Check Point Research reveals how hackers run token scams and 'Rug Pull' money - and how to avoid them
Check Point Research (CPR) has revealed how scammers are altering smart contracts to create fraudulent tokens. They then use the altered smart contracts to "rug pull" money from people, leading to money heists.
The findings come after cryptocurrency research from CPR last October, where the research company identified crypto wallet theft on OpenSea, the world's largest NFT marketplace. In November last year, CPR also found that hackers were using search engine phishing campaigns to steal half a million dollars in only a few days.
The company says hackers will continue to set traps, and it shares four safety tips on how to avoid scam coins.
What scam coins look like
CPR says some tokens contain a 99% buy fee, which will steal all your money at the buying phase. It says some tokens don't allow the buyer to resell, so only the owner can sell. Some tokens contain a 99% sell fee, which will steal all your money at the selling phase. And some allow the owner to create more coins in their wallet and sell them.
How it's done - The misconfiguring of smart contracts
Smart contracts are programs stored on a blockchain that run when predetermined conditions are met. To create fraudulent tokens, hackers misconfigure these smart contracts.
CPR outlines the steps that hackers use to take advantage of smart contracts:
- Leverage scam services: Hackers usually use scam services to create the contract for them, or they copy an already known scam contract and modify the token name and symbol and, if they are really sophisticated, some of the function names as well.
- Manipulate functions: They then manipulate the functions that transfer money, preventing you from selling, increasing the fee amount, and more. Most manipulations occur at the point where money is transferred.
- Create hype via social media: Hackers then open social channels, such as Twitter, Discord, or Telegram, without revealing their identity or using fake identities. They will start hyping the project, so people start buying.
- "Rug and pull" the money: After they reach the amount of money they want, they pull all the money from the contract and delete all the social media channels.
- Skip timelocks: You usually won't see those tokens lock a large amount of money in the contract pool or even add timelocks to the contract. Timelocks are generally used to delay administrative actions and are mostly considered a strong indicator of a legitimate project.
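The four traits listed under "What scam coins look like" and the "Manipulate functions" step can be observed from the buyer's side by round-tripping a small stake as a non-owner. The following is an added example, not code from CPR or from any real contract: `ToyToken`, `audit`, the wallet names and the 10% threshold are all hypothetical, and the token is a constructed in-memory model.

```python
from dataclasses import dataclass, field

@dataclass
class ToyToken:
    """Constructed stand-in for a token's transfer logic (hypothetical fields)."""
    owner: str
    buy_fee_pct: int = 0
    sell_fee_pct: int = 0
    owner_only_sell: bool = False
    owner_can_mint: bool = False
    balances: dict = field(default_factory=dict)

    def buy(self, who, paid):
        got = paid * (100 - self.buy_fee_pct) // 100   # fee taken at buy time
        self.balances[who] = self.balances.get(who, 0) + got
        return got

    def sell(self, who, amount):
        if self.owner_only_sell and who != self.owner:
            raise PermissionError("sell rejected for non-owner")
        if self.balances.get(who, 0) < amount:
            raise ValueError("insufficient balance")
        self.balances[who] -= amount
        return amount * (100 - self.sell_fee_pct) // 100  # fee taken at sell time

    def mint(self, caller, amount):
        if not (self.owner_can_mint and caller == self.owner):
            raise PermissionError("mint disabled")
        self.balances[caller] = self.balances.get(caller, 0) + amount

def audit(token, probe="probe-wallet", stake=10_000, max_fee_pct=10):
    """Buy then sell a small stake as a non-owner; return the traits observed."""
    findings = []
    got = token.buy(probe, stake)
    buy_fee = 100 - got * 100 // stake
    if buy_fee > max_fee_pct:
        findings.append(f"buy fee {buy_fee}%")
    if got:  # nothing left to sell if the buy fee took everything
        try:
            back = token.sell(probe, got)
            sell_fee = 100 - back * 100 // got
            if sell_fee > max_fee_pct:
                findings.append(f"sell fee {sell_fee}%")
        except PermissionError:
            findings.append("non-owner cannot sell")
    try:
        token.mint(token.owner, 1)   # can the owner create coins at will?
        findings.append("owner can mint")
    except PermissionError:
        pass
    return findings
```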
Tips to avoid scam coins
Having a wallet is the first step to using bitcoins and, by extension, any other cryptocurrency. A key to keeping them safe is diversifying and having a minimum of two different crypto wallets. Use one to store purchases and the others to trade and exchange cryptocurrencies. In this way, users will keep their assets more protected because the wallets also store the passwords of each user. These are a fundamental part of trading cryptocurrencies and having a public key, making it possible for other users to send cryptocurrencies to your wallet.
Check Point Research says people often search for bitcoin wallet platforms through Google, and this is when they can make one of the biggest mistakes: they click on a Google Ad. Cybercriminals frequently use these links, creating malicious websites, to steal credentials or passwords. It is safer to go to the web pages below the Google Ads.
CPR says people typically err on the side of caution, and cybercriminals take advantage of this. Before sending large amounts of crypto, first send a "test" transaction with a minimum amount to avoid these traps. This way, if the transaction is being sent to a fake wallet, it will be easier to detect the deception and much less will be lost.
The company also says activating two-factor authentication is one of the most significant steps that can be taken against any cyberattack. So when an attacker tries to log in, they will receive a message to check their authenticity, preventing them from gaining access. With two-factor authentication, instead of requiring only a password for authentication, logging into an account will require the user to submit a second piece of information, making it more secure.
"Check Point Research is investing significant resources into studying the intersection of cryptocurrencies and security," says Check Point Software head of products, Vulnerabilities Research, Oded Vanunu.
"Last year, we identified the theft of crypto wallets on OpenSea, the world's largest NFT marketplace. And we also alerted crypto wallet users of a massive search engine phishing campaign that resulted in at least half a million dollars being taken in a matter of days. Our latest publication shows what fraud of actual smart contracts looks like and exposes real token fraud in the wild - hiding 100% fees and backdoor functions," he says.
"The implication is that crypto users will continue to fall into these traps and will lose their money. This publication aims to alert the crypto community that scammers are creating fraudulent tokens to steal funds. To avoid scam coins, I recommend crypto users to diversify their wallets, ignore ads and test their transactions."