Scammers are exploiting the “trending” list on memecoin analytics site GMGN to trick unsuspecting investors and steal their funds, according to security researcher Roffett.eth in a post on X (formerly Twitter) on Sept. 25. The scam involves creating coins with malicious code that allows the developer to transfer any user’s tokens directly into their own wallet, without the user’s consent.
How the Scam Works
The scammers first create a new memecoin and insert obscure, hard-to-read code into its contract. This code is designed to transfer the coins to the developer’s wallet without the user’s knowledge. The malicious developers then pass the token back and forth between multiple accounts to artificially inflate its trading volume, making it appear as a popular and trending asset.
Once the coin gains traction and is listed on GMGN’s “trending” list—an aggregation of coins based on metrics like trading volume—unsuspecting investors are lured into buying the token, believing it is gaining popularity. However, as soon as users purchase the coin, their tokens are immediately drained from their wallets by the developer. The stolen tokens are then redeposited into the liquidity pool and resold to new victims.
Examples of Scam Coins
Roffett.eth identified several scam coins that have been featured on the GMGN trending list, including Robotaxi, DFC, and Billy’s Dog (NICK). These tokens were used in the scam to target unsuspecting users.
GMGN is an analytics tool that tracks memecoin trading activity across multiple blockchains, including Ethereum, Solana, Tron, Base, and Blast. It provides various metrics such as “new pair,” “trending,” and “discover,” with the “trending” list showing coins that have recently surged in volume.
The Discovery Process
Roffett became aware of the scam when friends of his purchased tokens listed on the GMGN trending list, only to find that their coins disappeared shortly after. One friend initially thought his wallet had been hacked, but after creating a new wallet and purchasing the same coins, the same thing happened: his tokens were drained.
Intrigued by the situation, Roffett investigated using a block explorer and found that these attacks were likely a form of phishing, where the attackers used a permit function to gain control over users’ tokens without needing their signature. However, upon further investigation, Roffett realized that the victims hadn’t interacted with any suspicious sites—leading him to suspect a deeper, more technical scam.
Malicious Code Found in NICK Token
Roffett focused on one of the stolen tokens, NICK, and examined its contract code. He found that the contract contained strange, obfuscated methods that weren’t part of standard token contracts. These odd methods pointed to malicious code hidden in one of the contract’s libraries, which allowed the developer (the “recoverer”) to bypass the usual token transfer restrictions.
By manipulating the permit function, the developer could construct a fake signature and authorize themselves to transfer tokens from any user’s wallet. This allowed them to steal tokens from users who had bought into the scam. The malicious code also obscured the developer’s address, making it difficult for users to trace the transactions.
Roffett discovered that the recoverer contract (the attacker’s wallet) had performed over 100 transactions involving NICK tokens, transferring them from unsuspecting users to different accounts.
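The two on-chain patterns described above, wash trading between a handful of accounts to climb the trending list and balances being spent by a transaction the holder never signed, can be triaged from a token's Transfer history. The following is an added example written for this article, not code from Roffett or GMGN; it assumes you have already exported Transfer events with each transaction's sender, know the pool/router addresses, and have collected prior Approval events. The sample data is constructed.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Transfer:
    block: int
    tx_sender: str  # account that signed the transaction (tx.from)
    src: str        # ERC-20 Transfer event "from"
    dst: str        # ERC-20 Transfer event "to"
    amount: int

def suspicious_drains(transfers, pools, prior_approvals):
    """Transfers spending a holder's balance where the holder neither signed the
    tx nor approved the tx sender earlier (prior_approvals: (holder, spender)).
    Pool/router contracts are skipped: every swap spends their balance."""
    return [t for t in transfers
            if t.src not in pools and t.src != t.tx_sender
            and (t.src, t.tx_sender) not in prior_approvals]

def drain_operators(drains, min_victims=2):
    """Transaction senders whose flagged transfers hit several distinct holders."""
    victims = defaultdict(set)
    for t in drains:
        victims[t.tx_sender].add(t.src)
    return {op: len(v) for op, v in victims.items() if len(v) >= min_victims}

def round_trip_ratio(transfers):
    """Share of volume on address pairs that also move tokens the other way.
    A few accounts buying and selling to each other pushes this toward 1."""
    flow = defaultdict(int)
    for t in transfers:
        flow[(t.src, t.dst)] += t.amount
    total = sum(flow.values())
    reciprocal = sum(v for (a, b), v in flow.items() if (b, a) in flow)
    return reciprocal / total if total else 0.0

# Constructed sample, not real chain data: washA/washB round-trip through the
# pool, two buyers get drained by "operator", who resells into the pool.
POOL, A, B, OP, V1, V2 = "pool", "washA", "washB", "operator", "victim1", "victim2"
SAMPLE = [
    Transfer(100, A, POOL, A, 500), Transfer(101, A, A, POOL, 500),
    Transfer(102, B, POOL, B, 700), Transfer(103, B, B, POOL, 700),
    Transfer(110, V1, POOL, V1, 100), Transfer(111, V2, POOL, V2, 150),
    Transfer(112, OP, V1, OP, 100), Transfer(113, OP, V2, OP, 150),  # drains
    Transfer(114, OP, OP, POOL, 250),
]

if __name__ == "__main__":
    drains = suspicious_drains(SAMPLE, {POOL}, set())
    print(drain_operators(drains), round(round_trip_ratio(SAMPLE), 2))
```

Both checks are heuristics for triage rather than proof: a legitimate gasless (EIP-2612 permit) relay also spends a balance the holder did not sign for on-chain, so flagged operators still need the contract's permit code reviewed as Roffett did.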
Other Scam Tokens Identified
Roffett’s investigation revealed that the same scam method was being used with at least two other tokens on the GMGN trending list: Robotaxi and DFC. The researcher warned that this tactic could be widespread, with scammers using it to manipulate the trending lists and lure in more victims.
A Growing Problem in Crypto
This scam is just one example of the ongoing risks facing crypto users. In April 2024, a similar honeypot scam involving the BONKKILLER token saw developers drain $1.62 million from victims who purchased the token, only to find they couldn’t sell it. In 2022, blockchain risk management firm Solidus Labs reported that over 350 scam coins were created in a single year, highlighting the growing problem of fraudulent tokens in the cryptocurrency market.
Roffett’s Warning: Stay Away from Trending Lists
Roffett emphasized that users should be cautious when purchasing tokens from trending lists on memecoin sites like GMGN, as they can be manipulated to promote scam tokens. He warned:
“Malicious developers first use multiple addresses to simulate trading and holding, pushing the token onto the trending list. This attracts small retail investors to buy, and eventually, the ERC20 tokens are stolen, completing the scam.”
Roffett urged the community to be aware of these tactics, especially novice retail investors who may not be familiar with how scams like these work.
Conclusion
Scams like these pose a significant threat to the crypto ecosystem, particularly within the memecoin space, where projects can quickly rise in popularity based on hype rather than substance. Roffett’s investigation sheds light on how scammers are exploiting the popularity of trending lists to manipulate the market and steal funds. Users are advised to exercise caution and conduct thorough research before buying any token, especially those that seem to have no clear purpose or come from obscure projects.
As the memecoin market continues to attract new users, the prevalence of scam tokens remains a persistent issue. The broader crypto community must remain vigilant to prevent further exploitation of unsuspecting investors.