This work proposes Deniable Covert Asset Transfer (DCAT), a novel privacy-preserving mechanism that goes beyond concealing transacting parties’ identities by rendering the very existence of transactions unobservable. Unlike conventional blockchain privacy approaches, DCAT camouflages asset transfers as legitimate Maximal Extractable Value (MEV) activities—such as sandwich attacks and arbitrage—commonly observed in real-world DeFi environments. Empirical evaluations on Ethereum and Arbitrum demonstrate that DCAT transactions are syntactically and semantically indistinguishable from genuine MEV operations, effectively evading detection by standard on-chain analysis tools and preventing linkage between senders and receivers. Furthermore, the paper introduces a multivariate statistical anomaly detection method capable of flagging suspicious transactions for manual review, thereby overcoming the limitations inherent in traditional anonymity set models.

Traditional blockchain untraceability schemes, such as mixers and privacy coins, obscure the sender-receiver relationship by placing transfers within an anonymity set. This paper studies a stronger goal: whether the transfer event itself can be made unobservable by blending into common decentralized-finance (DeFi) activity. We introduce Deniable Covert Asset Transfer (DCAT), a class of transfers that stage common loss-producing events, such as sandwich and arbitrage operations, so that a sender appears to suffer an ordinary loss while the receiver appears to profit from it. We design and validate two DCAT instantiations: a sandwich-based transfer on Ethereum and an arbitrage-based transfer on Arbitrum. Our experiments show that, under the evaluated settings, DCAT transfers are empirically unobservable on both chains. They are syntactically identical to corresponding maximal extractable value (MEV) activities, classified as ordinary extractions by standard MEV detection tools, and leave the sender and receiver unlinked under representative forensic tools. Since syntactic inspection cannot distinguish DCAT from ordinary MEV activity, we examine whether economic semantics provide useful forensic signals. Through a large-scale study of MEV losses on Ethereum and Arbitrum, we show that key semantic features follow power laws. Extreme losses and repeatedly exploited addresses occur in the wild, and thus are not by themselves definitive evidence of collusion. This gives staged transfers plausible deniability and makes fixed-threshold detection prone to false positives. We therefore develop a multivariate statistical method for forensic triage that ranks incidents by the joint rarity of their economic footprint. Applied to real-world DeFi activity, our method narrows a large search space to suspicious cases for manual investigation; we present three such cases to illustrate this prioritization.