A few days ago, I stumbled upon the following Tweet, claiming that this is the best cryptocurrency scam the author has ever seen.
Well, if this scam is so brilliant, then it surely deserves a full-blown inquiry. In this post we will go through the details of this scam and hopefully we’ll learn a thing or two about Ethereum, private keys and scams.
The scam is presented from the victims’ point of view, quoting their potential thoughts as they go through the steps of this scam. To make things even more entertaining, I encourage the readers to actually follow the steps on their own, but obviously refrain from sending money to any of the mentioned addresses.
The scammers have posted their private key in several public forums and chats.
When other members of the forum saw it, they probably thought:
“Such a newbie IDIOT posting his private key: 716560d7fb3c7b937d9af8a532ff154e583320fc42abc46dfc29e0171a6a38e2!”
A screenshot of one of the public forums in which the private key was disclosed https://tgwidget.com/widget/?id=5a04632283ba88122a8b4567
Disclosing a private key is of course a big no-no, as the private key is the only information needed to spend cryptocurrency. It’s the equivalent of leaving your wallet in the main street unattended.
The next step for the more curious members of the forum was probably to find out about the contents of this seemingly unattended wallet, left in the main street.
“Well, let’s take a look at what’s in the wallet.”
Viewing the wallet contents, and effectively taking control of the wallet, is done by importing it: feeding the private key to a wallet app. For example, we can use the popular wallet app MyEtherWallet (MEW).
Importing a wallet using its private key in MEW https://www.myetherwallet.com/#send-transaction
“I’m pressing “unlock”… to find the public address associated with the private key 0x4F805BF6843b6dBd10F9066f27c0cd10fdB444ac and I’m very disappointed to see that the wallet has 0 Ether (ETH).”
The public address of the wallet: 0 ETH, but may contain tokens
“However, since I know that MEW does not excel in supporting tokens, I follow its suggestion and take a deeper look at the address using EtherScan.”
EtherScan view of the address. It contains $5K of coins https://etherscan.io/address/0x4f805bf6843b6dbd10f9066f27c0cd10fdb444ac
“Ooh-La-La! Although there’s no Ether in the wallet, it holds more than $5000 worth of other Tokens!”
“Now let’s transfer the money from this poor fella’s wallet to my wallet quickly, before someone else gets hold of this treasure.”
To do the transfer, the account must pay fees, or “Gas” in the Ethereum lingo. MEW suggests the Gas amount to be paid is 21K, which is about 0.0005 Ether or $0.25.
“Well, $0.25 is a very small amount, compared to the $5000 I can earn. So I transfer a small amount of Ether for the Gas to the wallet whose contents I’m about to empty. Now I’m ready to make the transfer…
But wait! I have no Ether in the address again! How did it happen?”
“Oh No! Someone had transferred the money I just sent to another address!”
Taking a deeper look into the wallet’s history, we can see that it’s not the first time it happened. In fact, there are many pairs of transactions: an incoming transaction followed by an immediate transfer of the same amount (minus Gas) to another address, 0x3f3eacb691462d3d067f031f88c9a8bc54fabc79.
Taking a deeper look in the history of the address reveals multiple pairs of subsequent transactions https://etherscan.io/address/0x4f805bf6843b6dbd10f9066f27c0cd10fdb444ac
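The paired-transaction pattern is something a wallet history can be checked for before any Ether is sent to an address whose key has been published. The following is an added example, not code from the original post: the `Tx` record, the 120-second window, the 20 gwei gas price and the sample transactions are constructed for illustration; only the two addresses come from the post.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class Tx:
    timestamp: int   # seconds
    sender: str
    recipient: str
    value_wei: int
    fee_wei: int     # gas used * gas price, paid by the sender

def find_sweeps(address, txs, max_delay=120):
    """Pair each deposit with a prompt withdrawal of the same value minus fee."""
    address = address.lower()
    txs = sorted(txs, key=lambda t: t.timestamp)
    used, sweeps = set(), []
    for tx_in in txs:
        if tx_in.recipient.lower() != address or tx_in.value_wei == 0:
            continue
        for i, tx_out in enumerate(txs):
            if i in used or tx_out.sender.lower() != address:
                continue
            delay = tx_out.timestamp - tx_in.timestamp
            drained = tx_out.value_wei + tx_out.fee_wei == tx_in.value_wei
            if 0 <= delay <= max_delay and drained:
                used.add(i)
                sweeps.append((tx_in, tx_out))
                break
    return sweeps

def looks_like_sweeper(address, txs, min_pairs=2):
    """True when repeated deposits are forwarded to one and the same address."""
    dests = Counter(out.recipient.lower() for _, out in find_sweeps(address, txs))
    return bool(dests) and dests.most_common(1)[0][1] >= min_pairs

# Constructed sample history (timestamps, senders and amounts are made up).
BAIT = "0x4F805BF6843b6dBd10F9066f27c0cd10fdB444ac"   # address from the post
LOOT = "0x3f3eacb691462d3d067f031f88c9a8bc54fabc79"   # address from the post
FEE = 21_000 * 20 * 10**9                             # 21K gas at an assumed 20 gwei
SAMPLE = [
    Tx(1000, "0x" + "aa" * 20, BAIT, 5 * 10**14, FEE),
    Tx(1015, BAIT, LOOT, 5 * 10**14 - FEE, FEE),
    Tx(2000, "0x" + "bb" * 20, BAIT, 10**15, FEE),
    Tx(2012, BAIT, LOOT, 10**15 - FEE, FEE),
]
ORDINARY = "0x" + "dd" * 20
BENIGN = [
    Tx(1000, "0x" + "cc" * 20, ORDINARY, 10**18, FEE),
    Tx(90000, ORDINARY, "0x" + "ee" * 20, 3 * 10**17, FEE),
]
```

The exact-match test on value plus fee works here because the bait address holds no Ether between deposits; an address with a standing balance would need a looser comparison.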
“Damn! I was tricked! That poster in the public forum was not the IDIOT in this story, I was!”
The scammers probably wrote a script (just a regular script, nothing fancy or specific to Ethereum such as a smart contract) to monitor their address before disclosing its private key. Whenever Ether is sent to the address, the scammers’ process creates a transaction, signed using the private key, that transfers the money to another wallet of the scammer. That other wallet’s private key is not disclosed, naturally.
Viewing this address’s history reveals that the scam had earned its creator a nice sum of almost $400.
The scammers’ target address in which they store their loot https://etherscan.io/address/0x3f3eacb691462d3d067f031f88c9a8bc54fabc79
BTW, there’s even more technical depth to it, as the $5K worth of Tokens isn’t really spendable, but that’s a topic for another post. If you would like to dig deeper, please check Adam Hadar’s tweet.
Although the scam is interesting from the technical perspective, I think it’s even more intriguing from the psychological point of view.
It’s basically an elegant version of the “Nigerian Prince” scam applied to cryptocurrency. In the original Nigerian Prince scam, the scammer persuades the victims that they can earn a lot of money, but just need to pay a relatively small amount before. When the victim pays, the scammer disappears with the loot.
All the elements of the Nigerian Prince scam are present:
What makes this cryptocurrency version of the Nigerian Prince scam even more elegant than the original is the fact that there is no dialogue between the scammer and the victims to persuade them to do anything. It’s just an inevitable slippery slope once the victims start with it.
Once more it’s proven that honesty is the best policy. Don’t do shady things, even if you think that you know what you are doing. Private keys should be private. If you are using a private key that may have been published, you are at risk: you don’t know what others may do with the account, and what they do might eventually surprise you.