Crypto Scammer Steals $3.2 Million through Honeypot Scheme

CertiK has exposed a persistent deployer of honeypots who collaborates with paid actors to promote scam tokens through Telegram channels.

One of the most active deployers of honeypots, detected by CertiK, managed to create nearly 1,000 malicious contracts in just two months.

In its January report on honeypot scams, cybersecurity team CertiK revealed the activities of this particular scammer, responsible for deploying at least 979 honeypot contracts within a mere two-month period. Additionally, at the start of 2023, CertiK reported an address associated with the deployment of nearly 200 honeypot tokens in just four months.

Recently, CertiK has investigated ongoing instances of honeypot scams facilitated through Telegram channels. The on-chain security firm has identified at least five Telegram channels promoted by paid actors who assist the perpetrator in directing potential victims to invest in malicious projects.

"Honeypot contracts with certain shared characteristics have been pivotal in these schemes, leading to approximately $3.2 million in losses," CertiK reported on February 8, unveiling the success of the honeypot schemes.

What is a honeypot scam?

As the name suggests, a honeypot is a scheme used to lure individuals into certain activities. A honeypot scam, in the context of the cryptocurrency space, is a malicious tactic targeting investors who are attracted by fraudulent projects promising fake earning opportunities. Enticed by the potential for profit, cryptocurrency users interact with such projects, which then trap the transacted funds.

Typically, scammers utilizing the honeypot scheme put effort into creating the illusion of profitability for their projects. Many of these schemes involve cryptocurrencies, with their prices often artificially inflated through various means, including false marketing claims, volume manipulation, or fabricated trading activity.

However, this is only one of the possible scenarios. A honeypot deployer can also promise other types of rewards or just pretend to provide crypto users with useful services.

Whether the interaction with the malicious projects includes the purchase of scam tokens or the use of a wallet, it results in a complete loss of funds for victims. As the Coinbrain platform explains, "The purchased tokens usually can’t be sold at all or only with extremely high tax (90-100%), resulting in a complete loss of funds," which is achieved by "a special malicious code included in the token’s contract."

Fake Circle coin
Source: CertiK

Common types of honeypot scams

Earlier in January, CertiK explained the differences between popular types of honeypot scams including the blacklist, the balance change, and the minimum sell amount.

The first honeypot technique is regarded as the most basic as it simply blacklists victims who purchase the scam token. "The token's sell function will check to see if a wallet attempting to sell has been added to that blacklist, if they have been, they are prevented from selling," CertiK explained.

Usually, scammers who utilize the blacklist honeypot strategy do not put any effort into hiding the fraudulent nature of their tokens. However, there are numerous ways to hide a blacklist. One of them is a seemingly innocuous "approval for all" function which in reality adds a specified wallet address to a hidden "snapshot" list, which prevents that address from selling the token.

The balance change method takes a different approach to preventing a sale: it manipulates the victim's token balance, often setting it as low as a single token, which restricts the victim's ability to sell, while the user still sees an unchanged balance.

Finally, the minimum sell amount technique makes token sale virtually impossible due to stringent conditions, even though victims still preserve the technical ability to sell. In practice, honeypot deployers usually set an extremely high threshold for selling tokens which is unachievable as "the amount will often be more than the available supply."

Fraudulent Telegram channels

CertiK reports at least five Telegram channels involved in the active promotion of tokens with the help of paid actors, all of which share certain mechanisms used in honeypot schemes.

"Among these, the AltLex group stands out. Established in February 2023, AltLex utilizes the likeness of an actor to promote fraudulent versions of Linea, Paxos, and Circle tokens," CertiK gives as an example, emphasizing the deceptiveness of this channel: only three of its twenty-seven uploaded videos promote scam tokens.

CertiK stresses that the fraudulent Telegram groups it has identified initially appeared innocuous, focusing on sharing genuine technical trading insights on major cryptocurrencies like BTC and ETH. DON CRYPTON and SZ Trades, as well as now-inactive Roger’s Academy and Insider Lui, are more examples of the Telegram channels set up to steal money from investors with the help of paid performers.

According to CertiK, some of these channels, including AltLex and SZ, have adopted the strategy of expressing initial skepticism about the malicious tokens they were planning to advertise in the future "possibly to give an impression of conducting thorough due diligence."

Next, they provided their audience with manipulated screenshots to mislead potential victims, showing fake transactions to reputable cryptocurrency exchange platforms as proof of the legitimacy of the fraudulent tokens. Subsequently, they disseminated fabricated positive news about these tokens and shared links guiding users to buy them through popular wallets.

"Once enough victims were lured into buying the tokens, the scammers would create excuses as to why users couldn’t sell, while discreetly draining the liquidity and funneling the funds into Tornado Cash," CertiK adds.

The CertiK team warns the crypto community of "multiple instances of scammers employing the services of performers to knowingly or unknowingly promote scams resulting in the loss of millions of dollars," including the notorious Harvest Keeper and Fintoch/Standard Cross Finance.

Unfortunately, CertiK has not been able to identify the location of the scammer yet. However, based on certain clues, including the configuration of settings visible in the screenshots shared by paid actors on Telegram, the United Kingdom appears to be a possible location. Meanwhile, the discovery of a telegra[.]ph article in Russian promoting a fake Polygon token associated with this group suggests an international dimension of operations.

Mechanism behind scam contracts

The scam contracts associated with this threat actor, as identified by CertiK, have been used to steal over $3.2 million. The counterfeit Venom token itself allowed the criminal to gain roughly $800,000 of this sum.

A key feature of these fraudulent tokens is their pairing with WETH and the inclusion of an unverified function B6a44d65a608, which triggers a two-step process.

First, it removes liquidity from the pool, burns scam tokens, and then re-adds WETH to the pool. Then, in a second transaction, the function removes WETH from the liquidity pool and mints new scam tokens in a smaller quantity than the amount removed. Next, the function re-adds the WETH.

Removing and burning scam tokens and subsequent minting of new ones in smaller quantities drastically impact the price of fake tokens, creating an illusion of value surge.
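
The price effect described above can be checked from pool reserves alone. The following is an added example, not code from CertiK or from the scam contracts: it assumes a constant-product (Uniswap V2 style) pool, which the article does not state, and uses constructed reserve figures. It flags a price jump that coincides with a falling reserve product, something neither an organic buy nor a proportional liquidity change produces.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Snapshot:
    """Pool reserves after one transaction (constructed sample data)."""
    label: str
    weth: float    # WETH reserve
    token: float   # token reserve

    @property
    def price(self) -> float:   # spot price of one token, in WETH
        return self.weth / self.token

    @property
    def k(self) -> float:       # constant-product invariant (assumed AMM model)
        return self.weth * self.token

def swap_buy(s: Snapshot, weth_in: float, fee: float = 0.003) -> Snapshot:
    """Organic buy on a constant-product pool: k never decreases."""
    effective = weth_in * (1 - fee)
    token_out = s.token * effective / (s.weth + effective)
    return Snapshot("buy", s.weth + weth_in, s.token - token_out)

def burn_from_pool(s: Snapshot, burned: float) -> Snapshot:
    """Net effect of the first step described above: pooled tokens are
    destroyed and the same WETH goes back, so only the token side shrinks."""
    return Snapshot("burn", s.weth, s.token - burned)

def flag_artificial_pumps(history, min_jump=0.10, tol=1e-9):
    """Flag steps where price rose by min_jump or more while k fell.
    Swaps keep or grow k; proportional liquidity changes leave price flat.
    A price rise together with a falling k fits neither."""
    flagged = []
    for prev, cur in zip(history, history[1:]):
        jump = cur.price / prev.price - 1
        if jump >= min_jump and cur.k < prev.k * (1 - tol):
            flagged.append((cur.label, round(jump, 2)))
    return flagged

def demo():
    start = Snapshot("start", weth=10.0, token=1_000_000.0)
    after_buy = swap_buy(start, weth_in=2.0)                    # real demand
    after_burn = burn_from_pool(after_buy, after_buy.token * 0.9)
    return flag_artificial_pumps([start, after_buy, after_burn])

if __name__ == "__main__":
    print(demo())
```

The 2 WETH buy moves the price by about 44% but is not flagged because the reserve product grows; burning 90% of the pooled tokens multiplies the price by ten with no WETH entering the pool, and is flagged.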

How to avoid honeypot scams?

"The first line of defense against such deceptive practices is to conduct comprehensive due diligence," CertiK advises crypto users, adding that when a token uses the same or a similar name to that of a recognized brand, it is necessary to get confirmation of the token's legitimacy from representatives of the actual project.

Too-good-to-be-true offers usually turn out to be lies, and in the case of honeypot scams, along with aggressive promotion, you can also see token charts representing only a growth trend. Such projects, while appearing quite alluring for investment, require extra research.

On top of that, you can use one of the tools for analyzing token contracts to understand whether they hide any honeypot functionality, which can prevent investors from selling. For example, Token Sniffer can provide crypto users with detailed information such as deployment dates, contract codes, and audit scores.

Yet, even if you use one of the tools for token analysis, you should still conduct your own research, as the results may not be accurate.