Anchor Lost funds
There has been an increase in reports of new Anchor users losing funds. Analyze the following transactions, noting any suspicious user behavior. How did these new users lose their funds? How can this be prevented?
Objective
There has been an increase in reports of new Anchor users losing funds to fraud or to scam copies of the official sites. Our role is to identify the pattern in these transactions and suggest steps to reduce such incidents. To help with this, we have been given a set of transaction ids that have been found to be fraudulent. Using these, we hope to draw some insight into how the hackers or scammers trick users. The following are the transaction ids provided:
- 878ABBCD9B56B87E3F985F32C9DF123CDD0461769D11C30AE6184DDBF3CA957
- 4CD70119C3511BD1E32E257922D3FC7EAB1FF49676D55E74ADD227B51FD312D7
- 42DDF088E005419E79E08A3A01321684B15542A727FBF7D9A17DBE7C38BD148B
- A98CB31B1C2E5FFB0A05AF070E9CCC5C4D07C873E8890DF85A4CE3CF5A3ABFDA
- 08B5CA181537A4137512B0B632383F3E18696E0A600BBDB658FC7450BE7E57A6
- 7657331CBE3D94AD99D5D0390B3C8A62334D6EF051EC3038A17BFFE0E31A6799
- 0E0A5D974414046971582D06BEDB61E2C2D40F7B994265799E46DFA0D2060ACD
- 71AAC360D53222F18EC7BBED19A3CA2E125BF645CE8D466B1BE6D4DCFAEB3794
Introduction
In order to understand the scams, we first need to understand a few of the terms involved, so we will go through a brief overview of the Anchor protocol and of phishing campaigns.
Disclaimer: This article is influenced by the Vice article on phishing attacks on Terra users. You can read more about it here.
Anchor protocol
Anchor Protocol is a savings protocol built on the Terra ecosystem. It offers a good return (much higher than traditional banks) with low volatility, since deposits are held in Terra's stablecoins (UST being the main one). The yield is based on a diversified stream of staking rewards from leading proof-of-stake blockchains. For a more detailed understanding of the Anchor protocol, you can go through the Medium post here.
Phishing
Phishing is a popular form of cybercrime because of how effective it is. Phishing (pronounced: fishing) is an attack that attempts to steal your money or your identity by getting you to reveal personal information to a site that impersonates a legitimate website. Cybercriminals typically pretend to be reputable companies, friends or acquaintances in a fake message that contains a link to the phishing website.
If you would like to know more about phishing, the steps to avoid getting phished, and how to report such incidents, you can read more about it here.
Anchor Phishing
We shall now look at one of the major phishing incidents, which occurred in April 2022. The phishing operation was spotted by the cybersecurity firms Knownsec Blockchain Labs and SlowMist. According to Knownsec, the hackers stole $4.31 million from 52 wallets between April 12 and April 21.
How did the scammer pull it off?
One of the ways to phish is to impersonate the official website and buy a Google ad so that the fake appears above the official link in the search results, leading some users to believe that the first result is the legitimate website.
An example of one of the fraudulent websites
On clicking the ad, the user is re-routed to a similar-looking website created by the scammer. The URL shown on the ad appears to match the real Terra bridge URL, bridge.terra.money, but once clicked, instead of going to bridge.terra.money the user is redirected to bridge.terra.momey.biz. The text an ad displays is not its destination: the only thing to trust is the address bar after landing, and even that has to be read character by character (money versus momey). Knownsec posted a Terra address that the company says is linked to the hack.
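The check a wallet extension or a user could apply to the ad described above, written here as an added example (it is not code from the original analysis nor from any Terra or Anchor tooling): compare the host the ad displays with the host the browser actually lands on, decide whether the landing host's registrable domain is one of the legitimate domains, and flag hosts that borrow a legitimate brand label without belonging to that domain. The set of legitimate domains and the two sample URL pairs are assumptions constructed for the example.

```python
"""Compare the URL an ad displays with the URL the browser actually lands on,
and flag hosts that borrow a legitimate brand without belonging to it.
Added example; not part of the original analysis or of any Terra tooling."""
from typing import Dict, Optional
from urllib.parse import urlsplit

# Assumption: these are the only registrable domains treated as legitimate.
LEGIT_DOMAINS = {"terra.money", "anchorprotocol.com"}


def host_of(url: str) -> str:
    """Lower-cased hostname of a URL, or '' if the URL has none."""
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def registrable_domain(host: str) -> str:
    """Last two labels of the host. Enough for .money/.biz/.com; a public
    suffix list would be needed for multi-part suffixes such as .co.uk."""
    return ".".join(host.split(".")[-2:])


def is_legit(url: str) -> bool:
    """True only if the registrable domain (not a substring) is trusted."""
    return registrable_domain(host_of(url)) in LEGIT_DOMAINS


def abused_brand(url: str) -> Optional[str]:
    """Legitimate domain whose brand label appears inside a host that does
    not belong to it, e.g. 'terra' in bridge.terra.momey.biz."""
    if is_legit(url):
        return None
    labels = host_of(url).replace("-", ".").split(".")
    for legit in sorted(LEGIT_DOMAINS):
        if legit.split(".")[0] in labels:
            return legit
    return None


def check_ad(displayed_url: str, landing_url: str) -> Dict[str, object]:
    """Verdict for one ad: does the landing host match what was displayed,
    is the landing domain trusted, and does it abuse a trusted brand?"""
    shown, landed = host_of(displayed_url), host_of(landing_url)
    return {
        "displayed_host": shown,
        "landing_host": landed,
        "host_mismatch": shown != landed,
        "landing_legit": is_legit(landing_url),
        "abused_brand": abused_brand(landing_url),
    }


if __name__ == "__main__":
    # Constructed input mirroring the ad described in the text.
    print(check_ad("https://bridge.terra.money", "https://bridge.terra.momey.biz/"))
    print(check_ad("https://bridge.terra.money", "https://bridge.terra.money/"))
```

The point of `registrable_domain` is that a trust decision must be made on the registrable domain, never on a substring match: `bridge.terra.momey.biz` contains `terra` but its registrable domain is `momey.biz`, which is exactly what `abused_brand` reports.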
Analysing the attack outcome
According to the report from SlowMist, the scammer phished at least 53 accounts (Knownsec's count is 52). The primary address of the scammer is thought to be terra1fz57nt6t3nnxel6q77wsmxxdesn7rgy0h27x30, so in this article we shall now analyse all transactions related to this address.
Number of victims
We first determine how many victims sent funds to that address.
We see that 53 distinct addresses sent funds to the scammer's address. Now we shall look at how much might have been phished.
A total of 4.3 million USD worth of LUNA and UST was phished.
We chose the median rather than the average or the maximum amount to avoid the influence of outliers. We notice that although there are certain peaks (6 AM UTC), there is no consistent trend over time.
We shall now look at the demographics of the victims.
Fortunately, the majority of victims were small holders: beginners, that is users holding 1-10 UST, and octopuses (10-50 UST). Whales and humpback whales were also hit and make up around 12-13% of the victims, indicating that no one is immune.
Analysis of address provided by Flipside
We now analyse all transactions in the eight transaction ids provided by Flipside (listed under Objective above).
We analyse the transactions by destination address to see whether there is any pattern.
From the analysis we see that two of the receiver addresses carry names that copy the labels of legitimate contracts. In detail, if we look at all the transactions and identify the receiver of each, we get 8 distinct receivers. We then count how many transactions each receiver has received in total (all of them, not just these tx_ids).
- The address terra1zgrx9jjqrfye8swykfgmd6hpde60j0nszzupp9 carries the name "astroport generator", yet it does not appear under that label in the Terra tables, indicating that the name is fake.
- Similarly, the address terra1wmaty65yt7mjw6fjfymkd9zsm6atsq82d9arcd carries the name "ANC-UUSD-LP", which does not exist on the Anchor protocol. The closest legitimate name is ANC-USD-LP. This is another suspicious address.
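The receiver check described above, as an added example (not the original analysis's query and not Flipside or Anchor code): group a set of transfers by receiver, count and sum what each receiver got, and compare the name attached to each receiver against a verified label table. A name that exactly matches a verified label but sits on a different address is an impersonation; a name within a small edit distance of a verified label (ANC-UUSD-LP versus ANC-USD-LP) is a lookalike. The two flagged receivers are the addresses named in the text; the verified-label table, the other addresses and the transfer records are constructed placeholders, not real Terra data.

```python
"""Check receiver addresses of a set of transactions against a known-label
table and flag impersonated or near-miss contract names. Added example, not
part of the original analysis; the label table and the entries marked
'constructed' are placeholders, not real Terra data."""
from collections import Counter
from typing import Dict, List, Tuple

# Verified contract labels (constructed placeholders standing in for a real
# label table such as the one the analysis pulls from Flipside).
KNOWN_LABELS: Dict[str, str] = {
    "terra1constructedastroportgenerator000000000": "Astroport Generator",
    "terra1constructedanclp00000000000000000000000": "ANC-USD-LP",
}

# Constructed transfers: (tx_id, receiver, display_name, amount_usd).
# The two flagged receivers are the addresses called out in the text.
TRANSFERS: List[Tuple[str, str, str, float]] = [
    ("tx-a", "terra1zgrx9jjqrfye8swykfgmd6hpde60j0nszzupp9", "astroport generator", 1200.0),
    ("tx-b", "terra1zgrx9jjqrfye8swykfgmd6hpde60j0nszzupp9", "astroport generator", 340.5),
    ("tx-c", "terra1wmaty65yt7mjw6fjfymkd9zsm6atsq82d9arcd", "ANC-UUSD-LP", 980.0),
    ("tx-d", "terra1constructedanclp00000000000000000000000", "ANC-USD-LP", 50.0),
]


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot one- or two-character lookalike names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def norm(name: str) -> str:
    return name.strip().lower()


def classify(address: str, display_name: str) -> str:
    """Verdict for one receiver: verified, impersonation, lookalike or unknown."""
    if address in KNOWN_LABELS:
        if norm(KNOWN_LABELS[address]) == norm(display_name):
            return "verified"
        return "known address, display name mismatch"
    # Unknown address: does its display name copy, or nearly copy, a verified label?
    for real in KNOWN_LABELS.values():
        d = levenshtein(norm(real), norm(display_name))
        if d == 0:
            return f"impersonates '{real}' (name reused on unknown address)"
        if d <= 2:
            return f"lookalike of '{real}' (edit distance {d})"
    return "unknown label"


def receiver_report(transfers=TRANSFERS) -> Dict[str, Dict[str, object]]:
    """Per receiver: number of transfers received, USD total and verdict."""
    counts = Counter(r for _, r, _, _ in transfers)
    names = {r: n for _, r, n, _ in transfers}
    totals: Counter = Counter()
    for _, r, _, usd in transfers:
        totals[r] += usd
    return {
        r: {"transfers": counts[r], "usd": totals[r], "verdict": classify(r, names[r])}
        for r in counts
    }


if __name__ == "__main__":
    for addr, row in receiver_report().items():
        print(addr, row)
```

The verdict depends on the address, never on the name alone: a display name is attacker-controlled, while the verified-label table is keyed by address, which is why the exact-name match on an unknown address is the strongest signal rather than a pass.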