Summer of Scammers: PancakeSwap cryptocurrency thieves


Cryptocurrency is experiencing a huge boom. With this explosion in popularity, and people getting rich quick, come the cybercriminals looking to exploit this new technology. Unfortunately, while there may be a large amount of money to be made from cryptocurrecny there are very little controls or regulations preventing scams. Unlike other centralised financial services, such as banks, cryptocurrency users are only as protected as their own personal operational security (OPSEC). While there are long guides on OPSEC for cryptocurrency users, many new users are lacking here and do not use a strong password or two-factor authentication (2FA). This makes them sitting ducks for cybercriminals. This blog will detail how users of a relatively new platform, PancakeSwap, are being highly targeted. 

In their own words "PancakeSwap is the leading decentralized exchange on Binance Smart Chain, with the highest trading volumes in the market". Despite its comical name, PancakeSwap is no joke. The platform launched in September 2020 by its two co-founders Hops and Thumper (consistent with the rabbit theme). As a platform that regularly clocks in over $100 million in 24-hour trading volume, it is one of the most popular decentalized finance (DeFi) apps of all time. Much like Bitcoin, the team behind PancakeSwap is completely anonymous and does not have a helpdesk or any kind of customer support. [1, 2, 3]

Although I am not a PancakeSwap user, I was first alerted to these scams after being targeted myself via Twitter DMs. A scammer, posing as the official @PancakeSwap Twitter account, replied to a Tweet of mine and said to DM them about some made up "technical issue". I decided to explore what the angle of this social engineering attack was. The scammer tried to get me to visit a malicious site (archived here) that posed as WalletConnect. The service is legitimate but can be used to hijack a user's cryptocurrency wallet if the authentication code is given away.

Fig. 1 - Twitter DMs from the PancakeSwap scammer

Fig. 2 - WalletConnect phishing page hosted on NameCheap

After this I visited the scammers accounts and could view their tweets and replies to see who else they have targeted and could see hundreds of other threads the attackers had replied to.

Fig. 3 - Fake PancakeSwap Twitter accounts replying to random threads on Twitter

As a security researcher that looks at this stuff daily, I knew there was going to be more and was naturally inclined to pivot to find new accounts. I was curious to see just how many of these scammers there were. This led me to uncover an additional 24 Twitter accounts posing as PancakeSwap:

Twitter was also not the only source of attacks. Although Twitter is a huge social media platform for cryptocurrency users, the users of other sites and apps such as Telegram and Reddit are also prone to being targeted this way.

Fig. 3 - Scammers targeting users on Telegram (Left) and Reddit (Right)

Tracking WalletConnect phishing proved difficult as I figured out quickly that these types of phishing pages are used to target many different types of cryptocurrency, not just PancakeSwap. However, in Fig. 3, in the Telegram attack, I noticed the scammers had registered a PancakeSwap typosquatting domain. The real domain is being impersonated by adding a "v2" to the front of it. This subtle addition is used to hopefully trick an unsuspecting user into visiting the site and eventually handing over access to their wallets to the scammer.

Using the Certificate Stream (see here) I decided to check just how many PancakeSwap-themed typosquatting domains there are and uncovered hundreds. For a service that only appeared in September 2020, I found there are a high number of malicious domains impersonating it. The findings also show that Summer 2021 has been a boom for the scammers, registered hundreds of domains in June, July, and August.

Fig. 4 - PanakeSwap-themed domains registered per month since launch

Fig. 5 - PancakeSwap-themed domains registered per day since launch

Fig. 6 - Share of which web hosts have the highest percentage of the PancakeSwap-themed domains

In theory, taking down such scams is simple. Twitter has a built-in reporting feature that allows anyone to report an account. I was able to report some PancakeSwap accounts and, to Twitter's credit, they were eventually taken down.

Fig. 7 - Successful takedown requests against PancakeSwap-themed accounts actively scamming

To PancakeSwap's credit, their Telegram channel has a bot which reminds users about scams multiple times a day. Although this may be more indicative of how users struggle to keep themselves secure while using the service, or how limited the security features are in the service is, it is nonetheless obviously clear that there are a lot of scammers targeting its users.

Fig. 8 - Scam warning bot in the official PancakeSwap Telegram channel.

For cryptocurrency users, this issue is not going away. Cryptocurrency has become one of the most targeted verticals inside one of the most targeted sectors: finance. Cryptocurrency users are a soft target for cybercriminals. Stealing and laundering funds from cryptocurrency wallets is simpler than from a traditional bank account. Cryptocurrency wallets are not monitored or protected by anti-fraud protection and it is down to the user to add 2FA and use a strong password, whereas with a bank this is mandatory more often than not. 

The PancakeSwap scammers are using the same tactics, techniques, and procedures (TTPs) that I have seen in other scams, such as SMS phishing targeting UK mobile carriers and UK banks. This includes registering a large amount of typosquatting domains via registrars such as OVH SAS and NameCheap, who constantly allow cybercriminals to register many typosquatting domains in bulk and seem not to care what the domains are used for. 

Lastly, Twitter Security also need to step up here. The issue with Twitter is that anyone can create accounts for free as many times as they want. Twitter should know by now that their platform is rife with cryptocurrency scammers and should implement stronger protections to stop them creating so many accounts so quickly. Although there is no panacea to stop these scammers, as Twitter is one of the biggest sources of these attacks they could make their life harder by enforcing stricter account creation rules. For example, creating a Twitter handle with a known brand, such as "PancakeSwap", followed by "help" or "support" should be an instant red flag in my eyes.

Popular posts from this blog

Raspberry Robin: A global USB malware campaign providing access to ransomware operators

Tracking Adversaries: Scattered Spider, the BlackCat affiliate

Lessons from the iSOON Leaks