[HN Gopher] "Crypto Drainer" Template Facilitates Tens of Millions of Dollars in Theft

Author : eliya_confiant
Score  : 92 points
Date   : 2022-06-15 19:57 UTC
Link   : blog.confiant.com

___________________________________________________________________

PragmaticPulp wrote:
  Absolutely baffling that the crypto community normalized this process of
  connecting your wallet to a random website and letting it access all of
  your money.

  I see a lot of victim-blaming suggestions that it's the fault of the
  person who didn't set up a new crypto wallet for every interaction they
  might want to make and then transfer enough money into said wallet to
  cover unpredictable gas fees (while also paying gas fees to transfer the
  money) and then, presumably, pay even more gas fees to transfer everything
  back out of the wallet if it turns out to not be a scam. It's incredible
  that crypto has reached a point where some people seem to think this is
  all totally reasonable and natural to expect the average user to know.

nubb wrote:
  you're right. the unreasonable complexity of crypto is why people fall
  for phishing scams. thanks.

mushbino wrote:
  Right? It's a good thing our monetary system and financial instruments
  aren't complex, phew!

giaour wrote:
  It's one thing to have complex payment instruments where innocent
  mistakes are reversible. Having them in a world where everything is
  permanent is another situation entirely.

melony wrote:
  Yeah they should pay Plaid a grand a month for that privilege instead.

MomoXenosaga wrote:
  Banking the unbanked lol.

dcolkitt wrote:
  That's not how it works at all. When you connect a wallet, the only
  unrestricted access it gives the app is the ability to see your public
  address.

  The app _does not_ have the ability to sign transactions on your behalf
  without your explicit approval.

zeven7 wrote:
  It depends on the website and the wallet, but either way the wallet app
  tells you what permissions it's giving the website. My guess is people
  don't pay attention or think about it. But it's not as parent described
  "the way the crypto community designed it". It's actually the opposite.
  The crypto community designed wallets that give you control over what
  third parties are allowed to do with your accounts. It's a lot more than
  what debit cards offer (I say debit cards because credit cards do of
  course offer a good rollback system).

gowld wrote:
  What does a user see? How should a user investigate a transaction to
  check what it does? Is there any good automated explanation/visualization
  of the effect of a transaction?

bko wrote:
  This is what I do:

  When a site initiates a transaction, you can see the address you're
  interacting with. You should then look up the address on etherscan to see
  if it has public code and a lot of transactions. Then you should search
  that address in google and see if the main site links to it. A lot of
  projects have a list of addresses in their github. You can also inspect
  the function code. Once you're comfortable, you should add it to your
  saved addresses on your wallet and next time you'll see the name of the
  address.

  Also you can create a new throwaway address, transfer just a little bit
  of coins to it and interact with the contract. If it does what you think
  it should do, then you can create a new account and do it again.

  It's not perfect. It could be a proxy, so you're not guaranteed the
  contract you're interacting with.

  There's no easy way to "see what a transaction does". You just need to do
  risk management.

happyopossum wrote:
  > When a site initiates a transaction, you can see the address you're
  > interacting with. You should then look up the address on etherscan to
  > see if it has public code and a lot of transactions. Then you should
  > search that address in google and see if the main site links to it. A
  > lot of projects have a list of addresses in their github. You can also
  > inspect the function code. Once you're comfortable, you should add it
  > to your saved addresses on your wallet and next time you'll see the
  > name of the address

  Oh, that's it? So simple.

giaour wrote:
  Users might think to themselves, I give my credit card number to all
  kinds of sites; how is this any different?

  The internet has kind of conditioned all of us to be OK with passing
  around complex payment instruments without paying too much attention. If
  you're a hardcore believer in cryptocurrency as a political project, you
  almost certainly understand the difference and see the "code is law" dark
  forest as a feature, not a bug. But if you started buying crypto and NFTs
  because Matt Damon and Larry David told you to, then you're in for a
  world of hurt.

scoofy wrote:
  Regulation can be bad, but it can also be good.

  People think of history like it was wonderful, but it was full of cons
  and scams. Reputation matters, and people with reputations charge a
  premium for it.

  Some of the best aspects of regulations is exactly to remove the
  reputation tax by mandating everyone follow the same practices as the
  trusted institution.

  The real sad aspect is that the crypto-libertarians of today are
  repeating some of the exact same _clear_ scams from the wildcatting era,
  and when it's brought up, it's just mocked because, honestly, who is
  going to read a book about 19th century finance when you can just watch
  the new star wars show instead.

rory wrote:
  How exactly would regulation help in this case? Most countries already
  regulate pretty strongly against theft.

JumpCrisscross wrote:
  > _Most countries already regulate pretty strongly against theft_

  Financial theft has been recognised as a special case since at least the
  Romans. It leaves less physical evidence. And it's strongly motivated by
  greed on the victim's side and exit simplicity on the conman's.

scoofy wrote:
  Again, the purpose of blockchain-as-capital is exactly to escape
  regulatory requirements. One of the main reasons why we are able to use
  the banking systems like we do, is the ability, generally, to unwind
  transactions that were fraudulent. There are also disclosure forms that
  must be presented as a double-check, to transactions that cannot be
  unwound.

  With most blockchains, this is entirely not feasible. The irony is that
  many of the brokers will likely be swamped by regulation going forward
  exactly because people will be unhappy with the lack of these types of
  disclosures.

r00fus wrote:
  btw "bad regulation" is usually due to regulatory capture [1] whether in
  legislation (ie, regulation without teeth, designed to fail) or in
  practice (ie, revolving door/corruption).

  Which usually points back to the companies/industries being regulated.

  [1] https://en.wikipedia.org/wiki/Regulatory_capture

scoofy wrote:
  Again, this can be true, but regulatory capture is a problem of
  democracy, not of regulation powers themselves.

r00fus wrote:
  The problem with democracy and regulations both come down to essentially
  sovereign financial powers (wealthy/corporate) that have interests that
  don't align with the people or the state that is supposed to represent
  the people.

  These corporations control us if we don't control them.

scoofy wrote:
  The problem with democracy is the dunning-kruger effect more than the
  principal-agent problem. People think highly-complex problems are obvious
  and easy. They care more about big sweeping theory than they do about
  local technocracy.

  The idea that anti-intellectualism even exists is testament to this.

r00fus wrote:
  Gonna say something that would likely be downvoted but a functioning
  society does not need democracy. A governing body needs legitimacy
  because its power springs from the people, but democracy and voting are
  not necessarily requisite.

  e.g. China/CCP (which isn't really communism, but definitely not
  democratic).

reydequeso wrote:
  > who is going to read a book about 19th century finance

  What recommendations do you have?

scoofy wrote:

epgui wrote:
  > [...] when it's brought up, it's just mocked because, honestly, who is
  > going to read a book about 19th century finance when you can just watch
  > the new star wars show instead.

  Modern-day anti-intellectualism FTW! I know, I know, commenters will
  argue that this is mainly a laziness problem... But when has it ever been
  "cool" to read (in the sense of being socially incentivized broadly
  speaking)? To quote a modern day (retired) twitter poet: "Sad!"

mjcohen wrote:
  Best way to make money from crypto.

Barrera wrote:
  > Victim connects their wallet to "mint".

  It's not clear exactly what's going on here. The word "connect" by itself
  implies two modes: (1) present public keys; or (2) present private keys.
  But the loss of property suggests it's (2). If so, then the people
  falling for this are hopelessly incompetent.

  Of course, this has been a problem from the start of Bitcoin. Users "buy"
  something they have no clue how to secure. They don't understand at all
  how public key cryptography works, or worse, they bring truly bad mental
  models from their experience with their online bank or Facebook. Then
  they get burned. Nothing new here.

  It's for this reason that central bank digital currencies are one of the
  worst ideas ever to come out of central banks. The average person is in
  no position to even think about managing cryptographic material let alone
  securing life-changing amounts of money with it. Idiot-proofing CBDC will
  mean that the central bank just becomes an actual, central, bank. No
  crypto required. A real one where people actually keep their money. So
  long to private banks.

rattlesnakedave wrote:
  No it doesn't suggest 2. Google "token approvals." Or just look at
  metamask for like 30 seconds.

dcolkitt wrote:
  All connecting a wallet does is allow the app to see your public keys.
  Private keys are _not_ directly exposed. The app can then request the
  user sign transactions, but they must be explicitly approved by the user.

  Where fraud typically happens is when a user thinks they're signing an
  innocuous transaction, when in fact they're signing a malicious one. This
  is generally a hard problem, but it's very clear from the wallet the
  address of the smart contract your transaction interacts with.

spinny wrote:
  the wallet in question is probably metamask, a browser extension. it
  injects a web3 provider in `window.ethereum`. connecting the wallet is
  done by calling `window.ethereum.enable()`, this pops up a dialog asking
  you to connect an address to the website. it just tells the extension
  that the website is allowed to interact with the extension

  This article is about phishing in the context of cryptos.

  Silent signing doesn't happen (unless there is some kind of bug in
  metamask). the user is always presented with the contract address and
  call data (the args to the contract call)

mrep wrote:
  I have a CS degree and have worked at FAANG for 6 years and that was
  straight gibberish to me. I guess maybe because I have only worked at
  FAANG using traditional tech and not crypto startups?

AgentME wrote:
  I think that explanation was just a little too jargony.

  If you have the Metamask browser extension (or another compatible web3
  extension) and press its browser button to enable it on a webpage, then
  the webpage can see your wallet address and suggest transactions for you
  to make. When that happens, the browser extension then shows a window
  under its own control explaining the transaction and allows you to choose
  to sign or reject the transaction.

gowld wrote:
  CBDC has never been about blockchain or cryptocurrency. That's what the
  first "C" means, and why the "D" isn't a "C". It's Venmo or Zelle but run
  by the government bank.

astoor wrote:
  This sort of thing is as old as crypto itself - see e.g. "How to steal
  Bitcoins" with some excellent HN comments (including from one of the
  thieves referenced in the original article) from 8 years ago:
  https://news.ycombinator.com/item?id=7365663

walrus01 wrote:
  am I a bad person if I think that people buying the latest hyped NFT
  deserve to have their 'crypto' drained?

  NFTs of art images are such an absurdity.

xwdv wrote:
  Crypto is a net negative for the world, so anyone should feel free to
  pillage crypto assets and redistribute them to other more noble causes.

  People must learn to avoid crypto. We can teach them why.

politician wrote:
  What other things do you disapprove of that absolve people of the crime
  of theft?

  PS: Read your HN profile: Submitting stories is by far the best way to
  earn karma. Comments are small potatoes.

nkrisc wrote:
  I don't know if they "deserve" it but I sure hoped they learned a
  valuable lesson about cryptocurrencies.

hourago wrote:
  Not necessarily a bad person. But to think that people that may not have
  the education to understand NFTs deserve to be robbed seems to justify
  to prey on people.

  NFTs are an absurdity, but millions are spent on advertising them to an
  unprotected public. Those are the real culprits.

  Scammers do not deserve to get any money, that's for sure.

kareemsabri wrote:
  I don't think they "deserve" to be robbed but I do think at this point
  the sketchiness of the defi sector is pretty apparent.

cinntaile wrote:
  I think DeFi and NFT are different sectors?

kareemsabri wrote:
  you're probably right. swap DeFi with NFTs and the sentence still holds
  though.

uoaei wrote:
  You don't need to have the education to understand NFTs to have the
  knowledge not to put bets down on things you don't understand.

pcthrowaway wrote:
  Most people don't understand things they invest in/buy.

  Most people buying stocks don't understand the company as well as someone
  who works in the sector.

  Most casual art appreciators don't know how to tell if a painting they're
  buying is a forgery.

  Most people buying a house don't know how to assess the foundation, and
  even if they get a professional assessment, they don't have the same
  knowledge of the housing market as professionals. Maybe that
  neighbourhood is slated for rezoning in 5 years that would devalue the
  property.

  Heck, even people buying gold/diamonds get ripped off on
  fakes/synthetics.

  Outside of investments, most people here have probably bought a car. Do
  people who buy a car deserve to get ripped off if they don't understand
  how every component works well enough to inspect it themselves?

drc500free wrote:
  If every transaction required perfect understanding by both parties,
  there would be no markets. We have regulations to reduce the amount of
  understanding needed to participate in markets without getting fleeced,
  which makes the markets function.

BobbyJo wrote:
  I feel the same way about it I do when I see someone blasting down the
  freeway on a motorcycle in shorts and t-shirt.

  If something happens, then we should try to help, but I'm not showing up
  for the candlelit vigil and pretending it's crazy that 1+1=2.

gowld wrote:
  Seems more like someone walking down the sidewalk at 1am and stopping to
  buy a drink from a lemonade stand, and getting jumped by a gang and
  mugged.

aleksiy123 wrote:
  Yes, people who spend their money on things you don't approve of deserve
  to lose their money.

woodruffw wrote:
  It's clear the GP isn't making a categorical claim about disapproval.

  It's more likely they think that the victims here had _every available
  opportunity_ to exercise basic diligence. I'm not sure I actually agree
  with that (I think a lot of the people getting scammed here are being
  predated on by a market that _thrives_ on misinformation), but that's a
  far cry from how you've interpreted the comment.

aleksiy123 wrote:
  To be honest I'm more concerned with the "deserve to be scammed" part.
  The "because I don't like it" is cherry on top.

  My point is if you read that comment it takes a second of introspection
  to come to an answer.

rvnx wrote:
  Please disapprove real estate, buying a house is really too expensive and
  it makes it difficult to find decent housing.

onesafari wrote:
  Seriously tho, how are people affording these mortgages? Is everyone
  living paycheck to paycheck or what?

walrus01 wrote:
  the percentage of american wage earners who are living
  paycheck-to-paycheck is probably a lot higher than you think it is.

  even couples with dual six figure salaries.

efitz wrote:
  Lifestyle often expands to consume available income. And sometimes more.

walrus01 wrote:
  hey let's buy a $60,000 pontoon boat on a 60-month loan, and a jetski,
  what could possibly go wrong

walrus01 wrote:
  patiently waiting for a "vancouver real estate market drainer" phishing
  service that can cause a real world market crash.

bombcar wrote:
  There we go, a use case for NFTs! If Vancouver real estate was all on the
  block chain then people could steal it and so people wouldn't want to own
  it because it'd get stolen, and prices would drop!

rvnx wrote:
  Thank you anon. You are my hero.

jdtang13 wrote:
  People don't deserve to be scammed. Imagine if your own grandma or
  teenage cousin fell victim to this.

mbreese wrote:
  Teenagers have been getting scammed for years. Not that they deserve it,
  but advertising the impossible to the gullible has a long history.

  https://en.m.wikipedia.org/wiki/X-ray_specs

kareemsabri wrote:
  lol whose grandma is buying NFTs? my teenage cousin doesn't have any
  money so better they get scammed now and learn.

nathias wrote:
  yes

[deleted]

willcipriano wrote:

TacticalCoder wrote:
  > am I a bad person if I think that people buying the latest hyped NFT
  > deserve to have their 'crypto' drained?

  I'll tell you this: the scummy thieves who drain these deserve it _even
  less_.

[deleted]

googlryas wrote:
  If you truly believe that? Then yes.

cvccvroomvroom wrote:
  When a scam is nearly indistinguishable from another scam, something else
  is inherently wrong.

walrus01 wrote:
  it's like a turducken of scams: crypto, NFT, NFT-drainer-siphon

cvccvroomvroom wrote:
  My next billion dollar apps will be disposable crypto wallets and
  currently obscure website accreditation.

bogwog wrote:
  My next billion dollar app will be a service that unlocks anyone's doors
  and gives you directions to their valuables (with augmented reality ofc).
  That way, you can directly steal from people without the complexity and
  carbon footprint of traditional cryptocurrency and NFT projects.

Animats wrote:
  "Connecting a wallet" makes it vulnerable to Javascript from a web site?
  Who designed that?

davidcbc wrote:
  Have you seen the rest of crypto? It's not very surprising

mNovak wrote:
  Unless I'm misunderstanding something, I don't think it can.

  Your ownership of NFTs and ETH balance is public info on chain, and the
  site can construct a malicious transaction giving them away, but it
  ultimately has to trick the user into signing it. Not really sure what
  leeway they have to manipulate how the wallet UI presents the tx to the
  user though.

rattlesnakedave wrote:
  Metamask presents a big red warning when it requests a signature for a
  hex ETH transaction. But most people don't read. Or they request token
  approvals users don't bother to modify.

renewiltord wrote:
  So let me get this straight. You just connect your Wallet to a random
  website and let them run arbitrary smart contracts? That's wild, man.
  Surely there's gotta be some concern here that someone could take your
  shit.

  I'm just surprised there isn't a privacy.com equivalent for this, like a
  limited-view wallet that lets you create sub-wallets for interaction with
  various services. Or if there is, perhaps it's not famous yet. Worthwhile
  product, I think, but hard to build because you'll be the target of
  everything. I think it would be easy for me to make a mistake somewhere
  while building it.

mNovak wrote:
  It's just plain and simple phishing -- the user still has to authorize
  the transaction, nothing gets stolen just for visiting the site or
  connecting the wallet.

  Not to say it's the user's fault entirely. What they're taking advantage
  of, is that generally people are less familiar with what to look for in a
  crypto transaction vs say an online credit card form (and/or wallet UI is
  worse than a typical stripe checkout)

bombcar wrote:
  You _can_ create a different wallet for each transaction, and do all
  sorts of complicated things, but nobody does.

  Just like you could pay your phone bill with a prepaid Visa each month
  just in case they overcharged you.

gowld wrote:
  But why isn't it fully automated, like Apple Pay or privacy.com?
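The "token approvals" and raw-hex transactions this subthread keeps returning to, as an added example that is not code from the article, MetaMask or any wallet: a decoder that turns the calldata of an eth_sendTransaction request into the plain-language description bko and gowld asked for (what is being approved, for whom, and how much). It assumes the standard ERC-20/ERC-721 function selectors; the addresses in the sample request are constructed placeholders.

```javascript
// Added example, not code from the article, MetaMask or any wallet. The four
// selectors are the standard ERC-20/ERC-721 ones (first 4 bytes of keccak256).
const SELECTORS = {
  "095ea7b3": { name: "approve", params: ["address", "uint256"] },
  "a22cb465": { name: "setApprovalForAll", params: ["address", "bool"] },
  "23b872dd": { name: "transferFrom", params: ["address", "address", "uint256"] },
  "42842e0e": { name: "safeTransferFrom", params: ["address", "address", "uint256"] },
};
const MAX_UINT256 = (1n << 256n) - 1n; // the "unlimited" ERC-20 allowance

// Decode one 32-byte ABI word (64 hex chars) according to its declared type.
function decodeWord(word, type) {
  if (type === "address") return "0x" + word.slice(24); // right-aligned 20 bytes
  if (type === "bool") return BigInt("0x" + word) !== 0n;
  return BigInt("0x" + word); // uint256
}

// Split calldata into a 4-byte selector plus 32-byte words. Only selectors in
// SELECTORS are decoded; anything else is reported as unknown, never guessed.
function decodeCalldata(data) {
  const hex = (data || "0x").toLowerCase().replace(/^0x/, "");
  if (hex.length === 0) return { kind: "plain" }; // plain ETH transfer, no call
  const selector = hex.slice(0, 8);
  const sig = SELECTORS[selector], body = hex.slice(8);
  if (!sig || body.length !== sig.params.length * 64) return { kind: "unknown", selector };
  const args = sig.params.map((t, i) => decodeWord(body.slice(i * 64, i * 64 + 64), t));
  return { kind: sig.name, selector, args };
}

// Build the prompt a wallet could show instead of raw hex. `tx` carries the
// fields of an eth_sendTransaction request: from, to, value (hex wei), data.
function describeTransaction(tx) {
  const me = tx.from.toLowerCase(), contract = tx.to.toLowerCase();
  const wei = BigInt(tx.value || "0x0");
  const d = decodeCalldata(tx.data);
  switch (d.kind) {
    case "plain":
      return { risk: "medium", summary: `Send ${wei} wei of ETH to ${contract}` };
    case "approve": {
      const [spender, amount] = d.args;
      const unlimited = amount === MAX_UINT256;
      const how = unlimited ? "an UNLIMITED amount" : `${amount} units`;
      return { risk: unlimited ? "high" : "medium",
               summary: `Allow ${spender} to spend ${how} of the token at ${contract}` };
    }
    case "setApprovalForAll": {
      const [operator, enabled] = d.args;
      return enabled
        ? { risk: "high", summary: `Allow ${operator} to move EVERY token you own in collection ${contract}` }
        : { risk: "low", summary: `Revoke ${operator}'s permission over collection ${contract}` };
    }
    case "transferFrom":
    case "safeTransferFrom": {
      const [from, to, id] = d.args;
      const outgoing = from === me && to !== me; // your token leaving your wallet
      return { risk: outgoing ? "high" : "low",
               summary: `Transfer token #${id} in collection ${contract} from ${from === me ? "YOUR wallet" : from} to ${to}` };
    }
    default:
      return { risk: "unknown", summary: `Call unrecognised function 0x${d.selector} on ${contract}` };
  }
}

// Constructed sample (placeholder addresses): a fake "mint" page requesting an
// operator approval over the victim's whole collection.
const word = (h) => h.padStart(64, "0"); // left-pad a hex value to 32 bytes
const OPERATOR = "0x1111111111111111111111111111111111111111";
const SAMPLE_TX = {
  from: "0x2222222222222222222222222222222222222222", to: "0x3333333333333333333333333333333333333333",
  value: "0x0", data: "0xa22cb465" + word(OPERATOR.slice(2)) + word("1"),
};
console.log(describeTransaction(SAMPLE_TX).summary);
```

A "mint" button that produces an operator approval or an outgoing transfer is exactly the mismatch the thread says users click through without reading.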
jancsika wrote:
  > Surely there's gotta be some concern here that someone could take your
  > shit.

  Sure.

  Keep in mind though that crypto is battling the status quo where some
  arbitrary user could initiate an arbitrary chargeback through the use of
  a third party. Good luck building a smart contract around _that_!

  With crypto there's no confusion or anxiety-- your coins are provably
  gone in the example you're citing.

  In a way it's like the old error-prone analog computers vs. the new
  binary-logic-based digital ones. Yeah, rampant theft is bad, but it is
  _discrete_ theft. And that is the point-- we can measure it in ones and
  zeros to build upon and compose the digital infrastructure that will
  become web4.

  It's mostly zeros but you get the idea.

technion wrote:
  Nothing stops a person making a new wallet with limited assets for
  interaction with less reputable websites. Web3 culture has made this
  quite difficult in practice. For example, it's quite normalised to say
  "new exciting nft project, only available to existing owners of expensive
  nfts". This sort of thing is considered an ownership perk. And it's why
  those discord hacks were so damaging, a statement like that was made and
  it did not sound out of character. So in order to use this service, you
  must be using the wallet with your expensive nfts, so ownership can be
  verified, but also because it's a phishing site.

  Edit: and if you wanted to routinely transfer small funds to a hot
  wallet, gas fees will put a stop to the idea.

[deleted]

gowld wrote:
  Why is the MetaMask UI so dumb that it can't say "This transaction is
  sending your NFT to address X. Address X has [reputation stats of some
  sort]. Is that what you want?"

ChrisClark wrote:
  The people being scammed here aren't looking at what they are doing, at
  all.

  They go to the website, click "mint NFT", then their wallet pops up and
  says, "Sending [your expensive NFT] to [address], confirm?"

  And then the user says, yeah, I want to send them my NFT.

  There are more subtle ways to scam though. But the people losing them
  here are the type of users that confirm everything without reading.

IanCal wrote:
  Signing transactions used to iirc just show hard to interpret bytes. The
  user is not executing the transaction.

rattlesnakedave wrote:
  Metamask presents a large red warning when a user is prompted to sign a
  raw transaction, and they're planning on deprecating that part of the
  API, so hopefully that helps.

___________________________________________________________________
(page generated 2022-06-15 23:00 UTC)