Crypto Trading Bot Scams — A trip down Twitter’s dark side

Dhruva Goyal
4 min read · Jun 11, 2023

I am not the most active person on Twitter, but no one is unfamiliar with the large number of bots on the platform. Every time I read the comments on anyone’s tweets, there is a flood of “bots” trying to redirect me to a scam. From Elon Musk terminating his contract to buy Twitter because of the misreporting of the number of bots to Elon Musk tackling the problem head-on, we have come full circle.

I always find it amusing to deconstruct these scams on my free Sundays. One of the more interesting ones is the recent crypto trading bot scam that supposedly makes $800/day by “frontrunning” smart contracts by monitoring “mempools”.

It started with the not-uncommon comment on a celebrity VC post that directed me to a profile that had retweeted a page from another person's account regarding the scam.

Following this link takes you to a recently released YouTube video from a supposed Web3 training channel with a reasonable 3.5k subscribers. The video is made extremely professionally with a “clear white male voice”, and starts by talking about how frontrunning works, explaining it in simple layman’s terms.

In brief, frontrunning is a real technique where you pay a slightly higher gas fee to get your transaction prioritized into an upcoming block to be mined. The mempool is like a waiting room where a transaction is kept until it is confirmed. Frontrunners watch for significant transactions that have been broadcast but are still in the mempool, then place their own transactions with slightly higher gas fees so they profit. It is almost like insider trading, but within a timespan of a few seconds to a few minutes.

The issue here is that frontrunning as a technique has existed for a very long time, and it is a very valid (sometimes) working technique, so even if an informed, digitally native person tries to google it, they will be able to verify its legitimacy.

The scammer then tells the person to copy and paste some code into the Remix IDE, and teaches them how to deploy the smart contract, deposit ETH into it and run the function to start it. I believe once the scammer has established their legitimacy with the formal video and channel alongside the 100+ comments saying that it is real, people tend to believe them and “try it out” for the sake of it.

There needs to be more awareness, in organisations and among everyone in general, about the risk of running code written by other people. What is the point of 0-day, highly technical RCEs (Remote Code Executions) when the weakest link in your organisation, a human, literally runs a piece of code they find online on their computer, giving the attacker remote code execution? 😆

As informed security researchers, we delve into the code and see nicely named functions with comments walking the person through the process (all false!). The functions contain complicated string manipulation techniques using low-level assembly operations, which are generally considered red flags in any smart contract as they are never really required.

Reviewing the public start() function, we see it contains a call to transfer the entire contract balance to the wallet address that is the return value of _callFrontRunActionMempool(). Reviewing this function in turn, we can see it indeed returns an address, which is calculated with parseMemoryPool(callMempool()).

Now the reverse engineer in me would love to RE 500 lines of complex Solidity assembly code, but that is not the point of this article. We instead quickly make the _callFrontRunActionMempool function public and call it to get the wallet address.
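A rough static triage for the two red flags described above (inline assembly, and a full-balance transfer whose recipient is computed by a helper function instead of being the caller), written as an added example and not taken from this article's author or from the scam contract. The Solidity sample, the rule names and the Python function names are constructed for illustration; only start, _callFrontRunActionMempool, parseMemoryPool and callMempool are names from the post.

```python
import re

# Constructed sample mirroring the structure described in the article; not the scam's real code.
SAMPLE = r'''
pragma solidity ^0.6.6;
contract Bot {
    function callMempool() internal pure returns (string memory) { return "0x00"; }
    function parseMemoryPool(string memory _a) internal pure returns (address _parsed) {
        assembly { _parsed := mload(add(_a, 20)) }
    }
    function _callFrontRunActionMempool() internal pure returns (address) {
        return parseMemoryPool(callMempool());
    }
    function start() public payable {
        // Sends the frontrun profit back to your wallet (a false comment)
        payable(_callFrontRunActionMempool()).transfer(address(this).balance);
    }
    function withdrawal() public {
        payable(msg.sender).transfer(address(this).balance);
    }
}
'''

ASM = re.compile(r"\bassembly\b[^{;]*\{")
SWEEP = re.compile(r"([^;{}]+?)\.(transfer|send|call)\b[^;]*address\s*\(\s*this\s*\)\s*\.balance")
CALL = re.compile(r"\b([A-Za-z_]\w*)\s*\(")
CASTS = {"payable", "address"}  # type casts, not helper functions

def strip_comments(src):
    """Blank out comments but keep newlines so line numbers stay valid."""
    src = re.sub(r"/\*.*?\*/", lambda m: "\n" * m.group().count("\n"), src, flags=re.S)
    return re.sub(r"//[^\n]*", "", src)

def line_of(code, pos):
    return code.count("\n", 0, pos) + 1

def triage(src):
    """Return (rule, line, detail) findings; comments and friendly names are ignored."""
    code = strip_comments(src)
    findings = [("inline-assembly", line_of(code, m.start()), "assembly block")
                for m in ASM.finditer(code)]
    for m in SWEEP.finditer(code):
        helpers = [f for f in CALL.findall(m.group(1)) if f not in CASTS]
        if helpers:  # payout address is computed by contract code, not msg.sender or a plain variable
            findings.append(("balance-sweep-to-computed-address", line_of(code, m.start(2)), helpers[0]))
    return findings

if __name__ == "__main__":
    print(*triage(SAMPLE), sep="\n")
```

This is a regex heuristic rather than a Solidity parser, so a clean result does not mean a contract is safe; a hit only tells you where to start reading.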

We see the address 0xBcF87A18e05e562BD307d76682677d2388973cc6, which we can review on Etherscan to see all the unfortunate victims of this scam!

Over the last few months, this wallet has accumulated a little under $20,000 of ETH! I will further ensure that the authorities flag this wallet. Still, it’s important to spread awareness about the prevalence of scams on the web as we work towards protecting others from falling victim to these fraudulent schemes.

By raising awareness and educating people, we can collectively combat these scams and ensure that scammers cannot profit from unsuspecting individuals. Together, let’s create a safer and more informed crypto community!


Written by Dhruva Goyal

Founder of BugBase, full-stack web developer & OSCP, OSWE & CEH certified cybersecurity enthusiast.
