[HN Gopher] "Crypto Drainer" Template Facilitates Tens of Millio...
___________________________________________________________________
"Crypto Drainer" Template Facilitates Tens of Millions of Dollars
in Theft
Author : eliya_confiant
Score : 92 points
Date : 2022-06-15 19:57 UTC (3 hours ago)
(HTM) web link (blog.confiant.com)
(TXT) w3m dump (blog.confiant.com)
| PragmaticPulp wrote:
| Absolutely baffling that the crypto community normalized this
| process of connecting your wallet to a random website and letting
| it access all of your money.
|
| I see a lot of victim-blaming suggestions that it's the fault of
| the person who didn't set up a new crypto wallet for every
| interaction they might want to make and then transfer enough
| money into said wallet to cover unpredictable gas fees (while
| also paying gas fees to transfer the money) and then, presumably
| pay even more gas fees to transfer everything back out of the
| wallet if it turns out to not be a scam. It's incredible that
| crypto has reached a point where some people seem to think this
| is all totally reasonable and natural to expect the average user
| to know.
| nubb wrote:
| you're right. the unreasonable complexity of crypto is why
| people fall for phishing scams. thanks.
| mushbino wrote:
| Right? It's a good thing our monetary system and financial
| instruments aren't complex, phew!
| giaour wrote:
| It's one thing to have complex payment instruments where
| innocent mistakes are reversible. Having them in a world
| where everything is permanent is another situation
| entirely.
| melony wrote:
| Yeah they should pay Plaid a grand a month for that privilege
| instead.
| MomoXenosaga wrote:
| Banking the unbanked lol.
| dcolkitt wrote:
| That's not how it works at all. When you connect a wallet, the
| only unrestricted access it gives the app is the ability to see
| your public address.
|
| The app _does not_ have the ability to sign transactions on
| your behalf without your explicit approval.
| zeven7 wrote:
| It depends on the website and the wallet, but either way the
| wallet app tells you what permissions it's giving the
| website. My guess is people don't pay attention or think
| about it. But it's not as parent described "the way the
| crypto community designed it". It's actually the opposite.
| The crypto community designed wallets that give you control
| over what third parties are allowed to do with your accounts.
| It's a lot more than what debit cards offer (I say debit
| cards because credit cards do of course offer a good rollback
| system).
| gowld wrote:
| What does a user see? How should a user investigate a
| transaction to check what it does? Is there any good
| automated explanation/visualization of the effect of a
| transaction?
| bko wrote:
| This is what I do:
|
| When a site initiates a transaction, you can see the
| address you're interacting with. You should then look up
| the address on etherscan to see if it has public code and a
| lot of transactions. Then you should search that address in
| google and see if the main site links to it. A lot of
| projects have a list of addresses in their github. You can
| also inspect the function code. Once you're comfortable,
| you should add it to your saved addresses on your wallet
| and next time you'll see the name of the address.
|
| Also you can create a new throw away address, transfer just
| a little bit of coins to it and interact with the contract.
| If it does what you think it should do, then you can create
| a new account and do it again.
|
| It's not perfect. It could be a proxy, so you're not
| guaranteed the contract you're interacting with.
|
| There's no easy way to "see what a transaction does". You
| just need to do risk management.
| happyopossum wrote:
| > When a site initiates a transaction, you can see the
| address you're interacting with. You should then look up
| the address on etherscan to see if it has public code and
| a lot of transactions. Then you should search that
| address in google and see if the main site links to it. A
| lot of projects have a list of addresses in their github.
| You can also inspect the function code. Once you're
| comfortable, you should add it to your saved addresses on
| your wallet and next time you'll see the name of the
| address
|
| Oh, that's it? So simple.
| giaour wrote:
| Users might think to themselves, I give my credit card number
| to all kinds of sites; how is this any different?
|
| The internet has kind of conditioned all of us to be OK with
| passing around complex payment instruments without paying too
| much attention. If you're a hardcore believer in cryptocurrency
| as a political project, you almost certainly understand the
| difference and see the "code is law" dark forest as a feature,
| not a bug. But if you started buying crypto and NFTs because
| Matt Damon and Larry David told you to, then you're in for a
| world of hurt.
| scoofy wrote:
| Regulation can be bad, but it can also be good.
|
| People think of history like it was wonderful, but it was full of
| cons and scams. Reputation matters, and people with reputations
| charge a premium for it.
|
| Some of the best aspects of regulations is exactly to remove the
| reputation tax by mandating everyone follow the same practices as
| the trusted institution.
|
| The real sad aspect is that the crypto-libertarians of today are
| repeating some of the exact same _clear_ scams from the
| wildcatting era, and when it's brought up, it's just mocked
| because, honestly, who is going to read a book about 19th century
| finance when you can just watch the new star wars show instead.
| rory wrote:
| How exactly would regulation help in this case? Most countries
| already regulate pretty strongly against theft.
| JumpCrisscross wrote:
| > _Most countries already regulate pretty strongly against
| theft_
|
| Financial theft has been recognised as a special case since
| at least the Romans. It leaves less physical evidence. And
| it's strongly motivated by greed on the victim's side and
| exit simplicity on the conman's.
| scoofy wrote:
| Again, the purpose of blockchain-as-capital is exactly to
| escape regulatory requirements. One of the main reasons why
| we are able to use the banking systems like we do, is the
| ability, generally, to unwind transactions that were
| fraudulent. There are also disclosure forms that must be
| presented as a double-check, to transactions that cannot be
| unwound.
|
| With most blockchains, this is entirely not feasible. The
| irony is that many of the brokers will likely be swamped by
| regulation going forward exactly because people will be
| unhappy with the lack of these types of disclosures.
| r00fus wrote:
| btw "bad regulation" is usually due to regulatory capture [1]
| whether in legislation (ie, regulation without teeth, designed
| to fail) or in practice (ie, revolving door/corruption).
|
| Which usually points back to the companies/industries being
| regulated.
|
| [1] https://en.wikipedia.org/wiki/Regulatory_capture
| scoofy wrote:
| Again, this can be true, but regulatory capture is a problem
| of democracy, not of regulation powers themselves.
| r00fus wrote:
| The problem with democracy and regulations both come down
| to essentially sovereign financial powers
| (wealthy/corporate) that have interests that don't align
| with the people or the state that is supposed to represent
| the people.
|
| These corporations control us if we don't control them.
| scoofy wrote:
| The problem with democracy is the Dunning-Kruger effect
| more than the principal-agent problem. People think
| highly-complex problems are obvious and easy. They care
| more about big sweeping theory than they do about local
| technocracy.
|
| The idea that anti-intellectualism even exists is
| testament to this.
| r00fus wrote:
| Gonna say something that would likely be downvoted but a
| functioning society does not need democracy. A governing
| body needs legitimacy because its power springs from the
| people, but democracy and voting are not necessarily
| requisite.
|
| e.g. China/CCP (which isn't really communism, but
| definitely not democratic).
| reydequeso wrote:
| >who is going to read a book about 19th century finance
|
| What recommendations do you have?
| scoofy wrote:
| epgui wrote:
| > [...] when it's brought up, it's just mocked because,
| honestly, who is going to read a book about 19th century
| finance when you can just watch the new star wars show instead.
|
| Modern-day anti-intellectualism FTW! I know, I know, commenters
| will argue that this is mainly a laziness problem... But when
| has it ever been "cool" to read (in the sense of being socially
| incentivized broadly speaking)? To quote a modern day (retired)
| twitter poet: "Sad!"
| mjcohen wrote:
| Best way to make money from crypto.
| Barrera wrote:
| > Victim connects their wallet to "mint".
|
| It's not clear exactly what's going on here. The word "connect"
| by itself implies two modes: (1) present public keys; or (2)
| present private keys. But the loss of property suggests it's (2).
| If so, then the people falling for this are hopelessly
| incompetent.
|
| Of course, this has been a problem from the start of Bitcoin.
| Users "buy" something they have no clue how to secure. They don't
| understand at all how public key cryptography works, or worse,
| they bring truly bad mental models from their experience with
| their online bank or Facebook. Then they get burned. Nothing new
| here.
|
| It's for this reason that central bank digital currencies are one
| of the worst ideas ever to come out of central banks. The
| average person is in no position to even think about managing
| cryptographic material let alone securing life-changing amounts
| of money with it. Idiot-proofing CBDC will mean that the central
| bank just becomes an actual, central, bank. No crypto required. A
| real one where people actually keep their money. So long to
| private banks.
| rattlesnakedave wrote:
| No it doesn't suggest 2. Google "token approvals." Or just look
| at metamask for like 30 seconds.
| dcolkitt wrote:
| All connecting a wallet does is allow the app to see your
| public keys. Private keys are _not_ directly exposed. The app
| can then request the user sign transactions, but they must be
| explicitly approved by the user.
|
| Where fraud typically happens is when a user thinks they're
| signing an innocuous transaction, when in fact they're signing
| a malicious one. This is generally a hard problem, but it's
| very clear from the wallet the address of the smart contract
| your transaction interacts with.
| spinny wrote:
| the wallet in question is probably metamask, a browser
| extension. it injects a web3 provider in `window.ethereum`.
| connecting the wallet is done by calling
| `window.ethereum.enable()`, this pops up a dialog asking you to
| connect an address to the website. it just tells the extension
| that the website is allowed to interact with the extension.
|
| This article is about phishing in the context of cryptos.
|
| Silent signing doesn't happen (unless there is some kind of bug
| in metamask). the user is always presented with the contract
| address and call data (the args to the contract call)
| mrep wrote:
| I have a CS degree and have worked at FAANG for 6 years and
| that was straight gibberish to me. I guess maybe because I
| have only worked at FAANG using traditional tech and not
| crypto startups?
| AgentME wrote:
| I think that explanation was just a little too jargony.
|
| If you have the Metamask browser extension (or another
| compatible web3 extension) and press its browser button to
| enable it on a webpage, then the webpage can see your
| wallet address and suggest transactions for you to make.
| When that happens, the browser extension then shows a
| window under its own control explaining the transaction and
| allows you to choose to sign or reject the transaction.
| gowld wrote:
| CBDC has never been about blockchain or cryptocurrency. That's
| what the first "C" means, and why the "D" isn't a "C". It's
| Venmo or Zelle but run by the government bank.
| astoor wrote:
| This sort of thing is as old as crypto itself - see e.g. "How to
| steal Bitcoins" with some excellent HN comments (including from
| one of the thieves referenced in the original article) from 8
| years ago: https://news.ycombinator.com/item?id=7365663
| walrus01 wrote:
| am I a bad person if I think that people buying the latest hyped
| NFT deserve to have their 'crypto' drained?
|
| NFTs of art images are such an absurdity.
| xwdv wrote:
| Crypto is a net negative for the world, so anyone should feel
| free to pillage crypto assets and redistribute them to other
| more noble causes.
|
| People must learn to avoid crypto. We can teach them why.
| politician wrote:
| What other things do you disapprove of that absolve people of
| the crime of theft?
|
| PS: Read your HN profile: Submitting stories is by far the
| best way to earn karma. Comments are small potatoes.
| nkrisc wrote:
| I don't know if they "deserve" it but I sure hope they learned
| a valuable lesson about cryptocurrencies.
| hourago wrote:
| Not necessarily a bad person. But to think that people that may
| not have the education to understand NFTs deserve to be robbed
| seems to justify to prey on people.
|
| NFTs are an absurdity, but millions are spent on advertising
| them to an unprotected public. Those are the real culprits.
|
| Scammers do not deserve to get any money, that's for sure.
| kareemsabri wrote:
| I don't think they "deserve" to be robbed but I do think at
| this point the sketchiness of the defi sector is pretty
| apparent.
| cinntaile wrote:
| I think DeFi and NFT are different sectors?
| kareemsabri wrote:
| you're probably right. swap DeFi with NFTs and the
| sentence still holds though.
| uoaei wrote:
| You don't need to have the education to understand NFTs to
| have the knowledge not to put bets down on things you don't
| understand.
| pcthrowaway wrote:
| Most people don't understand things they invest in/buy.
|
| Most people buying stocks don't understand the company as
| well as someone who works in the sector.
|
| Most casual art appreciators don't know how to tell if a
| painting they're buying is a forgery.
|
| Most people buying a house don't know how to assess the
| foundation, and even if they get a professional assessment,
| they don't have the same knowledge of the housing market as
| professionals. Maybe that neighbourhood is slated for
| rezoning in 5 years that would devalue the property.
|
| Heck, even people buying gold/diamonds get ripped off on
| fakes/synthetics.
|
| Outside of investments, most people here have probably
| bought a car. Do people who buy a car deserve to get ripped
| off if they don't understand how every component works well
| enough to inspect it themselves?
| drc500free wrote:
| If every transaction required perfect understanding by both
| parties, there would be no markets. We have regulations to
| reduce the amount of understanding needed to participate in
| markets without getting fleeced, which makes the markets
| function.
| BobbyJo wrote:
| I feel the same way about it I do when I see someone blasting
| down the freeway on a motorcycle in shorts and t-shirt.
|
| If something happens, then we should try to help, but I'm not
| showing up for the candle lit vigil and pretending it's crazy
| that 1+1=2.
| gowld wrote:
| Seems more like someone walking down the sidewalk at 1am
| and stopping to buy a drink from a lemonade stand, and
| getting jumped by a gang and mugged.
| aleksiy123 wrote:
| Yes, people who spend their money on things you don't approve
| of deserve to lose their money.
| woodruffw wrote:
| It's clear the GP isn't making a categorical claim about
| disapproval.
|
| It's more likely they think that the victims here had _every
| available opportunity_ to exercise basic diligence. I'm not
| sure I actually agree with that (I think a lot of the people
| getting scammed here are being predated on by a market that
| _thrives_ on misinformation), but that's a far cry from how
| you've interpreted the comment.
| aleksiy123 wrote:
| To be honest I'm more concerned with the "deserve to be
| scammed" part. The "because I don't like it" is cherry on
| top.
|
| My point is if you read that comment it takes a second of
| introspection to come to an answer.
| rvnx wrote:
| Please disapprove real estate, buying a house is really too
| expensive and it makes it difficult to find decent housing.
| onesafari wrote:
| Seriously tho, how are people affording these mortgages? Is
| everyone living paycheck to paycheck or what?
| walrus01 wrote:
| the percentage of american wage earners who are living
| paycheck-to-paycheck is probably a lot higher than you
| think it is.
|
| even couples with dual six figure salaries.
| efitz wrote:
| Lifestyle often expands to consume available income. And
| sometimes more.
| walrus01 wrote:
| hey let's buy a $60,000 pontoon boat on a 60-month loan,
| and a jetski, what could possibly go wrong
| walrus01 wrote:
| patiently waiting for a "vancouver real estate market
| drainer" phishing service that can cause a real world
| market crash.
| bombcar wrote:
| There we go, a use case for NFTs! If Vancouver real
| estate was all on the block chain then people could steal
| it and so people wouldn't want to own it because it'd get
| stolen, and prices would drop!
| rvnx wrote:
| Thank you anon. You are my hero.
| jdtang13 wrote:
| People don't deserve to be scammed. Imagine if your own grandma
| or teenage cousin fell victim to this.
| mbreese wrote:
| Teenagers have been getting scammed for years. Not that they
| deserve it, but advertising the impossible to the gullible
| has a long history.
|
| https://en.m.wikipedia.org/wiki/X-ray_specs
| kareemsabri wrote:
| lol whose grandma is buying NFTs? my teenage cousin doesn't
| have any money so better they get scammed now and learn.
| nathias wrote:
| yes
| [deleted]
| willcipriano wrote:
| TacticalCoder wrote:
| > am I a bad person if I think that people buying the latest
| hyped NFT deserve to have their 'crypto' drained?
|
| I'll tell you this: the scummy thieves who drain these deserve
| it _even less_.
| [deleted]
| googlryas wrote:
| If you truly believe that? Then yes.
| cvccvroomvroom wrote:
| When a scam is nearly indistinguishable from another scam,
| something else is inherently wrong.
| walrus01 wrote:
| it's like a turducken of scams: crypto, NFT, NFT-drainer-siphon
| cvccvroomvroom wrote:
| My next billion dollar apps will be disposable crypto wallets and
| currently obscure website accreditation.
| bogwog wrote:
| My next billion dollar app will be a service that unlocks
| anyone's doors and gives you directions to their valuables
| (with augmented reality ofc). That way, you can directly steal
| from people without the complexity and carbon footprint of
| traditional cryptocurrency and NFT projects.
| Animats wrote:
| "Connecting a wallet" makes it vulnerable to Javascript from a
| web site? Who designed that?
| davidcbc wrote:
| Have you seen the rest of crypto? It's not very surprising
| mNovak wrote:
| Unless I'm misunderstanding something, I don't think it can.
| Your ownership of NFTs and ETH balance is public info on chain,
| and the site can construct a malicious transaction giving them
| away, but it ultimately has to trick the user into signing it.
| Not really sure what leeway they have to manipulate how the
| wallet UI presents the tx to the user though.
| rattlesnakedave wrote:
| Metamask presents a big red warning when it requests a
| signature for a hex ETH transaction. But most people don't
| read. Or they request token approvals users don't bother to
| modify.
| renewiltord wrote:
| So let me get this straight. You just connect your Wallet to a
| random website and let them run arbitrary smart contracts? That's
| wild, man. Surely there's gotta be some concern here that someone
| could take your shit.
|
| I'm just surprised there isn't a privacy.com equivalent for this,
| like a limited-view wallet that lets you create sub-wallets for
| interaction with various services. Or if there is, perhaps it's
| not famous yet. Worthwhile product, I think, but hard to build
| because you'll be the target of everything. I think it would be
| easy for me to make a mistake somewhere while building it.
| mNovak wrote:
| It's just plain and simple phishing -- the user still has to
| authorize the transaction, nothing gets stolen just for
| visiting the site or connecting the wallet.
|
| Not to say it's the user's fault entirely. What they're taking
| advantage of, is that generally people are less familiar with
| what to look for in a crypto transaction vs say an online
| credit card form (and/or wallet UI is worse than a typical
| stripe checkout)
| bombcar wrote:
| You _can_ create a different wallet for each transaction, and
| do all sorts of complicated things, but nobody does.
|
| Just like you could pay your phone bill with a prepaid Visa
| each month just in case they overcharged you.
| gowld wrote:
| But why isn't it fully automated, like Apple Pay or
| privacy.com?
| jancsika wrote:
| > Surely there's gotta be some concern here that someone could
| take your shit.
|
| Sure.
|
| Keep in mind though that crypto is battling the status quo
| where some arbitrary user could initiate an arbitrary
| chargeback through the use of a third party. Good luck building
| a smart contract around _that_!
|
| With crypto there's no confusion or anxiety-- your coins are
| provably gone in the example you're citing.
|
| In a way it's like the old error-prone analog computers vs. the
| new binary-logic-based digital ones. Yeah, rampant theft is
| bad, but it is _discrete_ theft. And that is the point-- we can
| measure it in ones and zeros to build upon and compose the
| digital infrastructure that will become web4.
|
| It's mostly zeros but you get the idea.
| technion wrote:
| Nothing stops a person making a new wallet with limited assets
| for interaction with less reputable websites. Web3 culture has
| made this quite difficult in practice. For example, it's quite
| normalised to say "new exciting nft project, only available to
| existing owners of expensive nfts". This sort of thing is
| considered an ownership perk. And it's why those discord hacks
| were so damaging, a statement like that was made and it did not
| sound out of character. So in order to use this service, you
| must be using the wallet with your expensive nfts, so ownership
| can be verified, but also because it's a phishing site.
|
| Edit: and if you wanted to routinely transfer small funds to a
| hot wallet, gas fees will put a stop to the idea.
| [deleted]
| gowld wrote:
| Why is the MetaMask UI so dumb that it can't say "This
| transaction is sending your NFT to address X. Address X has
| [reputation stats of some sort]. Is that what you want?"
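The flow spinny describes above (a site calling the injected `window.ethereum` provider, the extension showing contract address and call data) and the decoded summary gowld asks for here can both be illustrated with a small mock. This is an added example, not code from the thread, from MetaMask, or from the Confiant write-up: the provider is a synchronous stand-in for the real promise-based EIP-1193 object, the `cautiousConfirm` policy and `runScenario` are hypothetical, and all addresses, token ids and the placeholder transaction hash are constructed. The four function selectors are the standard ERC-20/ERC-721 ones.

```javascript
// Added example (not from the thread, MetaMask, or Confiant): a synchronous mock
// of the provider a wallet extension injects as window.ethereum. It shows that
// "connecting" hands the site only public addresses, and that every transaction
// passes through a confirm step that can display the target contract and a
// decoded view of the calldata. Selectors are standard; everything else is constructed.

const SELECTORS = {
  '0xa22cb465': 'setApprovalForAll(address,bool)',
  '0x095ea7b3': 'approve(address,uint256)',
  '0x23b872dd': 'transferFrom(address,address,uint256)',
  '0x42842e0e': 'safeTransferFrom(address,address,uint256)',
};

// i-th 32-byte ABI word after the 4-byte selector, as hex.
function word(data, i) {
  return data.slice(10 + i * 64, 10 + (i + 1) * 64);
}
// An ABI-encoded address occupies the last 20 bytes of its word.
function wordToAddress(data, i) {
  return '0x' + word(data, i).slice(24);
}

// Decode raw calldata into something a person can read before signing.
function describeCalldata(data) {
  if (!data || data.length < 10) return { known: false, text: 'no calldata (plain value transfer)' };
  const selector = data.slice(0, 10).toLowerCase();
  const name = SELECTORS[selector];
  if (!name) return { known: false, selector, text: `unknown selector ${selector}; inspect the contract first` };
  const d = { known: true, selector, name };
  if (name.startsWith('setApprovalForAll')) {
    d.operator = wordToAddress(data, 0);
    d.approved = word(data, 1).endsWith('1');      // ABI bool: last byte is 0 or 1
  } else if (name.startsWith('approve')) {
    d.spender = wordToAddress(data, 0);
    d.amountOrId = BigInt('0x' + word(data, 1));
  } else {                                           // transferFrom / safeTransferFrom
    d.from = wordToAddress(data, 0);
    d.to = wordToAddress(data, 1);
    d.tokenId = BigInt('0x' + word(data, 2));
  }
  return d;
}

// Minimal stand-in for the injected provider (hypothetical; the real one is async).
class MockProvider {
  constructor(accounts, confirm) {
    this.accounts = accounts;   // public addresses only: the site never sees keys
    this.confirm = confirm;     // stands in for the extension's own confirm dialog
    this.connected = false;
  }
  request({ method, params }) {
    if (method === 'eth_requestAccounts') {        // what "Connect wallet" calls (enable() was the older name)
      this.connected = true;
      return this.accounts;
    }
    if (method === 'eth_sendTransaction') {
      if (!this.connected) throw new Error('site not connected');
      const tx = params[0];
      const summary = describeCalldata(tx.data);
      if (!this.confirm({ from: tx.from, to: tx.to, summary })) throw new Error('user rejected');
      return '0x' + 'ab'.repeat(32);               // constructed placeholder tx hash
    }
    throw new Error(`unsupported method ${method}`);
  }
}

// A cautious confirm policy (hypothetical): refuse blanket operator approvals and
// refuse to move the wallet's own tokens to an address that is not in the saved list.
function cautiousConfirm(wallet, savedAddresses) {
  return ({ from, summary }) => {
    if (!summary.known) return false;
    if (summary.name.startsWith('setApprovalForAll') && summary.approved) return false;
    if ('to' in summary && from.toLowerCase() === wallet && !savedAddresses.has(summary.to)) return false;
    return true;
  };
}

const WALLET = '0x' + '11'.repeat(20);             // constructed victim address
const OPERATOR = '0x' + 'be'.repeat(20);           // constructed attacker-controlled address
// Constructed calldata: setApprovalForAll(OPERATOR, true)
const SAMPLE_SET_APPROVAL = '0xa22cb465' + '0'.repeat(24) + 'be'.repeat(20) + '0'.repeat(63) + '1';

// The sequence the thread describes: connect, then a "mint" that is really setApprovalForAll.
function runScenario() {
  const provider = new MockProvider([WALLET], cautiousConfirm(WALLET, new Set()));
  const seenBySite = provider.request({ method: 'eth_requestAccounts' });
  let rejected = false;
  try {
    provider.request({ method: 'eth_sendTransaction',
      params: [{ from: WALLET, to: '0x' + 'c0'.repeat(20), data: SAMPLE_SET_APPROVAL }] });
  } catch (e) {
    rejected = /rejected/.test(e.message);
  }
  return { seenBySite, rejected };
}

if (typeof require !== 'undefined' && require.main === module) console.log(runScenario());
```

The site ends up with exactly one public address and a rejected request; the decoded summary is what a wallet could put in front of the user instead of raw hex. In a real extension the confirm step is the dialog the user clicks, so the policy function above is the part a person would normally have to apply in their head.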
| ChrisClark wrote:
| The people being scammed here aren't looking at what they are
| doing, at all.
|
| They go to the website, click "mint NFT", then their wallet
| pops up and says, "Sending [your expensive NFT] to [address],
| confirm?"
|
| And then the user says, yeah, I want to send them my NFT.
|
| There are more subtle ways to scam though. But the people
| losing them here are the type of users that confirm everything
| without reading.
| IanCal wrote:
| Signing transactions used to iirc just show hard to interpret
| bytes. The user is not executing the transaction.
| rattlesnakedave wrote:
| Metamask presents a large red warning when a user is
| prompted to sign a raw transaction, and they're planning on
| deprecating that part of the API, so hopefully that helps.
___________________________________________________________________
(page generated 2022-06-15 23:00 UTC)