Hackers Run Token Scams to “Rug Pull” Money
Check Point Research shows how scammers misconfigure smart contracts to create fraudulent tokens. The report details the method scammers are currently using to “rug pull” money from people and provides examples of smart contract misconfigurations that can lead to money heists. Last October, Check Point Research identified theft of crypto wallets on OpenSea, the world’s largest NFT marketplace.
And last November, it revealed that hackers were using search engine phishing campaigns to steal half a million dollars in a matter of days.
In a new report, Check Point Research (CPR) exposes how hackers are creating malicious tokens to steal money.
· Some tokens contain a 99% buy fee, which will steal all your money at the buying phase.
· Some tokens don’t allow the buyer to resell; only the owner may sell.
· Some tokens contain a 99% sell fee, which will steal all your money at the selling phase.
· Some allow the owner to create more coins in his wallet and sell them.
To create fraudulent tokens, hackers misconfigured smart contracts. Smart contracts are programs stored on a blockchain that run when predetermined conditions are met.
The report outlines the steps hackers take to exploit smart contracts:
1. Leverage scam services. Hackers usually use scam services to create the contract for them, or they copy an already known scam contract and modify the token name and symbol, and, if they are really sophisticated, some of the function names as well.
2. Manipulate functions. They then manipulate the functions that handle money transfers: they prevent you from selling, increase the fee amount, and more. Most of the manipulation occurs where money is being transferred.
3. Create hype via social media. They then open social channels, such as Twitter, Discord or Telegram, without revealing their identity or while using the fake identity of other people, and start hyping the project so that people start buying.
4. “Rug and pull” the money. After they reach the amount of money they want, they will pull all the money from the contract, and delete all the social media channels.
5. Skip timelocks. You usually won't see those tokens lock a large amount of money in the contract pool, or even add a timelock to the contract. Timelocks are mostly used to delay administrative actions and are generally considered a strong indicator that a project is legitimate.
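The red flags listed above can be screened for before buying by reading the token's published contract source. The following is an added example, not code from the Check Point report: a small heuristic scanner whose regular expressions, finding messages and sample contract are all constructed assumptions for illustration.

```python
import re

# Constructed sample contract for illustration; not taken from any real token.
SAMPLE = """
contract Token {
    address owner; address pair; uint256 sellFee = 5; uint256 totalSupply;
    mapping(address => uint256) balances;
    function setSellFee(uint256 f) external onlyOwner { sellFee = f; }
    function mint(uint256 amount) external onlyOwner {
        balances[owner] += amount; totalSupply += amount;
    }
    function transfer(address to, uint256 amount) external returns (bool) {
        if (to == pair) { require(msg.sender == owner, "locked"); }
        uint256 fee = amount * sellFee / 100;
        balances[msg.sender] -= amount; balances[to] += amount - fee;
        return true;
    }
}
"""

FUNC = re.compile(r"function\s+(\w+)\s*\(([^)]*)\)([^{;]*)\{")

def functions(src):
    """Yield (name, header, body) for each function, matching braces by depth."""
    for m in FUNC.finditer(src):
        depth, i = 1, m.end()
        while depth and i < len(src):
            depth += {"{": 1, "}": -1}.get(src[i], 0)
            i += 1
        yield m.group(1), m.group(3), src[m.end():i - 1]

def red_flags(src):
    """Return sorted findings for the token behaviours the report lists (heuristic)."""
    found = set()
    for name, header, body in functions(src):
        owner_only = "onlyOwner" in header
        if owner_only and re.search(r"(?i)\w*fee\w*\s*=[^=]", body) and "require" not in body:
            found.add(f"{name}: owner can set fee with no upper bound")
        if owner_only and re.search(r"(?i)(totalSupply\s*\+=|_mint\s*\()", body):
            found.add(f"{name}: owner can create new tokens")
        if re.match(r"(?i)_?transfer", name) and re.search(r"require\s*\([^;]*==\s*_?owner", body):
            found.add(f"{name}: transfer path gated on owner address")
    if not re.search(r"(?i)timelock", src):
        found.add("contract: no timelock on administrative actions")
    return sorted(found)

if __name__ == "__main__":
    for finding in red_flags(SAMPLE):
        print(finding)
```

A clean result from text matching like this does not show a token is safe; renamed functions or logic split across contracts will not match these patterns.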
The implication is that crypto users will continue to fall into these traps and lose their money. The report alerts the crypto community that scammers are, indeed, creating fraudulent tokens to steal funds. To avoid scam coins, the research report recommends that crypto users diversify their wallets, ignore ads and test their transactions.