Inventory of the 6 most popular crypto scams in 2022

22-11-29 18:33
Original title: "Inventory of the 6 most popular encryption scams in 2022"
Original author: Sebastian Lim, HashDit
Original compilation: aididiaojp.eth, Foresight News


Since as early as 2021, both the number of cryptocurrency fraud cases and the amounts involved have been rising, causing huge losses for cryptocurrency investors. According to CNBC, more than $1 billion was lost to crypto fraud in 2021, with the most common types including fake investments and online scams.


This year, scammers have also upgraded their methods of deception, making them more difficult to detect.


Here are the most popular scams this year:



Phishing Links  


Phishing is a common deception method used by scammers in Web 2. Fraudsters can create a malicious website, send a large number of links to users, and then try to steal the user's wallet private key through the malicious website, thereby stealing assets.


In Web 3, scammers usually send phishing links through the channels where the Web3 community gathers. Examples include Discord, Twitter, Telegram, and even on-chain channels.



A phishing website often looks very similar to the real website, but has a different domain name. Phishing websites usually exploit users' FOMO, luring them with giveaways or free NFT whitelist mints.


Scammers may blatantly ask users for their seed phrase or private key. For example, scammers contact users on social media, pose as wallet software support, and send phishing links that trick users into clicking and entering their seed phrase or private key.


Another way is for scammers to develop fake Chrome extensions that imitate extensions such as MetaMask. By mimicking a real application, they get users to let their guard down and provide their private key in order to use the program.


A more interesting type of scam is where scammers try to trick users into thinking that an existing application has new bugs or vulnerabilities that require a software upgrade. The scammer claims in a message that the new upgrade has not been officially released, so it must be installed manually. They then issue a set of instructions designed to trick users into providing their MetaMask passwords, resulting in the exposure of private keys.


In this case, users should always wait for the official announcement from MetaMask and upgrade their MetaMask version based on information from official channels. As a friendly reminder, normal application upgrades do not require users to provide sensitive information, such as login credentials.


To upgrade the plugin, just go to chrome://extensions/ and click the update button.




Ice Phishing


Ice phishing is a type of phishing that tricks a user into signing a transaction that delegates approval of the user's tokens to the attacker. Users are tricked into signing transactions without revealing their private keys, yet the attackers still gain control of the assets in the users' wallets, which makes this an escalation of phishing techniques.


When users use DeFi applications (such as PancakeSwap) that integrate with the major token standards (such as ERC-20, ERC-721, and ERC-1155), approval requests are displayed in the MetaMask window. These ask the user to authorize a third party to handle the tokens on the user's behalf. After agreeing to the delegation, the user can perform other actions, such as a swap.


Attackers direct users to phishing sites and trick them into signing such a transaction. The spender being approved may not even be a contract, but simply the attacker's address. Once the approval transaction is complete, the attacker has the power to transfer funds from the victim's wallet.


Usually, scam sites have an algorithm that scans the victim's wallet for valuable assets, such as BAYC NFTs or cryptocurrencies such as WBTC and WETH. Typically, the site keeps popping up MetaMask windows to prompt users to sign another transaction, even though they may have already signed one.


One way to avoid falling victim to ice phishing is to stay away from signing eth_sign requests.



The eth_sign method is an open signature method that allows signing arbitrary hashes, which means it can be used to sign ambiguous transactions or any other data, and therefore carries a phishing risk.


Arbitrary hash here means that being vigilant only about the usual approve or approve-for-all (approve everything) methods is not enough: scammers can also make you sign other transactions, such as native token transfers or contract calls. Essentially, scammers gain almost complete control over user accounts without even having to hold the private keys.


Although MetaMask displays risk warnings when signing eth_sign requests, users with no security experience can still fall into these traps when the request is combined with other phishing techniques.
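The review a user should do before signing, sketched as an added example (not code from the original article or from MetaMask): it decodes the calldata of an approval request and flags eth_sign, unlimited or collection-wide approvals, and spenders that are unknown or are not contracts. The `ctx` object with its `trustedSpenders` set and `hasCode` lookup, and all sample addresses, are assumptions constructed for illustration.

```javascript
// Selectors of the approval calls a wallet shows for ERC-20/721/1155 tokens.
const APPROVAL_SELECTORS = {
  "0x095ea7b3": "approve",           // approve(address,uint256)
  "0xa22cb465": "setApprovalForAll", // setApprovalForAll(address,bool)
};
const MAX_UINT256 = (1n << 256n) - 1n;

// Calldata = 4-byte selector + 32-byte words; an address is the low 20 bytes of its word.
const word = (data, i) => data.slice(10 + 64 * i, 74 + 64 * i);
const toAddress = (w) => "0x" + w.slice(24);

// request: { method, params } as a dApp hands it to the wallet.
// ctx.trustedSpenders: Set of lowercase addresses the user already trusts (assumption).
// ctx.hasCode(addr): true if addr is a contract (assumption: caller backs it with eth_getCode).
function assessRequest(request, ctx) {
  if (request.method === "eth_sign") {
    return ["eth_sign signs an opaque hash; what is being authorized cannot be reviewed"];
  }
  if (request.method !== "eth_sendTransaction") return [];
  const tx = request.params[0];
  const data = (tx.data || "0x").toLowerCase();
  const kind = APPROVAL_SELECTORS[data.slice(0, 10)];
  if (!kind || data.length < 138) return []; // not an approval call
  const spender = toAddress(word(data, 0));
  const value = BigInt("0x" + word(data, 1)); // amount, token id, or bool
  const warnings = [];
  if (kind === "setApprovalForAll") {
    if (value === 0n) return []; // approved=false revokes an operator
    warnings.push(`grants ${spender} control of every token in ${tx.to}`);
  } else if (value === MAX_UINT256) {
    warnings.push(`grants ${spender} an unlimited allowance on ${tx.to}`);
  }
  if (!ctx.trustedSpenders.has(spender)) warnings.push("spender is not a known protocol address");
  if (!ctx.hasCode(spender)) warnings.push("spender is a plain address, not a contract");
  return warnings;
}

// Constructed sample: a phishing page asks for operator rights for a plain address.
const pad32 = (hex) => hex.replace(/^0x/, "").padStart(64, "0");
const SAMPLE_SPENDER = "0x" + "ab".repeat(20);
const SAMPLE_CTX = { trustedSpenders: new Set(), hasCode: () => false };
const SAMPLE_REQUEST = {
  method: "eth_sendTransaction",
  params: [{ to: "0x" + "11".repeat(20), data: "0xa22cb465" + pad32(SAMPLE_SPENDER) + pad32("0x1") }],
};
console.log(assessRequest(SAMPLE_REQUEST, SAMPLE_CTX));
```

Calldata alone cannot tell an ERC-20 amount from an ERC-721 token id, so the second argument of `approve` is only flagged when it is the maximum value.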


Event Attack and NFT Sleep Minting  


Event Attack


An event attack is a strategy in which scammers transfer random BEP20 tokens to users and prompt users to interact with them. Even though the scammer is the one transferring the tokens, a blockchain explorer like BscScan will show the source of funds as a different wallet, such as Binance's hot wallet. Users are then enticed to interact with these new free tokens, which can direct users to phishing sites through links displayed in the token name or in the code itself, another escalation of phishing techniques.


This method takes advantage of the way blockchain explorers display events.


For example, a screenshot from BscScan shows CHI being sent from the Null Address to address 0x7aa3… …



The block explorer blindly uses the parameters of the emitted event. If the _from address is changed to another address, such as 0xhashdit, BscScan will show the CHI as sent from 0xhashdit to the receiving address.


Note: This is not an inherent bug of the blockchain explorer, but a consequence of the flexibility to set event parameters freely, because BscScan cannot determine whether the parameters are accurate. Scammers can therefore use this to falsify the source of funds.


NFT Sleep Minting


Building on the usual BEP20 event attacks, scammers have become more creative. NFT Sleep Minting is when scammers mint NFTs directly into the wallets of well-known creators. However, the NFT contracts contain a code backdoor that lets the scammers take the NFTs back. This creates the appearance that:


1. A well-known creator minted the NFT themselves.


2. The creator then sent that NFT to the scammer.


Based on the provenance shown in on-chain data, scammers can claim they own NFTs minted by famous creators and sell them for a higher price, falsifying value in the process.


NFT Sleep Minting is deceptive because a contract can emit any data in the event log. If a user sends a transaction to transfer an NFT, then the user's address should appear in the event log as the "sender". However, this is not the case when scammers take NFTs back from well-known creators. Scammers can pull off this scam by artificially putting the address of a well-known creator in the "from" field of the transfer event.


For example, we can check which NFTs attributed to Beeple were not actually minted by him.
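A defensive check for both the event attack and sleep minting, as an added example (not code from the original article or from any explorer): instead of trusting the "from" field of a Transfer event, it compares that field with the account that actually signed the transaction. The receipt shape, the `approvedTokens` set and every address below are assumptions constructed for illustration, and the check is only sound when `wallet` is an externally owned account.

```javascript
// keccak256("Transfer(address,address,uint256)"): topic0 of ERC-20/BEP20 and ERC-721 transfers.
const TRANSFER_TOPIC = "0xddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef";
const ZERO_ADDRESS = "0x" + "0".repeat(40);
const topicToAddress = (topic) => "0x" + topic.slice(26).toLowerCase();
const addressToTopic = (addr) => "0x" + addr.slice(2).padStart(64, "0");

// receipt: { from, logs: [{ address, topics }] }, where `from` is the account that signed.
// wallet: the externally owned account being checked (for example a creator's address).
// approvedTokens: Set of token addresses on which `wallet` itself signed an approval
// (assumption: the caller collects this from the wallet's own transactions).
function auditTransfers(receipt, wallet, approvedTokens) {
  const signer = receipt.from.toLowerCase();
  const findings = [];
  for (const log of receipt.logs) {
    if (log.topics[0] !== TRANSFER_TOPIC || log.topics.length < 3) continue;
    const token = log.address.toLowerCase();
    const from = topicToAddress(log.topics[1]);
    const to = topicToAddress(log.topics[2]);
    if (from === ZERO_ADDRESS && to === wallet && signer !== wallet) {
      // Mint credited to the wallet in a transaction the wallet never signed.
      findings.push({ token, verdict: "minted-by-someone-else", signer });
    } else if (from === wallet && signer !== wallet && !approvedTokens.has(token)) {
      // The wallet neither signed nor approved anyone, so standard rules cannot explain this.
      findings.push({ token, verdict: "sender-not-authenticated", signer });
    }
  }
  return findings;
}

// Constructed sample: a sleep mint followed by the scammer pulling the NFT back.
const CREATOR = "0x" + "c1".repeat(20);
const SCAMMER = "0x" + "5c".repeat(20);
const NFT = "0x" + "9f".repeat(20);
const transferLog = (from, to) => ({
  address: NFT,
  topics: [TRANSFER_TOPIC, addressToTopic(from), addressToTopic(to), addressToTopic("0x1")],
});
const SLEEP_MINT = { from: SCAMMER, logs: [transferLog(ZERO_ADDRESS, CREATOR)] };
const PULL_BACK = { from: SCAMMER, logs: [transferLog(CREATOR, SCAMMER)] };
console.log(auditTransfers(SLEEP_MINT, CREATOR, new Set()));
console.log(auditTransfers(PULL_BACK, CREATOR, new Set()));
```

The same function covers the BEP20 case: pass the wallet that the explorer names as the source of funds, and an airdrop it never signed comes back as "sender-not-authenticated".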


Crypto Ponzi Schemes  


Crypto Ponzi schemes are strategies that often have no real reward or profit to be earned. Essentially, new investors' money is used to pay returns to earlier investors. Once no more new money comes in, the whole system fails.


A few telltale signs of a cryptocurrency Ponzi scheme:


First, the project team charges taxes and fees, which keep users in the ecosystem longer


Since there is a fee of some kind for each deposit or compounding operation, users have to compound over a longer period of time to break even. These fees are also used for user dividends.


Second, the user’s initial investment cannot be withdrawn


Once a user purchases the initial tokens, there is no way to get back the initial investment funds. The only way for users to get back any funds is to withdraw dividends.


Third, a referral system is used


The project encourages participants to earn money through active promotion. Whenever a downline performs certain actions, the upline gets extra rewards. Also, in order to start participating, a user must have an upline referral address. This creates a cycle where each address is linked to another, similar to a pyramid structure. At the same time, there may be other promotional incentives, such as a larger bonus for having more than 5 downline addresses.


People will see a sharp increase in the funds locked in the contract at the beginning, which is usually driven by initial hype from the team's marketing or by the team's own infusion of funds. Once the contract balance reaches the inflection point, it means that no new funds are coming in, which slowly causes the scheme to fall apart, and new investors start withdrawing as many dividends as possible, causing panic.



Finally, the project team that collects the taxes and fees will be the biggest beneficiary of such Ponzi scheme projects.


CHI Gas Token farming


CHI Gas Token is a solution from the 1inch project: a BEP20 token used to pay transaction fees on the 1inch exchange. CHI is pegged to the network's gas price, so when gas prices are low, CHI is also low, and vice versa.


How scammers take advantage of this is also very clever. First, they airdrop a bunch of random BEP20 tokens. When users go to PancakeSwap to sell these tokens, the approve function of these tokens contains hard-coded logic (hard-coded: the data is written directly in the code and does not change with the input) that consumes a large share (for example, more than 90%) of the user's gas to mint CHI Gas Tokens, and the minted CHI Gas Tokens become the scammers' profit.


It is recommended to check the gas fee the transaction will consume before calling the approve function of any airdropped token.


In general, do not trade airdrop tokens directly.


MEV Scam and Fake Celebrity Scam  


MEV Scam


To entice users to participate, scammers use terms like MEV (Maximal Extractable Value), "arbitrage trading bots", "sniper bots", "front-running trading bots" and other crypto jargon, and promise passive income of several thousand dollars a day. The promotional ads typically appear on platforms such as Twitter, TikTok, and blockchain explorers.


Scammers attach video links to their posts, taking victims to YouTube, Vimeo and other video platforms.





The scam video guides users to deploy malicious code using Remix IDE. The malicious code is usually provided through a pastebin URL in the video description.



As the code is deployed on-chain, users will be instructed to prepare some local funds to perform "front-running or arbitrage". The scam video will remind users to prepare more funds in order to make more profits when performing "earning or arbitrage" operations. Once the user injects funds into the contract and "starts front-running," the user will find that instead of making profits for themselves as the scammers claim, the funds will be transferred directly to the scammers.


Another relatively new method is for scammers to provide links to CEX trading bots.



Users are prompted to download malicious files and follow the instructions. Typically, users who want to automate trading on the Binance exchange will have an API key. The scam video tricks users into using the scammers' trading bot and asks them to hand over their API keys and passwords. Once a user has been scammed, the scammers receive the user's credentials at their end and can immediately transact with the user's funds.


Fake Celebrity Scam


Scammers also use social media to spread false information that cryptocurrency exchanges or well-known figures in the space are running certain giveaways.



Users are given a link and instructed to "verify" their address first. To do this, they have to send some BTC or BNB to a designated address, and in return they are promised 10 times the amount sent. At the same time, the fraudulent website displays a transaction history for the giveaway, leading users to think that it is real. In reality, however, once the user sends the cryptocurrency, the funds fall into the hands of the scammers, and the user ends up receiving no reward.


Often, a scammer will use an old video, or even fake a popular persona, to trick users into thinking that person is endorsing and promoting a new giveaway. In fact, no such giveaway exists.


A common feature of these cases is that there will be false interactions in the video comment area, psychologically deceiving users, making them think that this trading robot is really useful.



Also, if you see some of the above descriptions, please stay away immediately, this is a huge red flag.  



Summary


Fraud cases will continue to grow in decentralized environments such as cryptocurrencies, so each of us needs to be responsible for our own safety.


Remember the Golden Rule: If something is too good to be true, it's probably a scam. Until then, play it safe!


Original link: https://hashdit.github.io/hashdit/blog/top-6-crypto-scams-2022/

