Crypto-Scam.io Project

[tgbv]

I humble say a warm hello to everyone happening to read this post.

The issue
No doubt you've heard of recent advance fee schemes among crypto world: Elon Musk and SpaceX donating bitcoins from Youtube videos. Bill Gates organizing faucets on Twitter. Barack Obama doing so to help fight COVID and many many others. These were all scams organized by hackers who used the public figures of prominent individuals to gain trust. Almost all have trapped hundreds of people, as open ledger explorers proved, into thinking they'll get rich over night by sending some coins to random crypto addresses and receive x2, x5, x10 in return. Unfortunately similar ads and videos are still posted on social media and video distribution networks. Elon Musk scam faucet-campaign hasn't stopped, same as Vitalik's one and even if social media staff manages to take the posts down in mean time, scammers still manage to trap victims into sending funds to fraudulent addresses in exchange of illusory hopes of getting rich.

So what's to be done with it? We know bitcoin helps us all, the senders, remain anonymous in our payments. But that applies to our receivers as well! Can we trust our receivers? Satoshi said "We have proposed a system for electronic transactions without relying on trust." And I guess he meant it in every aspect.

Proposal
We can create a giant open source database containing all abusive addresses. This is what Crypto Scam Project is all about and it's core idea relies on the following sketch:

Let's assume three fictionary men: John Doe, Foo Bar, Baz Bar

 1. John Doe spots a scammy Youtube ad with a fraudulent BTC/ETH/XRM/etc.. address claiming to triple the amount of coins you send to it. He goes to https://crypto-scam.io/report and reports it.
 2. Foo Bar spots the ad as well but doesn't know it's an advance-fee scheme. He proceeds to send funds to the address.
 3. Before executing the order, the wallet software used by Foo Bar queries the database of https://crypto-scam.io to check if the receipt address is fraudulent. Because John Doe already reported it, Crypto Scam signals it, and wallet software halts the transaction initiated by Foo Bar preventing him from falling into the scam.
 4. Alternatively Baz Bar spots the ad as well but he's suspicious about it. He goes to https://crypto-scam.io/search and manually queries the database only to discover the address is fraudulent.

That simple. You spot an abusive address - you report it to this database. You attempt a transaction - the receipt is anonymously checked before execution.

Now you'll probably say: "An abuser can always create a new abusive address. How does this app help us?" It takes time for anyone to merge the new address into an ad, a post, an image, moreover into a video. Comparing the time it takes for hardcoding the new address with the time it takes to report it, we'll notice this mechanism is productive in terms of protection. If such system was online when Musk's twitter got hacked, much more people would've been protected, that's what I think. And such breaches will occur in future, I believe it's important to develop security mechanisms in such matter.

Conclusion
Crypto Scam is a non-profit, open source database of abusive crypto addresses, distributed under MIT. I am positive its service will soon be adopted by prominent wallet software to help prevent abuse in crypto ecosystem. I hope you will find this initiative useful.

Project Homepage: https://crypto-scam.io
Project source (Github): https://github.com/tgbv/crypto-scam

There are very few startups in this world that went perfect from the beginning. The more tests we make the more we'll know the system is reliable, so please if you spot an abusive crypto address don't hesitate to report it: https://crypto-scam.io/report
If you want to contribute, I'd be more than happy to have you on board. Feel free to open PRs or Issues in Github repo.

[1715415765]

1715415765

[1715415765]

1715415765

[1715415765]

1715415765

[1715415765]

1715415765

[LeGaulois]

Q: What about if someone abuses the database by reporting addresses that have nothing related to a scam? Doing it as revenge or something similar.
I'm thinking for example someone adding my address and could then trying to blackmail me and my address popping out on search engines as a scammer.

Suggestion: It could be useful if a link is included in the report, pointing to the place the scam happens or, where there is a discussion about it.

Good luck with your website  

[OmegaStarScream]

I agree with LeGaulois. I think there should be some sort of scoring system. So in order for someone to submit an address, he must first create an account and then, in each report, other (registered) users should be able to vote and give a thumbs up/down on the address so people can have an idea on how accurate that report is. Adding comments (Disqus) could be great as well.

I've also tried to submit an address, and in my opinion, the way reports are currently being displayed can be improved. Instead of showing a table (which make things difficult to read), you should display the description, attachments, etc. like if they were a blog post.

[tgbv]

Thank you for your suggestions!

@LeGaulois indeed it's difficult to prevent such behaviour unless reports are manually verified. To avoid this type of abuse, system is currently limited to one report per 15 minutes from any machine; I couldn't think at something better in short time.

[cryptomaniac_xxx]

I think this is very similar to, Bitcoin Abuse Database. Maybe you can look at that thread and see what other members are saying, pros/cons.

[Zemomtum]

This is a good initiative but you must try to implement scoring system and there must be a source of information that relates to such address been tag scam. I mean in form of evidence that clearly shows that the address is used  to scam if not, it will be abused.

[SFR10]

3. Before executing the order, the wallet software used by Foo Bar queries the database of https://crypto-scam.io to check if the receipt address is fraudulent.
~Snipped~
I am positive its service will soon be adopted by prominent wallet software to help prevent abuse in crypto ecosystem.

Without a software wallet integrating such thing, this will just be another list that most beginners won't ever see...

<sup>- Any plans for its adaptation or you're just hoping for the best?
- At most, a centralized so-called crypto wallet might use it but at the same time, a lot of users have switched their wallets to something with little to no restrictions.</sup>
Overall, I do like this project...
^{- Suggestion: Show reported addresses by default (without having to search for them).}

[NotATether]

Without a software wallet integrating such thing, this will just be another list that most beginners won't ever see...

A brand new wallet shouldn't be needed and ideally there would be a plugin for crypto-scam.io that can be downloaded and installed into the major wallets. The only problem is, only Electrum supports plugins currently, Bitcoin core and mycelium don't. Then again, there's a risk wallet developers are making by implementing plugin support because malicious plugins can steal all of your coins, using an address that ironically will likely be flagged in a database.

That is the major problem with all databases, they rely on users searching the address they send coins to before using it. And most people don't do that.

[tgbv]

CS = Crypto-Scam

Thank you all for your questions and ideas. Thanks to them I've developed a better abstract concept of handling crypto abuse. Before answering your concerns separately I'm gonna draw the whole picture of the working mechanism and hopefully your question will be answered meanwhile.

As mentioned several times before, such database will rarely be queried by anyone before sending coins. That's the reason why integration with major wallets is a must so they can help automate that process and actually advertise it to the user; what I mean is, there are two ways in which wallets should affiliate with CS:

• Receipt checking - Before executing a SEND order wallet app queries CS database and checks if the receipt address is fraudulent, because average user won't do that by himself
• Address reporting - I believe a very very small amount of crypto users will actually go to http://crypto-scam.io/report and fill a report with an abusive address they spot online, because that would require them to: a) open a tab in browser, b) lookup the domain of CS in case they forgot it, c) find a way to append the abusive address, d) fill other required info - given more and more people are using smartphones it's a general tedious process. If wallet devs would implement in-app reporting mechanisms to CS that would be great in terms of accessibility and more abusive addresses would be discovered, because people tend to be familiar with wallet app's interface instead of the one of another site.

I believe anyone should be able to report addresses without the need of some account registration. The cryptocurrency world is vast with many users, requiring each to create an account to report may be exhausting for server and possibly a privacy killer depending on the required registration data. However, as posts here have mentioned, reports themselves cannot be trusted and must be validated. For such issue I propose a dicing system, what do you think of it?

https://i.imgur.com/nZnjALD.png (image)

Steps:

   1. Humans are applying as verifiers. Verifiers are manually confirmed by CS webmasters to make sure they aren't bots or criminals. They will later check and validate reported crypto addresses. Because not many may enjoy browsing a website daily to do that, they will use a CS website interface and a custom android/iOS app.

   2. Within wallet application someone reports abusive addresses.

   3. CS sends the report to 3 random verifiers across globe to validate it and set the state of the address - scam or not. State of address is decided democratically. In case one or more verifiers is not online the report is passed to others worldwide. This method is more secure because in case a verifier itself is an abuser and reports addresses for no reason he can't be sure he'll be the one to incriminate the false-positive.

   4. Before executing SEND order, wallet checks the state of receipt address with CS.

I think this is very similar to, Bitcoin Abuse Database. Maybe you can look at that thread and see what other members are saying, pros/cons.

It's similar to that with few exceptions: CS database will support more than BTC addresses, and will have a different verification system for deciding whether a report is fake or not.

Without a software wallet integrating such thing, this will just be another list that most beginners won't ever see...

There is no need for a new wallet. Already existing ones can use CS via the public API it offers; for example: https://api.crypto-scam.io/a/0x3Ae5c187FDB90553Cc439b1ee7341C0D2461688A/rep,type. They just need to code it in their app and ship a new version with it.

- Any plans for its adaptation or you're just hoping for the best?

I've started this last week; project is still in beta phase - that means features are to be added, bugs to be fixed and tests to be made before asking popular wallet software developers to use CS. After being confident the backbone of the service is reliable I'll ping them, starting with those open source.

- At most, a centralized so-called crypto wallet might use it but at the same time, a lot of users have switched their wallets to something with little to no restrictions.

As mentioned before there's no need for a centralized wallet but I understand your point - yes, it will take time until wallets will make use of CS database. However things will speed up if service proves to be efficient, and that can be achieved by implementing meaningful tested features.

[pooya87]

there are always 3 major problems with ideas such as this one.
1. a beginner who is never going to research before trusting an offer is also never going to find things like this either. and if they do search they will find enough information online (mainly on forums, etc.) that warns them against such scams.
for example if you search the name of a cloudminer you will find scam accusations and warnings against it or if you don't find anything it is an indication that it is brand new (even if they claim otherwise) and should be avoided.

2. no matter what you say, there is always a certain level of centralization to the system. you already mentioned in your last post "CS webmasters" and "verifiers". there is nothing stopping them from being bribed into hiding a scam report or falsifying one (very similar to ICO benchmarks that scammed people themselvews!) or worse, to be paid to show the "competition" as scammers!

3. and finally cryptocurrency addresses are a one time use tokens, there is nothing stopping a scammer to change their address on each scam. the database could soon grow to need to trillions of addresses.

[NotATether]

there are always 3 major problems with ideas such as this one.
1. a beginner who is never going to research before trusting an offer is also never going to find things like this either. and if they do search they will find enough information online (mainly on forums, etc.) that warns them against such scams.
for example if you search the name of a cloudminer you will find scam accusations and warnings against it or if you don't find anything it is an indication that it is brand new (even if they claim otherwise) and should be avoided.

2. no matter what you say, there is always a certain level of centralization to the system. you already mentioned in your last post "CS webmasters" and "verifiers". there is nothing stopping them from being bribed into hiding a scam report or falsifying one (very similar to ICO benchmarks that scammed people themselvews!) or worse, to be paid to show the "competition" as scammers!

3. and finally cryptocurrency addresses are a one time use tokens, there is nothing stopping a scammer to change their address on each scam. the database could soon grow to need to trillions of addresses.

I would add a fourth problem to the list. If there are thousands of reporters and only a handful of webmasters and verifiers then they are going to be overloaded with processing reports and addresses will be added slowly as a result. Services that do handle that many reports automate the report handling and as expected, there will always be false positives in such a handler, and false negatives.

[dkbit98]

There should be some verification from multiple sources for sent addresses and even them I would rename word 'scam' to 'suspicious for scam'.
Proof and sources of information must be posted (news article, titter post or bitcointalk post), and without that I would not publish any address.

[Vod]

@LeGaulois indeed it's difficult to prevent such behaviour unless reports are manually verified. To avoid this type of abuse, system is currently limited to one report per 15 minutes from any machine; I couldn't think at something better in short time.

Manual verification is a must.  This would be a good test project for micro-tasks.   Let's say you choose a five person verification - five people at random (sorted by when they helped you last, to avoid abuse) answer yes or no.  The majority sets the status, and ones that answered against the majority receive less tasks. 

I would suggest you stay away from "limits".  False sense of security that cannot be enforced - cookie or IP manipulation will make your results worthless.