By Coinbase Security Team
As part of our mission to build a safe and open financial system, we actively monitor for security threats not only to Coinbase but to the crypto ecosystem as a whole. As we have discussed in our previous blog posts on industry-wide crypto security threats and airdrop phishing campaigns, malicious activity against any crypto user or business is bad for the industry. That’s why it’s important to have a community mindset when we see security threats in the wild. As they say, rising tides lift all boats.
Recently, our security teams have uncovered ongoing mining pool scams targeting users of self-custody wallets. These scams have primarily leveraged malicious smart contracts on the Ethereum network. Based on blockchain research into known scammer wallets, Coinbase estimates these have resulted in the theft of over $50 million in crypto assets from a variety of non-custodial wallet applications. These scams target those using any decentralized wallet browser (e.g. Coinbase Wallet, Metamask, Trust, etc).
The scam typically follows this chain of events:
- Victims are contacted via social media and/or other messaging services by scammers claiming to offer an attractive crypto investment opportunity to stake USDT (Tether) in their wallet for a guaranteed return
- Victims are directed to visit a fraudulent website that can only be accessed via a crypto wallet browser or extension. These websites generally contain fake reviews, endorsements, live-feed payouts, and partner lists to add an appearance of authenticity
- Scam sites will often fraudulently claim to be sponsored by or partnering with recognizable crypto brands such as Coinbase, Binance, and MetaMask
- Example mining pool landing page
Source: Scam Site
- Clicking the ‘Receive’ button displays a pop up similar to this
Source: Scam Site
- Clicking this ‘Receive’ button will then display a fake pop-up designed to impersonate the Coinbase Wallet interface. The permissions that are displayed are not the true permissions that are actually being requested and are intentionally displayed in a way to attempt to trick users into clicking ‘Connect’
Source: Scam Site
- Viewing the smart contract via a trusted token approval checker shows the true permissions being requested. The scammer gains delegated transaction approval status with an unlimited transaction allowance within the victim wallet, meaning the scammer can approve USDT sends of any amount on behalf of this wallet.
Source: etherscan.io
- Attackers will remove USDT from the victim’s wallet and the scam site will show that their balance is increasing. Scammers will frequently reassure victims that if they add more funds, they will get more USDT in returns by mining.
- At the end of the period, the funds are not returned to the victim and no profits will be received.
- If the victim contacts customer support via the fraudulent website, the attacker may indicate they detected irregular activity on the account and that in order to fix that issue, the victim would need to pay additional USDT to ‘release’ the funds. However, no funds are ever returned regardless of whether or not the victim makes payment.
The following security steps can be taken to defend your assets:
- Be wary of investments that claim a guaranteed return
- Be wary of investment advice and opportunities from unknown or untrusted sources
- Do not visit or connect self-custody wallets to any unknown site
- Do not hold high value assets in the same wallet used to regularly interact with dapps. Use cold storage or custodial solutions such as the freely available Coinbase Vault.
- Use a token approval checker to validate actual permissioning on self-custody wallets and revoke approvals that you did not knowingly authorize.
Coinbase is working with industry partners to take down these sites and developing ways to warn users when visiting known scam sites in order to help limit the damage caused by this type of scam.
Security PSA: Mining Pool Scams Targeting Self-Custody Wallets was originally published in The Coinbase Blog on Medium, where people are continuing the conversation by highlighting and responding to this story.