Anatomy of a Web3 Scam

Article by Forta Network Aug. 1, 2023

Forta is a real-time detection network for security monitoring of blockchain activity. The decentralized Forta Network scans all transactions and block-by-block state changes, leveraging machine learning to detect threats and anomalies on wallets, DeFi, NFTs, bridges, governance and other Web3 systems. When issues are detected, Web3 infrastructure can respond to prevent attacks via transaction screening and incident response.


Web3 scams have proliferated rapidly over the last few years. Thousands of users have been targeted through various means, from solicitation on social media apps to unexpected tokens appearing in their wallets, and even to digital assets vanishing without a trace. Even more concerning, social media is rife with distressing accounts of individuals who have lost their life savings. These scams are not merely inconvenient—they can lead to considerable financial loss, damage trust in the Web3 ecosystem, and potentially jeopardize the entire Web3 vision.

Scams vary in scope and scale, spanning from targeted attacks on specific high-value assets—colloquially referred to as “pig butchering”—to large-scale deceptions like ice phishing and rug pulls. To build robust defensive measures, it’s crucial to understand the typical stages of these scams. Broadly speaking, a scam unfolds in three phases: the Lure, the Hook, and the Catch.

Phase 1: The Lure 🎣

The Lure is the stage where scammers cast their bait. This could be an off-chain or on-chain event, automated or manually executed, designed to attract a wide audience or a specific individual. Examples include a Discord bot promoting a new meme coin (off-chain, automated, mass), an NFT token airdrop targeted at Bored Ape Yacht Club holders (on-chain, automated, targeted), or a personal interaction on a dating app with someone known to own digital assets (off-chain, manual, targeted).

Figure 1: Example of a Lure – an airdropped NFT targeting BAYC holders

The objective of the Lure is to pique interest, enticing potential victims to take a specific action. This action could be visiting a certain website or searching for a specific DEX pool to purchase a token. The bait must be appealing enough to prompt action but not so conspicuous as to scare away the prey.

Phase 2: The Hook 🪝

Following the Lure comes the Hook. This phase typically involves the user visiting a website or engaging more deeply with the scammer. The Hook can also be implicit. For example, the rising price of a new rug pull meme coin might entice a user to seek out DEXes to purchase the token.

Figure 2: Example website where users can claim their free tokens

Phase 3: The Catch 🐟

The last stage is the Catch. At this juncture, the user is not just hooked, but completely reeled in. The scammer successfully monetizes their victim, siphoning off digital assets. This could happen through direct asset transfers (as seen in native ice phishing, pig butchering, or rug pulls), or indirectly by gaining control over the victim’s assets (as in fraudulent NFT orders or ice phishing).

Figure 3: Screenshots of a transaction that gives a scammer control over a user’s digital assets

Distinguishing a legitimate opportunity from a scam in Web3 can be challenging. Scammers are continuously honing their techniques and investing effort in making their scams appear legitimate. Therefore, staying up to date on scams is essential for safe navigation.

That’s where the Forta Network can help. Real-time threat intelligence feeds offered on the Forta Network identify threats across all three scam stages. The Spam Detector helps identify suspicious airdropped tokens—a common Lure—while the Scam Detector offers wide-ranging threat intelligence, monitoring off-chain components (the Hook, such as scammer websites) and on-chain monetization strategies (the Catch, scammer EOAs, and contracts), including fraudulent NFT orders, ice phishing, native ice phishing, and more. The Solidus Rug Pull feed exposes a comprehensive set of rug pull token contracts.

To protect yourself and your end users from these scams at all three stages, subscribe to a free trial of these threat intelligence feeds today.