This post explains one of the latest scams on our blockchain, how it worked, and how we can avoid it. Thousands of accounts were involved.
A Fake Proposal Scam!
I learned about this new scam yesterday while reading the chats on the Hivewatchers Discord server. As you can read in the comment by @hivewatchers, a large number of accounts were used to upvote a fake proposal: https://peakd.com/me/proposals/333.
Most of these accounts were created in the last month and held no HP of their own. So how did they manage to get roughly 14K HP worth of delegations (207 HP each)?
That is exactly what I am here to explain. I am a moderator at Ecency, so I had an idea, but 14K HP worth of delegations seemed like a lot, so I had to dig deeper to find out what was happening. This is where my rusty SQL and Python skills helped. More on that later.
Ecency Reward System — POINTS
Ecency has a reward system for using its platform (like many other front-ends). There is a token (not listed on exchanges) called Points.
You can earn Points in many ways:
- Creating a post - 15 Points
- Comment - 5 Points
- Upvote (100% Vote) - 1 Point
- Reblog - 1 Point
- Login into Ecency - 10 Points
Etc.
Each subsequent operation of the same kind gives fewer Points. Say, for the first vote of the day you get 1 Point, but for the next upvote you only get 0.9 Points, and so on. This is a good way to reduce Points farming with a single account, and it works well.
These Points can be used for some Perks, like:
- Promoting your post on Ecency - 150 Points for a 1-day promotion, 250 for 2 days, etc.
- Boosts+ - Spend 1500 Points to get ~200 HP delegated for 7 days, 6000 Points for 30 days, etc.
(You can also buy these Perks with money from the Ecency app.)
I love the Promotion perk and have used it a lot, but I always thought Boosts+ was a bit too expensive. Earning 1500 Points takes a while if you have just one account and are not very active or engaging. Not so if you have thousands of such accounts.
My Findings
8700+ accounts (mostly new accounts created in December, plus likely some stolen accounts) were used to earn Points for 3 days. Each of those accounts had enough RC to reblog and upvote a few posts, which earned them anywhere between 10 and 20 Points. These Points were sent to a few collector accounts, which then distributed 1500 Points each to the ~70 accounts mentioned by @hivewatchers. Those accounts used the Points to buy 207 HP worth of delegation each for 7 days.
In total these accounts gathered a whopping ~170K Points. More than 8700 accounts were involved in these Points transactions. I have uploaded a list of all the accounts I found that are connected with this group and were involved in sending or receiving Ecency Points: https://filebin.net/esejxc9u7sruml4h
- 'all_names.txt' contains the 8735 usernames involved in this fake proposal scam.
- 'already_blacklisted.txt' contains the usernames already blacklisted by Hivewatchers (4851 accounts).
- 'not_blacklisted.txt' contains the 3884 accounts not yet blacklisted by Hivewatchers (last checked a few hours ago).
(I can give you these lists on Discord too, if someone is having trouble downloading them. Discord: @pravesh0)
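Below is a worked version of the connected-accounts search described above, added here as an example; it is not the author's actual SQL or Python. It runs over a constructed set of Points transfers and account creation dates (real data would be pulled from HiveSQL, and the tuple shape used here is an assumption, not the real table layout). Starting from the accounts known to have voted on the proposal, it walks the transfer graph to find everything connected to them, flags the pooling accounts that receive Points from many senders, and separates the fresh December cohort from older accounts that deserve a manual look before any blacklisting, since a single transfer from a compromised or legitimate old account is enough to pull it into the component.

```python
from collections import defaultdict, deque
from datetime import date

# Constructed sample data (not from the post): Ecency Points transfers as
# (sender, receiver, amount). In practice these come out of HiveSQL; the
# tuple shape here is an assumption, not the real table layout.
TRANSFERS = [
    ("farm001", "collector1", 12.0),
    ("farm002", "collector1", 15.5),
    ("farm003", "collector1", 11.0),
    ("farm004", "collector2", 18.0),
    ("farm005", "collector2", 14.0),
    ("oldaccount", "collector2", 20.0),   # an older account that fed the ring
    ("collector1", "voter01", 1500.0),    # exactly one Boosts+ purchase, forwarded on
    ("collector2", "voter02", 1500.0),
    ("contest-host", "winner1", 50.0),    # unrelated legitimate contest prize
    ("winner1", "buddy", 5.0),
]

# Constructed account creation dates (real ones come from the chain).
CREATED = {
    "farm001": date(2024, 12, 18), "farm002": date(2024, 12, 18),
    "farm003": date(2024, 12, 19), "farm004": date(2024, 12, 19),
    "farm005": date(2024, 12, 20), "collector1": date(2024, 12, 21),
    "collector2": date(2024, 12, 21), "voter01": date(2024, 12, 22),
    "voter02": date(2024, 12, 22), "oldaccount": date(2022, 3, 4),
    "contest-host": date(2021, 6, 1), "winner1": date(2023, 9, 9),
    "buddy": date(2023, 1, 2),
}

# Seed set: accounts already flagged for voting on the fake proposal.
SEED_VOTERS = {"voter01", "voter02"}
CUTOFF = date(2024, 12, 1)


def build_graph(transfers):
    """Undirected adjacency list: a Points transfer links sender and receiver."""
    graph = defaultdict(set)
    for sender, receiver, _amount in transfers:
        graph[sender].add(receiver)
        graph[receiver].add(sender)
    return graph


def connected_accounts(graph, seeds):
    """Breadth-first search from the seeds; returns every account reachable
    through a chain of Points transfers (the ring plus anything it touched)."""
    seen = set(seeds)
    queue = deque(seeds)
    while queue:
        account = queue.popleft()
        for neighbour in graph.get(account, ()):
            if neighbour not in seen:
                seen.add(neighbour)
                queue.append(neighbour)
    return seen


def split_by_creation(accounts, created, cutoff):
    """Accounts created on or after the cutoff are the fresh bot cohort.
    Older accounts are returned separately for manual review: one transfer
    from a compromised or legitimate old account pulls it into the component."""
    fresh = {a for a in accounts if a in created and created[a] >= cutoff}
    return fresh, accounts - fresh


def collectors(transfers, accounts, min_inflows=3):
    """Accounts inside the component that receive Points from many distinct
    senders: the pooling points where farmed Points are aggregated."""
    inbound = defaultdict(set)
    for sender, receiver, _amount in transfers:
        if sender in accounts and receiver in accounts:
            inbound[receiver].add(sender)
    return {a for a, senders in inbound.items() if len(senders) >= min_inflows}


def investigate(transfers=TRANSFERS, created=CREATED, seeds=SEED_VOTERS, cutoff=CUTOFF):
    graph = build_graph(transfers)
    ring = connected_accounts(graph, seeds)
    fresh, review = split_by_creation(ring, created, cutoff)
    return {"ring": ring, "fresh": fresh, "review": review,
            "collectors": collectors(transfers, ring)}


if __name__ == "__main__":
    result = investigate()
    for key in ("ring", "fresh", "review", "collectors"):
        print(f"{key}: {sorted(result[key])}")
```

With the sample data the contest host and its winner never enter the component, the two collectors are flagged as pooling accounts, and the only pre-December account lands in the review bucket instead of the blacklist candidate list.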
How can we avoid such scams? Possible Solutions.
I would not blame Ecency for this at all. The real problem is how they managed to create thousands of accounts within a couple of days. To my limited knowledge, Ecency was not used to create them; it was only used to earn Points. Regardless, I have a suggestion for the @ecency dev team, which I will convey to them after this post as well.
Give delegations only to accounts with Reputation 40 or above (maybe even 50)? I know 200 HP is not a small amount for beginners, who benefit from it the most, but you can reach Reputation 40 with a few good posts anyway. This would help cut out a lot of such scams in the future.
@good-karma, what do you think? And how about blacklisting all these 8735 accounts from earning any more Points?
We need to stop these mass account creations, and I don't think these scammers are paying for accounts when creating them. Somehow they keep creating thousands of accounts for free while genuine users are not able to. (I might be wrong here.)
Thanks to @arcange for his amazing work on HiveSQL. It was fun working with it. I was running SQL queries for the first time in 4 years, and it was a lot of fun for the most part (and a mess sometimes XD).
I saw that fake proposal a few days ago and it led to nothing when I checked. Surprisingly it had two big supporters: one with over 120k HP and another with nearly 20K HP. Both accounts are familiar to me and are active. I had no idea why they would support a fake proposal other than being careless and ignorant.
The other thing I can't understand is why the scammer is so stupid to create a fake proposal and get on people's radar.
There is a possibility this could have been a test run to maybe see how viable it is to exploit the points system to get a proposal passed.
But a bit of math would have made it clear it's not viable without 100k or more accounts all farming points like crazy.
And even then the exploit is now public and can be patched and mitigated, so generally it seems, at least in our eyes, completely pointless.
Unless the scammer knows of other methods we have yet to figure out that they can now try to exploit to a larger extent? Either way it'll get caught quickly, so any attempt to get DHF funds illegitimately will not net you all that much, maybe 1 or 2 payouts since they happen hourly. Depending on the daily pay it could be a lot or nothing.
They would never have got funding, and whenever you do things on such a large scale it's bound to trigger alarms.
It was a fresh idea, but that was bound to fail. Even Ecency account don't have a lot of HP to delegate so the proposal would have never passed without the support of many big whales.
They were never going to get funded, but maybe they thought it was worth a try. They have shown their hand now, so people will be onto them.
We blocked and undelegated those accounts a couple of days ago. Thanks to Hivewatchers and to you for doing the extra research!
Perfect! Thanks!
Thank you for the mention @pravesh0. I'm glad to read it's helpful and you had fun with it while doing your investigations.
BTW, may I ask you to support the HiveSQL proposal so we can keep it free for the community?
You can do it on Peakd, ecency,
Thank you!
I thought I was already supporting it through a proxy user (which I set a long time ago). Turns out that didn't work; anyway, I have supported it now. Thank you again!
Thank you for your support, much appreciated! 👍
When it comes to account creation there are little to no checks done on creations services that prevent mass bot signups.
It's actually very difficult to do any real meaningful verification without making it considerably annoying for real users. Email isn't sufficient, phone numbers are not great either, and you can't filter IPs. It's tricky; honestly it's better to just make people pay to sign up, even if it's insanely cheap. The only trouble is there are few to no places where you can pay in other crypto to sign up to Hive (that I know of).
Just a few days ago I checked accounts reported to have been 'onboarded' by Hive on Board. I found one account that appeared to be a sock created to farm Vibes out of the couple dozen I checked that had any account activity at all. It may well have been a cohort of these bots, although I have no recollection of any of the details of the accounts.
There are a lot of substantially staked users that have 10k or more accounts by now. I never bothered to try to find out, but when an account token is claimed and an account created, there must be a record of what account was the source of the account claim, and that should enable attaching the claimed token to the account created because these transactions are recorded on the blockchain. Am I wrong?
One way of knowing is checking the account recovery, it's not perfectly accurate since it can be changed but a lot of the time it never is, it by default is set to the owner of the creation token.
I had thought there was a variable in an account's general on-chain data that mentioned the creator, but it seems there isn't, or at least on hive.hub it isn't shown if such a thing does exist.
Not sure if something like this would get added since there isn't a need to know who created an account other than to perhaps find abuse, I mean it's be a nice data point to have for statistical data.
One could parse the blockchain looking for transactions that spend a creation token and tally them up....
On that note actually, you could find the creation date of an account, grab the block and find the create account transaction that is sent when a token is redeemed, it's sent by the account who owns the token.
This seems a potential mechanism for identifying the scammer who created these accounts, even if the cost of claiming the accounts was somehow gamed or hacked rather than afforded via the intended stake-weighting mechanism. Given the quantity of accounts used in the scam, automating a tool to perform the process would seem advisable. Additionally, this same mechanism would seem to have potential for resolving the identity of accounts gaining control of accounts whose keys have been phished or otherwise acquired by hostile actors, which has been an ongoing issue since the inception of Steem, since the date and time of many such seizures is known, and the transactions implementing changes in keys, power downs, and other actions typically undertaken during seizure of accounts would be stored in such archived blockchain data.
I do not have the coding expertise myself to acquire and parse this data, nor to code tools to automate such processes. I am willing to participate in funding such work, however. Is this work you have the capability to perform? If so, can you estimate the cost of performing that work and identifying the criminals involved in these crimes? If not, with appropriate consideration to the fact that the perpetrator of this recent scam apparently possessed nominal stake to fund claiming >7000 accounts in December 2024, can you provide a minimum required stake to claim that many accounts? That would at least enable seeking coders to perform the necessary work who are unlikely to be the scammer themselves, and therefore potentially trustworthy.
I very much appreciate your consideration and substantive comment on this matter.
Edit: upon rereading your response, "the account recovery...by default is set to the owner of the creation token." the account recovery information of each account would inherently be a feature of the account upon creation, that should be included in blockchain data recording the creation of the account.
This would seem to be a sure and certain means of identifying the account responsible for creating the bot army that was used in this scam. Is acquisition and parsing of this data something you have the capability to do? If so the above questions regarding cost of the work would equally apply.
The current minimum stake required to claim a token once every 4-5 days is around 10k HP iirc.
A claim uses about 80% of the RC on an account that size and takes 4 days to reach 100% again; then you claim again.
On my account of 23.3k HP a claim uses 27% of my RC, so I can claim an account every ~1.2 days, recovering 20% RC a day. It'd be safe to say an account of 50k could probably claim 2-3 accounts a day, and 100k would be 3-7 a day, depending on what the RC cost of the TX is at any given time.
Given enough time you can build up a lot of account tokens, as you can claim them and then hold on to them forever until you finally make an account with them.
I currently have 257 such creation tokens myself. Accounts like OCDB probably have in the 10s of thousands, if not more.
I had thought the account recovery wouldn't be reliable, but of course everything is stored on chain as history, so even if they changed their recovery account we can go back and see what it was previously. Finding the first instance would give us the account that redeemed the token.
I probably do have the skills to create a system to parse the blockchain and create a web of account creation stats, but I don't generally do work for other people as I just do stuff as a hobby in my own time (in other words, I don't feel I can reliably get something finished as my interest in projects flip-flops like crazy).
It seems like an interesting project, one I'd probably make for fun along with some other ideas I have kicking about, but at the moment I'm learning more about Rust as a means to do these projects and know a robust language rather than continuing to use JavaScript/Node.js or other things that just don't vibe with me too well.
EDIT: Regarding account claims, it's also worth noting that you could very well lease HP, i.e. pay for a delegation of HP, or better yet just RC, as it's probably even cheaper, and then claim account tokens that way. So you could get like 100B RC for example for 1-2 Hive a week and claim tokens like crazy.
My account has a max of 39.3 trillion RC
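The idea discussed in the exchange above, namely recovering who created an account from its creation operation and what its recovery account originally was even if it was later changed, worked through as an added example. This is not code from any of the commenters; it runs over a constructed, simplified sample of account-history operations, and every account name, block number and trx id in it is made up. The operation names and fields (claim_account, create_claimed_account, account_create, change_recovery_account) are the Hive ones; the overall record shape is trimmed to what the example needs.

```python
from collections import Counter

# Constructed operations shaped like the "op" part of Hive account-history
# entries, trimmed to the fields used here. Nothing below is real chain data.
HISTORY = [
    {"block": 91_000_001, "trx_id": "aaa1",
     "op": ["claim_account", {"creator": "bigstake", "fee": "0.000 HIVE", "extensions": []}]},
    {"block": 91_000_002, "trx_id": "aaa2",
     "op": ["claim_account", {"creator": "bigstake", "fee": "0.000 HIVE", "extensions": []}]},
    {"block": 91_000_100, "trx_id": "bbb1",
     "op": ["create_claimed_account", {"creator": "bigstake", "new_account_name": "farm001"}]},
    {"block": 91_000_101, "trx_id": "bbb2",
     "op": ["create_claimed_account", {"creator": "bigstake", "new_account_name": "farm002"}]},
    {"block": 91_000_102, "trx_id": "bbb3",
     "op": ["create_claimed_account", {"creator": "onboardsvc", "new_account_name": "farm003"}]},
    {"block": 91_000_103, "trx_id": "ccc1",
     "op": ["account_create", {"fee": "3.000 HIVE", "creator": "payservice",
                               "new_account_name": "paiduser"}]},
    {"block": 91_000_500, "trx_id": "ddd1",
     "op": ["change_recovery_account", {"account_to_recover": "farm001",
                                        "new_recovery_account": "elsewhere", "extensions": []}]},
]

# Both ways a new account appears on chain: from a claimed token, or paid for
# outright with a HIVE fee.
CREATION_OPS = {"create_claimed_account", "account_create"}


def op_type(entry):
    return entry["op"][0]


def op_body(entry):
    return entry["op"][1]


def creation_records(history):
    """Map each new account to (creator, op type, block). The creator is also
    the recovery account the new account starts with."""
    records = {}
    for entry in history:
        if op_type(entry) in CREATION_OPS:
            body = op_body(entry)
            records[body["new_account_name"]] = (body["creator"], op_type(entry), entry["block"])
    return records


def tally_creators(history):
    """How many accounts each creator produced in this slice of history."""
    return Counter(rec[0] for rec in creation_records(history).values())


def tally_claims(history):
    """claim_account operations per claimer. A fee of "0.000 HIVE" means the
    token was paid for with RC rather than with HIVE."""
    counts = Counter()
    for entry in history:
        if op_type(entry) == "claim_account":
            counts[op_body(entry)["creator"]] += 1
    return counts


def original_recovery_account(history, account):
    """The recovery account at creation time, i.e. the creator, regardless of
    any later change_recovery_account operations."""
    rec = creation_records(history).get(account)
    return rec[0] if rec else None


def recovery_account_changes(history, account):
    """Every later change to the recovery account, oldest first, so the
    creator can still be recovered even after the field was rewritten."""
    return [(entry["block"], op_body(entry)["new_recovery_account"])
            for entry in history
            if op_type(entry) == "change_recovery_account"
            and op_body(entry)["account_to_recover"] == account]


def creators_of(history, suspects):
    """For a set of suspect accounts (e.g. the fake-proposal voters), which
    creators produced them and how many each. Unknown accounts are skipped."""
    records = creation_records(history)
    return Counter(records[a][0] for a in suspects if a in records)


if __name__ == "__main__":
    print("creators:", tally_creators(HISTORY))
    print("claims:", tally_claims(HISTORY))
    print("farm001 started with recovery account", original_recovery_account(HISTORY, "farm001"),
          "and later changed it:", recovery_account_changes(HISTORY, "farm001"))
```

On a real investigation the HISTORY list would be filled from the chain (the creation op sits in the block matching the account's creation timestamp, as the thread notes) and the suspects passed to creators_of would be the flagged voter accounts; a single creator dominating that tally is the lead worth chasing.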
HW reports that the creator of the accounts has been identified and used an exploit to create the accounts. However, the recovery account being set as a feature of accounts upon creation is a useful thing to remember, and I very much appreciate your sound counsel.
Fraud will increase proportionally to the growth of the cost of #hive
That's an interesting attack. If anything is given away, such as points, then it may be exploited. I do think there should be further requirements to get a delegation. It's pretty easy to build the reputation up a little.
If their plan had worked then they would get a nice chunk of HBD, but the proposal would need a lot more support. Even established projects can struggle to get the votes.
I could create a few hundred accounts for free if I wanted to thanks to my HP. Not that I would use them for evil.
We have to learn from these experiences. As Hive grows we will see more attacks.
Me too, but at least some minimum rep would eliminate thousands of new accounts created just for this purpose.
I remember even Ecency having tough time last year to get their proposal renewed. So you are right, it won't be possible this easily.
Amazing work!
Thanks for this great effort, my friend. You don't really think people can do that until they find a loophole in something, but when they do, they exploit it to the fullest. 55 Reputation would be a better idea. I know a lot of users on Hive reached that level after writing a post that was upvoted by a whale.
Yeah, 40 might be too easy nowadays. But what are the chances that all of those thousands of posts will be upvoted by whales? Plus, if they make posts, they won't have enough RC for the other operations that give them Points.
Idk, lots of them getting upvotes from OCD if they are eligible but you are right too. Not everyone is that lucky :)
GG! 💕
A little bit crazy to farm that many points, so fast :D
Thanks for the tremendous effort, brother. You discovered one of the big traps they set. I hope that measures are taken to prevent this, and that the people of Value Plan and all the others who have a lot of HP are vigilant against these ill-intentioned people, because what they want is to steal from the Hive reward pool.
It's amazing that someone has gone to the trouble of programming a bot that sends multiple accounts to earn Ecency Points, claim HP and use it to vote on a proposal, haha. Maybe a solution would be to only allow one boost claim per active IP; however, most of us already have dynamic IPs, but I guess that would complicate the issue a bit more.
I was impressed too. That was smartly done. I think Ecency had a similar IP restrictions on creating free accounts.
Good work mate... you pulled a batman here
Good to know. Many of us read the proposals but do not know what is real and what is not. We may like the idea, but in today's world sometimes we need help to open our eyes and recognize what is true and what is false. Maybe someone has already thought of this idea, but why not add real-time identification with every registration via a selfie video rather than just a photo? Many platforms already use this, and I think it would help reduce the number of fake profiles. Thank you for sharing 🙏☺️
A selfie video? I would have never been here if that was the case.
Many of us are here because you can stay anonymous and still contribute to this chain. I have friends here whose real names/face I don't even know and not even interested to know. I am more interested in what they do!
No, I mean the check should be done upon registration. Not everyone has to see who you are; the platform/system can just check if you are a real user, if you have other accounts, etc. The video can be temporary and then deleted, or a reverse image search can be used to compare footage from the video to other photos on the platform (an introduction post, for example). I think that again I'll receive hate because of this idea 😆😅😂
Because some jurisdictions use biometric ID, gaining the biometric data of a person in such a jurisdiction enables fraudulently pretending to be that person in other jurisdictions, where financial fraud can be undertaken that will be connected to the ID theft victim, who would have no way of knowing about events ongoing in foreign jurisdictions. Because of such potential fraud I adamantly oppose ever using any biometric data, such as pictures or video of someone's face, eyes, fingerprints, etc., for any purpose on Hive.
Last I heard the biometric data of about half the population of India can be purchased on the darkweb for ~$80K. The incompetence of government and corporate entities to secure data is notorious. Not a day goes by that some new penetration isn't reported. In jurisdictions using biometric ID, people whose biometric data has been acquired by criminals can never, ever change their biometric data, and will be plagued by potential ID theft for the rest of their lives, and nothing can be done about that once their biometric data has been acquired by hostile parties.
Such data used for a temporary purpose might be deleted, or it might be claimed to have been deleted. I am not willing to take the chance that I might be subjected to criminal fraud for the rest of my life for the opportunity to open an account on Hive. I hope the vast majority of people interested in joining Hive aren't either.
You are right. Yet it was just an idea. Besides, we live in a world that already has our data. Phones require a fingerprint or a selfie, and we can't know for sure if that data isn't being uploaded somewhere, haha. Everyone has free will and decides for themselves whether to fake or cheat. There is no way to change that. But if we start attacking and blaming platforms or communities, won't we destroy this online world we've created here?
For example, communities demand originality - Hive Watchers and their rules actually teach us something, much like parents. Ecency and other front-ends give us the freedom to vote, promote and get support through automated systems or Google Pay. Most whales have invested time and money to become who they are. All of this just directs us to be better. But it is our free will that leads to mistakes - just as it does in the real world.
We often get hurt by communities, people or platforms and start making excuses or attacking others. This is the world we live in today. Crypto and Hive give us a chance to earn extra income, meet new people and places, and see the thoughts and creativity of others.
Yes, anonymity is a good thing, but why should we be afraid of who we are? We are different now, but sooner or later we will all end up in the same place - bodily, sorry 😆. Unfortunately this stuff will never change because it is part of who we are. The world is changing and so are we - we are adapting, bringing our personalities and problems from everyday life even online, and searching for easy path, always. It is this change that makes us lose faith in people.
Sorry for the long comment - just thought I'd share an opinion. Online worlds and platforms are no different from the real world because we participate in both. And again sorry if I got slightly off topic, haha. We just need to be a bit more positive, the world is already dark enough 😆😂
Mine don't, and if they ever do, I'll not use a phone. I don't use any form of biometric ID, and I won't ever if I can prevent it in any way. I don't use Google anything, particularly not Google Pay. There are no excuses, there are only reasons. If I get scammed, there is no excuse and it's not the scammer's fault. It's my fault because I was vulnerable.
I have learned to avoid being vulnerable by having a great deal of wealth stolen from me. I was the weak link. I am unwilling to allow what I have to be stolen again, so now I do not do things that can enable thieves to take what I have from me.
It's not being negative, it's being responsible. You lock your door when you leave your home, right? It's just common sense.
You may find it difficult to be more positive if you suffer theft of what you value very highly. On the other hand, if you have things you value very highly, you will feel very positive about having them, so not having what you have stolen from you increases how positive you can be. The best way to keep feeling positive is not to have things stolen from you, or to be victimized by criminals, so I hope you consider carefully before putting information out on the internet that can be used by clever thieves to take things from you.
Be well.
With the advancement of AI and picture/video generation you can fake them too.
But keep those ideas coming haha
Whoa, sometimes I wonder, the effort they put in wrong doings is nearly equal if they want to do something right. Then why the wrong path, lol.
Anyways, good job pravesh Bhai.
170k points wow! And here I am getting 1 point per day on the free spin 😅. Thank you for this info.
LOL
Well done and thanks for reporting bro 😄👍.
Good job @pravesh0, amazing 🤩
Great work! It's absurd how those accounts were able to farm 170k points in such a short time.
Thanks for this information. One should be really careful so as not to become a victim of these scammers.
Namaste 🙏, nice research bro, your efforts will keep hivers aware of such types of scams. !INDEED !PIZZA
Namaste bhai! Thank you!
Wow, crazy… 😱 so that is what they were doing. 5 days ago my post got over 8000 reblogs and likes. I mentioned it in Waves when it happened. I saw the same thing happening to several of my friends' posts at that moment. Those accounts were 2 weeks old, with no rep or any voting power. I didn't understand why they went through all the effort. Now I understand what they were after 🫣
Luckily it was picked up.
Congrats, you were the chosen one xD
I never got that many reblogs in my 3+ years on Hive.
Hahaha, I'd rather not be chosen like this. It didn't do any good for my post, as afterwards it wasn't seen anymore. 🫣
Have a nice day!
Thanks bhai , good job
Thanks, bhai!
welcome bhai
Hey brother, you did a very deep investigation.
And I totally favour your suggested delegation method for Rep above 40.
Otherwise, such instances will continue to happen.
By the way, how much time did the research take?
It took 3-4 hours. I had completely forgotten SQL, and querying such a big table also takes a lot of time. The table containing these transactions has 1.4 billion records. There is a lot of free data lying around here. And I'm only talking about one table; there are many different ones like it.
Brother, I don't do all this and don't even think of doing it. My system would give up. 😅
Wow, 170k points? That’s insane! Thanks for breaking it down so well!
That's a conservative estimate, it is likely close to 200k Points
Nice work! fake accounts will become more numerous if $HIVE increases in value.
I think they are exploiting the points system. You just need to have the page open and you get 0.250 points every 15 minutes (heartbeat points). You don't even have to be on the page for it to count. I just watched a YouTube video and got points for having the page open. @ecency, you need to make the heartbeat points only count when you are on the page, or eliminate them altogether.
As always doing an excellent job, we must put an end to the cheaters who do not play fair
That's some great research, it's crazy how creative people get when trying to scam money.
Hello.
The accounts were created with Hive on Board.
Thank you for finding the remaining ones and breaking down how Ecency Points farming worked.
The report for 25th December was missing so I suppose that I did not get them because of that.
I have the data involved in this with more info on accounts creation date. I have it in an excel sheet here https://filebin.net/bn1hyysx0ea5denn
The major findings were: most of the accounts involved were created in Dec 2024, but many hundreds were from before (likely stolen or compromised).
Only December Data ^^
That's like 90% of the accounts involved here.
All the accounts involved ^^
But there is a slight problem with some part of the data: the old accounts. Some of those old accounts have likely transferred Ecency Points to someone whose accounts got compromised in the past. This might introduce some false positives in the early records (before December).
So, I would not blanket blacklist all the accounts created before December.... they are not many anyways. One example of this is the user @olgavita who sends Ecency Points weekly as a contest prize in their community.
Thanks @opravesh0.
I whitelisted olgavita.
It would be great if you could find out which accounts exactly do not fit in that group, so they will not be unnecessarily blacklisted.
It is unlikely that this scammer has stolen or compromised any accounts. All he seems to be doing is creating new accounts that exploit the HOB vulnerability.
What was most important was to find out which account creation service the scammer used on 25th December if it was not HOB.
I am unfamiliar with the process for claiming free accounts and creating them through Hive on Board. When claiming an account token and creating the account a record of the transaction is preserved on the blockchain, is it not? It seems the perpetrator of this attempted scam was well staked enough to claim >8700 accounts, which should narrow down the potential suspects quite a bit.
Hi.
I had already found the scammer.
The abuser is bgmoha / albro / brook.dev (identity theft)
The vulnerability was the bug with a referral code that was allowed to be endlessly re-used for account creation.
This is excellent news!
Thanks again.