
Anti-Fraud, AML and Fund tracing

Nine Common Web3 Hacks and Scams

In the previous article, Web 3.0 Information Security Guide — What You Need to Know about Blockchain Threats, we discussed the definition of Web3, damages/losses in Web3 security incidents, intentions and goals of hackers, and three attack methods and their prevention measures.

In this article, we will continue to discuss six other Web3 hacking and scam methods.

Web3 attack methods — Part 2

4. Fake social media giveaway

Social media is a gold mine for scammers, said Federal Trade Commission (FTC) officials.

Many people rely on social media — it’s part of their lives. However, FTC reports indicate scammers are increasingly using social media to con people.

Hacker hotspots include Facebook, Instagram, Twitter, and other popular social media platforms. To lure readers into taking the bait, hackers create bogus official accounts or hijack well-known accounts to post messages claiming to give away cryptocurrency, such as “give me $1, and I will return you $10”.

  • Case Sharing — Indian PM Modi’s Twitter account was hacked with bitcoin tweets.
  • It was reported that Narendra Modi’s personal Twitter account, which has more than 73 million followers, was hacked last year.
  • Using the account @narendramodi, a hacker tweeted, “India has adopted Bitcoin as legal tender and distributed bitcoins to its citizens.” A scam link was included with the tweet to lure readers.

Modi’s office quickly deleted the tweet and declared the safe recovery of the Twitter account, but information security concerns still remain.

Through social media, scammers trick people into clicking fraudulent links or sending cryptocurrency to the scammer’s address. As a victim, this is just the beginning.

Scammers may ask victims to pay an upfront fee — after the victim has already been scammed. This could be money, stock, or warrants for the deal to go through. Of course, it never will.

Figure 4.1 / Hackers using a bogus fan page to share photos from other accounts to attract the attention of account owners.
Figure 4.2 / A fraudulent account leaving a message under an original tweet and then using multiple other bogus accounts to comment and like.
Figure 4.3 / Hackers use compromised official accounts to deceive others.

How to avoid social media giveaway scams? XREX recommends:

  • Verify information validity from multiple sources and ignore any free advertising.
  • Think twice before sending coins on a promise of getting more back. If it sounds too good to be true, it usually is.
  • Beware of pop-ups from wallet apps related to transfers or authorizations.
  • Keep in mind, transactions in decentralized finance cannot be reversed.

5. Ponzi schemes

In Ponzi schemes, funds are collected from new investors and used to pay existing investors. It is common for Ponzi scheme organizers to promise high returns with small or no risk. However, Ponzi schemes are by definition not sustainable.

The name Ponzi scheme originated from Charles Ponzi, who duped investors with postage stamp speculation schemes in the 1920s.

How to identify a Ponzi scheme?

An ambiguous economic model is a common characteristic of a Ponzi scheme: the project promises investors an unreasonably high rate of return without explaining how such returns could realistically be generated. An example is shown in the screenshots below:

Figure 5.1 / A platform offers wealth management products with a daily rate of return of 2.72%, equivalent to an annualized rate of return of 1,000%, which is, as one would say, too good to be true.
Figure 5.2 / Another platform claims to offer arbitrage opportunities, predictive indicators, market analysis, and insider information to entice users into investing.

How to avoid a Ponzi scheme? XREX recommends:

  • Be sure to choose an exchange that is licensed, compliant with the law, and has a transparent team. XREX has obtained relevant regulatory licenses and permits such as anti-money laundering compliance and others in the following countries: the United States, Canada, Lithuania, Estonia, and Taiwan. XREX is currently applying for licenses in Singapore and Dubai.
  • Do verify the registration and reputation of any adviser and/or trading platform with the appropriate sources or governing bodies before investing with them.
  • Avoid FOMO (fear of missing out) and check if the rate of return makes any sense.

6. Rug pulls

Rug pulls are crypto scams where a team pumps the value of its token before disappearing with investors’ funds. A rug pull occurs when fraudsters create a new crypto token, pump up its price, then abandon it as soon as it is about to collapse.

  • Case sharing — Squid Game (SQUID)
  • Squid Game (SQUID), the cryptocurrency token inspired by the Netflix hit, rose to hundreds of thousands in just one week, then collapsed immediately. Investors lost everything and had nowhere to turn for compensation.

Rug pulls can also occur in unaudited smart contracts through pre-programmed contract backdoors, allowing the fraudsters to control the supply of tokens after fundraising.

Figure 6.1 / Squid Coin had no official links to Netflix or the “Squid Game” team; its price surged from $0.01 to $2861 within seven days and then collapsed to $0.0008 instantly.

How to prevent rug pulls? XREX recommends:

  • When choosing a project, first look into the project team’s background by searching on LinkedIn. Also research the project’s white paper and other relevant information. Typically, the white paper should describe long-term goals, the problems solved, the technical design, and the team’s identity.
  • To raise funds, most projects will use a centralized or decentralized exchange.
  • By analyzing on-chain data, one can observe the transaction volume of tokens, liquidity, and whether the project tokens are certified by top decentralized exchanges.
  • Verify that multiple information security companies have reviewed the smart contract and that the audit report is open-sourced.
  • Check whether social bots are hyping the project on social media. Fake hype is typically produced with social bots and paid followers, which aim to get consumers excited about a product that appears to be in high demand and low supply.

7. Seed phrase phishing

A seed phrase is the master key that unlocks access to all of your crypto assets, typically in mnemonic form. A mnemonic is usually a 12- to 24-word phrase that encodes the secret from which your private keys are derived, making it easier to write down and to recover. Anyone with access to the mnemonic has full access to the crypto assets, much like knowing the username and password of your bank account. Some phishing scams trick users into divulging their seed phrase, resulting in the loss of funds stored in their crypto wallets.

Figure 7.1 / A fake OpenSea NFT marketplace with prices significantly lower than the market price, requiring users to enter a mnemonic during transactions.

How to prevent seed phrase phishing? XREX recommends:

  • Never leak the mnemonic phrase. Other than restoring access to your wallet, the mnemonic phrase has no purpose except to stay in a safe place.
  • Store the mnemonic phrase properly. Any app or website that asks you to enter the mnemonic for anything other than restoring your own wallet is a scam.
  • Upon encountering suspicious websites, report them immediately! Keep the DeFi ecosystem safe.

8. Malicious wallets and plugins

Malicious wallets or wallet plug-ins will imitate the UI of genuine wallets, tricking users into thinking it is a project’s official wallet. However, a backdoor has already been set up in the backend, and is able to steal the wallet mnemonic and assets.

Figure 8.1 / Malicious MetaMask browser plugin. Image credit / Objective-See
Figure 8.2 / A fake App Store asks users to download a file; once it is installed, a backdoored MetaMask can be downloaded from an untrusted source.

How to avoid fraudulent wallets and plugins? XREX recommends:

  • Never use crypto assets on jailbroken or rooted devices.
  • Be sure to download mobile apps from official sources such as the Apple AppStore or Google Play Store.
  • This one is for Apple iOS only: do not install or trust profiles from unknown sources, as doing so may lead you to inadvertently install malicious programs.

9. Approval scam

Unlike traditional fraud, an approval scam targets the right to transfer your tokens. The approval mechanism is built into the ERC20 token standard: its approve function lets a user grant a smart contract (the spender) the right to transfer that user’s tokens on their behalf.

For example, if a user grants approval permissions to an arbitrage contract, it could execute multiple trades to automatically carry out arbitrage on the decentralized exchange.

However, the ERC20 approve function has inevitably become a tool for hackers. Through phishing, hackers trick users into granting approval to an address they control, then move the victim’s assets to their own wallets by calling the transferFrom function of the ERC20 token contract.

The most well-known recent cases:

  • The theft of NFT from Jay Chou, a famous Taiwanese singer.
  • Fraudsters used the NFT platform OpenSea to launch a new type of fraud: they first airdropped NFTs to random users, then raised the NFTs’ listed prices on OpenSea to lure victims into a phishing website.

Figure 9.1 / Scammers post QR codes at seminars claiming to give access to free NFTs, directing users to phishing sites.
Figure 9.2 / Upon clicking the link that claims to send a free NFT, an approval window pops up asking for permission to transfer assets instead. In this case the call is setApprovalForAll, which lets the approved address transfer any of your tokens in that collection.

How to avoid approval scams? XREX recommends:

  • Regularly check the authorization status of wallet addresses and revoke permissions for unknown addresses. The following are three common tools:
    – https://etherscan.io/tokenapprovalchecker
    – https://revoke.cash
    – https://approved.zone/
  • If you accidentally authorized an unknown address, revoke the authorization immediately to avoid losses.
  • Confirm the transaction content before executing the transaction in order to avoid performing unexpected operations.
  • Report suspicious websites.
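A defensive check in the spirit of the recommendations above, added here as an example that is not from the original post or from XREX: this Python decodes a transaction's calldata before it is signed and flags approve and setApprovalForAll requests, rating unlimited allowances and operator approvals as high risk and treating zero-value calls as revocations. The 4-byte selectors are the standard ones for the ERC20/ERC721 signatures shown; the sample calldata and the 0x11…11 / 0x22…22 addresses are constructed placeholders.

```python
from dataclasses import dataclass
from typing import Optional

UINT256_MAX = 2**256 - 1
# Standard 4-byte selectors (first 4 bytes of keccak256 of the function signature).
SELECTORS = {
    "095ea7b3": "approve(address,uint256)",         # ERC20 / ERC721 single approval
    "a22cb465": "setApprovalForAll(address,bool)",  # ERC721 / ERC1155 operator approval
}

@dataclass
class ApprovalWarning:
    function: str   # decoded function signature
    grantee: str    # spender / operator gaining (or losing) transfer rights
    detail: str     # plain-language description of the scope
    severity: str   # "high", "medium" or "info" (info = a revocation)

def _word(data: str, index: int) -> str:
    """Return the index-th 32-byte ABI word (as hex) after the 4-byte selector."""
    word = data[8 + 64 * index: 8 + 64 * (index + 1)]
    if len(word) != 64:
        raise ValueError("calldata too short for the expected arguments")
    return word

def inspect_calldata(calldata: str) -> Optional[ApprovalWarning]:
    """Decode approval-granting calldata; return None for any other function."""
    data = calldata.lower()
    data = data[2:] if data.startswith("0x") else data
    signature = SELECTORS.get(data[:8])
    if signature is None:
        return None
    grantee = "0x" + _word(data, 0)[24:]  # addresses are right-aligned in the 32-byte word
    value = int(_word(data, 1), 16)       # uint256 amount, or bool encoded as 0/1
    if signature.startswith("approve"):
        if value == 0:
            return ApprovalWarning(signature, grantee, "revokes the allowance", "info")
        if value == UINT256_MAX:
            return ApprovalWarning(signature, grantee, "unlimited allowance", "high")
        return ApprovalWarning(signature, grantee, f"allowance of {value} base units", "medium")
    if value == 0:
        return ApprovalWarning(signature, grantee, "revokes operator status", "info")
    return ApprovalWarning(signature, grantee,
                           "operator may transfer every token you hold in this collection", "high")

# Constructed sample calldata (not from real transactions); 0x11..11 and 0x22..22 are placeholders.
SAMPLE_APPROVE_UNLIMITED = "0x095ea7b3" + "0" * 24 + "11" * 20 + "f" * 64
SAMPLE_SET_APPROVAL_FOR_ALL = "0xa22cb465" + "0" * 24 + "22" * 20 + "0" * 63 + "1"
SAMPLE_REVOKE = "0x095ea7b3" + "0" * 24 + "11" * 20 + "0" * 64
```

The same decoder applied to an already-mined transaction's input data shows which address an earlier approval went to, which is the value to look up and revoke with the tools listed above.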


This blog is an overview of the common Web3 crypto hacks — from phishing to rug pull — to help us better understand Web3 and avoid becoming victims.

The XREX information security team reminds you to keep an eye out on information security and to stay vigilant. As Web3 applications develop rapidly, hackers and criminals are also improving their tactics.

Co-editors: Sun Huang / Wolf Chan / Seal Cao / Yoyo Yu / Helen Lai / Simon Liu

About XREX

XREX is a neo-fintech leveling the playing field by partnering with banks, regulators, and verified individuals to redefine banking together. Our blockchain-driven solutions create a collective financial system that empowers all to participate and contribute to the global economy. Founded in 2018 and headquartered in Taipei, XREX comprises a team of world-leading experts in cybersecurity, fintech, compliance, and cryptocurrency to offer a full suite of innovative products such as BitCheck, XREX Clubs, and Risk Level Detector to solve the dollar-liquidity shortage issues faced by cross-border merchants in emerging economies.
