A fake Metamask token and a token named $YEAR in reference to the new year have managed to take money from many users. Unfortunately, this practice has come back into fashion in 2021.
A MetaMask token scam
Scammers have managed to scam almost 400 people for around $1.8 million.
The perpetrators took advantage of rumours about a future official MetaMask wallet token by announcing a token called MASK and offering interested parties to put their money on a wETH/MASK pair on the Uniswap exchange platform. The pair is still visible here.
Some users reported that they were able to resell their tokens for a while, something that was probably made possible by the scammers to avoid arousing suspicion among buyers.
Then the sale became impossible once the total cash value of the pool reached $1 million, depriving the buyers of their property.
According to a Twitter thread by user coby.eth, the scammers managed to exploit a flaw in the frontend code on the DexTools website, displaying the MASK token as verified and secure to the platform’s users:
Captures of the verification pop-up and capture of the verified token (Source: Twitter)
According to etherscan, a tool that tracks transactions taking place on the Ethereum blockchain (ETH), the person(s) who set up the fraud managed to transfer 475 ETH (equivalent to $1,594,575 at the time of writing) and also had nearly 10 million $MASK tokens.
Both transactions were made from the liquidity pool hosted on the Uniswap platform and then transferred to a digital wallet.
The money was then transferred to Tornado Cash, a platform that allows the “mixing” of coins to make the transactions completely anonymous. This means that the person who received the profits cannot be traced.
As of today, Dextools has not yet released a response to the security holes in their code that were the main driver of the scam’s success.
The first scam of 2022
Unfortunately this is not an isolated case as a project calling itself “EtherWrapped” emerged on December 31, posing as an airdrop for users of the Ethereum blockchain.
The initial announcement was made from a Twitter account named @etherwrapped but which has since been deleted.
Users were invited to go to the scam site and connect their MetaMask wallet to receive a reward of tokens called “YEAR” in proportion to their investments on the blockchain.
Capturing the rewards offered by the YEAR token airdrop (Source: Twitter)
The YEAR token’s smart contract first appeared unverified with the Ethereum Virtual Machine (EVM), then the token’s creator made its code public so that everyone could check it for malicious code, which is standard procedure.
According to Twitter user meows.eth, it was a seemingly harmless code that made the theft possible.
The person behind the scam would have used this line of code to prevent owners of the token from selling it, so there was an upward curve without any resale and based on purchases only.
Then, after 30 minutes, the crook would have withdrawn all the cash from the pool, i.e. 30 ETH (equivalent to $100,410 at this very moment), thus making the YEAR token drop to a value of $0.
It should be noted that despite the fact that the buyers linked their MetaMask wallet to the scam site, there has been no direct theft from the buyers’ wallets. The thief would have “only” benefited from the 30 ETH of the liquidity pool, obtained thanks to the buyers of the fraudulent token.
A “Meta” scam is circulating on Facebook
Some scams dare to do anything: for example, there is currently an advert for a “Meta” token, in reference to the change of name of Facebook.
Only, the ad is featured… on the Facebook site itself.
This may seem extraordinary and that’s the problem, it’s easy to fall for it as it can be hard to believe that a scam could be broadcast on the platform it’s spoofing!
Examples of scam ads (Source: Facebook)
In this case you can use the Scam Detector tool. Here, this site scores 0.6/100 in terms of reliability, which is the minimum. It’s a simple trick that can save you a lot of trouble.
The rug pull method
The scams described above use the so-called rug pull method, a procedure that is unfortunately all too common in the cryptocurrency world.
Simply put, the scammer will bet on the FOMO (Fear Of Missing Out) effect.
He will launch a token by taking care of his image, notably by spending money on advertisements or even convincing people with notoriety that his project is safe and that it will work every time.
Some also advertise on popular social networks such as Instagram, Facebook or Twitter, often by sending private messages to users promising them attractive airdrops or giveaways.
Thus, once the project is launched, the value of the token will skyrocket, creating the famous fear of missing the opportunity to have one’s tokens at a reduced price in order to resell them at a higher price.
Once the scammers have reached the desired amount, they can just walk away with the cash register.
Rug pull example (Source: ByBit)
There are a few basic steps to take before investing in a new project:
The first is to check the project white paper. Although it is not a 100% guarantee of safety, it gives you an idea of the reliability of the project, see if it is consistent and if its writing seems serious. Between a 5-page white paper and a 50-page one, it is obvious that the latter will probably be more reliable.
Then you can look at who is behind the project: have they been involved in other well-known projects? Do they have experience in the blockchain or technology sector? Is the project supported by well-known personalities or companies in the sector?
A more technical check is to see how the funds for a project are shared. For example, for the Ethereum blockchain, you can use etherscan and check whether few or many people hold the tokens: if very few people hold all the tokens, beware.
Another common scam method is the “Honey Pot”, working on a slightly more complex method but which you can avoid by taking the same precautionary measures.
In order to trick the victim, the scammer will issue a smart contract with a security hole to make them think they can exploit it to make money.
For example, the victim may believe that a smart contract will allow him to earn money on a regular basis, while going completely unnoticed. Except that in order to get the loot back, the victim will have to advance money.
Money that, of course, they will never see again, since the fake flaw was coded in a totally voluntary way. This is a version of the more popular “4-1-9 fraud” but adapted to cryptocurrency.
You can also use the honeypot detection tool for Ethereum or for the Binance Smart Chain.
Be aware that for the year 2021, it was more than $7.7 billion that was stolen via unscrupulous methods like these in the cryptocurrency universe, 81% more than in the year 2020.
Volume of cryptocurrencies obtained by scammers (Source: Chainalysis)
We can only recommend you to be extremely careful with new projects especially if they promise you the moon. Always be very careful
