I recently wrote about a sophisticated XLM scam I came across. For those that didn’t already read this article, you can review it here: https://www.publish0x.com/protect-your-crypto/beware-of-this-sophisticated-xlm-scam-stay-safe-xojpng
Today I came across an ingenious new EOS scam. Or maybe I just thought it was ingenious because I fell for it! In hindsight, there were obvious red flags that I should have seen, but in a momentary loss of concentration, I didn’t. I thought it was a genuine Airdrop and wanted to quickly deal with it, so that I could return to what I was doing. I wanted to take this opportunity to warn others, while this scam and others like it are still live, so that you don’t fall for this too.
EOS Voice Platform scam
The scam relates to the EOS Voice platform, which is the social network platform launched by EOS Block producer Block One, and currently undergoing Beta testing. The ‘hook’ to reel you into this scam is a spam transaction that you see in your EOS account transaction history.
Fig 1. The ‘hook’
At first blush, it looks like you have received multiple Airdrops of VOICE tokens. This is not a big surprise as we have frequently received Airdrops directly to our EOS account. When I looked at my account token balances to see how many VOICE tokens I had received, I didn’t see any and so I explored further. I looked more closely at the transaction and, upon reading the transaction memos, I saw instructions to go to a website to claim the VOICE tokens – this should have already raised the ‘spidey’ senses. The number of tokens I was entitled to was in line with the EOS balance in my account, so it seemed to add up. Again, I have received many EOS Airdrops before today and often you will receive 1 token for each EOS you hold.
The next red flag (and a massive one at that) should have been the website I was asked to visit. It’s a bit.ly address which should have been very suspicious. My rush to quickly claim the Airdrop and continue with my day meant I didn’t stop to think. I actually hadn’t looked at my EOS transaction history for some time and I saw that I had been sent a message about this Airdrop for the last seven days. The message for today said that it was the last day to claim the Airdrop and so I got sucked in. When you go to the website, you see a very professional-looking site which looks exactly like the Voice website. The fonts, colours and overall page design and layout are all very genuine-looking.
Fig 2. Landing site for the scam
When you go to the site you are directed to the page in Fig 1. The page directs you to connect to your Scatter wallet to claim your voice Airdrop. Unfortunately, I went ahead and did this but if I had waited a little while and poked around the site, it would have been obvious that this is a scam. A huge red flag is that when you click on ‘FAQ’, ‘Blog’, ‘Get to know Voice’ or ‘Claim Voice’ you end up back at this landing page. If you click on ‘Company’ you are directed to Block One’s website. Taking just a few seconds here to look around before jumping in to claim tokens would make you suspicious but unfortunately, I went ahead and claimed my tokens. ☹
Fortunately, I had the very latest version of Scatter installed and not the Chrome extension, otherwise this could have been much worse (more on this in a moment). When you connect your Scatter wallet, you are asked to confirm that you wish to proceed and receive your VOICE tokens. When you approve the transaction, a strange thing happens: your EOS wallet is emptied.
The second saving grace was that I had almost all my EOS staked. It was not freely available in my wallet and so my loss was small (~3.8 EOS), but still bloody annoying and I felt really stupid when I realised what I had done! At first, I had no idea what had happened. I didn’t receive any VOICE tokens and only then started to dig deeper… then it dawned on me that I had been scammed!
The scam attempts to swap the private keys of the scammer’s account with your private keys and swaps the zero balance of their account with your balance. You will see a pair of entries in your EOS transaction history. One is a fake transfer from the scammer to you (of whatever balance you had in your EOS account) and the other transaction, a transfer from your wallet to theirs. If you have the latest version of Scatter then it seems that they are not able to take control of your private keys but they can still get any unstaked EOS in your account.
HireVibes EOS Scam?
In Figure 1 above, you will see that I also had a spam transaction in my EOS history about the Hirevibes Airdrop. Newly wise, and a little poorer after a visit to the Voice site, I decided to check out this site too (see Fig 2). This site again looks legitimate and even had a legitimate-looking URL (hirevibe.co). If I had gone to this site first, I may have also fallen for it.
Fig 3. Hirevibe Airdrop
From the landing page, I took a moment to look around the site and found a few dead links which looked suspicious. Also, three of the four links from the landing page funnel take you straight back. This time I had seen enough and knew immediately it was a scam!
Again, I am amazed at the creative efforts that are being invested into the latest crypto scams. It is an alarming trend and I am sure they will only get better at this. They are already very slick and professional-looking and I am sure that they manage to get a steady flow of tokens from unsuspecting newbies and from more experienced crypto enthusiasts alike. I am mortified that I fell for this but there are a few key learnings for EOS and for crypto holders to take from this:
- Make sure you have the latest versions of the software for your preferred wallet. For EOS holders, ensure that you have the very latest version of Scatter. As wallets are developed, more security is continually added to protect against known exploits. With an older version of Scatter, this scam would have been catastrophic. They could have taken possession of my private keys, locked me out of my account and taken all of my EOS.
- Stake all of your EOS tokens. If mine had not been mostly staked, and had instead been freely available in my wallet, I would have lost them all. If somebody for some reason does manage to get access to your account and tries to unstake your tokens, you will have three days before the tokens become available in your wallet and can be transferred out. This provides sufficient time to take the matter up with the Block Producers or to take action to re-stake the tokens.
- Never trust spam memos in your EOS transaction history. We can all be fooled by a chance to make a quick buck and crypto Airdrops can look attractive. Genuine Airdrops just land in your wallet without you having to go through some elaborate claim process. Just ignore the spam and don’t be tempted to visit any suspicious looking URLs provided. Even if they are genuine, the potential reward does not justify the risk.
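The red flags described above (a memo telling you to visit a link, a link shortener such as bit.ly, "claim" or "last day" wording, and the same sender repeating the message day after day) can be checked mechanically before you click anything. The Python sketch below is an added example, not part of the original article or of any wallet software; the transfer records, account names and the bit.ly/EXAMPLE link are constructed, and the from/to/quantity/memo fields are assumed to come from an export of your own transaction history.

```python
import re
from collections import defaultdict

# Link shorteners hide the real destination; the memo in this article used bit.ly.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "is.gd"}
LURE_RE = re.compile(r"\b(claim|airdrop|last day|expires?|hurry)\b", re.I)
# Matches http(s) URLs and bare domains such as "bit.ly/abc"; group 1 is the host.
URL_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})(?:/\S*)?", re.I)

def memo_flags(memo):
    """Return the set of red flags found in a single transfer memo."""
    flags = set()
    hosts = {m.group(1).lower() for m in URL_RE.finditer(memo)}
    if hosts:
        flags.add("link-in-memo")
    if hosts & SHORTENERS:
        flags.add("link-shortener")
    if LURE_RE.search(memo):
        flags.add("claim-or-urgency-wording")
    return flags

def scan_history(transfers, my_account):
    """Group flagged incoming transfers by sender; mark senders that repeat."""
    report = defaultdict(lambda: {"count": 0, "flags": set()})
    for t in transfers:
        if t["to"] != my_account:
            continue  # outgoing transfers carry memos written by you
        flags = memo_flags(t.get("memo", ""))
        if flags:
            report[t["from"]]["count"] += 1
            report[t["from"]]["flags"] |= flags
    for entry in report.values():
        if entry["count"] > 1:  # same lure sent again, as over the seven days here
            entry["flags"].add("repeated-sender")
    return dict(report)

# Constructed sample history (not real accounts or links).
SAMPLE = [
    {"from": "voiceairdrp1", "to": "myaccount123", "quantity": "0.0001 EOS",
     "memo": "VOICE airdrop available, claim at bit.ly/EXAMPLE"},
    {"from": "voiceairdrp1", "to": "myaccount123", "quantity": "0.0001 EOS",
     "memo": "You are entitled to 38.2000 VOICE. Claim at bit.ly/EXAMPLE - last day!"},
    {"from": "friendacct11", "to": "myaccount123", "quantity": "5.0000 EOS",
     "memo": "lunch money"},
    {"from": "myaccount123", "to": "exchange1111", "quantity": "1.0000 EOS",
     "memo": "deposit 12345"},
]

if __name__ == "__main__":
    for sender, entry in scan_history(SAMPLE, "myaccount123").items():
        print(sender, entry["count"], sorted(entry["flags"]))
```

Any sender this reports is one whose memos should be ignored, not followed.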
Thank you for your time and I hope that you enjoyed reading this article. If you want to help me recover the tokens I lost, then I would be happy and grateful for any small contributions you might like to make.