Anatomy of a Proof-of-Stake crypto scam

The hype for Proof-of-Stake cryptocurrencies is running hot. As Ethereum prepares to switch from Proof-of-Work to PoS, investors are looking for ways to hop on the PoS bandwagon early, often throwing caution to the wind and taking on quite a bit of risk. This leaves them vulnerable to scammers, who are also taking advantage of the hype, helping investors part with their money. I recently observed a very PoS-specific scam play out, and wanted to share the story as a cautionary tale.

Mo’ risk, mo’ gains


There are some established players in the PoS space, like PIVX, but the market seems to be more interested in the high-risk options: the new, small, and undervalued coins that have the largest upside potential.

Electra (ECA) and ColossusCoinXT (COLX) are two such coins that are generating a lot of buzz at the moment. Both of them can be found on CoinsMarkets, a small exchange dedicated mostly to staking coins. For the past 5 days, their website has been largely inaccessible as it struggles under the huge influx of would-be investors.

Having seen what happened to RaiBlocks (XRB), investors are keen to find the next coin like it, one that’s only available on smaller and dodgy-looking exchanges, and will skyrocket once it hits an established one like Binance. The potential gains come at the cost of the risk in trusting the current exchanges.

CoinsMarkets landing page
The CoinsMarkets landing page, with the now ever-present CloudFlare warning at the top, indicating that the website is actually down, and you’re viewing a cached copy of the page.

The amount of trust CoinsMarkets demands of the investors is quite significant. Their outgoing e-mails are currently being rejected by the big e-mail providers like Google, Yahoo, and Microsoft, and you’ll need a mailbox with weaker filtering (e.g. one that was provided by your ISP, or one you host yourself) just to sign up. And then, if you’re lucky enough to get a response from the actual website instead of CloudFlare, you will be entrusting them with a deposit of cryptocurrency, which you then hope to be able to exchange for one of these new coins, with the additional hope that you’ll be able to withdraw them at a later point.

That said, I don’t believe that either CoinsMarkets or coins like ECA and COLX are actually scams. I’m simply using them to illustrate the level of risk that people are currently willing to take on. And whenever dishonest people see a market so tolerant of risk, they know there is money to be made/stolen. And in the last few days, I observed a coin called DIVVY use a uniquely PoS-specific way to run a scam.

What is Staking


Before we dive in, let’s go over a very simplified and generic primer on how staking works. In a PoS system, instead of mining new currency by writing transactions into the ledger, you would “stake” your existing currency by keeping a wallet containing that currency online for extended periods of time. Your wallet would connect to other staking wallets, and together you’d verify the legitimacy of new transactions. The coins that you stake are used as collateral to keep you honest. If your wallet turns out to be running a modified algorithm and verifying fraudulent transactions, you would lose some or all of the amount you staked. So the larger the amount you stake, the more you have to lose by being dishonest, and thus the more trustworthy you are.

In return for your staking efforts, you would receive interest on the coins you staked. This interest comes from transaction fees that others have paid to have their transaction verified. The amount is a percentage of your staked amount, so this would generally only generate worthwhile profit to those holding really large amounts of the coin. If your wallet is big enough, you can even become a “masternode”, one of the select few wallets on the network that are officially endorsed, and whose addresses are the first ones clients try to connect to, to then get the addresses for the rest of the node network.

Masternodes are generally rewarded with additional payments/interest, and can be quite profitable to run. This is balanced out by the extremely high entry cost for becoming a masternode, especially for an established currency. For example, to become a PIVX masternode you would need a wallet with 10,000 PIVX, which is currently worth around USD 135,000. A more viable way to become a masternode would be by being an early adopter of a new currency, either mining lots of coins while the rewards are high and difficulty is low, or by buying lots of coins while they’re still cheap.

The Altcoin Announcements Board


Before new coins are shilled on 4chan’s /biz/ or discussed in /r/ethtrader’s daily altcoin discussion, they are introduced to the world on bitcointalk.org’s Announcements (Altcoins) board.

Screenshot of thread titles
A sample of the board’s threads on a random day.

When a new coin is announced, a new thread is posted on the board, and the first people to see it get to be the first to start mining it, or the first to volunteer to translate it in exchange for a bounty of coins. It’s the primordial soup of cryptocurrency, governed by survival of the fastest.

This leads us to the announcement thread for DIVVY, excerpted below:

[ANN] DIVVY - PoW/PoS | Masternode | Skein | Dividend System Coming Soon

Name: Divvy
Ticker: DVY
PoW Algo: Skein
Block time: 60 seconds
Total POW: 50,000 Blocks
Masternode: Required 5000 DVY
Port: 11445
RPC Port: 11446

Diff Retarget: 5 Blocks ( DGW in future )
Maturity: 30 Blocks

Stake Minimum Age: 24 Hours
Premine: 1% of total coins for 3 years (will be used for bountys, exchanges and other stuff)
*We’re moving premine 20K DVY for stacking . This funds will use for exchange

This lays out the specifications of the currency: it will be Proof-of-Work for the first 50,000 blocks using the Skein algorithm, then becoming Proof-of-Stake, with 5,000 coins required to be a masternode, and 24 hours of keeping the wallet online required to stake the coins in it. The developers have pre-mined the first 20,000 coins, which they’ll use to pay for exchange listings.

These specifications are simply changes to the hard-coded configuration parameters in the DIVVY source code, which is extended (forked) from an existing project that offers the kind of hybrid PoW/PoS system they want to use. In this case, it appears to come from Novacoin, a fork of PeerCoin, which was an early implementation of PoS forked from Bitcoin.

It’s not unusual to see coins doing this; Dogecoin, for example, was a fork of a Litecoin fork. But a lot of the time the new currency is expected to add some new useful paradigm into the mix. In the case of DIVVY, it appears to be “dividends”, hinted at by its name and a tagline that says “The New Generation Dividend System” on their promotional website.

DIVVY Website screenshot
And what a nice-looking website it is.

The Red Flags


So far, things are looking good, and checking a lot of boxes that people are looking for: there’s a pretty logo, there’s source code, there’s a wallet and block explorer, there’s staking and masternodes, there are mentions of speed via “InstantSend”, privacy via “Darksend”, an upcoming “airdrop”, and there’s a schtick: dividends. In other words, it’s very “shillable”.

Anonymouse
“Only mousetraps have free cheese”, according to an old Russian proverb.

But it all falls apart when you take a closer look. Most of the links on the website don’t do anything. There are spelling and grammar errors throughout. There is no white paper. There is no explanation of how the coin will work, just empty catchphrases. The source code lacks a proper development history. There is no information about the people involved whatsoever. There are no social media accounts. But for bitcointalk.org forum users, where the fastest are rewarded, there’s no time to check any of that.

This was the part that was most fascinating for me. Within minutes, posts appeared on the thread announcing that mining pools had been set up for DIVVY, and people were already mining and troubleshooting each other’s issues. The next few days were a flurry of activity: the initial PoW blocks were mined; the developers deployed a masternode, then changed their mind about the pre-mine amount, causing a bit of furore; an unofficial Discord channel with 100+ members was set up; alternate block explorers were made; shared masternodes were being negotiated... The amount of infrastructure to support the coin that was put up without any input from the dev was incredible.

The Scam


The masternodes are the uniquely PoS-specific part of this scam. When the DIVVY developers changed the pre-mine amount, granting themselves 20,000 coins, explaining it as “this funds will use for exchange [sic]”, this drastically increased the mining difficulty, making it impractical for anyone else to quickly mine the 5,000 coins required to run a masternode. The remaining option was to buy the coins from the devs.

Screenshot of the forum post
…and the devs were keen to sell

If the post above is to be believed, the devs got 7.5 BTC (USD 115,000+) out of the sale. Not a bad return for getting a logo designed, putting up a website from a pre-built template (some keen observers in the thread noticed a “smart home” section on the website, leftover from the template they were using), running a search-and-replace script over a codebase, and tweaking a few lines of configuration code.

There were a few dissenting voices in the thread, pointing out that it may be a scam, but they were drowned in a sea of people who wanted to believe that this was the ship that they boarded early enough to take them to the moon.

Argument on scam or not
Cynicism clashing with blind optimism in the thread.

The devs have gone awfully quiet since the masternode sale, with a single post in the past week, promising upcoming exchange listings. But the infrastructure that had sprung up around the coin appears to still be running. The network is alive, and there are staking nodes, the mining pools seem to work, and the Discord channel is fairly active, despite not having any of the devs (which could well just be a singular dev for all we know) in it.

If there was anything particularly unique and redeeming about the code, the community could well continue the project without the devs. But since all the project currently offers is a name, a logo, and some parameters, I don’t see it happening. But who knows, maybe the devs will come back to prove me wrong and build a legitimate product.

The Lesson


The clear lesson here is to always apply due diligence. Do not let the sparkle of potential profits in the distance blind you to the glaring issues right under your nose.

A bit of quick research led me to NUMUS, another PoW/PoS hybrid that uses Skein. A comparison of its codebase to DIVVY’s shows minimal differences besides replacing “divvy” with “numus” throughout. It’s slightly more established, having a few exchange listings (including CoinsMarkets, which I discussed earlier), and it’s hard to tell if it’s simply an earlier iteration of the same scam by the same people, or if the scammers behind DIVVY simply built off of NUMUS’s work. Looking back at the likely early origin of the code, NovaCoin, also reveals something interesting:

Scam warning
This is the 3rd post in NovaCoin’s announcement thread.

It’s hard to tell how deep this goes. I'm pretty sure I've only seen a tiny glimpse of the bigger picture. There are many more creative methods of scamming listed in this warning thread. Hard to say how many scam coins have taken advantage of CoinsMarkets’ low barriers for entry to get listed there. Or how many of the PoS coins on the MasterNodes list are there only to prey on people caught up in the staking hype. It’s hard to even definitively call them scams, since their existence and value aren’t irrevocably tied to their developers. It’s also hard to do your own research, but that seems to be the only way to avoid being taken advantage of in this wild unregulated market.
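The codebase comparison described above (DIVVY against NUMUS) can be repeated for any pair of coins by neutralizing the coin names first and diffing what is left. The following Python is an added example, not code from the original post or from either project; the two source trees, the coin names `parentcoin` and `shinycoin`, their tickers and all parameter values are constructed for illustration.

```python
import difflib
import re

def normalize(text, names):
    """Replace every case variant of a coin's name or ticker with one token."""
    pattern = "|".join(re.escape(n) for n in sorted(names, key=len, reverse=True))
    return re.sub(pattern, "COIN", text, flags=re.IGNORECASE)

def compare_forks(tree_a, names_a, tree_b, names_b):
    """Map normalized path -> (similarity 0..1, lines that still differ)."""
    a = {normalize(p, names_a): normalize(s, names_a) for p, s in tree_a.items()}
    b = {normalize(p, names_b): normalize(s, names_b) for p, s in tree_b.items()}
    report = {}
    for path in sorted(a.keys() & b.keys()):
        la, lb = a[path].splitlines(), b[path].splitlines()
        ratio = difflib.SequenceMatcher(None, la, lb).ratio()
        # Keep only removed/added lines; drop ndiff's "? " hint lines.
        residual = [d for d in difflib.ndiff(la, lb) if d[:2] in ("- ", "+ ")]
        report[path] = (ratio, residual)
    return report

# Constructed sample trees (path -> source text). Both coins, their tickers
# and every parameter value are hypothetical, not taken from a real project.
PARENT = {
    "src/parentcoind.cpp": "// ParentCoin daemon\nint main() { return StartParentcoin(); }\n",
    "src/params.h": (
        "static const int P2P_PORT = 7001;\n"
        "static const int STAKE_MIN_AGE_HOURS = 8;\n"
        "static const int COINBASE_MATURITY = 50;\n"
        'static const char* TICKER = "PRC";\n'
    ),
}
FORK = {
    "src/shinycoind.cpp": "// ShinyCoin daemon\nint main() { return StartShinycoin(); }\n",
    "src/params.h": (
        "static const int P2P_PORT = 7101;\n"
        "static const int STAKE_MIN_AGE_HOURS = 24;\n"
        "static const int COINBASE_MATURITY = 50;\n"
        'static const char* TICKER = "SHY";\n'
    ),
}

def run_sample():
    return compare_forks(PARENT, ["parentcoin", "PRC"], FORK, ["shinycoin", "SHY"])

if __name__ == "__main__":
    for path, (ratio, residual) in run_sample().items():
        print(f"{path}: {ratio:.0%} identical after renaming")
        for line in residual:
            print("   ", line)
```

When nearly every file scores 100% and the residual lines are only ports, maturity and stake-age constants, the "new" coin is a rename plus a parameter tweak. Short tickers can over-match inside unrelated identifiers, so review the residual rather than relying on the percentage alone.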


It is not news that the crypto market is highly unregulated and as such has no entry and exit barriers. That being said, we need to extensively carry out checks before investing. Thanks to the Steemit platform, I get lots of reviews and many thanks for explaining proof of stake.

The old axiom of "something is worth what people are willing to pay for it" I have no problem with.
The concept of "it's worth something because we say it is" is something else altogether.