How scammers used FOMO and misleading code to rug 42K victims — Blockfence

Avatar

A group of cryptocurrency scammers have managed to rug pull over 42,000 victims for over $32 million since April 2023 via a novel method that has even fooled some of the industry’s “rug pull detectors,” according to a blockchain security firm.

Like many cryptocurrency rug-pull scams, the scammers create tokens impersonating a soon-to-be-launched crypto project token, using FOMO (fear of missing out) to entice investors.

However, in a Jan. 18 report, Blockfence’s head of security research, Pablo Sabbatella, revealed the scammers used a distinctive method that involved faking the maximum token supply through minting and burning and using a code bait-and-switch tactic that deceived victims and fooled rug-pull detectors. 

How it worked:

According to Sabbatella, the scammers initiate the process by sending somewhere between 10–20 Ether (ETH) to an externally owned account and then use those funds to create fake tokens.

Like many rug-pull scams, fake liquidity is injected into the scam project, creating an illusion of legitimate volume in liquidity pools (LPs) on Ethereum-based decentralized exchanges such as Uniswap.

However, the scammer would then implement a lock() function on the LP tokens to create the illusion that investors won’t be rug-pulled, Sabbatella explained.

Once the price of the fake token has been artificially pumped via wash trading, the scammer calls the setUserBalance function. This updates the victim’s token balance to “1” and makes it impossible to sell the token as the scammer technically burned it.

The scammer sets victim’s balance to 1 via a malicious contract. Source: Blockfence

Despite this, the token can still be viewed in the victim’s wallet, further deceiving them.

“Finally, the scammer removes the liquidity from the LP, dumping the token value to nearly zero,” Sabbatella explained.

Related: Orbit Chain confirms hack, warns of scam repayment offers

Interestingly, the scammers would also return 5–20 ETH from each scam to “avoid attracting too much attention.”

In addition, the scammer’s technique involves the contract owner and creator renouncing ownership of the token contract, which can bypass some detector tools.

“By doing this, the victims buying the token are misled, as some rug pull detectors even miss and mark this token as ‘safe.’”

Sabbatella said the firm has seen 1,300 separate incidents of rug pulls on Ethereum carrying out the same pattern.

The Blockfence security executive said a scammer even created a “Blockfence token” that used these sophisticated techniques to rug pull investors. In that incident, the scammer walked away with 23.6 ETH worth $53,000, Sabbatella noted.

Wisealth, RabbitRun and DreamFi were other tokens impersonated by scammers, he noted.

“Taking advantage of the memecoin trend, the scammers also created tokens with similar names, such as AIPEPE, Purple Pepe, Pepe Chain, Pepe Race, and Baby Pepe,” Sabbatella added.

About $103 million was lost from clearly identifiable fraud schemes, such as rug pulls, in 2023, according to blockchain security platform Immunefi.

Magazine: DeFi’s billion-dollar secret: The insiders responsible for hacks