
How I Nearly Became a Victim of a Crypto Scammer

The crypto space is one I am extremely passionate about. Like the web, it moves at breakneck pace and given that it’s still in some early stages as an industry, many people find opportunities to prey on those that might not know how to protect themselves yet.

Here is a story of how I nearly fell victim to a crypto scammer over Telegram.

About 2 years ago, I took part in an airdrop for a token called DAG which was issued by the team at Constellation Network. They issued me 1,000 DAG tokens to my ETH wallet. At one point, they underwent a token swap and I had to send my tokens to a portal they dubbed “Orien”. I spent about $5 in ETH gas fees to execute the transfer and my tokens remained locked there. When the unlock period was over, I went to claim my swapped native DAG tokens, but the portal was broken and today it no longer exists. Constellation Network continues to exist and so does the token, but for whatever reason, they killed off that portal and a bunch of us lost our tokens. I thought I might be able to get them back, but I asked in their Telegram community and they confirmed pretty quickly that I should kiss my tokens goodbye. It sucks, but I got over it pretty quickly. I mean, they were only worth about $10.

In Come the Scammers

About an hour later, I get a private message from “CONSTELLATION OFFICIAL”. Their part went like this:

CONSTELLATION OFFICIAL, [04.10.20 04:11]
CONSTELLATION COMMUNITY

Hello,

Administrative support on to you

DAG now has its own blockchain, the swap window of erc20 DAG to mainnet DAG tokens is now closed. The swap process was made available for a long period of time, we informed community, gave a deadline date and re-opened the swap window for a second time.

Why did you fail to undergo the swap process?

[I explain my situation to them in detail]

Speak with the technical director @ANATOLLY_DONTWORRY

Explain to him and follow the instructions he’ll be guiding you through.

So nice, here I thought my $10-worth of shitcoins was forever lost, but these kind support folk are willing to invest in me to get back what’s rightfully mine! Let’s talk to Anatoly.

The conversation with “ANATOLY” was much longer and more involved, so I’ll just give you the tl;dr. Basically, I describe to him what I had already told “support” and tell him that it had been escalated to him. He kept asking me for more about the account I had sent my airdropped tokens from, and each time I made sure to provide him with whatever info I could to help move things along.

Finally, he tells me that in order to recover the tokens I “will have to generate the account extended public keys of this wallet”. He went on:

To proceed with the extend public keys for the first, you have to go to the public keys page: www.publickeysindicator.com

ANATOLY the Scammer

He tells me to follow his instructions and was kind enough to send me this professional-looking guide of how to fill out the form:

He tells me:

Firstly change words to the number of phrases you have
The second part of it, you are to input your mnemonic phrase of that of the first wallet
Third part, change to eth
After completing stage 1-3 your account extended public keys will be generated below
Which you will be required to provide and send to the constellation email

ANATOLY the Scammer

I reply:

This tool will actually process my recovery phrase? That seems super risky, unless I’m missing something

Me, finally starting to wake up

He replies:

No it is only required to generate your extended public keys below which you are required to send to the constellation mail address after completing the process. You have nothing to worry about

ANATOLY the Scammer

I examine the website. I don’t want to link to it here since it’s obviously malicious, but the hostname is www.publickeysindicator.com. While I’m looking it over, he starts checking in to see if I’ve completed the form. I started to feel bad. I mean, how lucky was I that their Technical Director was taking the time out of his busy day to recover my tokens, and here I was holding him up! I tell him:

Sorry I was just trying to educate myself. I wasn’t aware of BIP39 and the concept of XPUB key. I just get sketched out whenever I need to provide a recovery phrase somewhere

He reassures me:

I have assured you, that you have nothing to worry about, it is just confirm your transaction and you are sending to our official mail. There is no way we will want to spoil our reputation. So you have nothing to worry about

ANATOLY the Scammer

I continue reading to make sure I know what I’m doing. I see this at the bottom of the page:

I check out the source code and at a glance it seems legit. I realize I can just run it locally. I download a local copy, disable my network card, try it with a fake seed, see that no network calls are attempted, try with my real seed, and sure enough it generates the value he wanted me to email them!

I go back online and let him know I’ve compiled it from source and run it offline just as a precaution. I told him this to justify why it took longer, and he replied: “Oh! I understand, not to worry it’s all fine”

The segment after this is lengthy and boring, and I’ll spare you the technical detail. In essence, he keeps telling me my account is invalid. I keep trying to communicate that he only has my ETH public key, that I hadn’t sent anyone my generated XPUB key, and that I don’t understand what he is checking. This is when he tells me I need to run the tool “online”:

Are you doing the steps offline? Because it can’t give you same extended public keys as when you are online. You have to do it online.
So it generate the accurate extended public keys

ANATOLY the Scammer

I enter a fake mnemonic phrase into the online tool and examine the network calls. Sure enough, I see requests made to Google Firebase which include the mnemonic phrase in the payload!

Now, I’m 99.9% certain it’s a scam. I look up his user details, and see this:

I don’t see much there that is problematic. So I check the support chat details:

Now, funny thing, I had already denounced these people in the community channel and warned the room about them. Right before I grabbed the screencap above, that user removed our chat history and changed their avatar; before, it was the Constellation Network logo. Notice, however, that their Telegram username ends in “0124”. Sketchy. Why wouldn’t their real support be able to get a more original username… I go back to the community chat and examine the pinned message:

Hmmmm… The guy I was talking to is actually listed as an admin. Odd… I click on his name to make sure it’s the same guy, and sure enough it takes me to a fresh new chat with the real Anatoly! The one I was talking to had two “L”s in Anatoly while the real one has one “L”. An easy difference to overlook when you’re just looking to quickly get back $10.

I provided a warning to the community and sent this to the scammer:

I hope that your life situation improves to the point where you won’t feel the need to waste your limited time on this planet trying to swindle others.

My victory speech

Now, I’m writing this because I have many years of experience in tech and still came pretty close to being duped. Crypto and blockchain can be difficult to navigate sometimes, and the UX of the user-facing functionality can be rather raw and require some technical skill to use intelligently. When the guy started throwing technical details at me that I wasn’t familiar with, I started to think I was just in over my head and considered simply “trusting the expert” so I could move on with my day. Boy, am I glad I didn’t. Unfortunately, I feel quite confident the average crypto investor would fall for something like this, so I feel obligated to share my experience in case it helps others. That website didn’t turn up any results on Google when I looked it up, so hopefully this article will surface now and help protect others.

What Did We Learn?

  1. On Telegram, look up the profile of the person you are speaking to and examine their username. Check with the community to make sure they are an official representative. Misspellings are easily overlooked.
  2. Don’t use any online tools that ask for your private key or mnemonic phrase unless it’s software provided by an official, trusted source.
  3. If you need to run operations on sensitive data like this, try running an offline copy yourself first. Examine the network requests made and try with dummy data before using anything real.
  4. Remain vigilant! There’s a lot of money in crypto and that attracts a lot of bad actors. Many of them are smart. Keep your guard up. If you are feeling lazy and ever find yourself tempted to forgo your due diligence, pause and come back to it when you have more time and energy.

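Lesson 3 above, and the Firebase check earlier in the story, can be made mechanical. The following is an added example, not code from the original post or from Constellation: it wraps a page’s `fetch()` so that any request whose URL or body carries the throwaway phrase you typed into a “key generator” form is reported. The canary phrase, the `example.invalid` URLs and the function names are assumptions of this example.

```javascript
// Added example (not code from the original post): a small auditor for the
// "try it with dummy data and watch the network" check. Wrap the page's
// fetch() with it before submitting a throwaway phrase to a "key generator"
// form; any request whose URL or body carries the phrase is reported.

// Constructed canary phrase (made-up words, NOT a real wallet). In practice use a
// throwaway mnemonic you generated offline, never the seed you want to protect.
const CANARY = "cargo tunnel velvet orbit lizard pepper glow harbor mantle quiz stone radio";

// Count how many distinct canary words occur as whole tokens in `text`.
// URL-decoding and lower-casing first means JSON bodies, form-encoded bodies
// and query strings (word1+word2+...) all normalise to the same tokens.
function countCanaryWords(text, canary = CANARY) {
  let decoded = String(text ?? "");
  try { decoded = decodeURIComponent(decoded.replace(/\+/g, " ")); } catch (_) { /* keep raw text */ }
  const tokens = new Set(decoded.toLowerCase().split(/[^a-z]+/));
  let hits = 0;
  for (const word of new Set(canary.split(/\s+/))) if (tokens.has(word)) hits++;
  return hits;
}

// Flatten the body types fetch() accepts into inspectable text.
function bodyToText(body) {
  if (body == null) return "";
  if (typeof body === "string") return body;
  if (typeof body.entries === "function") {            // URLSearchParams / FormData
    return Array.from(body.entries(), ([k, v]) => `${k}=${v}`).join("&");
  }
  return "";                                            // Blob/ArrayBuffer: not inspected here
}

// Inspect one request. `minHits` is a threshold so a lone common word in a
// legitimate payload does not trigger a false alarm.
function inspectRequest(input, init = {}, canary = CANARY, minHits = 4) {
  const url = typeof input === "string" ? input : (input && input.url) || String(input);
  const hits = Math.max(countCanaryWords(url, canary), countCanaryWords(bodyToText(init.body), canary));
  return { url, method: (init.method || "GET").toUpperCase(), hits, leaked: hits >= minHits };
}

// Return a drop-in replacement for fetch that audits, reports and then passes through.
function auditFetch(origFetch, canary = CANARY, onLeak = (r) => console.warn("SEED LEAK", r)) {
  return function auditedFetch(input, init = {}) {
    const report = inspectRequest(input, init, canary);
    if (report.leaked) onLeak(report);
    return origFetch(input, init);
  };
}
// In a browser console: window.fetch = auditFetch(window.fetch); then submit the form.
```

Pages that send data over XMLHttpRequest, `navigator.sendBeacon` or WebSockets need the equivalent hook, or the manual DevTools Network-tab inspection the story describes.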
Stay safe out there!

Now let’s have a moment of silence for my 1,000 lost DAG.

Update 2020-10-04

An awesome member of the Constellation team reached out to me, thanked me for working to protect the community, and sent me the amount of tokens I lost plus interest! That was very much appreciated. I look forward to seeing what comes of this fairly unique project in the space.