Cryptocurrency Scams – How Hackers Rip Off Money With Token Scams
In a new publication, Check Point Research (CPR) shows how fraudsters misconfigure so-called smart contracts to create fraudulent tokens. The report describes in detail the method by which scammers are currently stealing money and provides examples. The findings build on CPR’s previous research on cryptocurrency fraud.
Check Point Research previously uncovered the theft of crypto wallets on OpenSea, the world’s largest NFT marketplace, last October. In November, hackers used new search engine phishing campaigns via Google Ads to steal half a million dollars within a few days.
The now forged tokens can have the following properties:
- Some tokens contain a purchase fee of 99 percent, which robs you of money when you buy.
- Some tokens include a 99 percent sale fee, which will rob you of your money when you sell.
- Some tokens do not allow the buyer to sell them, so the seller remains as the owner, and only he can sell them.
- Some allow the selling owner to put more coins in his wallet and sell them.
To create fraudulent tokens, hackers configure smart contracts incorrectly. These are programs that are stored on a blockchain and run when certain conditions are met. CPR outlines the steps hackers use to take advantage of smart contracts:
- Exploitation of fraud services: Hackers usually use so-called scam services to create the contract, or they copy an already known scam contract and change the token name, as well as the symbol and some of the function names, if they are really sophisticated.
- Manipulation of the functions: Next, you will manipulate the functions of the money transfer to prevent the buyers from selling, or increase the fees. Most of the manipulations will always relate to the transfer of money.
- Generate enthusiasm through social media: then hackers open social channels, such as Twitter, Discord or Telegram, without revealing their identity – or they misuse fake identities of other people – and start the hype around the project so that people start buying.
- Rip-off: After the criminals have reached the desired amount, they withdraw all the money from the scam smart contract and delete all social media channels.
- Skip timestamps: Usually, buyers will not see that these tokens lock a large amount of money in the contract pool or even add a timelock to the contract. Timelocks are mostly used to delay administrative action and are generally considered a strong indicator that a project is legitimate.
Here are some tips for avoiding scam tokens
Diversification of wallets
Owning a wallet is the first step to being able to use Bitcoins and any other crypto currency. These wallets are the tool that users use to store and manage their bitcoins. One of the keys to their security is to own at least two different crypto wallets. The goal is that the user can use one of them for his purchases, and the other for trading and exchanging crypto coins. In this way, the assets are better protected, since the passwords of the individual users are also stored in the wallets. These are an essential part of trading cryptocurrencies and have a public key that allows other users to send cryptocurrencies to a wallet. If a cybercriminal succeeds in gaining access to this data through an attack, then in this case the separation only to the wallet with which you are trading. The purchased bitcoins in the other wallet are safe.
Users often search for Bitcoin wallet platforms via Google. At this moment, you can commit one of the biggest mistakes, because you click on one of the Google ads that appear in the first place. Behind these links are often criminals who create false web pages to steal login data or passwords. Therefore, it is safer to call up the pages that appear further down in the search engine and are not a Google ad.
Before sending large amounts of crypto, you should first conduct a test transaction with a minimum amount. In this way, it is easier to detect the scam in case you send it to a fake wallet.
Double attention for more safety
One of the best measures to protect against any type of IT attack is to enable two-factor authentication on the platforms where you have an account. If an attacker tries to log in to one of these platforms in an irregular way, the actual owner will receive a message to verify its authenticity, for example, by means of an SMS code. So he is informed and the hacker does not get access despite the password.
Oded Vanunu, Head of Products Vulnerabilities Research at Check Point Software
Oded Vanunu, Head of Products Vulnerabilities Research at Check Point Software Technologies, explains the security research: “Check Point Research invests considerable forces in the investigation of the interface between crypto currencies and IT security. Last year, we exposed the theft of crypto wallets on OpenSea, the world’s largest NFT marketplace, and we warned crypto wallet users about a massive search engine phishing campaign that resulted in at least half a million dollars being stolen within a few days. In our new publication, we show what the scam looks like with real smart contracts and reveal a real token scam that allows hiding fee functions in the amount of 100 percent and includes hiding backdoor functions. Because of these two techniques, currently many crypto users continue to fall into these traps and lose their money. With our publication, we want to draw the attention of the crypto community to the fact that scammers can develop fake tokens. To avoid scam coins, I recommend crypto users to diversify their wallets, ignore advertising and test their transactions.“