
Liquidity mining scams add another layer to cryptocurrency crime

The ongoing hype about cryptocurrency trading and the vast sums of digital wealth some have made (and lost) in crypto markets is a strong lure for some would-be investors. But the complexity of cryptocurrency and decentralized finance (DeFi) schemes based on it have also created an environment where criminals can draw victims in, using the complexity as camouflage for fake apps, malicious contracts, and other schemes that make the victims think they’re on the road to wealth while getting them to turn over more and more currency.

We’ve already reported on one type of scheme, which we’ve labeled CryptoRom, in which potential targets are approached on mobile dating applications and lured into messaging with someone posing as a romantic interest, and then brought into a fake cryptocurrency investment scheme bolstered by fake trading applications and websites. But while we were investigating that scheme, another practically dropped into my lap: a Twitter direct message invited me to join in “liquidity mining research”.

This interaction led to an investigation uncovering a number of fraud rings based on “liquidity mining,” a form of cryptocurrency-based decentralized finance (DeFi) that even in its legitimate form is a highly complex endeavor. The mechanics of legitimate liquidity mining provide the perfect cover for old-fashioned swindles re-minted for the cryptocurrency age.

Criminals have used the complexity of the real thing to provide cover for a variety of scams, luring victims with the promise of extraordinary returns on investment. We found a number of these rings, operating primarily from China and using a mixture of fraudulent blockchain contracts, websites and applications to raid victims’ crypto wallets while making them believe they were making daily profits. Like the other crypto scams we follow, these have evolved from being focused on Asia into a global phenomenon. As we were researching one scam, the Washington Post reported on the victim of another liquidity mining scam that closely followed the pattern of the CryptoRom sha zhu pan scams we’ve reported on in the past.

What is Liquidity Mining?

Legitimate liquidity mining exists to make it possible for decentralized finance (DeFi) networks to automatically process digital currency trades. DeFi is an emerging financial technology that uses a blockchain-based distributed ledger similar to that used by cryptocurrencies to adjudicate trades between different types of crypto—governed by trading protocols built into the ledger itself.

Centralized cryptocurrency exchanges act as “market makers” for trades out of their deposits. Coinbase and other exchanges often reward larger investors (with reduced trading fees and other benefits) for allowing portions of their deposits to be used to guarantee the exchange holds enough of popularly traded pairs of cryptocurrency to ensure trades can be handled. For example, if someone wants to cash out of Ethereum and exchange it for a “stablecoin” such as Tether (USDT), the exchange needs to have enough USDT available in reserves to make that trade and fulfill the transaction. The same is true in the other direction.

DeFi exchanges do trades differently—they’re executed by a protocol built into their networks known as Automated Market Makers (AMMs). Smart contracts built into the DeFi network have to rapidly determine the relative value of the currencies being exchanged and execute the trade. Since there is no centralized pool of crypto for these distributed exchanges to pull from to complete trades, they rely on crowdsourcing to provide the pool of cryptocurrency capital required to complete a trade—a liquidity pool.

To create the liquidity pool—which usually handles transactions between a single pair of cryptocurrencies—investors commit equal values of both cryptocurrencies to the pool, tying them on the blockchain to the smart contract. In exchange for lending that crypto to the pool, the contributors get a reward based on a percentage of the trading fees associated with the DeFi protocol. The “mining” part comes from liquidity pool tokens (LP tokens)—a representation of the share of the liquidity pool contributed by the investor.

The LP tokens themselves are in essence another cryptocurrency, pegged to the value of the percentage of the pool they’re associated with.

Holding the tokens usually comes with benefits: a percentage of trading fees, and other rewards. There is also risk of loss—for example, the value of the pool of crypto may fall, and therefore the cashout value of the tokens could drop below the initial buy-in cost. But as long as the people behind the tokens don’t take the assets in the pool and run, there is at least a way for investors to get off the merry-go-round.
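The mechanics described above (equal-value deposits, LP tokens as a pro-rata claim on the pool, trading fees accruing to holders, and the possibility that an exit is worth less than the buy-in) are easier to see in a small simulation. The following is an added example, not code from the original article or from any DeFi protocol; it assumes the common constant-product pool design (x * y = k), which the article does not name, and the 0.3% fee rate, pool sizes and trade amounts are constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class ConstantProductPool:
    """Two-asset liquidity pool using the constant-product rule x * y = k.

    Assumption (not stated in the article): the pool follows the common
    constant-product AMM design. A fixed fraction of every swap stays in the
    reserves as the trading fee that LP token holders share pro rata.
    """
    reserve_a: float = 0.0          # e.g. ETH
    reserve_b: float = 0.0          # e.g. USDT
    fee_rate: float = 0.003         # 0.3% of each swap retained for LPs (constructed)
    total_lp: float = 0.0           # LP tokens in circulation
    lp_balances: dict = field(default_factory=dict)

    def price_a_in_b(self) -> float:
        return self.reserve_b / self.reserve_a

    def add_liquidity(self, provider: str, amount_a: float, amount_b: float) -> float:
        """Deposit both assets; returns the LP tokens minted for the provider."""
        if self.total_lp == 0:
            # The first deposit fixes the initial price; mint sqrt(a * b) tokens.
            minted = (amount_a * amount_b) ** 0.5
        else:
            # Later deposits must match the pool ratio, i.e. equal value of each asset.
            if abs(amount_a / amount_b - self.reserve_a / self.reserve_b) > 1e-9:
                raise ValueError("deposit must match pool ratio (equal value of both assets)")
            minted = self.total_lp * amount_a / self.reserve_a
        self.reserve_a += amount_a
        self.reserve_b += amount_b
        self.total_lp += minted
        self.lp_balances[provider] = self.lp_balances.get(provider, 0.0) + minted
        return minted

    def share_of(self, provider: str) -> float:
        """Fraction of the pool the provider's LP tokens represent."""
        return self.lp_balances.get(provider, 0.0) / self.total_lp

    def swap_a_for_b(self, amount_a: float) -> float:
        """Sell amount_a of A; returns the B received. The fee stays in the reserves."""
        net_in = amount_a * (1 - self.fee_rate)
        out = self.reserve_b - self.reserve_a * self.reserve_b / (self.reserve_a + net_in)
        self.reserve_a += amount_a
        self.reserve_b -= out
        return out

    def swap_b_for_a(self, amount_b: float) -> float:
        """Sell amount_b of B; returns the A received."""
        net_in = amount_b * (1 - self.fee_rate)
        out = self.reserve_a - self.reserve_a * self.reserve_b / (self.reserve_b + net_in)
        self.reserve_b += amount_b
        self.reserve_a -= out
        return out

    def remove_liquidity(self, provider: str, lp_amount: float) -> tuple:
        """Burn LP tokens; returns the provider's pro-rata share of both reserves."""
        if lp_amount > self.lp_balances.get(provider, 0.0):
            raise ValueError("insufficient LP tokens")
        share = lp_amount / self.total_lp
        out_a, out_b = self.reserve_a * share, self.reserve_b * share
        self.reserve_a -= out_a
        self.reserve_b -= out_b
        self.total_lp -= lp_amount
        self.lp_balances[provider] -= lp_amount
        return out_a, out_b


def provider_outcome(trades: list, fee_rate: float = 0.003) -> dict:
    """Constructed scenario: one provider seeds 100 A / 100,000 B (price 1,000 B per A),
    traders execute `trades` (side, amount), then the provider exits. Returns the exit
    value versus simply holding the original coins, both priced at the final pool price."""
    pool = ConstantProductPool(fee_rate=fee_rate)
    lp = pool.add_liquidity("alice", 100.0, 100_000.0)
    for side, amount in trades:
        pool.swap_a_for_b(amount) if side == "a" else pool.swap_b_for_a(amount)
    final_price = pool.price_a_in_b()
    k_after = pool.reserve_a * pool.reserve_b      # grows only through retained fees
    got_a, got_b = pool.remove_liquidity("alice", lp)
    return {
        "lp_tokens": lp,
        "final_price": final_price,
        "k_after": k_after,
        "got_a": got_a,
        "got_b": got_b,
        "exit_value": got_a * final_price + got_b,
        "hold_value": 100.0 * final_price + 100_000.0,
    }


if __name__ == "__main__":
    # A single large sale of A pushes the price of A down; the provider collects the
    # fee but still exits with less than the hold value at the new price.
    result = provider_outcome([("a", 10.0)])
    for key, value in result.items():
        print(f"{key:>12}: {value:,.4f}")
```

Running the scenario shows the two sides of the legitimate product: the retained fee makes the pool's k grow (the provider's LP tokens are worth a larger pool), while the price move leaves the exit value below the value of simply holding the coins. A fraudulent "pool" has neither property: there is no contract-bound reserve for the LP tokens to be a claim on.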

Unfortunately, there are several ways things can go awry if the people behind the liquidity pool are unethical—or flat-out criminal. There is no regulation of DeFi exchanges, and the only thing guaranteeing they’re on the up-and-up is the smart contract code built into the DeFi network’s (usually Ethereum-based) blockchain. But if the tokens get cancelled—or there was never really a pool backing them at all—that all goes out the window. There is ample opportunity for digital Ponzi schemes, fraudulent tokens, and flat-out theft.

Building a bank of falsehoods

Unfortunately for the crypto-curious, there are plenty of unethical and criminal “liquidity mining” schemes out there. Like the CryptoRom rings we’ve tracked, they use a variety of social media and messaging tools to approach potential victims (as well as spam emails). In some cases, they also use fake mobile applications and websites that emulate or fake connections to better-known organizations in blockchain-based trading.

One of many spam messages in a campaign promoting a liquidity mining scam site.

But the pitches we’ve seen have not leaned heavily on the romance angle—though they do in some cases use manufactured profiles with young women to strengthen an emotional appeal.

For example, there is the constructed profile used in the unsolicited offer I received.

The person behind this Twitter account claimed to be a young woman in “America”:

“Catherina”, now “Linna”, one of many identical accounts used to lure victims in a liquidity mining scam.

The account was set up just a few weeks before the initial direct messages I received. The timeline of the profile is packed with selfies and videos of the woman, who based on the content of some of the images and posts is in Russia. The images of the woman are used on multiple Twitter accounts with identical content.

Further interaction with “Catherina” led to an invitation to continue the conversation on WhatsApp or Telegram:

Over the course of conversation on Telegram, the fraudster tried to guide me to set up a Coinbase wallet and deposit Tether (USDT), a “stablecoin” allegedly backed by securities that roughly follows the value of the US dollar.

The Binance app store screenshot sent by the criminals showed artifacts of automatic translation and depicted Chinese versions of the app. No link was provided, so this appears to be the legitimate Binance app in this case.

The screenshot of the Coinbase Wallet (another legitimate app) from the Google Play store was in Turkish:

During the course of our interaction, I managed to get “Catherina” to open a canary link—a URL tied to a server I had set up. Logs showed the person’s IP address was in Hong Kong.

Eventually, “Catherina” pointed me to a Telegram channel called “US Coinbase Investment Trading” for more details on connecting to the “pool.” The same Telegram channel was promoted in a Twitter direct message group called “Liquidity mining part time exchange group”:

The Telegram channel shares “news” of big rewards being shared, as well as admonishments not to believe any direct messages from other forum members because of the risk of fraud. In messages purporting to be from a Coinbase administrator (@Coinbase_CarlM), the scam group directs potential victims to a URL to register their wallets on the “official block”:

That link, coinbase-udt[.]cc, presents a mobile format website and pops up a QR code containing a link formatted specifically for crypto wallets compatible with the WalletConnect protocol. If a browser wallet extension such as MetaMask is present, it will automatically ask the user if they want to connect their wallet.

The site claims to have generated over 2 billion USDT (roughly equivalent to $2 billion US) in “user revenue,” with 2,300 “valid” wallet “nodes” in the pool. The site is hosted on Alibaba Cloud in the US, but much of its text away from the front page is in Chinese.

Once a wallet is linked, the site promises, users can invite other people to receive additional rewards. But to join, users must pay a “blockchain miner’s fee” to receive a “blockchain certificate” for their wallet to be configured as a node. Once registered, however, the user’s wallet contents can be withdrawn by the scammers at any time. The user is encouraged to deposit more and more into the wallet to increase returns, but will eventually find that they can neither withdraw their crypto nor actually cash out any alleged rewards.
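The article states the outcome (once the wallet is "registered," the scammers can withdraw its contents at any time) without describing the on-chain step behind it. The following is an added example, not code from the original article or from any wallet vendor; it assumes, as a common mechanism rather than something the article confirms, that the "certificate" step asks the connected wallet to sign an ERC-20 token approval granting the scam site's contract an allowance over the victim's stablecoin. It shows how a wallet, browser extension or reviewer can decode such a pending transaction's calldata and flag an unlimited allowance to an unknown spender before the user confirms it. All addresses are constructed placeholders.

```python
from dataclasses import dataclass
from typing import Optional

# approve(address,uint256) has the 4-byte selector 0x095ea7b3: the first four
# bytes of keccak256 over the function signature (standard ERC-20 ABI).
APPROVE_SELECTOR = bytes.fromhex("095ea7b3")
MAX_UINT256 = 2**256 - 1


@dataclass(frozen=True)
class ApprovalRequest:
    token: str    # contract the transaction is sent to: the token at stake
    spender: str  # address being granted the allowance
    amount: int   # allowance in the token's smallest unit


def encode_approve(spender: str, amount: int) -> bytes:
    """ABI-encode approve(spender, amount); used here only to build constructed samples."""
    spender_bytes = bytes.fromhex(spender.removeprefix("0x")).rjust(32, b"\x00")
    return APPROVE_SELECTOR + spender_bytes + amount.to_bytes(32, "big")


def decode_approve(to: str, data: bytes) -> Optional[ApprovalRequest]:
    """Return an ApprovalRequest if the calldata is an ERC-20 approve call, else None."""
    if len(data) != 68 or data[:4] != APPROVE_SELECTOR:
        return None
    # The address argument is left-padded to 32 bytes; the high 12 bytes must be zero.
    if any(data[4:16]):
        return None
    spender = "0x" + data[16:36].hex()
    amount = int.from_bytes(data[36:68], "big")
    return ApprovalRequest(to.lower(), spender, amount)


def assess_approval(req: ApprovalRequest, trusted_spenders: set, balance: int) -> list:
    """List the properties that make this approval risky for the wallet owner."""
    findings = []
    if req.spender not in {s.lower() for s in trusted_spenders}:
        findings.append("spender is not a known exchange or router contract")
    if req.amount == MAX_UINT256:
        findings.append("unlimited allowance: spender can move the entire balance, now and later")
    elif req.amount > balance:
        findings.append("allowance exceeds current balance")
    return findings


def review_transaction(tx: dict, trusted_spenders: set, balance: int) -> list:
    """Entry point a wallet would call on an eth_sendTransaction request before signing."""
    req = decode_approve(tx["to"], bytes.fromhex(tx["data"].removeprefix("0x")))
    if req is None:
        return []  # not an approval; other checks would apply to plain transfers
    return assess_approval(req, trusted_spenders, balance)


# Constructed sample: a site asks the connected wallet to sign an unlimited approval
# of a stablecoin to an address that matches no known contract. Placeholders only.
SAMPLE_TOKEN = "0x" + "aa" * 20     # placeholder for the stablecoin contract
SAMPLE_SPENDER = "0x" + "bb" * 20   # placeholder for the scam site's "pool" contract
SAMPLE_TX = {
    "to": SAMPLE_TOKEN,
    "data": "0x" + encode_approve(SAMPLE_SPENDER, MAX_UINT256).hex(),
}

if __name__ == "__main__":
    # 5,000 USDT-style units with 6 decimals, constructed balance
    for finding in review_transaction(SAMPLE_TX, trusted_spenders=set(), balance=5_000 * 10**6):
        print("WARNING:", finding)
```

The check is deliberately narrow: it does not judge whether a site is a scam, only whether the signature being requested hands a third party the ability to move funds without a further prompt. That is the property the article describes (withdrawal "at any time" after registration), and it is visible in the transaction itself before anything is signed.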

An examination of domain records found a host of similar domain names pointing to the same server:

Wwv[.]trxusdt.vip
eth-usdt[.]group
trxusdt[.]vip
coinbase-usdt[.]cc
ercusdt[.]vip
cyth-usdt[.]com

We have shared details of this particular scam with Coinbase and other organizations. But this is hardly the only liquidity mining scam out there. We are continuing to collect information on other scams, including several we’ve identified that use fake mobile applications on both Android and iOS to offer a more convincing front to their fraud.

Protecting potential victims

Success has bred copycats in the crypto scam world, and each new variant of the schemes developed by those trying to expand on the CryptoRom/sha zhu pan playbook tries to expand the pool of potential victims in different ways.

A lack of protections, regulation, reliable information on cryptocurrency investment and international cooperation by law enforcement in ending these schemes has created the perfect cover for well-run scams. With much of the world relying on social networking sites, WhatsApp and Telegram as a source for information, the scammers have turned to these platforms to lure victims and keep them engaged until as much money as possible is extracted from them—particularly targeting more vulnerable people who use these services in search of friends and companionship as well as ways to extend their wealth.

To prevent even more widespread fraud, user education is vital. People need to be made aware that these scams exist, and how to spot them. Cryptocurrency exchanges, wallet providers, and others can move to rapidly block domains and wallets associated with scams.

Unfortunately, while law enforcement can take action in some cases, it is highly unlikely that these international scams can be shut down or interdicted by law enforcement alone. International cooperation, including cooperation with the nations where these rings operate from (such as China) would be required to significantly disrupt them, and others will undoubtedly spring up to replace any that are caught. And with entire ecosystems of web and app developers available to aid criminals’ entry into these scams, the only thing that will eventually lead to their end is better defenses and education.
