When it comes to the “next big thing” for independent platforms, the newsletter platform Substack has been at the forefront of the charge. The company has lured big-name independent writers such as Casey Newton and Glenn Greenwald to the platform to start their own newsletters.
Substack is now also being leveraged for its ease of use and reach by scammers to impersonate various cryptocurrency projects, encouraging those it reaches to “upgrade their smart contracts” and send funds to a proxy contract ID.
The language across multiple newsletter emails was similar, just plugging in and playing with different project names, suggesting they had a similar origin.
Scam Substack newsletter impersonates Gnosis
For a scam newsletter impersonating the project Gnosis, the dek of the newsletter reads, “The upgraded smart contract uses 71% less gas, supports updates thanks to proxy patterns and allows you to participate in future votes.” While the newsletter said no immediate action was needed, “GNO holders who update early will be eligible for the new liquidity rewards program, starting on January 20th and lasting one week.”
The Gnosis Twitter account tweeted that the newsletter was fraudulent. In the tweet, the Gnosis account told users not to interact with this Substack account, share their wallet address or send any funds.
“Gnosis was alerted to the phishing attempt on Substack via Twitter, as we were one of many popular blockchain projects targeted,” said Gnosis Director of Strategy Kei Kreutler in a direct message. “We immediately contacted Substack and they took down the fraudulent account.”
When CoinDesk reached out to Substack regarding the account on Jan. 15, it noted the account was taken down but did not respond to questions regarding what preventive measures are in place for these types of situations.
“We have permanently removed this account from the platform and any subscribers will no longer have access to the fraudulent Substack site,” the support team said.
While that Substack post (archived here) has been taken down, it appears the scam account is still active and was able to post additional material as of Jan. 21.
Other projects affected
Gnosis wasn’t the only project where this happened.
Projects such as RenProject, Kyber Network, Synthetix, Quant, UMA “and probably more,” were also victims, according to cybersecurity researcher Avigayil Mechtinger of the firm Intezer.
“This together with sending emails to relevant users is a whole infrastructure of its own and [the newsletters] used the same scam contract id – 0x093fAd33c3Ff3534428Fd18126235E1e44fA0d19.”
The scam impersonating Gnosis has already been seemingly successful to some extent though, with at least one responder to the Gnosis tweet admitting to being a victim and sending tokens to this proxy. Another expressed surprise that Gnosis wasn’t the one sending these emails after receiving one.
“We look forward to [Web 3.0] account tools becoming integral for providing trusted, unique and authenticated identity on the web so that such issues on other platforms arise less in the future,” said Kreutler. “This is why we built the Gnosis Safe, and we hope to see platforms like Substack beginning to adopt Web 3.0 technologies.”
Imitating emails so they look like they are coming from a legitimate source is a common practice, with the overall goal being for users to open them and give up information or money. Indeed, CoinDesk readers have been victimized by scammers sending out emails impersonating us.
The Substack scam is a logical extension of this method, with the goal of reaching a large group of people with seemingly legitimate material. Scammers are often looking for new and convincing ways to target individuals. While people might pass over a classic “Nigerian prince” scam email, they may let their guard down when it comes to legitimate-looking emails from a popular newsletter site.
With a limited number of moderators and Substack’s hands-off approach, it will likely be up to readers to keep an eye out for scams like these when they arise.