
Dapp Approval Scams – A Case Study

Financial crime investigators constantly encounter crypto and blockchain in their cases. It is well documented that crypto is used for crime, and the types of scams investigators have to be aware of grow more sophisticated as time goes on.

One sophisticated scam built on decentralized applications (dapps) is climbing the charts. Scammers deceive users into granting a smart contract permission to approve unlimited transactions on their behalf, promising yield or reduced gas fees. This is known as the “dapp approval scam”.

According to stateofthedapps.com, there are over 4,000 dapps, with nearly 3,000 built on the Ethereum blockchain. Dapps are outside the purview and control of any single authority, so security and control rest with the user. However, this also makes them prone to scams.

When a user carries out a transaction in a dapp contract, an Approve button appears on the dapp page. To allow transactions, the user must authorize the contract, and this authorization gives the dapp contract the authority to move the user’s assets, opening the door for criminals to steal the funds in the user’s wallet.

Although the scammers can only misuse the permission after the user has granted it, this scam is harder for unsuspecting users to avoid, because they expect scammers to blatantly demand their private keys rather than ask for an approval.

In this case study, we will look at a dapp approval scam from 2021. This scam resulted in over 500 wallets belonging to unsuspecting users being drained of more than $10m worth of tokens.

What is a dapp?

A dapp is a program or a digital application that operates on a blockchain. It combines a smart contract with a user interface. This user interface can take the form of a website or app that asks users to connect their wallets to use the service.

Usually, when interacting with a dapp, the wallet owner needs to grant two types of permissions.

1. Permission to read the wallet’s public key and balances.
2. Permission to interact with the tokens inside the wallet.

The second permission is what enables malicious actors to rob unsuspecting users of their cryptocurrency tokens. Once permission to interact with tokens is granted to the dapp, the linked contract has the right to transfer the user’s tokens. Most malicious contracts will ask users for authorization for an unlimited number of tokens.
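The approval mechanism described above, as an added example that is not code from the original post: a small Python model of the ERC-20 approve/transferFrom flow that decodes a constructed approve() call, shows how an unlimited allowance also covers tokens deposited after the approval was granted, and shows that revoking it (approving amount 0) stops further transfers. The addresses and calldata are constructed; the selector 0x095ea7b3 is the standard ERC-20 selector for approve(address,uint256).

```python
APPROVE_SELECTOR = "095ea7b3"  # first 4 bytes of keccak256("approve(address,uint256)")
UINT256_MAX = 2**256 - 1       # the "unlimited" allowance that malicious dapps typically request


def decode_approve(calldata_hex):
    """Return (spender, amount) from ERC-20 approve calldata, or None if it is some other call."""
    data = calldata_hex.lower().removeprefix("0x")
    if len(data) != 8 + 64 + 64 or data[:8] != APPROVE_SELECTOR:
        return None
    spender = "0x" + data[8 + 24:8 + 64]  # address sits in the low 20 bytes of a 32-byte word
    return spender, int(data[8 + 64:], 16)


class Token:
    """Minimal ERC-20 ledger: balances plus (owner, spender) -> allowance."""
    def __init__(self, balances):
        self.balances = dict(balances)
        self.allowances = {}

    def approve(self, owner, spender, amount):  # approve(owner, spender, 0) revokes
        self.allowances[(owner, spender)] = amount

    def transfer_from(self, spender, owner, to, amount):
        """Spender moves owner's tokens; fails unless allowance and balance both suffice."""
        allowed = self.allowances.get((owner, spender), 0)
        if amount > allowed or amount > self.balances.get(owner, 0):
            return False
        if allowed != UINT256_MAX:  # common ERC-20 convention: unlimited allowances are never decremented
            self.allowances[(owner, spender)] = allowed - amount
        self.balances[owner] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount
        return True


def drain_scenario():
    """Approval -> later deposit -> drain -> revoke; returns what an investigator would observe."""
    victim, spender, sink = "0x" + "11" * 20, "0x" + "ab" * 20, "0x" + "ee" * 20
    # Constructed calldata a phishing dapp would ask the wallet to sign: approve(spender, 2**256-1)
    calldata = "0x" + APPROVE_SELECTOR + "00" * 12 + "ab" * 20 + "ff" * 32
    decoded_spender, amount = decode_approve(calldata)
    token = Token({victim: 5_000})
    token.approve(victim, decoded_spender, amount)
    token.balances[victim] += 2_000  # tokens deposited later are covered by the same allowance
    drained = token.transfer_from(spender, victim, sink, 7_000)
    token.approve(victim, spender, 0)  # revoking the allowance blocks any further transferFrom
    token.balances[victim] += 1_000
    after_revoke = token.transfer_from(spender, victim, sink, 1_000)
    return {"spender": decoded_spender, "unlimited": amount == UINT256_MAX, "drained": drained,
            "victim_balance": token.balances[victim], "after_revoke": after_revoke}
```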

Ethusdt.buzz dapp approval scam

The Investigation team at Blockchain Intelligence Group first came across this website courtesy of a blog post on the Hive blog by Mark Bailey. The post contained excerpts from a complaint that his friend filed with the FBI. His friend was scammed out of nearly $10,000 by the website ethusdt.buzz.

Since the website was offline, we investigated an archived snapshot, from which we concluded that it was a fake mining pool that encouraged users to connect their wallets.

Archive snapshot from the scam website ethusdt.buzz before it went offline

At this stage, the deceived users granted the scammers permission to transfer an unlimited amount of USDT tokens from the connected wallets.

To build our analysis, we first checked the victim’s address (0xf551b0A616bC4956E02e52Ac704Cd268ECd4aCEc) and discovered that they had given approval for unlimited USDT withdrawals to address 0x08F3E1494C673fd9d1536445A3573DAb533cdeAe in transaction 0x4162253d65f410b835d6a0db2b1d0124a7fdcaac9991bfca38d2c798a88f4eb7.

We examined 3 other USDT scam transactions mentioned in Mark’s article. In all three, we found the address (0x08f3) to be behind the initiated USDT transfers and the withdrawal address to be 0x6302B04e7fF2463491EFE44fAA7cec6fc6969742.

To connect the dots, we investigated further and looked at all transactions approved by the address (0x08f3) in which USDT tokens were potentially depleted from a victim’s wallet to an address likely controlled by the same scammers.

The flow of funds from the victims’ wallets to the withdrawal address.

We found 268 victims whose funds were drained to the following 3 withdrawal addresses in 400 transactions.

1. 0x6302b04e7ff2463491efe44faa7cec6fc6969742
2. 0x86aafccdc794c5b7b79c18bb0ceeff630e237abf
3. 0xff1345fd6e5e23026acf8d6cca47ea5fd5dfc93

On investigating further, we found other incoming transactions to these withdrawal addresses that were initiated by the following 3 new approver addresses.

1. 0xc25f01a88dd4354e0075eb358acbf0cbff34c00f
2. 0x7bac92deeaddaa542b6b428847c8ec6f8d74d8f0
3. 0xfaa9be9d6cc650cc3e577e620781ff8fe7dabded

These approver addresses then led to the discovery of a further 6 withdrawal addresses. A full summary, including the number of victims and the funds that were stolen, is below.

The addresses highlighted in the table above are addresses that received funds from multiple approver addresses. This hints that multiple approver addresses may belong to the same culprit.

QLUE Graph: USDT transfers to consolidation addresses approved by 0x08f3e1494c673fd9d1536445a3573dab533cdeae

Graph showing USDT transfers to consolidation addresses approved by 0xc25f01a88dd4354e0075eb358acbf0cbff34c00f

Graph showing USDT transfers to consolidation addresses approved by 0x7bac92deeaddaa542b6b428847c8ec6f8d74d8f0

Graph showing USDT transfers to consolidation addresses approved by 0xfaa9be9d6cc650cc3e577e620781ff8fe7dabded

Evidently, the scammers convinced a large number of victims to approve access to large numbers of tokens. The scam was brought to light when reports from multiple victims were posted on social media.

“She contacts you on telegram, sends you a link and explains how to join the liquidity pool, and after you get your whole wallet sucked up because of a smart contract that is in place after your stolen USDT”, one user reported on Reddit.

The scam seemed to persist for months, with victim reports on Reddit and Twitter multiplying until early 2022. Based on those victim reports, our research indicates that the following phishing domains were possibly used in this series of scams:

• defi-usdtetc.com
• xworldwallet.com
• eth-usdt.info
• cb-titan.co
• Eth-sany.com
• Ethbonus-pool.com
• etoro.zone

While it’s unclear whether the same actor is behind all the reported incidents, it is evident that the scammers infiltrate different channels and successfully convince their victims to invest large amounts of funds in fake schemes before draining their wallets.

Millions of dollars were lost over hundreds of transactions in this series of scams and others like it. Investors ought to be extra cautious about where they connect their wallets and entrust their funds. Are your crypto assets at risk? Check all the token approvals you have granted here.

Do you govern cryptocurrency assets? Get crypto-certified in days with self-guided training, and learn the risks and other advanced criminal concepts.
