Massive scam pool group uncovered

Hello, with the cooperation of the admins of adapools.org we uncovered a mesh of over 50 pools that seem to be operated by 1 group or person. Many of these pools are obvious red-flag scam pools (MELD4 being one of them).

A few of the tickers are: MELD4, NAMI, ITC3, BIDEN, SODA, PIGY, WMT, ADA01, GRAB, EVE6 and many others.

All these pools seem to originate from pool FIMI - some Vietnamese pool / organization with website https://fimi.vn/ada/ (this pool seems to be the first one that started using these relays).

They all share the same set of relays, hosted in Germany by the company Contabo, in Dusseldorf. Some of the IPs they all share are:

  • 194.163.135.82
  • 194.163.177.187
  • 194.163.152.66

The pattern for these pools is more or less the same: register a new domain such as relaystakepoolservice.site or relaytera.asia, create 3 relay subdomains pointing to these Contabo IPs, and create some pool that is supposed to lure people either by pretending it is supporting someone they clearly don’t (such as the BIDEN pool), or by simply faking an existing project (MELD, EVE, WMT, PIGY etc.) and pretending you get tokens when you stake with them.

So far this group is massively successful, they have combined stake probably of more than 100 million ADA, some of their pools are 99% margin.

Check some of their pools:

  • [EVE6] Everstake | Cardano Staking
  • [MELD4] MELD ISPO 4 (100% MELD) | Cardano Staking
  • [BIDEN] BIDEN president pool | Cardano Staking
  • [SODA] SODA | Cardano Staking
  • [PIGY] PIGY token 🐷 | Cardano Staking

I really would like to hear some explanation by the guys behind fimi.vn for all this - at some point the scammer group could theoretically just decide to use someone else’s relays for their producer nodes, but there are just too many red flags pointing to the same origin.

I think these relays should be blacklisted by most pools so you don’t peer with them. Delegators should probably also reconsider staking with legitimate pools instead.

28 Likes
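The relay-sharing check described in the post above, as an added example that is not part of the original thread: it groups pools that are linked, directly or transitively, by a common relay IP. The tickers, hostnames and addresses are constructed (RFC 5737 documentation ranges), and the relay hostnames are assumed to be already resolved to IPs.

```python
from collections import defaultdict

# Constructed sample: pool ticker -> list of (relay hostname, resolved IP).
# All tickers and hostnames are hypothetical; IPs are documentation addresses.
SAMPLE_RELAYS = {
    "POOLA": [("relay1.example-a.test", "192.0.2.10"),
              ("relay2.example-a.test", "192.0.2.11")],
    "POOLB": [("relay1.example-b.test", "192.0.2.10")],
    "POOLC": [("relay3.example-c.test", "192.0.2.11"),
              ("relay9.example-c.test", "198.51.100.7")],
    "POOLD": [("node.example-d.test", "203.0.113.5")],
    "POOLE": [("r.example-e.test", "198.51.100.7")],
}

def cluster_by_shared_relays(relays):
    """Union-find over pools: two pools join a cluster when they share a relay IP."""
    parent = {pool: pool for pool in relays}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path compression
            x = parent[x]
        return x

    first_pool_for_ip = {}
    for pool, endpoints in relays.items():
        for _host, ip in endpoints:
            if ip in first_pool_for_ip:
                # Different domains can hide the same machine; the IP links them.
                parent[find(pool)] = find(first_pool_for_ip[ip])
            else:
                first_pool_for_ip[ip] = pool

    groups = defaultdict(set)
    for pool in relays:
        groups[find(pool)].add(pool)
    return sorted((sorted(g) for g in groups.values()), key=lambda g: (-len(g), g))

def suspicious_clusters(relays, min_pools=3):
    """Clusters large enough to deserve a manual look (threshold is an assumption)."""
    return [c for c in cluster_by_shared_relays(relays) if len(c) >= min_pools]

if __name__ == "__main__":
    for cluster in suspicious_clusters(SAMPLE_RELAYS):
        print(len(cluster), "pools share relays:", ", ".join(cluster))
```

A cluster only shows shared infrastructure, so each one still needs manual review before any pool is labelled.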

hmm… very interesting… indeed all pools are pointing to the same relays…
PS: most of them were labeled as FAKE on adapools.org… but not GRAB SODA

PS: BIDEN is using 194.163.152.66, which looks legitimate, but it’s strange that all are using port 3000

BIDEN’s 194.163.152.66 is also used by this cluster (relay3.relaystakepoolservice.site) this domain is used by fake WMT and MELD pools [WMT] World Mobile Token | Cardano Staking, they actually use more IPs but they are all of Contabo in Dusseldorf

But for example fake EVE6 pool [EVE6] Everstake | Cardano Staking uses different IPs by different providers than Contabo so either it’s part of another group, or it’s all even bigger than I thought

2 Likes

There’s an IOHK website where you can report scams, but the question is: are there any rules they are violating?
I’m not defending them, I’d honestly like to know… And what can we do? Blacklist them? IOHK deleting them from topology? What then when p2p launches?
So we have the right to cut off a pool that delegators, unwisely, have chosen to stake to?
Stuff to think about…

3 Likes

No I don’t think there are any rules that can be broken in this area - Cardano is unregulated and rightfully so, but still using such sneaky tactics such as pretending you are a charity pool (KID), or registering many tickers that make it look like you support a cause (BIDEN, YOGA etc.) or simply pretending you are affiliated with a project you are not (MELD, ERGO etc) in order to lure delegators is extremely dishonest and immoral.

It harms the reputation of the whole project, it harms delegators in case of high margin pools (MELD4 is 99% margin) because they will get nearly 0 rewards when staking with them, it harms decentralization (50+ pools with some ~100M stake behind ~3 relays - come on), it harms honest SPOs who lose potential delegators.

And these pools might even participate in IOG / CF lottery or some ISPOs!

So you make your own idea if this is something you want to be OK with or not. I am not. So at least I am trying to spread awareness.

What can be done on a technical level? Many things actually - if we can really confirm that all pools behind these few relays indeed belong to the same group of people, then we can at least inform other SPOs that they should blacklist them (remove them from their topology), and they should probably also be blacklisted by guild tools. This won’t stop these pools, but it would make their life harder.

These pools can also be marked in pool browsers. adapools.org already does that; other pool browsers are more liberal in this aspect. They could also be blacklisted in the IOHK-moderated SMASH pool server, so that these pools aren’t visible in most of the official wallets.

And of course we should spread awareness so that people who delegate to these dishonest pools might reconsider and change to some other.

8 Likes

FYI it seems they “re-shuffled” the IPs in DNS, MELD4 etc. no longer pointing to relays they did before, now they point to different IPs, that don’t even seem to run cardano-node, hence they are flagged as being down. So the connection between these pools is probably not so obvious anymore.

For example BIDEN’s only relay no longer points to the same as FIMI, but to langson.ddns.net. → 222.254.90.96

They clearly noticed that we found out about this and are trying to cover it all up.

4 Likes

really sad to see

1 Like

Of course they noticed :crazy_face:

3 Likes

another example of sharing Relays is :
GRAB → “Shared Relays with Pools: ADA01,SAIGO,SANTA,BIMI,MAL3,FIBOT,ADAUP,RAY6,MALX,FIDA,SIMBA,TRALO,SODA,ZZZ6,KID,AWP4,MEKON,BIDU,SONLA,TROFI,YOGA,EMUR5,6d043d8910b0050cd4f497834c7c8a515e62252352c802b4f3458443,AMZ,MELD4,FIMI,OSCAR,RAY7,VIET,ADPL,KIRIN,BIDO,EVE6,e142b621ff2fc440af4d37c979f837c7f9e920cf928f41138522a6a4,ADLTC,0PCT2,COOL7”

continue my previous post,
we find ADAUP pool,
ADAUP has a telegram and they share screenshot to vote his pool and the Tiger,

TIGER Pool is sharing relays with the pools below :
CHIM, 2MIN, CHIM, CAVOI, CAMAP, SWAN, BOLAC

1 Like

I am the owner of MEKON pool (I am not the operator) and unfortunately I am right in the middle of this mess. Please allow me some time to sort this out and I will share what we (group of related pool owners and operator) find and the actions we take. After that, I am willing to meet online if necessary as I think we owe the community some explanations.

1 Like

We are the owners of the pools on the bottom of your list. Whether they noticed or not, we are taking the actions on our hands to clear this. Besides changing relay information, further changes would be seen are the reduction of margin and the retirement of the pools-epoch 306 (many of the list are scam but many are legitimate who are affected by this). What we try to do is to disassociate (unaware, unintended association from the beginning) with this individual/group. We have no control and can’t prevent this to pop up in other places and in other forms.

1 Like

There are smaller no scams but bad actors as well.

FIKA and GINGR are sharing all their relays as well. Same pattern in their DNS naming to hide the real IP. It indicates that they don’t just happen to use the same provider but indeed share the exact same relays. They are connected in other ways as well :wink:

Very bad behaviour, adding risk to the network and definitely not helping decentralization.

Let’s be clear…there is nothing wrong to share the relays between more POs … this is another discussion

3 Likes

Hello,

Thanks for coming out like this, that for sure takes some courage, but there are still things that are unclear to me.

I can totally understand that TIGER pool, which currently has IOG delegation is concerned about this, if it’s a legitimate pool, but I am still not clear on how are all these pools connected. MEKON owner said that he is the “owner” of pool, but not its operator. Who is the operator then? And why all these pools share the same infrastructure? Is there some VN based company that provides Cardano staking pools as a service in some SaaS model?

Why did this company / shared operator allow for creation of these “imposter pools”? Didn’t they see any problem with that?

Anyway I am glad to see that these imposter pools are being retired, that is indeed a good step and much more than I expected from this investigation.

4 Likes

BIDEN also received the IOG delegation… URL site information, no social media accounts… etc … wondered who voted for them to receive the IOG delegation… now I think I have an idea :)))

3 Likes

Hello,
If we separate the pool operators from the pool owners, things will be clear. I know that there is a technical managed service for these pools and each pool owner must run their own plan to attract more delegators to their pool. That is the reason why these pools have different visions/purposes and the others did not know what MELD4 was doing.
I do not think resigning a pool is a good idea. Keeping this running with 0% fee for a couple of years might be beneficial to delegators and there is no impact to them.
If he resigns this pool, he had better keep all delegators informed and compensate them for this impact.
Thank you all for this investigation.

what you are doing now is the last we care.

from our side it is important to explain us, what is the relationship between you and the pools and the people(owners or operators).

i will give small example of Pool names, and you can answer and speak for the rest of them.

MELD4, MEKON, EMUR5, BIDEN, ADAUP. TIGER, BOLAC
who is the operator :
who is the owner of the pool :
what is the relationship with you :

thank you,
TTS17 pool operator

2 Likes

I was under the impression that IOG at least checks the basic details for the elected pools. As much as those CF and IOG delegations contribute good to single, small pool operators, the same their election and validation process seems to be totally off, in this case contributing to a centralized network of possibly scam pools. :thinking:

1 Like

Someone voted for them… maybe the rest of the fake 50 pools? :crazy_face:

2 Likes