Check Point Research (CPR) has shown how scammers build backdoors into smart contracts to create fraudulent tokens, then use those same contracts to “rug pull” the money that buyers put in.
The findings come after CPR’s cryptocurrency research last October, where the research firm identified crypto wallet theft on OpenSea, the world’s largest NFT market. In November last year, CPR also found that hackers were using search engine phishing campaigns to steal half a million dollars in just a few days.
The company says hackers will continue to set traps and shares four security tips on how to avoid scam coins.
What Fraudulent Coins Look Like
CPR describes four ways a fraudulent token’s contract is rigged. Some tokens charge a 99% fee on buys, so nearly all of the buyer’s money is taken at the moment of purchase. Some do not let buyers resell at all: only the owner can sell. Some charge a 99% fee on sells, so the money is taken when the holder tries to exit. And some let the owner mint more tokens into their own wallet at will and dump them on the market.
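What these four backdoors look like in practice, as an added example written for this article (it is not CPR’s code and not any real token’s contract): a minimal Python model of an ERC-20-style token in which the owner can set uncapped buy and sell fees, switch on a per-address sell gate, and mint at will. The OWNER, PAIR and victim addresses, the token amounts and the fee percentages are all assumptions; the pair address stands in for a DEX liquidity pool, so a transfer from it is a buy and a transfer to it is a sell.

```python
# Added example for this article: a Python model of a scam ERC-20 token.
# Not CPR's code and not a real contract; addresses and amounts are assumed.

OWNER = "0xOWNER"          # assumed: deployer / contract owner
PAIR = "0xPAIR"            # assumed: DEX liquidity pool; from PAIR = buy, to PAIR = sell
VICTIM_A = "0xVICTIM_A"    # assumed buyer addresses
VICTIM_B = "0xVICTIM_B"


class ScamToken:
    """ERC-20-style balances with the four backdoors hidden in transfer()."""

    def __init__(self, supply):
        self.balances = {OWNER: supply}
        self.total_supply = supply
        self.buy_fee_pct = 0
        self.sell_fee_pct = 0
        self.sell_gate_enabled = False
        self.can_sell = {OWNER: True}   # once the gate is on, only listed addresses can sell
        self.fee_wallet = OWNER         # fees go straight to the owner

    def balance_of(self, who):
        return self.balances.get(who, 0)

    def _only_owner(self, caller):
        if caller != OWNER:
            raise PermissionError("caller is not the owner")

    # Owner-only functions. These are the backdoors: nothing caps the fee,
    # nothing delays the change (no timelock), and mint has no supply limit.
    def set_fees(self, caller, buy_fee_pct, sell_fee_pct):
        self._only_owner(caller)
        self.buy_fee_pct = buy_fee_pct      # a legitimate token would enforce a cap here
        self.sell_fee_pct = sell_fee_pct

    def enable_sell_gate(self, caller, enabled):
        self._only_owner(caller)
        self.sell_gate_enabled = enabled

    def mint(self, caller, to, amount):
        self._only_owner(caller)
        self.balances[to] = self.balance_of(to) + amount
        self.total_supply += amount

    # The transfer function every buyer and DEX router ends up calling.
    def transfer(self, sender, recipient, amount):
        if self.balance_of(sender) < amount:
            raise ValueError("insufficient balance")
        fee = 0
        if sender == PAIR:                               # buy
            fee = amount * self.buy_fee_pct // 100
        elif recipient == PAIR:                          # sell
            if self.sell_gate_enabled and not self.can_sell.get(sender, False):
                raise PermissionError("transfer not allowed")   # honeypot: buyer cannot exit
            fee = amount * self.sell_fee_pct // 100
        self.balances[sender] = self.balance_of(sender) - amount
        self.balances[self.fee_wallet] = self.balance_of(self.fee_wallet) + fee
        self.balances[recipient] = self.balance_of(recipient) + (amount - fee)
        return amount - fee    # what the recipient actually gets


def run_scenario():
    """Walk through the four tricks in order and report what each side ends up with."""
    token = ScamToken(1_000_000)
    token.transfer(OWNER, PAIR, 1_000_000)         # "add liquidity" while fees are still 0
    out = {}

    # 1. 99% buy fee: the buyer pays for 10,000 tokens and receives 100.
    token.set_fees(OWNER, 99, 0)
    out["victim_a_received_on_buy"] = token.transfer(PAIR, VICTIM_A, 10_000)
    out["owner_took_from_buy"] = token.balance_of(OWNER)

    # 2. Sell gate: the buyer holds tokens but the contract refuses every sell.
    token.enable_sell_gate(OWNER, True)
    try:
        token.transfer(VICTIM_A, PAIR, out["victim_a_received_on_buy"])
        out["victim_a_blocked_from_selling"] = False
    except PermissionError:
        out["victim_a_blocked_from_selling"] = True

    # 3. 99% sell fee: buying is free now, but exiting costs 99% of the position.
    token.set_fees(OWNER, 0, 99)
    token.enable_sell_gate(OWNER, False)
    token.transfer(PAIR, VICTIM_B, 10_000)
    out["pair_credited_on_victim_b_sell"] = token.transfer(VICTIM_B, PAIR, 10_000)

    # 4. Owner mint: create 5,000,000 tokens from nothing and dump them on the pool.
    token.mint(OWNER, OWNER, 5_000_000)
    token.set_fees(OWNER, 0, 0)
    out["total_supply_after_mint"] = token.total_supply
    out["owner_dumped_on_pool"] = token.transfer(OWNER, PAIR, token.balance_of(OWNER))
    return out


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The point of the model is that every trick lives in ordinary-looking owner functions and in the transfer path; a buyer reading only the token name, symbol and balance never sees them, which is why the contract source (and who controls its owner key) is what has to be checked.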
How It’s Done – The Misconfiguration of Smart Contracts
Smart contracts are programs stored on a blockchain that execute automatically when predetermined conditions are met. To create fraudulent tokens, scammers write the contract so that its fee, sell and mint functions can be abused by the owner after launch.
The CPR outlines the steps hackers use to take advantage of smart contracts:
- Leverage scam services: scammers usually pay a scam-as-a-service provider to generate the contract for them, or copy an already known scam contract and change only the token name and symbol (and, if they are more careful, some of the function names).
- Manipulate the functions: they then alter the functions that handle money transfers: blocking sells, raising fees, and so on. Most of these changes take effect only after buyers’ money has already gone in.
- Build hype on social media: they open Twitter, Discord or Telegram channels anonymously or under fake identities and promote the project until people start buying.
- “Rug pull” the money: once they have collected the amount they wanted, they pull all the money out of the contract’s pool and delete the social media channels.
- Skip time locks: these tokens typically do not lock a meaningful amount of money in the contract’s pool or add time locks to the contract. Time locks delay administrative actions (such as a fee change) for a set period and are generally considered a strong indicator of a legitimate project.
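A practitioner’s check for the red flags in the steps above, as an added example written for this article and not a CPR tool: a small Python scanner that walks the functions of a token’s Solidity source and flags an owner-settable fee with no upper bound, an owner-only mint, a per-address gate inside the transfer logic, and the absence of any timelock. The two Solidity snippets are constructed for the example (neither is a real contract); the heuristics are regex-based and will miss obfuscated contracts, so treat a clean result as necessary, not sufficient.

```python
# Added example for this article: a heuristic red-flag scanner for token
# contracts. Not a CPR tool; the Solidity below is constructed for the example.
import re

# Matches a function header up to its opening brace: name, params, modifiers.
FUNC_RE = re.compile(r"function\s+(\w+)\s*\(([^)]*)\)([^{;]*)\{")


def functions(source):
    """Yield (name, modifiers, body) for each function; body found by brace counting."""
    for m in FUNC_RE.finditer(source):
        depth, i = 1, m.end()
        while i < len(source) and depth:
            depth += {"{": 1, "}": -1}.get(source[i], 0)
            i += 1
        yield m.group(1), m.group(3), source[m.end():i - 1]


def scan(source):
    """Return a list of (code, detail) red flags found in a token's source."""
    flags = []
    for name, mods, body in functions(source):
        lname = name.lower()
        owner_only = "onlyowner" in mods.lower()
        # 1. Owner can change a fee and nothing bounds the new value (99% fee possible).
        if owner_only and lname.startswith("set") and "fee" in lname:
            if not re.search(r"require\s*\([^;]*<=", body):
                flags.append(("UNCAPPED_FEE", f"{name}: owner-settable fee with no upper bound"))
        # 2. Owner can create new tokens after launch and dump them.
        if owner_only and lname == "mint":
            flags.append(("OWNER_MINT", f"{name}: owner can mint unlimited supply"))
        # 3. Transfer logic consults a per-address flag: the owner decides who may sell.
        if lname in ("_transfer", "transfer", "transferfrom"):
            if re.search(r"require\s*\([^;]*\[\s*(from|sender|msg\.sender)\s*\]", body):
                flags.append(("TRANSFER_GATE", f"{name}: per-address require() gates transfers"))
    # 4. No timelock anywhere: privileged changes take effect immediately.
    if not re.search(r"timelock", source, re.I):
        flags.append(("NO_TIMELOCK", "no timelock: owner actions are not delayed"))
    return flags


# Constructed sample: a contract with all four backdoors (not a real token).
SCAM_SOURCE = """
contract ScamToken is ERC20, Ownable {
    address public pair;
    uint256 public buyFee;
    uint256 public sellFee;
    mapping(address => bool) public canSell;

    function setFees(uint256 _buy, uint256 _sell) external onlyOwner {
        buyFee = _buy;
        sellFee = _sell;
    }

    function setCanSell(address who, bool ok) external onlyOwner {
        canSell[who] = ok;
    }

    function mint(address to, uint256 amount) external onlyOwner {
        _mint(to, amount);
    }

    function _transfer(address from, address to, uint256 amount) internal override {
        uint256 fee = 0;
        if (from == pair) {
            fee = amount * buyFee / 100;
        } else if (to == pair) {
            require(canSell[from], "not allowed");
            fee = amount * sellFee / 100;
        }
        super._transfer(from, owner(), fee);
        super._transfer(from, to, amount - fee);
    }
}
"""

# Constructed sample: capped fee, no mint, no gate, owned by a timelock.
FAIR_SOURCE = """
contract FairToken is ERC20, Ownable {
    uint256 public constant MAX_FEE = 5;
    uint256 public sellFee;
    address public timelock;   // assumed: a TimelockController that owns this contract

    function setSellFee(uint256 _fee) external onlyOwner {
        require(_fee <= MAX_FEE, "fee too high");
        sellFee = _fee;
    }
}
"""

if __name__ == "__main__":
    for label, src in (("scam", SCAM_SOURCE), ("fair", FAIR_SOURCE)):
        print(label, scan(src) or "no flags")
```

Run it against the verified source a block explorer shows for a token before buying; the interesting output is not only the flags but which function they point at, since that is what you should read by hand next.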
Tips to avoid fraudulent coins
Having a wallet is the first step to using Bitcoin and, by extension, any other cryptocurrency. A key protection is to split holdings across at least two wallets: one to hold long-term purchases and another for trading and exchanging. This limits what is lost if one of them is compromised, because a wallet also holds the private keys that control its funds. Each wallet has a public address that other users can use to send cryptocurrency to it.
Check Point Research indicates that people often search for wallet platforms on Google, and that is where they make one of the biggest mistakes: they click on a Google ad. Cybercriminals buy these ad slots and point them at malicious websites that steal credentials or passwords. It is safer to scroll past the ads to the organic results below them. According to CPR, users are generally not careful enough here, and cybercriminals take advantage of it.

Before sending a large amount of crypto, first send a “test” transaction with a minimal amount. If the transaction goes to a fake wallet, the deception is easier to detect and far less is lost.

The company also says that enabling two-factor authentication is one of the most important measures against any account takeover. When an attacker tries to log in with a stolen password, the legitimate user receives a prompt to verify the attempt and can refuse it. With two-factor authentication, logging in requires a second piece of information in addition to the password, so a password alone is not enough.
“Check Point Research invests significant resources in studying the intersection of cryptocurrencies and security,” says Oded Vanunu, Head of Products Vulnerabilities Research at Check Point Software.
“Last year, we identified the theft of crypto wallets on OpenSea, the world’s largest NFT marketplace. And we also alerted crypto wallet users to a massive search engine phishing campaign that resulted in taking at least half a million dollars in days. Our latest post shows what real smart contract fraud looks like and exposes real token fraud in the wild: hidden 100% fees and gated functions used to steal funds,” he said.
“The implication is that crypto users will continue to fall into these traps and lose their money. This post aims to alert the crypto community that scammers are creating fraudulent tokens to steal funds. To avoid fraudulent coins, I recommend that crypto users diversify their portfolios, ignore ads and test their transactions.”