Unmasking Crypto Scammers: Evasion Techniques and Countermeasures

Scams, malicious breaches, hacks, and cyber attacks have emerged as a significant bottleneck for the crypto industry. It has been a headwind in its trajectory to achieve super-exponential growth at par with its potential. 

In fact, between 2021 and mid-2022, more than 46,000 people together reported a loss of US$1 billion in crypto to scams. This volume refers to those reported to the United States Federal Trade Commission alone. 

According to Matt O’Neill, deputy special agent in charge of cyber for the United States Secret Service, in 2022, consumers in the United States lost US$2.6 billion in the scams, and crypto scammers are on track to surpass this number by 2023. 

These frightening numbers give birth to two critical questions: how do crypto scammers evade authorities and go unchallenged, and what can we do to stop them? 

How Crypto Scammers Evade Authorities

Over the years, crypto scammers have come up with several evasion techniques, such as Spoofing, Morphing, Obfuscation, Poisoning, and Redirection, which cybersecurity network Forta highlights in its comprehensive research. 

In the following segments, we will look at each technique summarily, figure out how they work, whom they target, and how to nip in the bud. 

Spoofing

Spoofing, which can occur through methods such as fake standard implementation, variable shadowing, bug exploits, and SYBILS, seeks to elude a diverse group of stakeholders like users, block explorers, reviewers, and security tools.

To thwart these attempts, we can implement a range of strategies, such as monitoring multiple sources based on the specific standard being spoofed. Additionally, advocating for the deployment of tools that can scan the sources for duplicate definitions and polymorphisms is advised.

For challenges like keyword shadowing, specific tools such as Slither Shine come equipped with specialized detectors. Similarly, when combating bug exploits, recommended strategies include symbolic testing, fuzzing, and pattern matching.

Morphing 

In Morphing, contracts change their behavior depending on the context. As such, they usually tend to replicate benign functionalities when under scrutiny. 

Morphing has different sub-genres, including RED-PILL, lateral movement, logic bomb, etc. It targets to evade wallets, security tools, user tools, block explorers, etc.

To protect from Morphing attacks, one must parse the flow of each function, use historic transactions as invariants, index the signatures of an attacking contract in a database, implement graph analysis methods, carry out fuzzing exercises, and scan the bytecode for unusual opcodes. 

Obfuscation

Obfuscation is the process where scammers make their malicious codes hard to find and comprehend, employing various tactics such as hiding the code in plain sight, concealing it behind proxies, creating a hidden state, payload packing, and more. 

This technique is strategically used by scammers to bypass code reviewers, security tools, block explorers, users, and even security reviewers.

To detect obfuscation, one approach is to look at the size of the bytecode. Further strategies include searching for proxy patterns, checking for the absence of verified sources, and analyzing the bytecode of the logic contract.

And since storing data on a blockchain requires gas, obfuscation efforts can also be detected by studying changes to the storage through gas consumption. Measuring the entropy can also lead to detecting potential obfuscation schemes. 

Poisoning

Poisoning happens when scammers hijack legitimate contracts to appear authentic and trustworthy using methods such as event poisoning or a technique known as Living off the Land! 

By doing so, hackers seek to elude users and multi-layer defense mechanisms. As a counter-strategy, parsing the logs and decoding them from transaction topics and data is recommended. 

The constraints should be set on the arguments of all standard events. Additionally, building the referential is advised, where the reference serves as a database indexing the selectors of all the standards and aligning them with the event signatures.

Redirection

The redirection efforts of scammers utilize techniques that change the execution flow from legitimate functions to hidden malicious code, often through methods like hidden proxies or selector collisions. These redirection evasion methods primarily aim to bypass block explorers, security tools, etc.

To stop redirection scams, compare the selector from the transaction data with the contract’s interface and also compare it with known interfaces. Identifying selector collisions involves comparing the bytecodes of both the proxy and its implementation. 

Remedies and Recourse

To sum up, addressing scams is a must for the uninhibited growth of crypto. Forta’s comprehensive research report provides insights and countermeasure techniques that, when effectively deployed, may play a significant role in this effort.

However, only having adequate knowledge often falls short when it comes to combating crypto scammers, who are much more sophisticated in their operating network and attack strategies. Effectively countering them requires the support of efficient tools. 

And one such tool is Forta’s updated Scam Detector. It offers an API-based data feed with real-time intelligence on a variety of Web3 scams and entities involved therein. 

Powered by machine learning and a collective of Forta contributors, the updated version incorporates malicious URL data, expanded threat coverage, and valuable inputs from leading development teams like BlockSec and Nethermind. 

Intelligence is available for each stage of the scam and can be leveraged by Web3 wallets, centralized exchanges, AML compliance platforms, and a range of Web3 security tools as a complementary source of threat intelligence.