Fake Proposal Scam! 8700+ Accounts Involved

saydie 9 days ago

Great work! Its absurd how those accounts were able to farm 170k points in such a short time.

aslamrer 9 days ago

Good job @pravesh0, amazing 🤩

dantrin 9 days ago

170k points wow! And here I am getting 1 point per day on the free spin 😅. Thank you for this info.

0.17 VYB

pravesh0 9 days ago

LOL

0.00 VYB

claudio83 9 days ago

Nice work! fake accounts will become more numerous if $HIVE increases in value.

@tipu curate

0.00 VYB

livinguktaiwan 9 days ago

I saw that fake proposal a few days ago and it led to nothing when I checked. Surprisingly it had two big supporters. One with over 120k HP, and another with nearly 20K HP, both accounts are familiar to me and are active. I had no idea why they would support a fake proposal other than being careless and ignorant.

The other thing I can't understand is why the scammer is so stupid to create a fake proposal and get on people's radar.

0.28 VYB

5 votes

shmoogleosukami 8 days ago

There is a possibility this could have been a test run to maybe see how viable it is to exploit the points system to get a proposal passed.
But a bit of math would have made it clear it's not viable without 100k or more accounts all farming points like crazy.
and even then the exploit is now public and can be patched and mitigated now so generally it seems at least in our eyes completely pointless.

unless the scammer knows of other methods we have yet to figure out that they can now try exploit to a larger extent? Either way it'll get caught quickly regardless so any attempt to get DHF fund illegitimately will not net you all that much maybe 1 or 2 payouts since they happen hourly. depending on the daily pay it could be a lot or nothing.

0.20 VYB

5 votes

livinguktaiwan 8 days ago

They would never have got funding, and whenever you do things on such a large scale it's bound to trigger alarms.

0.00 VYB

pravesh0 8 days ago

It was a fresh idea, but that was bound to fail. Even Ecency account don't have a lot of HP to delegate so the proposal would have never passed without the support of many big whales.

0.00 VYB

steevc 8 days ago

They were never going to get funded, but maybe they though it was worth a try. They have shown their hand now, so people will be onto them.

meno 8 days ago

Good work mate... you pulled a batman here

0.11 VYB

danzocal 8 days ago

!PIZZA

0.00 VYB

pizzabot 5 days ago

PIZZA!

$PIZZA slices delivered:
@idea-make-rich_(2/5) tipped @pravesh0

hivepakistan 9 days ago

Curious about HivePakistan? Join us on Discord!

Delegate your HP to the Hivepakistan account and earn 90% of curation rewards in liquid hive!

50 HP

100 HP

200 HP

500 HP (Supporter Badge)

1000 HP

Follow our Curation Trail and don't miss voting!

Additional Perks: Delegate To @ pakx For Earning $PAKX Investment Token

Curated by dlmmqb

0.00 VYB

bhr-curation 9 days ago

Great content! Thanks for sharing it on Hive.

We’d love to see you join Block Horse Racing and start winning!
There’s a reward waiting in your wallet to kick off your journey in the BHR-Game multiverse !BHRT .

Let’s enjoy building a healthy movement together on the Hive Blockchain!

0.00 VYB

bot-bdbhueso 9 days ago

Uses: 42/56
!HUESO

0.00 VYB

dlmmqb 9 days ago

GG! 💕

0.24 VYB

bhattg 9 days ago

Thanks bhai , good job

06fdeb9fea8a52eb6fb2d5c297f744a5fe76c1d8793ce6efd58627cdb32cfe6a.0.png

0.00 VYB

pravesh0 9 days ago

Thanks, bhai!

0.00 VYB

bhattg 8 days ago

welcome bhai

_{via Inbox}

mengao 9 days ago

Amazing work!

0.73 VYB

ecency 9 days ago

We have blocked and undelegated those accounts couple days ago. Thanks for hivewatcher and you for doing extra research!

0.48 VYB

7 votes

pravesh0 9 days ago

Perfect! Thanks!

0.00 VYB

indiaunited 9 days ago

This post has been manually curated by @bhattg from Indiaunited community. Join us on our Discord Server.

Do you know that you can earn a passive income by delegating to @indiaunited. We share more than 100 % of the curation rewards with the delegators in the form of IUC tokens. HP delegators and IUC token holders also get upto 20% additional vote weight.

Here are some handy links for delegations: 100HP, 250HP, 500HP, 1000HP.

_{100% of the rewards from this comment goes to the curator for their manual curation efforts. Please encourage the curator @bhattg by upvoting this comment and support the community by voting the posts made by @indiaunited.}.

This post received an extra 19.12% vote for delegating HP / holding IUC tokens.

0.00 VYB

darthsauron 9 days ago

Good to know. Many of us read the proposals but do not know what is real and what is not. We may like the idea, but in today's world sometimes we need help to open our eyes and recognize what is true and what is false. Maybe someone has already thought of this idea, but why not add real-time identification with every registration via a selfie video rather than just a photo? Many platforms already use this, and I think it would help reduce the number of fake profiles. Thank you for sharing 🙏☺️

pravesh0 9 days ago

A selfie video? I would have never been here if that was the case.

Many of us are here because you can stay anonymous and still contribute to this chain. I have friends here whose real names/face I don't even know and not even interested to know. I am more interested in what they do!

0.23 VYB

darthsauron 9 days ago

No, I mean the check should be done upon registration. Not everyone has to see who you are - the platform/system can just check if you are a real user and if you have other accounts, and ext. The video can be temporary, then deleted, or a reverse image search can be used to compare footage from the video to other photos on the platform - introduction post for example. I think that again I'll receive hate because of this idea 😆😅😂

pravesh0 9 days ago

With the advancement of AI and picture/video generation you can fake them too.

But keep those ideas coming haha

0.12 VYB

valued-customer 8 days ago

The video can be temporary, then deleted,

Because some jurisdictions use biometric ID, gaining the biometric data of a person in such jurisdiction enables fraudulently pretending to be that person in other jurisdictions, where financial fraud can be undertaken that will be connected to the ID theft victim, who would have no way of knowing about events ongoing in foreign jurisdictions. Because of such potential fraud I adamantly oppose ever using any biometric data, such as pictures or video of someones face, eyes, fingerprints, and etc, for any purpose on Hive.

Last I heard the biometric data of about half the population of India can be purchased on the darkweb for ~$80K. The incompetence of government and corporate entities to secure data is notorious. Not a day goes by that some new penetration isn't reported. In jurisdictions using biometric ID, people whose biometric data has been acquired by criminals can never, ever change their biometric data, and will be plagued by potential ID theft for the rest of their lives, and nothing can be done about that once their biometric data has been acquired by hostile parties.

Such data used for a temporary purpose might be deleted, or it might be claimed to have been deleted. I am not willing to take the chance that I might be subjected to criminal fraud for the rest of my life for the opportunity to open an account on Hive. I hope the vast majority of people interested in joining Hive aren't either.

0.69 VYB

darthsauron 8 days ago

You are right. Yet it was just an idea. Besides, we live in a world that already has our data. Phones require a fingerprint or a selfie, and we can't know for sure if that data isn't being uploaded somewhere, haha. Everyone has free will and decides for themselves whether to fake or cheat. There is no way to change that. But if we start attacking and blaming platforms or communities, won't we destroy this online world we've created here?

For example, communities demand originality - Hive Watchers and their rules actually teach us something, much like parents. Ecency and other front-ends give us the freedom to vote, promote and get support through automated systems or Google Pay. Most whales have invested time and money to become who they are. All of this just directs us to be better. But it is our free will that leads to mistakes - just as it does in the real world.

We often get hurt by communities, people or platforms and start making excuses or attacking others. This is the world we live in today. Crypto and Hive give us a chance to earn extra income, meet new people and places, and see the thoughts and creativity of others.

Yes, anonymity is a good thing, but why should we be afraid of who we are? We are different now, but sooner or later we will all end up in the same place - bodily, sorry 😆. Unfortunately this stuff will never change because it is part of who we are. The world is changing and so are we - we are adapting, bringing our personalities and problems from everyday life even online, and searching for easy path, always. It is this change that makes us lose faith in people.

Sorry for the long comment - just thought I'd share an opinion. Online worlds and platforms are no different from the real world because we participate in both. And again sorry if I got slightly off topic, haha. We just need to be a bit more positive, the world is already dark enough 😆😂

0.11 VYB

valued-customer 8 days ago

"Phones require a fingerprint or a selfie..."

Mine don't, and if they ever do, I'll not use a phone. I don't use any form of biometric ID, and I won't ever if I can prevent it in any way. I don't use Google anything, particularly not Google Pay. There are no excuses, there are only reasons. If I get scammed, there is no excuse and it's not the scammer's fault. It's my fault because I was vulnerable.

I have learned to avoid being vulnerable by having a great deal of wealth stolen from me. I was the weak link. I am unwilling to allow what I have to be stolen again, so now I do not do things that can enable thieves to take what I have from me.

It's not being negative, it's being responsible. You lock your door when you leave your home, right? It's just common sense.

"We just need to be a bit more positive..."

You may find it difficult to be more positive if you suffer theft of what you value very highly. On the other hand, if you have things you value very highly, you will feel very positive about having them, so not having what you have stolen from you increases how positive you can be. The best way to keep feeling positive is not to have things stolen from you, or to be victimized by criminals, so I hope you consider carefully before putting information out on the internet that can be used by clever thieves to take things from you.

Be well.

0.34 VYB

kachy2022 9 days ago

Thanks for this information, one should be really careful so as not to become a victim of this scammers.

solumviz 9 days ago

Well done and thanks for reporting bro 😄👍.

0.15 VYB

mateodm03 9 days ago

It's amazing that someone has gone to the trouble of programming a bot that sends multiple accounts to earn Ecency Points, claim HP and use it to vote on a proposal haha. Maybe a solution would be to only allow only allow one boost claim per active IP, however, most of us already have dynamic IP's, but I guess that would complicate the issue a bit more.

pravesh0 9 days ago

I was impressed too. That was smartly done. I think Ecency had a similar IP restrictions on creating free accounts.

ahmedhayat 9 days ago

Whoa, sometimes I wonder, the effort they put in wrong doings is nearly equal if they want to do something right. Then why the wrong path, lol.

Anyways, good job pravesh Bhai.

@tipu curate 4

0.18 VYB

tipu 9 days ago

Upvoted 👌 (Mana: 35/75) Liquid rewards.

0.00 VYB

idea-make-rich 9 days ago

Namaste 🙏, nice research bro, your efforts will keep hivers aware of such types of scams. !INDEED !PIZZA

pravesh0 9 days ago

Namaste bhai! Thank you!

0.00 VYB

arcange 9 days ago

Thank you for the mention @pravesh0. I'm glad to read it's helpful and you had fun with it while doing your investigations.

BTW, may I ask you to support the HiveSQL proposal so we can keep it free for the community?
You can do it on Peakd, ecency, Hive.blog or using HiveSigner

Thank you!

0.29 VYB

pravesh0 9 days ago

I thought I was already supporting it through a proxy user(which I set a long time ago). Turns out that didn't work, anyway, supported it now. Thank you, again!

arcange 8 days ago

Thank you for your support, much appreciated! 👍

0.00 VYB

russia-btc 9 days ago

Fraud will increase proportionally to the growth of the cost of #hive

0.28 VYB

cwow2 9 days ago

A little bit crazy to farm that many points, so fast :D

0.23 VYB

inuke 9 days ago

Arey bhai, Bahut gahari Chaan been ki aapne.
And I totally favour your suggested delegation method to more than 40Rep.
Otherwise, such instances will continue to happen.

Waise kitna time laga research par?

0.00 VYB

pravesh0 9 days ago

3-4 ghanta lage, puri SQL hi bhoola betha tha main or itna bda table ko query krne main bhi bhot time lgta hai. Jis table main ye transactions thi usme 1.4 Billion records pde hai. Bhot saara data free data pda hai yahan pr toh. Or ye sirf ek table ki bta rha hu, aise bhot saare alag alag hai.

0.00 VYB

inuke 8 days ago

Bhai, ye sab mein karta nahi aur karne ki sochta bhi nahi. Mera system jawaab de jayega. 😅

0.00 VYB

itsmemic 9 days ago

Wow, 170k points? That’s insane! Thanks for breaking it down so well!

0.00 VYB

pravesh0 8 days ago

That's a conservative estimate, it is likely close to 200k Points

0.00 VYB

steevc 9 days ago

That's an interesting attack. If anything is given away, such as points, then it may be exploited. I do think there should be further requirements to get a delegation. It's pretty easy to build the reputation up a little.

If their plan had worked then they would get a nice chunk of HBD, but the proposal would need a lot more support. Even established projects can struggle to get the votes.

I could create a few hundred accounts for free if I wanted to thanks to my HP. Not that I would use them for evil.

We have to learn from these experiences. As Hive grows we will see more attacks.

0.13 VYB

pravesh0 8 days ago

I do think there should be further requirements to get a delegation.

Me too, but atleast some miniumum rep would eliminate thousands of new accounts created just for this purpose.

Even established projects can struggle to get the votes.

I remember even Ecency having tough time last year to get their proposal renewed. So you are right, it won't be possible this easily.

0.08 VYB

hivewatchers 9 days ago

Hello.
The accounts were created with Hive on Board.
Thank you for finding the remaining ones and breaking down how Eceny Points farming worked.
The report for 25th December was missing so I suppose that I did not get them because of that.

0.07 VYB

15 votes

pravesh0 8 days ago

I have the data involved in this with more info on accounts creation date. I have it in an excel sheet here https://filebin.net/bn1hyysx0ea5denn

The major finding were.... most of the accounts involved were created in Dec 2024 but many hundreds were from before (likely stolen or compromised).

Only December Data ^^

That's like 90% of the accounts involved here.

All the acccounts invovled ^^

But there is a slight problem with some part of the data, the ones which are old accounts. Some of those old accounts have likely transfered Ecency Points to someone whose accounts got compromised in the past. This might introduce some false positives to the early records (before December).

So, I would not blanket blacklist all the accounts created before December.... they are not many anyways. One example of this is the user @olgavita who sends Ecency Points weekly as a contest prize in their community.

0.00 VYB

hivewatchers 8 days ago

Thanks @opravesh0.
I whitelisted olgavita.

It would be great if you to find out which accounts exactly do not fit in that group so there will not be unnecessarily blacklisted.
It is unlikely that this scammer has stolen or compromised any accounts. All he seems to be doing is creating new accounts that exploit HOB vulnerability.

What was most important was to find out which account creation service the scammer used on 25th December if it was not HOB.

9 votes

valued-customer 8 days ago

I am unfamiliar with the process for claiming free accounts and creating them through Hive on Board. When claiming an account token and creating the account a record of the transaction is preserved on the blockchain, is it not? It seems the perpetrator of this attempted scam was well staked enough to claim >8700 accounts, which should narrow down the potential suspects quite a bit.

hivewatchers 8 days ago

Hi.
I had already found the scammer.
The abuser is bgmoha / albro / brook.dev (identity theft)
The vulnerability was the bug with a referral code that was allowed to be endlessly re-used for account creation.

0.11 VYB

11 votes

valued-customer 7 days ago

This is excellent news!

Thanks again.

0.06 VYB

littlebee4 9 days ago

Wow crazy… 😱 so that is what they were doing. 5 days ago my post got over 8000 reblogs and likes. I mentioned it in waves when it happened. I saw several of my friends posts had happening the same at that moment. Those accounts were 2 weeks old, no rep or any voting power. I didn’t understand why they went through all the effort. Now I understand what they were after 🫣
Luckily it was picked up.

pravesh0 8 days ago

Congrats, you were the chosen one xD

I never got that many reblogs in my 3+ years on Hive.

0.10 VYB

littlebee4 8 days ago

Hahaha I rather be not chosen like this. It didn’t do any good to my post, as afterwards it wasn’t seen anymore. 🫣
Have a nice day!

shmoogleosukami 8 days ago

When it comes to account creation there are little to no checks done on creations services that prevent mass bot signups.

It's actually very difficult to do any real meaningful verification without making it considerably annoying for real users. email isn't sufficient, phone numbers are not great either, can't filter IPs. It's tricky, it's better to just make people pay to sign up honestly even if it's insanely cheap, the only trouble is there are few to no places where you can pay in other crypto to sign up to hive. (that I know of)

0.32 VYB

valued-customer 8 days ago

Just a few days ago I checked accounts reported to have been 'onboarded' by Hive on Board. I found one account that appeared to be a sock created to farm Vibes out of the couple dozen I checked that had any account activity at all. It may well have been a cohort of these bots, although I have no recollection of any of the details of the accounts.

There are a lot of substantially staked users that have 10k or more accounts by now. I never bothered to try to find out, but when an account token is claimed and an account created, there must be a record of what account was the source of the account claim, and that should enable attaching the claimed token to the account created because these transactions are recorded on the blockchain. Am I wrong?

0.19 VYB

shmoogleosukami 8 days ago

One way of knowing is checking the account recovery, it's not perfectly accurate since it can be changed but a lot of the time it never is, it by default is set to the owner of the creation token.

I had thought where was a variable in accounts general account data on chain that mentioned the creator but seems there isn't or at least on hive.hub it isn't shown if such a thing does exist.

Not sure if something like this would get added since there isn't a need to know who created an account other than to perhaps find abuse, I mean it's be a nice data point to have for statistical data.

One could parse the blockchain looking for transactions that spend a creation token and tally them up....
On that note actually, you could find the creation date of an account, grab the block and find the create account transaction that is sent when a token is redeemed, it's sent by the account who owns the token.

0.25 VYB

valued-customer 7 days ago

"...find the creation date of an account, grab the block and find the create account transaction that is sent when a token is redeemed, it's sent by the account who owns the token."

This seems a mechanism potential of identifying the scammer that created these accounts, even if the cost of claiming the accounts was somehow gamed or hacked, rather than afforded via the intended stake weighting mechanism. Given the quantity of accounts used in the scam, automating a tool to perform the process would seem recommended. Additionally, this same mechanism would seem potential to resolving the identity of accounts gaining control of accounts whose keys have been phished, or otherwise acquired by hostile actors, such as has been an ongoing issue since the inception of Steem, since the date and time of many such seizures is known and parsing the blockchain data for transactions implementing changes in keys, power downs, and other actions typically undertaken during seizure of accounts would be stored in such archived blockchain data.

I do not have the coding expertise myself to acquire and parse this data, nor to code tools to automate such processes. I am willing to participate in funding such work, however. Is this work you have the capability to perform? If so, can you estimate the cost of performing that work and identifying the criminals involved in these crimes? If not, with appropriate consideration to the fact that the perpetrator of this recent scam apparently possessed nominal stake to fund claiming >7000 accounts in December 2024, can you provide a minumum required stake to claim that many accounts? That would at least enable seeking coders to perform the necessary work that are unlikely to be the scammer themselves, and therefore potentially trustworthy.

I very much appreciate your consideration and substantive comment on this matter.

Edit: upon rereading your response, "the account recovery...by default is set to the owner of the creation token." the account recovery information of each account would inherently be a feature of the account upon creation, that should be included in blockchain data recording the creation of the account.

This would seem to be a sure and certain means of identifying the account responsible for creating the bot army that was used in this scam. Is acquisition and parsing of this data something you have the capability to do? If so the above questions regarding cost of the work would equally apply.

0.19 VYB

shmoogleosukami 7 days ago

with appropriate consideration to the fact that the perpetrator of this recent scam apparently possessed nominal stake to fund claiming >7000 accounts in December 2024, can you provide a minumum required stake to claim that many accounts?

The current minimum stake required to claim a token once every 4-5 days is around 10k HP iirc.
A claim uses about 80% of the RCs on an account that size and takes 4 days to reach 100% again. then claim again.

My account of 23.3k HP a claim uses 27% of my RC so I can claim an account every 1.2~ days recovering 20% rc a day. It'd be safe to say an account of 50k could probably claim 2-3 accounts a day, 100k would be 3-7 a day depending on how the RC costs of the TX are at any given time.

Given enough time you can build a lot of account tokens up, as you can claim then then hold on to them forever until you finally make an account with them.

I currently have 257 such creation tokens myself, Account like OCDB probably have in the 10s of thousands if not more.

Edit: upon rereading your response, "the account recovery...by default is set to the owner of the creation token." the account recovery information of each account would inherently be a feature of the account upon creation, that should be included in blockchain data recording the creation of the account.

I had thought the account recover wouldn't be reliable but of course everything is stored onchain as history so even if they changed their recovery account we can see go back and see what it was previously. finding the first instance would give us the account that redeemed the token.

is this work you have the capability to perform?

I probably do have the skills to create a system to parse the blockchain and create a web of account creations stats but I don't generally do work for other people as I just do stuff as a hobby in my own time. (in other words I don't feel I can reliably get something finished as my interests in project flipflops like crazy)

It seems like an interesting project one I'd probably make for fun along with some other ideas I have kicking about but at the moment I'm currently learning more about RUST as a means to do these projects and know a robust language rather than continuing to use javascript/nodejs or other things that just don't vibe with me too well.

EDIT: regarding account claims it's also worth noting that you could very well lease HP i.e pay for a delegation of HP or better yet just RC as it's probably even cheaper and then claim accounts tokens that way. So you could get like 100B RC for example for like 1-2Hive a week and claim tokens like crazy.
My account has a max of 39.3 trillion RC

0.25 VYB

valued-customer 6 days ago

HW reports that the creator of the accounts has been identified, and used an exploit to create the accounts. However, the recovery account being a feature of accounts created upon creation is a useful thing to remember, and I very much appreciate your sound counsel.

nastyforce 8 days ago

I think they are exploiting the points system. You just need to have the page open and you get 0.250 points every 15 minutes(heartbeat points). You don't even have to be on the page for it to count. I just watched a youtube video and got points for having the page open. @ecency you need to get the heartbeat points to only count when you are on the page or eliminate it all together.

0.00 VYB

incublus 8 days ago

Thanks for this great effort, my friend. You don't really think people can do that until they find a loophole in something, but when they do, they exploit it to the fullest. 55 Reputation would be a better idea. I know a lot of users on Hive reached that level after writing a post that was upvoted by a whale.

0.25 VYB

pravesh0 8 days ago

Yeah, 40 might be too easy nowadays. But what are the chances all of thousands of posts will be upvoted by whales. Plus, if they make posts, they won't have enough RC for more operations that give them Points.

0.05 VYB

incublus 8 days ago

Idk, lots of them getting upvotes from OCD if they are eligible but you are right too. Not everyone is that lucky :)

0.13 VYB

ydaiznfts 8 days ago

As always doing an excellent job, we must put an end to the cheaters who do not play fair

0.00 VYB

manclar 8 days ago

Thanks for the tremendous effort brother, you discovered one of the big traps they make, I hope that measures are taken to prevent this, and that the people of Value Plan and all the others who have a lot of HP are vigilant with these ill-intentioned people who do what What they want is to steal the hive reward pool.

foxkat 8 days ago

That's some great research, it's crazy how creative people get when trying to scam money.

claudy27 4 days ago

👏👏👏🥇