The Threat of Fake Deposit Attacks

Posted on jun. 1, 2021 | BLOG

Source

The unprecedented growth of the nascent cryptocurrency market, buoyed by advances in blockchain technology and the economics around it, has seen the emergence of both good and nefarious actors. 

Hundreds of cryptocurrency exchanges have cropped up to facilitate the trading of the nearly 10,000 cryptocurrencies in existence. Conversely, this growth has also attracted hackers and cybercriminals, who among their arsenal of exploits, have taken advantage of this new wealth by launching what is known as fake deposit attacks.

Attacks in the cryptocurrency sector, including areas such as decentralized finance (DeFi) have resulted in losses amounting to millions of dollars, mostly at the expense of retail traders. The need to constantly beef up cybersecurity cannot be overstated, and despite this fact, not many people are aware of fake deposit attacks and their dangerous impact.

What are fake deposit attacks?

A fake deposit attack is a security threat linked to tokens and exchanges. This kind of attack has been observed on Ethereum and other blockchain networks such as EOS.io.

The fake deposit attack can only be successful if a token flouts the technical implementation rules and an exchange has flaws in its verification processes. 

For example, a token may be created without fully implementing the requirement of a token standard. The non-standard implementation of token standards coupled with the vulnerabilities found in exchanges - both centralized and decentralized - could result in security loopholes that may be exploited via fake deposit attacks.

Bitcoin, as the first blockchain in existence, showed the world the potential of distributed ledger technology. However, due to limitations posed by performance and scalability issues, it became impossible for the first blockchain network to support complex applications.

It is for this reason that Ethereum was created. Ethereum supports smart contracts - which is one of its major selling points - and allows the creation and issuance of cryptocurrencies through the ERC-20 technical standard. However, bugs have the potential to undermine the security of ERC-20-based tokens, especially if token standards are not strictly adhered to.

How do fake deposit attacks happen?

During a fake deposit attack, a bad actor deposits tokens in an exchange and takes advantage of vulnerabilitiesbugs in smart contracts when they make the deposit. The user tampers with the exchange’s verification mechanism to make a fake deposit which allows the attacker to deceive the exchange. The attacker’s token account balance will be inflated and show a transfer amount that is larger than the deposited amount.

In the end, the attacker ends up with more tokens, without spending any capital, except as part of  their hacking efforts, at the expense of his victims.

Why are the thwarting of fake deposit attacks important?

The manipulation of the smart contract code for tokens listed on exchanges has an overall impact on the exchange itself, token holders, and to some extent, the broader cryptocurrency market.

When the hacker drains fraudulently obtained tokens from an exchange, there is a possibility of crashing the marketplace. This, in turn, leads to token holders losing all their assets unless measures are put in place to recoup the losses.

Hacks have historically resulted in price slumps for the crypto market. Although, this could be likened more to a speed bump as the market can recover quickly, but it could heavily affect traders who made risky crypto bets.

A 2020 report published by Peking University, Beijing University of Posts and Telecommunications, Zhejiang University, and the University of Queensland stated that about 7,772 tokens have security vulnerabilities that could lead to fake deposit attacks. 

Furthermore, the report found out that $1 billion in tokens on the Ethereum blockchain have software bugs that leave them vulnerable and at the risk of being siphoned from cryptocurrency exchanges.

How do Fake Deposit Attacks Work?

ERC-20 smart contracts that don’t rely on the blockchain software standard EIP-20 use a programming conditional statement to verify if there are sufficient token balances.

In programming, conditional statements are control structures that handle decisions. If the conditional statement returns a “false” statement, the transaction will not be able to be completed.

But this is not the case when it comes to a fake deposit attack. The “false” statement is used in the attack on exchanges that have security check protocols.

The research report showed that more than 99% of tokens vulnerable to fake deposit attacks are listed on major centralized exchanges.

To make matters worse, it was estimated at the time that there were 25 million contracts that use the Ethereum network, and only 0.36% of them have publicized their source code.

This means that the rest of the smart contracts have not been seen and checked publicly, and if no smart contract audits have been conducted, they could be at risk of being attacked.

Similar attacks or scams to fake deposit attacks

Criminal activities within the cryptocurrency ecosystem have evolved over the years. Brazen hacks of exchanges used to dominate headlines, until hackers changed their tactics to dupe unsuspecting token holders and exchanges. The list of scams similar to fake deposit exploits are on the rise. Here are some examples:

Fake Cryptocurrency Exchanges

Fake exchanges are created to pose as legitimate bitcoin trading marketplaces but with an ulterior motive of scamming users. In 2017, a scam cryptocurrency exchange called BitKRX piggybacked on the reputation of Korean Exchange (KRX), one of the largest financial trading platforms in the Asian country.

BitKRX posed as an arm of KRX and used this false legitimacy to lure investors.

Phishing

Phishing is a cyberattack in which the attacker mimics or falsely represents a reputable brand, website, exchange, or person to retrieve sensitive information from unsuspecting victims. The targeted sensitive information includes credit card details, private keys, passwords, usernames, and many more.

Phishing attacks usually rely on fake emails to get users to give up their sensitive information to the bad actors. In the crypto sector, attackers may overwhelm a legitimate website and change the wallet address to their own so that they can collect all the proceeds from the incoming transactions.

Users would be convinced that they are sending funds to a real website when in reality, their cryptocurrency is being stolen. 

There are different kinds of phishing attacks: clone phishing, spear phishing, pharming, whaling, website redirects, scam giveaways, and impersonation. 

In July 2020, bad actors hacked the Twitter accounts of high profile individuals and companies - such as Bill Gates, Coinbase, Binance, Jeff Bezos, Barack Obama, Joe Biden, Apple, Warren Buffet, and Elon Musk, among others - to promote a bitcoin scam.

The attackers made off with nearly $110,000 in bitcoin.

SIM Jacking

SIM jacking is more an example of social engineering than a hack. This is a type of identity theft that occurs when the attacker remotely swaps a victim’s SIM card to gain access to crypto wallets, bank accounts, or other private information.

If the hacker gets into someone’s mobile wallets, they can transfer all positive balances of cryptocurrency to wallet addresses of their choice. 

Final Thoughts

Cryptocurrency cybercriminals are getting more creative and brazen as they seek to capitalize on the growing digital assets market, where the reward often outweighs the risk thanks to lax security and outdated regulations. The crypto market, still in its infancy, is littered by bugs that black hat hackers are working daily to exploit whenever opportunities arise.

In the case of fake deposit attacks, there is a need to have smart contracts audited and cryptocurrency exchanges should actively beef up their security protocols and verification processes. 

There is no guarantee that exploits will be completely eradicated in the crypto sphere, just as offline crime pervades the real world. What’s important is that token holders, exchanges, and smart contract developers work together to minimize the risk and impact of exploits such as fake deposit attacks, and follow industry best practices where possible. 

About CYBAVO

CYBAVO is a digital asset security company founded by experts and pioneers from the cryptocurrency and security industries with more than 20 years experience in cybersecurity at the highest level.

CYBAVO’s mission is to provide the most technologically advanced security to digital asset custodians. Through our expertise in cybersecurity and decentralized technology, we empower blockchain companies with enterprise­-ready cryptocurrency wallet management services, secured with the best technology available.