“If you hire a fraudster to defraud someone, you’ll have to expect getting defrauded.” - Horst Evers Earlier, I wrote an article for CryptoCoin.News about . What struck me were the sheer lengths some crypto scammers are apparently willing to go, just to rip people off their hard-earned money. frontrunning DEX trades After all, we live in a world where you could just impersonate some famous crypto celebrity, upload one of his videos to a fake YouTube account, drop your wallet address in the video description and promise the viewer to return twice the amount sent to the address. Easy bucks. Typically, crypto scams don’t reward effort. They usually target inexperienced and gullible users in such a way that these schemes can be repeated over and over again. This is how scammers maximize their return on investment. The fake frontrunning bot is not one of these. These are highly sophisticated scams targeting advanced crypto users and boy, does this rabbit hole run deep. Here’s what I found. The Frontrunning Scam Analyzed Over the last two months, quite a few YouTube videos have been uploaded that appear to be tutorials for how to operate a frontrunning bot. These videos instruct the viewer to deploy and fund a smart contract, which will then supposedly carry out the frontrunning transactions. As “proof” that the bot works, the scammer then funds the contract with 0.4 BNB and magically, a few minutes later, his wallet shows a balance of almost 10 BNB. What makes this scam so peculiar is that the scammer actually tells a convincingly believable story. While making an almost 25x return in just a few minutes is still way out there, frontrunning is actually a multi-million dollar unethical activity that is taking place around the clock, which is basically an open secret in DeFi. Also, having the victims deploy their own smart contract gives them a false feeling of security. Here is an example a fake frontrunning bot scam: There’s actually a plethora of these videos out there on YouTube. Somehow, they usually manage to stay online for weeks, so cheers to YouTube’s response speed. I picked this one since that scammer made an extra effort to look legit in his comments, even commenting how all the other bots are scams, but this is finally the true one. Of course, all of the accounts that commented were created on the same day the comment was written. Let’s Take a Look at the Smart Contract Now, I’m not really a Solidity coder, but what immediately sticks out is that most code lines are commented out, which should be a telltale sign that something fishy is going on here. Within the code lines that are not commented out, there isn’t much to see either, except some variable declarations. Then, there is the action() function the scammer prompts us to call in his video. This function consists almost entirely out of comments and several lines that simply state manager;. Also, there is this line, which I guess will ultimately send the funds to the scammer’s address. But there is no address anywhere in the code that would point at the scammer, except the WBNB contract address, which is commented out. The answer can be found in the import statements. Besides three contracts that are imported from Uniswap’s Github, there is also a fourth import from an IPFS URL. Another red flag. On first glance, that contract looks exactly the same, except that there’s now even more lines that are commented out. However, the contract is called “Manager”, so I guess that this is what is called over and over in the original contract. Here, we can also find the scammer’s address in an uncommented line. Great, so we can now take a look at this address on and find that the scammer received a total of more than 40,000 USD in BNB already, oftentimes in tranches of 0.4 BNB, which he advises in the video as the minimum funding amount. Scam confirmed! bscscan So why all This Effort? The question remains though why someone would come up with a scam so elaborate, while it seems far easier and more rewarding to just spam people on social media with fake airdrops or phishing messages. My best guess is that the dubious nature of frontrunning provides an extra layer of security from law enforcement for the scammers. Nobody who loses 250 USD to a scammer will ever go to the police and say “Hey, I got ripped off while trying to engage in some morally questionable and potentially illegal crypto practice”. Also, it might be easier on the scammer’s own conscience if they go after people who are apparently trying to make money using immoral methods. Of course that doesn’t make it OK though. The victims who fall for this scam are still ordinary and mostly inexperienced crypto users. Anyway, if I were to judge which is more morally wrong, using a frontrunning bot or scamming people with fake frontrunning bots, I’d definitely say the latter. Another theory I have, although I think that it’s a lot less probable, is that some of the scammers are actually operating frontrunning bots and plant the scam videos as a decoy to deter other people from actually going into frontrunning and becoming competitors. Also, the real work was coming up with this scam type, but it is extremely easy to replicate. Just take the scammer’s code, swap his wallet address with your own, replicate the video word by word and upload your lure to YouTube. Maybe curate the comments a bit (not everyone does it) and wait for the money to trickle in. This video from Chris Daniels, who also analyzed this new scam type, actually showcases how most of the videos contain exactly the same text that is read by people with different voices, so apparently, that scam has already found its copycats: Are there any legitimate frontrunning bots? Define “legitimate”. I’m not going to comment on the ethics of frontrunning here, but let’s just say that the whole frontrunning scene has quite a few characteristics of organized crime. Exclusivity is one of them. Most of the open-source DEX trading (sniping) bots I’ve seen so far just listen for an external event, like a DEX listing or listing on CoinMarketCap and try to be the first in line for buying a token early on. I would say that this is in fact a legitimate use case for automated trading, but your mileage may vary. Among the bots that claim to be able to actually frontrun DEX trades, I have only seen one that is free, but Windows Defender doesn’t let me execute it, stating that it’s a trojan. I’ve uploaded the files to VirusTotal and they confirmed that the two executables both contain malware, the trojans Wacatac and Uwamson, in addition to a coin miner. Other frontrunning bots are for sale with their supposed developers sometimes charging thousands of Dollars. And of course you cannot be sure that these people won’t either try to scam you as well, or send you a bot that is also laced with malware. Occasionally, you’ll even come across YouTube videos that say “Hey, don’t fall for fake frontrunning bots, they changed the code, here’s the real one” or something like that. But we can definitely rule that out. Conducting frontrunning attacks with just a smart contract is impossible. First of all, in order to pull off a frontrun, you need to have knowledge of an upcoming DEX trade, in other words, you need to have access to the mempool. Smart contracts can only see data that is already published in the blockchain, but they can’t see the mempool. Also, smart contracts don’t really do anything unless one of their functions is called. They’re not actively scanning the blockchain waiting for transactions. Even if you would somehow gain knowledge of a DEX trade and communicate that knowledge to a smart contract which is supposed to carry out the attack, this method would be way too slow for a successful frontrun. At the very least, you’d need to have a script running that actively checks the mempool for incoming swaps and then directly calls the DEX smart contracts at a higher gas price. Could it be? And that brings me back to the the scammers from YouTube present us with, especially the lines that are commented out. phony smart contract code At first, I thought that these are just garbage code to bulk up the contract and make it look like it is actually doing something. Upon closer inspection, I noticed something though. I want to stress once more that I am not a developer, but even with my limited coding knowledge, I can see that this isn’t Solidity code at all. If I were to guess, I would say that it’s JavaScript. And lo and behold, that commented out code actually does make references to frontrunning attacks. It also seems to connect to an Infura node, which indeed has access to the mempool. I can’t say whether this is really true, I hope that someone who can understand what that code does can help me out here, but could it be that these scammers have actually hidden the real frontrunning bot in plain sight? Now that would be too comical, wouldn’t it?
