Crypto Scammers Exploit ENS Domains in New Fraud Schemes
Experts from FACCT have uncovered a fraudulent scheme involving ENS (Ethereum Name Service) domains, targeting employees of crypto exchanges and cryptocurrency enthusiasts. According to researchers, these attacks begin with social engineering: scammers establish a business contact, promising the victim lucrative investments in various projects. This initial stage is designed to “warm up” the target, gaining their trust and putting them in a dependent position.
How the Scam Works
As communication continues, the scammers ask for help finding trusted cryptocurrency sellers. They claim to need cryptocurrency to purchase diamonds and gold in countries where cash transactions are supposedly difficult; India is often mentioned as an example. Given recent sanctions, including the addition of the Moscow Exchange, the National Clearing Center (NCC) and the National Settlement Depository (NSD) to the US SDN list and the resulting suspension of dollar and euro trading, the researchers expect the scheme to spread to other countries that maintain economic ties with Russia.
The actual theft occurs on the day the supposed transaction is set to take place, when a courier is expected to arrive with cash from a bank. However, a few hours before the scheduled time, the scammers request a video call, during which they claim they need to verify the “cleanliness” of the cryptocurrency—ensuring it hasn’t been involved in illegal transfers (which could lead to the crypto being frozen on an exchange or linked to a criminal investigation).
The “verification” process involves the crypto seller transferring their funds from one address to another. The scammers claim this is to confirm the cryptocurrency is genuine and that the seller’s wallets are not blacklisted.
The Role of ENS Domains
During or after the video call, the victim is persuaded, under various pretexts such as proving the origin of their assets or confirming that their wallet is not blacklisted, to send cryptocurrency to a destination ending in .eth. To make sure the buyer's request is safe, the seller typically first sends a small test amount (e.g., 10 or 100 USDT) to a name of the form <seller's own address>.eth. That name is an ENS domain, and it resolves to an address that is not the seller's. The test amount nevertheless turns up in the seller's wallet (the mechanism is explained below), so the seller proceeds to send the remaining funds to the same ENS name. The cryptocurrency from this second transaction ends up in the scammer's wallet instead of the seller's.
This works because, once the "verification" transfer has shown that the funds are real, the scammers immediately register an ENS domain whose name is identical to the address the funds were sent from. ENS (Ethereum Name Service) is a decentralized naming system built on the Ethereum blockchain. Just as DNS maps a domain name to an IP address, ENS maps a name to an Ethereum address. A name is owned by whichever Ethereum address registered it, and the registry does not check whether a name that resembles an address has anything to do with that address: anyone can register such a name and point it wherever they like.
The only difference between the seller's address and the ENS domain is the ".eth" at the end. The registered ENS domain points to the scammer's crypto address, not the seller's. So when the seller sends the test amount to the ENS name, it is the scammer who receives it. The scammer then quickly forwards the same amount to the seller's second address, usually within a minute, so the seller sees the test funds arrive and has no reason to inspect the transaction.
Convinced everything is legitimate, the victim sends the remaining, much larger amount. The funds end up in the attacker's crypto wallet, the address specified in the ENS records. ENS records can be checked by entering the ENS name at https://app.ens.domains; the address the name resolves to is shown under the "Records" tab. The practical check is that the resolved address must be the one you expect to pay: a destination that looks like an Ethereum address with ".eth" appended is not that address, and a wallet that accepts ENS names will silently send to whatever the name currently resolves to.
Changing ENS Records and Tracing Scammers
With this larger transfer, however, the scammer does not forward the funds to the seller. Instead, they send the money to one of their own crypto wallets, completing the theft. Researchers note that ENS records, like DNS records, can be changed at any time by the domain owner, so the address a name resolved to during the test transfer is no guarantee of where it points later.
By examining the ENS records you can see the scammer's Ethereum address and, using the same website (app.ens.domains), list all ENS domains owned by that address. Several ENS domains registered to the scammers were found, all resembling legitimate crypto addresses, which suggests the scammers were targeting multiple crypto sellers at once.