Essential Anti-Scam Guide for On-Chain Operations

  Blockchain technology is one of the most important innovations of the current era, making decentralization truly possible. Anyone has absolute control over their on-chain assets, and no outside interference or manipulation is possible.

This right is accompanied by responsibility, which means that users need to be 100% responsible for the security of their assets , and they need to pay special attention to the storage of private keys and daily operations. Once the private key or mnemonic phrase is stolen, all assets will be at risk of being stolen. Although many project parties (such as Tether) can theoretically control on-chain assets and recover stolen assets through smart contracts, they usually only provide assistance when hackers deliberately attack and cause large losses. It is difficult for project parties to provide assistance for asset losses caused by personal mistakes.

It is foreseeable that more and more trading activities will be transferred to the chain in the future, but unfortunately, chain scams are still appearing in large numbers and have spawned many new forms. Many readers have reported to Chain Catcher that they have encountered chain scams and lost tens of thousands of yuan, but they are all irreversible. In order to help more beginners in the crypto industry understand some industry common sense and avoid pitfalls, Chain Catcher summarizes some common scam methods in this article, as follows:

Author | Gu Yu

01

Counterfeit currency scam

Case: The project Xiao Ming is following is undergoing an IDO. Xiao Ming sees someone publish the token smart contract address in the Telegram group. After Xiao Ming inputs the address into Uniswap, he finds that it is already tradable and has liquidity worth hundreds of thousands of yuan. He then buys 1 ETH, but when it rises more than 100% and he is ready to sell it, he finds that the system prompts that it cannot be sold, which is equivalent to zero.

Analysis: This is a fake currency scam. Some fraud groups will issue currencies in batches and use high-profile currencies as their names, establish Uniswap trading pools, and inject a certain amount of liquidity in an attempt to mislead users into thinking they are real currencies. They then spread the smart contract address on some social media channels. However, the smart contract code of this token actually stipulates that only the issuer is allowed to sell tokens, and other users can only buy but not sell. If users see the address on social media and believe it to be true, after buying the tokens, they can only watch them rise and eventually return to zero.

According to Chain Catcher's observation, most of the fake coins on Uniswap are issued by a specific fraud group. Each token issuer's address can be linked through transfer records. At least 70 types of fake coins have been issued in the past two months, with profits of at least 4,000 ETH.

In terms of specific methods, they will also transfer some fake coins to addresses marked as Binance, Vitalik and 0x-b1 to attract the attention of followers of these addresses; each issuance activity cycle is about 3-5 days. First, they will add hundreds of ETH liquidity to Uniswap, and then withdraw all liquidity when there are few purchasing users. Then, they will transfer all ETH to the new address and reissue new coins. They will also transfer funds through Tornado.cash from time to time.

What is even more misleading is that these fraud groups will also create the illusion that some whales are buying these currencies. As shown in the figure below, this address is widely believed to be owned by Justin Sun, with billions of dollars in assets. In the past ten days, Etherscan shows that this address has purchased several new currencies from Uniswap. Some whale address trackers may "follow orders" when seeing these records, but if you click on the specific transaction records, you can see that the transaction behavior is not initiated by the owner of the address, but by the fake currency issuer address using smart contracts to purchase directly from Uniswap and set Justin Sun's address as the receiving address.

In addition to Justin Sun’s address, similar situations have occurred with many large ETH addresses shown on Etherscan.

Therefore, when trading on Uniswap, be sure to use the officially announced contract address or the currency in the Uniswap recommended list. Be wary of smart contract addresses seen in other channels, otherwise it is likely to cause huge losses.

02

Fake APP scam

Case 1: Xiao Ni bought a new mobile phone and saw a WeChat group where a user who showed himself as an imtoken staff member posted a flash picture with an APP download link. It happened that the new phone had not downloaded imtoken yet, so he scanned the code to download its APP, entered the private key and imported it into the wallet, but soon found that all the assets in his address had been transferred out, with a loss of nearly 20,000 yuan.

Case 2: According to The Washington Post, earlier this month, when two users searched for the name of the encrypted hardware wallet Treznor in the Apple App Store, an APP appeared that used a logo and color that was extremely similar to the real Treznor. Although Treznor did not launch a mobile APP at the time, they mistakenly believed that Treznor did launch a mobile version, so they downloaded and imported the private key, and eventually lost 17.1 bitcoins and ETH worth $14,000 respectively.

Analysis: Private keys and mnemonics mean absolute control over wallet assets, so many scams are trying to obtain user private keys, and fake official apps are the most common method. Such fake apps may pretend to be official news to induce users to download, or pay search engines to rank fake websites higher, or launch fake apps with the same name on Apple/Android official app stores. They will highly imitate official website information and picture information. Once users download the app and import mnemonics, wallet assets will be transferred away immediately.

Therefore, when downloading wallets and exchange apps, remember to download them from official channels and check whether the website domain name and other information are correct.

03

Fake Customer Service Scam

Case: Xiao Zhan encountered a problem when using a DApp product, so he went to the Telegram group to try to ask the official staff. Then a user privately chatted with him to ask about the situation and told him that he could privately chat with an official staff to solve the problem and sent the account name to Xiao Zhan. So Xiao Zhan directly clicked on the account name to enter the private chat interface. The official staff enthusiastically asked Xiao Zhan what situation he encountered, saying that it was due to a problem with the project database and was being solved, but in order to avoid further errors, the account needed to be reset and asked Xiao Zhan what wallet he used. Then he gave a link and asked Xiao Zhan to enter the mnemonic to import the wallet for further operation, but Xiao Zhan did not take the next step out of vigilance at this moment, thus avoiding the leakage of the mnemonic.

Analysis: Nowadays, almost all major social networks such as WeChat and Telegram have accounts disguised as official customer service, which deceive users' trust in various ways, try to lead the topic to wallets and induce users to enter mnemonics or private keys. Once the user enters the information, all assets will be transferred away quickly.

Therefore, when seeking help in various communities, everyone must confirm the identity of the other party. If you are unsure of the identity, you can take a screenshot and post it in the group and ask other active users to help identify it. Usually, official staff will not take the initiative to privately chat with users and ask users to enter private keys, but will let users take the initiative to privately chat in group chats.

04

Airdrop Scam

Case: Xiaoxi saw someone post an airdrop information about a well-known project in a WeChat group. As long as he completed several specific social media tasks in the Telegram group, he could get hundreds of dollars in token rewards. Xiaoxi completed all the tasks according to the prompts of the Telegram robot, but then the robot prompted that he needed to send a small amount of tokens to the contract address before he could receive the airdrop tokens. Considering that the cost was not high, Xiaoxi deposited the coins as required but did not receive the airdrop tokens afterwards. Instead, he lost more than ten dollars in vain.

Analysis: There are indeed a large number of token airdrops based on social media tasks, which can easily reduce users' vigilance. However, this is also why many scammers take advantage of users' laxity to commit scams, using airdrops to induce users to deposit coins into smart contracts. Although the single amount is usually not large, the accumulation of a small amount is still considerable.

At present, there is no real airdrop activity that requires users to deposit coins to an external wallet address in order to receive them. Everyone should simply ignore airdrop activities that require coin transfers.

05

A few points to note

In addition to the aforementioned deliberate scams that need to be guarded against, on-chain operations still face many security risks caused by potential operational errors, mainly the following:

First, avoid over-authorization to DApps and clean up authorizations regularly. Users need to authorize when they interact with a DApp for the first time, but there are hidden dangers. If the DApp is attacked later, its permissions can be used to steal user assets. Therefore, you need to regularly clean up infrequently used DApp permissions or set a limit on the amount of token transfers.

Second, try to avoid using DApps whose codes have not been audited by security companies , especially DApps that claim to have high APY. Their security risks may result in huge losses of principal.

Third, it needs to be emphasized again that you should pay attention to saving the address private key and mnemonic phrase. It is best to save them on hardware or laptops that are not connected to the Internet. Do not disclose the private key and mnemonic phrase to any third party. This is the most important point of all security measures.

The huge imagination space and larger-scale applications derived from blockchain technology all rely on more users having higher on-chain operational literacy and knowledge, so that the chain does not become a lawless place where scams are rampant, causing a large number of users to suffer huge losses for no reason. Therefore, the significance of the aforementioned popular science and education is particularly prominent.