Deleting Token Spam with Forta

Article by Forta Network Oct. 24, 2023

Forta is the largest network of security intel in Web3. The decentralized Forta Network leverages machine learning to detect exploits, scams and other threats.   

Scam token deception may be at an end with the introduction of Forta’s Spam Detector, a novel detection implementation created by Forta community member Artem Kovalchuk. This tool is engineered to address the prevalent issue of spam tokens on EVM blockchains, enhancing security and promoting a safer user environment.

Spam tokens have become a notorious issue since the advent of permissionless token creation and scammers will often distribute them en masse on cheaper blockchains like BSC and Polygon. The ease of permissionless deployment and minimal gas cost associated with these activities have led to an influx of spam tokens, muddying the blockchain networks’ waters.

A significant portion of spam tokens leverage a method known as passive airdrop for distribution, reaching multiple recipients in a single transaction and thereby saving on transaction fees. This technique, termed SleepDrop for ERC20 tokens and SleepMint for NFT tokens, enables malefactors to execute token transfers on behalf of unsuspecting accounts.

Spam Token Categories

Based on their nefarious intentions, spam tokens are typically segmented into four categories:

1. Scams

This category includes tokens whose purpose is to use fraudulent techniques such as Rug Pull, Token Impersonation. The purpose of these tokens is to get the victim to buy their token on DEX or marketplaces if it is NFT. Spamming these tokens is used as a tool to blur the eyes of potential victims about the alleged ownership of these tokens by other accounts. Recipients of these tokens are often accounts of famous NFT artists, project deployers, foundation addresses, and hot wallets of exchanges.

Scammer created a fake token, most of which he sent to the Three Arrows Capital account.
Then the scammer has removed all liquidity after the victims bought the tokens  

2. Phishing

The majority of spam tokens are phishing tokens. The goal for them is to entice users to visit their link. This is accomplished by providing deceptive text inside the tokens’ metadata. 

For example, among ERC20 spam tokens, it is common to specify the estimated value of the tokens received in the name metadata, such as “$212.03”. The victim, seeing this token name in his wallet, trying to understand how to get this amount, goes to the phishing site specified in the token symbol metadata. On the site itself, a wallet drainer, ice phishing, or other deceptive techniques to drain funds from the victim’s wallet.

An example of phishing tokens on the balance of one of the MEV bots

A typical “confirm to receive” scam site that’s mentioned in the phishing tokens

NFTs allow for more sophisticated approaches. The attacker mint NFTs to victims and, using the Wash Trading technique, manipulates the price of these tokens. The victim sees that tokens have been distributed to them, the price of which can be quite impressive. However, the victim cannot sell these NFTs, as the transaction ends in a revert when trying to confirm the transfer of the tokens.

The point is that the attacker has specifically limited access to operations on tokens in the code of the smart contract. Only special addresses have access to their execution.

The victim, tempted by the price of the tokens, begins to investigate further and discovers in the description that it turns out to activate access to these tokens via a phishing link. The victim goes to the site and confirms the transfer of the tokens to the attacker.  


3. Address poisoning

The attack aims to trick victims into transferring their assets to a fraudulent address that is designed to look very similar to their own. The attacker creates a “vanity address” which can be a custom address with a specific set of characters made to look similar to the intended recipient’s address.

When the victim carelessly copies the address from a previous transaction, they may accidentally send their assets to the fraudulent address instead. It’s important to carefully confirm the address before making a transfer to ensure that assets are not accidentally sent to the wrong account.

After most services and wallets began to flag or ignore such transactions, attackers began to take a different approach, in which they create their own tokens with token metadata to fake the real ones: USDT, USDC, DAI, ETH etc.

Picture – Address poisoning attack with fake ETH, USDT, and USDC tokens 

4. Promotional spam

The last category of spam is the most harmless, as the purpose of this spam is to promote a token. Very often such tokens are distributed to a small number of people and tend to have low or no value. 

Picture – An example of such an NFT collection that was passively minted to 102 recipients.   

Functionality of the Spam Detector

Spam Detector is designed to detect all these spam categories. To detect spam, the bot uses advanced algorithms that analyze multiple indicators. These indicators include token metadata analysis, compliance with declared token standards, distribution rationality and analysis of creator and recipient behavior.

Here is a set of the indicators utilized in the Spam Detector:

A passive airdrop with no claim by the recipient of the mint (or transfer). The airdrop indicator considers the number of unique recipients, both within a single transaction and across multiple transactions during a specified time period.

A very few of the accounts that received a token had any interaction with the token after a massive distribution of the token. This behavior often indicates that the value of the token is low.

There is a redundancy in the massiveness and duration of an airdrop. For instance, an airdrop that lasts for several months and affects many accounts, given the low token activity, is likely indicative of spam.

A significant portion of the tokens in the airdrop were distributed to accounts that are Honeypot, indicating an unwarranted airdrop.

The significant presence of Honeypots, such as Binance, Pranksy, vitalik.eth, among the token holders, which is a strong indication of unwarranted airdrops.

A token creator generated a vast quantity of unique tokens within a brief timeframe, a conduct commonly associated with spammy behavior.

A single token in the ERC-721 collection has been transferred to multiple owners indicating fraudulent transfers. This action constitutes a direct violation of the ERC-721 standard.

An ERC-721 NFT collection contains numerous duplicate tokens indicating fraudulent behaviour.

A token contract lies about its token supply, as there is a substantial difference between the value obtained by running totalSupply() on the contract and the actual number of tokens in circulation.

An account has somehow managed to spend more tokens than they possess. This may indicate an inadequately operating token contract that fails to emit Transfer events upon the mint of new tokens.

As part of the airdrop, a fraudulent technique is used to create events supposedly about the transfers of tokens from some well-known account, such as Binance, OpenSea or accounts like vitalik.eth.

The metadata of an airdropped token contains a link to a website, and the token uses deceptive techniques to lure users to follow the link. These techniques include the use of keywords like “claim,” “reward,” and “activate,” as well as incorporating an alleged token price into its name.

The metadata of the airdropped token replicates the name and symbol of an existing token identically.

With these robust features, the Spam Detector stands as a formidable shield against spam tokens for the Forta community. This initiative represents a monumental stride towards fostering a secure and flourishing blockchain ecosystem. The Spam Detector is now available for use by protocols, infrastructure projects, and individuals within the Forta App for $49/month.