Chain Analytics on Scam Addresses

In January I created a post listing some of the ETH addresses associated with a set of scams targeting the Guild of Guardians community.  Yesterday night a member of the community reached out to report@gogscamtracker.com as they were a victim of the scam and had performed some research that aligned with our findings, specifically they identified two ETH addresses that were used to move the proceeds of the scam:

  • 0xf319B5047d657c054C73908308E4C22A98dC7C22
  • 0xAcda910E9175E2B174266B9D80ED8be87CC79CB7

If you're new to the cryptocurrency space, it's important to remember that blockchain technology, by default, provides transaction transparency, but in many cases maintains anonymity.  Barring a leak from a centralized exchange or self identifying as the owner of an address, while you can see all transactions on Ethereum, you can't necessarily tie those transactions to a real world individual or group if they are making an effort to remain anonymous.

So what do you do when you have addresses that are associated with a scam?  Let's put the discussion of censorship aside for a moment, as that's a very heated topic, and just pretend that we all agree if we identify an address that has scammed someone from the Guild of Guardians community out of funds we'd like that scammer to own up to what they've done and possibly make it difficult for them to spend the proceeds of that scam.

Depending on the amount of funds and the technical prowess of your local law enforcement, you can and should report the scam, but you might not get a lot of help recovering the funds.  Also, if you yourself are in the crypto space, you might be trying to maintain your own anonymity for personal reasons and might even be in a position where local law enforcement isn't friendly to crypto currency users at all.

The next option is to try and flag the addresses to as many communities as you can, effectively blocklisting the address.  Block listing in this context means ensuring the community blocks interactions with the addresses on the list.  There are some shared tools that many communities, law enforcement and cryptocurrency exchanges subscribe to in order to get lists of addresses they should block.

In some scams, the scammer is looking to cash out their gains, and at some point might try to send funds to a centralized exchange, or some other fiat offramp so they can spend some of their money as in many regions of the world you still can't buy milk and bread with crypto.  When the scammer moves their funds to a centralized exchange (e.g. Coinbase) that exchange can check if that address is on a blocklist and react accordingly.  Each exchange might have a different philosophy, but if an address is flagged as a scam they should at least pause for a moment.  More and more exchanges are required to accept Know Your Customer data (KYC).  Presumably, if the exchange the scammer is sending funds to has done their due diligence then anonymity stops there.  The address that sends the funds to the exchange should now be associated with a real world person.

Now it's up to the exchange, or the local laws that govern that exchange, to decide the next steps. Let's look at an example.  Here is a graph of addresses on Ethereum associated with a set of Guild of Guardian token sale impersonation sites:



There are three addresses labelled as "Guild of Guardians Scam".  These addresses were embedded in fake token websites and in total have received roughly 50 ETH (currently valued at $132,600 USD).  Just take a moment to let that sink in, a value of $132,600 USD is a heck of a return for posting some fake gaming crypto websites.  Scamming in the crypto gaming space is lucrative.

The three addresses funnel, along with other address likely associated with the scammer (labelled "Likely Other Scams" in the graph), to two addresses that together have received a total of roughly 85 ETH.  All of that ETH is then sent along to Gate.io.

This is the transaction transparency part.  We can clearly see where the ill gotten scammer gains have gone, but those addresses have been dormant since around December 2021 after transferring almost all their funds to Gate.io.

How about the anonymity?  Gate.io is one of the oldest Chinese cryptocurrency exchanges founded in 2013 and remains an unregulated exchange.  An unregulated cryptocurrency exchange is an ideal place to funnel stolen crypto as they likely have no or very poor KYC requirements.  I would assume those funds are gone.  Is there any more information we can mine from those Ethereum addresses?  Maybe...

The graph above is a subset of the entire graph, and graph analysis can be tricky.  There may be some connection between these wallets and other wallets associated with the scammer and the rabbit hole can be quite deep.  Importantly, you have to be able to identify at what point "ownership" transfers from the scammer to an unknowing legitimate person.

In an ideal world everyone should be able to remain anonymous.  This is far from an ideal world.  Malicious actors are out there victimizing the crypto community.  If we want to remain anonymous we have to provide at least some level of self policing to make it difficult for bad actors to take advantage of the communities' trust.

That's it for now.  If you come across any GoG related scams don't hesitate to @gogscamtracker on Twitter or email report@gogscamtracker.com.  Stay safe out there.

Comments

Post a Comment

Popular posts from this blog

NameSilo Abuse Reporting

Image
On Sunday I sent a message to NameSilo (abuse@namesilo.com) regarding the following token scam websites: guildofguardianes[.]com guildofguardians[.]net guildofguardian[.]net guildofguardians[.]cc It's hard to predict the response for any given domain registrar.  Some are really responsive, but in my experience if you want to get something done quickly you need some kind of pre-existing relationship with the registrar in question.  This is where companies like Phishlabs (https://www.phishlabs.com/) shine with their brand protection services as they automate the process of requesting takedowns for their clients and invest in maintaining strong relationships with registrars. As an independent researcher, my success with getting sites taken down varies. In this case I received an automated response directing me to their "Report Phishing Form" hosted at https://new.namesilo.com/phishing_report. I can only imagine the volume of phishing reports this registrar gets, and there
Read more

More Sites Taken Down

 Last week I received responses from NameSilo confirming they took action on the following domains: zerions[.]info zerions[.]com guildofguardians[.]org guildsofguardians[.]me guildofguardians[.]top I'm very impressed with NameSilo's response time, they've been very cooperative.  If anyone from NameSilo happens to read this article, thank you so much! I still have several domains to work my way through hosted on the same servers.  It's easy to drown in the amount of scams around crypto, so I try to focus on Guild of Guardians related scams, but it's difficult to leave the others hanging.  I'm hoping to get through reporting the rest of the domains soon. A bit of a short update, but it's been a bit of a crazy week last week.  Will write up a more comprehensive update this week. Stay safe out there, and if you see anything suspicious you can always reach me @gogscamtracker on Twitter or email report@gogscamtracker.com.
Read more

Down MetaMask Impersonation Rabbit Hole

Image
It's Friday night.  I should be doing something else.  I have a VR headset literally two feet away from me collecting dust, and what I am I doing?  I'm scouring the internet for more sites that have implemented a specific MetaMask impersonation technique. I created a short video demonstrating the technique, and if you're curious you can check it out here: https://youtu.be/OJu9HlJ2wsc At first it was just a few Guild of Guardians sites that I found and managed to get taken down, but shortly after I decided to leverage dnstwist to find some additional look-a-like domains, and after adding the tld swap option I uncovered even more. I noticed a pattern though, two IP addresses kept coming up in connection with this particular MetaMask impersonation: 5.61.58.93 and  45.136.50.34 If you want to know what all is hosted on a particular server you can leverage tools like VirusTotal.  In some cases you'll come across IP addresses used by shared hosting providers, in other words y
Read more