Polkadot’s Anti-Scam Initiatives

How the community is working to make the Polkadot ecosystem safe

Michalis Fragkiadakis
Polkadot Network


For the last year and a half, a group of people have been quietly working hard behind the scenes to make the Polkadot ecosystem safer for its users. Unfortunately, scams are commonplace in our industry and in most cases users are left to fend for themselves.

However, this approach requires solid knowledge of the best security practices, which most newcomers, and some veterans also, do not have. The Polkadot community has differentiated itself in that regard and taken an active stand against scams. The onus ultimately still falls on the user to make sure they keep their funds safe, but measures can still be taken to make it harder for scammers to victimize people.

In this post, we look at how these initiatives came to be, what they have accomplished, and how the Polkadot community will continue working to protect the ecosystem from scammers in the future.

How it all started

It’s February 2021. Polkadot has been live for less than six months, but that hasn’t deterred scammers from spawning fake claim sites for DOT allocation tokens on Ethereum or giveaway scams (“send us X DOT and we’ll send you back 3X” — yes, these are scams!). The Web3 Foundation legal department has a big backlog of takedown requests against these sites and the situation isn’t getting any better.

The threat to the developing Polkadot brand is real, but our concern goes beyond that. We don’t want Polkadot to be a free-for-all ecosystem; we want it to be a safe ecosystem, where its users don’t have to constantly worry about falling for scams and scammers should think twice before casting their nets.

Talks start between W3F and Parity people on how to address the situation and from these talks the Anti-Scam team is born, led by the Foundation’s newly-founded Anti-Scam department. This might seem trivial, and it really wasn’t hard to do, but to my knowledge it was the first time a blockchain had a dedicated Anti-Scam team, even one that at that time was quite centralized.

The objective was simple: do what we can to protect users and make Polkadot a safe ecosystem. Simple in theory but tricky to accomplish, especially if you want to stay true to the Web 3.0 ethos and do it in a decentralized way and on-chain, like we do.

A year and a half later, much progress has been made on all fronts, including decentralizing the efforts, but there is still much to be done. Read on to learn more about what steps we’ve taken, the current status of affairs, and what we envision for the future.

Early steps

Decentralizing anti-scam efforts and bringing them on-chain is no easy task, mainly because most scam fighting happens in Web 2.0. It is achievable, and the road there is clearer now, but scammers weren’t going to wait for us to figure everything out, and users would fall victim in the meantime. So, we started with things we could do right away, while working towards our broader goals.

Crypto scams take many forms, like giveaway scams, seed stealers, and fake support agents and groups on social media, and scammers always find new ways to trick their victims. It requires vigilance, which is why we’ve put together this guide on how to protect yourself against them.

To curtail the proliferation of these scams quickly, Web3 Foundation partnered with PhishFort, an anti-phishing company specializing in the crypto industry, to detect and take down fake sites and social media instances. After a year of collaboration, Web3 Foundation made a switch to another great company in the field, Allure Security.

Even this was a big step in the right direction. Until then the only way to find out about a scam in the wild was if someone saw it and reported it, either an employee or a user, and in the latter case, too often only after falling for it. But by working with an anti-phishing company like PhishFort and later on an online brand protection company like Allure Security, we started taking the fight to the scammers.

With this first line of defense established, we turned our focus to how to address scams in areas that are not usually protected by anti-phishing companies, like Telegram or Discord, how to be more proactive than reactive, and, more importantly, how to decentralize our efforts and eventually bring them on-chain.

The solution came from the community. At the time, there were a couple of community members who were quite involved in fighting scams in their various forms and that made the way forward clear: we would gather these security-minded individuals and reward them in a consistent manner for protecting the community. In other words, the community would protect itself.

Two initiatives were created: one where community members would find and take down scam sites, and another where they’d do the same for scam Telegram groups. These were the precursors of the Anti-Scam Bounty (more on that later).

The first initiative was a resounding success. From September 2021, when this experiment started, until the end of February 2022, when it was replaced by the Anti-Scam Bounty, the participants of the initiative found 1,661 scam sites targeting Polkadot users and had taken down more than 95% of them.

Its counterpart on Telegram was not as successful, unfortunately. Not because the participants were not as involved or as capable, but because Telegram is infamous for its inaction against scams and their reports and efforts usually were in vain. As a result this initiative was abandoned and we are looking for a more innovative way to address the problem.

But these initiatives had another big effect: they shifted the decision making processes from Web3 Foundation and Parity towards the community. The Anti-Scam team was decentralizing!

The Anti-Scam Bounty

The idea that we should reward participants in the anti-scam initiatives with child bounties was there from the beginning. But the child bounties pallet wasn’t. Bounties allow a portion of the treasury to be earmarked for a specific task. It’s controlled by the curators of the bounty, individuals or entities with expertise in the field, to be dispersed according to the purpose of the bounty. Child bounties expand on that functionality and allow for the bounty to be open-ended and to award the allocated funds in smaller chunks for different completed tasks or milestones.

So, in the beginning we rewarded participants’ efforts with tips. When the child bounties pallet finally made its way into the Polkadot runtime the Anti-Scam Bounty was created, and it was the first bounty to make use of that pallet. In fact, until recently, all child bounties opened on Polkadot were from the Anti-Scam Bounty.

In the months between the launch of the initiative and its replacement by the bounty, a lot of good feedback was provided by the participants. For one, our efforts should not be focused solely on taking down scam sites. Although this is our flagship effort, the participants came up with ideas to utilize all tools at our disposal and expand the anti-scam activities in other areas. As such, when the Anti-Scam Bounty was created, it incorporated all these ideas as Tasks that the community could undertake to help make our ecosystem safer.

These are described in detail in the Anti-Scam Bounty proposal, but to give a high level overview, the bounty incentivizes the community to detect and take down scam sites (Task 1), along with other types of scam, like fake social media profiles and phishing apps (Task 5), to create educational material for users (Task 7), to bring wallets, exchanges, and antivirus companies into the fold by integrating our phishing repo (Task 6), to protect our Discord servers from raids (Task 4), and to create an Anti-Scam Dashboard to act as the central hub for all anti-scam activities in our ecosystem (Task 3).

An overview of these tasks, with their current status of implementation and links to their specific descriptions and rules, can be found in this spreadsheet.

Each task is curated by a member of the community, whose role is to work with the implementers to ensure the task is successful, come up with ideas to improve it, and push it to reach its full potential. And they too are rewarded for their efforts.

The bounty is managed by the general curators, who currently consist of three community members, and two people from the W3F Anti-Scam department as backups. But the goal is that the bounty, like all anti-scam activities, will be managed exclusively by the community and all general curators will be community members.

And if you’re wondering whether it’s worth the time the implementers and curators put in, the bounty has given out more than 16,000 DOT in rewards to date, with the detection and taking down of scam sites (Task 1) getting the lion’s share.

In June, we changed the denomination of the rewards from DOT to USD to keep the participants incentivised and allow them better financial scheduling. As a result the rewards in DOT increased significantly.

But have we achieved anything?

A clear success metric for such an initiative would be how many people we have protected. But obviously something like that is impossible to measure. We can only make deductions and assumptions based on other metrics, like how many sites have been taken down, how many scam victims have contacted support, and how much DOT has been sent to known scam addresses.

So, let’s see what we have achieved so far.

Since the bounty started in March 2022 and until the end of October 2022, a total of 5524 sites have been submitted, with the vast majority of them being taken down in the same or subsequent months. This is an increase of 270% compared to the previous initiative, if we compare average monthly submissions, reinforcing the conclusion that it was a successful first iteration of the initiative leading to an even more successful bounty task.

In fact, after establishing the bounty program as a community and witnessing its effectiveness, we now rely solely on the community for finding and responding to scam websites. Web3 Foundation continues to partner with Allure Security to find and eliminate deceptive social media accounts and rogue apps targeting community members. In the future, the goal is to entrust all aspects of online scam protection exclusively to the community. And any company in the field that wishes to join the bounty and contribute with their expertise is welcome.

The overwhelming majority of the sites the implementers submit are generic seed stealers, while only a small percentage target Polkadot specifically. A requirement for these seed stealers to be eligible for the bounty is to target Polkadot or Kusama users somehow. This usually means that they feature Polkadot or an ecosystem-specific wallet (like Polkadot-JS) among the “compatible” chains/wallets. But by taking them down, the implementers don’t protect just our community, they also protect users of all the other “advertised” chains, wallets, and dApps on those sites.

These are keywords within the domain name itself. Seed stealers are often hosted on domains with less relevant (or even completely irrelevant) domain names, but they are still found and taken down.

To take things one step further, the community members also add to the list of scam sites in our phishing repo all the domains they find during their searches, even if they are not targeting Polkadot and are thus not eligible for reward.

As a result, the blocklist has grown from a couple hundred sites when our anti-scam efforts started in April 2021 to a whopping total of almost 14,000 entries by the end of October 2022! And the impact of this initiative since its beginning in September 2021 is quite obvious.

This amazing growth, besides attesting to the initiative’s success, also shows that more than 50% of the entries in the scam sites list are not related to Polkadot. Yet the implementers, and other community members, add them because we want everyone to benefit from our efforts, and we invite any project across the industry that provides safe browsing features to their users to integrate our blocklist into their services. We’re all in this together!

From the Polkadot community with ❤️

But before moving forward, we’ve mentioned the phishing repo a few times already and you might wonder what it is exactly. The phishing repo is an open-source, community-curated GitHub repository that contains scam sites and addresses associated with scams. The Polkadot extension will prevent users from visiting sites in the repo and the Polkadot-JS UI will warn users who try to send funds to one of these known scam addresses. But since this repo is open-source, any app or extension that offers similar functionality can integrate these lists. That’s what Task 6 of the bounty is trying to accomplish and we invite any interested project to contact us and make this happen!
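For projects considering such an integration, here is a sketch of the two lookups described above: blocking a visited site and warning on a known scam address. It is an added example, not code from the phishing repo, the Polkadot extension or Polkadot-JS; the list layout, the sample entries and the function names are assumptions made for illustration.

```javascript
// Constructed sample lists. The layout (allow/deny hostname arrays plus a
// site -> addresses map) is assumed here, not taken from the repo.
const SAMPLE_LISTS = {
  allow: ["polkadot.network"],
  deny: ["wallet-sync.example", "claim.polkadot.network.example"],
  addresses: {
    "wallet-sync.example": ["1ExampleScamAddressConstructedAAAA"],
  },
};

// Reduce a URL or bare hostname to a lowercase hostname, or null if unparseable.
function normalizeHost(input) {
  const text = String(input).trim();
  const withScheme = /^[a-z][a-z0-9+.-]*:\/\//i.test(text) ? text : `https://${text}`;
  try {
    // Strip the trailing dot of a fully qualified name so "evil.example." still matches.
    const host = new URL(withScheme).hostname.toLowerCase().replace(/\.$/, "");
    return host.length > 0 ? host : null;
  } catch {
    return null;
  }
}

// "a.b.example" -> ["a.b.example", "b.example"]; the bare TLD is never a candidate.
function hostCandidates(host) {
  const labels = host.split(".");
  const out = [];
  for (let i = 0; i + 2 <= labels.length; i++) out.push(labels.slice(i).join("."));
  return out.length ? out : [host];
}

// Most specific match wins, so a listed parent domain also covers its subdomains.
// Matching is on whole labels from the right, never on substrings: a host that
// merely contains a trusted name is not treated as trusted.
function checkSite(input, lists = SAMPLE_LISTS) {
  const host = normalizeHost(input);
  if (host === null) return { verdict: "invalid", matched: null };
  const deny = new Set(lists.deny.map((d) => d.toLowerCase()));
  const allow = new Set(lists.allow.map((a) => a.toLowerCase()));
  for (const candidate of hostCandidates(host)) {
    if (deny.has(candidate)) return { verdict: "deny", matched: candidate };
    if (allow.has(candidate)) return { verdict: "allow", matched: candidate };
  }
  return { verdict: "unknown", matched: null };
}

// Return the listed sites an address is associated with (empty array if none).
// Addresses are compared exactly: SS58 is base58 and therefore case-sensitive.
function checkAddress(address, lists = SAMPLE_LISTS) {
  const wanted = String(address).trim();
  return Object.entries(lists.addresses)
    .filter(([, addrs]) => addrs.includes(wanted))
    .map(([site]) => site);
}
```

An integrator would block navigation on a `deny` verdict and show a warning before signing when `checkAddress` returns a non-empty list.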

Now, of these scam addresses in the repo, about ⅓ have received no DOT at all, while almost 92% received up to 3000 DOT overall. The vast majority of accounts that received more than that did so before our anti-scam efforts started and the top two accounts that received about 13,000 and 16,000 DOT are linked (meaning the 13k are included in the 16k), as are some of the others.

The total amount lost is not small by any measure (about 125,000 DOT) but it is encouraging that most of it was lost before our efforts started and since then we’ve seen a reduction in the scammers’ gains.

But what about the effect on users? Requests relating to scams in general and reports from scam victims tend to correlate to market conditions, so safe conclusions cannot be reached, but the low volume in recent months is encouraging nonetheless. And there are certainly more victims out there that never contacted us. If you’re one of them, please check out this article and contact our support.

The bounty is not just about taking down scam sites, though. As mentioned before, the goal is to address the problem from all angles. The implementers and curators work feverishly on all of the other tasks too, and results are beginning to show.

A database of contacts for 47 DNS registrars and hosting providers is already in place, as part of Task 2, so that implementers of Task 1 can contact them efficiently and take down scam sites quickly. There’s also a detailed tutorial to help new implementers be effective in taking down scam sites.

The tools to protect our Discord community from scammers and bot raids are either already in place or being tested, while the efforts to take down social media scams and phishing apps started in October 2022. 42 scam profiles or groups have been detected so far and 10 of them have been taken down.

And the first material to educate our community on how to protect themselves is already published. A short, fun video, infographics, an article, and a quiz to test the new knowledge about mnemonic phrases and private keys are at the disposal of the community, and more are yet to come.

As for decentralizing our efforts, in June 2022 the Polkadot Anti-Scam Team was founded to act as the “governing body” of all anti-scam efforts, officially moving the control from Web3 Foundation and Parity to the community. It consists of five members from the community, two from Web3 Foundation, and a Polkadot councilor as associate member. It has a team “captain” chosen from the community members on rotation, whose role is to organise the team.

Other initiatives

The Anti-Scam Bounty is obviously the main focus of our efforts, but it’s not the only one. We also do what we can to assist users who have fallen victim to scams or hacks.

Since day one, Web3 Foundation has joined the Crypto Defenders Alliance (CDA), a consortium of exchanges and wallets that work together to prevent the laundering of stolen funds. Whenever a scam or hack victim contacts our support, or we find a scam in the wild, we report all associated addresses to CDA for blocklisting, the hope being that if these funds find their way to an exchange that has flagged them, the exchange will freeze them and let us know.

The support team at Web3 Foundation can also provide advice and help victims secure any funds that may not have been stolen yet. For example, we have developed methods to help users with bonded DOT in a compromised account to unbond them safely and move them to a secure account. Since we created these methods we have successfully helped four people in that situation and have saved close to 13,000 DOT. In those cases, the users usually had already lost other tokens, sometimes valued much more than the bonded DOT. But the action alone of helping them in their hour of need, working with them for weeks, and finally saving their DOT, was invaluable on its own for both sides.

Finally, a collaboration is in the works that will provide victims with a dedicated, end-to-end support experience and better recourse in the event they are affected by a scam. Stay tuned!

What does the future hold?

As mentioned several times in this article, our efforts are far from complete and we still have a long way to go to achieve all our goals.

Our immediate focus is to complete all tasks in the Anti-Scam Bounty and ensure all of them are as successful and useful as Task 1. Creating the Anti-Scam dashboard to provide better tools for the bounty and a hub for the community to stay updated on all things anti-scam is of special importance.

Also, the Polkadot Alliance is just around the corner. It will be the first on-chain collective built on the new Collectives system parachain. Its founding members will be elected by the community and new members can apply or be invited to join. The Polkadot Alliance provides an on-chain framework to increase the reputation of those teams in the ecosystem who empower others and contribute to the ecosystem in alignment with open source culture. The Anti-Scam team’s goal is to join the Alliance as a Fellow, because we feel that our goals in creating a safer ecosystem are aligned and we can provide useful assistance and expertise in getting there.

Another important goal, perhaps the most important, is to increase our educational efforts to reach more people within, and outside, our ecosystem in new, innovative ways. This is a big undertaking that will probably never cease, but it’s the most effective way for long-term safety for our community. Education is the “silver bullet”, because if all users know how to protect themselves and avoid pitfalls, then all other initiatives become obsolete and we can all go home, scammers included.

Along with that, we’ll expand our efforts to protect not only Polkadot and Kusama, but parachains and other projects in our broader ecosystem. The most immediate step we can take in that direction is to expand the coverage of relevant bounty tasks to include parachains and other popular projects. But with new and exciting tools being built every day in our ecosystem, we could potentially do much, much more.

Of course, the decentralization of our efforts will also continue unabated. The first step is to have all the curators and Anti-Scam team members be from the community, with Web3 Foundation serving only an advisory role. At the same time we want to define more clearly the scope and structure of the team, as well as the processes for joining and advancement. The ultimate goal for decentralization is to bring the team on-chain in the form of a Collective.

Finally, we want to explore moving the submission process for the bounty on-chain, potentially by making use of decentralized storage and NFTs or on-chain remarks as a tool for proof-of-submission. And from then on, who knows. With Substrate being so customizable and Polkadot offering a lot of tools to make use of, we’re probably limited only by our imagination.

How to contribute

The simple act of reporting a scam when you find one is a major contribution by itself. It may not seem like much, but you may prevent someone from losing their life’s savings.

Reporting to our dedicated email address (antiscam@polkadot.network) is the best way, but if you are a member of our Discord server, you can also use the #scam-check channel, dedicated to this. Or you can make a PR directly in our phishing repo.

But if you liked what you read and want to get involved in the anti-scam efforts, post in the #scam-check channel or send us an email, and a member of the Anti-Scam team will get back to you. Currently, only Polkadot Ambassadors and generally active members of our community are eligible to join, but exceptions can be made for enthusiastic individuals who have a beef with scammers.

And if you are part of a project in our broader ecosystem and all this sounds interesting, get in touch. As mentioned above, we want to grow our initiatives into a protective umbrella over the whole ecosystem, so let’s work together.

Finally, if you are a scammer and you’re reading this, you’ve probably figured out by now that you won’t have it easy in the Polkadot ecosystem. So, pack it up and move on. Or better yet, find a job and stop trying to steal from people!
