Crypto Conmen Go Corporate: Scam Service Registers as a UK Company

The Crypto Grab team registered as a UK business to cloak its phishing operations in legitimacy, while a quick-thinking user saved the Blueberry Protocol Foundation from huge losses during an exploit.

The battle between crypto and crime continues. The team behind the infamous scam-as-a-service wallet drainer, Crypto Grab, has controversially registered as a legitimate business in the UK, aiming to enhance its facade of legitimacy to further its phishing activities. Meanwhile, the Blueberry Protocol swiftly responded to an exploit attempt, securing most of the at-risk funds thanks to the quick actions of a vigilant user, despite a loss of 91 ETH. In another scam alert, KuCoin users were targeted by a fake KCS airdrop scam, using a notorious scamming platform's technique to deceive users into compromising their wallets.

When Scammers Turn Entrepreneurs

Jaws are hitting the floor in the crypto community as the development team behind a well-known scam-as-a-service wallet drainer, Crypto Grab, has officially registered as a business in the UK. This unusual step was presumably taken to lend an air of legitimacy to their operations, which specialize in the development of the "Nova Drainer" application, a tool designed for phishing and stealing cryptocurrency from unsuspecting victims.

Crypto Grab's move to register as a legitimate business is said to facilitate the acquisition of Extended Validation (EV) SSL certificates, which could certainly boost its appearance as a reliable entity. This, they argue, would allow them to access major suppliers and platforms in the crypto space. The software developed by Crypto Grab, as advertised on its official Telegram group and website, is explicitly designed to steal ERC20 tokens and Ether (ETH), promoting itself under the guise of a tool for "crypto affiliate success."

Despite its official business facade, security firms like CertiK and platforms like Scam Sniffer have highlighted the malicious nature of Crypto Grab's operations. Over $300 million was reportedly lost to similar scams in 2023 alone. CertiK's investigation into the Nova Drainer revealed that it charges around 30% of the stolen funds as a fee, with over 7,000 transactions traced back to the scam.

The legitimacy of the business's registration and the identity of its director, listed as Bradley Robertson, have also been questioned, with claims suggesting the identity might be fabricated. Companies House, while facilitating business registrations, admits it lacks the power to verify the accuracy of the information provided or to investigate allegations of fraud directly. It does, however, forward suspicions of fraudulent activity to the police and encourages victims to report to the Action Fraud hotline.

Rapid Response Saves Blueberry Protocol

Meanwhile, decentralized finance (DeFi) protocol Blueberry faced a major challenge on Feb. 23 when it became the target of an exploit. The Blueberry Protocol Foundation quickly took to X to inform its users of the situation, urging them to withdraw their funds from Blueberry lending markets as it scrambled to pause the protocol to prevent even more damage. Amidst the chaos, users encountered issues withdrawing their funds, compounded by the fact that the protocol's front end had also gone down. The foundation advised those who could to interact directly with the contracts for withdrawal.

About 30 minutes after the initial alarm, Blueberry confirmed that it successfully paused the protocol. The swift action taken by the team ensured that the funds currently deposited were secured against further exploitation. The website and app, which briefly went offline showing a client-side exception error, were also restored to operation.

Further developments saw an unexpected but fortunate intervention when a user known as c0ffeebabe.eth managed to front-run the exploiters, securing all of the drained funds into the Blueberry multisig wallet, with the exception of a 91 ETH validator payment. The initial breach saw a total of 457 ETH drained, but thanks to c0ffeebabe.eth's actions, 366 ETH were recovered and returned to the protocol's multi-signature wallet. The Blueberry team is now in contact with security and communication professionals to try to reach the validator and secure the return of the remaining funds.

The incident affected only three of Blueberry's markets, with the majority of the funds already returned to the protocol. The total loss, accounting for the validator payment, amounted to 91 ETH. The protocol, which facilitates lending and leveraged borrowing of up to 20x the collateral value, had a total value locked (TVL) of $4.5 million before the exploit, which dropped to $3.15 million afterward. Blueberry, a fork of the Compound DeFi protocol, reassured users that the deposited funds are now safe and that it is working towards a full repayment to the affected users.

Interestingly, just a day before the exploit, Blueberry had published a “security overview” claiming a security-first approach in its development and risk mitigation strategies. The protocol boasted audits by Hacken and Sherlock and had conducted two independent token security audits. However, the tweet promoting the security review has since been removed from Blueberry's X feed.

Fake KCS Airdrop Scam Alert

A scam targeting KuCoin users has also caused quite a stir. In a recent disclosure by a web3 security advocate known as CryptoShields.eth, a scam involving a fake KCS airdrop was brought to light through an X post shared on Feb. 22. The scam was spread via an SMS message falsely claiming eligibility for a KCS airdrop, despite there being no such offer. The suspicious activity is believed to be linked to Inferno Drainer, a notorious scam-as-a-service platform that announced its shutdown in August 2023.

The domain used to promote the fraudulent airdrop was registered through Squarespace on Feb. 13, according to Whois data. As of now, KuCoin, the crypto exchange associated with KCS tokens, has not commented on the situation.

The legitimacy of the airdrop is highly questionable: the website asks users to sign a transaction with their non-custodial wallets as proof of ownership, a method commonly used by scammers to push malicious transactions and drain funds from unsuspecting victims' wallets. The incident raises concerns about the security of crypto assets and the possibility of an internal breach at KuCoin, though no conclusive evidence has been presented to confirm such a breach.