Scammers are using a “trending” list on memecoin analytics site GMGN to lure in unsuspecting victims and steal their crypto, according to a Sept. 25 X post from security researcher Roffett.eth.
The attackers create coins that allow the developer to transfer any user’s tokens to themselves. They then pass the token back and forth between multiple accounts, artificially inflating its volume and placing it on the GMGN “trending list.”
Once the coin makes it onto the trending list, unsuspecting users buy it up, thinking it is a popular coin. But within minutes, their coins are swiped from their wallets, never to be seen again. The developer then redeposits the coin into its liquidity pool and resells it to another victim.
Roffet listed Robotaxi, DFC, and Billy’s Dog (NICK) as three examples of malicious coins found on the list.
GMGN is an analytics web app that caters to memecoin traders on Base, Solana, Tron, Blast, and Ethereum. Its interface contains several different tabs, including “new pair,” “trending,” and “discover,” each of which lists coins based on different criteria.
Roffett claims to have discovered the scam technique when friends purchased coins on the list and found that they had mysteriously disappeared. One friend believed that his wallet had been hacked, but when he created a new wallet and purchased the coins again, they were again drained from his wallet.
Magazine: Bankroll Network DeFi hacked, $50M phisher moves crypto on CoW: Crypto-Sec
Intrigued by the mystery, Roffett investigated the attacks using a block explorer and found that they appeared to be run-of-the-mill phishing attacks. The attacker called a “permit” function and appeared to have provided the user’s signature, which shouldn’t have been possible unless the user was tricked by a phishing site. However, the friend denied that he had interacted with suspicious websites before either of the two attacks.
One of the stolen coins was NICK. So Roffet investigated NICK’s contract code and found that it was “somewhat strange.” Instead of containing the usual stock code found in most token contracts, it had “some very odd and obfuscated methods.”
As evidence of these odd methods, Roffet posted an image of NICK’s “performance” and “novel” functions, which have unclear text with no obvious purpose.
NICK performance and novel functions. Source: Roffett.eth
Eventually, Roffett discovered that the contract had malicious code inside of one of its libraries. This code allowed the “recoverer” (developer) to call the “permit” function without providing the tokenholder’s signature. Roffett stated:
“If the caller's address equals the recoverer, then by constructing a specific signature manually, one can obtain the permit permission of any token holder and then transfer the tokens.”
However, the recoverer’s address was also obscured. It was listed as a 256-bit, positive, non-zero number. Just below this number was a function that the contract used to derive the address from this number. Roffett used this function to determine that the malicious “recoverer” was a contract whose address ended in f261.
Blockchain data shows that this “recoverer” contract has performed over 100 transactions transferring NICK tokens from the token’s holders to other accounts.
Malicious account draining NICK from a user. Source: Basescan.
Having discovered how this scam worked, Roffett investigated the “trending” list and found at least two other tokens that contained similar code: Robotaxi and DFC.
Roffett concluded that scammers have probably been using this technique for some time. He warned users to stay away from this list, as using it may result in them losing funds. He stated:
“Malicious developers first use multiple addresses to simulate trading and holding, pushing the token onto the trending list. This attracts small retail investors to buy, and eventually, the ERC20 tokens are stolen, completing the scam. The existence of these trending lists is extremely harmful to novice retail investors. I hope everyone becomes aware of this and doesn't fall for it.”
Scam tokens or “honeypots” continue to pose risks to crypto users. In April, a scam token developer drained $1.62 million from victims by selling them a BONKKILLER token that did not allow users to sell it. In 2022, blockchain risk management firm Solidus released a report warning that over 350 scam coins had been created over the course of the year.