Continuing on in my morose vein, today lets look at another pitfall, actually more of a scam, that people who rush into crypto seem to get caught more often than one would reasonably assume.
Honeypots can cause significant financial losses and erode trust in the cryptocurrency ecosystem.
While in old novels a honeypot would be the use of a beautiful femme fatale with the promise of a sexual or romantic relationship to compromise a target, in "traditional" cybersecurity, a honeypot is a system set up to attract and analyse attacks. In the crypto space it has a far more sinister meaning.
Crypto honeypots are malicious schemes that exploit the decentralized and often opaque nature of the blockchain
They are designed to lure unsuspecting victims into parting with their funds.
How do they work?
Honeytraps often come in the form of smart contracts that are executed on legitimate blockchains. These smart contracts can look very appealing, promising high returns or unique benefits. As always, they will tell you that if you put your money in, you'll make a lot more money quickly (in some way or form). But hidden within the code of these smart contracts are commands that make it impossible for you to withdraw once sent it. Usually it will be coded such that only the scammer can withdraw.
Let us now look at a honeypot that you will (or already have been) be inevitably exposed to when traversing the crypto jungle. This typical honeypot scheme will come as a message on Telegram, other social media or even Twitter. Someone will pretend not to know how their Crypto can be withdrawn (or they have some stumbling block) and then proceed direct message their PRIVATE KEYS (or the recovery words) and public keys to their target. When the target actually checks the block chain, he can see that there are in-fact a large number of coins on the public address, and since he has the private keys, he should be able to transfer them out, right?
So now the greedy target sees all the coins in that wallet to which he has the private keys and wants to take them out an transfer it into her own wallet. However, the target coin is on a chain (like BNB or Ethereum) where you need to have some tiny amount of coins in the associated wallet to cover gas fees. Since you are in Publish0x, it will probably be easier to understand, like you having an Optimism and an Optimistic Ethereum wallet. Your Ethereum wallet and optimistic Ethereum wallet are the same and you need to have some balance in one to cover the fees to transfer out from the other. It's only a tiny amount, compared to the value of the transaction, that you need to have in the other wallet.
So now what does our greedy target do? And this is where the scheme relies on the human nature, and greed, in particular. The target transfers a small amount of coin (needed to effect transactions) into the account he has been given, and then tries to steal (yes, the target thinks he's hit it off big) some of the coins. But the transfer won't go through. He checks why not. There is not enough coins to cover the fees. But he just transferred some. So he checks. Then he sees that what he transferred has been immediately transferred out. He could be dumb and transfer some more or realise that, like the Nigerian 419 scams, this was the intended outcome all the time. Promise of huge riches to siphon off insignificant amounts in the reverse direction. Does the target try to beat the transfer out? He will soon find he cannot, because it is not a person sitting on the other end transferring crypto out, but a script that kicks in milliseconds after it sees new money come in. Had he been prudent, the target would have checked the address and seen these small transfers out beforehand. He's been had.
This is one typical way these (lets call them 419) honeypot schemes work. Basically the idea is the same. The promise of something big, but it is thwarted by scripts, hidden code or just plain outright deception. Usually a honeypot scam is basically anything that is a deceptive or malicious smart contract specifically designed to lure unsuspecting target into parting with their funds, whether through their own greed or, other means:
- Fake Token Contracts: A contract that allows users to buy a token but restricts (through a number of different mechanisms) selling it back or transferring it. (don't confuse this with some legitimate exchanges who block transfers until they get their act sorted. in those you can still sell them)
- Staking Schemes: Promises of high returns for staking a token, but the staked amount cannot be withdrawn or is drained by the contract creator.
- Liquidity Pools: Setting up liquidity pools that appear profitable but have secret code that prevents liquidity providers (read us) from withdrawing their funds.
How do I avoid these scams?
The first and most important step, which you have now taken, is to be aware that there are such scams afoot. This is half the battle won. Look at any proposal or scheme or even very legit looking website with suspicion. If it's too good to be true, treat it as a probable scam rather than an opportunity. Scammers are wise now, and they won't make it too good to be true, so even a scheme that provides legitimate looking rewards can be a honeypot. Almost certainly, anyone approaching you directly on social media to get "help" withdrawing "their" funds is a scammer. I have one reaching out to me on Telegram even as I type this.
If you were technically savvy, you would thoroughly analyse the smart contract code before interacting with it using the likes of Etherscan to inspect the code for any potential traps. However if you can do that, you would have smelled the scam from a mile away. With any proposal use community resources, forums, and review sites to check the reputation of the project and its developers before throwing money at it. Remember new coins and sophisticate scams will spend money setting up a social profile, so make sure you are listening to sources you can trust, not a moonstruck buddy with dilated pupils. You could stick to well-known and established platforms for trading and other activities. This is akin to sticking to well known brands when buying shoes. You know you'll be getting a good product, but you will be paying a decent amount for it. Look for projects that have undergone independent security audits by security firms you recognise and check on the security firms site if that is true.
This brings me to the final paragraph of this article. Remember that all financial institutions, be it your bank, your pension fund, or investment program, while they have been set up with a service in mind, have transformed into entities that try to whack as big a portion of your money as possible. Some of them do it legitimately, via fees or percentages they are upfront and transparent about. However these scammers, while they want your money, operate in illegal ways and need your cooperation to succeed. They operate by promising you big outcomes, while they never have an intention of keeping that promise. In both cases you lose money.
Be aware. Be safe. Be suspicious.
Disclaimer: This article (by me, Rumjus) is for informational purposes only. It is based on my personal (and anecdotal) experience. None of the content is financial advice. Readers are strongly advised to conduct their research, exercise judgment, and be aware of the inherent risks with crypto currency (and any other) investments. I am not liable for any financial losses you incur. Cryptocurrency markets are highly volatile and the possibility of investments tanking is higher than traditional investment instruments. The cryptocurrency space is also riddled with scams and actors with nefarious intent, so the possibility of losing your money is very real.I am not liable for any loss you may suffer.