Decentralized Finance (DeFi) applications involve a large volume of funds and exhibit diverse user behaviours, including malicious activities such as smart contract exploits and financial scams. Existing approaches struggle to capture complex behaviours. To address this gap, we propose a general Blockchain User Behaviour Analysis (BUBA) pipeline for DeFi security. The pipeline presents an automated action formation process that takes blockchain transactions as inputs and outputs user actions. In addition, BUBA introduces a dual Graph Neural Network (GNN) model that jointly captures user action features, contract and token interactions, and heterogeneous graph structure information to produce rich behavioural embeddings, enabling effective clustering of semantically meaningful user behaviours. We evaluate the proposed pipeline on Uniswap V3, where it outperforms baseline methods in identifying and differentiating suspicious behaviours. A further case study on Sushiswap V2 demonstrates the generalisability of the pipeline across DeFi applications.