Hackers Steal $58,000 Using Fake EOS Tokens

Hackers Steal $58,000 Using Fake EOS Tokens

By Benson Toti - min read
Updated 21 March 2023

Exploiting incompetence and misinformation, hackers have made off with 4,028 EOS from Newdex exchange, paid for with phony EOS tokens they created themselves. While more fault lies with Newdex than with EOS, the event is another negative headline for EOS. Because only $58,000 worth of crypto was taken, little is likely to change. But this hasn’t stopped some from complaining that EOS is ignoring the issue, is it safe to buy EOS?

Fake EOS Tokens: How Did This Happen?

fake eos hack
fake eos hack

It might seem that persons able to create EOS tokens to buy EOS would be high-level hackers, but the perpetrators of this recent fraud were simply opportunists. EOS is a smart contract platform, and EOS users can create dApps and digital tokens of their own. The fraudsters in this case simply thought that if they were to create an EOS token called “EOS”, they might be able to pawn it off on a vulnerable exchange.

They created their new “EOS” tokens (1 billion of them!) and found their vulnerable exchange in Newdex. Newdex has garnered attention by claiming to be the first decentralized exchange (DEX) on the EOS blockchain. Unfortunately, the exchange is not decentralized. It doesn’t use smart contracts for order matching, and relies to a large degree on human oversight.

This is how the EOS hackers were able to trade tokens they should never have been able to create, for cryptocurrency they should never have been able to buy. The person or persons behind the hack bought up Blackcoin, IQcash, and ADD in more than 11,000 individual orders. These tokens were then exchanged for real EOS tokens, which were then withdrawn to Bittrex exchange.

Newdex has acknowledged the hack but has announced no plans to give restitution to those who lost money. At this time, no direct response from EOS has been made.

The fake EOS hack is not a long term problem
The fake EOS hack is not a long term problem

Whose Fault is This?

It’s hard to blame EOS, though other blockchains should take note. It shouldn’t be possible for anyone to create a token that so resembles the token of its parent blockchain. This case of fraud was an attack of opportunity, and it would be somewhat difficult (but not impossible) for another fraudster to replicate it. In the future, parent token names should be off-limits for users creating their own digital coins.

The main fault lies with Newdex. The company had already been experiencing criticism for their seemingly deceptive advertising about their exchange. “DEX” is a hot topic in the crypto world, and every major blockchain protocol is unveiling their own decentralized exchange(s). Clearly, Newdex does not fit the bill, and this attack doesn’t speak well of their long-term potential.

In the end, this event doesn’t change much. It doesn’t speak to fundamental vulnerabilities in the EOS protocol. The fraudulent tokens were EOS tokens in appearance only. If anything, the attack shows how vulnerable centralized exchanges continue to be. Newdex had no way of verifying the phoney EOS tokens as authentic.

Readers are advised to take care when using new platforms, especially ones upon which digital currencies must be stored. This event is just another reminder about the dangers of centralized exchanges, as well as new untested applications. Fortunately no Newdex user incurred great losses.


Featured image source: Flickr