CoinTool and Disperse.app Exploited for Wash Trading in Rug Pulls

Bot-driven wash trading is not only a powerful technique used by deployers of large-scale exit scams but also a scheme applied for money laundering.

CoinTool and Disperse.app are platforms that facilitate cryptocurrency transfers to multiple users.

Last week, CertiK shared its report on the recent cases of exit scams using bot-driven wash trading, a technique described by the cybersecurity team as "subtle yet effective" and "a strategy that sometimes slips under the radar of security assessments and exit scam post-mortems."


Wash trading, despite its illegal nature, is prevalent in less regulated sectors like the cryptocurrency market. It aims to manipulate the market, particularly the price or trading volume of an asset, by creating an illusion of increased trading activity. Traders engage in rapid buying and selling of the asset across multiple exchanges, without changing their market position or incurring market risk.

In August 2022, Forbes published the results of an investigation into Bitcoin's trading volume reported by popular crypto exchanges. According to Javier Paz, the article’s author, 51% of the reported daily bitcoin trading volume, totaling $262 billion on June 14, was likely fake or non-economic, attributed to manipulative techniques like wash trading.

Wash trading is a favored strategy of pump-and-dump projects aiming to lure cryptocurrency users into investments. Scammers often utilize bots and platforms like CoinTool and Disperse.app to transfer funds across different tokens, creating a complex web of transactions that evades detection by security assessments and post-mortem analysis. By shuffling coins between bot-operated addresses, scammers obscure the flow of funds, making fraudulent activity harder to identify.

Once funds are shuffled between addresses, the scam's initiator or associated address can extract liquidity from the scheme and potentially reset it for further wash trading.

Bot-driven wash trading algorithm
Source: CertiK

The role of CoinTool and Disperse.app in exit scams

Disperse.app, while lacking an extensive description, serves the purpose of distributing Ether or tokens to multiple addresses, potentially for legitimate use in sending cryptocurrency to different recipients.

In contrast, CoinTool offers a range of features for cryptocurrency users across various networks such as ETH, Solana, Aptos, BSC, Polygon, and others. These features include a token batch sender, token creation, exchange bulk withdrawal, token and NFT holder scanners for Solana, approval checker, token batch collection, and more.

CertiK's investigation has identified CoinTool, Disperse.app, and other similar solutions as key applications involved in many cases of bot-driven wash trading. In the complex strategy employed by scammers, the purchasing wallets are not a large base of real victims: the transactions that fund them typically originate from a single wallet associated with fraudulent activity, which distributes funds to them. CoinTool, Disperse.app, and similar software facilitate this distribution.

The typical process utilized by malicious actors includes the following steps.

The process is often initiated by significant withdrawals from anonymity-enhancing services like Tornado Cash, transferring funds to a designated wallet (Wallet A). Simultaneously, another wallet (Wallet B), also funded through Tornado Cash, creates an ERC-20 token and injects liquidity into the market. Wallet A then disperses funds to various addresses, which proceed to acquire the newly established token from Wallet B.


This process is followed by the extraction of liquidity from the market after a predefined time, executed by either Wallet B or an affiliated entity. These funds are then redistributed into fresh wallets, enabling the repetition of the entire cycle.
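The cycle described in the two steps above leaves a recognisable footprint on chain: one funder pays native coin to many fresh addresses in a short block range, and those same addresses then all receive the same token shortly afterwards. The following is an added example of a detection heuristic for that footprint, written for this article and not CertiK's own tooling. It runs over a constructed, simplified ledger of transfers (block number, sender, receiver, asset); the wallet names, token names, thresholds and block windows are all assumptions chosen for illustration. A benign fan-out (a payroll-style distribution whose recipients buy nothing in common) is included to show that fan-out alone is not flagged.

```python
"""Heuristic detector for the fan-out-then-buy pattern.

Added example, not CertiK's tooling. Operates on a constructed list of
simplified transfer records; every address and asset name below is made up.
"""
from collections import defaultdict
from dataclasses import dataclass

NATIVE = "ETH"  # marker for the chain's native coin


@dataclass(frozen=True)
class Transfer:
    block: int
    sender: str
    receiver: str
    asset: str  # NATIVE for the chain coin, otherwise a token identifier


def find_fanouts(transfers, min_recipients=5, window_blocks=50):
    """Map funder -> {recipient: funding block} for senders that paid the native
    coin to at least min_recipients distinct addresses within window_blocks."""
    by_sender = defaultdict(list)
    for t in transfers:
        if t.asset == NATIVE:
            by_sender[t.sender].append(t)
    fanouts = {}
    for sender, txs in by_sender.items():
        txs.sort(key=lambda t: t.block)
        lo = 0
        for hi, tx in enumerate(txs):
            # sliding window over block numbers
            while tx.block - txs[lo].block > window_blocks:
                lo += 1
            window = txs[lo:hi + 1]
            if len({t.receiver for t in window}) >= min_recipients:
                funded = fanouts.setdefault(sender, {})
                for t in window:
                    funded.setdefault(t.receiver, t.block)
    return fanouts


def flag_wash_clusters(transfers, min_recipients=5, window_blocks=50, min_buyers=4):
    """Return [(funder, token, buyers)] where at least min_buyers of a funder's
    fan-out recipients received the same token within window_blocks of funding."""
    fanouts = find_fanouts(transfers, min_recipients, window_blocks)
    token_in = defaultdict(list)  # receiver -> [(block, token)]
    for t in transfers:
        if t.asset != NATIVE:
            token_in[t.receiver].append((t.block, t.asset))
    flagged = []
    for funder, funded in fanouts.items():
        buyers = defaultdict(set)  # token -> recipients that acquired it
        for recipient, fblock in funded.items():
            for block, token in token_in.get(recipient, []):
                if fblock <= block <= fblock + window_blocks:
                    buyers[token].add(recipient)
        for token, addrs in buyers.items():
            if len(addrs) >= min_buyers:
                flagged.append((funder, token, sorted(addrs)))
    return flagged


# Constructed sample ledger (not real on-chain data).
SAMPLE = [
    # "Wallet A" fans out native coin to six fresh addresses in consecutive blocks.
    *[Transfer(100 + i, "0xWALLET_A", f"0xbot{i}", NATIVE) for i in range(6)],
    # Each funded address then receives the new token from its liquidity pool.
    *[Transfer(110 + i, "0xPOOL_TOKEN_X", f"0xbot{i}", "TOKEN_X") for i in range(6)],
    # Benign fan-out: recipients are funded too, but buy nothing in common.
    *[Transfer(200 + i, "0xPAYROLL", f"0xemp{i}", NATIVE) for i in range(6)],
    Transfer(215, "0xPOOL_OTHER", "0xemp1", "TOKEN_Y"),
    Transfer(220, "0xPOOL_OTHER2", "0xemp3", "TOKEN_Z"),
]

if __name__ == "__main__":
    for funder, token, buyers in flag_wash_clusters(SAMPLE):
        print(f"{funder} funded {len(buyers)} addresses that all acquired {token}")
```

On the sample ledger the detector flags only the `0xWALLET_A` / `TOKEN_X` cluster; the payroll-style distribution passes the fan-out test but not the common-purchase test. In practice the thresholds would be tuned per chain, and the same logic can be rerun on the post-liquidity-removal redistribution to catch the "fresh wallets" phase of the cycle, since it produces the same fan-out shape.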

CertiK reports, "We have identified this pattern of behavior on both Ethereum and BNB Chain, with every likelihood that similar schemes are underway on other networks too."

The new complexity of rug pull scams and advanced money laundering techniques

Unlike basic exit scam projects, the scheme described by CertiK features much greater complexity with multiple interconnected fake tokens, allowing scammers to operate on a larger scale.

CertiK assumes that scammers inflate the value of their primary focus tokens by luring a small number of investors into purchasing other fake tokens. The invested money is then withdrawn and used to manipulate the market, creating an illusion of high demand that tricks both human investors and automated trading bots on social platforms like Telegram and X.

"They continue this scheme until they've siphoned a certain amount of real money or until the token's trading activity declines," CertiK explains, adding that "At that point, the scammer drains all the funds from the token's liquidity pool and proceeds to launch a new scam token." The cybersecurity team also lists some scam tokens operating according to this scheme, such as XDoge, GROKAI, fake Gemini, and Moon Token.

Fortunately, these malicious tokens are not without red flags, noticeable even by inexperienced investors. CertiK states, "The scammers take only basic steps to make these tokens look real at first glance, such as setting up an X account, creating a Telegram channel, and designing a simple website."

X accounts of scam tokens
Source: CertiK

These websites usually share the same template and offer minimal information beyond the token's contract address and logo, while associated X accounts typically have a small number of followers. Advanced research using the URLscan tool reveals that the IP addresses of websites dedicated to fake tokens investigated by CertiK are often located in Singapore.

CertiK also detected common traits among scammers using bot-driven wash trading techniques. For instance, criminals deploying fraudulent tokens often receive initial funding through transactions facilitated by automatic cryptocurrency exchanges like the recently hacked FixedFloat, and transfer assets from externally owned accounts (EOAs) to deployer wallets on networks like Ethereum.

Furthermore, the CertiK team suggests that such a strategy might be applicable to money laundering, as it can help criminals obfuscate the origin and destination of illicit funds, especially when coupled with cycling funds through cryptocurrency mixers. The tactics can also deceive investigators into believing they are dealing with exit scams channeling stolen money, while "the background activities of the so-called 'victims' might go unchecked."

Meanwhile, AegisWeb3, a cybersecurity team formed by PeckShield, warned the X community of a high possibility of an upcoming exit scam involving the PIXEL token. Whether the deployer of the fraudulent asset utilizes the technique described by CertiK or not, they are actively engaged in price manipulation. AegisWeb3 specifically mentions trading large quantities using multiple addresses. Furthermore, AegisWeb3 reports that "the funds used by the scammer are derived from another token with the same name, which has already executed a rug pull."