Crypto Twitter Honeypotting: My Private Keys Are Yours

A honeypotting scam is doing the rounds on Twitter, luring victims with free crypto. 

The scam attempts to convince victims to import the phrase to an address/wallet. These messages are being sent to many and have been doing the rounds for the past month.

The message reads as follows:

One of Coinfirm’s top data analysts received more than 20 of these messages in the past week alone, with even Coinfirm’s official Twitter account having received them.

The messages are being sent in multiple languages.

The messages are very similar, with the senders giving access to a private key or a seed phrase to an address. Typically done on the Tron blockchain – due to the low fees and high speed of transactions on that chain – and with the scammer asking the potential victim to use their online wallet.

The direct messages are sent utilising bots to multiple Twitter accounts.

But why would a bad actor be seeking unsuspecting victims to give them private keys to addresses? Usually, it is the other way around. There are a number of reasons bad actors would do this. 

Diluting Transaction Tracing

One reason is a bad actor could be seeking a ‘mule’ to dilute the tracking of funds. In this case, the given address contains some crypto (but a small fraction of the original stolen funds from a hack for instance).

The bad actor hopes the victim imports the seed phrase/private key to use the funds – originally obtained via illicit means – to send to the victim’s own other addresses. The goal is that this confuses blockchain tracing algorithms utilised by investigators and FIUs.

Confusing Location Tracing

Another could be that the accounts are empty or near-empty, but the bad actor still wants victims to import the private key or seed phrase. Victims, using their mobile wallet logs onto the servers with their IP address. Thus this blockchain address is now active in a new physical location. This way the authorities tracing a hack or other criminal activity are now seeking the new jurisdiction that address came online in. 

Cyber hackers are heavy users of VPNs, therefore their location is unlikely to be easily found out.

So if 7 people across different countries use the address or simply just import the private key, authorities from 7 jurisdictions will now be involved.

However, both of the reasons cited above are unlikely due to: a) the high attention that this scam is garnering on crypto Twitter, b) the more efficient method of sending funds to random addresses scraped from a blockchain explorer and c) the sophistication of blockchain tracking algorithms such as those run by Coinfirm.

Honeypotting

The third, confirmed scenario, is the ‘honeypot’. Below we take a quick look into a method of skimming many victims of small sums.

First, the scammer sends bulk DMs to potential victims, asking for ‘help’ in transferring the scammer’s USDT funds. Victims receive the message, restore the seed in a wallet, and view that it contains 580 USDT.

The victim thinks they’re smart and attempts to steal quickly move the USDT to a wallet the victim controls. However, as the address does not have enough TRX/ETH – depending on the chain – to pay the gas fee to move the 580 USDT, the victim thinks that if they send enough gas to the address in question they can quickly move the funds. The victim purchases enough TRX/ETH for the gas – $10 worth for instance – and ships it to the address.

But the scammer is either – depending on the blockchain in question – utilising a smart contract and only a dedicated address can access the funds from the account (ETH) or it’s the address itself that has an owner (the scammer) with full privileges to that address on Tron so nobody else but them can move the funds (TRX).

The scammer then uses a bot to detect the $10 in TRX or ETH arriving in the address and sends the funds to another address before the victim can do anything.

Victims (green) send funds directly to wallets controlled by a scammer (gold) that is then sent on to other addresses (orange/yellow) for the purpose of beginning the money laundering process with layering (blue).

In the direct above example the honeypot scam – so-called because the receiver of the message ostensibly believes they have spotted an opportunity and follows the instructions of the bad actor when in reality they are the victim – is quite sophisticated, due to the scammer employing both Twitter and blockchain-based bots.

If it sounds too good to be true, it usually is.