Taking A Closer Look at Roe Finance Exploit
A price manipulation attack at Roe Finance allowed a hacker to profit by $80,000.
When bumping into the topic of hackers and scammers, we tend to picture the stereotypical masked figure in a black hoodie hiding in the shadows, facing a red or green screen with thousands of lines of code, and hands typing faster than light. Surely, you’ve seen those characters in your typical movie and TV hacking scenes.
But the average hacker or scammer usually isn’t like that. They’re everyday people who could pass as your neighbours or the friendly person who smiled at you the other day.
Recently, we met with an ex-scammer whom we’ll call Sam (obviously not his real name). At first glance, he looks like a young, decent guy who you wouldn’t think of being the ringleader of a citywide Ethereum-based Ponzi scheme that siphoned thousands of dollars from unsuspecting people.
In an effort to make amends for his involvement in a scam that deliberately harmed investors, he has agreed to share his experience so that investors can be aware of these types of exploits and better prepared to avoid them.
Hi, thanks for having me here. I’m Sam. I led an almost nationwide scam back in 2019 together with a team of 6. We introduced an already popular crypto Ponzi scheme called ******, to the Ethereum network. We marketed it as a fast-growing and high-profit investment with two ways of generating returns: Ether capital gains (something you could already do without joining the scheme) and getting other people to buy into the scheme. Essentially, it was a pyramid scheme disguised as an MLM scheme (multi-level-marketing).
We got a lot of people to sign up from five different cities. We also managed to get some users from other countries. Our team used all types of social media tools to pull people into the scheme: social media accounts including a Discord channel to close transactions, chatbots, and people dedicated to closing a deal to onboard individuals. We even tried to break into influencer marketing to grow the scheme more rapidly. Fortunately, the influencers we contacted either ignored us or were smart enough not to bite our bait.
Of course, our success in growing the scheme got the project noticed not only by those we were trying to onboard but also by those that could see it for what it was. Towards the end, the scheme got so big that it was flagged up by a government financial regulator who issued a warning about the scam and everyone involved. As a team, we were mostly amateurs, including myself. Eventually, one by one, members of the team started to get worried about being caught and started to leave, before the situation and consequences got even worse. I was one of the last ones to go. And now, I wish I was one of the first.
I was in charge of communication and our social media channels. At first, our initial targets were people who understood the Ponzi nature of the scheme and that they were getting in early and therefore had a good chance of exiting and making lots of money. Thereafter the network effect took over and all these people were incentivised to onboard others. Exponential growth appears to progress relatively slowly to start with, but with the growing number of people who were strongly motivated to recruit others, we experienced an unbelievable acceleration in the growth of the scheme. And of course, we did everything possible to maximise this growth, opening up more and more social media channels to widen the base of the Ponzi scheme.
We did our best to answer the questions in the social media channels, but when I say did our best, I mean we did our best to obscure what was going on and encourage the community to onboard new users. Showing users that they could make a lot of money fast by onboarding new users was usually all we needed to do in order to get people to cash in, and then we set them up on a call to guide them through the process. Once that was done, the money went into the accounts and progressed up the Ponzi chain to those that joined first. We didn’t completely leave new users on their own. We had post-sales service and got them to join in a mini-community. And that was about it. Providing a big monetary incentive with simple instructions and actions that individuals felt they could achieve. And they were hooked.
Oh, it affects everyone involved. Mainly the victims, but it can affect the scammers too — depending on how much of a conscience they have, and how much money they are making. I have seen first-hand how money can warp your values and sense of right and wrong. Unlike a blackhat hack where an individual steals crypto, this type of Ponzi scheme is bad because it incentivizes the whole community to behave in a selfish and self-serving way at the expense of others. This type of scheme is a sickness to society and a contagious one at that. It’s also hard to heal from, even after you’ve stopped, because of the realization of how many people have been badly affected, or infected, so to speak.
As a scammer, it affects you mentally. As I said, it screws up your value system. Right from the start, I knew it was wrong, but those who invited me presented it as a no-risk offer with a huge upside. They flattered me by telling me how good I was at closing deals, and they told me how much money I could make if I joined them. At first, it was sort of an adrenaline rush, a Wolf of Wall Street kind of thing. Heck, it was easy money paid for by a few chats here and there. And of course, one thing led to another, and before long I was part of the team masterminding a huge scam. I think when people say the “wrong side of the law”, it sounds like a very binary choice, which in some sense of course it is, but what I want to say is that my journey started off with a choice that didn’t seem that unreasonable to me at the time — introducing a few people to a risky project in a risky industry where some people get lucky and some don’t. Others had their opportunity to get rich, and life’s not fair. This was my chance. That was what I told myself anyway.
But, anyway, the most affected individuals are not the scammers, it’s the victims. They are the ones who are affected most, those whose hard-earned money got swiped away from their hands.
It was really only towards the very end of the project that I realized just how out of hand the whole thing had become, and how many people were being badly affected. It is something I’ll take with me and that I have to deal with. Of course, now I want to make up for the wrong that I’ve done, but obviously that’s too late for those that were directly impacted. The guilt and shame are hard to face up to.
Being here and sharing my story with you and disclosing how to avoid exploits is one way that hopefully I can do some good.
To a bystander, hacking and exploitation incidents appear to be just unfortunate events where money was lost. In truth, they are more than that.
Circumstance. The seriousness and scale of the situation we got ourselves into changed my mind. The nature of the scheme, where we were encouraging others to grow the scam, meant that it got out of control.
As for me, it was when public authorities started to take notice and warn about the project that I got scared of the consequences of what we had done. It opened my eyes. True, not everyone would react like this. But, it certainly had an effect on me.
I repaid losses to those people that I knew and had onboarded. The nature of the flow of payments in the scheme and the scale of the losses meant that I wasn’t able to do a great deal financially to make good those that had lost money.
It really depends on where the hackers and scammers are based as well as the specifics of what they have done. Laws are different in every country and each government takes a different approach. Authorities and regulators are becoming much more sophisticated, and whilst the blockchain is anonymous, it is transparent as transactions can be followed.
At the end of the day, whether individuals are hacking wallets or exchanges or robbing a bank, the end result is the same. The same is true of a Ponzi scheme whether it is on or off-chain. As to the consequences, I am not an expert, but I imagine that for those that get caught the penalties or sentences would be much the same as for a traditional crime. Hiding behind an impersonal computer screen might make hackers feel more distant from the crime and their victims, but when they are caught I don’t think legal systems treat hackers any differently than other criminals.
Yes, absolutely. Many scams, hacks, and exploits use similar tactics and elements. In general, they all use the same tools to manipulate people — using psychology and people’s insecurities, vulnerabilities, and of course, greed — who wouldn’t want to get rich quick?
Social engineering is the most typical way a server gets “hacked” — a dev or mod’s credentials are stolen through screen share, blackmail, and/or identity theft.
Protocols and projects should not only strive to strengthen their cyber security and smart contract security but also promote awareness about scams and help users understand how to improve their own security and protect their digital assets. There’s unbelievable strength in communities.
Hacks and exploits in the crypto and DeFi space are highly prevalent. Almost every week, there’s a hack of some kind that’s stolen millions in digital assets. You can visit our recent weekly reports to learn more about them.
Furthermore, companies reveal surprising information about how easily accessible hacking tools and methods can be. A report by RiskIQ found 27 unique malware types hosted on Discord’s CDN servers. On the other hand, Google search results reveal hundreds of guides and how-tos that help bad actors hack into Discord accounts and servers. It can be as easy and simple as a Google search for “how to hack a discord server”. Also, many open-source projects and repositories found on GitHub help scammers use code and techniques to attack Discord servers, such as this one.
Investors or users should consider joining communities that are focused on digital asset protection and security, such as Neptune Mutual. These types of communities help others avoid getting scammed by consulting each other about any projects or opportunities that they plan to invest in.
As responsible investors, we should do our own research when getting into something new and promising. When we encounter hacks and exploits, we can help out by letting others know about them. If you are sure of your source and of the information, take it to social media and spread the word.
You can also share this article with your friends, community, and people you know to help them avoid the worst exploits in crypto.