In a recent incident, DeFi Llama, a popular data service in the world of decentralized finance (DeFi), fell prey to a spoofing link. The company has issued a warning against using top links from Google due to the detection of malicious activity.
In more detail, DeFi Llama alerted users against using Google to search for Llama Swap, its native decentralized exchange (DEX). The search yielded a sponsored advertising site as the top result, which remained live for over two hours. This site is not the native DEX on DeFi Llama and instead contains malicious links. Despite the company reporting the site to Google, it remained active for a significant period.
It’s essential to note that DeFi Llama Swap’s contracts have not been compromised, nor is there any additional risk to users. The service aims to be a zero-fee platform, seeking the most efficient route among multiple aggregators. It’s primarily targeting Ethereum and L2 tokens and isn’t compatible with Solana wallets. DeFi Llama itself is a passive data service that doesn’t require a wallet connection.
One might wonder how dangerous a malicious link could be. Thankfully, some wallets have internal checks that warn users about discrepancies and prevent transactions or permissions. However, using sponsored content on Google is an old trick to serve fake links and attempt to drain wallets. This type of attack also seems to increase, especially during crypto bull runs, when enthusiasm for crypto is high.
The spoof site for DeFi Llama Swap was an exact replica of the original, barring the URL. Although flagged for suspicious activity, it contained no malware. The risk arises when a user voluntarily connects a wallet and attempts a swap.
In response to the recent event, DeFi Llama advises users to reach the URL from its main data service page and ensure it is the same tab and connection. Similar search results pose a risk for other DEXs and services. Unofficial links requiring a wallet connection could potentially send out transactions and drain wallets. However, as long as users do not sign approvals or issue transactions, the link itself is not dangerous.
On the broader scale of crypto scams, phishing link scams are becoming increasingly sophisticated and accelerating in pace. Despite forming a relatively minor part of overall crypto losses, they are among the most damaging as they target personal holdings and wealth. Based on CertiK’s reporting, scams and project attacks increased in October, with over 46 events. Phishing scams alone accounted for around $20M in losses in October.
These scams often occur during NFT and meme token booms, where multiple crypto events may require a wallet connection. Hackers exploit moments of lowered attention and masquerade behind legitimate services or spoofed links. On social media, malicious links are often disguised as promises for fund recovery, frequently attempting to ask for a wallet’s private keys.
Recent on-chain data shows up to 493 ETH stolen in September, the highest level for 14 weeks in a row. More than 90% of phishing scam victims are users of the Ethereum network, with most wallet attacks being phishing, and under 10% linked to poisoned addresses.
In conclusion, while the world of DeFi offers numerous opportunities, it’s crucial for users to exercise caution and diligence to guard against potential scams and attacks. It’s always safer to connect to services through official channels and avoid sharing sensitive information like private keys.