Backdoor in Dingo Cryptocurrency Allows Creator to Steal (Nearly) Everything

A tax variable in the software implementing the Dingo Token allows the creators to charge 99% in fees per transaction, essentially stealing funds, an analysis finds.


The originator of the Dingo Token — a cryptocurrency with a purported market capitalization of $11 million — has included a backdoor in the code to charge each transaction a fee of up to 99% of the worth of the token.

That's according to cybersecurity firm Check Point Software, which has issued an advisory warning potential investors of what the company calls "a scam." 

While the documents describing the Dingo Token claimed that the scheme charged 10% per transaction, Check Point researchers found 47 transactions where the total fee per transaction had been increased to 99%. The creator had also set the fee to 99% for future transactions, essentially stealing the funds of any traders of the cryptocurrency, according to the analysis published this week.

The Dingo Token creator has already transferred previously collected funds to other accounts, leaving no money for anyone holding Dingo tokens, says Oded Vanunu, head of products vulnerabilities research at Check Point Software.

"The function was called many times by the owners to prevent users from selling their holdings," he says.

Cryptocurrencies are heavily based on mathematics but also on good marketing, a dose of libertarian ideals, and an influx of gray market cash. Overall, hundreds of cryptocurrencies have been created, and not all will be legitimate, nor will they be free of fraud. In a 2019 report, for example, Alameda Research uncovered significant fraud in many crypto exchanges. That's ironic, given that two years later the firm and its sister company, cryptocurrency exchange FTX, had both declared bankruptcy, and their executives, including FTX and Alameda co-founder Sam Bankman-Fried, have been charged with numerous financial crimes.

While those efforts may have started as legitimate businesses, the Dingo Token scheme was likely fraudulent from the start, Check Point stated in its analysis.

"We examined the Dingo smart contract and quickly found it seemed like a scam," the company stated. "The project website contains no real information about the owners of the projects."

A Quick Jump in Popularity

While the Dingo Token is far down the lists of popular cryptocurrencies — No. 774, at the time Check Point released its advisory — transactions using the currency had jumped 8,400% in the past year, according to the cybersecurity firm. The meteoric rise in popularity, along with the fact that the description of the cryptocurrency was limited, raised suspicions, leading to Check Point analyzing the digital smart contract on which the token is based.

The analysis uncovered systematic theft of traders' funds, using a variable called "TaxFee" to set the amount to take from each transaction. 

"We don’t believe that it was a mistake due to the nature of crypto-scam projects," Vanunu says. "In this case, [the] setTaxFeePercent function code...operates as a backdoor, [allowing] the owner to change the fee dynamically, which is not best practice for legitimate projects."

The fake cryptocurrency scheme may be the most technical attack yet, but fraud is increasingly a hazard for cryptocurrency investors and users. It has surged again after a hiatus that followed numerous cryptocurrencies plunging in value by more than 60%. In 2022, for example, the FBI warned that cryptocurrency scams had once again targeted businesses and consumers, this time with fake investment apps that led to the theft of more than $40 million.

Know Your Code

The Dingo Token incident highlights the fact that companies need to conduct due diligence on any cryptocurrency that they plan to use or allow customers to use. Security gaps, such as the backdoor code used by Dingo Token, need to be identified, and cryptocurrency investors need more education on the risks, Vanunu says.
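A due-diligence check of the kind this section calls for, as an added example that is not Check Point's tooling or the Dingo Token code: a heuristic Python scan of Solidity source that flags owner-only functions which copy an argument straight into a fee or tax variable with no upper bound. The embedded contract is constructed for illustration; only the function name setTaxFeePercent is taken from the article, and onlyOwner, the variable names and MAX_FEE are assumptions.

```python
import re

# Constructed sample contract, NOT the Dingo Token source. Only the name
# setTaxFeePercent comes from the article; everything else is assumed.
SAMPLE_SOLIDITY = """
contract Token {
    uint256 private _taxFee = 5;
    uint256 private _liquidityFee = 5;
    uint256 public constant MAX_FEE = 10;

    function setTaxFeePercent(uint256 taxFee) external onlyOwner() {
        _taxFee = taxFee;
    }

    function setLiquidityFeePercent(uint256 liquidityFee) external onlyOwner {
        require(liquidityFee <= MAX_FEE, "fee too high");
        _liquidityFee = liquidityFee;
    }
}
"""

def functions(src):
    """Yield (name, params, modifiers, body) per function, matching braces."""
    for m in re.finditer(r"function\s+(\w+)\s*\(([^)]*)\)([^{;]*)\{", src):
        depth, i = 1, m.end()
        while i < len(src) and depth:
            depth += {"{": 1, "}": -1}.get(src[i], 0)
            i += 1
        yield m.group(1), m.group(2), m.group(3), src[m.end():i - 1]

def unbounded_fee_setters(src):
    """Return (function, variable) pairs where an owner-only function copies
    a caller-supplied argument into a fee/tax variable with no upper bound."""
    findings = []
    for name, params, mods, body in functions(src):
        if not re.search(r"\bonlyOwner\b", mods):
            continue
        for arg in (p.split()[-1] for p in params.split(",") if p.strip()):
            a = re.escape(arg)
            target = re.search(rf"(\w*(?:[Ff]ee|[Tt]ax)\w*)\s*=\s*{a}\s*;", body)
            capped = re.search(
                rf"require\s*\([^;]*(?:\b{a}\b\s*<=?|>=?\s*{a}\b)", body)
            if target and not capped:
                findings.append((name, target.group(1)))
    return findings

if __name__ == "__main__":
    for func, var in unbounded_fee_setters(SAMPLE_SOLIDITY):
        print(f"{func}: owner can set {var} to any value")
```

A clean result does not show a token is safe: the scan is textual and covers only the setter pattern described here.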

"We recommend that users only use known exchanges and buy from a known token that has several transactions behind it," he says. "In the near future, we believe that more preventative solutions will be available for users to deal with these cyber threats."

The Dingo Token creators did not respond to a request for comment sent to their contact email address by publication time. Check Point believes the creators are gone, but more scams will likely appear to take this scheme's place.

"It is important for consumers to be careful with the tokens they buy," the company stated in the analysis, adding that "cryptocurrency is a volatile market. Scammers will always find new ways to steal your money using cryptocurrency, and new forms of crypto are constantly being minted."

About the Author(s)

Robert Lemos, Contributing Writer

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.
