In part 1, we learned about token custody, malware, approval phishing, spear phishing, drainers, and address poisoning tactics.
In this part, we dissect more complex scam attacks such as SIM swaps, DNS compromises, and malicious MEV bots. Throughout the article, we’ll give users and projects operational security (OPSEC) antidotes to avoid becoming another cautionary tale.
So, let’s start by looking at one of the more advanced and insidious forms of crypto exploitation.
MEV (maximal extractable value) attacks result from bots reordering or inserting transactions to extract profit at the expense of the user transactions they target.
MEV bots are automated "searchers" that watch public mempools, the queues of pending transactions, for opportunities. When a profitable one is found, the searcher pays the block builder (or validator) to include its own transactions in the next block at the most advantageous position relative to the targeted user transaction.
Terrifyingly, MEV attacks do NOT require your smart contract or address to be well-known or popular. They only require that the transaction be visible in a public mempool. For example, watch Patrick getting scammed live while interacting with a freshly deployed contract.
Any blockchain whose pending transactions are publicly visible before a block builder or validator orders them is susceptible to malicious MEV activity.
There are various MEV attacks, but let’s explore the most popular type.
Sandwich attacks involve an MEV bot wrapping a target user transaction in two of its own: a frontrun, placed immediately before the user transaction, and a backrun, placed immediately after it.
The MEV bot pays a premium to the block builder to order the "sandwich" so that the user transaction executes between the frontrun and the backrun.
These attacks frequently target people who trade tokens on a decentralized exchange (DEX) and happen nearly every minute. To get a feel for them, you can watch them happen live on this feed.
When you submit a trade on a DEX through a public mempool, MEV bots inspect the pending transaction to see whether it can be sandwiched profitably.
So, a simple attack on a DEX buy looks like this: the frontrun buys the same token first, pushing its price up; the user's buy then executes at that worse price; the backrun sells the tokens acquired in the frontrun into the user's buy, locking in a profit that comes directly out of the user's pocket.
jaredfromsubway.eth is an infamous sandwich bot that siphoned over 20 million dollars since its inception in April 2023. It was replaced in August 2024 by an upgraded version which has since generated over 2 million dollars in profit in its first three months of operation.
Similarly, on Solana, a malicious MEV bot called 2Fast made over 18,000 SOL (worth over $4 million as of this writing) in a single transaction when it bundled a sandwich attack against a $9 million buy order.
So what can we do to protect ourselves?
Moving from blockchain-level threats, let’s turn to a more personal and targeted attack.
In a SIM swap scam, your mobile carrier is tricked into transferring your phone number to a new SIM card that the attacker controls. The scammer may use forged documents, leaked personal details, or plain persuasion of a support agent to pull this off.
Once the number is ported, the attacker receives your calls and texts, so they can intercept SMS-based two-factor authentication (2FA) codes and complete password resets that rely on them, gaining access to exchange and financial accounts tied to your phone. Since the attacker's leverage is the number itself, the fix is to take it out of the chain of trust: use app-based or hardware-key 2FA instead of SMS, and set a port-out PIN with your carrier.
Shifting from personal attacks, let’s explore one of the most covert and dangerous threats.
Perhaps the most terrifying attacks are DNS compromises. These occur when an attacker gains control of a website's DNS records, at the registrar or the DNS host, and points the domain at a server they control.
Unlike phishing, the URL you type is the real one. The attack happens entirely under the hood when the resolver answers the lookup for "website.com" with the attacker's IP address, so your browser shows "website.com" in the address bar while talking to the attacker's server. HTTPS does not save you here: whoever controls DNS can pass the domain-validation checks certificate authorities use, so the attacker can obtain a valid certificate for the hijacked domain.
Tangentially, a similar result occurs if a company insider hijacks the company's own web server and publishes malicious code on an otherwise legitimate website.
While many DNS attacks target registrars and DNS hosting providers, website admins can reduce their exposure by enabling registrar and transfer locks and 2FA on the registrar account, and by regularly checking their DNS records for unauthorized changes.
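One way to do that last check is to snapshot the zone while it is known-good and diff live answers against it on a schedule. The script below is an added example, not tooling from the article or any project it mentions. The domain, baseline and "hijacked" record sets are constructed; the built-in resolver uses only the standard library and therefore only sees A/AAAA records, so the baseline you give it should be limited to those types unless you plug in a fuller resolver (for example one built on dnspython).

```python
"""DNS record drift check.

Added example, not from the article. Compare the records a domain resolves to
now against a baseline captured when the zone was known-good, and flag drift.
The domain, baseline and observed data below are constructed for illustration.
"""
import socket
from typing import Callable, Dict, List

Records = Dict[str, List[str]]  # record type -> list of values, e.g. {"A": ["203.0.113.10"]}

# A change to these types almost always means traffic is being redirected.
CRITICAL_TYPES = {"NS", "A", "AAAA", "CNAME"}


def resolve_stdlib(domain: str) -> Records:
    """Resolver that needs only the standard library; it can see A/AAAA records only.
    Swap in a dnspython-based resolver in production to also cover NS, MX, TXT, CNAME,
    and make sure the resolver covers every type present in your baseline."""
    a, aaaa = set(), set()
    for family, _, _, _, sockaddr in socket.getaddrinfo(domain, None):
        if family == socket.AF_INET:
            a.add(sockaddr[0])
        elif family == socket.AF_INET6:
            aaaa.add(sockaddr[0])
    return {"A": sorted(a), "AAAA": sorted(aaaa)}


def diff_records(baseline: Records, observed: Records) -> List[dict]:
    """Return one finding per record type whose value set differs from the baseline."""
    findings = []
    for rtype in sorted(set(baseline) | set(observed)):
        want = set(baseline.get(rtype, []))
        got = set(observed.get(rtype, []))
        if want == got:
            continue
        findings.append({
            "type": rtype,
            "added": sorted(got - want),
            "removed": sorted(want - got),
            "severity": "critical" if rtype in CRITICAL_TYPES else "warning",
        })
    return findings


def check_domain(domain: str, baseline: Records,
                 resolver: Callable[[str], Records] = resolve_stdlib) -> List[dict]:
    """Resolve `domain` with `resolver` and diff the answer against `baseline`."""
    return diff_records(baseline, resolver(domain))


# Constructed sample: a baseline snapshot and the records seen after a hijack.
SAMPLE_DOMAIN = "app.example-dex.invalid"  # hypothetical domain
SAMPLE_BASELINE: Records = {
    "NS": ["ns1.trusted-dns.invalid", "ns2.trusted-dns.invalid"],
    "A": ["203.0.113.10"],
    "MX": ["10 mail.example-dex.invalid"],
}
SAMPLE_HIJACKED: Records = {
    "NS": ["ns1.attacker-dns.invalid", "ns2.attacker-dns.invalid"],
    "A": ["198.51.100.7"],
    "MX": ["10 mail.example-dex.invalid"],
}


def demo() -> List[dict]:
    """Run the check with a stub resolver that returns the constructed hijacked records."""
    return check_domain(SAMPLE_DOMAIN, SAMPLE_BASELINE, resolver=lambda _d: SAMPLE_HIJACKED)


if __name__ == "__main__":
    for f in demo():
        print(f"[{f['severity'].upper()}] {f['type']}: added={f['added']} removed={f['removed']}")
```

Run it from a host outside your own infrastructure (a hijacker who controls the zone can also control what your internal resolvers see), and treat any NS change as an incident until proven otherwise. The check complements, rather than replaces, registrar locks, 2FA on the registrar account, and DNSSEC.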
Let’s look at some notable recent examples to understand the impact of DNS compromises.
In July 2024, a flawed domain registrar migration enabled the hijacking of various domains, including those of the popular crypto projects Compound and Pendle.
The domains had been registered with Google Domains, which sold its business to Squarespace. During the migration, 2FA was dropped and email verification was not enforced, which let attackers claim accounts for the migrated domains before the legitimate owners did.
With control of the domains, the attackers modified the DNS records and redirected users to a malicious server while the original URL remained unchanged.
Now, let’s delve into a more psychological and manipulative type of fraud.
Criminals have been targeting vulnerable individuals with fake business opportunities for centuries. A criminal employing pig butchering tactics develops a long-term relationship to gain the victim’s confidence. With trust established, the goal is to siphon funds from the target through seemingly legitimate investment opportunities. The attack relies entirely on the victim voluntarily giving the criminal funds based on false promises and belief in their relationship.
The attacker may create genuine-looking profiles and websites to show fake profits from initial investments, sometimes even allowing small withdrawals. Once an attacker siphons enough funds, they will disappear without warning.
Beyond individual scams, it’s crucial to recognize the risks posed by entire malicious projects designed to deceive and exploit users.
Not all projects are created with good intentions. Tokens with small market capitalizations and lesser-known projects often carry a higher risk of being scams.
Rug Pulls, or Rugs, are scam projects that remove all the liquidity from users, making the tokens worthless.
The most common example is removing all liquidity from a DEX. In this scenario, the person who created the initial liquidity pool, a reserve of tokens that facilitates trading, redeems all their liquidity provider (LP) tokens. This completely drains the pool’s liquidity and renders all other users' tokens worthless because they can no longer be sold.
To reassure buyers, token creators often "lock" liquidity in good faith: the LP tokens are sent to a burn address, or held in a time-locked contract, so they cannot be redeemed and the pool cannot be drained that way. Locked liquidity only rules out this one rug, though; it does nothing against a token contract that lets insiders mint unlimited supply, blacklist sellers, or change fees, so check the token contract itself as well.
Pump-and-dump scams result in a similar end state as rugs. Instead of removing liquidity outright, insiders first artificially inflate (pump) a token’s price to entice buyers. Once the token price increases enough, the insiders will sell (dump) all their tokens onto the market at the inflated price, pocketing the profit and causing a price crash.
Sophisticated scams can span months or years before the final exit dump, often using legitimate marketing tactics and community building along the way.
Honeypots, on the other hand, are tokens or contracts built so that funds can go in but not out: the token looks tradable, but hidden logic (a transfer restriction, a near-100% sell tax, or an owner-only exemption) prevents anyone but the deployer from selling.
Finally, celebrity coin scams involve tokens promoted or launched by famous people. In the most recent wave, many have seen price drops of 98% or more as insiders dumped or outright rugged them. One malicious actor, Sahil Arora, leveraged his popularity to persuade multiple celebrities to hand him control of their token projects, which he then mismanaged.
Here are practical steps to protect yourself against these deceptive schemes.
Moving from scams targeting individuals and projects, let’s examine a sophisticated group exploiting the web3 ecosystem.
An alarming number of infamous web3 hacks come from North Korea’s advanced persistent threat (APT) groups such as Lazarus, Kimsuky, and Bluenoroff.
Their primary tactics involve sophisticated social engineering scams and spear phishing techniques to exploit protocols and users. However, they occasionally leverage zero-day exploits and traditional smart contract vulnerabilities.
Let’s look at some examples.
In 2023 and 2024, North Korean APTs continued their phishing campaigns like DEV#POPPER to distribute malware like KandyKorn.
They create fake profiles with impressive resumes and irresistible offers on Discord, Telegram, Skype, GitHub, WhatsApp, LinkedIn, and other forums.
They may appear as a senior developer looking for work, or a successful company looking to hire remote workers.
Their goal is to inconspicuously deliver spyware or remote access trojans (RATs) through PDFs, ZIP archives, fake npm packages and repositories, and other means during fake interviews or project showcases.
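A fake "take-home task" repository only needs a preinstall or postinstall hook in package.json to run a dropper the moment the candidate types `npm install`. The scanner below is an added example, not tooling from the article or from any project it names; it walks a directory tree, parses each package.json, and reports install-time lifecycle hooks together with the patterns that commonly show up in droppers. Both sample manifests are constructed, and the base64 string in the malicious one decodes to a harmless `console.log`.

```python
"""Flag install-time lifecycle scripts in package.json files.

Added example, not from the article. npm runs these hooks automatically during
`npm install`, which is all a fake interview repo needs to execute a dropper.
The sample manifests are constructed for illustration.
"""
import json
import os
import re
from typing import Dict, List

# Scripts npm runs on install without any further user action.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# (regex, explanation) pairs; a hook matching any of these deserves a manual look.
SUSPICIOUS = [
    (r"\b(curl|wget)\b", "downloads remote content"),
    (r"\|\s*(ba|z)?sh\b", "pipes into a shell"),
    (r"base64", "base64-encoded payload"),
    (r"\beval\b", "evaluates dynamic code"),
    (r"\bnode\s+-e\b", "inline node script"),
    (r"https?://\d{1,3}(\.\d{1,3}){3}", "URL with a raw IP address"),
]


def scan_manifest(manifest: dict, path: str = "package.json") -> List[Dict]:
    """Return one finding per install hook present in `manifest`."""
    scripts = manifest.get("scripts") or {}
    findings = []
    for hook in INSTALL_HOOKS:
        if hook not in scripts:
            continue
        command = str(scripts[hook])
        reasons = [why for pattern, why in SUSPICIOUS if re.search(pattern, command, re.I)]
        findings.append({"path": path, "hook": hook, "command": command, "reasons": reasons})
    return findings


def scan_tree(root: str) -> List[Dict]:
    """Scan every package.json below `root`, node_modules included (dependencies count too)."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if "package.json" not in filenames:
            continue
        path = os.path.join(dirpath, "package.json")
        try:
            with open(path, encoding="utf-8") as fh:
                manifest = json.load(fh)
        except (OSError, json.JSONDecodeError):
            continue  # unreadable or malformed manifest; skip it
        findings.extend(scan_manifest(manifest, path))
    return findings


# Constructed samples: a benign manifest and one carrying a base64 dropper.
CLEAN_MANIFEST = {"name": "demo-app", "scripts": {"test": "jest", "build": "tsc"}}
DROPPER_MANIFEST = {
    "name": "trading-bot-interview-task",
    "scripts": {
        "test": "jest",
        # decodes to console.log('pwned'); a real dropper would fetch and run a RAT
        "postinstall": "node -e \"eval(Buffer.from('Y29uc29sZS5sb2coJ3B3bmVkJyk=','base64').toString())\"",
    },
}


if __name__ == "__main__":
    import sys
    for f in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        flag = "SUSPICIOUS" if f["reasons"] else "review"
        print(f"{flag}: {f['path']} [{f['hook']}] {f['command']}  reasons={f['reasons']}")
```

The scanner only catches install hooks; malicious code can also sit in the module body and run the first time it is required, so it is a triage aid, not a clean bill of health. For unknown repositories, run `npm install --ignore-scripts` (or set `ignore-scripts=true` in your npm config) inside a throwaway VM, and never on the machine that holds your keys.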
So, everything we’ve seen so far suggests that protocols and developers must adopt robust project management practices to ensure long-term resilience and security.
Guaranteeing the security of your project during and after deployment is paramount. The following checklist can help defend against common vulnerabilities:
With that, we have journeyed to the end of this series on staying safe in web3.
As you navigate the crypto space, remember to maintain an appropriately measured pace and to follow the North Star that guides us: “Don’t trust. Verify.”