Man

Thanks to the game Hamster Kombat, even children have started mining cryptocurrency. As of August 2024, 300 million people are "tapping the hamster" - this is twice the population of Russia. Inexperienced users quickly become interested in cryptocurrency and take their questions to topical Telegram chats, where they are met by scammers posing as friendly experts.
We often discuss new phishing attacks with colleagues from the information security departments of large companies. Usually, people come to us for recommendations or descriptions of fraudulent schemes, but this time we were invited to conduct an investigation together and play along with one of these crypto scammers on Binance. Who would refuse that?
We tell you how a new phishing scheme works on crypto exchanges, how we identified the fraudster and how much money we spent. In the end, we will give advice on how to protect your wallet and not get caught by scammers on exchanges.
To preserve anonymity, we will refer to the colleague by another name and change some details of the story.
Once, Sasha, an information security expert at a financial organization, had problems accessing one of the crypto exchanges. He went to a specialized Telegram chat and noticed that there were a lot of questions from newcomers who came from the Hamster Kombat game. And on the very first day, he came across scammers.
In case you don't know what Hamster Kombat is
This is a game in Telegram, where participants control a virtual hamster in the role of the director of a crypto exchange. Players earn coins by clicking on the screen. The game also releases daily ciphers in the form of Morse code - if you decipher it and "tap" it correctly, you can get a million coins.
The creators promise that virtual coins can be exchanged for digital tokens in the future, and then for other cryptocurrencies. The game's official Telegram page has 53 million subscribers.
Sasha wondered - what if the game developers did not just create another time killer, but inadvertently opened a portal to the world of crypto-phishing for 300 million people, most of whom will come to the exchange with zero knowledge about cryptocurrency.
What makes people fall for scammers?
See for yourself: the app plays on the feeling of greed, pushes players to invite friends, feeds the excitement daily with codes, and simplifies the process of "earning" as much as possible - all of these are good conditions for lowering critical thinking. At some point, the "hamster" no longer seems enough, and the person goes to chats for advice from experienced crypto investors. And believes them.
Fraudsters "come to the aid" of newbies under the guise of experts
When Sasha asked a question about access in the exchange's Telegram chat, 20 people answered. Of them, one turned out to be the most suspicious. His name is Nikita, he lives in Moscow, often flies to Dubai, loves to ride SUPs and earn millions on crypto. At least, that's what he said in lengthy voice messages.
Nikita really helped Sasha with access to the exchange, but at the same time persistently lured him to register on Binance. Allegedly, his good friend from the US - a premium member of Binance - can participate in airdrops even before the token starts trading on the exchange. According to Nikita, you can easily earn thousands of dollars on this - as proof, he sent plausible screenshots from the wallet.
What benefit does this give Nikita? Legend has it that he gets referral payments from each new investor he brings in — that's why he's so interested.
So, what do you need to participate:
- wallet on Binance Smart Chain;
- the ability to constantly invest from $50 in USDT;
- some Binance Coin (BNB) for transactions;
- email in Gmail (we will explain later why other mailboxes are not suitable).
Sasha decided to play along with Nikita and see where it would lead.

Nikita generously helped Sasha register on the exchange and set up the Trust Wallet crypto wallet
At this point we join the game and begin to unfold the scheme.
Binance Exchange Scam Scheme
Nikita connected Sasha to a closed airdrop of a new token on Binance.US and told him to wait for a letter from the exchange.
Now let's analyze the scammers' scheme step by step.

Step 1. Sending a phishing email

Phishing email mimics invitation from Binance
In the mobile app, everything looks convincing: the address matches the address recommended for whitelisting on Binance.
In the browser you can see a suspicious host in the sender field in the format Oxqhnfrmeuyyp58.click.


Phishing email easily passes mail filters
Even Gmail, one of the largest email systems, has security issues.

Log of letter from Nikita
To automate mailings, scammers use the malicious SaaS service spoofer.tech. They deploy their mail server, set up an SPF record, and easily pass Gmail's DMARC protection — the letters end up in the inbox, not in spam. With these settings, the sender field displays a legitimate address.
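An SPF pass only vouches for the envelope sender's domain, not for the From address the mobile client displays, so the check that matters is whether the two agree. The sketch below is an added example, not part of the original investigation: it runs that alignment check over constructed headers, and the host names, the two-label domain comparison and the "generated-looking host" heuristic are all assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample headers (not the email from the investigation); hosts are placeholders.
SAMPLE = (
    "Return-Path: <bounce@xk7qzrtpwmv42n.example>\n"
    "Authentication-Results: mx.example.net;\n"
    " spf=pass smtp.mailfrom=bounce@xk7qzrtpwmv42n.example;\n"
    " dkim=none\n"
    'From: "Exchange Support" <do-not-reply@exchange.example>\n'
    "Subject: Airdrop invitation\n\nbody\n"
)

def domain_of(addr):
    return parseaddr(addr)[1].rpartition("@")[2].lower()

def org_domain(host):
    # Simplification: last two labels. Production code should use the Public Suffix List.
    return ".".join(host.rstrip(".").split(".")[-2:])

def looks_generated(host):
    # Heuristic (assumption): long first label that mixes in digits and has few vowels.
    label = host.split(".")[0]
    vowels = sum(c in "aeiou" for c in label)
    return len(label) >= 12 and any(c.isdigit() for c in label) and vowels / len(label) < 0.3

def check_sender(raw):
    msg = message_from_string(raw)
    from_dom = domain_of(msg.get("From", ""))
    auth = " ".join(msg.get_all("Authentication-Results") or [])
    spf = re.search(r"spf=pass[^;]*?smtp\.mailfrom=([^\s;]+)", auth)
    dkim = re.search(r"dkim=pass[^;]*?header\.d=([^\s;]+)", auth)
    spf_dom = spf.group(1).rpartition("@")[2].lower() if spf else ""
    dkim_dom = dkim.group(1).lower() if dkim else ""
    # DMARC-style alignment: a passing SPF or DKIM domain must match the visible From.
    aligned = any(d and org_domain(d) == org_domain(from_dom) for d in (spf_dom, dkim_dom))
    findings = []
    if not aligned:
        findings.append("From domain is not aligned with any passing SPF/DKIM domain")
    for host in sorted({spf_dom, domain_of(msg.get("Return-Path", ""))} - {""}):
        if looks_generated(host):
            findings.append("generated-looking sending host: " + host)
    return {"from": from_dom, "spf_domain": spf_dom, "aligned": aligned, "findings": findings}

if __name__ == "__main__":
    print(check_sender(SAMPLE))
```

In Gmail's web version the same headers are available through "Show original", which is where the mismatch between the displayed address and the sending host becomes visible.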

Step 2. Connecting a smart contract
The letter describes the scheme for connecting a smart contract and authorization in Binance Verify DeFi.
Following the instructions, we added tokens to the wallet and went to the site to confirm via a malicious link:

You need to log in using your wallet, let's go:


Select Trust Wallet or WalletConnect and connect via a crypto wallet.

We receive a notification about the connection of a smart contract and subscribe to a scam.

We confirm!

Success! We just gave the scammers full access to our wallet.
We couldn't resist and found out Nikita's IP address. The result is in the chapter "Investigation Summary".
Step 3. Token hijacking
USDT are debited from the wallet and two new tokens and airdrops are credited - a real one and a fake one.

During the airdrop, Sasha received the same letters after each debit, with three main points in them:
- notification about increasing allocation - supposedly it guarantees a higher percentage of reward from each new USDT deposit;
- Token Approval request - with this function, the user allows another contract to manage tokens in the wallet. In this way, fraudsters get the opportunity to debit tokens from the victim's wallet without confirmation;
- instructions on how to deposit more money and information about the new percentage of the reward - this motivates the victim to invest more money into the platform and replenish the wallet before the end of the airdrop.
After the end of the airdrop, the fake token is automatically replaced by the real one. Nikita tries to persuade Sasha to contribute more money to the next airdrop to earn more. He convinces Sasha that he has already taken out a loan and mortgaged his property to become a dollar millionaire by the end of the year, and recommends doing the same. He even promises to help fill out a loan application to make sure it is approved.
Then the tokens go to intermediate wallets from where, having reached certain amounts, the scammers send the money further:

But that's not all.
Step 4. Blocking the account and extorting money
When Nikita had enough money in his wallet, he lured Sasha to the final airdrop - after which Sasha's account was blocked.
An email arrives stating that Binance has questioned the transactions and that in order to confirm the account and withdraw funds, the wallet needs to be topped up with 2,000 USDT.

Phishing letter about blocking
All this time, Sasha was looking for victims of such schemes and found one of them in the Bybit exchange chat. It was a postal service employee who was looking for a quick buck. He fell for another "Nikita" - he topped up his wallet with $100 and successfully participated in the airdrop. Then he took the maximum loan that the bank approved, invested in a new airdrop and after its completion received a letter about the account being blocked. Then a second loan to unblock and a new block. And then a bitter realization.
Of course, we didn't deposit 2000 USDT into the account. Sasha cited salary delays and general disappointment in crypto, which made Nikita very angry. The scammer ended the conversation with the phrase "well, live in poverty".
How to Block Scammers' Access to Binance Smart Chain Wallet
If you look at the transaction history of tokens in your wallet, you can find smart contracts that give other people access to your wallet:
Click on the View on block explorer button to go to the bscscan.com website, where all the transaction information is stored.
On the website the transaction will look like this:

You can use the link to see who you have allowed to do what and revoke permissions.

If your wallet does not have this data, you can find it on the tokenapprovalchecker page.
1. Enter your wallet number and click on the search button.

2. Link your wallet via QR code to the bscscan.com website using the Connect to Web3 button.

3. Start the revoke operation via the Revoke button and confirm it in the wallet.



We did all this with Sasha's account and revoked the permissions. It was risky, but in the end we spent $0 on the investigation.
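What the Token Approval request from step 3 grants, and what a revocation changes, can be read directly from the transaction data the wallet asks you to confirm. The following is an added example, not code from the investigation. It decodes the standard BEP-20/ERC-20 `approve(address,uint256)` call, where revoking means calling `approve` again with an amount of 0. The spender address, the balance and the trusted list are constructed placeholders.

```python
APPROVE_SELECTOR = "095ea7b3"   # first 4 bytes of keccak256("approve(address,uint256)")
MAX_UINT256 = 2**256 - 1

def encode_approve(spender, amount):
    """Build approve(spender, amount) calldata; used here only to construct samples."""
    return "0x" + APPROVE_SELECTOR + spender[2:].lower().rjust(64, "0") + format(amount, "064x")

def decode_approve(calldata):
    """Return {'spender', 'amount'} for approve() calldata, or None for any other call."""
    data = calldata.lower()
    data = data[2:] if data.startswith("0x") else data
    if len(data) != 8 + 64 + 64 or data[:8] != APPROVE_SELECTOR:
        return None
    if data[8:32] != "0" * 24:          # an address is 20 bytes, left-padded to 32
        return None
    return {"spender": "0x" + data[32:72], "amount": int(data[72:], 16)}

def assess(calldata, balance, trusted_spenders=()):
    """Warnings for a transaction the wallet asks you to confirm (amounts in base units)."""
    call = decode_approve(calldata)
    if call is None:
        return ["not an approve() call"]
    if call["amount"] == 0:
        return ["revocation: allowance for %s set to 0" % call["spender"]]
    warnings = []
    if call["amount"] == MAX_UINT256:
        warnings.append("unlimited allowance")
    elif call["amount"] > balance:
        warnings.append("allowance exceeds current balance")
    if call["spender"] not in [s.lower() for s in trusted_spenders]:
        warnings.append("spender is not on your trusted list")
    return warnings

# Constructed sample values: a placeholder spender and a wallet holding 50 tokens (18 decimals).
SPENDER = "0x" + "ab" * 20
BALANCE = 50 * 10**18

if __name__ == "__main__":
    print(assess(encode_approve(SPENDER, MAX_UINT256), BALANCE))
    print(assess(encode_approve(SPENDER, 0), BALANCE))
```

An allowance stays in force until it is overwritten, which is why the contract could keep debiting the wallet after the single confirmation in step 2.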
Investigation Summary
After some time, Binance's automatic monitoring noticed Nikita's account and marked his smart contract as phishing. But nothing prevents him from registering again and continuing to scam people.
The fraudster himself turned out to be not from Moscow or even Dubai.

The creators of the game Hamster Kombat say their mission is to attract 1 billion users to the game. Given the ease of entering crypto communities through the game in Telegram, one can only imagine how many more victims will encounter “friendly experts” in chats and lose hundreds of thousands of rubles.
In their posts, developers address players as "dear CEOs" - this creates a false sense of success and status among ordinary people. This same feeling is reinforced by scammers, who bombard newcomers with stories about a rich life, the prospect of leaving employment forever and providing for a family.
Checklist: How to Protect Yourself from Fraud on Crypto Exchanges
- Don't trust strangers who are unreasonably interested in your success. If you are told about easy money-making schemes, rich friends who "got it all right" and are constantly pushing you to top up your wallet with a new amount - most likely, you are dealing with a scammer.
- Don't trust "exclusive" activities on the exchange. Be wary when you are offered participation in closed airdrops or promotions "for insiders", especially if this requires entering personal data or giving access to the wallet.
- Check the sources of emails. Phishing emails may look official, but if you expand the email in the web version, you can always see suspicious traces: a host name made up of letters and numbers, or domain names that differ by one character.
- Check token permissions. Regularly check and revoke your token permissions on sites like BscScan.
- Be careful with requests to top up your wallet. Never send money in response to requests related to blocking an account or confirming transactions that came from unverified sources.
Recognizing fraud in the "good" intentions of people in a chat can be difficult if a person is not familiar with the specific working tools of the scammers. And we are not talking about technical means, but about psychology - the success of a scam depends on how well the scammers exploit the "bugs" of thinking, such as gullibility or a sense of urgency.