What is MevBot Scams?
Luring naive and unsuspecting developers with the promise of risk-free passive income, scammers trick them into deploying contracts that are in fact useless and contain malicious code. Once the developers invest funds and attempt to execute, the malicious code transfers the funds to the scammer’s wallet.
How It Work
Mostly in the form of counterfeit Substack and Mirror articles, these include detailed explanatory videos and step-by-step guides on how developers can use Remix to deploy and execute malicious contracts.
Scam Sites
Over the past few months, ScamSniffer has monitored more than 100 domains related to the MevBot scam being deployed.
Among them, IP 185.149.120.113
has deployed a large number of related websites.
Malicious Contract
Analyzing the malicious contract code that needs to be deployed reveals that regardless of whether you call Start, Stop, or Withdrawal, the actual code simply transfers the ETH funded by the developers in the malicious contract to the scammer’s wallet.
OnChain Case
Taking the malicious contract 0x7149b95d704469798b924841ddB7c46944f20707
as an example, it can be seen that this victim tried using two different wallets to transfer 10 ETH and called Start twice, with both attempts ultimately ending in theft.
After each call Start
, the 10 ETH was immediately transferred to the scammer’s wallet 0x3cd32e6bfe4a8883ec22f08818f0d0e1c2fbcd8c
.
Scam Stats
By analyzing on-chain data, it can be determined that since January, approximately $1.69 million has been stolen from around 877 addresses.
The trend indicates that roughly $20,000 is stolen daily, with over $100,000 being stolen on March 11th.