search

polkadot-js / phishing

A curated list of known less-than-honest operators on Polkadot and Substrate networks. Includes a simple JS utility function to check any host or address against this list.
https://polkadot.js.org/phishing/
Apache License 2.0
196 stars 149 forks source link

Are we able to report Phishing Polkadot addresses? #59

Closed jackesky closed 3 years ago

jackesky commented 3 years ago

I think i may have answered my own question being a, no.

jacogr commented 3 years ago

Yes. The address.json file has them. They have been extracted from the already listed sites, thus far -

https://github.com/polkadot-js/phishing/blob/master/address.json

It is very new (couple of days) and only used atm in the apps UI to warn/disallow on the transfer dialog. (Documentation around this is still outstanding, hence you not seeing them)

TL;DR Please do report them as well

jackesky commented 3 years ago

thanks for your reply. I have 3 more questions.

  1. Once the Phishing addresses are entered and updated into the Git hub database, what happens to the address? Are future victims then unable to send funds into the scammers wallet as the address becomes listed as Phishing?

  2. Does that address also become useless in that the owner is unable to move crypto out of this Phishing address?

  3. Does the URL link also become listed as Phishing on the Brave Browser, just like it is on Google Crome and Firefox web browser?

jacogr commented 3 years ago

To you questions -

For the addresses/sites to be used/detected it needs to be integrated into wallets. So on the polkadot-js extension (if installed) if you try for instance to go to https://polkadot.express, it does the following -

image

The above would be the same for any wallets forked off the polkadot-js extension, of which there are a couple.

In the same vein wallets need integration to check the actual addresses. At this point (since it is new), as far as I know the apps UI is the only one that checks against this list. For instance if you try to send to the polkadot.company address listed, you will be greeted with -

image

The transaction cannot be sent. At this point it doesn't disallow the account completely in the UI (i.e. the scammer still has his accounts listed), but does protect the victims - originally wanted to go very hard, but rather decided to phase it in.

TL;DR The lists are available to be integrated as-is and it comes with a library for all checks for wallet providers. When merged here the extensions/wallets checks are done online, so the users are immediately protected.

jacogr commented 3 years ago

For now and future reference - if you have a favorite wallet, direct them to https://github.com/polkadot-js/phishing/tree/master/packages/phishing for integration.

polkadot-js-bot commented 3 years ago

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue if you think you have a related problem or query.