Security Research

An In-Depth Exploration of the Recently Discovered “Sleepdrop” Scam

September 28, 2023

Forta is a real-time detection network for security monitoring of blockchain activity. The decentralized Forta Network scans all transactions and block-by-block state changes, leveraging machine learning to detect threats and anomalies on wallets, DeFi, NFTs, bridges, governance and other Web3 systems. When issues are detected, Web3 infrastructure can respond to prevent attacks via transaction screening and incident response.  

The Forta Network and Blockfence recently discovered a new, sophisticated scam flow triggered by NFT sleepdrops. Over 500K addresses have already received the drop, and over 20K victims have been confirmed. The verified amount of stolen funds has crossed $11.5M; the broader money flows associated with the scammer contracts suggest the total could be as much as $32M in stolen assets. The attackers did an outstanding job of leaving almost no traces behind, yet over 100 different smart contracts involved in this scam could be tied together based on their deployment patterns.

About NFT Sleepdropping Scams: Sleepdropping is a deceptive tactic where scammers send ERC-1155 tokens to a user's wallet, making it seem like they're coming from a legitimate contract address. While this doesn't directly risk user funds, it acts as a bait, directing users to a scam website. Once there, they're often tricked by ice phishing attacks into signing transactions that look genuine, but instead transfer their assets to the attacker's wallet.

Web3 offers a world of opportunities but also brings challenges, notably scams that can mislead even the most vigilant users into irreversible transactions. Understanding and addressing these threats is crucial.

Blockfence and the Forta community recently undertook a detailed study of a new type of scam campaign on Ethereum Mainnet. The campaign was unearthed by a Forta Scam Detector alert.

The campaign had a considerable reach, affecting over 500,000 users, with more than 20,000 becoming victims and losing about $11.5M. This is likely the tip of the iceberg: funds totaling $32.3M have been associated with the scammer addresses. Most of the funds have been laundered through Tornado Cash. The campaign was observed across all three stages usually associated with a scam:

The Lure: An airdrop operation that delivered NFTs, which appeared to be coming from credible sources (aka sleepdrop)

The Hook: Websites designed to lead users to initiate potentially harmful transactions.

The Catch: Deceptive contracts that solicited direct transfers from unsuspecting users.

Fortunately, in the last two years, the ecosystem has evolved tremendously in understanding these threats and giving users the tools to protect themselves: from browser plugins, wallet integrations, to automated threat intelligence feeds. As security measures advance, however, scammers are also adjusting their methods, so they can continue to reap a return on their investment.

Furthermore, as these malicious actors recognize their activities are being monitored, they modify their strategies, often rotating addresses and web sites to avoid detection. This shifting landscape highlights the importance of real-time threat intelligence.

Collaboration remains key in addressing these issues. Forta's Threat Intelligence, for instance, feeds into Blockfence's systems, where it is combined with additional data to create a protected end-user experience. This Threat Intelligence is also available to the broader ecosystem through the Forta App, and users can install it for free via Blockfence's open-source browser extension.

Forta is an open protocol where developers and security researchers obtain rewards for the threat intelligence value they generate on the network. Blockfence is a security aggregation and orchestration layer that helps users (directly and via wallets and VASPs) to stay safe while interacting with digital assets and websites. Join the fight and make Web3 a safer place for all. 

Campaign Details

To dive into the campaign in more detail, the research is broken up into the three stages (lure, hook, and catch) and followed by notable techniques observed in this campaign. All indicators of the campaign can be found in the appendix.

The Lure

The Lure of this campaign consists of an NFT airdrop. In the example below, a Lido NFT token is airdropped.

A savvy user may review the transfer in more detail only to see that the token appears to be transferred from the legitimate Lido: Early Stakers Airdrop account. Unfortunately, this is a deception that takes advantage of how ERC token contracts are implemented: an ERC-1155 contract decides for itself which values it emits in its TransferSingle event, and block explorers render that event's from field as the sender. A scam contract can therefore emit a transfer whose from field is the legitimate account, even though that account never signed anything. This deceptive technique has been coined sleepdrop.
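The following detector, added here as an example and not code from the original post or from Forta's own bots, shows what the sleepdrop shape looks like at the log level. It decodes raw ERC-1155 TransferSingle receipt logs and flags those whose from field names a watched high-profile account that neither signed the transaction nor acted as operator, while the emitting contract is not one that account is known to use. The watched account, contracts, addresses and sample logs are all constructed for the example; the one real constant is the standard TransferSingle topic hash.

```python
"""Sleepdrop detector for ERC-1155 TransferSingle logs (added example, constructed data).

A sleepdropped NFT appears to come from a trusted account because the scam contract
emits a TransferSingle event whose `from` field is the impersonated address. That
address never signed the transaction and is not the event's `operator`; both of
those are controlled by the scammer. The heuristic below flags exactly that shape
for a watch list of high-profile accounts, while tolerating the legitimate case of a
marketplace (operator) moving a seller's (from) token on a buyer's (tx sender) behalf.
"""

# keccak256("TransferSingle(address,address,address,uint256,uint256)")
TRANSFER_SINGLE_TOPIC = "0xc3d58168c5ae7397731d063d5bbf3d657854427343f4c083240f7aacaa2d0f62"
ZERO_ADDRESS = "0x" + "00" * 20

# Hypothetical addresses standing in for the accounts and contracts in the post.
LIDO_AIRDROP_ACCOUNT = "0x" + "11" * 20   # impersonated high-profile account
LIDO_REAL_NFT = "0x" + "55" * 20          # a contract that account legitimately uses
SCAMMER_EOA = "0x" + "22" * 20
SCAM_ERC1155 = "0x" + "33" * 20
VICTIM = "0x" + "44" * 20
MARKETPLACE = "0x" + "77" * 20
BUYER = "0x" + "88" * 20

WATCHED_ACCOUNTS = {LIDO_AIRDROP_ACCOUNT: "Lido: Early Stakers Airdrop (hypothetical)"}
# Contracts from which a watched account's outgoing transfers are expected.
LEGITIMATE_CONTRACTS = {LIDO_AIRDROP_ACCOUNT: {LIDO_REAL_NFT}}


def _topic_address(topic):
    """An indexed address is left-padded to 32 bytes; keep the low 20 bytes."""
    return "0x" + topic[-40:].lower()


def decode_transfer_single(log):
    """Return the decoded event, or None if the log is not a TransferSingle."""
    topics = log["topics"]
    if len(topics) != 4 or topics[0].lower() != TRANSFER_SINGLE_TOPIC:
        return None
    data = bytes.fromhex(log["data"][2:])
    if len(data) != 64:  # id and value are two non-indexed uint256 words
        return None
    return {
        "contract": log["address"].lower(),
        "operator": _topic_address(topics[1]),
        "from": _topic_address(topics[2]),
        "to": _topic_address(topics[3]),
        "id": int.from_bytes(data[:32], "big"),
        "value": int.from_bytes(data[32:], "big"),
    }


def find_sleepdrops(transactions):
    """transactions: iterable of {"from": tx sender, "logs": [raw receipt logs]}."""
    findings = []
    for tx in transactions:
        sender = tx["from"].lower()
        for log in tx["logs"]:
            ev = decode_transfer_single(log)
            if ev is None or ev["from"] == ZERO_ADDRESS:  # a plain mint impersonates nobody
                continue
            if ev["from"] not in WATCHED_ACCOUNTS:
                continue
            # Legitimate: the account itself signed, or it is the operator moving its own token.
            if ev["from"] in (sender, ev["operator"]):
                continue
            # Legitimate: a known contract of that account (e.g. a marketplace sale it approved).
            if ev["contract"] in LEGITIMATE_CONTRACTS.get(ev["from"], set()):
                continue
            findings.append({
                "impersonated": WATCHED_ACCOUNTS[ev["from"]],
                "contract": ev["contract"],
                "operator": ev["operator"],
                "recipient": ev["to"],
                "token_id": ev["id"],
            })
    return findings


def _pad(addr):
    return "0x" + "00" * 12 + addr[2:].lower()


def _word(n):
    return n.to_bytes(32, "big").hex()


def _log(contract, operator, frm, to, token_id=1, amount=1):
    return {"address": contract,
            "topics": [TRANSFER_SINGLE_TOPIC, _pad(operator), _pad(frm), _pad(to)],
            "data": "0x" + _word(token_id) + _word(amount)}


# Constructed sample: a sleepdrop plus a plain mint by the scam contract, a marketplace
# sale of the watched account's real NFT, and an airdrop the account signed itself.
SAMPLE_TXS = [
    {"from": SCAMMER_EOA, "logs": [
        _log(SCAM_ERC1155, SCAMMER_EOA, LIDO_AIRDROP_ACCOUNT, VICTIM, token_id=7),
        _log(SCAM_ERC1155, SCAMMER_EOA, ZERO_ADDRESS, VICTIM, token_id=8),
    ]},
    {"from": BUYER, "logs": [_log(LIDO_REAL_NFT, MARKETPLACE, LIDO_AIRDROP_ACCOUNT, BUYER)]},
    {"from": LIDO_AIRDROP_ACCOUNT,
     "logs": [_log(LIDO_REAL_NFT, LIDO_AIRDROP_ACCOUNT, LIDO_AIRDROP_ACCOUNT, VICTIM)]},
]

if __name__ == "__main__":
    for f in find_sleepdrops(SAMPLE_TXS):
        print(f"sleepdrop: {f['impersonated']} impersonated by {f['contract']} -> {f['recipient']}")
```

Only the first log is reported: the mint has a zero from, the marketplace sale comes from a contract the account is known to use, and the last transfer was signed by the account itself. In production the watch list would hold real high-profile accounts and their real contracts, and TransferBatch would need the same treatment.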

The sleepdrops first appeared in December 2022 and have been dropped to more than 500,000 wallets. They have imitated a broad range of crypto projects, from Lido to Uniswap and from Bored Apes to Native Punks. Reviewing your own transaction history may reveal such a sleepdrop as well. Scammers analyze blockchain data to reach users as effectively as possible and can target them to a high degree. For instance, several BAYC holders received the BoredApeLuxury.club (BALC) NFT.

A complete list of sleepdrop names is as follows:

AlienSwap.Fi : Genesis Pass
AlienSwap.Fi : Waitlist Pass
Apecoin Airdrop Recipient
ApeStakeDao.io : Genesis Staker
EthersFi: Genesis NFT
Lido Airdrop Recipient
Lido Reward NFT
Nativepunk Mint Pass
Noox : Lido Airdrop Recipient
Noox : Uniswap Airdrop Recipient
Noox.Fi : Uniswap Airdrop Recipient
Noox.finance : Uniswap Airdrop Recipient
Noox.tech : Uniswap Airdrop Recipient
Nooxbadge.Pro : Uniswap Airdrop Recipient
Unisocks NFT
Unisocks.Fi: Genesis Airdrop
Unisocks.fi : Genesis Item
Unisocks.org: Genesis Airdrop
Unisocks.org : Genesis Item 

The Hook

The NFT, on its own, does no harm to a user's digital assets. Ignoring it is the safest bet. However, if a user believes the airdrop is actually coming from a legitimate source, they may be curious to see whether there is something to claim, since airdrops can be very valuable. The two examples below show two URLs (one in the image associated with the token; one in its description). In either case, the text entices the user to visit the web page to unlock access or to claim an airdrop.

The web site encourages users to perform some action, such as clicking on a button to claim another airdrop, access, exchange the NFT for other tokens, etc. 

The Catch

Once the user engages with the web site, the hook is set and the scammer works on reeling in the catch. Once the wallet is connected via WalletConnect, the site's script calls two functions, getNFTData and getTokenData (lines 680 and 681 of the script). Both use Moralis's API to retrieve the NFTs owned by the user.

The subsequent call to the mint function (line 682) evaluates the attack surface and the worth of the connected account, prioritizes the attack by value and then tries to execute it.

Usually this results in the user being prompted to perform a 'Security Update' or 'Claim Rewards' on their wallet.

The 'Security Update' / 'Claim Rewards' prompt is another deceptive technique, so-called native ice phishing. The scammer has deployed a smart contract with a function called SecurityUpdate. When the malicious Dapp creates the transaction, the user thinks they are performing a security update on their wallet, whereas in fact they are invoking the scammer's smart contract. As part of this transaction, the scammer configured the call to transfer a certain amount of ETH (in this case about $5.45 USD worth) to the smart contract, as shown below. Note that the amount stolen is likely adjusted dynamically based on how much ETH resides in the wallet; other transactions carry hundreds of USD.

The implementation of the contract (it is source-code verified on Etherscan) shows this is a trivial payable function that merely accepts the ETH sent to it:

The owner of the smart contract (0x649bE2b67628FFa5D a in this instance) can withdraw any deposited ETH when sufficient funds have been accumulated. For instance, in the transaction below, the scammer transfers 8.455 ETH from the contract to the scammer EOA.
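The value flow described above (many wallets paying a bare payable function, one owner sweeping the balance) is the on-chain signature of native ice phishing. The profiler below is an added example with constructed records, not the campaign's real transactions and not Forta's own detection bot. Each record mimics a decoded transaction: the function name is what a verified source lets an explorer display, log_count is the number of events the call emitted, and internal_transfers lists ETH the contract sent out. The lure-name set (beyond SecurityUpdate and ClaimRewards, which the post names), the thresholds and all addresses are assumptions.

```python
"""Native ice phishing profile: many EOAs pay a bare payable function, one EOA sweeps it.

Added example with constructed records. The discriminator against a legitimate paid
mint is the combination of three signals: senders pay but get no token or event back,
the called function carries a wallet "maintenance" name, and the accumulated ETH leaves
through at most a couple of sink addresses (the owner's EOA in the post).
"""

from collections import defaultdict

WEI = 10**18
# SecurityUpdate and ClaimRewards come from the post; the rest are assumed variants.
LURE_NAMES = {"securityupdate", "claimrewards", "claim", "connectwallet", "verify"}

SCAM_CONTRACT = "0x" + "aa" * 20   # hypothetical
SCAM_OWNER = "0x" + "bb" * 20
MINT_CONTRACT = "0x" + "cc" * 20   # a legitimate paid mint, used as a decoy


def profile_contracts(txs, min_victims=5, max_sinks=2, silent_ratio_threshold=0.9):
    """Return one finding per contract whose value flow matches native ice phishing."""
    per = defaultdict(lambda: {"senders": set(), "paid_wei": 0, "silent_calls": 0,
                               "calls": 0, "lure_calls": 0, "outflow": defaultdict(int)})
    for tx in txs:
        c = per[tx["to"].lower()]
        if tx["value_wei"] > 0:
            c["calls"] += 1
            c["senders"].add(tx["from"].lower())
            c["paid_wei"] += tx["value_wei"]
            if tx["log_count"] == 0:  # paid, but no token/event came back
                c["silent_calls"] += 1
            if (tx["function"] or "").lower() in LURE_NAMES:
                c["lure_calls"] += 1
        for it in tx.get("internal_transfers", []):
            if it["from"].lower() == tx["to"].lower():  # contract paying out
                c["outflow"][it["to"].lower()] += it["value_wei"]

    findings = []
    for contract, c in per.items():
        if c["calls"] == 0 or len(c["senders"]) < min_victims:
            continue
        silent_ratio = c["silent_calls"] / c["calls"]
        if c["lure_calls"] == 0 and silent_ratio < silent_ratio_threshold:
            continue  # paid mints emit Transfer events; this contract behaves
        if len(c["outflow"]) > max_sinks:
            continue  # revenue split across many parties looks like a business, not a sweep
        findings.append({
            "contract": contract,
            "victims": len(c["senders"]),
            "stolen_eth": c["paid_wei"] / WEI,
            "lure_calls": c["lure_calls"],
            "sinks": dict(c["outflow"]),
        })
    return findings


def _victim_call(i, wei, fn):
    return {"from": "0x" + f"{i:040x}", "to": SCAM_CONTRACT, "function": fn,
            "value_wei": wei, "log_count": 0, "internal_transfers": []}


# Constructed data: eight victims paying 0.003 ETH each, then the owner's sweep.
SAMPLE_TXS = [_victim_call(i, 3 * 10**15, "SecurityUpdate" if i % 2 else "ClaimRewards")
              for i in range(1, 9)]
SAMPLE_TXS.append({"from": SCAM_OWNER, "to": SCAM_CONTRACT, "function": "withdraw",
                   "value_wei": 0, "log_count": 0,
                   "internal_transfers": [{"from": SCAM_CONTRACT, "to": SCAM_OWNER,
                                           "value_wei": 8 * 3 * 10**15}]})
# Decoy: a paid mint with just as many buyers, but every call emits a Transfer event.
SAMPLE_TXS += [{"from": "0x" + f"{100 + i:040x}", "to": MINT_CONTRACT, "function": "mint",
                "value_wei": 8 * 10**16, "log_count": 1, "internal_transfers": []}
               for i in range(8)]

if __name__ == "__main__":
    for f in profile_contracts(SAMPLE_TXS):
        print(f"{f['contract']}: {f['victims']} victims, {f['stolen_eth']:.4f} ETH, sinks={f['sinks']}")
```

Run on real data, the same aggregation produces the per-contract victim counts and totals quoted in this post; the function-name signal is only available where the contract is verified or the selector is known, which is why the silent-call ratio is kept as an independent signal.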

The contracts associated with the Catch received more than 20K transactions, with a total of $11.5M stolen. Following the funds further reveals assets in the amount of $32.3M. Most of the funds were laundered through Tornado Cash.

Technical Details

Now that we understand the campaign at a high level, let's dive into some interesting technical details of the campaign. What these details show is that the scammer heavily invested in evasion techniques (both on-chain and off-chain).

Evasion Techniques (On-Chain)

The sleepdrops were first observed in December 2022. The scammer used a non-standard proxy pattern in which they deployed two contracts. The first contract (e.g. 0x85a8747ceacc31c1c1c8c8439faaffa623129f9c) is the ERC-1155 contract and is source-code verified on Etherscan. Many users treat verification as a sign that a contract is legitimate without reading the source; verification only proves that the deployed bytecode matches the published source, not that the source does anything honest.

Reviewing that source shows the contract is fairly sparse: it merely passes the call on to the implementation contract (e.g. 0x475524DE13F635CbBcA065C3B70C35cDEb6125ea), which is not source-code verified but contains all the token logic.

Combining code similarity with deployment patterns makes it possible to gauge the magnitude of this scam. Almost 150 contracts are used in it. Visualizing the proxy and implementation contracts reveals the following graph. The scammer tried to keep the deployers (red) and proxy contracts (green) isolated, but there are groups of contracts that all point to the same implementation contract (blue).

With these contracts in hand, a time-based view shows an interesting pattern. The scatter chart below maps the daily transaction activity per contract; blue denotes implementation contracts and green proxy contracts. Contracts are active only for short periods of time and are then rotated by the scammer. The pattern changed slightly over the year: earlier, several contracts were deployed at the same time, whereas more recently a single active contract is used for a few days before the scammer creates a new one.
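The two analyses above (tying thin forwarders to their implementations, then charting when each contract was active) can be reproduced offline from bytecode and transaction counts. The script below is an added example with constructed bytecode and hypothetical addresses, not Forta's or Blockfence's tooling. It assumes, which the post does not state, that the forwarder hard-codes its target as a PUSH20 immediate in front of the CALL/DELEGATECALL; a target read from a storage slot would need a state query instead.

```python
"""Proxy/implementation mapping and contract rotation (added example, constructed data).

Part 1 walks runtime bytecode the way a disassembler does, honouring PUSHn immediates so
that a 0xF4 byte inside pushed data is not mistaken for DELEGATECALL, and records the
PUSH20 constant consumed by each CALL/DELEGATECALL/STATICCALL.
Part 2 links proxies to implementations and deployers with union-find and computes each
contract's active window from daily transaction counts.
"""

from collections import defaultdict

CALL, DELEGATECALL, STATICCALL = 0xF1, 0xF4, 0xFA
PUSH1, PUSH20, PUSH32 = 0x60, 0x73, 0x7F


def disassemble(code):
    """Yield (offset, opcode, immediate) for each instruction in `code`."""
    i = 0
    while i < len(code):
        op = code[i]
        if PUSH1 <= op <= PUSH32:
            n = op - PUSH1 + 1
            yield i, op, code[i + 1:i + 1 + n]
            i += 1 + n
        else:
            yield i, op, b""
            i += 1


def forward_targets(code):
    """Addresses pushed as PUSH20 and consumed by the next CALL/DELEGATECALL/STATICCALL."""
    targets, pending = [], None
    for _, op, imm in disassemble(code):
        if op == PUSH20 and len(imm) == 20:
            pending = "0x" + imm.hex()
        elif op in (CALL, DELEGATECALL, STATICCALL):
            if pending:
                targets.append((op, pending))
            pending = None
    return targets


IMPL_A = "0x" + "a1" * 20  # hypothetical implementation address
# Constructed forwarder: PUSH1 0 | PUSH1 0 | CALLDATASIZE | PUSH1 0 | PUSH20 impl | GAS | DELEGATECALL
FORWARDER = (bytes([0x60, 0, 0x60, 0, 0x36, 0x60, 0, 0x73])
             + bytes.fromhex(IMPL_A[2:]) + bytes([0x5A, 0xF4]))
# Constructed decoy: a PUSH32 whose immediate is all 0xF4 bytes, then STOP. A naive byte
# scan would report 32 DELEGATECALLs here; the disassembler reports none.
DECOY = bytes([0x7F]) + bytes([0xF4] * 32) + bytes([0x00])


def cluster(contracts):
    """Group contracts that share an implementation or a deployer (union-find)."""
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    def union(a, b):
        parent[find(a)] = find(b)

    for c in contracts:
        union(c["address"], c["deployer"])
        if c.get("impl"):
            union(c["address"], c["impl"])
    groups = defaultdict(set)
    for node in list(parent):
        groups[find(node)].add(node)
    return sorted((sorted(g) for g in groups.values()), key=len, reverse=True)


def active_windows(daily_counts):
    """{contract: {YYYY-MM-DD: txs}} -> [(first_day, last_day, contract)] sorted by start."""
    out = []
    for contract, days in daily_counts.items():
        active = sorted(d for d, n in days.items() if n > 0)
        if active:
            out.append((active[0], active[-1], contract))
    return sorted(out)


# Constructed records: isolated deployers, two proxies sharing IMPL_A, one on another impl.
CONTRACTS = [
    {"address": "0x" + "01" * 20, "deployer": "0x" + "d1" * 20, "impl": IMPL_A},
    {"address": "0x" + "02" * 20, "deployer": "0x" + "d2" * 20, "impl": IMPL_A},
    {"address": "0x" + "03" * 20, "deployer": "0x" + "d3" * 20, "impl": "0x" + "a2" * 20},
]
DAILY = {
    "0x" + "01" * 20: {"2023-07-20": 40, "2023-07-21": 55, "2023-07-22": 0},
    "0x" + "02" * 20: {"2023-07-22": 30, "2023-07-23": 48, "2023-07-24": 12},
    "0x" + "03" * 20: {"2023-07-25": 60},
}

if __name__ == "__main__":
    print(forward_targets(FORWARDER), forward_targets(DECOY))
    print(cluster(CONTRACTS))
    print(active_windows(DAILY))
```

On the constructed data the two proxies that share IMPL_A, their deployers and the implementation fall into one cluster despite the deployers being distinct, and the windows come out back to back (20-21, 22-24, 25 July), which is the serial rotation the chart shows.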

Evasion Techniques (Off-Chain)

Similar to what happens on-chain, the scammer tries to evade detection for their off-chain assets, namely the web sites associated with the Hook stage of the scam. Overall, dozens of web sites were observed, which are rotated over time much like the contracts.

The web sites themselves employed several evasion techniques:

Bot Detection: This obstructs automated scans originating from tools such as Puppeteer and Chromium.

Anti-Debug Protection: This prevents debugging of the website's code with tools like Chrome DevTools.

Geolocation/IP Detection: Although its precise functioning is still unclear, the websites behave differently depending on the visitor's geographical location. When accessed from some countries the sites behave differently than when accessed from others, where the scam actually establishes a connection with the wallet.

Wallet connections were established through the WalletConnect service.

The common thread linking these websites is a shared script loaded from https://jquerymin[.]live/jquerymin.js, which suggests they are part of the same scam operation. The file was obfuscated with an external JavaScript obfuscation tool, most likely this one.

The obfuscated code

As with the on-chain contract addresses, the attackers reuse addresses but also rotate them aggressively over time. For instance, the addresses retrieved on July 24th were completely different from those retrieved on July 31st.

By leveraging Web3 mapping and data extraction capabilities, researchers were able to associate all the websites with the same campaign and find additional related assets. In the following example the assets are presented in relation to each other, with the suspicious URLs (on the left) mapped to the suspicious blockchain addresses (on the right).

Scammers are economically incentivized and try to maximize their return on investment. This deep dive observes the campaign from start (the sleepdrop) to finish (native ice phishing). The campaign has run for nine months unimpeded. The scammer has automated the rotation of indicators and protects them through evasion techniques: a non-standard proxy implementation, anti-crawling technology on the web sites and aggressive rotation of contracts, addresses and domains. The scammer has also employed deceptive techniques such as sleepdropping and source-verified contracts to convince end users that they received a legitimate airdrop. The campaign targeted at least 500,000 users and succeeded in scamming more than 20,000 of them out of $11.5M USD.

End users will not be able to counter these threats by themselves: the indicators are difficult to spot and constantly in flux. The Web3 ecosystem needs to protect users from these scams, be it through security plugins, wallet integrations, or real-time threat intelligence. If you would like to join the fight, join Forta's Threat Research Initiative, develop Forta Detection Bots, integrate with the Blockfence Security Aggregation Layer, deep dive into campaigns, and share your insights to make Web3 a more secure place.
