Bitrace: Beware as Trading Platforms Launch Web3 Wallets

Author: Bitrace

Source: https://mp.weixin.qq.com/s/gXWYpevDJQrkb26cx96XUg

As the gateway to the onchain ecosystem, wallets serve not only as storage for digital assets but also as the primary space for users to interact with various decentralized financial products (DeFi). Traditional Web3 wallets, such as MetaMask, imToken, and TokenPocket, often operate independently of centralized trading platforms. However, with mainstream trading platforms introducing built-in Web3 wallets to seize future user traffic, the boundaries between centralized exchanges and decentralized Web3 are gradually becoming blurred.

The launch of Web3 wallets by platforms like OKX and Binance signifies the integration of Centralized Finance (CeFi) and DeFi as an industry trend. However, while breaking down the barriers between on-chain and real-world assets, it also shortens the path for cryptocurrency criminal groups, reduces the cost of trust-building, and exacerbates fraud risks. This article aims to reveal the fraud risks inherent in built-in wallets by citing several fraud cases, cautioning industry practitioners to ensure asset protection while embracing new trends.

Web3 Wallet Fraud Cases

While integrated wallets on trading platforms provide users with one-stop on-chain services, they also open Pandora’s box for unsuspecting users — investment and financial scams, approval phishing for token theft, and fraudulent token sales.

1. Fake BNB Yield Fraud

In the BNB yield fraud scheme, fraudulent groups impersonate official exchange personnel and conduct promotional activities for what they claim to be the platform’s mining pool contract (ETH/BNB). They assert that depositing ETH into the liquidity pool contract address will generate profits. Users are promised automatic acquisition of BNB and 8%-15% returns based on the sent ETH quantity. However, the actual contract returns fake tokens, making them unexchangeable within the exchange.

In such a fraudulent environment, users easily become engrossed and eager to participate. They might engage in conversations with official administrators in the group, as evident from the chat screenshots provided by victims. The wallet, serving as the interface between the exchange and on-chain finance, plays an indispensable role in the fraud process.

In the past, fraud schemes often had loopholes, such as questioning why users needed to download a third-party wallet to participate in yield activities if it was an official exchange promotion. Today, with official exchanges embedding Web3 wallets, the logic for platform token yield scams is more reasonable, and the operation is more straightforward. Fraud groups no longer need to impersonate the official exchange, as they can guide users to phishing websites directly.

2. Holding USDT Mining L1 Token Scam

In the Holding USDT mining scam, perpetrators promise high returns in stablecoin mining, offering BNB/OKB/HT/TRX and other public chain tokens in exchange for holding a certain amount of USDT in the wallet. However, this is merely a lure to trick users into interacting with maliciously authorized contracts, leading to opportunistic theft.

As an example, victim TXa97T was recommended to participate in the UTK Miners liquidity mining protocol. The protocol claimed that holding USDT in the address would yield continuous TRX interest without the need for locking funds. In the early stages, users did receive regular TRX returns. Encouraged by the initial success, victims further invested, only to find all funds in the address transferred a few days later. The fraudster, by disguising the approve contract as a mining approval, tricked users into transferring their asset permissions to the hacker’s address during the initial interaction with the protocol website.

Fraudulent websites often prompt users to install wallets. Novice users may, in the face of unfamiliar Web3 concepts, choose to be conservative, affecting the conversion rate of fraud activities. However, the official integration of wallets by trading platforms eliminates the need for fraudsters to guide users through the steps of downloading wallets and making deposits, instilling a certain level of confidence in users.

3. Selling Fake USDT Scam

Similar to the real world, the blockchain world is filled with “counterfeit currency” scams. Fraud groups sell fake tokens through various channels, posing as a discounted sale of USDT and other tokens. This type of fraud has resulted in widespread user losses. Due to the lack of admission mechanisms for on-chain tokens, the funds and technical barriers required to issue the same-name fake tokens are not high, making it common for fake tokens to circulate. Among stablecoins with large circulation and a broad audience, USDT is most susceptible to being impersonated.

We found that the sale of fake USDT scams has appeared in the C2C section of a trading platform’s integrated Web3 wallet. The screenshot above shows that for $659.53, users can buy 745 stablecoins anchored 1:1 with the US dollar. However, this “USDT” is a false token issued by scammers, and as of writing this article, the contract address of this fake U (0x…9855) has transacted with 42 counterparties. For novice users entering the crypto world, this is a significant blow.

Increased Fraud Risk in Trading Platform Integrated Wallets

From the above cases, it is evident that trading platforms’ integrated Web3 wallets have, to a certain extent, intensified cryptocurrency fraud risks. This is primarily due to the following reasons:

1. Built-in wallets have an official background. Traditional fraud processes targeting cryptocurrency novices are lengthy and face trust issues, resulting in low conversion rates for on-chain scams. However, with the current inclusion of Web3 wallets within exchange apps, users not only can create wallets with a single click without the need to download third-party wallets, but they also inherently trust wallets that can transfer assets between centralized platform accounts. This significantly reduces the difficulty for fraud groups to convert users.

2. New crypto users lack effective guidance. Integrated wallets bridge exchanges with on-chain activities, and new users often lack understanding of the risks associated with on-chain interactions. In the absence of sufficient education and guidance, users exploring the “dark forest” of cryptocurrencies alone become easy targets for phishing attacks, arbitrage scams, and other fraudulent schemes. They also struggle to securely store, trade, and manage digital assets.

3. Cryptocurrency wallets are inherently permissionless. The fraud risk behind Web3 wallets is not from the operators but the inherently permissionless nature of cryptocurrency wallets. Open and highly anonymous online spaces are easily exploited by illegal activities. Trading platform Web3 wallets, backed by massive user traffic, will face more severe security challenges in the future.

Conclusion

Binance has recently launched its own Web3 wallet, and OKX has already matured and operated related services, streamlining the cumbersome wallet operation process, significantly optimizing user experience, and opening the door to the decentralized ecosystem for a massive number of crypto users. However, the subsequent on-chain security issues cannot be ignored. Bitrace calls on related trading platforms to:

1. Add more tutorials and guidance within the app. Before users create Web3 wallets, require them to watch tutorials and related videos, educate them on on-chain security knowledge, and complete risk investigation questionnaires on common on-chain interaction scams.

2. Temporarily restrict certain functionalities for new users. For example, newly registered exchange users should not have the ability to transfer assets from the exchange to the Web3 wallet with a single click. Large fund transfers should require identity verification and secondary confirmation.

3. Integrate third-party threat intelligence data. Share threat intelligence data with third-party security organizations like Bitrace, enabling features such as risk authorization reminders for integrated Web3 wallets, cancellation of risky contracts, and new threat pop-ups to enhance new users’ ability to deal with threats. This will help create a more transparent and user-friendly crypto environment.