On 19 March 2023, CertiK confirmed that a project called Harvest Keeper was a scam responsible for the theft of approximately $933,000. Users' assets were stolen in two ways. First, users' deposits were transferred out of the Harvest Keeper contract to the contract owner's wallet; this was followed by a series of ice phishing transactions in which users were tricked into approving the scammers' wallets to spend tokens from the victims' own wallets. Since CertiK confirmed the Harvest Keeper scam, all social media accounts related to the project have been deleted.
On 19 March 2023, CertiK confirmed that a project named Harvest Keeper, which promoted an AI trading bot, was a scam that stole at least $933,000 worth of assets. Wallets associated with Harvest Keeper removed all users' deposits from the Harvest Keeper contract, in addition to employing an ice phishing technique that tricked users into granting permissions to malicious wallets.
The theft of assets began on 16 March, when CertiK’s incident response team noticed suspicious ice phishing transfers. When searching for the wallets associated with these transfers, it became apparent that victims were approving the malicious externally owned address (EOA) through the “Harvest” button on the Harvest Keeper website. From 17 March 2023, Harvest Keeper blocked all comments on Twitter, Telegram, and Discord as reports of theft began to surface on Twitter.
This type of exploit is known as ice phishing in the Web3 community. It differs from classic phishing, where scammers interact with victims to trick them into handing over confidential information: here, all the malicious actor has to do is trick the target into approving a malicious transaction. Ice phishing is a technique whereby the scammer tricks a victim into signing a permit or an approval for the tokens they hold, usually by disguising the approval as a fake airdrop or claim. Because an approval lets the spender move the tokens with an ordinary transferFrom() call, the malicious actor needs no confidential information (no seed phrase or private key) to steal your assets. You can read more about ice phishing and how to protect yourself in our blog on the subject.
Furthermore, on 17 March 2023, the Harvest Keeper contract was drained of user funds via a privileged getAmount() function, which withdrew approximately 709,000 USDT of user deposits. The funds were transferred to EOA 0x92288 and then on to 0x0e17a. Funds from the ice phishing incidents were also consolidated into 0x0e17a, and from there were spread across multiple EOAs, including deposit addresses at centralized exchanges.
The individuals behind Harvest Keeper went to great lengths to appear legitimate in order to lure victims into the scam. However, warning signs and red flags were present. For instance, the project guaranteed a daily profit of 4.81%. Whilst this may seem alluring to some investors, it’s important to emphasize how unrealistic such returns are. Hypothetically, if we had invested 1,000 USDT with Harvest Keeper on 1 January and reinvested the daily reward into the contract every day, by 31 December we would have over 29 billion USDT. In other words, the annual rate of return on an initial $1,000 deposit would be 2,933,566,012%, which is impossible to achieve.
There are also red flags in the team that Harvest Keeper presents as its key members. For example, an individual named Markus Peters is listed as a founder.
Image: Alleged founder of the Harvest Keeper project
This individual was present in two YouTube videos on the Harvest Keeper channel where they claim to be the founder and creator of the project. However, a reverse image search of the individual linked them to an actor for hire on Fiverr going by the handle @chasecomstock.
The actor was almost certainly approached by the true founder of Harvest Keeper to play the role of the project's owner. It’s highly unlikely that @chasecomstock has anything to do with the project's implementation. In November 2022, CertiK released a report on the KYC actor industry, in which scammers use paid actors to pose as core team members. In this instance, an actor was used to play the part of a founder.
The project also lists an additional three members:
By doing a reverse image search, CertiK was able to assess with a high degree of certainty that the individuals passing as Martin Fabre and Genry Montgomery are Ukrainian nationals. Based on these image searches, CertiK was able to place the individual passing as the CEO in Kharkiv, based on posts from friends. Additionally, the individual passing as Genry is likely located in Odessa, based on the location of his friends' posts. It is also a realistic possibility that “Genry” is a typo and was meant to spell “Henry”.
Additionally, Harvest Keeper’s Telegram account advertised an individual named Trevor Cook as their admin. However, the image presented is of a Russian influencer who goes by the handle @marvilofficial. The image used in Harvest Keeper’s admin profile is taken from @marvilofficial's Instagram page.
Additionally, a KYC provider named Securi-Lab posted an image of an individual who was KYC’d on behalf of the Harvest Keeper project. A short video was posted of an individual claiming to be responsible for the Harvest Keeper project and holding up a Spanish ID card with the name Abdeselam Chellaf Yassin. In the video, the individual speaks English with an Eastern European accent. There is a realistic possibility that the individual is originally from Ukraine or Russia.
CertiK was first alerted to the Harvest Keeper exit scam by suspicious ice phishing transactions. Upon investigation, it became clear that the victims of the detected transferFrom() transactions had been interacting with the Harvest Keeper website. Complaints began to surface on Twitter that users could not withdraw their USDT from the Harvest Keeper contract, and that the website's Harvest button was initiating an approval for a malicious wallet to spend victims' tokens.
The Harvest Keeper contract contains a centralization issue that allows the owner of the contract to withdraw all users' funds. The contract's getAmount() function allows the owner to transfer all tokens held by the contract to the owner's wallet. An owner-only function that can move user deposits, rather than just protocol fees, is a rug-pull vector regardless of anything else the contract does.
Image: Harvest Keeper contract function allowing the withdrawal of contract user funds.
The deployer called this function to withdraw approximately 709,885.57 USDT from the Harvest Keeper contract.
The funds were then transferred through a variety of EOAs and ended up in 0x0e17a, which transferred funds to centralized exchanges.
At approximately the same time as the Harvest Keeper contract was being drained, users of the Harvest Keeper platform were having assets stolen from their wallets through transferFrom() transactions. Victims of the Harvest Keeper scam were being tricked into signing approvals to a malicious wallet via the ‘Harvest’ button on the project's website. Such an approval allows the malicious wallet to submit a transferFrom() transaction that sends the user's assets to a wallet controlled by the scammers. At this point there was no doubt that the project was a scam, and it showed that the scammers were looking to extract as much value from victims as possible.
Victims were approving EOA 0x250CE, which used the transferFrom() function to send users' tokens to EOA 0x15a8a. These ice phishing transactions took place across Ethereum, Binance Smart Chain, and Polygon, with the majority of the funds lost on BSC.
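The approve-then-transferFrom pattern described above and in the ice phishing explanation earlier is simple enough to detect from calldata alone. The following is an added example (not CertiK's tooling or anything from the Harvest Keeper contracts) that decodes ERC-20 approve() and transferFrom() calls, flags approvals granted to an address with no code (a legitimate spender such as a router or vault is a contract, so an approval to an EOA is itself a red flag), and links each later transferFrom() submitted by that spender back to the approval that enabled it. The transactions, addresses, and the set of "known contracts" are constructed placeholders, not the real 0x250CE / 0x15a8a addresses; against a live node the contract check would be an eth_getCode lookup.

```python
"""Flag ERC-20 ice-phishing approvals and the transferFrom() calls that cash them in.

Added example, not CertiK's tooling. The transactions below are constructed to
mirror the pattern in the write-up (a victim approves an EOA, then that EOA
calls transferFrom()); the addresses are placeholders, not the real ones.
"""
from dataclasses import dataclass

# 4-byte function selectors: first four bytes of keccak256 of the signature.
APPROVE_SELECTOR = "095ea7b3"        # approve(address,uint256)
TRANSFER_FROM_SELECTOR = "23b872dd"  # transferFrom(address,address,uint256)
MAX_UINT256 = 2**256 - 1             # the "unlimited" allowance most dApps request


@dataclass
class Tx:
    tx_hash: str
    sender: str  # msg.sender, the account that signed the transaction
    to: str      # the ERC-20 token contract being called
    data: str    # ABI-encoded calldata as hex


def _word(data: str, i: int) -> str:
    """i-th 32-byte ABI word after the 4-byte selector."""
    return data[8 + 64 * i: 8 + 64 * (i + 1)]


def _addr(word: str) -> str:
    """Addresses are right-aligned in their 32-byte word."""
    return "0x" + word[-40:]


def decode_erc20(data: str):
    """Decode approve()/transferFrom() calldata; anything else -> (None, {})."""
    data = data.lower()
    data = data[2:] if data.startswith("0x") else data
    sel = data[:8]
    if sel == APPROVE_SELECTOR and len(data) == 8 + 64 * 2:
        return "approve", {"spender": _addr(_word(data, 0)),
                           "amount": int(_word(data, 1), 16)}
    if sel == TRANSFER_FROM_SELECTOR and len(data) == 8 + 64 * 3:
        return "transferFrom", {"from": _addr(_word(data, 0)),
                                "to": _addr(_word(data, 1)),
                                "amount": int(_word(data, 2), 16)}
    return None, {}


def find_ice_phishing(txs, known_contracts):
    """Return findings for approvals granted to EOAs and the drains that follow.

    known_contracts: lowercase addresses that have code on-chain. Here it is
    supplied directly; against a live node you would check eth_getCode for
    each spender, because a legitimate spender (router, vault) is a contract.
    """
    known_contracts = {a.lower() for a in known_contracts}
    approvals = {}  # (token, owner, spender) -> allowance
    findings = []
    for tx in txs:
        name, args = decode_erc20(tx.data)
        token, sender = tx.to.lower(), tx.sender.lower()
        if name == "approve":
            spender = args["spender"]
            approvals[(token, sender, spender)] = args["amount"]
            if spender not in known_contracts:
                findings.append({"tx": tx.tx_hash, "kind": "approval_to_eoa",
                                 "owner": sender, "spender": spender,
                                 "unlimited": args["amount"] == MAX_UINT256})
        elif name == "transferFrom":
            key = (token, args["from"], sender)
            # The approved spender itself submits transferFrom() and moves the tokens elsewhere.
            if key in approvals and sender not in known_contracts and args["to"] != args["from"]:
                findings.append({"tx": tx.tx_hash, "kind": "drain_via_transferFrom",
                                 "victim": args["from"], "spender": sender,
                                 "to": args["to"], "amount": args["amount"]})
    return findings


# --- constructed sample, not real chain data -------------------------------
def encode_approve(spender, amount):
    return APPROVE_SELECTOR + spender[2:].rjust(64, "0") + format(amount, "064x")


def encode_transfer_from(src, dst, amount):
    return (TRANSFER_FROM_SELECTOR + src[2:].rjust(64, "0")
            + dst[2:].rjust(64, "0") + format(amount, "064x"))


VICTIM = "0x" + "11" * 20
PHISHER = "0x" + "22" * 20   # externally owned account, no code
SINK = "0x" + "33" * 20      # where the phisher parks the proceeds
TOKEN = "0x" + "44" * 20     # an ERC-20 contract
ROUTER = "0x" + "55" * 20    # a legitimate contract spender, for contrast
KNOWN_CONTRACTS = {TOKEN, ROUTER}

SAMPLE_TXS = [
    Tx("0xaaa1", VICTIM, TOKEN, encode_approve(ROUTER, 1_000 * 10**18)),   # normal DEX approval
    Tx("0xaaa2", VICTIM, TOKEN, encode_approve(PHISHER, MAX_UINT256)),     # the "Harvest" click
    Tx("0xaaa3", PHISHER, TOKEN, encode_transfer_from(VICTIM, SINK, 5_000 * 10**18)),
]

if __name__ == "__main__":
    for finding in find_ice_phishing(SAMPLE_TXS, KNOWN_CONTRACTS):
        print(finding)
```

Run against the sample, the first approval (to a contract) is ignored, the unlimited approval to the EOA is flagged, and the phisher's transferFrom() is reported as a drain tied to the victim. Two caveats for real use: the selector strings must match exactly (the block hard-codes them because the standard library has no keccak256), and EIP-2612 permit() signatures never appear as a transaction from the victim at all, so a permit-based variant is only visible when the spender later submits the permit and transferFrom() calls.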
The stolen funds on BSC were transferred to EOA 0x5C67A, the same address to which funds from the Harvest Keeper contract were sent. This demonstrates that Harvest Keeper not only stole investors' deposits but also actively went after assets still held in users' own wallets.
Chart: Flow of funds from the Harvest Keeper contract and ice phisher. Source: CertiK
From the theft of user deposits to the ice phishing transactions, approximately $933,000 was stolen from victims.
A unique aspect of this scam is that the malicious actors not only stole user deposits in an exit scam, but also went after users' wallet funds in an ice phishing attack. Scams such as Harvest Keeper demonstrate the importance of robust KYC investigations into projects, rather than simple ID verification. The Harvest Keeper project triggered many red flags that CertiK investigators would spot, for example an actor claiming to be the founder of the project and a fake team. CertiK’s KYC service offers the most robust background investigation in Web3, giving the community confidence that a project's team has been thoroughly vetted. Check out skynet.certik.com for KYC badges to help you do your own research.