Beware of Trading Bot Scams

By Keir Finlow-Bates [ Join Cybersecurity Insiders ]

By Keir Finlow-Bates, passionate blockchain enthusiast and technologist, Resonance Security

TL;DR — do not deploy smart contract code that you do not understand, and do not send tokens or ETH to contracts that are not managed by an entity that you trust.

I can’t believe that trading bot scams on Ethereum and Ethereum-like chains are still going on. But they are. Today I had to deliver the bad news to someone that they had lost a significant amount of ETH to such a trading bot scam. And unfortunately, YouTube, Telegram or Discord, and Remix aren’t doing much to prevent them.

These scams have been going on for years now, and people are still falling for them.

The core of the scam consists of:

1. some Solidity code that the scammer claims is a trading bot smart contract that will make you money while you sleep, and

2. a tutorial video showing you how to deploy the smart contract using Remix

The reason the scam works is because in crypto there are people who don’t have enough underlying technical knowledge to determine that what it promises is nonsense or assess the code competently to see that it is designed to steal your crypto-assets, but they do have enough technical knowledge and confidence to follow the instructions given.

They also often made significant profits by buying crypto earlier on, making them excellent targets.

What part does Remix play?

Remix is an online tool provided by the Ethereum Foundation, which allows you to write, debug, and deploy smart contracts from your browser.

Remix warns you about trading bot scams on its front page, but the warning is easily overlooked, as the main screen is full of moving adverts for projects, templates for contracts, and other distracting information.

The warning should be in a large pop-up that you have to dismiss before you get to use Remix, and it should list all the possible names the scammers may be using for the scam.
The scammers call their contract a “trading bot”, or an “MEV bot”, or a “liquidity front runner bot” or something else that sounds intriguing, but in reality it is just obfuscated code that transfers any ETH the mark deposited into the contract to the scammer’s address.
There is a second warning when you paste code into Remix.
Ultimately, the fact that there are warnings doesn’t matter. The scammers often use the open-source repository for Remix to deploy their own copy at their own URL, and remove the warnings.
It doesn’t help to have a message saying “Only use Remix at” on the genuine site if people are being directed straight to something like by the tutorial video.
(Note: do not use the site!)
What part does YouTube play?
The scammers post tutorial videos on YouTube.
The tutorial videos are pretty slick. They often have an articulate gentle-spoken person with an ASMR-type voice walking you through the process of deploying the contract, together with a lot of nonsense that sounds plausible about how the trading bot works and what features of Ethereum, Binance Smart Chain, Polygon, or some other Ethereum compatible blockchain the smart contract exploits.
The instruction part of these videos is remarkably clear. It just goes to show you that when there is sufficient motivation (unfortunately evil motivation in this case) people can create really simple, clear instructions for the most complicated of things.
The videos have lots and lots of comments from people claiming that they’ve made small fortunes using these scammy contracts. The people are fake — the scammers have registered many accounts leaving these glowing testimonials to create a sense that the bot really does work.
YouTube is not very diligent in removing the videos, even if notified.
What part does Discord or Telegram play?
If the scammers are doing particularly well, they may even pay for a “support person” to moderate a Telegram or Discord channel, for that extra touch of legitimacy.
Furthermore, if someone reaches out for support because their bot isn’t making them any Ether or Matic, the support person can examine their address, see how much native cryptocurrency they are holding, and recommend that more be added to the contract because it needs X ETH or Y Matic to kick in and work.
As part of stringing along the mark, they may even refund a small amount to give the impression that the code isn’t locking up or stealing the assets. This is the crypto equivalent of a pool hustler or card sharp allowing the victim to win small amounts early on, only to clean them out on the big final con.
If you can even get Discord or Telegram to do something about closing down the channel (which they won’t), the scammers can immediately open another one.
How does the code work?
A link to the code is always provided in the video and the description for the video, and the code is supplied using a public file-sharing service like Pastebin, Github, or Ghostbin.
I have looked at about four different versions, and they all follow the same structure:
  1. Make it look like the contract has something to do with a token-swapping contract like Uniswap or Pancakeswap by including imports of one of those contracts at the top of the code. Clue #1: the functions in these imports are never called.
  2. Include lots of comments that make it look like the functions are for finding instances of the swapping contracts. Many of these functions aren’t even called anywhere in the code. Clue #2: the comments are technobabble.
  3. Use obfuscated code blocks in nested misleadingly named functions to construct the scammer’s address. Clue #3: running these functions always returns the same value.
  4. All publicly callable functions in the contract contain a transfer of the ETH (or chain native cryptocurrency) balance of the contract to the scammer’s address. Clue #4: the transfer code has no comments.

Lessons learned

The aphorism, “If it seems too good to be true, it probably is” holds everywhere, even for crypto. The problem with crypto is that many people have made a lot of money by buying low in a way that seems too good to be true, and that softens them up for scammers to come along and relieve them of what to many seems like not-so-hard-earned cash.

I’ve personally lost 0.1 BTC and about 3 ETH to scams over the last decade. It’s nothing to be ashamed of, but it is something to be angry about. And it does teach you to be more careful.

The key thing is to avoid acting on that irrational initial impulse that combines the emotions of fear and greed — fear that you’re going to miss out if you don’t strike while the digital iron is hot, and greed for the possibility of making easy money.

Instead, look at the offer being made rationally.

Does it make sense that someone who has invented a trading bot that can turn 3 ETH into a perpetual stream of 6 ETH every week would spend a fortune making a video explaining to total strangers how they can do it too? What would they gain from that? Is it even possible to have a system where, no matter how many people join, magical internet money will flow to all of the participants?

No, of course it doesn’t make sense.

It’s as crazy as believing a tweet that if you send Bill Gates one bitcoin or Vitalik Buterin one ETH, he will send you two back. And here’s his Bitcoin or Ethereum address.

Except … people have fallen for that scam too.

[This article was written by Keir Finlow-Bates, a passionate blockchain enthusiast and technologist, who represents Resonance Security]


No posts to display