Massive scam pool group uncovered

The IOG delegation results were confusing enough before this

Hello, before this gets out of the hand:

When I opened this thread I didn’t know anything about FIMI or the pool service they run and the fact that some of these pools like TIGER are no longer associated to them and that some of these pools belong to “separate owners”, despite they are still behind same infrastructure. To be honest I believe this is something that this FIMI operator should be more transparent about, there were no easy ways to contact anyone, all WHOIS information for IP addresses and domains registered for individual pools were PRIVACY REDACTED with no contact information, just saying it’s registered in Hanoi / Vietnam.

I was running google translate on fimi.vn/ada but couldn’t find any names or contacts.

Some people blame me here for causing fuzz without contacting individual operators - but how was I supposed to contact them if most of them provided no contact whatsoever and if they didn’t appear on this forum we wouldn’t have any contact still?

By scam pools I mean the imposter pools, like MELD4, EVE, EMURGO, PIGY that pretend to be part of project they are not. Other pools I mentioned in this thread were just associated with these scam pools through shared infrastructure I don’t think or say they are scam pools (I did think they belong to scammer in past because I thought there is only 1 person or group behind all these pools, but that was explained already, so it’s clear to me now).

For me personally, I am happy with the outcome where all imposter pools were retired, that is much more than I expected from this. I am personally OK with people using some shared services of operators who provide pools in SaaS model and despite I don’t think it’s good for decentralization, I don’t think it’s any worse than Binance pools for example, so I am fine with that.

I would still recommend to other shared pool owners to improve the ways to contact them, many of these pools don’t have any website, domain associated with their relays doesn’t contain any website either, WHOIS information contain no personal information, many of these pools just have some github page or twitter link instead of URL. Most of them don’t have any contact information filled in on adapools. This all makes your pool look less legitimate.

That’s my few lovelaces, otherwise I am fine with the current situation and outcome of this thread and I don’t expect any further actions to be taken.

20+ pools operating behind the same set of infrastructure is not “fine”. Not with respect to network performance, security, and decentralization. But it sure gives these pool operators a leg up with respect to ongoing operational costs. I appreciate that you put a bit of a flashlight on the issue. It’s just one more thing where the protocol isn’t sufficient to solve every problem. Education is important. SPOs do what you will with your topology config.

ADA01
ADAUP
ADPL
BIDO
BIDU
BIMI
FIBOT
FIDA
FIMI
GRAB
KID
KIRIN
MEKON
OSCAR
SAIGO
SODA
SONLA
TRALO
TROFI
YOGA

|relay1.bidu.online|14.248.132.20|
|grab0.grabpool.site|14.248.132.20|
|grab2.grabpool.site|14.248.132.20|
|relay1.fimi.vn|194.163.135.82|
|relay1.hudo.online|194.163.135.82|
|relay2.wefin.vn|194.163.135.82|
|relay1.forkid.site|194.163.135.82|
|r1.saigo.online|194.163.135.82|
|relay1.sonla.online|194.163.135.82|
|relay1.tralo.online|194.163.135.82|
|relay3.hudo.online|194.163.152.66|
|relay3.wefin.vn|194.163.152.66|
|relay3.forkid.site|194.163.152.66|
|r3.saigo.online|194.163.152.66|
|relay3.tralo.online|194.163.152.66|
|relay.amzpool.xyz|194.163.175.178|
|relay1.santapool.site|194.163.175.178|
|relay2.santapool.site|194.163.175.178|
|relay2.sonla.online|194.163.175.178|
|relay3.sonla.online|194.163.175.178|
|relay2.fimi.vn|194.163.177.187|
|relay2.hudo.online|194.163.177.187|
|relay2.forkid.site|194.163.177.187|
|r2.saigo.online|194.163.177.187|
|relay2.tralo.online|194.163.177.187|
|relay.bidenpool.site|222.254.90.96|
|relay2.bidu.online|222.254.90.96|
|relay3.bidu.online|222.254.90.96|

This is probably not the first or last “stake-pool as a service” entity that is going to exist on Cardano. So maybe the way to handle this is for these pools to be more transparent as to who is operating vs owning a pool as well as how many BPs share any given relay, This way delegators can make informed decisions, and our community will not devolve into scams and dishonest marketing.

At the end of the day it is paramount that our current and future delegators do not look at the offerings in our community and technology and find dishonesty or deception.

I’m not technically understanding what it is that they are doing that makes them fake?

Are they not operating producers and relays? Do they have access to other people’s relay configurations? How are they using the Cardano network architecture improperly?

If a pool is maliciously spoofing or it’s spoofing an ITN ticker then it could be delisted from SMASH. More info here https://docs.cardano.org/explore-cardano/cardano-architecture/smash-handbook#delistingastakepool.

They are pretending they are part of project they are not. For example pretending they are one of MELD staking pools, copying ticker name (MELD4), using same description, URL etc. and margin 99% except they don’t give any MELD tokens because they are not MELD. And same for other projects. In my book this is a scam.

If the Cardano network protocol allows it then why is this considered a scam? How do you know this is not by IOHK design?..or lack of design maybe? Lot’s of academic papers but no thought given to managing the Cardano network from an infrastructure governance perspective?..smacks of technology immaturity where there shouldn’t be given all the PR behind “peer reviewed” and adequate time for design and testing arguments. From a technical standpoint, they are operating normal pools with registered tickers. If the users get themselves into using these pools without first investigating them then who’s fault is it? Maybe the delegators want to use them for some reason maybe? So now a band of vigilantes will request that these normally operating (from a Cardano network infrastructure perspective) pools be delisted? What about people who staked? I mean, you can’t even run a pool with any regular success without first having a few million staked. That to me is a bigger problem then some delegators not doing their homework. I’m all for anti-scam vigilance but the Cardano network allows what’s happening by design…so is it a scam?

Hi All,

I just wanted to share my 2 cents and hopefully get some feedback from you as I might not think properly maybe…

The only scammy behaviour here is using tickers that refer to a product/entity/project that one doesn’t own.

Also, if there are 30 pools using the same 3 relays it is indeed a bad practice, but that can’t be called a scam. Binance have many pools and I’m pretty sure they do use a limited set of relays.

Those are the issues worth mentionning for me:

1. The IOG and CF delegation are a powerful help for pools who gets it and an amazing incentive to be a bad actor: the process must be refined, indeed pool BIDEN have received delegation thanks to votes it received and not for having a website or a clear statement of some kind of utility for the ecosystem.

2. Ticker names stolen from other projects. The only way to control this is by delisting them from SMASH as mentionned by @benohanlon

3. 99% margin: if a pool is set to 99% margin and delegators falls for it, it is a problem of education. If someone delegates to MELD thinking he will receive MELD but actually does not, then it is up to him to do his research and change to another pool.

Finally, decentralization will be reached only if the protocol is well written.
The issue is not the bad actors, we should let them exist, and again, if the protocol is well written, they will disappear.
Simply put, if Ouroboros by its design, doesn’t lead to enough decentralization then Cardano might fail.

Ultimately, what I want is decentralization to succeed and to happen by protocol and not thanks to good human behaviours. The whole idea is to remove the bad human side of the equation using a protocol.

If one has 3 relays servicing 30 block producers…that’s not necessarily bad practice. Best practice is to have at least two relays in front of block producers where the secondary relay is simply a backup so relays can be taken down one at a time to be updated when necessary without service disruption. The fact that the organization in question has three instead of two is likely more then what most so called “legitimate” pool operators are running. There is no best practice I’m aware of out of IOHK that suggests there can’t be 30 block producers behind the same set of relays. I don’t see that as weird at all, maybe unusual versus what you as a pool operator is doing but not necessarily inappropriate or “scammy” from an infrastructure configuration perspective. The configuration of the network services allows for it. It’s more of a runtime resource question…if the resources exist on the server to support relaying to 30 block producers then there is no argument against doing it. I don’t believe it would take more then typical memory/CPU allocation to relay to 30 producers based on resource capacity/consumption I’ve seen with cardano-node services.

Regarding ticker names…there is a limit of 50 characters I believe and there is no rule about what you can use as a ticker name so as long as one does not use the same exact ticker as someone else. I get that they used a ticker name in close relationship to some other pool system…if that ticker name is not already claimed they have 100% right to do so…scam or no scam. Some people create DNS names like yahoooo.com to get accidental hits for ads, etc…I see it as a similar thing…it’s more of a douchbaggy thing to do then a scammy thing…so maybe that’s the worst thing they have done. People who fall for that is more of the issue…

The network allows for the freedom to configure ones cardano-node service any way they wish according to current release feature capabilities.

Personally, I think the ticker thing is stupid and the way Cardano delegation works in general. I believe people who delegate should have their stake evenly distributed among all currently on-line pools in a given epoch that meet specific resource requirements automatically validated by the cardano-node service. Human configuration of their individual cardano-node service in regards to reward distribution and fees should not be a factor. All operators should always get a specific percentage based on their own private stake on their own pool. That would level the playing field and not require all this silly configuration crap we have to go through to bring up pools. Then have it so that if a pool goes off line for a set period of time it’s delegation get’s redistributed across current operating pools during that given epoch. No private pool operators, rewards always shared equally according to delegation. Maybe it’s to simplistic…but seems to be a more fair way to do it and would basically result in the same rewards % for all users. I don’t get why it needs to be tied to whoever is most popular socially…that has nothing to do with technological reliability or whatever. The cardano-node service should decide technological reliability in an automated fashion so the human element is removed from the equasion.

Was this info released somewhere?

It’s not just about the ticker name, they replicated everything, description, metadata, URL for project etc. If this is not a scam and legitimate in your book, then people asking on YouTube “send us N ADA and we will send 2x back” are also not scam, but a legitimate project. In both cases people end up losing money and reputation of project suffers.

Just because it’s technically doable doesn’t mean it’s correct.

With POW miners extract value, however, with POS people have a stake in the ecosystem. SPOs need the ability to differentiate both themselves and through other means. Agree?

yes agree but has nothing to do with the case, if one person will run many pools and he can manipulate votes

Hi,
It is true that I didnt find this information somewhere, I made an assumption because that new round of delegation was done thanks to votes.
Also, I have concluded it must votes because I don’t see how their support come from: they have only 8 delegators, low pledge and a dead website.

I meant bad practice in term of “serving the common good”.
A good practice, as you say, is a minimum of 2 relays per producer nodes.

The reason why pools with less staked are not doing better has nothing to do with some people being douchbaggs (however, I agree with you, it’s not right that they are copying website content in an attempt to bait and switch, it’s just used car sales person like tactics). The issue is that it takes millions of ADA to run a productive/ROI stake pool. The reason for this is Cardano’s algorithm for deciding on which pools generate blocks. The system favors the rich by design. This factor is likely what is compelling douchbaggs to be douchbaggy. We can request that these “scammy” pools be taken down but due to the unfairness the algorithm creates those same people and others will just do the same kind of thing again the next day. Cardano’s design is what is causing this.

In IT “best practice” is a term for describing the best way to technically do something or how best to govern data/configuration.

The system is designed to allow one person to operate more then one pool. This is by Cardano design.

ok and can you propose to us technical implementation of a system that allows 1 person to run only 1 pool? Because nobody knows how to accomplish that. Maybe you know better design than that one Cardano has right now?

We notified the community about the dishonest behaviour and outcome was that the scammer shut all their pools down. I would say that we have achieved more than anyone expected. So I don’t think there is any problem with design.

Yes in stake based ecosystem like Cardano you need to keep community of delegators aware of frauds, scams and similar problems, so they can reconsider who they support, but I don’t see that as a design flaw. Dishonest pool operators, if uncovered, will always end up losing delegators, but if nobody points to the problems, then you can’t expect any action to be taken.