TL;DR: scammers lurk in support channels, impersonate legit support people, and try to get you to transfer funds to them. Suspect and research anyone who contacts you uninvited.
The other day, someone tried scamming me on a Discord support channel.
I’ve been using Aave as one of my preferred DeFi platforms. A withdrawal transaction of mine got stuck for 10 hours. I tried adding gas to accelerate it – no go. Tried cancelling twice – not working either. I tried withdrawing again, now I had 2 stuck transactions.
Finally, I decided to ask for help. I went to Aave’s support channel on Discord, and laid out my problem. Nothing happened for half an hour or so, and then a guy called Pablo Candela DM’d me, offering to help.
The first thing I did, was DuckDuckGo the name (sorry, not using google anymore 😀). I found Pablo easily – he authored several Medium articles about Aave, and had his blog. On LinkedIn, he’s listed as Aave’s “Technical Support and Community Manager”. I finally went to the “About” page on Aave.com, and found Pablo’s picture, and his title of “Head of Support”.
The photos matched, and the fact that the head of support and community manager wants to help a customer aligned well. The fact that he took it to DM also meant he may have wanted to get more info about the issue and protect my privacy.
Things Get Weirder
But then it got weirder. First Pablo asked what my problem was – I explained it again. While typing, a series of events occurred – the site stopped working for me, then the first transaction finally got cancelled, the second transaction finished, and my funds were withdrawn back to my wallet. I tried informing Pablo of the new events.
Pablo asked me for the transaction’s hash – gave it to him. He then asked for my address to check on the issue. I gave him my address, seeing no issue in that – you can see all the addresses interacting with Aave’s contract on Etherscan anyway.
Then he said they had a bug in their smart contract, and he’s going to release a fix, which contains my address in it, to make sure it won’t happen again. I asked what bug, and why would my address be in the contract. He replied that “a bug is an error in a computer program”. I explained that as a developer, that’s hardly news to me.
Finally he said I need to send my funds to the contract to get the problem finally fixed. Several times I tried explaining that my funds have been withdrawn, that I don’t want to send them anywhere, that all is OK. He kept repeating that I need to send the funds again to the “new contract” to make sure this doesn’t happen again.
He kept sending me this address several times: 0x88D288780cBfBc162d410e85807EA342A8b4D925. I went on Etherscan and checked the address:
This was an account, not a contract. It was 10 days old (at the time), had under 10 transactions, and about $14 in USDT.
I Sense It's a Scam
Things started to look shady. I asked him again what he wanted me to do. He started listing instructions on how to use MEW to send funds to his “contract”. I told him I’m using Metamask. He listed instructions on how to use Metamask to send funds to his “contract”. On and on it went, until I finally said “I still do not understand: my funds are out. You want me to send funds to an address I never heard of before (that has $14 in USDT), pay gas, and then, you say, the funds will appear in Aave and I'll be able to withdraw? If I approached you with this, what would your reaction be?”.
At which point, he deleted all his comments, and closed the DM.
Will the Real Pablo Candela Please Stand Up?
I knew whoever that was tried scamming me, but I needed closure. I found Pablo’s account on the support channel and DMd him. This is the screen I saw when he answered:
My first question to the real Pablo was: “did you just chat with me?” He said no. I then informed him of what transpired. He asked me to share the other user’s number so he could block him from the channel. I gave him the number: #7863.
Every user on Discord can create any user name they want, use any profile photo they want, and add a byline. Each user is assigned a number. The user name + the number are your “unique ID”. As a channel admin, you can ban a user by his number. He can always just create another one, sadly.
Short Interview with Pablo
I took the opportunity, and asked real Pablo Candela some questions:
How often do you encounter scam attempts, on Discord, or other social media?
In Discord these have been unlikely to happen. We encountered the first scam attempts in the last few days. In other channels, like Telegram, it happens from time to time, and unfortunately the tools available in these messaging services are not good enough to filter, or avoid these attempts.
If we look at common bot-based scams – that happens a more often, but is way easier to notice, and avoid the risk.
[Added on 4/27/2020]: I now have a new [daily] recurrent task: finding people impersonating me on the [support] channel. Check out what I found this morning, for example:
How would you recommend users protect themselves from such attempts?
If you are contacted by anyone, you need to make sure the person is genuinely who they claim they are. This works the same way for all the different networks and communication channels. In the case of Discord, for example, check that you share the correct channel with that person, then check the label/id from it, and then contact him in the shared channel, to confirm that person is genuine.
Following those steps, it’s quite unlikely that anything would happen. Usually the scammer would disappear as soon as he noticed you are finding out (happens a lot in Telegram – they clear the chat and block you).
Common typical scam bots are quite likely to appear, saying you won a prize, or something similar. Impersonation, at least in my opinion, its rarer, but it happens way more than it should. This is because it requires time or work from the scammer, as opposed to running a bot.
Thanks and Disclosure
I thank Pablo for his time, and advice. And you should check out Aave, one of my favorite DeFi protocols.
I am not compensated, related, or in touch with Aave. This is my personal, unbiased, unpaid for opinion. The first (and only) time I contacted Pablo was following the scam attempt.
Remember: do not assume everyone out to help you is genuine, even if they appear like a real person. Suspect and research. And definitely, never, ever, transfer funds anywhere. If you encounter a spam attempt on a channel, warn everyone else, and make sure the channel admin is aware.