Plenty of Phish

The tide may be turning, but crypto’s waters remain as treacherous as ever.

In the high-stakes world of crypto phishing, where each bite could be worth upwards of a million dollars, innovative strategies and updated equipment may provide the edge needed to reel in a victim.

Be they bored zoomers funding a Roblox habit or nation-state level threat actors, those conducting phishing campaigns show no signs of letting up.

As we wrote in our last phishing roundup:

crypto is providing especially bountiful waters lately

Since then, a slew of incidents have targeted minnows and whales alike, aided by an ever-expanding range of delivery mechanisms, and novel ways of avoiding detection.

Until it’s too late.

Inexperienced newbies and risky FOMO-chasers are a staple for simple scams, but now veteran users and even team multisigs are falling victim.

A good phisherman is always keen to try out the latest tackle, and get their hands on the most tempting lures…

Scam-as-a-service is clearly a lucrative business.

The infamous Inferno Drainer decided they'd made enough to retire recently, after having siphoned off a total of $70M from over 100k victims.

But out-of-the-box wallet drainers continue to evolve.

A new approach plays cat-and-mouse with efforts to flag suspicious addresses, relying on the CREATE2 opcode to deploy a fresh contract address for each phished signature.

This ensures that a potential victim’s wallet UI is unable to alert them of any previously known suspicious activity on the address, as it is not associated with past scams. ScamSniffer explains:

With create2, the Drainer can easily generate temporary new addresses for each malicious signature.

After the victim signs the signature, the Drainer creates a contract at that address and transfers the user's assets.

The motivation is to bypass wallet security checks.

As detailed in the blog post, in the case of malicious signature phishing, the freshly-approved address is deployed and assets are transferred within the same transaction.

This vector has been used in the wild recently, including over $900k lost (via an open-sourced drainer contract), as well as during the front-end compromise of Velodrome (round one of two), in which over $100k was lost.

Another technique also uses CREATE2, but to pre-generate large numbers of potential addresses for use in address-poisoning attacks.

These addresses can then be used to contaminate transaction histories with spam transactions to addresses which appear similar to genuine past transfers, in the hopes that a copy-paste error leads to sending funds to the scammer instead.

Generating contract addresses via CREATE2 (instead of standard EOA addresses) has the advantage of not needing to top up gas for each successfully used address, nor having to store private keys for each of the millions of addresses generated.

This kind of attack has long lain in wait, hoping for a fat finger to slip.

However, a recent spate of attacks on Safe multisig wallets has seen over $2M lost in a week, to an experienced attacker who has netted over $5M in four months.

One such victim was the Florence Finance team who admitted to an ‘operational oversight’ resulting in a $1.45M loss from their multisig (tx).

It’s hard to believe that multiple signers would fall for such a well-known vector, however, this case involves an extra layer of deception.

It appears that, while Etherscan has been hiding these spam txs since April, the ‘History’ tab of the Safe UI could be tricked into displaying the fake token as genuine, by using the Unicode for ‘USDC’ as the token tracker.

The UI appears to have since been updated to hide such spoofed transactions and avoid further incidents.

Innovation is not just for the scripts themselves, however. Enticing delivery mechanisms are the bait that keep the victims biting.

Greed is the main motivator, especially when presented as FOMO-inducing alpha.

A fake staking programme hidden within a Snapshot proposal, hiding malicious URLs in supposed transfer addresses, and even attempting to appear legitimate by plugging VC backing.

Guess it paid off for Blast’s ‘deposit now, build later’ strategy…

Scare tactics can also prove to be powerful traps, relying on panic taking over and clouding judgment.

Accounts impersonating web3 security researchers (Peckshield, ZachXBT and others) managed to drain over $300k by prompting worried users to ‘revoke approvals’ via a malicious link, based on supposed incidents at Uniswap and OpenSea.

And muddy waters make it ever more difficult to know who to trust.

Twitter’s verification shitshow is worse than ever. Shameless influencers take advantage of perceived legitimacy whilst remaining negligent of even basic protections for their followers. Those that are eventually banned had free reign for months to make their millions.

Even mainstream accounts can be untrustworthy when it comes to securing their profile.

Deeper lures may lead to a bigger catch, but more work is required, and chances of detection are higher.

More persistent individuals are targeting known figures in the crypto community, posing as investors, and attempting to deliver payloads via Calendly links or whilst organising an online meeting.

Alternatively, would-be security researchers dressing up a DDoS attack as a critical security incident, can be a way to extort projects for high fees to 'fix' the vulnerability.

With seemingly endless ways to get rekt, as the markets pick up we’re bound to see a corresponding uptick in victims.

When front-end attacks seem to come almost every week (Frax, SpookySwap and Trader Joe have all been affected recently), standard advice such as bookmarking URLs just doesn’t cut it.

When it comes to excitable apes chasing new opportunities, maintaining an in-wallet address book and vetting each new contract address against a block explorer and project docs is perhaps a tall order.

Although some wallets contain warnings for flagged addresses, new interactions, etc., the above examples show that it’s still necessary to remain vigilant. However, some appear to be putting their money where their mouth is.

Despite being one of the obvious problem areas to work on during the bear market, UX/UI has remained stagnant and not exactly newbie-friendly.

Much talk of account abstraction has led to no clear winners and, as hype takes over, incoming retail will likely stick with the same tools as last cycle.

Until they learn the hard way.

Tracing those responsible occasionally does yield results, but even when deposited directly to exchanges, some don’t seem to care. Others still appear to be in on the scam themselves.

Even when courts are presented with an open and shut case, they can’t be relied upon to punish those responsible.

Existing legal systems have clearly not caught up on all the innovative ways crypto allows us to steal from one another.

But when the legacy system, which often equates this industry with criminal activity, fails to prosecute a clear example, it feels somewhat hypocritical.

It is, however, heartening to remember that, for all the innovation on display, those responsible aren’t always geniuses; October’s FTM wallet hacker could have sent the ERC-20 token to zero, worth $170M at the time.

Almost as big an oversight as ‘reassigning’ a wallet with an admin token to the FTM contract to a team member in the first place…

When not funding almost half of the supreme leader’s military budget, the proceeds of phishing campaigns often end up on the roulette table, where ironically it finds it’s way back to Lazarus, anyway.

As the bear gives way, there’s sure to be plenty more phish in the sea.

While stoic hopium turns into green-candle induced euphoria, and the FOMO begins to set in…

…will you manage to avoid taking the bait?

REKT serves as a public platform for anonymous authors, we take no responsibility for the views or content hosted on REKT.

donate (ETH / ERC20): 0x3C5c2F4bCeC51a36494682f91Dbc6cA7c63B514C

disclaimer:

REKT is not responsible or liable in any manner for any Content posted on our Website or in connection with our Services, whether posted or caused by ANON Author of our Website, or by REKT. Although we provide rules for Anon Author conduct and postings, we do not control and are not responsible for what Anon Author post, transmit or share on our Website or Services, and are not responsible for any offensive, inappropriate, obscene, unlawful or otherwise objectionable content you may encounter on our Website or Services. REKT is not responsible for the conduct, whether online or offline, of any user of our Website or Services.