This article is jointly published by X-explore and WuBlockchain.
Hundreds of ERC20 tokens are created daily, but more than 15% are fake tokens (we define fake tokens that are created quickly in a short period of time, attract ordinary users to buy them and end their entire life cycle). Based on our on-chain analysis, the daily profit from the fake tokens can reach 22.4 ETH.
This article will be digging into the fake token industry, revealing the process of how the black groups are making a profit, and analyzing the 2022 fake token trend. In the end, our teams study the evolution of the escalation of the black groups as a revelation and warning of the black industry and raise vigilance with Web3 users.
Hundreds of ERC20 tokens are created per day, including:
Valuable Token: These Tokens are included in CoinMarketCap and CoinGecko after a more rigorous audit. Later, they will also be listed on centralized exchanges.
Test Token: There are many contract creators who are learning to write contracts or are testing contract deployments.
Advertising Token: Some platforms, such as gambling platforms, will distribute URLs as Token names to users on the chain. It serves as an advertising effect.
Fake Token: we define fake tokens that are created quickly in a short period of time, attract ordinary users to buy them and end their entire life cycle.
Because there are so many users who love to purchase new tokens and follow the whales, the fake token groups will work towards this to create the illusion. For instance, using multiple alternate accounts to repeatedly trade with the pool to drive up the price; or getting some kind of relation with a certain project to mislead uninformed users; or defining fake events within the contract to create the illusion that major exchanges, Vitalik, Sun Yuchen and other whale addresses are buying fake tokens.
We have analyzed the complete life cycle of a fake token, summarizing and classifying it in terms of the methods of attracting user funds, the exploited methods, and the flow of funds.
（*EOA: Externally Owned Accounts；*CA: Contact Account）
The detailed process is shown below：
Fake token group transfers some of the funds to a new EOA account for the subsequent gas fee and the creation of liquid assets
Apply the EOA account to complete the process of creating of fake CA, while giving some of the designated users mint fake tokens, the contract may also be hidden in the fake token and often has features, such as honeypot token, fake airdrop
Fake token group uses EOA to create a liquidity pool of fake tokens and other valuable tokens (usually WETH) in Uniswap to make the fake tokens valuable
Fake token group uses a number of techniques to attract user funds (describe the following)
Fake token group uses the harvesting of funds to complete the profit (describe the following)
The fake token group launders the illicit funds to a mixer or exchange, or the funds flow into the next round of the new fake tokens (describe the following)
Point 4 (methods of attracting user funds), point 5 (exploited methods) and point 6 (flow of funds) are highlighted and described as the following:
1.1 Inflating the Coin Pirce
The fake token group will create a great trend of continuously high coin prices by brushing up the volume, thus attracting uninformed users.
Taking the Layer token in the above chart as an example, by analyzing the number of transactions and amount of all users who purchased tokens, we can see that most of the transaction contributions came from user 0xaecf2954a6c49e99e570dfaaa857c53e17a88027 , who purchased tokens 38 times (60% of the total number of transactions) and the amount reached 41 ETH (90.1% of the total transaction amount).
From the source of funds, the fake token creator's source of funds is token with wash-trading users 0xaecf2954a6c49e99e570dfaaa857c53e17a88027; From the destination of funds, the wash trading users laundered 41 ETH and the remaining 9 ETH directly transferred to the fake token creator. There is no doubt that the address and the fake token creator belong to the same identity, and the rising token price is the group's manipulation.
1.2 Following the Hot Topics
The fake token groups will issue the associated fake project tokens based on the recent online hot topics so as to increase the credibility of the fake token or accident faking a project, even to the point of exaggeration that you only need to look at the name of the fake token issued every day to understand the current popular news. According to our statistics, there have been no less than 66 fake tokens related to FIFA in recent months.
1.3 Fake Transfer
The fake token groups will transfer money to a large number of giant whale addresses through fake events. Such transfers will not really transfer tokens to users, but will just record the Logs of the transfer in the blockchain browser, without actually completing the operation of the token transfer. In this way, to deceive some users who follow the giant whale, as well as try to make the fake token credible again.
For example, this transaction is typical of a fake airdrop. The fake token groups faked tokens with the same name as the project owner LayerZero and faked the illusion of Stargate Finance contract deployers giving airdrops to 500 on-chain giant whales in the transaction logs. The airdropped giant whales included the addresses of exchanges such as Binance, Kucoin, FTX, etc., which would make on-chain users believe that these exchanges were about to shelve these tokens.
From the parameters submitted for this transaction, it can be seen that both the sender and the receiver are arbitrarily designated by the group as the two sides of the transaction, and can construct fake transaction events at any time to mislead the transaction decisions of the on-chain users and the on-chain monitor.
In the token contract airdrop() function, we learn that the function just loops and records 500 transfer events, and there is no actual token transfer at all.
However, the normal transfer logic would be to reduce the sender's balance -> increase the receiver's balance -> Transfer logs the event.
When the fake token group has attracted user funds into the pool, they will obstruct the user funds from leaving the market in various ways, including quick exploits so that users cannot sell in time, or defining the logic of "no re-trade after users purchase" in the contract, or 100% token fee, or being blacklisted after purchase and so on. What's more outrageous is that the token creator monitors the user who bought the token, and then actively calls the contract to burn the token in the balance. After that, it is time to exploit the money in the pool.
2.1 Removing Liquidity
The creator of a fake token can add liquidity (create a transaction pair, pay two tokens to the pool) and remove liquidity on Uniswap at any time without any audit or permission, which directly leads to the creator being able to add liquidity to any token, including fake tokens. The creator also has the right to withdraw the pool liquidity to get back all the two tokens, so many fake coins will remove liquidity as owner when the value of the tokens in the transaction pair is highest, thus getting all the tokens in the pool and completing the exploit of the user's money.
2.2 Crashing Pool
The fake token creators hold the highest authority over the fake token and can mint a large number of fake tokens at any time, or use a large number of fake tokens issued when creating the contract to instantly empty the fake pool of all the other valuable tokens. Unlike the removal of liquidity, there will be a large number of fake tokens and very few other tokens in the pool at this time, and the authority of the creators will ensure that they can exploit normal users repeatedly in the future.
The mixing of money flow techniques will make it difficult for others to trace, and can largely prevent others from noticing and making a fortune for themselves.
3.1 Direct Transfer
Direct eth transfer is the crudest way, the initial way of the group's money flow, and represents the most rudimentary but most convenient technical method for the group to begin with.
3.2 Transfer via 1inch
At this stage, the group uses 1inch's swap function to replace the WETH earned from counterfeiting with ETH and send it directly to another new address. By hiding the flow of funds in a swap interaction with 1inch, this transaction is less traceable.
3.3 Transfer via Uniswap
The group integrates the money flow into the normal swap (the group uses addresses holding large amounts of fake coins, goes to the trading pair pool to smash them, and directs the profitable WETH out to the new address for the next fake coin dispatch), thus hiding the transactions of large amounts of WETH in the etherscan transaction list. The transaction list in the upstream address can only see the large number of fake coins flowing into Uniswap, which is harder to track this way.
We came up with the list of the most credible fake coins based on on-chain behavior and found that the percentage of fake coins issued daily is around 15%.
From the proportion of fake coins among new coins on the ETH chain in recent months, we can see that the number of new coins and fake coins created daily has been on the rise in the past six months, reaching a peak level around October 24, 2022, with 757 new tokens added in a single day, 130 of which were fake coins; after November, the number of new coins and fake coins per day gradually stabilized, with around 300 new tokens added in a single day After November, the number of new tokens and counterfeit coins gradually stabilized, with around 300 new tokens and 31 counterfeit coins in a single day.
We calculated the loss of users who bought coins (the same as the daily profit of the fake token group), as shown in the chart, users lost money all for the profit of the fake token group. The average daily gain of the fake token groups on the chain for the past 8 months is 22.4 ETH.
The percentage of the number of fake tokens issued at each address shows that most of the fake creation is done with the new addresses, and after making a profit, the funds flow to the next address to start the next round of exploited behavior of issuing fake tokens.
The average cost of each fake pool is 3.4 ETH, with an average of 31 fake tokens born per day, and an average profit of 0.72 ETH per fake token. Most fake tokens will exploit users on the same day.
The ratio of MEV to normal user transactions among fake token buyers is 1:9, with an average of 0.79 transactions initiated per fake token transaction to the pool MEV bot and 6.8 transactions initiated by normal users. (MEV bots are bots that arbitrage normal on-chain transactions by changing the order of transactions in the block).
In terms of profitability MEV have a much higher probability of making a profit than normal users. MEVs who buy fake tokens are almost 100% able to make a profit, while most normal user users will lose money (75%). The small number of normal users who can make money is because the buying and selling operation is very fast, and the fake tokens are sold before the fake token gang has time to harvest them.
From the number of times normal users bought fake tokens, we can see that most of them only bought fake tokens a few times and then stopped. 69.9% of users bought fake tokens 1-2 times, and 13.4% of users bought fake tokens 3-5 times. The users should have become careful after being exploited, and the rest of them are rushing new token users who used to or are now taking pleasure in gaining revenue by Meme.
An example from a Meme's transaction history, we can see that the user had a lot of Meme transactions before May 2022 and made a great profit (Most of the profits are around 10 times, for example, this user 2 ETH profits from JPG pool).
When the market turned to bear, the fake tokens started rising up. The user topped up 5 tokens and 4 of them are fake, but the user can still get the original funds back in one transaction (Profit: 1.1 ETH, Loss: 0.13 ETH). A few months later, the user once again did not resist the temptation, after thinking the user found a high-quality token, like other duped users invested a lot of ETH, only a minute after the fake token group exploited funds.
The most common way to create fake tokens is to execute add_Liquidity() in Uniswap v2 to create a pair of fake token with WETH and add liquidity, and then delete the liquidity by executing remove_Liquidity() to complete the user funds exploit.
Take the example of creator 0xF6F2E5E9EFa7582deD9a4ebb2ffc333a59C30d4D, first creating the token contract, then creating a Uniswap v2 transaction pair with the just created token and 20 ETH.
The following is the transaction record of one of the alt accounts in the fake token group. Faker used the alternate account to swap and control the price to attract users to enter. We could see that these transactions are all washing transactions with ETH to buy fake tokens.
The creator monitored the real users who buy tokens, then called the submit() function within the token burn off the user's token balance to prevent them from arbitrage away from the market. Finally, the creator removed the liquidity and transferred all the funds obtained from the pool (this part of the funds includes: the principal of the pool creation + the alt account wash trading input + the loss of real token buying users)
A more concealed crashing pool happened when exploited. Fakers would swap WETH and fake token out of the pool via alt accounts.
Such as trading pair Unisawap V2: OASYS2, fake token groups crash into the pool to gain 60 WTH via alt accounts with lots of fake tokens.
When creating a transaction pair, the add_Liquidity() function is not directly called, but this step is coded in the fake token contract constructor. When the fake token is created, the transaction pair is automatically created.
For example, the token BIYC calls the factory contract of Uniswap v2 to create a trading pair when created.
Token pairs are no longer limited to fake coins and WETH, but valuable tokens can replace WETH to have arbitrage.
The following transaction is a token pair formed by a fake token and USDC.
While Uniswap v2 is more popular, fake tokens can also expand to Uniswap v3 and other Dexes that do not require vetting, and currently fake tokens are created through v2's factory contracts.