Harmony Villains

Name of Project / DAO / Company

Harmony Villains

Application type

Bounty

Proposal overview

For the past year we have witnessed numerous scams that vary in severity and that truly disrupt the Harmony of our chain. One thing that does not change, however, is that members of our community are falling victim to these scams over and over. Whether it be simply ‘aping’ into a new token on DexScreener, only to be rugged moments later, or investing in a full-fledged project (sometimes even those that have KYC’d to the Harmony team and received funding), the fact remains that scammers are running rampant in our home. For this reason, I propose that a bounty be supplied in order for numerous hours to be spent tirelessly mapping out these scammers’ many wallets and providing reports to the appropriate community, Central Exchange (CEX), and law enforcement. This can and will make a difference, but it takes time and immense effort.

What does Harmony need?

Dedicated staff or contractor(s) that will spend the time and attention on this currently neglected and ignored field. There have been hundreds of thousands of dollars stolen from our family with absolutely no follow-up. We need active tracking, data logging, and reporting. Also, monitoring can be offered on current projects in order to further vet their teams and to watch the multi-signature treasuries (MS) more closely. This is a bounty that could be beneficial immediately and that can also be developed over time to provide the greatest amount of benefit to our ecosystem and userbase.

I have been providing this type of service on the side in an effort to do my part for the chain and for our community. It takes many hours to work through the explorer data, sift through Discord information, whitepapers, MS, socials, and conduct informal interviews to gain data. Even more time is required to create usable, concise reports that can be shared with the CEXs and authorities, and then to communicate these details to them and provide follow-ups (both with CEX/authorities and our community). Right now this is a passion of mine and I do it for the greater good, as I will continue to do regardless of the outcome of this bounty. Truly, I am making this proposal to gauge interest and to start a discussion.

Since I already do this when I can afford the time or when there is an important scam/rug (looking at you, most recent Xenon Fi), I don’t have high expectations. Many have told me that I should simply throw up a donation box, and I may. But I would like to propose a part-time wage of $50/hr, capped at a weekly rate. I am very open to discussion and negotiation on this and would really like to do my part and be able to spend more time on this effort.

The milestones are also a tricky topic; however, I can share the general outline of my workflow, which unfortunately depends on scam activity:

Initial intake: This includes everything that leads to my macro level of understanding how the scam was achieved and by which wallets. (2 hrs)

Tracking: Moving through the wallet transactions and determining key interactions that lead to the eventual fiat offramp, which is the point in which a report can be filed. This step varies greatly in the amount of time it takes because some scammers are more skilled at hiding their tracks than others. (2-10+ hrs)

Mapping: Creating concise maps that illustrate key information is imperative to the eventual reporting and convicting. Additionally, the more organized, the easier it is to pick back up and start again in the event that the scammer goes inactive. (5+ hrs)

Reporting: Contacting the support teams of the various CEXs (Binance, FTX, KuCoin, OKEx, Celsius) that scammers use as fiat offramps requires discipline and follow-up. It also usually means sitting on hold with an agent while they go over your report and make additional requests, which is where the degree of organization in the mapping step starts to shine. Writing reports to local law enforcement, the Internet Crime Complaint Center (IC3), and the general public, whether in the forums or via social media, also takes considerable amounts of time and dedication. (5+ hrs)

Prevention: This is where the proposal begins to take shape. Without scammers, what is there to do? Well, I haven’t seen a stretch of time that there were no scammers, but the goal here is to create a preventative model that discourages scams, rugs, and bad actors from even trying. This can be achieved via the methods above, as well as further scrutiny actively watching projects. This aspect of the bounty would be developed as time goes on, and is open for further consideration from the community.

Team

Many of you may know of me from the MtopSwap project, for which I am the Business Developer. I was inspired to take up this mantle by my previous involvement as a moderator in the Holy Grail project, which turned out to be a prolonged and elaborate rug by its single developer. It was at that point early this year that I began to use my skills to monitor and report scammers on the Harmony blockchain. At this time I have tracked many scammers and reported via my Twitter @HarmonyVillains.
I have also created and submitted formal reports in the past to IC3 and CEXs.

In the real world, I am a 33 y/o business person and a veteran of the US Army; I have a BA in South Asian Studies, I’m from the USA, and I have three cats. I like to solve problems and I love to learn and help. I hope to continue to build with my friends and the ONE fam here on Harmony, and I am most certainly willing to dox to the Harmony team at their request in any capacity, be it for tax purposes or beyond.

Proposal ask

$50/hr wage as a part-time contractor with a weekly hourly cap of TBD, or monthly; I leave that to the community/team. I am very flexible on this, as I am self-employed and I afford the vast majority of my time to Web3, all of which is spent on Harmony.

Justification

As stated above, I believe that there is a distinct need for tracking, reporting, and creation of a feedback loop between the moment a scam occurs on our chain and the time that the bad actor attempts to send the funds to a fiat offramp.

What would I do if this bounty were accepted? Well, first I would provide the framework and expectations in more detail if asked. Also, I would use the funding to start and maintain a validator to further aid in the decentralization of our network, as well as to support it through staking $ONE.

Metrics for success

The possibility for stolen funds to be returned is extremely minimal and that is not the scope of this bounty, although it would be warmly welcomed for our community’s sake. Rather, the goal here is to systematize our awareness of scammers, their known wallets, and how they proceed to scam. This bounty will ‘succeed’ by discouraging bad actors on the blockchain and by leading the proper authorities to seize the funds, freeze the accounts, and put these thieves behind bars. What we call a ‘scam’ or a ‘rugpull’ is defined as wire fraud and money laundering in many jurisdictions.

External links

An example of a map that I made leading to the discovery and freeze of a central ‘master’ wallet for the scammer that pulled the liquidity of Xenon Finance only days ago (WIP):

25 Likes

First, the Harmony team is to consider whether it will or will not take the necessary actions.

KYC documents (already implemented by Harmony team) and the result of this bounty (if approved, i.e., the investigative report/summary) without willingness to take the necessary actions is pretty much where it is now.

Thank you.

3 Likes

Great idea! This space sorely needs a community/someone that is watching over them, keeping an eye on bad actors/wallets.

Pioneer is a dedicated community member of Harmony (he was the person that started the OG blacklist + built/evolved it to what it is today (for MTOPSWAP)) and I can think of no better person to spearhead this type of initiative.

2 Likes

I feel strongly that the Harmony protocol would do very well with having a bounty system in place to track and even prevent scams in the long run.

2 Likes

Love what you’re doin!!! Great work! I would like to learn how to properly investigate. This would be an awesome tutorial, class or walkthrough so more members of the community can learn as well.

3 Likes

That’s a great initiative with great prospects.

I would prefer this to be more education-oriented, rather than policing-oriented. But that’s just personal preference derived from personal ideals.

Regardless, I support this.

2 Likes

Yes, obviously. Harmony is not taking any precautions or action, so I think it would be best if they can pay someone to do it, because clearly they don’t care much about their community getting scammed.

Regardless of how passionate I am about this topic, which includes both holding scammers accountable and protecting the Harmony ONE community, there are two clear facts to consider and a final point of my opinion.

Pioneer has demonstrated the ability to find these scammers and either expose them or freeze their funds.

Harmony has made it abundantly clear that it will not get involved with DeFi, which was made apparent during the DaVinci Gallery debacle.

Lastly, my opinion is that in an environment where the project was active and didn’t remove the liquidity or do something as simple, the process of investigation should be conducted privately, and there should be significant consideration for “what if I’m wrong”. During my time at Alpha Gaming DAO I have taken on the role of vetting projects before investing; I raise my concerns with the existing project during an AMA, and at times they are able to explain some things and give decent responses. Being wrong can be extremely destructive.

2 Likes

Thank you so much for the support! Yes, that is a proprietary feature of MtopSwap that truly aims to help the community and will surely be a useful tool for me in monitoring :smiley:

4 Likes

Would 100% support this. This is important for the community to have more faith in the space, and Pioneer has already shown that he can do an amazing job at it.

3 Likes

This has my support; the community needs protection and your work is stellar!! :pray::pray: ONE Love

3 Likes

This is exactly what people need for trust to come back. Thank you for this amazing idea. I totally agree with you! Lots of this is happening on DFK right now also, after the mining incident. I can see when they hide their sell-offs. There is no one holding them accountable. They’re smart cookies, but not smart enough. Looking forward to how the team responds to this.

1 Like

Do you know what permissionless is, genius? You should probably look that definition up. Look up DYOR too while you’re at it.

1 Like

I’ve watched your work closely on the Xenon fiasco, and you’ve proven that you’re willing to take the extra step and do something about it when most would simply complain about it on social media for a while and move on. Holding people accountable for their actions in this space is obviously an uphill battle.
You have the knowledge and skill to provide a valuable service in the crypto space, even if we can’t hand down the full punishment that the culprits deserve. Would I support this bounty program? 1000%. With current sentiment, I believe you’ll receive a pat on the back, but a proposal rejection. I’d like you to consider other possible avenues.
There’s obvious interest from community members that would like to learn what you know. Possibly consider partnering with MTOP or Galaxii (social/visual/earning teaching tool) to provide visual and audio feedback of what you do and how you do it. This is just an example that came to mind in about 2 minutes, but you have a valuable skill, people can benefit from it in several ways, and it’s for the good of the crypto space. What you’ve done the past few days has been very inspiring. Thank you!

3 Likes

Hey, thanks, Jerome, for your feedback! I agree, I don’t think that this will be funded, but I do want it to be discussed as much as possible.

I am a part of the MTOP Core Team, and I actually used to make informational pamphlets for the community. I have found that the majority of people in DeFi tend not to want to learn and spend that time (unfortunately), and instead they want to be taken care of, in a sense.

That’s just my small insight, but I agree that there could be another way.

3 Likes

I 100% support this. Harmony needs someone like Pioneer to try to hold scammers accountable. He is passionate and talented in what he does and has already successfully had exchanges freeze stolen assets. Pioneer deserves this role and I hope you give him serious consideration.

3 Likes

This is a fantastic idea! Scams, especially large ones like Xenon, unfortunately discredit the whole protocol in the eyes of the larger part of the cryptocurrency space; furthermore, when little is done to hold scammers accountable, it only encourages continued behavior of this nature within the ecosystem. Having someone (especially Pioneer, who is fantastic at tracking all of this stuff) dedicated to preventing and reporting scammers in the ecosystem would definitely be a net positive.

3 Likes

Today the Harmony Horizon Bridge was hacked for 100M. It is still early on and things are yet to be discovered, but it appears to be either:

  1. Social engineering to get private keys of 2/4 MS wallet signers for the safe: 0x715CdDa5e9Ad30A0cEd14940F9997EE611496De6

  2. An inside job (please no).

  3. A combination of 1 legitimate signer and social engineering to gain the private key of one of the other MS signers.

I hope that the Harmony team has a team or the resources necessary to track down the identity of the hacker and to restore the reputation of our chain. I did some digging and gathered the following:

  1. Wallet 0x812d8622C6F3c45959439e7ede3C580dA06f8f25 (Contract Caller) called the MS numerous times in order to enact the hack.
  2. The funds were sent to 0x0d043128146654C7683Fbf30ac98D7B2285DeD00, titled "Harmony Bridge Exploiter", which then distributed the stolen assets to two other periphery wallets that were used to swap the funds into ETH, which was then sent back to the Bridge Exploiter wallet, where they now remain.

Oddly, the Contract Caller wallet (0x812d) was funded multiple times (most recently on June 14th) by wallet 0x12f42d934bb857a0bd6c4809ab425bdce933f65e (see tx hash 0x443bf080e34f5b09b7337013a52736b111d6833c4e4b75af7865a6bb4c2fddea). This could be for any number of reasons, but it stands out when sniffing the wallet behavior.

Digging further, I found that wallet 0x12f4 created a contract (tx hash 0x0c9cdf6d9d4ada9126aae381cb901b36de290ef5c21d56077632fd46193234ad) 0x478279c5A0beb8401De1b4EaCB4863a243a8e3A3 that interacted with ‘Lutty.eth’. I found that odd, but went out on a limb here. Even more odd was when I found the name of a Harmony contributor whose scope of work involves the bridge. Lutty is probably a great dude.

Update: This most likely appears to have been social engineering or a traditional hack, in which the perpetrators used the MS keys to gain access to the funds from the ETH side.

18 Likes

Fabulous work! Thank you so much :pray: :+1:

2 Likes

Thank you for your amazing work again!!

2 Likes