Cookie Crumbs 3: Accountsquatting with a Bonus & Addressing a Necessary Change in HF20

in #steemit · 7 years ago (edited)


During my investigations, I often come across some less relevant cases, stories from the past or inconclusive leads. Some I may find worth mentioning, I will present them to you as "Cookie Crumbs".


@bryner had notified me about @tm888ph in a comment on Case 7.

While Professor Moriarty is still on the loose, I was clearing my backlog of user-submitted leads and stumbled over this one again.

The culprit here doesn't seem to be active anymore, but the scheme and profile might be worth a mention after all.

The Findings:

The account I was notified about, @tm888ph, doesn't have any posting history; it never commented or voted. But take a look at the transfers ledger: that's where the shenanigans are going on.

@tm888ph has collected a total of 5,338.475 STEEM from 163 (mostly) inactive accounts.

All accounts involved had been created around February to March of this year. Back then, Steemit still used to top up new accounts with a whopping 35 STEEM. Someone had simply signed up 163 accounts over the course of roughly one month, just to collect their signup bonuses.

And that's pretty much all that happened.

By the end of June @tm888ph had transferred most of the money out through bittrex and has remained inactive since.

Identifying the Culprit

Including @tm888ph there are 164 accounts directly connected in this operation.

But among all these, there's only a single one that has a posting history: @rur. The account identifies as a bot and has some limited activity. At first I thought I was on to something here, a hint at a connection to an active user, but I never trust circumstantial evidence alone, and a bit of digging confirmed that this was indeed a dead end: either pure coincidence or, quite possibly, a false lead left on purpose.

If the content isn't revealing, just follow the money, right?

Yes! About half of it, 2,682.540 STEEM to be precise, went through bittrex, right into the pockets of @tomino.
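The two steps described above, pulling the inbound transfers of a collector account out of the ledger and flagging the senders that look like throwaway signup accounts, then following the collector's outflows through an exchange by matching deposits against withdrawals of the same size shortly afterwards, can be scripted. The block below is an added example, not the author's tooling and not real Steem data: all account names, dates and amounts are constructed, and the amount-and-timing correlation used to look through the exchange is an assumption of this example, not a documented exchange behaviour.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Transfer:
    sender: str
    recipient: str
    amount: float  # STEEM
    memo: str
    when: date


# Constructed sample data (hypothetical account names, not a real ledger):
# account name -> (creation date, number of posts and comments)
ACCOUNTS = {
    "collector1": (date(2017, 2, 10), 0),
    "shell01": (date(2017, 2, 12), 0),
    "shell02": (date(2017, 2, 20), 0),
    "shell03": (date(2017, 3, 1), 0),
    "shell04": (date(2017, 3, 9), 0),
    "oldtimer": (date(2016, 8, 1), 120),
    "exchange-x": (date(2016, 5, 1), 0),
    "beneficiary": (date(2016, 9, 3), 40),
    "unrelated": (date(2016, 11, 11), 5),
}

# Constructed transfer ledger: four fresh accounts each forward (roughly) a
# 35 STEEM signup bonus to the collector, one genuine user tips it, and the
# collector later cashes out through an exchange account.
LEDGER = [
    Transfer("shell01", "collector1", 35.0, "", date(2017, 3, 15)),
    Transfer("shell02", "collector1", 35.0, "", date(2017, 3, 15)),
    Transfer("shell03", "collector1", 34.9, "", date(2017, 3, 16)),
    Transfer("shell04", "collector1", 35.0, "", date(2017, 3, 16)),
    Transfer("oldtimer", "collector1", 12.0, "thanks for the tip", date(2017, 3, 20)),
    Transfer("collector1", "exchange-x", 100.0, "deposit-id-1", date(2017, 6, 20)),
    Transfer("exchange-x", "beneficiary", 99.95, "withdrawal", date(2017, 6, 21)),
    Transfer("collector1", "exchange-x", 40.0, "deposit-id-1", date(2017, 6, 25)),
    Transfer("exchange-x", "beneficiary", 39.95, "withdrawal", date(2017, 6, 25)),
    Transfer("exchange-x", "unrelated", 100.0, "withdrawal", date(2017, 7, 30)),
]


def inbound_totals(ledger, collector):
    """Total STEEM received by `collector`, broken down by sender."""
    totals = Counter()
    for t in ledger:
        if t.recipient == collector:
            totals[t.sender] += t.amount
    return totals


def flag_signup_farm(ledger, accounts, collector, bonus=35.0, tolerance=0.5,
                     window_days=45):
    """Senders to `collector` that look like throwaway signup accounts: no
    posting history, transferred roughly the whole signup bonus, and created
    within `window_days` of the earliest such account. Returns the sorted list
    of flagged senders and the STEEM they contributed in total."""
    totals = inbound_totals(ledger, collector)
    candidates = [s for s, amt in totals.items()
                  if accounts[s][1] == 0 and abs(amt - bonus) <= tolerance]
    if not candidates:
        return [], 0.0
    first = min(accounts[s][0] for s in candidates)
    flagged = sorted(s for s in candidates
                     if (accounts[s][0] - first).days <= window_days)
    return flagged, round(sum(totals[s] for s in flagged), 3)


def trace_through_exchange(ledger, source, exchange, max_delay_days=3,
                           fee_tolerance=0.1):
    """Pair each deposit `source` -> `exchange` with the first later withdrawal
    `exchange` -> X of about the same amount (minus a small fee) within
    `max_delay_days`. Heuristic assumption of this example. Returns a Counter
    of final recipients -> STEEM that reached them."""
    deposits = sorted((t for t in ledger
                       if t.sender == source and t.recipient == exchange),
                      key=lambda t: t.when)
    withdrawals = sorted((t for t in ledger if t.sender == exchange),
                         key=lambda t: t.when)
    used, reached = set(), Counter()
    for d in deposits:
        for i, w in enumerate(withdrawals):
            if i in used or w.when < d.when:
                continue
            if ((w.when - d.when).days <= max_delay_days
                    and 0 <= d.amount - w.amount <= fee_tolerance):
                reached[w.recipient] += w.amount
                used.add(i)
                break  # one withdrawal per deposit
    return reached


if __name__ == "__main__":
    shells, total = flag_signup_farm(LEDGER, ACCOUNTS, "collector1")
    print(f"{len(shells)} suspected signup accounts, {total} STEEM collected")
    for who, amt in trace_through_exchange(LEDGER, "collector1", "exchange-x").items():
        print(f"{amt:.3f} STEEM reached {who} via exchange-x")
```

The genuine tipper is excluded because it has a posting history and its amount is nowhere near the bonus; the late 100 STEEM withdrawal to "unrelated" is not attributed to the collector because it falls outside the delay window. On a real ledger the tolerances would need tuning, and an amount/timing match is circumstantial evidence only, which is exactly why the author double-checks leads before naming anyone.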

@tomino identifies as Tomas from the Czech Republic, a "blue-collar intellectual with skin in the game".

@tomino profile
Sorry bro, the only "skin" you've brought to the game was that free sign-up money!
Please, get real!

Tomas is nearing his one year anniversary on steemit, but I doubt there will be a great celebration. He seems to have lost interest in this game after all. He is currently powering down, and aside from greeting introduction posts with a self-voted comment, he has become mostly inactive.

greed-ing new users
Yes, upvote a new user with 1% and your own comment with full power.
It just makes you feel so much better about life, doesn't it?!

Tomas started as a genuine user, at least that's what it looks like, and I'd like to point out again, he has not misused any of those fake accounts. Looking at the full list, I can't help but speculate that he simply had plans to squat on a bunch of potentially valuable account names and collected a bonus while doing so.

But looking back at him sharing advice for new users about being patient, right before he started registering all these accounts, does taste a bit funky!

Removing the Incentive - Hard-Fork 20

The exploitation works through the sign-up process.

Steemit is aware of the problem. They have already made some changes and currently a new account gets preloaded with only half a STEEM vested and some delegated voting power to get started with.

But even with the current model, there's still free money to be collected, and a voting stake is available to the user at no initial cost. My previous cases, revealing thousands of fake accounts abusing their free stake or delegation to farm the reward pool, show it pretty well: there's still a huge incentive.

Steemit is addressing this further with their plans for "Effortless Onboarding", a proposed change that would come with Hardfork 0.20.0, "Velocity":

The current system also incentivizes attackers creating multiple accounts in order to acquire free STEEM, which again increases the overall cost of maintaining the protocol. To solve this problem, we propose a new method of burning STEEM (i.e. destroying the tokens and removing them from the token supply) on each account creation and crediting the account with permanent minimum bandwidth instead of providing Steem Power to the new account. This will reduce incentives to abuse the signup system and will prevent users from temporarily preventing themselves from transacting after powering down in full.

In essence, a new account would still come at a cost to the creator, but without any initial funding and hence zero voting power. To make this feasible, the protocol must be changed to grant a minimum bandwidth to accounts, even without any funding.

This might not be a perfect solution, maybe there will be new loopholes, but let's appreciate that the problem has been acknowledged and potential solutions are already in development.


P.S.: The list of accounts registered by @tomino and excerpts from the relevant transaction ledgers have been posted here.

Sorry, no pitchforks today!

There are no open posts and the damage has already been done.

Let's look forward instead!

Are there better solutions to fix the sign-up vulnerability?
Are there other vulnerabilities that need to be addressed?
Which rules would you change to limit abuse on the platform?

Let me know what you think!


Thanks for your investigations. I know you're busy, but can you check my latest post? Didn't know how to reach you or your team.

Noted, I will take a look at the accounts when I find the time. In the meantime please feel free to discuss your findings on