LaneAxis uncovers sophisticated fraud attempt targeting ConsenSys founder Joseph Lubin
When the Equifax data breach occurred in September 2017, crypto guru and Ethereum co-founder Joseph Lubin was quick to criticize corporate mishandling and monetization of user data, doubling down on his call for heightened digital security via decentralized networks. Lubin stressed the importance of protecting our online identities:
“…hack after hack after hack and the resulting time and resources devoted by government agencies attempting to safeguard identity, how can regulators not be excited about the Ethereum blockchain? An immutable and transparent protocol with products where each individual owns all aspects of their identity. No more widespread hacks.” – There is another way: The Equifax Hack and the Road to Decentralization
But just a year later, Lubin’s own identity and brand were hijacked on the internet.
On September 13th, Rick Burnett, CEO and founder of LaneAxis, received a message from Lubin via Telegram: “LaneAxis: want to know more…”
Burnett, who is currently launching LaneAxis Virtual Freight Management’s Ethereum-based supply chain management ecosystem, was unaware of who exactly Lubin was, but offered to speak with him and share more information about the company and its blockchain and token sale project. After a short call, Lubin said he would mull over the information and take a few days to examine the LaneAxis platform.
Burnett, curious about the mysterious potential investor, Googled Lubin.
Ethereum Co-Founder. ConsenSys Founder. Billionaire. Entrepreneur…
Google’s news feed on Lubin pulls up a near constant stream of stories featuring Lubin investing in blockchain-based startups or offering sage advice about the future of crypto.
Burnett was stunned. This could be game-changing for LaneAxis. Companies partnered with ConsenSys often sell out their tokens within minutes of receiving backing from Lubin.
The LaneAxis team immediately went to work researching Lubin and ConsenSys. The first move was to verify that the Telegram messages were actually from Lubin.
Telegram is the preferred communication platform of the cryptocurrency community due to its ability to encrypt messages as well as its robust group chat features. The app allows for the creation of public usernames, helping platform users contact anyone else on the network who has also created a username. As on any other network, usernames must be unique, and personal names are rarely available. However, Telegram does allow users with an “online identity” to secure a username if the same name is used for at least two other social accounts [Facebook, Twitter, Instagram].
Lubin’s Telegram name is @ethereumJoseph. His verified Twitter handle is also @ethereumJoseph. Based on his Twitter, Burnett and the team concluded ConsenSys and Lubin must have secured his verified Twitter handle for Telegram as well, and this was indeed the real Lubin.
For the next week, Burnett messaged Lubin, receiving blunt responses almost stereotypical of a jet-setting billionaire managing a plethora of business ventures. Finally, Lubin messaged Burnett on September 15th with an offer.
Lubin: “How can I be of help?”
Burnett: “I would love you to be involved at whatever level you want to be involved. Investor? ConsenSys? Team member and let us do a press release that you are involved. You tell me and I’m in.”
Lubin: “How about a partnership with ConsenSys?”
Burnett: “Yes. How do we proceed?”
Lubin: “I’ll send you more information on Monday.”
The LaneAxis team spent the rest of the week preparing for the deal and coordinating with Lubin. Lubin sent a ConsenSys contract to Burnett from his personal email, [a non-ConsenSys email address], which Burnett thought a bit strange and questioned Lubin about.
Lubin claimed it was his personal email. Burnett initially found it odd but reasoned that a person of Lubin’s stature might use company-independent emails for correspondence, and, potentially, business deals. Burnett did not want to spook a deal with a seemingly eccentric tech billionaire and pressed on.
The contract centered around a token exchange. Provided ConsenSys passed due diligence and met the terms and conditions of LaneAxis’ token sale, LaneAxis would receive ConsenSys backing and $2.2 million in Ether for $2 million of LaneAxis’ AXIS tokens. Both companies would be required to keep sixty percent of the received tokens as company reserves and forty percent for utilization. Burnett received the signed contract on ConsenSys letterhead with Lubin’s signature. The LaneAxis team celebrated what they thought was a partnership with ConsenSys.
Lubin put Burnett in contact with James Slazas, Head of Capital Markets at ConsenSys, via Telegram to carry out the contract. After receiving a signed contract from Lubin with ConsenSys watermarks, addresses, and information, Slazas provided the transfer details and sent Burnett two crypto wallet addresses for the exchange.
That’s when the red flags went up.
“We still had not received any messages directly from ConsenSys accounts. Slazas was the right guy at ConsenSys to handle this kind of exchange but everything was direct over Telegram and personal email. Lubin’s businesses pioneered smart contracts. They would understand the need for official confirmation before sending tokens to unknown wallet addresses,” Burnett recounted.
The LaneAxis team set out to establish contact with Lubin over verified channels. There was no response from Lubin’s company email, which they had been copying on emails since acquiring it mid-week. There was no response to Twitter DMs. Finally, Burnett messaged Lubin over LinkedIn. A few hours later, ConsenSys representatives responded to Burnett.
There was no deal.
LaneAxis had not been in correspondence with the real Joseph Lubin.
The LaneAxis team was shocked and frustrated; two weeks were wasted trying to secure what turned out to be a fraudulent deal. This was a multimillion-dollar scheme, reaching far into Lubin’s identity to impersonate both him and his company and to expertly forge executed documents on his behalf. Burnett had identified the scam in the nick of time and wanted to prevent others from falling victim to similar ploys.
LaneAxis set up a call with the real Joseph Lubin and ConsenSys the next day to bring the scam to their attention and encourage them to take control of their online identity.
ConsenSys issued a brief statement, but a week later @ethereumJoseph was still messaging Burnett about the fake deal and @ethereumJoseph still popped up next to the real Joseph Lubin’s Twitter on the first page of a Google search.
The scammers had almost everything they needed to cloak themselves as Lubin: Telegram username, addresses, logos, pictures, schedules, colleagues’ Telegrams, signatures, and legal documents. The only giveaway was a “personal” email.
“Giving our personally identifiable information over and over again to organizations (who usually profit off that information) with centralized data centers is the definition of insanity. The current model is broken and hackable. It’s time to take back our identities.” – Joseph Lubin, after the 2017 Equifax breach
Weeks later, Lubin has yet to claim his Telegram handle. His identity.
ConsenSys has taken no action to respond to the real, sophisticated, and successful attempts to impersonate both their founder and the company. If one of the biggest names in digital security, at the forefront of emerging decentralization tech, can have his identity stolen, who is really safe?
Decentralization and encryption are not worth a whole lot if information is handled carelessly in the first place.
While he is disappointed with ConsenSys’ response, Burnett primarily places blame on Telegram.
“At the end of the day, this is really a Telegram issue. This is about exposing a major scam and preventing others like it from occurring in the future. There needs to be a better verification process if they want to maintain their reputation as the standard in messaging security… if they want to maintain the trust of the crypto community.”
Telegram did not respond to LaneAxis inquiries about the fake account and fraudulent activity on its platform.
It has not been a good few months for the reputation of Telegram’s security protocols.
In late August, its “end-to-end” encrypted messaging platform was found to have a bug that leaked the “private” IP addresses of its users during desktop voice calls, subjecting those users to potential hacks. In late July, another Telegram bug also resulted in the release of users’ private IP addresses. Back in April, it was reported that up to 70 million Telegram accounts may have been leaked.
The current blockchain revolution has big promises to keep: disrupting power structures across the globe, democratizing the internet by breaking mammoth corporations’ holds on user data, and providing a new age in online security. Blockchain proponents, like Lubin, herald the end of identity theft and large-scale hacks, promising never-before-seen efficiency in global commerce and collaboration.
In the wake of the scam, Burnett is calling for the entire industry to shore up security:
“I hope everyone involved takes serious steps to improve their online security. Joseph and ConsenSys are ushering in new waves of innovation and it’s alarming to see someone access so much of their information and assume their identity. It is even more alarming when, after being made aware of the situation, there isn’t a swift response to reclaim their identity. As a community, we must actively take control of our online presence and demand that platforms like Telegram do better.”
With the dawn of the “trustless” internet upon us, we cannot rely solely on technology to protect our information, as evidenced by the ConsenSys impersonators and Telegram’s flawed verification systems. As networks become more and more secure due to decentralization, proper and diligent verification, attentive account monitoring, and conscientious handling of information by human beings are more important than ever.
LaneAxis uncovered the fraudulent activity by taking the verification process into its own hands and identifying key vulnerabilities in trusted systems. After carefully examining all the interactions with the scammers, the LaneAxis team discovered a suspect’s name buried in the metadata of one of the contracts. Burnett turned the information over to the Federal Bureau of Investigation (FBI), a step the real Joseph Lubin has been made aware of. Burnett hopes his efforts will prevent other startups from falling victim to similar scams and encourage companies like ConsenSys and Telegram to improve their security protocols.