On the Trail of the Squid Game Scammers

Just over a year ago, the crypto world was rocked by one of the simplest yet most audacious scams in its history. Exploiting the global frenzy around Squid Game, a violent South Korean drama that became the most watched show on Netflix, scammers launched a tradable token called SQUID. Its flashy website and slick social media accounts, replete with images from the show, falsely suggested official endorsement.

The story is the subject of a just-released podcast on Audible produced by ITN. TRM undertook an in-depth investigation of the scam on chain, which is discussed by TRM’s Head of Global Investigations, Chris Janczewski, throughout the podcast.

Read our detailed report on the investigation here.

Within weeks of SQUID’s launch in October 2021, its price surged by over 40,000%. But when holders rushed to realize their gains, they were locked out by the smart contracts underpinning the tokens. These, it turned out, allowed only the creators to sell. When the creators  cashed out, SQUID’s price collapsed from USD 2,862 to a fraction of a cent – pulling the rug out from under investors’ feet. Within moments, the anonymous scammers walked away with millions.

SQUID’s perpetrators perfected many of the principles that characterize crypto scams:

• The use of decentralized exchanges (DEXs), with low barriers to entry

• Smart contracts rigged against token buyers

• Laundering stolen funds through mixing services (including the now-sanctioned service, Tornado Cash)

• Cross-chain swaps and high-risk Virtual Asset Service Providers (VASPs) with no or minimal KYC requirements 

TRM Labs’ capability to trace complex cross-chain swaps using our Forensics tool enabled investigators to follow the flow of these stolen funds. TRM’s analysis also helped link the scammers behind SQUID to two other similar “rug pulls”. Although the total value obtained from the three scams is difficult to determine due to the complexity of the laundering process, research by TRM Labs estimates it to have been at least 35,025 BNB (approximately USD 19.3 million at the time of the events). 

Scammers Took Advantage of DeFi’s Openness 

SQUID’s token contracts had two key functions that enabled the scam to take place. The first gave its creators permission to drain funds from any linked liquidity pools. Second, the contracts were coded in such a manner that selling the token was not practically possible for anyone other than the scammers. 

At the heart of decentralized finance is a rejection of red tape and institutional gatekeepers. The SQUID scammers appear to have taken advantage of these democratic principles and the lack of central oversight to list their compromised token on Pancake Swap. The token pairs listed in the liquidity pools could then be freely traded using whatever assets are in the pool. 

The Squid Laundromat

Much more sophisticated than the scam itself was the way its proceeds were laundered. Once the scammers drained liquidity from the pool they had established on Pancake Swap, they swapped the SQUID tokens first for WBNB, or a wrapped Binance Coin enabling swaps with other tokens. They then converted the WBNB into regular Binance Coin (BNB), which they withdrew from the DEX. The lion’s share was then sent to Tornado Cash, a notorious mixing service used to obscure cryptocurrency origin. 

The funds deposited into Tornado Cash were quickly withdrawn and consolidated. On 1 November 2021 alone, 55 deposits were made into Tornado Cash and then sent into a single address. The scammers then used bridge applications to move the funds onto the Ethereum network.

VASPs With Poor KYC Controls: The Perfect Off Ramp for Criminals

In every scam, one of the biggest challenges for the scammer is how to convert ill-gotten gains into cash that can be spent in the real world. The alleged criminals behind SQUID relied on two crypto exchanges with minimal verification and KYC controls. Analysis by TRM Labs showed that a significant portion of the proceeds was cashed out through an established entity in the crypto ecosystem offering a wide variety of financial services, including the ability to deposit, trade and withdraw virtual assets with no ID checks.

At least 2,693 ETH (around USD 11.1 million at the time) was sent to this VASP from addresses linked to the SQUID scammers. Before arriving, the funds were funneled through two services for "cleaning" —Tornado Cash, a mixer, and Compound, a decentralized lending and borrowing protocol that allows users to earn interest on their crypto holdings, but which can also serve to obscure the source of funds. The second VASP received the remaining portion of the proceeds that had not been migrated to other chains. Ironically, even as the VASPs appeared to have enabled the scam by their low KYC standards, their data protection mechanisms did not allow TRM Labs to access the relevant account information that could have provided clues to the scammers’ identities.  

Fortunately, for all their significant skills, the scammers behind SQUID still left a breadcrumb trail of errors that could be followed by investigators. Lapses included apparent mistakes while using mixing services, exhibiting consistent patterns of behavior, and an overreliance on just two VASPs. Still, these clues have proved insufficient to identify the culprits or reunite victims with their lost funds – as of yet.

A Bear Market Should Not Breed Complacency 

Could SQUID happen again?

The scam fed on a combustible mix of pop culture and wild speculation that existed in cryptocurrency markets.The fevered atmosphere and prospects of sensational gains led many investors to miss or rationalize away red flags such as SQUID’s lack of official partnerships and a white paper full of errors and inconsistencies.

Ultimately, the ease with which tokens can be created and listed on decentralized exchanges continues to pose risks. Furthermore, the difficult economic climate can lead many to take extreme risks to earn yield on their assets. All this suggests that whichever form it takes, another massive scam could be on the horizon. Conducting thorough due diligence prior to investing in any new project, and using tools such as Chainabuse, remains the best way to avoid becoming victimized. TRM will also continue to quickly respond to crimes of this nature by tracing fund flows, activating relevant networks and ultimately helping hinder the ability of illicit actors to launder the proceeds of these exploits.