A day of jubilation among developers. September 15, 2022 entered the history books as the completion of a technological revolution called “The Merge”: while still running, the Ethereum blockchain, on which an entire web3 ecosystem is based, abandoned energy-intensive software in favor of a more eco-responsible protocol.
Such a moment of joy for a large crypto community is nonetheless an episode of confusion. As clear as the new rules of Ethereum 2.0 are, it takes a long time for the information to percolate and for the wider public to become aware of it, amid sometimes disconcerting media noise.
Crooks and other cybercriminals thrive on such periods of confusion and try to profit from them, literally, especially since the new Ethereum update has completely changed the role of its network operators.
The Merge, a boon for criminals
The Merge excluded miners, who had to juggle both software and hardware components (their graphics processors to solve cryptographic equations). In their place, control now falls to the validators, who only have to stake, i.e. bet, their cryptocurrencies in this high-tech lottery. By locking their ethers (ETH), the native tokens of Ethereum, into the protocol, they are in a way betting to win the chance to propose the next block in the chain… and the associated rewards.
Financing the security of the second public blockchain on the planet in this way represents a boon for criminals. Some had already taken the opportunity to sell fake “ETH2” tokens (the name originally used for the new version of ETH) in exchange for (old) ETH. “There are no other legitimate tokens introduced by The Merge. The ETH you owned before the merger is the same today,” recalls the Ethereum.org platform.
Another fraudulent recipe: some present themselves as technicians from a “support” service and offer to help configure your client software, using the opportunity to steal access to wallets or trying to force the signing of illicit transactions. Do we still need to specify that there is no after-sales service or technical team working officially for the “Ethereum company”? Note, however, that variants of tokens supposed to represent staked ethers are circulating on certain platforms, such as Coinbase, which uses precisely… ETH2. We told you there was some confusion.
Scams also “upgraded”
Other vectors for cyberattacks include good old email phishing and social media airdrops, with the Ethereum update providing new ammunition for scammers. Some of these attempts show a certain sophistication.
While anyone can run an Ethereum node, which keeps a copy of the entire history of validated transactions, since The Merge only privileged actors can run a node that validates and produces new blocks. This role requires at least 32 ETH ($48,000), which is frankly not within reach of every budget.
Some users have therefore joined “staking pools”, service providers that pool the cryptocurrencies of their users to act as validators on Ethereum. There is no shortage of scandals in decentralized finance (DeFi) where such pools offered fabulous returns to attract customers before disappearing into thin air.
As with fraudulent mining pools, what is likely to happen is that returns decline for no apparent reason, as an incentive to invest more, until the unexpected moment when all the funds are sent to an unknown address and the pool no longer appears on any web page. The Merge could paradoxically “industrialize” this kind of financial trap.
Case(s) to follow…
Small security reminder to protect your data and crypto-currencies
A few basic precautionary principles help mitigate the risks that the crypto jungle may harbor:
- Strong passwords: it is better to avoid “MyCryptoAccount” and other simplistic combinations, which remain vulnerable to certain hacking techniques such as the dictionary attack. Good practice: passwords as long as the form allows, with a mix of letters, numbers, symbols, etc., and that differ from service to service. Not to mention two-factor authentication.
- Filter browser add-ons: it is advisable to limit yourself to extensions from known and trusted sources, to uninstall unusual ones and to be wary of automatic updates. “By default, most browser extensions request access to ‘read and modify site data’, allowing them to do almost anything with your data,” recalls Ethereum.org.
- Learn about how crypto ecosystems work: yes, it is better to do your homework in this area. It’s so obvious that most users get scammed for lack of understanding.
- NEVER share your private keys: you should never reveal the only means of access to your crypto address if you do not want to have your digital assets siphoned off. There are physical solutions to secure your private keys offline.
- Verify the recipient before confirming a transaction: avoid a careless error on a blockchain on which the transaction remains irreversible (unless you know the owner of the address).
- Capping expenses on a smart contract: it is recommended to set a limit equal to the amount necessary for the transaction, in order to avoid seeing the contract empty your wallet.
- Stay skeptical by default: it is not a question of sinking into paranoia, but of being aware of the techniques used by scammers. “No one is going to give you ETH for free,” says Ethereum.org.
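
The “verify the recipient” and “capping expenses” reminders above can be checked mechanically on the transaction data a wallet asks you to sign. The following is an added example, not code from this article or from Ethereum.org; it assumes the spending limit is an ERC-20 allowance set with `approve`, and the helper names, addresses and amounts are constructed for illustration.

```python
# Added example: pre-signing check of ERC-20 calldata (all sample values are constructed).
APPROVE = bytes.fromhex("095ea7b3")   # selector of approve(address,uint256)
TRANSFER = bytes.fromhex("a9059cbb")  # selector of transfer(address,uint256)
UNLIMITED = 2**256 - 1                # the "infinite approval" value


def decode_call(calldata_hex):
    """Return (kind, counterparty, amount) for an ERC-20 approve/transfer call."""
    data = bytes.fromhex(calldata_hex.removeprefix("0x"))
    if len(data) != 4 + 32 + 32:
        raise ValueError("unexpected calldata length")
    kind = {APPROVE: "approve", TRANSFER: "transfer"}.get(data[:4])
    if kind is None:
        raise ValueError("not an approve/transfer call")
    if any(data[4:16]):  # an address occupies the low 20 bytes of its 32-byte word
        raise ValueError("malformed address word")
    return kind, "0x" + data[16:36].hex(), int.from_bytes(data[36:68], "big")


def review_call(calldata_hex, expected_address, max_amount):
    """List reasons not to sign; an empty list means both checks passed."""
    kind, address, amount = decode_call(calldata_hex)
    problems = []
    if address != expected_address.lower():
        problems.append(f"{kind} targets {address}, not the expected address")
    if kind == "approve" and amount == UNLIMITED:
        problems.append("unlimited allowance requested")
    elif amount > max_amount:
        problems.append(f"amount {amount} exceeds cap {max_amount}")
    return problems


def build_call(selector, address, amount):
    """Construct sample calldata for the demo (hypothetical helper, not a signer)."""
    word = bytes.fromhex(address.removeprefix("0x")).rjust(32, b"\x00")
    return "0x" + (selector + word + amount.to_bytes(32, "big")).hex()


# Constructed sample values
DAPP = "0x" + "11" * 20   # the contract you intend to authorize
OTHER = "0x" + "22" * 20  # an address you did not expect
NEEDED = 50 * 10**18      # 50 tokens with 18 decimals

if __name__ == "__main__":
    for call in (build_call(APPROVE, DAPP, NEEDED),
                 build_call(APPROVE, DAPP, UNLIMITED),
                 build_call(TRANSFER, OTHER, NEEDED)):
        print(review_call(call, DAPP, NEEDED) or "ok")
```

The address comparison is case-insensitive and does not validate an EIP-55 checksum, so it only confirms that the decoded counterparty is the one you already expected.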