How to prevent Token phishing by SCAM Reward Tokens?

Today I got to experience first-hand the vulnerability of hot wallets. It breaks my heart, but I share this in the hopes that no other victim like me will ever happen again.

Lately, there has been a surge in a phishing technique known as ‘Reward Token/Ticket’ Phishing. Scammers target addresses with relatively high balances and associated tokens by sending them reward tokens/tickets for phishing. Therefore, wallet owners with substantial funds must exercise heightened caution at this time.

SCAM Tokens:

Please check and share: Scam Tokens List : https://pool.pm/$scamexamples

Don’t connect your wallet!!

Scam Token-warning
Fake site: https://sundaelabs. org
(Don’t be fooled by *.org)

Scam Token-warning 2.png

If you come across any scam tokens, please report and share them in this community and your local community.

Phishing damage caused by scam tokens, etc. is temporary. Even I, who pride myself on having some knowledge and attention to blockchain, suffered from this. It cannot be prevented by the wallet owner’s caution alone.

Phishing prevention ideas:

  1. Wallets such as Eternl and Yoroi must include a function to warn before sending assets(ADA, tokens) about scam tokens and scam addresses.

  2. Supports “delayed transfer” functionality in the wallet: for example, the ability to put a delay (10 seconds, 30 seconds, etc.) between clicking to send funds and sending the actual transaction to the blockchain.

  3. Additional verification procedures, such as warning messages, are required for certain transfers of large amounts of assets.

Beware of phishing scams disguised as reward tokens (17 Fungible Tokens, 7 Rich Fungible Tokens, 3 NFTs, etc).
More details: pool.pm

Add policy id here: cardano-shield/blacklists/policy-blacklist.json at main · adabox-aio/cardano-shield · GitHub

There are many, many more:

https://pool.pm/$scamexamples is one account that tries to collect them.

1 Like

Thank you for your reply.
Is there any possible way to freeze or retrieve funds from the phishing address below?

No, there is not.

Once you have signed the transaction that says “send all my funds to that address”, the owner of that address has full control over them.

Some wallet apps are working on better warnings. Vespr has even denylisted some of the scam addresses. … but they can switch to new ones quite fast and such warnings will always only work after the first victims have reported a new scam scheme.

In the end, the crypto slogan of “be your own bank” means that every user is responsible themselves for not falling for scams. And for that, it seems we need much more education in onboarding.

The cryptocurrency self-custody wallet, as a user’s own bank, imposes too much responsibility on users, reflecting the immaturity of the cryptocurrency ecosystem. This implies a significant vulnerability for users. To give birth to a truly decentralized self-custody wallet, essential security measures need to be established. Similar discussions on this issue seem necessary in the context of Cardano’s Voltaire governance as well.

Thank you so much, @HeptaSean !!

Have a look at cardanoshield.com where a solution is in progress

I just caught out by this, I’m gutted. It looked like an airdrop from Liqwid. Aquafarmer LQ Bonus ticket. Only after I noticed my mistake. I’d realised I’d been sent more from other sites I use.

Screenshot 2024-01-21 at 01.04.22

Sorry, I’m understanding, but thank you for sharing and your courage!

Thank you for sharing! Unfortunately, it is not applied on time in our ecosystem. I am concerned that when we rely solely on user attention, the number of victims now and in the future will increase.