Analysis of 467 stolen forms in the second quarter of 2024: What are the most common tricks used by criminals?

Author: SlowMist AML Team

With the rapid development of blockchain, security incidents targeting users, such as coin theft, phishing, and fraud, are increasing day by day, and the attack methods are diverse. SlowMist receives a large number of help requests from victims every day, hoping that we can assist with fund tracking and recovery, including many high-value victims who have lost tens of millions of dollars. This series therefore statistically analyzes the stolen forms received each quarter, aiming to dissect common and rare malicious methods based on anonymized real cases and to help users learn how to better protect their assets.

According to our statistics, the MistTrack Team received a total of 467 stolen forms in Q2 2024, including 146 overseas forms and 321 domestic forms. We provided free community assessment services for these forms. (Note: this article only covers cases submitted through the form, not cases reported by email or other channels.)

[Figure: Q2 2024 stolen-form statistics]

The MistTrack Team assisted 18 theft victims in freezing approximately 20.6641 million US dollars across 13 platforms.

Top 3 Reasons for Theft

[Figure: top 3 reasons for theft]

The most common malicious techniques in the Q2 2024 forms are as follows:

Private Key Leak

According to the Q2 form statistics, many users store their private keys / mnemonics in cloud drives such as Google Docs, Tencent Docs, Baidu Cloud, and Shimo Docs. Some users send their private keys / mnemonics to trusted friends through WeChat and similar tools. Some even use WeChat's OCR function to copy the mnemonic into a WPS spreadsheet, encrypt the spreadsheet, enable cloud sync, and store it on the computer's local hard drive. These seemingly secure behaviors actually greatly increase the risk of information theft. Hackers often use "database collision" (credential stuffing): they collect publicly leaked account/password databases from the internet and attempt to log in to these cloud storage services with them. Although this is a numbers game, once a login succeeds, hackers can easily find and steal cryptocurrency-related information. These situations can be seen as passive information leakage. There are also cases of active leakage, such as victims being induced by scammers impersonating customer service to fill in their mnemonic, or being deceived by phishing links on chat platforms such as Discord and then entering private key information. Here, the MistTrack Team strongly reminds everyone that private keys / mnemonics should never be disclosed under any circumstances.

In addition, fake wallets are also a major source of private key leakage. This has been discussed for a long time, but a large number of users still inadvertently click on advertising links when using search engines and thereby download counterfeit wallet applications. For network-access reasons, many users choose to obtain these applications from third-party download sites. Although these sites claim that their applications are all mirrored from Google Play, their actual security is questionable. Previously, the SlowMist security team analyzed the wallet applications on the third-party app market apkcombo and found that the imToken version 24.9.11 offered by apkcombo is a non-existent version and is currently the most common counterfeit imToken wallet version on the market.


We also traced some backend management systems used by fake wallet teams, which contain complex digital currency control functions such as user management, currency management, and deposit management. The sophistication and professionalism of this type of phishing operation exceed what many people imagine.


For example, Q2 saw a relatively rare case: a user accidentally downloaded a counterfeit version of the Twitter application while searching for "Twitter" in a search engine. When the user opened the application, a prompt popped up claiming that a VPN was required due to regional restrictions, and guided the user to download a fake VPN provided by the application, which resulted in the user's private key / mnemonic phrase being stolen. Such cases once again warn us to carefully scrutinize and verify any online application or service to ensure its legitimacy and security.


Phishing

According to our analysis, many phishing incidents in Q2 occurred because users clicked on phishing links posted in the comment sections of well-known projects' Twitter accounts. Previously, the SlowMist Security Team conducted targeted analysis and statistics revealing that about 80% of the first comments under well-known projects' tweets were occupied by fraudulent phishing accounts. We also found a large number of Telegram groups that sell Twitter accounts. These accounts have different follower counts, post counts, and registration dates, allowing potential buyers to choose according to their needs. Historical records show that most of the accounts sold are related to the cryptocurrency industry or to internet celebrities.


In addition, there are websites dedicated to selling Twitter accounts registered in various years, some even offering highly similar lookalike accounts. For example, the fake account Optimlzm and the real account Optimism look very similar. After purchasing such a lookalike account, phishing groups use promotion tools to increase its interactions and follower count, thereby increasing its credibility. These promotion tools not only accept cryptocurrency payments but also sell various social platform services, including likes, retweets, and followers. Using these tools, phishing groups can obtain a Twitter account with a large number of followers and posts and imitate the project team's posting pattern. Because of the high similarity to the real project account, many users find it difficult to tell the two apart, which further increases the phishing groups' success rate. The phishing groups then carry out phishing activities, for example using automated bots to follow the activity of well-known projects: when the project team tweets, the bot automatically replies to occupy the first comment and attract more views. Given the high similarity between the phishing group's disguised account and the project account, careless users who click a phishing link on the fake account and then authorize or sign may suffer asset losses.
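As an added illustration (not SlowMist tooling), the following Python check flags handles that imitate a trusted project handle the way Optimlzm imitates Optimism: it folds commonly confused characters and then measures edit distance against a list of trusted handles. The trusted list and the confusable map are constructed samples; a real deployment would use the project's verified handles and a fuller confusables table.

```python
"""Flag social-media handles that look like a trusted project's handle.

Added example, not SlowMist code. The trusted list and confusable table are
constructed samples for illustration.
"""
from __future__ import annotations

# Constructed sample of handles the user actually trusts (lowercase, no '@').
TRUSTED_HANDLES = {"optimism", "slowmist_team", "pancakeswap"}

# Digraphs and single characters that are easy to mistake for one another
# in a timeline font. Both sides of the comparison are folded the same way.
CONFUSABLE_DIGRAPHS = {"rn": "m", "vv": "w", "cl": "d"}
CONFUSABLE_CHARS = str.maketrans(
    {"0": "o", "1": "l", "i": "l", "|": "l", "!": "l", "5": "s", "$": "s", "3": "e", "@": "a"}
)


def normalize(handle: str) -> str:
    """Lowercase, strip '@' and '_', then fold confusable glyphs to one form."""
    h = handle.lower().lstrip("@").replace("_", "")
    for digraph, single in CONFUSABLE_DIGRAPHS.items():
        h = h.replace(digraph, single)
    return h.translate(CONFUSABLE_CHARS)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance with a single rolling row (O(len(b)) memory)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_handle(handle: str, trusted=TRUSTED_HANDLES, max_distance: int = 2):
    """Return ('trusted', match, 0), ('lookalike', match, distance) or ('unknown', None, None).

    An exact (case-insensitive) match is trusted; anything within max_distance
    of a trusted handle after folding is a lookalike worth treating as phishing.
    """
    plain = handle.lower().lstrip("@")
    if plain in trusted:
        return ("trusted", plain, 0)
    folded = normalize(handle)
    best = min(((t, edit_distance(folded, normalize(t))) for t in trusted), key=lambda x: x[1])
    if best[1] <= max_distance:
        return ("lookalike", best[0], best[1])
    return ("unknown", None, None)
```

The distance threshold is deliberately loose for handles this short; tighten it (or scale it with length) if it produces false positives against your own trusted list.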


In general, phishing attacks in the blockchain industry pose risks to individual users primarily in two core areas: 'domain names' and 'signatures'. To achieve comprehensive protection, we have always advocated a dual defense strategy that combines personal security awareness with technical defense measures. Technical defense refers to the use of various hardware and software tools, such as the phishing-risk blocking plugin Scam Sniffer, to protect assets and information: when a user opens a suspicious phishing page, the tool promptly displays a risk warning, blocking the attack at the first step. In terms of personal security awareness, we strongly recommend that everyone read and gradually master the 'Blockchain Dark Forest Self-Rescue Manual' (_EN.md). Only through the coordinated implementation of these two defense strategies can we effectively counter ever-evolving phishing techniques and safeguard asset security.

Fraud

There are many fraud methods, and the most common in Q2 is the honeypot, known in Chinese as the Pixiu scam. In legend, the Pixiu is regarded as a magical creature that can swallow anything without excreting it; it is said that once treasures such as gold and jewels are swallowed, they can never be taken out of its body. The term is therefore used to describe digital tokens that cannot be sold once purchased.

A victim described his experience: “I asked a question in a Telegram group, and someone enthusiastically answered many questions for me and taught me a lot. After chatting privately for two days, I thought he was a nice person. So he suggested taking me to the primary market to buy a new token and provided me with a coin contract address on PancakeSwap. After I bought it, the price of this coin kept soaring. He told me it was a once-in-a-lifetime golden opportunity and advised me to increase the investment immediately. I felt things were not that simple, so I didn’t take his advice. He kept urging me, and when he did, I realized I might have been deceived. I asked others in the group to help me check, and it turned out to be a scam coin. I also found out that I could only buy it but not sell it. When the scammer found out that I was no longer increasing the position, he also blocked me.”

This victim's experience reflects the typical pattern of the Pixiu scam:

  1. Scammers deploy smart contracts with traps and throw out bait promising high profits;

  2. Scammers try their best to attract targets to buy the tokens. After the victim buys, the token value often rises rapidly, so the victim usually decides to wait until it appreciates sufficiently before trying to cash out, only to find that they cannot sell the tokens;

  3. Finally, the fraudster withdraws the funds invested by the victim.


It is worth noting that all Pixiu coin transactions mentioned in the Q2 forms occurred on BSC. As shown in the figure below, the Pixiu coin has many transactions, and scammers also send the tokens they hold to wallets and exchanges, creating an illusion of widespread participation.

[Figure: Pixiu coin transactions on BSC]

Because of the inherent concealment of the Pixiu scam, even experienced investors may find it hard to see through it. Nowadays, with the prevailing meme trend, various "dog coins" have had a certain impact on the market. Because the price of a Pixiu coin can pump rapidly, people often impulsively follow the trend and buy. Many market participants unaware of the truth have been ardently chasing this "dog coin fever", only to fall into the honeypot and find themselves unable to sell after purchasing.

Therefore, the MistTrack Team advises users to take the following measures before trading to avoid financial losses from Pixiu scams:

  • Use MistTrack to check the risk profile of the relevant address, or use GoPlus's token security detection tool to identify Pixiu coins before making trading decisions;
  • Check whether the contract code has been audited and is verified on Etherscan or BscScan, and read the related comments, as some victims post warnings on the scam token's comments tab;
  • Understand the token and consider the background of the project team to strengthen your own awareness. Be vigilant against tokens that promise extremely high returns; extremely high returns usually mean greater risk.
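As an added example (not SlowMist or GoPlus code), here is the buy-then-sell dry run that token security checkers essentially perform to catch the "can buy, cannot sell" trap in steps 1 and 2 of the pattern above. The token is a Python model of the trap (an allow-list gating transfers into the liquidity pool), not a real contract; the addresses are constructed placeholders, and on-chain the same round trip would be simulated with eth_call against the real token rather than on a Python ledger.

```python
"""Dry-run buy/sell check for 'can buy, cannot sell' (Pixiu / honeypot) tokens.

Added example, not SlowMist or GoPlus code. The token is a toy ledger that
models the trap; addresses are constructed placeholders.
"""
from __future__ import annotations
import copy


class ToyToken:
    """Minimal ERC-20-like ledger with the trap the article describes."""

    def __init__(self, deployer: str, pool: str, honeypot: bool) -> None:
        self.balances: dict[str, int] = {pool: 1_000_000}  # all supply sits in the pool
        self.pool = pool
        self.allowed_sellers = {deployer}  # only these may move tokens into the pool
        self.honeypot = honeypot

    def transfer(self, sender: str, to: str, amount: int) -> None:
        if self.balances.get(sender, 0) < amount:
            raise ValueError("insufficient balance")
        # The trap: a transfer whose destination is the pool (i.e. a sell) reverts
        # unless the sender is on the deployer-controlled allow-list. Buys
        # (pool -> user) always succeed, so the chart keeps going up.
        if self.honeypot and to == self.pool and sender not in self.allowed_sellers:
            raise ValueError("transfer reverted")
        self.balances[sender] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount


def simulate_round_trip(token: ToyToken, probe: str, amount: int = 100) -> dict:
    """Buy then immediately sell on a copy of the state; nothing is committed."""
    sandbox = copy.deepcopy(token)
    result = {"buy_ok": False, "sell_ok": False}
    try:
        sandbox.transfer(sandbox.pool, probe, amount)  # pool -> probe: a buy
        result["buy_ok"] = True
        sandbox.transfer(probe, sandbox.pool, amount)  # probe -> pool: a sell
        result["sell_ok"] = True
    except ValueError as exc:
        result["error"] = str(exc)
    return result


def is_honeypot(token: ToyToken, probe: str = "0xprobe") -> bool:
    """A token you can buy but not sell back from a fresh address is a honeypot."""
    r = simulate_round_trip(token, probe)
    return r["buy_ok"] and not r["sell_ok"]
```

Probing with the deployer's own address instead of a fresh one shows why "someone sold successfully" on an explorer proves nothing: the allow-listed scammer can always cash out (step 3), so the check must use an address the contract has never seen.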