Cryptocurrency scammers are sending custom tokens that lure victims into visiting a phishing site designed to steal crypto from their wallets, according to reports made by observers and people targeted by the scam.
A Solidity developer who goes by “Shegenerates” was among the first to raise the alarm about this new scam. In a tweet on Thursday, she wrote that someone sent her “airdropped” tokens supposedly worth $30,000, but in reality it was a “sophisticated scam.”
Shegenerates told Motherboard in an online chat that the scams work like this: scammers send a useless token, which can’t be rejected by the recipient due to the nature of blockchains. This kind of token “airdrop” has become a popular way for web3 projects to reward early users and investors when, say, a protocol launches a governance token. The token Shegenerates highlighted was named after a website, which is very odd. According to Shegenerates, that website is a phishing site that asks victims for permission to access their Metamask crypto wallet. If the victim approves, then the scammers can drain their funds.
With the value of cryptocurrency climbing over the course of 2021, scammers and hackers have increasingly targeted not only crypto exchanges and organizations, but also individuals who own Bitcoin, Ethereum, or any other cryptocoin or token.
“We’re seeing an increasing number of phishing scams that attempt to take control of peoples’ web wallets. This one is novel because people are being sent (“airdropped”) tokens, and directed towards a website that claims to be a decentralized exchange,” Tom Robinson, the co-founder of blockchain analysis firm Elliptic, told Motherboard in an email. “[The scam is] luring them to a site where they’re told they can sell the tokens they’ve been given—but the site actually steals whatever is in their wallets.”
Interestingly, the scammer appears to have added their own liquidity to the token to make it look like it’s worth something when the victim attempts to swap it on a decentralized exchange like Uniswap.
According to Shegenerates, attempts to swap the tokens have resulted in failed transactions, which are posted to the blockchain forever and may indicate to scammers which victims are willing to interact with tokens of unknown provenance for a quick profit. It would also mean that the scammer would reap a fee reward in the event of a successful swap.
It’s unclear how many people have been targeted, or have actually fallen for this scam. Jonathan Levin, the co-founder of blockchain monitoring firm Chainalysis, said that this kind of scam “is gonna be something hard to combat.”
In her tweets, Shegenerates warned people to never interact with tokens or smart contracts that get sent out of the blue, and to never go to custom websites that are specific to a token.
“If a token name has a domain name in it, that is a big red flag not to go to that website and get phished,” she wrote.
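The red flag described above can be checked automatically before a wallet or portfolio view shows an unsolicited token. The following Python sketch is an added example, not code from Shegenerates or Motherboard; the function names, the short TLD set and the sample tokens are constructed for illustration.

```python
import re
import unicodedata

# Small constructed TLD set for the demo; a real filter would load a full
# list such as the Public Suffix List.
TLDS = {"com", "net", "org", "io", "xyz", "app", "finance", "exchange"}

# "[.]", "(dot)" and similar bracketed forms used to write a domain indirectly.
_DEFANGED_DOT = re.compile(r"\s*[\[\(]\s*(?:\.|dot)\s*[\]\)]\s*")
# Two or more hostname labels joined by dots.
_DOTTED = re.compile(r"[a-z0-9-]+(?:\.[a-z0-9-]+)+")

def domains_in_token_name(text):
    """Return domain-like strings embedded in a token name or symbol."""
    # NFKC folds look-alike forms (e.g. full-width dots and letters) to ASCII.
    norm = unicodedata.normalize("NFKC", text).lower()
    norm = _DEFANGED_DOT.sub(".", norm)
    hits = []
    for match in _DOTTED.finditer(norm):
        candidate = match.group(0)
        # Only treat it as a domain if the last label is a known TLD, so
        # strings like "v2.0" or "U.S." are not flagged.
        if candidate.rsplit(".", 1)[1] in TLDS:
            hits.append(candidate)
    return hits

def flag_unsolicited_tokens(tokens):
    """Map token symbol -> embedded domains, for tokens that should be hidden."""
    flagged = {}
    for token in tokens:
        found = domains_in_token_name(token["name"])
        found += domains_in_token_name(token["symbol"])
        if found:
            flagged[token["symbol"]] = sorted(set(found))
    return flagged

# Constructed sample of tokens received by a wallet (not real on-chain data).
SAMPLE_TOKENS = [
    {"name": "USD Coin", "symbol": "USDC"},
    {"name": "Visit claim-rewards.example.org to swap", "symbol": "CLAIM"},
    {"name": "Example LP", "symbol": "example[.]com"},
    {"name": "AirdropToken v2.0", "symbol": "ADT"},
]

if __name__ == "__main__":
    for symbol, domains in flag_unsolicited_tokens(SAMPLE_TOKENS).items():
        print(f"hide {symbol!r}: name or symbol embeds {domains}")
```

A match is a reason to hide the token and not visit the site, not proof of fraud; tokens without a domain in the name can still be malicious.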