Malicious token sale social engineering attacks in Layer-2 scaling ecosystem

CryptoShine
Apr 2, 2022

Introduction

Airdrops have become a popular trend in the crypto community over the past year. Several popular DeFi platforms such as Uniswap and 1inch have done retroactive airdrops for users who interacted with their protocol in order to reward the community for their engagement and support.

Due to this, these days the crypto community often speculates on possible upcoming airdrops.

Unfortunately, malicious actors are aware of this trend too, and they prey on users who anticipate such airdrops. They set up websites that pose as a legitimate token sale platform for a DeFi project which does not have a token yet. They lure users with themes such as presales and offer them the option to claim a non-existent token by sending Ethereum to the attackers. This is a form of social engineering.

One of the fastest-growing ecosystems in the blockchain space is the layer-2 scaling solution ecosystem being built on top of Ethereum. There are several popular L2 scaling solutions such as zkSync, StarkNet, Arbitrum and Optimism. So far, none of these L2 solutions has launched a token. There is a high level of speculation among the users of this ecosystem that a token airdrop might happen in the near future.

In this article, I will highlight some of the ways attackers are trying to exploit the airdrop speculation to steal funds from innocent users. I hope this article will help alert the wider community so that its members exercise a lot of caution when they see such fake websites and messages from malicious attackers.

At the end of the article in the “Indicators of compromise” section, I share the list of domains registered by the malicious actors for attacks.

Social engineering attacks through Discord

Discord is one of the most popular online platforms used by crypto communities. There are official channels for almost every L2 scaling solution on Discord. One of the tactics used by malicious threat actors is to send a message in bulk to every member of the Discord server and lure them with a “fake airdrop”.

Let’s look at a few examples for various L2 ecosystem projects.

ZkSync

Below is a message I received from a user who identified my account from the zkSync Discord server. The message is a fake announcement about a token sale. They make it look convincing since they are aware of the community’s anticipation of a token announcement.

Message sent on Discord for a fake zkSync token sale

ZigZag Exchange

Below is a similar fake token sale announcement I received from a user in the ZigZag exchange project’s Discord.

Message sent on Discord for a fake ZigZag Exchange token sale

Optimism

Below is a similar fake token sale announcement I received from a user in the Optimism project’s Discord. The message even shows that the user shares a common Discord server. In some cases, the attacker can use two different accounts. One account shares a Discord server with the victim while the other account is used to send a message.

Message sent on Discord for a fake Optimism token sale

Malicious sites analysis

Now let’s look at some of these websites and do a quick analysis of them.

As an example, we’ll look at the site zksync[.]claims, which is still live at the time of writing.

Malicious website — zksync[.]claims conducting fake token sale

As I have highlighted in the image above, the website pretends to be a live token sale page of a non-existent token called ZKSYN. I say non-existent because there is no such token announced by the official zkSync project.

The site asks the user to send a certain amount of ETH to receive a certain amount of ZKSYN tokens in exchange.

To identify, through static analysis, the ETH address the attacker uses to receive the funds, we can check the page source and read the address from the JavaScript, as shown below.

The JavaScript code with attacker’s ETH address configured
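The same static check can be scripted over a saved copy of the page source. The following is an added example, not code from the original article or from the malicious site: the sample page, the variable names in it and the address are constructed placeholders.

```python
import re

# "0x" plus exactly 40 hex digits. The look-arounds reject longer hex runs such
# as 32-byte transaction hashes, which would otherwise yield a bogus address.
ADDR_RE = re.compile(r"(?<![0-9A-Za-z])0x[0-9a-fA-F]{40}(?![0-9a-fA-F])")
# Variable or object key the literal is assigned to, e.g. `to: "0x..."`.
NAME_RE = re.compile(r"([A-Za-z_$][\w$]*)\s*[:=]\s*[\"'`]?$")
ZERO_ADDRESS = "0x" + "0" * 40


def find_eth_addresses(source):
    """Map each lowercased address to the lines and JS names it appears with."""
    found = {}
    for lineno, line in enumerate(source.splitlines(), 1):
        for match in ADDR_RE.finditer(line):
            # Mixed-case (checksummed) and lowercase spellings are one address.
            addr = match.group(0).lower()
            if addr == ZERO_ADDRESS:
                continue  # the all-zero address is never a payout wallet
            entry = found.setdefault(addr, {"lines": [], "names": []})
            entry["lines"].append(lineno)
            name = NAME_RE.search(line[:match.start()])
            if name and name.group(1) not in entry["names"]:
                entry["names"].append(name.group(1))
    return found


# Constructed sample page; the address is a placeholder, not a real indicator.
SAMPLE_PAGE = "\n".join([
    '<html><body><button id="buy">Buy</button>',
    "<script>",
    'const saleAddress = "0x00000000000000000000000000000000DeaDBeef";',
    'const lastTx = "0x' + "ab" * 32 + '";',  # 32-byte hash, must be ignored
    'ethereum.request({method: "eth_sendTransaction",',
    '  params: [{to: "0x00000000000000000000000000000000deadbeef", value: amt}]});',
    "</script></body></html>",
])

if __name__ == "__main__":
    for addr, info in find_eth_addresses(SAMPLE_PAGE).items():
        print(addr, "lines", info["lines"], "names", info["names"])
```

The names reported next to each address (here `saleAddress` and `to`) show where in the script the funds are directed, which helps when the same wallet is reused across several fake sale pages.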

This same threat actor has also set up similar malicious web pages targeting users of other L2 scaling solutions such as Arbitrum.

The domain arbitrum[.]link was set up by the attacker, and it asks users for funds in the same way as shown in the example above for zksync[.]claims.

Another malicious site — arbitrum[.]link set up by attacker for a fake token sale

Conclusion

The malicious threat actors monitor the ecosystem and new projects carefully and prey upon their users using various social engineering techniques as highlighted in this article.

Users must exercise caution when receiving any unsolicited message and not click on any links received from untrusted sources.

Also, please follow the project’s official Discord servers, because in some cases attackers can also set up fake servers. Users can also follow the project’s official Twitter account and the announcement channels in the official Discord servers for any news related to official token releases.

If you found this article useful, please share this with other users in the L2 scaling solutions community as well to keep everyone safe.

Indicators of Compromise

Below is a list of domains on which fake airdrop sales for L2 scaling solutions have been set up.

ZigZag

claim-zigzag[.]exchange

zigzag[.]claims

zigzag-token[.]exchange

Optimism

optimism[.]claims

optimism[.]promo

Arbitrum

arbitrum[.]claims

arbitrum[.]link

zkSync

zksync-sale[.]top

zksync[.]net

zksync[.]claims
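The list above can be used to screen links in incoming messages, for example in a moderation bot or a mail filter. The following is an added example, not part of the original article: the sample message is constructed, and the matching rule (a host is flagged when it equals a listed domain or is a subdomain of one) is an assumption about how the list would be applied.

```python
import re
from urllib.parse import urlsplit

# Domains from the "Indicators of Compromise" list, kept defanged in source.
IOC_DOMAINS = [
    "claim-zigzag[.]exchange", "zigzag[.]claims", "zigzag-token[.]exchange",
    "optimism[.]claims", "optimism[.]promo",
    "arbitrum[.]claims", "arbitrum[.]link",
    "zksync-sale[.]top", "zksync[.]net", "zksync[.]claims",
]


def refang(text):
    """Undo common defanging so hxxps://site[.]tld parses like a normal URL."""
    text = re.sub(r"\[\.\]|\(\.\)|\[dot\]", ".", text, flags=re.I)
    return re.sub(r"\bhxxp", "http", text, flags=re.I)


BLOCKLIST = {refang(d) for d in IOC_DOMAINS}
# A URL or a bare host name, with optional port and path.
CANDIDATE_RE = re.compile(
    r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?::\d+)?(?:[/?#][^\s<>\"']*)?",
    re.I,
)


def hostname(candidate):
    if "://" not in candidate:
        candidate = "http://" + candidate  # urlsplit needs a scheme to find the host
    return (urlsplit(candidate).hostname or "").rstrip(".").lower()


def flagged_hosts(message):
    """Return hosts in the message that are a listed domain or a subdomain of one."""
    hits = []
    for match in CANDIDATE_RE.finditer(refang(message)):
        host = hostname(match.group(0))
        labels = host.split(".")
        # Compare whole labels only, so "zksync.claims.example" is not flagged.
        parents = {".".join(labels[i:]) for i in range(len(labels))}
        if parents & BLOCKLIST and host not in hits:
            hits.append(host)
    return hits


# Constructed message in the style of the Discord lures described above.
SAMPLE_DM = ("zkSync token sale is LIVE: hxxps://sale.zksync[.]claims/presale?ref=1 "
             "mirror at ARBITRUM[.]LINK. FAQ: https://zksync.claims.example/faq")

if __name__ == "__main__":
    print(flagged_hosts(SAMPLE_DM))
```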
