Scammers use memecoin ‘trending’ list to lure victims – researcher

According to a post from security researcher Roffett.eth on September 25th, scammers are using the “trending” list on memecoin analysis site GMGN to lure unsuspecting victims and steal their crypto.

The attackers create coins that allow the developer to transfer any user's tokens to themselves. They then pass the token back and forth between multiple accounts, artificially increase the volume, and place it on GMGN's “trending list.”

Once a coin is on the trending list, unsuspecting users buy it thinking it is a popular coin. But within minutes, their coins are wiped from their wallets, never to be seen again. The developer then puts the coin back into the liquid pool and sells it to another victim.

Roffett listed Robotax, DFC and Billy Dog (NICK) as three malicious coins on the list.

GMGN is an analytics web application that hosts memecoin traders on Base, Solana, Tron, Blast and Ethereum. The interface contains several different tabs including “New Pair”, “Trend” and “Discovery”, each listing coins based on different criteria.

Roffett said he discovered the scam when his friends discovered that they had bought coins on the list and then mysteriously disappeared. A friend believed his wallet had been hacked, but he created a new wallet and repurchased the coins, again draining them from the wallet.

Magazine: Bank Network DeFi Hacked, $50M Phisher Moves Crypto On CoW: Crypto-Sec

Fascinated by the mystery, Roffett analyzed the attacks using BlockBrowser and found them to be phishing attacks. The attacker apparently provided what he called an “authorization” function and provided the user's signature, which would have been impossible unless the user had been tricked by a phishing site. However, the friend denied having linked to any suspicious websites before both attacks.

One of the stolen coins was NICK. And after examining Nike's contract code, Roffett found it “somewhat strange.” Instead of having the usual stock code found in most token contracts, it had “very unusual and hidden mechanisms.”

As evidence of these unconventional methods, Roffett posted images of NICK's “performance” and “fictional” activities with vaguely purposeless text.

Eventually, Roffett discovered that the contract contained malicious code in one of its libraries. This code allowed the “recovery” (developer) to call the “authorize” function without providing the token owner's signature. Roffett said:

“If the caller's address fixes the recovery, he can get permission from any token holder by manually building a specific signature and then transfer the tokens.”

However, the recovery address is also hidden. It is specified as a 256-bit, positive, non-zero number. Below this number was the function that the contract used to retrieve the address from this number. Rofet uses this function to determine if the malicious “recovery” address is a contract ending in f261.

According to blockchain data, this “recovery” contract involved more than 100 transactions transferring NICK tokens from token holders to other accounts.

After discovering how this scam works, Roffett researched the “trending” list and found at least two other tokens with the same code: Robotaxi and DFC.

Related: What is a honeypot crypto scam and how to spot it?

Roffett concluded that fraudsters have probably been using this technique for some time. It warns users to stay away from this list, as using it can cause you to lose money. And so he said.

“Malicious developers first use multiple addresses to fake trades and holdings, then put the token on the trending list. This attracts small retail investors to buy, and eventually, the ERC20 tokens are stolen, completing the scam. The presence of these trending lists is extremely dangerous for novice retail investors. It's harmful. I hope everyone realizes this and doesn't fall for it.

Scam tokens or “honeypots” continue to pose a threat to crypto users. In April, a scam token developer took out $1.62 million from victims by selling BONKKILLER tokens that would not allow users to sell them. In the year In 2022, a report from blockchain risk management company Solidus warned that more than 350 fraudulent coins would be created during the year.