How Hackers Run Token Scams to “Rug Pull” Money

In a new publication, Check Point Research (CPR) shows how scammers misconfigure smart contracts to create fraudulent tokens. The report details the method scammers are currently using to “rug pull” money from people and provides examples of smart contract misconfigurations that can lead to money heists. The findings build on top of previous cryptocurrency research from CPR. Last October, CPR identified theft of crypto wallets on OpenSea, the world’s largest NFT marketplace. And last November, CPR revealed that hackers were using search engine phishing campaigns to steal half a million dollars in a matter of days.

  • CPR shows what fraud of actual smart contracts can look like
  • CPR exposes real token fraud in the wild that uses the following evasions: a) hiding 100% fee functions b) hiding backdoor functions
  • CPR warns that hackers will continue to set traps and shares four safety tips on how to avoid scam coins

In a new report, Check Point Research (CPR) exposes how hackers are creating malicious tokens to steal money.

What Scam Coins Look Like

  • Some tokens contain a 99% buy fee, which will steal all your money at the buying phase.
  • Some tokens don’t allow the buyer to resell; only the owner may sell.
  • Some tokens contain a 99% sell fee, which will steal all your money at the selling phase.
  • Some allow the owner to create more coins in his wallet and sell them.
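The four patterns above can be told apart by behaviour alone: round-trip a small stake and compare what comes back with what went in. The following is an added example, not code from CPR or from any real token. `ModelToken`, `probe`, the 1:1 price and the 10% fee threshold are assumptions made for illustration, and the token is a constructed in-memory model rather than an on-chain contract.

```python
class SellBlocked(Exception):
    """Raised by the model when a non-owner sell is rejected."""

class ModelToken:
    """Constructed stand-in for a token and its pool (1 coin buys 1 token)."""
    def __init__(self, buy_fee=0.0, sell_fee=0.0, owner_only_sell=False, owner_mint=0.0):
        self.buy_fee, self.sell_fee = buy_fee, sell_fee
        self.owner_only_sell, self.owner_mint = owner_only_sell, owner_mint
        self.supply = 1_000_000.0

    def buy(self, coins):
        # Tokens actually credited to the buyer after the fee is taken.
        return coins * (1 - self.buy_fee)

    def sell(self, tokens, is_owner=False):
        # Coins paid out to the seller, unless the sale is rejected.
        if self.owner_only_sell and not is_owner:
            raise SellBlocked("transfer rejected")
        return tokens * (1 - self.sell_fee)

    def tick(self):
        # Owner activity between two observations of total supply.
        self.supply += self.owner_mint

def probe(token, stake=1.0, max_fee=0.10):
    """Round-trip a small stake; return the scam patterns that were observed."""
    findings = []
    supply_before = token.supply
    got = token.buy(stake)
    buy_fee = 1 - got / stake
    if buy_fee > max_fee:
        findings.append(f"buy fee {buy_fee:.0%}")
    if got > 0:  # nothing to sell if the buy fee took everything
        try:
            sell_fee = 1 - token.sell(got) / got
            if sell_fee > max_fee:
                findings.append(f"sell fee {sell_fee:.0%}")
        except SellBlocked:
            findings.append("sell blocked for non-owner")
    token.tick()
    if token.supply > supply_before:
        findings.append("supply inflated by owner")
    return findings

if __name__ == "__main__":
    print(probe(ModelToken(buy_fee=0.99)))
```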

The How: Misconfigure Smart Contracts

To create fraudulent tokens, hackers misconfigure smart contracts. Smart contracts are programs stored on a blockchain that run when predetermined conditions are met. CPR outlines the steps that hackers take to take advantage of smart contracts:

  1. Leverage scam services. Hackers usually use scam services to create the contract for them, or they copy an already known scam contract and modify the token name and symbol, and some of the function names as well if they are really sophisticated.
  2. Manipulate functions. Then they manipulate the functions that handle money transfers: they prevent you from selling, increase the fee amount, and more. Most of the manipulations are found where money is being transferred.
  3. Create hype via social media. Then they open social channels, such as Twitter/Discord/Telegram, without revealing their identity or while using the fake identity of other people, and they start hyping the project so that people start buying.
  4. “Rug and pull” the money. After they reach the amount of money they want, they pull all the money from the contract and delete all the social media channels.
  5. Skip timelocks. You usually won’t see those tokens lock a large amount of money in the contract pool, or even add a timelock to the contract. Timelocks are mostly used to delay administrative actions and are generally considered a strong indicator that a project is legitimate.

Tips to Avoid Scam Coins

  • Diversify wallets: having a wallet is the first step to be able to use bitcoins and, by extension, any other cryptocurrency. These wallets are the tool with which users store and manage their bitcoins. One of the keys to keeping them safe is to have a minimum of two different crypto wallets. The objective is that the user can use one of them to store their purchases and the others to trade and exchange cryptocurrencies. In this way, they will keep their assets more protected because the wallets also store the passwords of each user. These are a fundamental part of trading cryptocurrencies and have a public key, which is what makes it possible for other users to send cryptocurrencies to your wallet. If a cybercriminal manages to access these through any attack, it will be the wallet with which you are trading, and if you have another wallet in which the already acquired ones are stored, those bitcoins will be kept safe.
  • Ignoring the ads: many times, users search for bitcoin wallet platforms through Google. And it is at that moment when they can make one of the biggest mistakes – they click on one of the Google Ads, which appear in the first place. Cybercriminals are often behind these links, creating malicious websites through which to steal credentials or passwords. Therefore, it is safer to go to the web pages that appear lower in the search engine and that are not a Google Ad.
  • Test transactions: there are times when many people err on the side of caution and cybercriminals take advantage of this. To avoid falling into one of their traps, one of the measures that can be put into practice is that before sending large amounts of crypto, you must first send a “test” transaction with a minimum amount. In this way, in case we are sending it to a fake wallet, it will be easier to detect the deception and we will lose much less.
  • Double attention to increase security: one of the best measures to implement to protect against any type of cyberattack is to activate two-factor authentication on the platforms on which you have an account. This way, when any attacker tries to log in to any of them in an irregular way, they will receive a message to check their authenticity, preventing a cybercriminal from gaining access. With two-factor authentication, instead of requiring only a password for authentication, logging into an account will require the user to submit a second piece of information, making it more secure.

Check Point Research is investing significant resources into studying the intersection of cryptocurrencies and security. Last year, we identified the theft of crypto wallets on OpenSea, the world’s largest NFT marketplace. Last year, we also alerted crypto wallet users of a massive search engine phishing campaign that resulted in at least half a million dollars being taken in a matter of days. In our latest publication, we show what fraud of actual smart contracts looks like, and expose real token fraud in the wild: a) hiding 100% fee functions and then b) hiding backdoor functions. The implication is that crypto users will continue to fall into these traps, and will lose their money. Our aim with this publication is to alert the crypto community that scammers are, indeed, creating fraudulent tokens to steal funds. To avoid scam coins, I recommend that crypto users diversify their wallets, ignore ads and test their transactions.