Blockchain & Cryptocurrency , Cryptocurrency Fraud , Fraud Management & Cybercrime
Suspected Cryptocurrency 'Rug Pull' Nets Actors $10 MillionAlso: Library of Congress Says Nations Banning Crypto Have Doubled Since 2018
Arbix Finance, a yield-farming protocol that runs on Binance Smart Chain, has reportedly siphoned user funds in what blockchain security firm CertiK labeled a "rug pull" following its incident analysis. The developments follow a recent report issued by the Library of Congress, the research library for the U.S. Congress and de facto national library, that highlights dozens of nations worldwide that have now directly or implicitly blocked cryptocurrency use.
See Also: Mobile App Friction Report: Crypto Edition - Onboarding
In the latest suspected scheme, the yield-farming project Arbix, a protocol that functions by locking cryptocurrency in exchange for interest, was flagged after 10 million ARBX tokens were "minted," or validated, to eight addresses - including 4.5 million to a single address. The blockchain security firm CertiK says the tokens were later "dumped."
CertiK says that $10 million in user-deposited funds were directed to unverified pools, which an actor subsequently drained. CertiK's analysis tool found that a threat actor moved funds to the Ethereum blockchain via decentralized exchanged AnySwap USDT.
CertiK determined the activity was a rug pull, in which administrators heavily market a fake crypto token, acquire user funds and subsequently take off with the collective sum.
'Do Not Interact With the Project'
In one of its initial tweets on the incident, CertiK wrote, "Privileged functionalities appear in the identified smart contracts. … DO NOT interact with the project!"
And Connie Lam, head of CertiK's Incident Response Team, tells ISMG that other "exchanges can help disincentivize future attacks by blacklisting [the Ethereum address 0x4714A26e4E2e1334C80575332EC9eB043B61a2C4] and any associated with it, making it more difficult for the attacker to wash their funds or cash them out."
"It's quite likely there's more to come [here]," says Christopher Boyd, lead malware intelligence analyst at the firm Malwarebytes, in a blog post. "More digging is required, and it's possible one benefit of this service having been audited is it may help with finding out who's behind this. It's also possible the project owners may appear at the eleventh hour with an explanation."
Boyd points to earlier reports that Arbix had been audited and approved by CertiK in November, affording the project credibility at the time.
"There's a lot of angry people on social media in relation to this one," Boyd says. "We've seen a few links being sent claiming to be forms of 'help' or support from Arbix which resolve to things like Telegram links. With no way to verify, we'd suggest being very cautious around any links sent to offer assistance."
"The decentralized nature of blockchain means any anonymous bad actor can launch a project that was destined to be a rug pull or exit scam from the very start," CertiK's Lam says.
Crypto Crime Report
The incident is part of a maelstrom of crypto crimes that has intensified in recent months.
Scammers earned some $14 billion in cryptocurrency throughout 2021, according to a new report from blockchain analytics firm Chainalysis. Losses attached to crypto crimes rose 79% year over year, fueled by theft and scams. Scams were the most significant form of crypto crime in 2021, climbing to $7.8 billion in cryptoassets, with $2.8 billion from rug pulls, the report states. Not far behind, Chainalysis asserts, was theft - in which cryptocurrency projects, often running open-source software - were hacked. Theft reportedly rose 516% year over year, totaling $3.2 billion worth of tokens, and some 72% were lifted from DeFi protocols.
Decentralized finance, which does not rely on traditional intermediaries and instead runs on peer-to-peer smart contracts across decentralized applications, or DApps, was a clear contributor to the losses, the report notes.
According to DeFi Pulse, which tracks related assets, some $94 billion was locked in DApps at the time of publication.
The meteoric growth in DeFi transactions has left the cybersecurity industry concerned over its level of security, as some projects rush to market amid the surge in investment.
In one 2021 incident, a hacker - infamously dubbed "Mr. White Hat" - breached the Poly Network platform to steal more than $600 million in cryptocurrency. In the days that followed, the threat actor returned all of the funds. The crypto project offered them a bounty for detecting security flaws and reportedly offered the hacker a job as a security consultant. Security experts suggest the return was not as noble as it appears, believing the hacker likely had trouble laundering the funds (see: Poly Network Hacker Reportedly Returns Most of Stolen Funds).
Library of Congress Report
Governments worldwide have cited cryptocurrency's volatility, and market and security risks, as primary drivers to enact sweeping regulations.
According to a recent report from the Library of Congress, the number of nations banning cryptocurrencies has doubled since 2018.
The report states whether a country explicitly or implicitly bans the assets. An implicit ban includes bans on banks or other financial institutions dealing in cryptocurrencies and bans on crypto exchanges. The report also looks at the application of tax laws and anti-money laundering and counter-financing of terrorism laws to cryptocurrencies.
The researchers say: "Since the publication of the 2018 report, the number of countries found to have issued cryptocurrency bans has increased significantly." The report points to nine jurisdictions with an absolute ban on cryptocurrencies and 42 with an implicit ban. Three years earlier, those numbers were eight and 15, respectively.
"Likewise, the application of tax laws, AML/CFT laws … has increased exponentially," the researchers say. As of November 2021, 103 jurisdictions - including the European Union member states, minus Bulgaria - have applied similar laws. In 2018, only 33 jurisdictions were found to regulate cryptocurrencies along those lines, with just five applying both tax and AML/CFT laws.
Jurisdictions banning cryptocurrency outright include: China, Egypt, Iraq, Qatar, Oman, Morocco, Algeria, Tunisia and Bangladesh.
'A Testament of Value'
To blockchain security expert Michael Fasanello, the nations enacting stringent control over cryptoassets are those that typically exercise great control over their people.
Fasanello, who has served in various roles within the U.S. Justice and Treasury departments, including for Treasury's Financial Crimes Enforcement Network, says, "Contrast this with North America, for example, where institutional and retail investors have not been curtailed from venturing into the blockchain and crypto ecosystems, and it's a true testament of the value of these technologies to a free society."
Fasanello, who is currently the director of training and regulatory affairs for the firm Blockchain Intelligence Group, predicts that in 2022 more regions globally will take "an actual position" on whether or not to permit the use of cryptoassets. Conversely, he says, 2021 was "very much a year of fence-sitting."
Outspoken cryptocurrency critics, including Sen. Elizabeth Warren, D-Mass., have continued to voice concern around the proliferation of virtual currencies - citing volatility and security concerns (see: Senators Urge Treasury Department to Address Crypto Brokers).
The U.S. Securities and Exchange Commission, under Chair Gary Gensler, has also indicated it hopes to be further empowered to regulate cryptocurrencies through Congress. Gensler has called crypto markets the "Wild West" and "rife with fraud" (see: SEC to Monitor Illicit Activity on DeFi Platforms).