Staying Safe in Web3: OTC Scams

If you hold any significant amount of tokens, chances are you'll run into messages like the ones above.

In case it's not clear, in 99% of the cases, this is a scam. But how do they scam you in OTC, especially if you use an escrow?

"Lucas" (who deleted our chat too fast for me to screenshot it), contacted me offering 1m USD for 20k RMRK. This was the third such offer this past week - for the same amount too! - and so I decided to try it out, take this opportunity all the way to its bitter end. Don't worry, it's a happy ending :)

So how does this unfold?


Step 1: Go for it

They try the old fashioned way.

"Would you mind sending first and then we pay?"

To this, even with very legit customers, you should only say "LOL".

Step 2: Make a group

"Then we need an escrow"

They were totally open to anyone I bring in, so I brought in a friend and colleague: Beler. He confirmed my suspicious immediately and we committed to taking it all the way.

"Can you make a group", Lukas asked.

So I made a group with Beler, Lucas, and myself in it.

Step 3: DMs

The next stage is Lucas DMing each of us separately to ask us to add him on Discord. I refused, Beler complied.

You will see soon why Discord is important to them in this process.

We both knew he was asking us to add him on Discord, but neither one of us asked about it in the common group, to keep the ruse going.

Step 4: The Deal

Lucas proposes. (He keeps calling Beler Lukas because his name is Luka)

Naturally, we accept. It is quite a generous deal.

Meanwhile, Lucas has begun creating Discord groups (while at the same time asking me for tips on how to make a RMRK wallet - he had never scammed anyone before in the Dotsama ecosystem 🙃)

Step 5: Escrow is ready

I send the RMRK to Beler, and we're ready to proceed. What will Lucas do?

Step 6: Discord

By creating groups on Discord, Lucas can pretend we just moved platforms.

But... isn't this really stupid of the seller?

Well, when you're excited about getting a good deal, especially if overworked, your brain can fart in these critical moments and if they set up the mirror account really well they can fool a lot of people.

In this case too, they were targeting the escrow, not the seller, and an escrow usually makes money from taking a cut on the total amount. To them, it's "money for nothing", so unless they're experiences, their hungry eyes may get the best of them.

Step 7: Dissolution

Lucas immediately disappeared. Nice try tho!

Mitigation

So what can one do to avoid this?

  • vet people: no phone / username / credentials, no trade.
  • do not accept the "You send to escrow, I send to you" deals, because this makes it easy to impersonate one side. Always ask escrow to accept BOTH tokens. That is literally what they are for.
  • before releasing any funds to/from the escrow, verify the ownership of each wallet with a phone call or any messaging medium outside of the group you are already communicating in, preferably one the client is not aware of.
  • immedaitely be extremely suspicious of anyone trying to change platform or group.
  • use smart contract platforms so that OTC escrow is not necessary. By putting tokens into a smart contract, you can just execute a swap trustlessly - whoever takes up the opportunity is the buyer.

On Telegram and Discord, people DMing you are guilty until proven innocent. Never think it's the other way around, no matter how interested, impressed, flirty, or trustworthy someone seems.

0 comments