              ┌──────────▼──────────┐
              │  SQLite + Webhook   │
              │  TUI dashboard      │
              └─────────────────────┘

Roughly 85–90% of transactions are filtered at Tier 1 as noise (dust, whitelisted DEX routers, low z-score, exchange wallets). Only genuinely ambiguous or suspicious transactions reach the agent council.


The Council: 6 Specialized Agents

When a transaction is escalated, six agents investigate it in sequence. Each agent answers a specific question. The Supervisor cross-references all answers into a final score.

Security Sentinel (Ethereum only)

Checks the token and sender address against GoPlus and DEXScreener. Detects honeypots, mintable scams, blacklist functions, proxy contracts, low liquidity. A confirmed honeypot or malicious address immediately terminates the investigation with a score of 95 — no further agents run.

OnChain Profiler

Classifies the sending wallet into a behavioral archetype using Etherscan transaction history (ETH) or UTXO patterns (BTC):

Classification   Profile
Insider          Old wallet (> 180d), low tx count (< 200), large move
Smart Money      Old wallet (> 365d), moderate activity (100–5000 txs)
Whale            Old, high-volume wallet (> 500 txs)
Retail FOMO      Young wallet (< 30d) chasing a move
Bot / MEV        High-frequency wallet (> 5,000 txs in < 30 days)

The classification is the single most important input to the final score. An Insider move with no public news is the canonical high-signal event.

Macro Strategist

Fetches global macro context in parallel: Fear & Greed index, traditional markets (SPX, DXY, VIX), yield curve, commodities, news headlines. Determines whether public news exists that could explain the move (has_news). Results are cached 12 hours — the macro agent calls the LLM at most twice per day.

The has_news field is critical: an Insider move with no news scores 80/100. The same move with news scores 60/100. The system distinguishes "someone knows something" from "someone is reacting to something."

Micro Analyst

Extracts token-specific market KPIs: 24h price action, BTC correlation (Pearson r over 30 days), funding rate, open interest, long/short ratio. A whale move that correlates strongly with BTC (r > 0.7) is likely just beta exposure — market noise, score 20. A whale move decoupled from BTC is potentially informational — score 55.

Quant Analyst (pure Python, no LLM, ~50ms)

Computes statistical features from OHLCV data and on-chain transfer distributions:

  • Shannon entropy of volume distribution (< 0.4 = trading concentrated in few candles)
  • Gini coefficient of transfer amounts (> 0.7 = few addresses dominate)
  • Hurst exponent (H > 0.5 = trending regime — adds conviction)
  • GARCH(1,1) volatility regime forecast
  • IsolationForest ML anomaly score on the 4-feature filter vector

The Quant report adds up to +10 points to the final score when an ML anomaly is confirmed with high confidence.

Supervisor (deterministic Python + LLM narrative)

Cross-references all agent reports through a scoring matrix loaded from config/scoring_rules.yaml. Zero randomness — the score is fully reproducible for identical inputs. After the score is fixed, a local LLM (qwen2.5:3b) writes a 6-section investigation narrative:

ACTOR:    wallet profile and behavioral classification
POSITION: transaction value, token, direction
MARKET:   price action, BTC correlation, funding rate, OI
SIGNAL:   top scoring reasons, news context
RISK:     macro regime, Fear & Greed, macro context
VERDICT:  risk level, score, main reason

If the LLM times out, a deterministic fallback generates the same format from the structured data.


Score Scale

Score    Verdict         Interpretation
0–20     noise           Automated pattern, BTC-correlated move, exchange routine
21–40    low_signal      Weak or ambiguous signal, monitor
41–60    medium_signal   Notable activity, contextually ambiguous
61–80    high_signal     Strong signal — warrants close attention
81–100   critical        Highest-confidence signal — webhook always fires

Worked Example: $500M BTC Short on Hyperliquid

Context (February 28, 2026): BTC is up +5.2% on the day. Fear & Greed is at 72 (Greed). At 14:23 UTC, a 1-day-old wallet opens a $500M short on BTC perpetuals via Hyperliquid — directly against the trend.

What the listeners detected:

  • Pattern: HYPERLIQUID_SELL — large taker short
  • Anomaly tags: CROWDED_SHORT_3.2x, HIGH_FUNDING_SHORT, FUNDING_SPIKE_VS_BASELINE, OI_SURGE_18pct

Tier 1 Filter — Derivatives fast path (no wallet/volume check needed):

Base (large directional trade):   55 pts
Size premium ($500M > $1M):      +10 pts
Pre-score:                        65/100  →  escalate=true

Tier 2 Council — Derivatives scoring path:

Futures base (sell into crowded short):       55
+ selling into crowded short (L/S=0.31):     +10
+ large sell during risk-on regime:           +8
+ high OI market ($8.2B):                    +5
CROWDED_SHORT_3.2x:                          +12
HIGH_FUNDING_SHORT:                           +8
FUNDING_SPIKE_VS_BASELINE:                    +5
OI_SURGE_18pct:                               +7
Interaction: crowded + funding spike:         +8
Interaction: crowded + OI surge:              +5
4 simultaneous anomalies (systemic stress):   +5
                                             ----
                           Capped at:      100/100  →  critical

Why 100/100? A $500M position is ~6% of total BTC perpetual open interest. A 1-day-old wallet. No news catalyst. BTC trending up. Crowded short with 3.2x the normal short concentration, funding spiking, OI surging 18% in one hour — four simultaneous independent anomaly signals. This is the exact pattern of a coordinated bear raid or a large actor with advance knowledge of a price-moving event.

Full annotated trace: docs/demo.md
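The derivatives scoring path from the worked example, written as a small deterministic rule table (an added example, not the project's code). The point values and verdict bands come from this page; the rule layout, the context flag names and the "four or more tags" trigger are assumptions, since config/scoring_rules.yaml is not shown here.

```python
# Point values are copied from the worked example above; the rule layout and
# the context flag names are hypothetical (config/scoring_rules.yaml is not shown).
BASE = 55
CONTEXT_POINTS = {"sell_into_crowded_short": 10, "sell_in_risk_on": 8, "high_oi_market": 5}
TAG_POINTS = {"CROWDED_SHORT": 12, "HIGH_FUNDING_SHORT": 8,
              "FUNDING_SPIKE_VS_BASELINE": 5, "OI_SURGE": 7}
INTERACTIONS = [({"CROWDED_SHORT", "FUNDING_SPIKE_VS_BASELINE"}, 8),
                ({"CROWDED_SHORT", "OI_SURGE"}, 5)]
# Assumption: the "+5 systemic stress" bonus applies at four or more distinct tags.
SYSTEMIC_MIN_TAGS, SYSTEMIC_POINTS = 4, 5
BANDS = [(20, "noise"), (40, "low_signal"), (60, "medium_signal"),
         (80, "high_signal"), (100, "critical")]

def tag_family(tag):
    """Strip the measured suffix: CROWDED_SHORT_3.2x -> CROWDED_SHORT."""
    for family in TAG_POINTS:
        if tag == family or tag.startswith(family + "_"):
            return family
    return None  # unknown tags contribute nothing

def score_derivatives(context_flags, anomaly_tags):
    """Additive score clamped to 0-100; sorting keeps the output
    identical for identical inputs regardless of arrival order."""
    families = {tag_family(t) for t in anomaly_tags} - {None}
    reasons = [("base", BASE)]
    reasons += [(f, CONTEXT_POINTS[f]) for f in sorted(set(context_flags))
                if f in CONTEXT_POINTS]
    reasons += [(f, TAG_POINTS[f]) for f in sorted(families)]
    reasons += [("+".join(sorted(need)), pts)
                for need, pts in INTERACTIONS if need <= families]
    if len(families) >= SYSTEMIC_MIN_TAGS:
        reasons.append(("simultaneous_anomalies", SYSTEMIC_POINTS))
    raw = sum(points for _, points in reasons)
    score = max(0, min(100, raw))
    verdict = next(name for upper, name in BANDS if score <= upper)
    return {"raw": raw, "score": score, "verdict": verdict, "reasons": reasons}

# Inputs from the worked example ($500M BTC short on Hyperliquid).
EXAMPLE_FLAGS = ["sell_into_crowded_short", "sell_in_risk_on", "high_oi_market"]
EXAMPLE_TAGS = ["CROWDED_SHORT_3.2x", "HIGH_FUNDING_SHORT",
                "FUNDING_SPIKE_VS_BASELINE", "OI_SURGE_18pct"]

if __name__ == "__main__":
    result = score_derivatives(EXAMPLE_FLAGS, EXAMPLE_TAGS)
    print(result["raw"], result["score"], result["verdict"])
```

The raw sum keeps the uncapped total next to the clamped score, so two events that both report 100/100 can still be ranked against each other during triage.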


Terminal UI

A Rust TUI (tui/) provides a live dashboard of the pipeline without any web server:

┌─ Services ─────┐ ┌─ Raw Transactions ──────────────┐ ┌─ Scored + Logs ──────┐
│ eth-listener ✓ │ │ [RED]    0xabc... BTC $500M SHORT│ │ 0xdef... ETH  95/100 │
│ btc-listener ✓ │ │ [GRAY]   0xdef... ETH $1.2M SWAP │ │ 0x123... BTC  42/100 │
│ filter-worker✓ │ │ [YELLOW] 0x123... BTC $50k  UTXO │ │                      │
│ agent-worker ✓ │ │ [GREEN]  0x456... ETH $200k BUY  │ │ [agent logs...]      │
│                │ │                                  │ │                      │
│ Scored: 1,247  │ │                                  │ │                      │
│ Critical: 12   │ │                                  │ │                      │
└────────────────┘ └──────────────────────────────────┘ └──────────────────────┘

Color coding: Red = flagged, pending council. Orange = investigated suspect. Green = scored, normal. Yellow = filtered out (noise). Gray = below threshold.


Webhook Alerts

When a transaction scores above the threshold (default: 70), the system fires a POST request to any configured URL. Works with Slack incoming webhooks, Discord webhooks, or any custom HTTP endpoint.

SCORING_WEBHOOK_URL=https://hooks.slack.com/services/...
SCORING_WEBHOOK_THRESHOLD=70   # fire on high_signal and critical

Payload includes tx_hash, token, chain, score, verdict, value_usd, and the top scoring reasons.


Local-first design

The system uses Ollama to run LLMs locally (qwen3.5:4b for the council pipeline, qwen3.5:9b for macro analysis). No API keys for LLM inference. No transaction data sent to external services.

External API calls are limited to:

  • Etherscan / mempool.space — on-chain data (public)
  • CoinGecko (free demo tier), Binance (public), GoPlus (free tier) — market data
  • FRED (optional, free) — US economic event calendar
  • Yahoo Finance — market indices and news (via yfinance, no key required)

Getting Started

See docs/start.md for setup instructions, configuration reference, GPU options, and development commands.


Documentation

Document               Contents
docs/start.md          Setup, configuration, Docker, GPU variants, tests, ML model training
docs/architecture.md   Pipeline internals, LangGraph topology, SQLite schema
docs/scoring.md        Every scoring formula and threshold with rationale
docs/agents.md         Per-agent tools, classification rules, output schemas
docs/providers.md      Per-provider API reference and constants
docs/demo.md           Full annotated trace of a $500M BTC short through the pipeline

Tech Stack

Component                Technology
Pipeline orchestration   Python 3.11, LangGraph, asyncio
LLM inference            Ollama (qwen3.5:4b / qwen3.5:9b)
ML anomaly detection     scikit-learn IsolationForest
Persistence              SQLite + aiosqlite (WAL mode)
Containerization         Docker Compose (8 services)
Terminal UI              Rust + Ratatui
Data validation          Pydantic 2
Structured logging       structlog
