Shameful! Using war to commit fraud - Analysis of the fake Ukrainian token airdrop fraud incident

Background

Since the outbreak of the Russian-Ukrainian war, the Ukrainian government has been calling on the crypto community to support it by donating BTC, ETH, USDT, etc. and has received more than $30 million worth of cryptocurrencies. On Ethereum, Ukraine's official donation address is:

0x165cd37b4c644c2921454429e7f9358d18a45e14 (abbreviated as 0x165c).

On March 2, Ukrainian officials confirmed on Twitter that they would conduct an airdrop for those who have donated. However, they did not specify what the airdrop would be, and whether the rewards would be tokens, NFTs, or other forms.

As soon as this statement was made, public opinion was in an uproar. Everyone knows what it means for a country to issue and airdrop cryptocurrency. In just a few days, various frauds and terrorist-related chaos occurred frequently. Fortunately, a few days later, the Ukrainian government announced that the plan was cancelled, avoiding a farce.

Although the airdrop plan has been cancelled, speculation or fraud using this event is still happening. The most representative example is the Peaceful World token that will be analyzed below. SharkTeam’s exclusive technical analysis is here. Investors are advised to be vigilant.

Peaceful World Fraud Technical Analysis

On March 3, Etherscan data showed that Ukraine’s official cryptocurrency donation wallet was holding nearly 7 billion Peaceful World tokens, which appeared to be the tokens that would be used for the country’s first cryptocurrency airdrop.

The Peaceful World Token address is:

0x5183f41477c6EE95F88351D9EC17AA415D3F60Ba (abbreviated as 0x5183),

The transaction hash for token contract deployment and minting is:

0xfe1f5ed7277903531f8dd15702604d648eefa787ef4efe7762b5582dbd60b67f,

The transaction content is as follows:

The above transaction creates the Peaceful World Token contract and mints 7 billion Peaceful World tokens for the Ukrainian official donation address 0x165c in the constructor. The contract constructor is as follows:

The constructor parameters are as follows:

When creating a contract, create is initialized to 0x165c and three auxiliary addresses are set:

0xf1874c192cf7a6a65c6e057706b805b9f31ee0b7 (abbreviated as 0xf187),

0xe9af51aaa1782fdc7c39048a81286505125ca303 (abbreviated as 0xe9af),

0xbf7ae6ea0ed53f7ede5bfe1c255c8bf371aa2954 (abbreviated as 0xbf7a).

The airdrop function airDrop contract is as follows:

Only three auxiliary accounts can initiate the airdrop, and the airdropped tokens are Peaceful World tokens, which are deducted from the 7 billion Peaceful World tokens minted by the contract 0x165c. From the above transactions and contracts, we found that:

1. The address for initiating transactions to create contracts and mint tokens is not 0x165c, but 0xed4c5ae400f4764cbffd7848c3f48c4d4641ceea (abbreviated as 0xed4c);

2. The addresses that can initiate airdrop transactions can only be 3 auxiliary addresses. Other account addresses including addresses 0x165c and 0xed4c cannot initiate airdrop transactions;

3. The airdropped tokens are deducted from the 0x165c account, but 0x165c cannot initiate airdrops.

After deploying the Token contract, account 0xed4c initiated a transaction (transaction hash is 0x4cd3779a7117777af36945c1ac0750ab0b88d6f7009871cd4e06a8df976f5140), changing the contract owner to account 0x165c. However, the addresses that can initiate airdrop transactions are still limited to the three initialized auxiliary accounts.

4. Based on the above analysis, we found that Peaceful World is not an airdrop token officially released by Ukraine, but a phishing scam. After the minting was completed, the auxiliary address initiated an airdrop, such as the following transaction:

5. Account 0xb874 created a liquidity pool of Token and other tokens (such as WETH, USDC) in Uniswap V2. Taking WETH as an example, the transaction Hash is:

0x70d66923bf5f08869c95472c0a5717ddc84927801bd65d4be4de7e841a7ffdaf, as follows:

The mining pool address is 0x50CDEEcAD82B0fa3360747A65C666653709CF6A1 (abbreviated as 0x50cd). And there are already multiple accounts and transactions involved in the mining pool business.

6. When other accounts add liquidity to this mining pool, the attacker will use his own Peaceful World tokens to exchange other people's tokens through swap, thus implementing a Rug attack.

Later, Ukrainian officials also stated that the token was a phishing scam using Ukrainian Ethereum wallets.

Safety Tips

This attack reminds us that hackers usually have no bottom line and no moral integrity. Any hot spot may become an entry point for them to commit fraud. They use the Russia-Ukraine war to commit fraud and make money from the national disaster, which is no less serious than arms smuggling and other acts.

Here, we also remind all Chinese citizens to stay sober, take the right stand, selectively participate in valuable projects, avoid blind investment, and avoid losing all your money.

SharkTeam team introduction: SharkTeam, as a leading blockchain security service team, provides smart contract audit services for developers. Smart contract audit services consist of manual audits and automated audits to meet the needs of different customers. It exclusively covers nearly 200 audit contents in four aspects: high-level language layer, virtual machine layer, blockchain layer, and business logic layer, to fully ensure the security of smart contracts.