MetaMask, a cryptocurrency exchange, recently announced that it will soon begin airdropping its own cryptocurrency, $MASK, into the wallets of its existing users. As a result of the news, a rumored fake MetaMask token appeared on the crypto market, and it was quickly available for trading on the Uniswap platform. This MetaMask token, which is based on the Ethereum blockchain, reportedly increased by 2,600% in a short period of time. The sale was locked as soon as the fake tokens worth $1 million were sold, raising suspicions of a rug-pull scam.
The scam, which preyed on traders’ eagerness for a MetaMask wallet token, took advantage of a flaw in the popular DEXTools trading app to persuade users of the token’s legitimacy. A scammer was able to inject code into the DEXTools app front end for the Uniswap WETH/MASK pair, causing a pop-up to appear telling users that the MASK token had been verified when they viewed it.
Unsuspecting users were unable to sell the fake MASK token after purchasing it. This type of scam is known as a “honeypot,” because it allows users to enter only to discover that the smart contract that governs the token’s interactions prevents them from selling.
The scammer appears to have programmed the smart contract for the fake MetaMask token to prevent holders from selling until it has received upwards of $1 million in liquidity. According to transaction data from Etherscan, the scammer took 475 ETH from the token’s Uniswap liquidity pool, worth $1.79 million at press time. The ill-gotten gains were sent to Tornado Cash, a popular coin mixing app, and then laundered to a separate wallet.
The MASK token was first reported as a scam on Twitter Monday evening, with several accounts warning that it was a scam despite a pop-up on DEXTools claiming it was legitimate. Since then, Twitter user @cobynft has detailed how the scam worked, claiming that it was the DEXTools app developers’ “serious fault” that allowed the scam to convince so many people to buy the tokens. DexTools has yet to respond to questions about its role in the platform’s inability to prevent cybercriminals from abusing it.
The current anticipation for a legitimate MetaMask token is another reason why the MetaMask token scam was so successful. The MetaMask team has hinted at issuing a token to decentralize the popular EVM wallet, with many speculating that it could be done via an airdrop.
The MetaMask token scam is the third major crypto-fraud to hit the market this holiday season. MetaSwapMGAS, a Binance Smart Chain project, allegedly stole 1,100 BNB from users on Sunday. Another Ethereum project, MetaDAO, appears to have pulled a rug over its investors yesterday, stealing 800 ETH worth over $3.2 million. According to a recent report by research firm Chainalysis, scammers cheated crypto investors out of $7.7 billion this year. According to the report, the classic rug pull was the most common type of scam. Rug pulls are common in DeFi because it’s cheap and easy to create new tokens on the blockchain and get them listed on decentralized exchanges (DEXes) without a code audit if you have the right technical knowledge.
In November, investors in a new cryptocurrency called “Squidgame Cash” or “SQUID,” which was inspired by the Netflix series Squid Games, were reported to have had their “rug pulled” after the token crashed 99.99 percent overnight. This project is thought to have netted the scammers around $3.3 million. The case’s investigation is still ongoing.
Cases of crypto-focused cybercrime are on the rise in tandem with the global crypto expansion. The Federal Bureau of Investigation (FBI) in the United States said earlier this month that cyber scammers are duping people out of their assets by making them use physical cryptocurrency ATMs and digital QR codes to complete malicious transactions. To avoid being scammed, Hyderabad Police recently issued a warning to investors about transferring assets into unknown, unauthorized wallets.
