FACCT specialists discovered a fraudulent scheme using ENS domains (a domain name system built on the Ethereum blockchain), aimed at employees of crypto exchanges and cryptocurrency enthusiasts.
According to researchers, attacks begin with the use of social engineering: attackers establish a business contact, promising the victim profitable investments in various projects. In fact, this stage is necessary to “warm up” the counterparty, that is, scammers ingratiate themselves into the person’s trust, putting him in a “dependent position.”
Advertisement
During further communication, the scammers ask for help in finding trusted cryptocurrency sellers. They claim they need cryptocurrency to buy diamonds and gold in countries where cash transactions are allegedly difficult. Among such countries, for example, India was mentioned. In addition, in connection with the sanctions, when the Moscow Exchange, the National Clearing Center (NCC) and the National Settlement Depository (NSD) were included in the US SDN list, as well as in connection with the suspension of dollar and euro trading by the exchange, researchers expect an expansion of geography schemes for other countries with which there are trade economic ties.
The theft itself took place on the day when the purchase and sale transaction was supposed to take place: a courier was supposed to arrive with cash from the bank. However, several hours before the appointed time, the attackers requested a video call, during which they said that they needed to make sure that the cryptocurrency was “purity”, that is, to make sure that it was not involved in illegal transfers (this could lead to the freezing of the cryptocurrency on the exchange when attempting to withdraw it, or link the buyer to any pending criminal matter).
The “verification” process involved the cryptocurrency seller having to transfer his funds from one address to another. According to the scammers, this is done to ensure that the cryptocurrency is real and that the seller’s crypto wallets are not blacklisted.
During or after the video call, the victim was convinced under various pretexts (for example, to prove the purity of the origin of assets, or the absence of his wallet on blacklists) to transfer cryptocurrency to a unique address, adding .eth at the end.
Advertisement
To make sure the buyer's request is secure, the seller usually sends a small amount (e.g. 100 USDT, 10 USDT) to his_address.eth, which is actually an ENS domain and actually points to another ETH address. The test amount actually arrives at the original address of the cryptocurrency seller, and he transfers all remaining funds to the same ENS domain. The cryptocurrency transferred in this transaction no longer reaches the seller, but ends up in the attacker’s wallet.
The fact is that after making the first transaction, which showed that the cryptocurrency is real, scammers immediately register an ENS domain identical to the address from which the money was sent.
ENS (Ethereum Naming Service) is a distributed domain name system built on the Ethereum blockchain. Just as DNS associates a domain name with an IP address, ENS associates a domain name with an Ethereum address. The owner of a domain is verified primarily by his address in the blockchain.
The only spelling difference between the merchant's address and the generated ENS domain is the presence of the “.eth” string in the ENS domain. The registered ENS domain will point to the scammer's crypto address, not the seller's. Thus, when the seller sends a test amount of 10 USDT to the ENS address, the attacker receives it instead. Once he receives the money, he transfers the same amount to the merchant's second address in less than a minute.
After making sure that everything is in order, the victim seller begins to trust the buyer and sends the remaining considerable amount. As a result, the money ends up in the attacker’s crypto wallet, indicated in the ENS records. ENS records can be verified by entering the ENS address on the website https://app.ens.domains. The associated crypto address can be seen in the Records tab.
However, this time the scammer, of course, does not transfer the money to the seller’s address. Instead, he sends the funds to one of his crypto wallets, stealing the cryptocurrency.
The researchers note that ENS records, like DNS records, can be changed. That is, the address pointed to by the ENS domain can be changed by the owner at any time.
By examining the ENS records, you can see the scammer’s Ethereum address and, using the mentioned website (app.ens.domains), get a list of all ENS domains that were created using it. Thus, it was discovered that several ENS domains were registered to scammers, which look like real crypto addresses. That is, the attackers allegedly targeted several cryptocurrency sellers at once.
