We at GASO are seeing more and more victims of fraudulent dApps (decentralized apps running "smart contracts" on a blockchain) that started from online relationships and have the same impact as the "pig butchering scam." We first saw this in late October and immediately alerted the community and Coinbase. Now, the majority of victims who come to GASO talk about fake mining pools. Our inside sources within these scam companies say that almost all of them are switching over their scripts to this new mode of scamming because it is more lucrative and requires less work on the part of the scammer. This is just the latest version of online relationship-investment frauds, or "pig butchering scam." Instead of a deceptive website or app, the relationship scammers now direct victims to a deceptive dApp, often through the Coinbase Wallet app.
Here is a more in-depth explanation of the scam.骗局”具有相同的影响。我们在 10 月下旬首次看到这一点,并立即提醒社区和 Coinbase。现在,来到 GASO 的大多数受害者都在谈论假矿池。我们在这些诈骗公司中的内部消息人士说,几乎所有人都将他们的脚本转换为这种新的诈骗模式,因为它更有利可图,并且需要骗子的工作更少。这只是最新版本的在线关系投资欺诈,或“杀猪骗局”。现在,关系诈骗者不再使用欺骗性网站或应用程序,而是将受害者引导至欺骗性 dApp,通常是通过 Coinbase 钱包应用程序。
这是对骗局的更深入的解释。
We at GASO are seeing more and more victims of fraudulent dApps (decentralized apps running "smart contracts" on a blockchain) that started from online relationships and have the same impact as the "pig butchering scam." We first saw this in late October and immediately alerted the community and Coinbase. Now, the majority of victims who come to GASO talk about fake mining pools. Our inside sources within these scam companies say that almost all of them are switching over their scripts to this new mode of scamming because it is more lucrative and requires less work on the part of the scammer. This is just the latest version of online relationship-investment frauds, or "pig butchering scam." Instead of a deceptive website or app, the relationship scammers now direct victims to a deceptive dApp, often through the Coinbase Wallet app.
Here is a more in-depth explanation of the scam.
Background
The cryptocurrency Ethereum is currently supported by several computers (specifically, Graphics Processing Units or GPUs) called "miners," which validate transactions between different Ethereum wallets. The miners get rewarded for validating the transactions by a small payment of Ethereum, and this model of validation is called Proof-of-Work. This model of using GPU miners is set to change, however, with the arrival of "Ethereum 2.0" (the name of the update). In Ethereum 2.0, transactions are validated by wallet owners, and the wallet owners will make a small profit with every validation. This model is called Proof-of-Stake. However, in a Proof-of-Stake model, not every wallet owner is eligible to validate transactions and make a profit. Only wallets with 32 ETH or higher are eligible, and wallets with a greater amount of ETH will be more likely chosen to validate a transaction and earn a profit.
Mining Pools
Some groups are attempting to allow people with less than 32 ETH to make a profit by advertising new "mining pools," where basically users will deposit a portion of their earnings to combine into a single collective wallet with other users that has at least 32 ETH, and then this collective wallet is supposed to validate transactions. Then, any profits made from this collective wallet should be spread to all contributors.
Here's the catch: The "Ethereum 2.0" upgrade is not yet complete and Proof-of-Stake has not begun. This means that currently, all Ethereum mining pools which work in this manner without a GPU and which require authorization into your Coinbase Wallet are scams.
The Scam
How does the mining pool scam really work? The mining scams we see are actually more like phishing attacks that require you to click a button to join the pool, but instead tricks you into authorizing an invisible "smart contract" that liquidates all of your assets. Everything scammers claim about the actual mining pool is a lie.
For people scammed through the Coinbase Wallet app, here is what happens in detail:
When you create a crypto wallet account, you obtain what is called a public key and a private key. The private key is intended only for you, the owner of the account, and it is safeguarded or encrypted with your password. When you use an app like Coinbase Wallet, you allow Coinbase to hold your password as well as your public and private key. So now, you and Coinbase both have access to this private information. When a victim clicks on the link to join the mining pool, she clicked a button which will request her to make some initial purchase to join the mining pool (somewhere between $10-$50 I've heard). This initial purchase is a front for the smart contract, and it's a way to obtain your digitally signed signature to authorize the smart contract. Coinbase, if they were implementing reasonable security measures, would ask you to authorize the transaction before submitting your information to the blockchain. However, in Coinbase Wallet, they do not do this, which I wrote earlier was a serious security vulnerability. Coinbase actually authorizes the transaction for you, unbeknownst to the user of the account. Coinbase Wallet has essentially "signed" the contract for you, without telling you.
Who placed the deceptive smart contract? Do scammers own it?
In this case, the scam group has established the smart contract on the block chain. Technically, no one "owns" it. The smart contract is a set of code instructions that could really be anything...it takes some good subject-level expertise to try to uncover exactly what the terms of the contract are. Likely, the contract stipulates the withdrawal of funds from your account for either a fixed period of time or until your wallet is empty. And the funds will transfer to another unknown account, to which they have the password and from which they can withdraw funds. The money flows are achieved through this contract, which is essentially a set of instructions that you have unfortunately pre-agreed to, outlining how the money will flow from your account to theirs.
Advice
After the Ethereum 2.0 upgrade, there may be real legitimate mining pools that work in the manner described above. However, it will be extremely difficult to discern a legitimate mining pool from a scam one. If you are interested in the Ethereum 2.0 mining pools, I should tell you that the update is set to occur next summer. However, I would advise you not to join a mining pool for some time until there is clear evidence of which ones are legitimate and which are not. If you can avoid them, I would suggest to invest in a different way and avoid mining pools altogether. I certainly will not be using them.
If anyone has better knowledge they'd like to contribute, I'd also be happy to hear from them.
--doctorpurr
Comments