Monthly report attached - August 2023

Thanks for your continuous support!

Bad sites detected and shared with vendors for removal: 46 😵

app-balancer.org
app-balancer.xyz
app.apps-balancer.finance
appbalancer.fyi
balanccer.finance
balancer-dashboard.com
balancer-fi.info
balancer.claims
balancer.houseextra.com
balancer.lat
balancer.my.id
balancer.web3-connects.net
balancer.world
balancerapp.finance.augurapp.com
balancercode.newfinancialmarketworld.com
balancerd.xyz
balancerf.site
balancerfi.online
balancerglobal.org
balancerglobal.org
balancerio.com
balancerlab.com
balancerr.shop
balancers.cc
balancers.finance
balancerv2.pro
balaner.exchange
ballanser.fi
belancer.finance
bl0ckbalancer.com
cjh64likbfgta528qhr0.apps-balancer.finance
cjh8arakbfgta52aclf0.apps-balancer.finance
compensate-balancer.com
compensate-balancer.finance
compensate-balancerfi.com
cryptobalancer.info
defibalancerdao.com
dg-balancer.com
dg-balancer.net
dg-balancer.org
register-balancer.com
revoke-balancer.finance
v2-balancer.com
withdraw-balancerfi.com
wwwbalancer.comalancer.capital
wwwbalancer.org

Fake twitters

https://twitter.com/BaIancers
https://twitter.com/BaIencar

UrlScan IoCs
Balancer

https://urlscan.io/search/#hash%3A4190365d98e4a8b7dd238d9a00e90ef10fe61f4ebdd434dc9bdf58bb3b18c145%20AND%20page.domain%3A(NOT%20balancer.fi)

https://urlscan.io/search/#hash%3A3a72e9cdb4410479c260db7d0d38bef02b09f10afe396764e073088201570ad0%20AND%20page.domain%3A(NOT%20balancer.fi)

https://urlscan.io/search/#hash%3Af6fdab9c41d39233683686605861ba73a844534ba76886666d923e0c158fe12c%20AND%20page.domain%3A(NOT%20balancer.fi)

https://urlscan.io/search/#hash%3A8e4700b375a7ee6fef79af6f73cf3466980edaf8d6d514c90f89f280e1a1428c%20AND%20page.domain%3A(NOT%20balancer.fi)

Sync up meeting with Danko / Dubstard

Discussed the general workflow with Danko over a conference call and got added to Balancer Maxi Repo in GitHub.
Came to a mutual agreement the following extra data will start to be accumulated as data streams in the maxi repo as additional data to the usual monthly reports.

All scam URLs detected and reported so far since the anti scam initiative has been running + deltas each month
All scam wallets that we have from various scam airdrops. wallet drainers, phishing scams and so on
All scam Google or iOS impersonator apps that imitate Balancer
Maybe also consider add an array of scam discord IDs of users that were banned (optional)

I am not sure of the format, I plan to use plain text or JSON, whatever is preferred for easier pipeline integration.
I also have a system which I use, called "IceCream" where i put the new stuff (Cacao) detected versus the old array (Vanilla) I can upload those too, as I have them.

I use this system with a few regular expressions to remove duplicate from huge json arrays (50K lines +) without manual checks, as manual checks is like looking for a needle in a hay sack with thus much data.
Sorry about the dumb name, I made it up as a "temporary" thing and then stuck with it.

So no matter how many scams I find, I stack them, filter duplicates and only then push to pull requests with the IceCream system. Otherwise CI/CD in MetaMask's GH complains and manual work is needed, which is sub optimal.

Balancer boosted pools exploit

My role to controlling the damage was limited to:

Detecting scammers in Discord during the attack mitigation period
Detecting scammers in the Balancer forum during the attack - this one was very sneaky as the scammers had cyber squatted a handle named BALANCER in the forum. I believe this was my biggest win as we booted the scammer in 17 minutes, and could had been devastating. We took measures so that the Balancer handle in the forum can no longer be registered, to prevent users from being "Balancer" in the future! So legitimate support directed users to the forum, and in the forum there was a fake "compensation"

Check how can we export Bal discord with Tritium (not very successful here TBH)

Detecting and flagging scam sites during the attack - for example this PR https://github.com/MetaMask/eth-phishing-detect/pull/13356 only has Balancer URLs to make the merge quicker:

Added additional warning that there is No Compensation!

Added additional warning that there is No Compensation website

Proactively searched for fakers on twitter reported and removed their profiles and scam sites

How it started

How its going

Proactively searched for fakers and removed their scam sites

Search Balancer (1673 hits in 30 files of 31 searched)

As balancer is a common word and "Load Balancer" is often registered and present in subdomains alike, there is a lot to filter though, but the real number of scams is fairly low ~ 2.7%, 46 from almost 1700. Still higher than usual, presumably due to the exploit.

Sneak Peek in my abuse inbox

Metamask, airdrop, walletconnect, etc:

Search "walletconnect" (14 hits in 9 files of 31 searched)
Search "trustwallet" (36 hits in 18 files of 31 searched)
Search "sushiswap" (73 hits in 26 files of 31 searched)
Search "pancakeswap" (262 hits in 31 files of 31 searched)
Search "metamask" (482 hits in 31 files of 31 searched)
Search "elonmusk" (416 hits in 31 files of 31 searched)
Search "coinbase" (2044 hits in 31 files of 31 searched)
Search "binance" (2565 hits in 31 files of 31 searched)
Search "airdrop" (403 hits in 31 files of 31 searched)

Total potential bad hits for the month ~42K

Multiple offenders exposed and banned in Discord

Responsible moderator: dubstard after: 2023-08-01 before: 2023-08-31 in: 👮︲moderation = 144

144 offenders banned manually:

As myself and Cosme, Danko, Gerg, Gleb and the rest of the mods are in somewhat different timezones (I am in EEST), we sort of "cover" for each other, while one is asleep, the other continues to monitor and swing the ban hammer, alongside with the bots, that autoban many offenders!
Also the new bot is doing a lot of automated cleaning up now!

Warnings issued Discord

Various fake Balancer copycats
balancer.lat balancerfi.online

Fake twitter profiles
https://twitter.com/BaIencar https://twitter.com/BaIancers

balancerf.site balancerr.shop balancer.my.id register-balancer.com

balancer.world defibalancerdao.com balancers.finance balancerglobal.org balancerd.xyz cryptobalancer.info balancerglobal.org

Fake BAL compensation scams
revoke-balancer.finance compensate-balancer.com compensate-balancer.finance compensate-balancerfi.com

Fake BAL compensation scam
withdraw-balancerfi.com

Fake BAL compensation scam
balancer.claims

app-balancer.xyz app.apps-balancer.finance balancerlab.com bl0ckbalancer.com

balancers.cc balancercode.newfinancialmarketworld.com cjh64likbfgta528qhr0.apps-balancer.finance cjh8arakbfgta52aclf0.apps-balancer.finance

app-balancer.org balancerv2.pro balancer.houseextra.com


 balanccer.finance
 balancer-dashboard.com
 balancer-fi.info

 ballanser.fi
 v2-balancer.com
 wwwbalancer.org
 belancer.finance

 balancerio.com
 balancer.web3-connects.net


 balaner.exchange

 appbalancer.fyi
 wwwbalancer.comalancer.capital

 dg-balancer.com
 dg-balancer.net
 dg-balancer.org


balancerapp.finance.augurapp.com

Key for DeBank

Still plenty of Computing Units available - 978K

Fake apps Google play store taken down - just 2 this month

Mobile trojans that could steal your assets as well if a malicious actors takes control over a Mobile device.

And one fake Chrome Extension

25 GH pull requests (PF, dot and metamask anti-phish repos) in August 2023

ℹNote that each PR blocks many scam URLs, so the total number of blocked sites is significantly larger than the PRs.

https://github.com/dubstard

As scammers tend to be very active during weekends, so am I.