[Wallet Council][Breakout group][Transaction scam prevention]

Welcome to the Transaction scam prevention Breakout Group Discussion!

Group Focus

  • Topic: Transaction scam prevention
  • Objective: Initiative to Combat Scams in Algorand Transaction Notes

As many of you are aware, the Algorand network boasts exceptionally low transaction fees, making it an attractive platform for both users and developers alike. However, this advantage has been exploited by scammers. They have begun including misleading URLs in transaction notes, attempting to defraud individuals. This issue not only undermines the security of our community but also the trust in our network.

Our primary goal is to safeguard the Algorand ecosystem and its participants from malicious activities. To achieve this, we’re considering a variety of strategies and welcome input from all community members.

One of our proposals is to create a centralized repository, where community members can report fraudulent activities. This platform will serve as a comprehensive database of known scams, including misleading URLs and other forms of malicious transactions. Here’s how it could work:

  1. Reporting Mechanism: Community members can submit reports of suspicious transactions, including details such as the wallet address involved and the misleading URLs contained within the transaction notes.
  2. Verification Process: Submitted reports will undergo a verification process to confirm their validity. This step ensures that the “database” remains accurate and free from false accusations.
  3. Integration with Wallets: Wallet developers can then utilize this database to implement features that warn users about potentially malicious transactions. For example, if a transaction from a flagged address is received, the wallet could display a warning or even prevent the display of the transaction note altogether.
  4. Community Involvement: To ensure the success of this initiative, we encourage broad community involvement. Not only can community members contribute by reporting scams, but developers can also participate by integrating the database into their applications, thereby enhancing the ecosystem’s overall security.

We believe that centralizing information about bad behaviors and scam attempts in one accessible place will significantly contribute to preventing these malicious activities. However, this is just one idea, and we are open to suggestions. We invite everyone in the community to join the conversation, share your thoughts, and contribute to the development of this important project.

Let’s work together to protect our network and ensure that Algorand remains a secure and trustworthy platform for all.

3 Likes

Great initiative. Very happy to see that this is on the agenda of the Wallet council.

To paint a picture, this is the problem we’re facing (last 7 days). The scams come in waves, some days a lot. Some days barely anything:

And here the most popular (scam related) domains:

In my opinion, steps 1 & 2 should be considered as an add-on. In my opinion it’s simply too slow & cumbersome to maintain manually. Especially #2 - which group of people wants that job to maintain and verify the incoming list? While effectively it can be done almost fully automatically.

So here’s what I did to flag it properly for Chaintrail (would say that we hit the 99% coverage for the past couple of days). We already process each and every transaction, trying to identify where it originates from. That’s the core engine of Chaintrail. We extended that with a Scam Detector engine which processes each transaction and identifies on the basis of sender & note whether it’s a scam. A blocked domain results in a direct scam, same for a blocked sender.

The blocklist can be publicly seen here: https://chaintrail.io/api/v1/scam/blocklist. Even though it doesn’t look like much yet, it’s constantly being updated by our internal systems to catch all new scam domains (mostly since Feb this year). We use a combination of certain algorithms and AI, cross-checking our internal database of domains including the already provided blocklist. This results in a new domain being either added to blocked or skipped. We do get emails for every skip & block, so we can constantly tweak it to get that golden hit ratio.

Algorand Scam Detector
We already combined this in an open source project called Algorand Scam Detector, which uses the exclusion list as a base and considers any transaction a scam that contains an excluded domain or sender address, so combining a valid domain with a false domain will also fail.

Projects can opt to send the user to an explainer page that looks like this (example SCAM tx):

Projects that integrated it

Point 4
I strongly believe that this all succeeds or fails on point 4: community involvement. We can battle & flag scams quite easily, but putting it out there in the respective wallets / explorers and dApps to educate users is the key part in making sure scammers skip Algorand because we have an effective and automated anti-scam program.

I’m happy to support here where needed, and invite you all to use parts that are already out there. If the original idea goes through, we’ll of course also implement it as an add-on to our own scam detection system.

2 Likes
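An added example, not part of the posts above and not code from Chaintrail or the Algorand Scam Detector project: it applies the rule described in the post (a transaction is flagged when its sender or any domain in its note is on the blocklist, so a valid domain next to a blocked one still fails) and hides the note of a flagged transaction, as step 3 of the opening post suggests. The blocklist layout, the sample domains and sender, and all function names are assumptions; notes are taken as base64 strings, which is how the Algorand indexer returns them.

```python
import base64
import re

# Constructed sample data; field names are assumed, not a real API schema.
BLOCKLIST = {
    "domains": {"free-algo-claim.example", "airdrop-bonus.example"},
    "senders": {"EXAMPLE-BLOCKED-SENDER"},
}

# Hostname-like tokens, with or without a scheme in front of them.
HOST_RE = re.compile(r"(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,24}", re.I)


def note_text(note_b64):
    """Decode a base64 note; invalid base64 yields an empty string."""
    try:
        raw = base64.b64decode(note_b64 or "", validate=True)
    except (ValueError, TypeError):
        return ""
    return raw.decode("utf-8", errors="replace")


def blocked_domains(text, domains):
    """Return blocked domains found in text, matching subdomains too."""
    hits = set()
    for host in HOST_RE.findall(text):
        labels = host.lower().split(".")
        # Test each parent suffix: a.bad.example, then bad.example.
        suffixes = (".".join(labels[i:]) for i in range(len(labels) - 1))
        hits.update(s for s in suffixes if s in domains)
    return hits


def classify(txn, blocklist=BLOCKLIST):
    """Flag a transaction if its sender or any domain in its note is blocked."""
    reasons = []
    if txn.get("sender") in blocklist["senders"]:
        reasons.append("blocked sender")
    found = blocked_domains(note_text(txn.get("note")), blocklist["domains"])
    reasons += ["blocked domain: " + d for d in sorted(found)]
    return {"scam": bool(reasons), "reasons": reasons}


def display_note(txn, blocklist=BLOCKLIST):
    """Wallet-side rendering: hide the note of a flagged transaction."""
    if classify(txn, blocklist)["scam"]:
        return "[note hidden: flagged as scam]"
    return note_text(txn.get("note"))
```

Matching on parent suffixes means a blocked domain is also caught when the note uses a fresh subdomain of it, and lower-casing the host catches mixed-case variants.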

Hi,

This is a great initiative. As Pera, starting today, we are:

  • Blocking notifications from all accounts that are listed in Chaintrail Spam API, as well as any note containing the listed URLs.
  • Masking spam URLs on Pera Explorer.
  • Killing wallet connect connections initiated by all spam URLs.
  • Disabling web wallet for spam URLs.

Currently, users will just see a connection error message when they want to connect to a scam website, without much information, but with the next release, we will give a better message to the users. We will also remove spam URLs from the app UIs soon.

1 Like