The security company Check Point Research (CPR) has revealed how fraudsters misconfigure smart contracts to create fraudulent tokens. The study details the method they use to steal money from users and shows examples of smart contract configuration errors that give rise to financial scams. The findings build on previous CPR research on cryptocurrencies. Last October, CPR identified wallet theft at OpenSea, the world’s largest NFT marketplace. And in November, researchers revealed that cybercriminals were using phishing campaigns on search engines to steal half a million dollars in a matter of days.
The same sources indicate that 2021 saw an all-time high in cryptocurrency-related crime, with fraudsters stealing 14,000 million dollars. The increase in fraud and threats is related to the immense growth of this activity around the world.
The latest announcements and advances from companies show an increased interest in cryptocurrencies. For example, PayPal is considering launching its own cryptocurrency, Facebook has changed its name to Meta, and MasterCard has announced that its network partners can allow their consumers to buy, sell and hold them using a digital wallet.
What’s more, Disney wants to build a metaverse, Nike bought an NFT company, and Starbucks customers can now use the new Bakkt app to pay at the chain’s coffee shops with converted bitcoin. Microsoft is also building its metaverse, and Visa has confirmed that it is conducting a pilot with Crypto.com to accept cryptocurrencies to settle transactions on its payment network. Adidas joined the metaverse through NFTs. Funds are flowing into this format, so it’s no wonder attackers are targeting this new form of payment.
Recently, the BBC reported that a token called SQUID took $3.38 million from crypto investors in a large-scale scam. A token is a currency similar to bitcoin and Ethereum; some token projects are created to innovate and build new technology, while others exist for fraudulent purposes.
How to identify cryptocurrency scams
The investigation looks into how cybercriminals have created tokens to scam consumers and offers advice on how to identify these scams:
- Some tokens carry a 99% purchase fee, which allows all of the buyer's money to be stolen at the purchase stage.
- Some tokens (the SQUID token, for example) do not allow the buyer to resell, so the only one authorized to sell is the owner.
- Other tokens impose a 99% sales commission, which means that at the sale stage all your money will be taken from you.
- Others are not malicious but have security vulnerabilities in the contract source code, and lose their funds to cybercriminals who exploit those vulnerabilities.
How smart contracts are misconfigured
To create fraudulent tokens, cybercriminals misconfigure so-called smart contracts: programs stored on the blockchain that are executed when predetermined conditions are met. Check Point Research outlines the steps attackers take to take advantage of these types of contracts.
- They manipulate the functions that handle the transfer of money, preventing selling or increasing the amount of the fee. Most manipulations occur when money is transferred.
- They create hype through social networks: they open Twitter/Discord/Telegram channels without revealing their identity, or using false images of other people, and start hyping the project so that the public starts buying.
- “Withdrawal of money”: once they reach the amount of money they want, they withdraw all the money from the contract and delete all the social media channels.
- They omit timelocks: you won’t see these tokens locking up a lot of money in the contract pool, nor will they add timelocks. Timelocks are mostly used to delay administrative actions and are generally considered a strong indicator that a project is legitimate.
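The warning signs in the two lists above can be checked by simulating a purchase and an immediate resale as an ordinary account before committing real funds. The sketch below is an added example, not code from Check Point Research: `TokenModel`, its fields, the flag names and the 10% fee threshold are all assumptions standing in for a real contract's transfer rules.

```python
from dataclasses import dataclass
from typing import Optional, Set

class SellBlocked(Exception):
    """The modelled contract refused the sale."""

@dataclass
class TokenModel:
    """Constructed stand-in for a token's transfer rules (not a real contract)."""
    buy_fee: float = 0.0                        # fraction withheld on purchase
    sell_fee: float = 0.0                       # fraction withheld on sale
    allowed_sellers: Optional[Set[str]] = None  # None means anyone may sell
    timelock_hours: int = 0                     # delay on admin actions, 0 = none

    def buy(self, paid: float) -> float:
        return paid * (1 - self.buy_fee)

    def sell(self, seller: str, tokens: float) -> float:
        if self.allowed_sellers is not None and seller not in self.allowed_sellers:
            raise SellBlocked(seller)
        return tokens * (1 - self.sell_fee)

def round_trip_flags(token, stake=100.0, max_fee=0.10):
    """Buy then sell as an ordinary account and report which warning signs appear."""
    flags = []
    received = token.buy(stake)
    if 1 - received / stake > max_fee:           # most of the stake vanished on entry
        flags.append("HIGH_BUY_FEE")
    try:
        returned = token.sell("ordinary-buyer", received)
        if received > 0 and 1 - returned / received > max_fee:
            flags.append("HIGH_SELL_FEE")
    except SellBlocked:                          # only privileged accounts can exit
        flags.append("SELL_BLOCKED")
    if token.timelock_hours == 0:                # admin actions take effect at once
        flags.append("NO_TIMELOCK")
    return flags

# Constructed samples, one per pattern in the lists above plus a clean baseline.
SAMPLES = {
    "buy-fee-99": TokenModel(buy_fee=0.99),
    "owner-only-sell": TokenModel(allowed_sellers={"owner"}),
    "sell-fee-99": TokenModel(sell_fee=0.99),
    "baseline": TokenModel(buy_fee=0.02, sell_fee=0.02, timelock_hours=48),
}

if __name__ == "__main__":
    for name, model in SAMPLES.items():
        print(f"{name:16} {round_trip_flags(model) or ['no flags']}")
```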