SCAMS SECURITY

Cybersecurity team Blockfence: One scammer created over a thousand tokens within a year, successfully executed a Rug Pull scam worth over 30 million euros

2024/1/22

The security firm Blockfence has revealed that they have uncovered a sophisticated and ongoing scam scheme where the fraudster has been creating over 1,300 tokens across multiple chains, and through market manipulation and malicious code modifications, repeatedly executed Rug Pulls to profit nearly $32 million.

Table of Contents

Scam Team Makes Millions in a Year

The cybersecurity team at Blockfence released a report on the 18th, stating that their employee Pablo Sabbatella discovered a token named "Blockfence" issued by a fraudster on the blockchain.

Investigations revealed that this was part of a massive and highly automated scam operation involving over 1,300 Rug Pull incidents since April 2023, occurring on the Ethereum, BSC, and Arbitrum networks. It is estimated that there are around 42,000 victims, with a total stolen amount of up to $32 million.

In theory, the token contracts of Rug Pull projects should have been flagged for serious risks in some markets' monitoring alerts or fraud detectors; however, scammers managed to evade detection using the following tactics.

How the Scam Works: Initial Setup and Funds

Initially, scammers would send 10 to 20 ETH from a self-owned wallet that had been dormant for 3 months to a "newly created and never interacted with" wallet, then use that fund to create a fraudulent token.

Scammer creating token contract, deployer receiving full supply

Typically, the token name would be highly related to current trends or unreleased crypto projects, such as project names like DreamFi or meme coin trend AIPEPE, aimed at exploiting victims' FOMO and irrational desire to participate early, showing clear characteristics of a "Honeypot scam."

Subsequently, scammers would relinquish ownership of the contract to mislead RugPull monitoring tools into marking their token contract as "safe," luring victims into the trap.

Ownership of token contract transferred to 0x00, also known as burn address

How the Scam Works: Market Manipulation and Deception

Next, scammers would deploy the token contract on UniSwap and inject liquidity. At the same time, they would manipulate the market through wash trading, simulating real trading activity to deceive victims into believing it's a popular token about to surge.

Victims buying the fraudulent token in Uniswap liquidity pool

Furthermore, scammers also utilized the "lock" function to lock LP tokens until December 30, 2024, to make monitoring tools and victims believe their investment was secure, ensuring scammers wouldn't redeem their LP tokens and execute a Rug Pull.

However, once the scam had accumulated enough funds, scammers would drain all liquidity from the market and sell the token value close to zero.

Specific Malicious Tactics

Despite relinquishing contract ownership and locking LP tokens, scammers managed to dump a large amount of tokens. Specifically, they did this through the following methods:

User balance manipulation: When someone bought the fraudulent tokens, scammers would alter the victim's account balance to 1 programmatically destroyed using another unauthorized malicious contract, preventing them from selling the tokens. This malicious contract was highly associated with all fraudulent tokens issued and rug pulled.

Scammer setting victim balance to 1 via an external malicious contract

Unlimited token minting: Scammers also called another malicious contract's "dissort" function, falsifying the scammer's token holdings to evade detection tools, allowing token holders to sell large amounts of tokens and profit.

External contract falsifying scammer's token holdings

Hidden malicious contract: Scammers utilized a special and hardcoded number and total token supply in the code, dynamically converting these data to generate the address of the malicious contract to evade checks.

Scammer hiding and obfuscating malicious contract in token contract

Lower profit targets: It is worth noting that scammers, to avoid detection and attention, did not aim to make too much money at once but set profit targets of approximately 5 to 20 ETH per fraudulent token.

In essence, despite passing through various security tools' monitoring, each token contract of this scammer retained malicious functionalities that could destroy user tokens, even forge the deployer's token holdings and supply.

Blockfence: Likely the Work of One Person

Regarding the aforementioned scam tactics, Blockfence observed that most interactions and operations occurred within a close time frame and amount, leading them to believe that this scam project might have been the work of one person through automated programs. Investigator Sabbatella warned and reminded:

I suggest not relying solely on one contract and fraud detection tool but using multiple different tools and evaluating the results comprehensively. Also, I would never buy assets I don't fully understand.

RugPull Projects Continue to Emerge

Rug Pull scams are prevalent in the cryptocurrency world, from last year's meme coin craze in April, the "BALD" rug pull incident on the Base chain in August, to the token speculation with AI "Grok" named after Musk, highlighting the high risks and prevalence of market manipulation and illicit activities in the crypto market.

Previously, there have been multiple reports of repeat Rug Pull offenders, indicating that the same team, once successful, may continue creating multiple Rug Pull projects to deceive further.

Repeat Offender! Magnate Finance on Base Chain Exposed for Third Rug Pull, Raking in 6.5 Million Euros

Repeat Offender Strikes Again! Lendora Protocol Team Behind Rug Pull, Pulling in Over 10 Million USD

Therefore, investors should remain vigilant, especially with any trending hotspots, as exaggerated marketing tactics and the lure of high returns may cloud the judgment of the majority; making informed decisions and managing risks rationally is the only solution.