Monthly report attached - August 2023


Thanks for your continuous support!

Bad sites detected and shared with vendors for removal: 46 😵

Fake twitters


UrlScan IoCs
Balancer


Sync up meeting with Danko / Dubstard 

Discussed the general workflow with Danko over a conference call and got added to the Balancer Maxi repo on GitHub.
Came to a mutual agreement that the following extra data will start to be accumulated as data streams in the maxi repo, in addition to the usual monthly reports.


I am not sure of the format; I plan to use plain text or JSON, whichever is preferred for easier pipeline integration.
I also have a system which I use, called "IceCream", where I put the new stuff (Cacao) detected versus the old array (Vanilla). I can upload those too, as I have them.

I use this system with a few regular expressions to remove duplicates from huge JSON arrays (50K+ lines) without manual checks, as manual checks are like looking for a needle in a haystack with this much data.
Sorry about the dumb name, I made it up as a "temporary" thing and then stuck with it.

So no matter how many scams I find, I stack them, filter duplicates and only then push to pull requests with the IceCream system. Otherwise CI/CD in MetaMask's GH complains and manual work is needed, which is suboptimal.



Balancer boosted pools exploit

My role in controlling the damage was limited to:



How it started


How it's going


Search Balancer (1673 hits in 30 files of 31 searched)

Search "(balancеr|balqncer|balancer|balahcer|bqlancer|baIancer|balencer|baiencer|balancer-fi|balancer-fl|baiancer-fi|balencer-fi|balancer\.fi|balancer-fl|ba[l1][ae]ncer|b[ao]l[ae]ncer|b[aq]lancer|fi-balancer|app-balancer|bal-drop|airdropbal|balancerairdrop|[a-zA-Z]*balancer[a-zA-Z]*|[a-zA-Z]*bqlancer-[a-zA-Z]|[a-zA-Z]*balancer[a-zA-Z]*|a-zA-Z]*balancerfi[a-zA-Z]*|a-zA-Z]*bal-[a-zA-Z]*|[a-zA-Z]*baiancer[a-zA-Z]*)" (1902 hits in 31 files of 31 searched)


As "balancer" is a common word and "Load Balancer" is often registered and present in subdomains alike, there is a lot to filter through, but the real number of scams is fairly low: ~2.7%, 46 from almost 1700. Still higher than usual, presumably due to the exploit.



Sneak peek into my abuse inbox


Metamask, airdrop, walletconnect, etc:


Search "walletconnect" (14 hits in 9 files of 31 searched)
Search "trustwallet" (36 hits in 18 files of 31 searched)
Search "sushiswap" (73 hits in 26 files of 31 searched)
Search "pancakeswap" (262 hits in 31 files of 31 searched)
Search "metamask" (482 hits in 31 files of 31 searched)
Search "elonmusk" (416 hits in 31 files of 31 searched)
Search "coinbase" (2044 hits in 31 files of 31 searched)
Search "binance" (2565 hits in 31 files of 31 searched)
Search "airdrop" (403 hits in 31 files of 31 searched)




Total potential bad hits for the month ~42K

Search "(usdc|claim|coinbase|colnbase|c0inbase|c0lnbase|cornbase|coirbase|balancer|balahcer|bqlancer|baIancer|[a-zA-Z]*1inch[a-zA-Z]*|[a-zA-Z]*1inch-[a-zA-Z]|[a-zA-Z]*oneinch[a-zA-Z]*|a-zA-Z]*1-inch[a-zA-Z]*|a-zA-Z]*1-inch[a-zA-Z]*|[a-zA-Z]*1inch[a-zA-Z]*|[a-zA-Z]*pancakesw[a-zA-Z]*|[a-zA-Z]*pancakesv[a-zA-Z]*|[a-zA-Z]*pancokesv[a-zA-Z]*|[a-zA-Z]*pancokesw[a-zA-Z]*|[a-zA-Z]*pancakosw[a-zA-Z]*|[a-zA-Z]*pancakkesw[a-zA-Z]*|[a-zA-Z]*pancake5[a-zA-Z]*|[a-zA-Z]*uniswap[a-zA-Z]*|[a-zA-Z]*uniswap-[a-zA-Z]|[a-zA-Z]*unisvap[a-zA-Z]*|a-zA-Z]*unisvap[a-zA-Z]*|a-zA-Z]*uni-[a-zA-Z]*|[a-zA-Z]*unisvv[a-zA-Z]*|unlswap"|[a-zA-Z]*uniswap[a-zA-Z]*|[a-zA-Z]*uniswap-[a-zA-Z]|[a-zA-Z]*unisvap[a-zA-Z]*|a-zA-Z]*unisvap[a-zA-Z]*|a-zA-Z]*uni-[a-zA-Z]*|[a-zA-Z]*pancakesw[a-zA-Z]*|[a-zA-Z]*pancakesv[a-zA-Z]*|[a-zA-Z]*pancokesv[a-zA-Z]*|[a-zA-Z]*pancokesw[a-zA-Z]*|[a-zA-Z]*pancakosw[a-zA-Z]*|[a-zA-Z]*pancakkesw[a-zA-Z]*|[a-zA-Z]*uniswap[a-zA-Z]*|[a-zA-Z]*uniswap-[a-zA-Z]|[a-zA-Z]*unisvap[a-zA-Z]*|dapp|wallets|wallect|synchr|rectify|unlock|walet|1inch|airdrop|ethereum|walet|wallet|coinbase|uniswap|pancakeswap|liquidity|vvallet|metamask|metamaks|metemask|metamaks|paraswap|exchange|liquidity|kraken|bitso|dapp|sushiswap|sushlswap|sushisvv|opensea|polygon|walletconnect|waletconect|waiietconnect)" (42811 hits in 30 files of 31 searched)


Multiple offenders exposed and banned in Discord

Responsible moderator: dubstard after: 2023-08-01  before: 2023-08-31 in: 👮︲moderation  = 144

144 offenders banned manually:

As Cosme, Danko, Gerg, Gleb, the rest of the mods and I are in somewhat different timezones (I am in EEST), we sort of "cover" for each other: while one is asleep, another continues to monitor and swing the ban hammer, alongside the bots that autoban many offenders!
Also, the new bot is doing a lot of automated cleaning up now!


Warnings issued in Discord


Various fake Balancer copycats
balancer.lat balancerfi.online


Fake twitter profiles
https://twitter.com/BaIencar https://twitter.com/BaIancers



balancerf.site balancerr.shop balancer.my.id register-balancer.com



balancer.world defibalancerdao.com balancers.finance balancerglobal.org balancerd.xyz cryptobalancer.info balancerglobal.org



Fake BAL compensation scams
revoke-balancer.finance compensate-balancer.com compensate-balancer.finance compensate-balancerfi.com



Fake BAL compensation scam
withdraw-balancerfi.com


Fake BAL compensation scam
balancer.claims








Key for DeBank

Still plenty of Computing Units available - 978K





Fake apps in the Google Play Store taken down - just 2 this month

Mobile trojans that could steal your assets as well if a malicious actor takes control over a mobile device.

And one fake Chrome Extension


25 GH pull requests (PF, dot and metamask anti-phish repos) in August 2023

ℹ Note that each PR blocks many scam URLs, so the total number of blocked sites is significantly larger than the number of PRs.



MetaMask/eth-phishing-detect: Block 53 scams [blocklist request] (#13412 by dubstard, merged 2 hours ago, Approved)
MetaMask/eth-phishing-detect: Block 15 scams (#13405 by dubstard, merged yesterday, Approved)
MetaMask/eth-phishing-detect: Block 120 scams (#13401 by dubstard, merged yesterday, Approved)
MetaMask/eth-phishing-detect: block scams (#13399 by dubstard, closed 2 days ago, Review required)
MetaMask/eth-phishing-detect: Block 134 scams (#13372 by dubstard, merged 3 days ago, Approved)
MetaMask/eth-phishing-detect: Block 263 scams (#13346 by dubstard, merged last week, Approved)
MetaMask/eth-phishing-detect: Block 47 scams (#13330 by dubstard, merged last week, Approved)
MetaMask/eth-phishing-detect: Block 85 scams (#13325 by dubstard, merged 2 weeks ago, Approved)
MetaMask/eth-phishing-detect: Block 672 scams [blocklist request] (#13317 by dubstard, merged 2 weeks ago, Approved)
MetaMask/eth-phishing-detect: Block 123 scams (#13304 by dubstard, merged 2 weeks ago, Approved)
dubstard/phishfort-lists: Dubstard patch 1 (#1 by dubstard, closed 2 weeks ago)
MetaMask/eth-phishing-detect: Block 191 scams [blocklist request] (#13290 by dubstard, merged 2 weeks ago, Approved)
MetaMask/eth-phishing-detect: Block 194 scams (#13286 by dubstard, closed 2 weeks ago, Review required)
MetaMask/eth-phishing-detect: Block 93 scams (#13273 by dubstard, merged 2 weeks ago, Approved)
MetaMask/eth-phishing-detect: Block 92 scams (#13268 by dubstard, merged 3 weeks ago, Approved)
MetaMask/eth-phishing-detect: Block 139 scams (#13262 by dubstard, closed 3 weeks ago, Review required)
MetaMask/eth-phishing-detect: Block 195 scams (#13252 by dubstard, merged 3 weeks ago, Approved)
MetaMask/eth-phishing-detect: Block 66 scams (#13236 by dubstard, merged 3 weeks ago, Approved)
MetaMask/eth-phishing-detect: Block 46 scams (#13220 by dubstard, merged 3 weeks ago, Approved)
MetaMask/eth-phishing-detect: Block 9 scams (#13211 by dubstard, merged last month, Approved)
MetaMask/eth-phishing-detect: Block 182 scams (#13206 by dubstard, merged last month, Approved)
MetaMask/eth-phishing-detect: Block 100 scams (#13191 by dubstard, merged last month, Approved)




https://github.com/dubstard

As scammers tend to be very active during weekends, so am I.
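
The de-duplication step described earlier for the "IceCream" workflow (new "Cacao" findings checked against the existing "Vanilla" array before a pull request is opened), shown as an added example that is not the author's own tooling. It assumes both lists are JSON arrays of URLs or hostnames and that the blocklist consumer also covers subdomains of a listed domain; the function names and sample data are constructed for illustration.

```python
import json
import re
from urllib.parse import urlsplit

# Hypothetical helper names; not taken from the author's IceCream tooling.
HOST_RE = re.compile(r"[a-z0-9-]+(\.[a-z0-9-]+)+")


def normalize(entry):
    """Reduce a URL or hostname to a lowercase ASCII (punycode) hostname."""
    entry = entry.strip().lower()
    if "://" not in entry:
        entry = "//" + entry  # make urlsplit treat a bare host as the netloc
    try:
        host = (urlsplit(entry).hostname or "").rstrip(".")
        host = host.encode("idna").decode("ascii")
    except (ValueError, UnicodeError):
        return ""
    return host if HOST_RE.fullmatch(host) else ""


def covered(host, known):
    """True if host, or a parent domain with 2+ labels, is already known.

    Assumption: the blocklist consumer also blocks subdomains of an entry.
    """
    labels = host.split(".")
    return any(".".join(labels[i:]) in known for i in range(len(labels) - 1))


def new_entries(vanilla, cacao):
    """Return normalized Cacao hosts not already covered by Vanilla, in order."""
    known = {h for h in map(normalize, vanilla) if h}
    fresh = []
    for host in map(normalize, cacao):
        if host and not covered(host, known):
            known.add(host)  # also removes duplicates inside Cacao itself
            fresh.append(host)
    return fresh


# Constructed sample input: registered domains are ones listed in this report,
# the "app." subdomain and the unparsable entry are made up.
VANILLA = json.loads('["balancer.lat", "compensate-balancer.com"]')
CACAO = json.loads("""[
  "https://Balancer.lat/claim", "balancerfi.online", "BALANCERFI.ONLINE.",
  "app.compensate-balancer.com", "http://balancer.claims/", "not a host"
]""")

if __name__ == "__main__":
    print(json.dumps(new_entries(VANILLA, CACAO), indent=2))
```

Normalizing before comparing is what lets case variants, trailing dots, full URLs and Unicode/punycode spellings of the same host collapse into one entry, which plain string or regex matching on the raw array would miss.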