CertiK has been closely monitoring a serial scammer who is orchestrating honeypot schemes across at least five Telegram channels. In these channels, paid actors are used to post trading videos, before viewers are gradually steered towards investing in honeypot scams.
The nature of the tokens and their promotional tactics strongly indicate that these channels are linked, and are likely operated by the same scamming entity. Honeypot contracts with certain shared characteristics have been pivotal in these schemes, leading to approximately $3.2 million in losses.
We have identified at least five Telegram channels that are actively promoting tokens featuring certain shared honeypot mechanisms. Among these, the AltLex group stands out. Established in February 2023, AltLex utilizes the likeness of an actor to promote fraudulent versions of Linea, Paxos, and Circle tokens.
The AltLex channel showcases numerous videos featuring an individual named Alexander. Notably, recent posts include him discussing the purchase of a fraudulent Linea token, which was identified as a scam in October. Below are screenshots of three separate videos which contain “trading” updates on the fake token. Of the 27 videos uploaded to the channel, three are dedicated to promoting scam tokens. The remaining 24 videos are centered around general technical trading discussions, which we explore further in the 'Promotion of Scam Tokens' section of this blog.
Further analysis reveals a connection to another Telegram channel, DON CRYPTON, which also promotes similar scam tokens. This channel is linked to the Telegram user @royweather. The relationship between AltLex and DON CRYPTON was corroborated by a telegra[.]ph link initially titled “How To Trade Paxos With MetaMask” but later revised to “How to trade $X1 using TrustWallet”. This edited post displayed the @royweather handle, solidifying the link between the two channels.
Telegra[.]ph, a web publication tool under Telegram's umbrella, allows users to easily create and edit their online posts. The ability to edit these posts is restricted to the original publisher. This exclusive editing right further cements the connection between AltLex and DON CRYPTON, suggesting they are likely operated by the same entity.
Similar to AltLex, the DON CRYPTON channel employs the image of an actor, whose profile can be found on a casting website.
This actor also appeared in videos endorsing a scam Manta token, as shown in the following screenshot.
A third Telegram group we've identified is SZ Trades – 加密貨幣, which has been involved in promoting two fraudulent Venom tokens in December. This channel, too, employs an actor for its promotion. Similar to the AltLex and DON CRYPTON channels, SZ Trades features Makhambet discussing trading updates related to a fake Venom token.
While SZ Trades doesn't explicitly connect to the previously mentioned channels, the patterns observed on the blockchain, the coding similarities in the tokens, and their promotional strategies point towards a common scammer behind AltLex, DON CRYPTON, and SZ Trades.
Analysis of the scam contract addresses via TGStat reveals previously active but now closed Telegram channels that also promoted these honeypot tokens. These include Roger’s Academy, which advertised the same fraudulent Circle Coin as AltLex, as illustrated in the screenshot below. Another channel, Insider Lui, promoted the same fake Paxos and Circle Coins as seen in the AltLex channel.
The use of paid performers by malicious actors to steal from investors in the Web3 space is common. CertiK has seen multiple instances of scammers employing the services of performers to knowingly or unknowingly promote scams, resulting in the loss of millions of dollars. For example, the fraudulent Harvest Keeper project employed an actor on Fiverr to play the role of the CEO, and the Fintoch / Standard Cross Finance fraud employed American actors to promote a scam.
The Telegram groups we've unearthed didn't start out promoting scam honeypot contracts right away. Channels like AltLex and SZ, for instance, spent several months posting legitimate content before introducing their scams. Initially, these channels focused on sharing generic technical trading insights, particularly on major cryptocurrencies like BTC and ETH.
It was only after these channels had garnered a substantial follower base that they shifted their focus to introducing new tokens such as Linea, Paxos, Circle, and Venom. In an apparent strategy to earn trust, they would initially express skepticism about these tokens' legitimacy, possibly to give an impression of conducting thorough due diligence. The scammers would then share manipulated screenshots showing these tokens being “minted” to reputable wallets and transferred to well-known exchanges. However, these displayed transactions were fraudulent, crafted to mislead potential victims.
Subsequently, the channels would start disseminating positive news about these tokens, like alleged exchange listings and fabricated token purchases. They also began sharing telegra[.]ph links with instructions on buying these tokens via popular wallets like MetaMask and Trust Wallet, suggesting that many of their targets might be newcomers to the Web3 environment. Once enough victims were lured into buying the tokens, the scammers would create excuses as to why users couldn’t sell, while discreetly draining the liquidity and funneling the funds into Tornado Cash.
This cycle of deceit would then be repeated: promoting a new fraudulent contract either in the same or a different Telegram group, and replicating the entire process.
CertiK has established a connection to at least 10 scam contracts linked to this threat actor, cumulatively leading to losses of approximately $3.2 million. The counterfeit Venom token alone accounts for roughly $800,000 of this amount. A common characteristic of these tokens is their pairing with WETH and the inclusion of an unverified function, B6a44d65a608, which serves as a signature trait of these contracts. This function, when executed, invokes a two-step process:
First transaction:
Removes liquidity from the pool.
Burns scam tokens.
Re-adds WETH to the pool.
Second transaction:
Removes WETH from the LP.
Mints new, but fewer, scam tokens than the amount removed.
Re-adds the WETH.
This process is illustrated below with an example of how the function is called in the case of a fake Circle token.
Such maneuvers dramatically affect the price dynamics of these tokens. By removing and burning scam tokens, and then minting new ones in much smaller quantities, they manipulate the price ratio. As unsuspecting victims exchange their WETH for these scam tokens, the price ratio skews even more, creating an illusion of a surge in the token's value. However, this is not indicative of genuine market demand but rather a carefully orchestrated price manipulation scheme.
These apparent surges are showcased in the Telegram channels to convince potential victims of the rapid increase in the token's value, enticing them into the scam.
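The net effect of the two transactions described above can be reproduced on a simple pool model, which also shows how the pattern can be spotted in reserve data. This is an added example, not CertiK's code or the scam contract's: it assumes a Uniswap-v2-style constant-product (x*y=k) pool with a 0.3% fee, and the `Pool`, `reseed` and `suspicious_resets` names and all reserve figures are constructed for illustration.

```python
# Added illustration: constant-product pool model; every number is constructed.
from dataclasses import dataclass


@dataclass
class Pool:
    weth: float   # WETH reserve
    token: float  # scam-token reserve

    def price(self) -> float:
        """Spot price of one token, in WETH."""
        return self.weth / self.token

    def buy(self, weth_in: float, fee: float = 0.003) -> float:
        """Victim swaps WETH for tokens along x*y=k; returns tokens received."""
        eff = weth_in * (1 - fee)
        out = self.token * eff / (self.weth + eff)
        self.weth += weth_in
        self.token -= out
        return out

    def reseed(self, new_token_reserve: float) -> None:
        """Net effect of the two transactions: same WETH, far fewer tokens."""
        self.token = new_token_reserve


def suspicious_resets(snapshots, min_drop=0.5):
    """Return indexes where k = weth * token falls by more than min_drop while
    the WETH reserve does not fall. A swap never lowers k and an ordinary
    liquidity withdrawal lowers both reserves, so neither explains the move."""
    hits = []
    for i in range(1, len(snapshots)):
        (w0, t0), (w1, t1) = snapshots[i - 1], snapshots[i]
        if w1 >= w0 and w1 * t1 < (1 - min_drop) * w0 * t0:
            hits.append(i)
    return hits


def demo():
    """Buy, reseed, buy: returns the (weth, token) history and flagged indexes."""
    pool = Pool(weth=10.0, token=1_000_000.0)
    history = [(pool.weth, pool.token)]
    steps = (lambda: pool.buy(1.0), lambda: pool.reseed(100_000.0), lambda: pool.buy(1.0))
    for step in steps:
        step()
        history.append((pool.weth, pool.token))
    return history, suspicious_resets(history)
```

In this constructed run the spot price rises at every step, including the reseed in which no one traded, which is the all-green chart the channels display; only the reseed step is flagged.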
The telegra[.]ph articles shared in the Telegram channels offer crucial clues for identifying some of the scammers' wallets. These articles also reinforce the connections between the channels based on their on-chain activities. Typically, these posts guide users on how to buy and sell the tokens on Uniswap. For instance, in an article about a fake Paxos token, a trade is shown where 1.91M fake Paxos tokens were bought for 0.88 ETH.
By examining the liquidity pool data for these tokens, we've traced this transaction to the externally owned account (EOA) 0x644810393De83BC2C95a2867430e344a8767901b. This aligns with the scammers’ “Account 5”, which starts with 0x6448…
By analyzing the telegra[.]ph content used by the scammers, we have been able to map out several of their wallets that aren't directly linked to the creation of the scam contracts. The connections we've uncovered are detailed below.
One identified wallet, 0x655Fb01B505c124f753C6d99123e88fDa62e4155, received funding from Binance 16. This wallet is featured in a step-by-step guide on purchasing a fake Venom token using a Binance wallet, revealing that not all scam wallets are funded through Tornado Cash.
Currently, CertiK cannot conclusively determine the identity or location of the scammer behind these fraudulent tokens. However, clues in the promotional material for the scam tokens hint at their geographical location, though we remain cautious of potential misdirection. Many Telegram channels include tutorials on buying the scam tokens using MetaMask, showing screenshots with instructions for setting up MetaMask with the location set to the United Kingdom.
In the AltLex and SZ Trades – 加密貨幣 channels, there are videos of someone purportedly buying the scam tokens, an act likely intended to reassure potential victims of the tokens’ validity. In line with the UK's Financial Conduct Authority (FCA) marketing regulations, organizations offering crypto services must include disclaimers about investment risks. These disclaimers are only present for individuals in the UK (or those using a UK VPN server).
While it's possible this could be a deliberate misdirection, it's noteworthy as it may provide clues about the scammer’s location. If they are based in the UK, promoting tokens in this manner, regardless of their legitimacy, would contravene FCA regulations.
Adding to this, we’ve discovered a telegra[.]ph article, in Russian, promoting a fake Polygon token linked to this group, suggesting a more complex, international dimension to this operation.
These incidents illustrate the strategies scammers use to gain the trust of unsuspecting victims before promoting their malicious tokens. The first line of defense against such deceptive practices is to conduct comprehensive due diligence. If you encounter a token sharing a name with a recognized brand, it’s wise to consult with the social media moderators of the actual project for confirmation.
The next line of defense is understanding the characteristics of a honeypot scheme. A key indicator of potential fraud is a price chart that shows only positive trends, often misleadingly depicted as an all-green graph. Additionally, using online tools to scan contracts can reveal signs that a token might be non-tradable.
These scams also highlight the growing trend of using paid actors to lure investors into fraudulent schemes. We have observed multiple instances where actors are hired to impersonate traders, CEOs, and other pivotal roles. Major cases like the Harvest Keeper exit scam, the Fintoch/Standard Cross Finance exit scam, and a scam MEV bot promoted on YouTube all utilize this tactic. Despite emerging concerns about generative AI in sophisticated scams, the employment of paid (human) performers remains a concern. A simple Google image search can go a long way in helping users do their due diligence into individuals promoting coins or tokens.
Fake Linea: 0x00000000fEB6A772307C6aA88AB9D57b209aCb18
Paxos Coin: 0x100000b0235B10f5C7eb874296Ae1975AC9c0f4D
Polygon Token: 0x00000000F9fd50c832d79FaCFe6f4E8Ce90A5efb
Fake Venom 1: 0x777777770f62B50C6c93d2ACE413254561dB3884
Fake Venom 2: 0x77777777b79f2FA437Bf526169F98aA0C884c4B7
Fake Manta: 0x0000000f8750fD622863F6b4075DDB0011dFc730
Circle Coin: 0x00000008Ff6439F99A481BFBC401c2E525B9AaA8
X1 (1): 0x1111111BEcAb3C8866712eBf23fc4741010b8dCE
X1 (2): 0x1111111931f081EEC2188a6a9248677084e36cD7