Yufeng Xu,Lun Zhang,Turan Vural,Peng Qian,Yanbin Wang,Yuqing Fan,Ming Li,Xueyan Tang,Zheng Cao

DOI: https://doi.org/10.1145/3650400.3650499

2023-01-01

Abstract:Due to the decentralized and transparent characteristics of the blockchain ecosystem, malicious activities such as phishing scams on the Ethereum platform result in significant financial losses for users. The current methods for detecting phishing largely rely on analyzing original transactions, which makes uncovering hidden transaction patterns challenging. To tackle this limitation, we introduce the Spatio-Temporal Fusion Network (STFN) designed to identify phishing scams on the Ethereum network. Specifically, STFN incorporates two key components: the transactions subgraph encoder for formalizing spatial features, and the transaction sequence BERT encoder for capturing temporal features. By fusing these spatio-temporal features, we facilitate their integration into a machine learning algorithm for classifying phishing accounts. The experimental outcomes underscore the effectiveness of the STFN, achieving an AUC of 93.26% and a Recall of 94.53%, outperforming previous methods for Ethereum phishing detection.

Bowen He,Yuan Chen,Zhuo Chen,Xiaohui Hu,Yufeng Hu,Lei Wu,Rui Chang,Haoyu Wang,Yajin Zhou

DOI: https://doi.org/10.1145/3576915.3623210

2023-01-01

Abstract:The prosperity of Ethereum attracts many users to send transactions and trade crypto assets. However, this has also given rise to a new form of transaction-based phishing scam, named TXPHISH. Specifically, tempted by high profits, users are tricked into visiting fake websites and signing transactions that enable scammers to steal their crypto assets. The past year has witnessed 11 large-scale TXPHISH incidents causing a total loss of more than $70 million. In this paper, we conduct the first empirical study of TXPHISH on Ethereum, encompassing the process of a TXPHISH campaign and details of phishing transactions. To detect TXPHISH websites and extract phishing accounts automatically, we present TxPhishScope, which dynamically visits the suspicious websites, triggers transactions, and simulates results. Between November 25, 2022, and July 31, 2023, we successfully detected and reported 26,333 TXPHISH websites and 3,486 phishing accounts. Among all of documented TXPHISH websites, 78.9% of them were first reported by us, making TxPhishScope the largest TXPHISH website detection system. Moreover, we provided criminal evidence of four phishing accounts and their fund flow totaling $1.5 million to aid in the recovery of funds for the victims. In addition, we identified bugs in six Ethereum projects and received appreciation. Based on the detection results, we perform a comprehensive study of TXPHISH websites and phishing accounts. Our study reveals that TXPHISH websites have a short lifespan, low cost, and fast update frequency. Besides, Our analysis of phishing fund flow demonstrates that 54.0% of phishing funds ($43.7 million) flowed into centralized exchanges, where the identity of owners could be traced. Our research can serve as a valuable reference for Ethereum service providers to safeguard their users against TXPHISH and assist in the recovery of victims' crypto assets.

Pengcheng Xia,Haoyu wang,Bingyu Gao,Weihang Su,Zhou Yu,Xiapu Luo,Chao Zhang,Xusheng Xiao,Guoai Xu

DOI: https://doi.org/10.48550/arXiv.2109.00229

2021-11-11

Abstract:The prosperity of the cryptocurrency ecosystem drives the need for digital asset trading platforms. Beyond centralized exchanges (CEXs), decentralized exchanges (DEXs) are introduced to allow users to trade cryptocurrency without transferring the custody of their digital assets to the middlemen, thus eliminating the security and privacy issues of traditional CEX. Uniswap, as the most prominent cryptocurrency DEX, is continuing to attract scammers, with fraudulent cryptocurrencies flooding in the ecosystem. In this paper, we take the first step to detect and characterize scam tokens on Uniswap. We first collect all the transactions related to Uniswap V2 exchange and investigate the landscape of cryptocurrency trading on Uniswap from different perspectives. Then, we propose an accurate approach for flagging scam tokens on Uniswap based on a guilt-by-association heuristic and a machine-learning powered technique. We have identified over 10K scam tokens listed on Uniswap, which suggests that roughly 50% of the tokens listed on Uniswap are scam tokens. All the scam tokens and liquidity pools are created specialized for the "rug pull" scams, and some scam tokens have embedded tricks and backdoors in the smart contracts. We further observe that thousands of collusion addresses help carry out the scams in league with the scam token/pool creators. The scammers have gained a profit of at least \$16 million from 39,762 potential victims. Our observations in this paper suggest the urgency to identify and stop scams in the decentralized finance ecosystem, and our approach can act as a whistleblower that identifies scam tokens at their early stages.

Cryptography and Security

Enze Liu,George Kappos,Eric Mugnier,Luca Invernizzi,Stefan Savage,David Tao,Kurt Thomas,Geoffrey M. Voelker,Sarah Meiklejohn

DOI: https://doi.org/10.1145/3646547.3689005

2024-09-17

Abstract:Scams -- fraudulent schemes designed to swindle money from victims -- have existed for as long as recorded history. However, the Internet's combination of low communication cost, global reach, and functional anonymity has allowed scam volumes to reach new heights. Designing effective interventions requires first understanding the context: how scammers reach potential victims, the earnings they make, and any potential bottlenecks for durable interventions. In this short paper, we focus on these questions in the context of cryptocurrency giveaway scams, where victims are tricked into irreversibly transferring funds to scammers under the pretense of even greater returns. Combining data from Twitter, YouTube and Twitch livestreams, landing pages, and cryptocurrency blockchains, we measure how giveaway scams operate at scale. We find that 1 in 1000 scam tweets, and 4 in 100,000 livestream views, net a victim, and that scammers managed to extract nearly \$4.62 million from just hundreds of victims during our measurement window.

Cryptography and Security

Dan Lin,Jiajing Wu,Qishuang Fu,Yunmei Yu,Kaixin Lin,Zibin Zheng,Shuo Yang

DOI: https://doi.org/10.48550/arXiv.2305.14748

2023-05-24

Cryptography and Security

Abstract:With the overall momentum of the blockchain industry, crypto-based crimes are becoming more and more prevalent. After committing a crime, the main goal of cybercriminals is to obfuscate the source of the illicit funds in order to convert them into cash and get away with it. Many studies have analyzed money laundering in the field of the traditional financial sector and blockchain-based Bitcoin. But so far, little is known about the characteristics of crypto money laundering in the blockchain-based Web3 ecosystem. To fill this gap, and considering that Ethereum is the largest platform on Web3, in this paper, we systematically study the behavioral characteristics and economic impact of money laundering accounts through the lenses of Ethereum heists. Based on a very small number of tagged accounts of exchange hackers, DeFi exploiters, and scammers, we mine untagged money laundering groups through heuristic transaction tracking methods, to carve out a full picture of security incidents. By analyzing account characteristics and transaction networks, we obtain many interesting findings about crypto money laundering in Web3, observing the escalating money laundering methods such as creating counterfeit tokens and masquerading as speculators. Finally, based on these findings we provide inspiration for anti-money laundering to promote the healthy development of the Web3 ecosystem.

Jintao Huang,Pengcheng Xia,Jiefeng Li,Kai Ma,Gareth Tyson,Xiapu Luo,Lei Wu,Yajin Zhou,Wei Cai,Haoyu Wang

DOI: https://doi.org/10.1145/3589334.3645566

2024-01-01

Abstract:Unlike fungible tokens (e.g., cryptocurrency), a Non-Fungible Token (NFT) is unique and indivisible. As such, they can be used to authenticate ownership of digital assets (e.g., a photo) in a decentralized fashion. Given that NFTs have generated significant media attention since 2021, we perform a large-scale measurement study of the NFT ecosystem. We collect over 242M transfer logs and over 97M marketplace transactions until Aug 1st, 2023, by far the largest NFT dataset, to the best of our knowledge. We characterize the on-chain behavior of NFTs and their trading across five major marketplaces. We find that, although the NFT ecosystem is growing rapidly, it is driven by a relatively small set of dominant centralized players, with suspicious trade activities, e.g., over 23% of the monetary volume is generated by malicious wash trading and the ecosystem has experienced over 157K cases of NFT arbitrage, with a total sum of over \25M profit. Our observations motivate the need for more research efforts in the NFT security analysis.

Dabao Wang,Hang Feng,Siwei Wu,Yajin Zhou,Lei Wu,Xingliang Yuan

DOI: https://doi.org/10.1145/3545948.3545963

2022-01-01

Abstract:The prosperity of decentralized finance motivates many investors to profit via trading their crypto assets on decentralized applications (DApps for short) of the Ethereum ecosystem. Apart from Ether (the native cryptocurrency of Ethereum), many ERC20 (a widely used token standard on Ethereum) tokens obtain vast market value in the ecosystem. Specifically, the approval mechanism is used to delegate the privilege of spending users’ tokens to DApps. By doing so, the DApps can transfer these tokens to arbitrary receivers on behalf of the users. To increase the usability, unlimited approval is commonly adopted by DApps to reduce the required interaction between them and their users. However, as shown in existing security incidents, this mechanism can be abused to steal users’ tokens. In this paper, we present the first systematic study to quantify the risk of unlimited approval of ERC20 tokens on Ethereum. Specifically, by evaluating existing transactions up to 31st July 2021, we find that unlimited approval is prevalent (60%, 15.2M/25.4M) in the ecosystem, and 22% of users have a high risk of their approved tokens for stealing. After that, we investigate the security issues that are involved in interacting with the UIs of 22 representative DApps and 9 famous wallets to prepare the approval transactions. The result reveals the worrisome fact that all DApps request unlimited approval from the front-end users and only 10% (3/31) of UIs provide explanatory information for the approval mechanism. Meanwhile, only 16% (5/31) of UIs allow users to modify their approval amounts. Finally, we take a further step to characterize the user behavior into five modes and formalize the good practice, i.e., on-demand approval and timely spending, towards securely spending approved tokens. However, the evaluation result suggests that only 0.2% of users follow the good practice to mitigate the risk. Our study sheds light on the risk of unlimited approval and provides suggestions to secure the approval mechanism of the ERC20 tokens on Ethereum.

Haaroon Yousaf

DOI: https://doi.org/10.48550/arXiv.2203.14684

2022-03-28

Abstract:This thesis presents techniques to investigate transactions in uncharted cryptocurrencies and services. Cryptocurrencies are used to securely send payments online. Payments via the first cryptocurrency, Bitcoin, use pseudonymous addresses that have limited privacy and anonymity guarantees. Research has shown that this pseudonymity can be broken, allowing users to be tracked using clustering and tagging heuristics. Such tracking allows crimes to be investigated. If a user has coins stolen, investigators can track addresses to identify the destination of the coins. This, combined with an explosion in the popularity of blockchain, has led to a vast increase in new coins and services. These offer new features ranging from coins focused on increased anonymity to scams shrouded as smart contracts. In this study, we investigated the extent to which transaction privacy has improved and whether users can still be tracked in these new ecosystems. We began by analysing the privacy-focused coin Zcash, a Bitcoin-forked cryptocurrency, that is considered to have strong anonymity properties due to its background in cryptographic research. We revealed that the user anonymity set can be considerably reduced using heuristics based on usage patterns. Next, we analysed cross-chain transactions collected from the exchange ShapeShift, revealing that users can be tracked as they move across different ledgers. Finally, we present a measurement study on the smart-contract pyramid scheme Forsage, a scam that cycled $267 million USD (of Ethereum) within its first year, showing that at least 88% of the participants in the scheme suffered a loss. The significance of this study is the revelation that users can be tracked in newer cryptocurrencies and services by using our new heuristics, which informs those conducting investigations and developing these technologies.

Cryptography and Security

Arianna Trozze,Toby Davies,Bennett Kleinberg

2023-05-27

Abstract:Fraud across the decentralized finance (DeFi) ecosystem is growing, with victims losing billions to DeFi scams every year. However, there is a disconnect between the reported value of these scams and associated legal prosecutions. We use open-source investigative tools to (1) investigate potential frauds involving Ethereum tokens using on-chain data and token smart contract analysis, and (2) investigate the ways proceeds from these scams were subsequently laundered. The analysis enabled us to (1) uncover transaction-based evidence of several rug pull and pump-and-dump schemes, and (2) identify their perpetrators' money laundering tactics and cash-out methods. The rug pulls were less sophisticated than anticipated, money laundering techniques were also rudimentary and many funds ended up at centralized exchanges. This study demonstrates how open-source investigative tools can extract transaction-based evidence that could be used in a court of law to prosecute DeFi frauds. Additionally, we investigate how these funds are subsequently laundered.

Cryptography and Security

Jingjing Yang,Jieli Liu,Dan Lin,Jiajing Wu,Baoying Huang,Quanzhong Li,Zibin Zheng

DOI: https://doi.org/10.1109/tifs.2024.3463541

IF: 7.231

2024-10-11

IEEE Transactions on Information Forensics and Security

Abstract:With the popularity of Non-Fungible Tokens (NFTs), the high value of NFTs makes them a target for phishing scammers, which harms the security and reliability of the Web3 NFT ecosystem. Despite the significance of this issue, there is a lack of systematic research in the area of emerging NFT phishing scams. To address this gap, we are the first to conduct a case retrospective analysis and empirical measurement study of real-world historical NFT phishing scams on Ethereum. We collect and publicly release the first NFT phishing dataset which includes 1,625 NFT phishing accounts and transaction records as of August 2023. We further categorize the existing scams into four phishing patterns and investigate their distinguishable behaviors. Then, we reveal the modus operandi preferences and economic impacts to characterize NFT phishing scams. We find that NFT phishers stole 67,188 NFTs, with a total direct selling profit of 20.92 million. We also observe that scammers favor certain categories and collections of NFTs, coupled with signs of gang theft. Furthermore, we design a variety of account features for the classification task of NFT phishers based on empirical conclusions. Experimental results on real-world NFT transaction data demonstrate the effectiveness of these features in detecting NFT phishing accounts, and outperform traditional phishing detection methods with 41% average Precision and 44% average Recall.

computer science, theory & methods,engineering, electrical & electronic

Jiajing Wu,Dan Lin,Qishuang Fu,Shuo Yang,Ting Chen,Zibin Zheng,Bowen Song

DOI: https://doi.org/10.1109/tifs.2023.3346276

IF: 7.231

2023-01-01

IEEE Transactions on Information Forensics and Security

Abstract:With the overall momentum of the blockchain industry, financial crimes related to blockchain crypto-assets are becoming increasingly prevalent. After committing a crime, the main goal of cybercriminals is to obfuscate the source of the illicit funds in order to convert them into cash and get away with it. Many studies have analyzed money laundering (ML) in the field of the traditional financial sector. However, in terms of the emerging blockchain crypto-asset ecosystem, there is currently only one public anti-money laundering (AML) dataset for Bitcoin– the Elliptic dataset, whose binary labels (licit vs. illicit transactions) cannot cover the ML behaviors in the evergrowing crypto-asset market. To fill this gap, in this paper, we propose a framework named XBlockFlow which identifies ML addresses starting from Ethereum heist incidents and obtains the first detailed Ethereum ML dataset named $\textit {EthereumHeist}$ , and then conducts a comprehensive feature and evolution analysis on the $\textit {EthereumHeist}$ dataset according to the three main phases of ML. We first search for the source cybercriminal accounts including exchange hackers, DeFi exploiters, and scammers. Then, employing the idea of taint analysis, we track the diverse downstream transactions and addresses layer by layer. At the end of tracking, we identify and categorize service providers, and go a step further to investigate advanced ML methods that do not exist in the Bitcoin scenario, e.g. token swap and counterfeit token creation. Based on the ML identification results, we obtain many interesting findings about crypto-asset money laundering, observing the escalating money laundering methods such as creating counterfeit tokens and masquerading as speculators.

Vahidin Jeleskovic

2024-03-06

Abstract:This article presents an empirical investigation into the determinants of total revenue generated by counterfeit tokens on Uniswap. It offers a detailed overview of the counterfeit token fraud process, along with a systematic summary of characteristics associated with such fraudulent activities observed in Uniswap. The study primarily examines the relationship between revenue from counterfeit token scams and their defining characteristics, and analyzes the influence of market economic factors such as return on market capitalization and price return on Ethereum. Key findings include a significant increase in overall transactions of counterfeit tokens on their first day of fraud, and a rise in upfront fraud costs leading to corresponding increases in revenue. Furthermore, a negative correlation is identified between the total revenue of counterfeit tokens and the volatility of Ethereum market capitalization return, while price return volatility on Ethereum is found to have a positive impact on counterfeit token revenue, albeit requiring further investigation for a comprehensive understanding. Additionally, the number of subscribers for the real token correlates positively with the realized volume of scam tokens, indicating that a larger community following the legitimate token may inadvertently contribute to the visibility and success of counterfeit tokens. Conversely, the number of Telegram subscribers exhibits a negative impact on the realized volume of scam tokens, suggesting that a higher level of scrutiny or awareness within Telegram communities may act as a deterrent to fraudulent activities. Finally, the timing of when the scam token is introduced on the Ethereum blockchain may have a negative impact on its success. Notably, the cumulative amount scammed by only 42 counterfeit tokens amounted to almost 11214 Ether.

Trading and Market Microstructure,Econometrics

R. Phillips,H. Wilder

DOI: https://doi.org/10.48550/arXiv.2005.14440

2020-05-29

Cryptography and Security

Abstract:Over the past few years, there has been a growth in activity, public knowledge, and awareness of cryptocurrencies and related blockchain technology. As the industry has grown, there has also been an increase in scams looking to steal unsuspecting individuals cryptocurrency. Many of the scams operate on visually similar but seemingly unconnected websites, advertised by malicious social media accounts, which either attempt an advance-fee scam or operate as phishing websites. This paper analyses public online and blockchain-based data to provide a deeper understanding of these cryptocurrency scams. The clustering technique DBSCAN is applied to the content of scam websites to discover a typology of advance-fee and phishing scams. It is found that the same entities are running multiple instances of similar scams, revealed by their online infrastructure and blockchain activity. The entities also manufacture public blockchain activity to create the appearance that their scams are genuine. Through source and destination of funds analysis, it is observed that victims usually send funds from fiat-accepting exchanges. The entities running these scams cash-out or launder their proceeds using a variety of avenues including exchanges, gambling sites, and mixers.

Guoyi Ye,Geng Hong,Yuan Zhang,Min Yang

DOI: https://doi.org/10.1145/3589334.3645348

2024-01-01

Abstract:Cryptocurrencies, while revolutionary, have become a magnet for malicious actors. With numerous reports underscoring cyberattacks and scams in this domain, our paper takes the lead in characterizing visual scams associated with cryptocurrency wallets---a fundamental component of Web3. Specifically, scammers capitalize on the omission of vital wallet interface details, such as token symbols, wallet addresses, and smart contract function names, to mislead users, potentially resulting in unintended financial losses. Analyzing Ethereum blockchain transactions from July 2022 to June 2023, we uncovered a total of 24,901,115 visual scam incidents, which include 3,585,493 counterfeit token attacks, 21,281,749 zero-transfer attacks, and 33,873 function name attacks, orchestrated by 6,768 distinct attackers. Shockingly, over 28,414 victims fell prey to these scams, with losses surpassing 27 million USD. This alarming data underscores the pressing need for robust protective measures. By profiling the typical victims and attackers, we are able to propose mitigation strategies informed by our findings.

Bingyu Gao,Haoyu Wang,Pengcheng Xia,Siwei Wu,Yajin Zhou,Xiapu Luo,Graeth Tyson

DOI: https://doi.org/10.48550/arXiv.2011.02673

2020-11-05

Abstract:The production of counterfeit money has a long history. It refers to the creation of imitation currency that is produced without the legal sanction of government. With the growth of the cryptocurrency ecosystem, there is expanding evidence that counterfeit cryptocurrency has also appeared. In this paper, we empirically explore the presence of counterfeit cryptocurrencies on Ethereum and measure their impact. By analyzing over 190K ERC-20 tokens (or cryptocurrencies) on Ethereum, we have identified 2, 117 counterfeit tokens that target 94 of the 100 most popular cryptocurrencies. We perform an end-to-end characterization of the counterfeit token ecosystem, including their popularity, creators and holders, fraudulent behaviors and advertising channels. Through this, we have identified two types of scams related to counterfeit tokens and devised techniques to identify such scams. We observe that over 7,104 victims were deceived in these scams, and the overall financial loss sums to a minimum of $ 17 million (74,271.7 ETH). Our findings demonstrate the urgency to identify counterfeit cryptocurrencies and mitigate this threat.

Cryptography and Security

Mehrnoosh Mirtaheri,Sami Abu-El-Haija,Fred Morstatter,Greg Ver Steeg,Aram Galstyan

DOI: https://doi.org/10.48550/arXiv.1902.03110

2019-12-18

Abstract:Interest surrounding cryptocurrencies, digital or virtual currencies that are used as a medium for financial transactions, has grown tremendously in recent years. The anonymity surrounding these currencies makes investors particularly susceptible to fraud---such as "pump and dump" scams---where the goal is to artificially inflate the perceived worth of a currency, luring victims into investing before the fraudsters can sell their holdings. Because of the speed and relative anonymity offered by social platforms such as Twitter and Telegram, social media has become a preferred platform for scammers who wish to spread false hype about the cryptocurrency they are trying to pump. In this work we propose and evaluate a computational approach that can automatically identify pump and dump scams as they unfold by combining information across social media platforms. We also develop a multi-modal approach for predicting whether a particular pump attempt will succeed or not. Finally, we analyze the prevalence of bots in cryptocurrency related tweets, and observe a significant increase in bot activity during the pump attempts.

Social and Information Networks,Machine Learning

Massimo La Morgia,Alessandro Mei,Francesco Sassi,Julinda Stefa

DOI: https://doi.org/10.1109/ICCCN49398.2020.9209660

2024-09-02

Abstract:In the last years, cryptocurrencies are increasingly popular. Even people who are not experts have started to invest in these securities and nowadays cryptocurrency exchanges process transactions for over 100 billion US dollars per month. However, many cryptocurrencies have low liquidity and therefore they are highly prone to market manipulation schemes. In this paper, we perform an in-depth analysis of pump and dump schemes organized by communities over the Internet. We observe how these communities are organized and how they carry out the fraud. Then, we report on two case studies related to pump and dump groups. Lastly, we introduce an approach to detect the fraud in real time that outperforms the current state of the art, so to help investors stay out of the market when a pump and dump scheme is in action.

Computers and Society,Cryptography and Security,Machine Learning,Statistical Finance

Iman Vakilinia

DOI: https://doi.org/10.1109/UEMCON54665.2022.9965686

2022-06-16

Abstract:This paper investigates the cryptocurrency giveaway scam with the YouTube live stream carried out on 5/15/2022 and 5/16/2022. In this scam scheme, the scammer plays a recorded video of a famous person in a YouTube live stream annotated with a cryptocurrency giveaway announcement. In the annotated announcement, the victims are directed to the scammer's webpage. The scammer's webpage is designed intelligently to deceive victims such that they believe the legitimacy of the giveaway. The scammer claims that whatever donation the victim sends to a cryptocurrency wallet address, the giveaway scheme will double the donated amount and immediately send it back to the victim. By analyzing the scammers' wallet addresses, it can be seen that scammers could steal a significant amount of money in a short time. After analyzing the attackers' techniques, tactics, and procedures, this paper discusses the countermeasures that can be applied to mitigate such a fraudulent activity in the future.

Cryptography and Security

Zhen Cheng,Xinrui Hou,Runhuai Li,Yajin Zhou,Xiapu Luo,Jinku Li,Kui Ren

DOI: https://doi.org/10.48550/arxiv.1904.01981

2019-01-01

Abstract:We performed the first systematic study of a new attack on Ethereum that steals cryptocurrencies. The attack is due to the unprotected JSON-RPC endpoints existed in Ethereum nodes that could be exploited by attackers to transfer the Ether and ERC20 tokens to attackers-controlled accounts. This study aims to shed light on the attack, including malicious behaviors and profits of attackers. Specifically, we first designed and implemented a honeypot that could capture real attacks in the wild. We then deployed the honeypot and reported results of the collected data in a period of six months. In total, our system captured more than 308 million requests from 1; 072 distinct IP addresses. We further grouped attackers into 36 groups with 59 distinct Ethereum accounts. Among them, attackers of 34 groups were stealing the Ether, while other 2 groups were targeting ERC20 tokens. The further behavior analysis showed that attackers were following a three-steps pattern to steal the Ether. Moreover, we observed an interesting type of transaction called zero gas transaction, which has been leveraged by attackers to steal ERC20 tokens. At last, we estimated the overall profits of attackers. To engage the whole community, the dataset of captured attacks is released on https://github.com/zjuicsr/ethhoney.

Kai Li,Darren Lee,Shixuan Guan

2023-08-11

Abstract:This paper presents a comprehensive analysis of the cryptocurrency free giveaway scam disseminated in a new distribution channel, Twitter lists. To collect and detect the scam in this channel, unlike existing scam detection systems that rely on manual effort, this paper develops a fully automated scam detection system, \textit{GiveawayScamHunter}, to continuously collect lists from Twitter and utilize a Nature-Language-Processing (NLP) model to automatically detect the free giveaway scam and extract the scam cryptocurrency address. By running \textit{GiveawayScamHunter} from June 2022 to June 2023, we detected 95,111 free giveaway scam lists on Twitter that were created by thousands of Twitter accounts. Through analyzing the list creator accounts, our work reveals that scammers have combined different strategies to spread the scam, including compromising popular accounts and creating spam accounts on Twitter. Our analysis result shows that 43.9\% of spam accounts still remain active as of this writing. Furthermore, we collected 327 free giveaway domains and 121 new scam cryptocurrency addresses. By tracking the transactions of the scam cryptocurrency addresses, this work uncovers that over 365 victims have been attacked by the scam, resulting in an estimated financial loss of 872K USD. Overall, this work sheds light on the tactics, scale, and impact of free giveaway scams disseminated on Twitter lists, emphasizing the urgent need for effective detection and prevention mechanisms to protect social media users from such fraudulent activity.

Cryptography and Security,Social and Information Networks