Squid Game Crypto Scammers Rip Off Investors for Millions

Anti-dumping code kept investors from selling SQUID while fraudsters cashed out.

Players in the Squid Game cryptocurrency market have been eliminated — at least their investment has — by what cryptocurrency watchers have called a classic “rug-pull” scam.

When SQUID tokens were first released last week, they were valued at a paltry $0.01 but promised entry into a game with the same premise as the Squid Game series from Netflix — players in desperate financial straits compete in a ruthless, deadly series of games for a shot at winning millions.

On Nov. 1 the price started escalating dramatically, but investors were blocked from selling SQUID by a so-called “anti-dumping mechanism.” Meanwhile, scammers cashed out, according to complaints received by CoinMarketCap. SQUID’s value peaked at $2,861.80 and dropped to zero within hours.

Infosec Insiders Newsletter

The intoxicating combination of a get-rich-quick cryptocurrency investment and the Netflix wild smash hit show Squid Game was just too much for some investors to resist, and estimates from Gizmodo peg potential losses from the scam at around $3,38 million.

Stop Sales, Spike Price 

All it took to keep investors from selling was a simple piece of code, Joe Stewart, researcher with PhishLabs HelpSyst4ems, explained to Threatpost.

“All the rules of how a token can be bought and sold are contained in the smart contract code itself, since these tokens are traded on a decentralized ‘automatic market-maker’ contract,” Stewart said. “Basically, it just needs an extra line of code in the transfer function to prohibit the swap from occurring in the ‘sell’ direction unless the transaction sender is the address controlling the contract (i.e. the developer who removed all the liquidity from the pool and absconded).”

CoinMarketCap reported viewing messages from SQUID administrators blaming issues on a compromise of their systems.

“Someone is trying to hack our project these days,” CoinMarketCap reported the administrators said about the incident. “Now only the Twitter account but also our smart contract.”

The Twitter account associated with the SQUID cryptocurrency has been “temporarily restricted for… unusual activity,” and the squidgame.cash site is gone, according to the report.

‘Nifty Scheme’

Purandar Das, president and co-founder at Sotero, called this an “electronic pump-and-dump scheme” in an email to Threatpost.

“It appears they may have come up with a very nifty scheme,” Das wrote. “Adopting the brand of a very popular and current theme would have permitted them to cover themselves with a cloak of credibility. Combine that with the fear of missing out, they appear to have concocted a scheme to combine the Squid Game name with cryptocurrency.”

Popular headlines and events, from COVID-19 to elections and holidays, have proven effectively popular ways for scammers to not only drum up interest but also hide the fraud in flurries of legitimate activity. That reality, coupled with renewed criminal interest in efforts to scam gamers and rip off cryptocurrency platforms, means that a fake Squid Game gaming crypto-scam seems practically predictable.

Das explained that in a market artificially rigged with only buyers, the price of SQUID was designed to dramatically spike at the opportune time for the scammers.

“Using digital currency also eliminates any fail-safes from kicking in,” he added.

It’s up to buyers and investors to beware of scams like these, researchers added.

Check out our free upcoming live and on-demand online town halls – unique, dynamic discussions with cybersecurity experts and the Threatpost community.

Suggested articles