Defeating emission fraud: the behind-the-scenes of our battle

Andrey Shevchenko
Humaniq
Nov 6, 2018

In the past few weeks, we had to stop the normal operation of our Hybrid Blockchain. This was caused by a suspiciously large influx of withdrawals, which led us to investigate its causes. The results were surprising — a few dozen users had thousands of HMQ to their name, with very strange transaction histories that didn’t explain how they obtained the tokens.

Further examination revealed that those tokens were received from emissions, on a scale that was far beyond the $20 per person limit. We started looking into how they were able to do that, locking withdrawals until the issue was fixed.

Weaknesses in the App

Already in the summer we noticed and fixed a vulnerability that allowed users to bypass biometric checks and register accounts on fake numbers, which could be obtained through special third-party services. Coupled with the $3 referral promotions we were running at the time, it was easy money: register six accounts on a single referral code, collect $20 in HMQ, then repeat with a new number and a new referral code.

This gap in security was fixed, but we were dealing with a persistent bunch of fraudsters, and soon enough they found a different way of triggering invites.

The new exploit method was a lot more involved, requiring some advanced knowledge of programming and security. Under the hood, each invite and referral-code insertion triggers an API call, which then takes care of assigning the HMQ to the respective users.

That API can also be called directly, because the App simply supplies the necessary parameters in the request, and the server did not check that a given referral had already been rewarded. Under specific conditions, using a modified .apk or by sending the HTTP request by hand, these users were able to receive the reward multiple times for the same referral, thus accruing large amounts of tokens.
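To make the bug class concrete, here is an added example (not Humaniq's code; the table layout, the 10 HMQ reward, the $20-equivalent cap of 20 HMQ and the account names are assumptions) that puts a replayable referral handler next to a hardened one. The client sends the same two parameters in both cases; what differs is what the server verifies before crediting anyone.

```python
"""Referral-reward endpoint: a replayable handler beside a hardened one.

Added example modelling the bug class described above; names, amounts
and the storage schema are assumptions, not Humaniq's own code.
"""
import sqlite3

REWARD_HMQ = 10        # assumed reward credited to each side of a referral
CAP_PER_ACCOUNT = 20   # assumed lifetime cap on referral bonuses per account


def make_db():
    """In-memory store with one row per referred account in referral_claims."""
    db = sqlite3.connect(":memory:")
    db.execute("PRAGMA foreign_keys = ON")
    db.executescript("""
        CREATE TABLE accounts (
            id TEXT PRIMARY KEY,
            phone_verified INTEGER NOT NULL,
            balance INTEGER NOT NULL DEFAULT 0);
        CREATE TABLE referral_codes (
            code TEXT PRIMARY KEY,
            owner TEXT NOT NULL REFERENCES accounts(id));
        -- PRIMARY KEY on `referred`: a second claim for the same new account
        -- is rejected by the database, whatever the client sends.
        CREATE TABLE referral_claims (
            referred TEXT PRIMARY KEY REFERENCES accounts(id),
            referrer TEXT NOT NULL REFERENCES accounts(id),
            paid INTEGER NOT NULL);
    """)
    return db


def activate_referral_vulnerable(db, code, new_account):
    """Trusts the client: every call credits both sides again (replayable)."""
    row = db.execute("SELECT owner FROM referral_codes WHERE code = ?", (code,)).fetchone()
    if row is None:
        return "unknown_code"
    for acct in (row[0], new_account):
        db.execute("UPDATE accounts SET balance = balance + ? WHERE id = ?", (REWARD_HMQ, acct))
    db.commit()
    return "ok"


def activate_referral_hardened(db, code, new_account):
    """Server-side checks: verified account, no self-referral, one claim per
    referred account, lifetime cap on the referrer, all in one transaction."""
    row = db.execute("SELECT owner FROM referral_codes WHERE code = ?", (code,)).fetchone()
    if row is None:
        return "unknown_code"
    referrer = row[0]
    if referrer == new_account:
        return "self_referral"
    acct = db.execute("SELECT phone_verified FROM accounts WHERE id = ?", (new_account,)).fetchone()
    if acct is None or not acct[0]:
        return "unverified_account"
    try:
        with db:  # commit on success, roll back on any exception
            paid = db.execute("SELECT COALESCE(SUM(paid), 0) FROM referral_claims WHERE referrer = ?",
                              (referrer,)).fetchone()[0]
            if paid + REWARD_HMQ > CAP_PER_ACCOUNT:
                return "cap_reached"
            db.execute("INSERT INTO referral_claims (referred, referrer, paid) VALUES (?, ?, ?)",
                       (new_account, referrer, REWARD_HMQ))
            for who in (referrer, new_account):
                db.execute("UPDATE accounts SET balance = balance + ? WHERE id = ?", (REWARD_HMQ, who))
    except sqlite3.IntegrityError:
        return "already_claimed"
    return "ok"


def replay_demo(handler, attempts=5):
    """Replays the same referral activation `attempts` times (constructed data)."""
    db = make_db()
    db.executemany("INSERT INTO accounts VALUES (?, ?, 0)", [("alice", 1), ("bob", 1)])
    db.execute("INSERT INTO referral_codes VALUES ('ALICE1', 'alice')")
    results = [handler(db, "ALICE1", "bob") for _ in range(attempts)]
    balance = db.execute("SELECT balance FROM accounts WHERE id = 'alice'").fetchone()[0]
    return balance, results


def cap_demo():
    """Three distinct verified sign-ups against one code; the cap stops the third."""
    db = make_db()
    db.executemany("INSERT INTO accounts VALUES (?, 1, 0)", [("alice",), ("b1",), ("b2",), ("b3",)])
    db.execute("INSERT INTO referral_codes VALUES ('ALICE1', 'alice')")
    return [activate_referral_hardened(db, "ALICE1", b) for b in ("b1", "b2", "b3")]


if __name__ == "__main__":
    print("vulnerable:", replay_demo(activate_referral_vulnerable))
    print("hardened:  ", replay_demo(activate_referral_hardened))
    print("cap:       ", cap_demo())
```

The point of the hardened version is that none of its checks rely on the App: the uniqueness of a claim is enforced by the database key, the cap is computed from the server's own records inside the same transaction as the credit, and a replayed request simply gets `already_claimed`.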

In addition to this vulnerability, phone number verification is hard to fully secure from a dedicated attacker, which meant that new fake accounts were still being created, though not at the same rate.

Fixing it up

Once we realized the extent of the issue, we immediately moved to lock withdrawals from our Hybrid Blockchain, as most of the fraudsters simply sold the tokens on the exchanges, or platforms such as Changelly.

Subsequently, we moved on two fronts to fix the issue: prevent any more fraud from taking place, and develop a fraud-detecting service.

Fixing the vulnerabilities, once located, was fairly easy. Simple checks on the API were introduced, fixing the bug that allowed unlimited referral activations.

The registration process was significantly tweaked: a third-party service was added to ensure the integrity of the phone number confirmation, and a CAPTCHA check was introduced to prevent bots from registering.

However, we were dealing with quite sophisticated attackers, and there were no guarantees that they wouldn't find other exploits to make money. Furthermore, we needed to identify and ban all those who had already participated in fraud, and we couldn't do that manually.

To fix this, we introduced a new service that we called Fraud-Killer. Its role is to monitor all transactions, looking out for fraud patterns: many small transactions to a single address (especially with very short delays between them, a sign that a bot is at work), gigantic numbers of referrals, multiple accounts registered on the same IMEI, and many more.
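As an added example of how such a monitor can be structured (this is not Fraud-Killer's code; the thresholds, record fields and sample data are assumptions), the following runs the three patterns named above over a constructed set of transfers and accounts and separates "freeze the wallet" from "send for review", which is where the false-positive question below comes in:

```python
"""Fraud-Killer-style pattern monitor run over constructed sample records.

Added example, not Humaniq's service: the thresholds, field names and
sample data below are assumptions chosen to exercise the three patterns
named in the text.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class Transfer:
    ts: int        # unix seconds
    src: str
    dst: str
    amount: float  # HMQ


@dataclass(frozen=True)
class Account:
    id: str
    imei: str
    referrals: int


# Assumed thresholds; a real deployment would tune these on its own data.
FAN_IN_MIN_SENDERS = 5    # distinct senders needed to call it a collection address
FAN_IN_MAX_AMOUNT = 25.0  # "small" transfer, in HMQ
FAN_IN_MAX_GAP_S = 10     # a median gap this short between arrivals suggests a bot
REFERRAL_MAX = 50         # referrals per account beyond which we flag

FREEZE_REASONS = {"fan_in_bot", "fan_in_sender", "referral_burst", "shared_imei"}


def detect(transfers, accounts):
    """Returns {account_id: sorted list of reasons} for every account matched by a rule."""
    reasons = defaultdict(set)

    # Rule 1: many small transfers converging on one address.
    by_dst = defaultdict(list)
    for t in transfers:
        if t.amount <= FAN_IN_MAX_AMOUNT:
            by_dst[t.dst].append(t)
    for dst, incoming in by_dst.items():
        senders = {t.src for t in incoming}
        if len(senders) < FAN_IN_MIN_SENDERS:
            continue
        times = sorted(t.ts for t in incoming)
        gaps = [b - a for a, b in zip(times, times[1:])]
        if median(gaps) <= FAN_IN_MAX_GAP_S:
            # Bot-paced fan-in: freeze the collector and every feeder account.
            reasons[dst].add("fan_in_bot")
            for s in senders:
                reasons[s].add("fan_in_sender")
        else:
            # Human-paced fan-in (a shop, a payout address): review, don't freeze.
            reasons[dst].add("fan_in_review")

    # Rule 2: implausible referral counts.
    for a in accounts:
        if a.referrals > REFERRAL_MAX:
            reasons[a.id].add("referral_burst")

    # Rule 3: several accounts registered from the same device.
    by_imei = defaultdict(list)
    for a in accounts:
        by_imei[a.imei].append(a.id)
    for ids in by_imei.values():
        if len(ids) > 1:
            for i in ids:
                reasons[i].add("shared_imei")

    return {acct: sorted(r) for acct, r in reasons.items()}


def decide(reason_list):
    """'freeze' locks the wallet (messaging stays usable); 'review' queues it for a human."""
    return "freeze" if FREEZE_REASONS & set(reason_list) else "review"


def sample_data():
    """Constructed records: a bot-fed collector, a legitimate shop, a device farm."""
    transfers = [Transfer(1000 + 3 * i, f"fake{i}", "boss", 15.0) for i in range(1, 7)]
    transfers += [Transfer(3600 * i, f"customer{i}", "shop", 12.0) for i in range(1, 7)]
    transfers.append(Transfer(2000, "boss", "exchange", 500.0))  # large, ignored by rule 1
    accounts = [Account("boss", "IMEI-B", 300), Account("shop", "IMEI-S", 4)]
    accounts += [Account(f"fake{i}", "IMEI-A", 0) for i in range(1, 4)]    # one device, three accounts
    accounts += [Account(f"fake{i}", f"IMEI-F{i}", 0) for i in range(4, 7)]
    accounts += [Account(f"customer{i}", f"IMEI-C{i}", 1) for i in range(1, 7)]
    return transfers, accounts


def run_sample():
    flags = detect(*sample_data())
    return flags, {acct: decide(r) for acct, r in flags.items()}


if __name__ == "__main__":
    for acct, r in sorted(run_sample()[0].items()):
        print(f"{acct:10s} {decide(r):7s} {', '.join(r)}")
```

Running it flags the collector `boss` for both bot-paced fan-in and a referral burst, the six feeder accounts for feeding it (three of them also for sharing a device), and the shop only for review, since its incoming payments are hours apart. Keeping the reasons attached to each decision is what makes an appeal reviewable later: support can see exactly which rule fired.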

The risk of false positives is always there, which is why we allow users to appeal a ban decision through in-App support. Banned users can still use the messaging functions of the Humaniq App, as the ban simply freezes the wallet.

The Aftermath

At the time of writing, we’re still finishing up the anti-fraud measures, but we are confident that once everything is done, fraud will be defeated for good.

Unfortunately, those who were engaged in these activities didn’t take it well. Some of the fraudsters received thousands of dollars from exploiting emissions, a huge amount of money in countries such as Tanzania. Moreover, it required some specific technical knowledge and a time investment: creating bots, decompiling and modifying the APK, finding weaknesses in the App, and so on.

Closing down this stream of income understandably left them frustrated and angry, and they resorted to threats against us; we have even received quite a few 1-star ratings on Google Play.

Obviously, we will not be giving in to these threats. We clearly state that emission bonuses are capped at $20 per person, so anything beyond that is a violation of our ToS.

Following this unfortunate, but necessary delay, we are resuming the normal development of our App, with Business Chats and other core features. Stay tuned to our latest achievements through our #HMQWeekly series of regular development updates!

Have any more questions about the App? Ask them in our Telegram!
