By using this site, you agree to our use of cookies, which we use to analyse our traffic in accordance with our Privacy Policy. We also share information about your use of our site with our analytics partners.

MetaMask

Understanding and Avoiding Crypto Honeypot Scams

by Oliver RenwickAugust 12, 2022
MetaMask Logo with fox

“Honeypot” is a term that cybersecurity professionals use often. It’s a metaphor that refers to something that is designed to attract someone: in other words, it’s a trap. Sometimes security professionals actually deploy their own honeypots to try and catch bad actors. Today, we’re going to take a look at a specific type of honeypot scam: the one that looks like a delicious pot of cryptocurrency, and all you have to do is reach out and take it.

Step 1: First Contact

The scam begins with someone making contact, asking for help. In this case, the platform was Twitter, but it could be anywhere. We’ve also seen cases of scams happening on Discord, through peer-to-peer messaging apps, etc. Anywhere you can contact someone, really, can be the place where a scammer fishes for their next mark.

I got a number of direct message requests like this one on Twitter: 

A typical scam initiation.

On its face, it’s a bit weird. But in the end, it could be read like a newcomer to the space who needs help, and is naïve enough to send me, a stranger, their twelve-word Secret Recovery Phrase in a direct message. In other words, they unthinkingly gave me ownership over all their tokens.

To be clear, never share your Secret Recovery Phrase with anyone unless you want them to have total control over everything in your wallet.

I wanted to get a closer look at how the scam works, so I created a few new browser profiles that I will use for nothing else, and imported the Secret Recovery Phrases. That gave me access to the public address of the wallet, so I could use a block explorer to see the contents of the wallet.

The first one I opened was from a message I received about a month and a half back. The wallet had no meaningful value in it. The chain that had the most activity was Binance, and it had a zero balance in BNB, the gas token of the Binance chain. However, I noticed a very distinctive pattern in the last transactions made on it: 

Suspiciously small, and fast, transactions in and out of the wallet

Tiny fragments of BNB that leave the wallet as soon as they arrive, each time from different addresses. And they always go to the same two addresses as every other outgoing transaction in the wallet’s history. Remember this pattern–we’ll come back to it.

Step 2: The Temptation of the Honeypot

The second wallet I opened up was a much more tempting prospect than the first. Again, this wallet had the most activity on the Binance chain, but this time, it had $1600 USD worth of tokens sitting in it. Sixteen hundred dollars, and I own the private keys to it.

Not Your Keys, Not Your Coins

Mind you, this value isn’t held in BNB; it’s in some tokens I’ve never heard of:

Looks like I’m going to be Terk-rich

Now that’s no problem, as long as the tokens have value. The most important thing now is to get those assets out of that wallet and into mine, right? All I need to do is send them to my own wallet, then I can swap them for whatever I want. The assets are on the Binance chain, which means I’ll need some BNB tokens in my wallet in order to move them. I won’t need much, so I’ll just send a bit in to pay for gas.

Small up-front expense, big honeypot payoff, right?

Step 3: The scam

Remember the little transactions, earlier? Now you understand how they got into the wallet in the first place. Those are little bits of BNB that someone sends into the wallet to try to get something out. As soon as the transactions land in the wallet, they are swept out to other addresses. This is done through automated scripts that are listening for incoming transactions to the address, called sweeper bots. While fascinating, this topic gets technical quickly; for more in-depth information, see our resource on fighting back against sweeper bots.

If I deposited some BNB into the wallet, either sending it from another wallet I control or buying it directly through MetaMask, the bots would send it back out so fast I might not even see the value reflected in my wallet change. I would have no chance of manually executing a transaction to transfer that $1600 of tokens anywhere. They’re that quick.

Instead, the bots sweep my gas money off to someone’s wallet, along with everybody else’s who has tried to make off with the honeypot.

Does the scammer make a lot of money off of me? No. A few dollars at most. But it’s a pure numbers game. If the scammer spins up enough of these honeypot wallets and sends out enough direct messages then over time, the continuous trickle of money adds up to a stream of “passive income”. At the very least, the scammer has enough BNB to pay for whatever they want to do on chain.

So, if it seems like someone’s just handed you the keys to a small fortune, or even a modest one, think again. The most likely result of messing with these scams is you waste your time and lose some money. And if you aren’t safe about the environment in which you’re doing it, you risk exposing your own wallet and keys to whatever else is lurking out in the dark forest.