Large parts of the Helium LoRaWAN network consists of hotspots spoofing their location and earning HNT via Proof-of-Coverage while actually not providing any real world coverage for genuine data traffic. This is well known, Helium/NOVA claims to be fixing it but so far all they have done is come up with a largely dysfunctional denylist, asking the community to report suspicious hotspots and then not acting on it.
Recently, a new type of scam seems to gain traction: using cheap ‘Data-Only Hotspots‘ to earn HNT by generating data traffic over them. How does it work?
- you buy a cheap Data-Only Hotspot and add it to the Helium blockchain for a fixed fee of USD 10 (e.g. SenseCAP M2 at USD 199)
- you get a cheap LoRaWAN device that let’s you update its firmware (e.g. LoRa-E5 mini dev board at USD 21.9)
- you create a free account on the Helium Console, which gives you 10,000 DC (the equivalent of USD 0.1), and you buy/obtain more DC as you need them
- you create a device ID in your Helium Console to use in your LoRaWAN device
- you let your device send data packets which are received by your hotspot, so your hotspot gets rewarded in HNT for the data traffic
It seems the Helium system is setup to prevent DC arbitrage since HIP10 (details). But it would not surprise me if scammers had access to free DC by setting up hundreds of free Helium Console accounts.
From Data-Only Hotspot to USD 500K Wallet
Let’s have a look at Mammoth Mint Butterfly, a Data-Only Hotspot that has earned 22 HNT over the last 30 days, and on 29 May 2022 alone, 2.793 HNT or 29 times the network average of 0.095 HNT.
This hotspot has no location asserted, that would cost the scammers USD 5 extra (‘assert location‘), so we have no way of knowing where it is.
Why this is probably not genuine data traffic
- this hotspot sees an unusual amount of data traffic: 2.81% of the entire Helium network data traffic (over the last 7 days 23-30 May 2022)
- this hotspot has received 1,317,110 data packets over the last 7 days, or an average of 2 packets per second
- the data packets are a lot larger than the network average, to maximize the DC rewards: an average of 9.99 DC per data packet vs network average of 6.23 (which used to be below 2.00 in Feb 2022) – see below explanation
- the hotspot has no location set, but that may be common for data-only hotspots
Below screenshot shows this hotspot was rewarded for transferring 11,672 packets representing 116,594 DC, or 9.99 DC per packet. Packets are charged at 1 DC per 24 bytes, so these packets are averaging 240 bytes, which is very close to the technical limit of LoRaWAN packets (only under certain conditions up to 242 bytes of payload is possible).
The scammer wants to push a maximum of DC through his/her hotspot, so it makes sense to go for maximum length packets. In the real world, sensors are only sending a few bytes of data over LoRaWAN networks, to minimize battery consumption, and keep the airtime within legal limits. As recently as Feb 2022, the average DC per packet on the Helium network was 1.63 vs 9.99 for this and similar hotspots.
The 116.594 DC associated to these 11,672 packets is theoretically worth USD 1.16 (fixed DC rate). The hotspot was rewarded 0.153 HNT, or about USD 1.16 at a rate of 7.6 USD/HNT (this is an estimation for that moment in time). So it seems there is no significant margin to be made by buying DC and receiving rewards in HNT.
Let’s check for another moment in time, when 524,120 DC worth of packets (USD 5.24) was rewarded with 0.595 HNT, with the rate at that time 8.7 USD/HNT, resulting in USD 5.17 reward, roughly equivalent to the DC value, so it seems there is no arbitration.
Follow the money
This wallet A1 is transferring its earned HNT every day to wallet B1 (143uSCsZXgAXJu21B4mSEGwBdjPdkrMXMNwDdRyHyD1kWQfnZKP). This also includes earnings from the other Data-Only Hotspot Melted Linen Raven (13QaynhnQ7So5GNvajDG9TbLukeGUsLaskNhpz59LL2ZDofRNzU) belonging to the same wallet A1.
Wallet B1 (forwarder) does not hold any HNT, it just passes on what it receives, minus the transaction fee of 35,000 DC which is about 0.05 HNT.
The same goes for Data-Only Hotspot Upbeat Linen Cow (13iccGvQMDDzQpU5mwJAZyhrwJYAzuShxBtEEzx6HjEeifSi8e6) belonging to wallet A2 (14jf5258TaPDaeDwa7TX2jJbWDe2yBhCjBb3YbSZAYiSGRnNG21). This one is sending via ‘forwarder wallet B2‘ (12xBwVy2kAwuCUWk9qtyvSsahCYpa8UWDVxGJGDApFFbia4XxJU) to wallet C.
And Data-Only Hotspot Sharp Taffy Albatross (1366ngm4LFUhQ4UiCnmKwKGZStTumzL3JgPC25pLGChdAQDXAzz) belonging to wallet A3 (142fLAtW5PcGFfGDQpxD3gCnxpJBhZiRuZj7eYCrssexnd1SLEz). It is using the same ‘forwarder wallet B2‘ (12xBwVy2kAwuCUWk9qtyvSsahCYpa8UWDVxGJGDApFFbia4XxJU) to wallet C.
All these relatively small payments go to wallet C (13p7rGEpTkYzkMtoeDtHF3a14A7obaVhoATaSMFshHBH38qyqXN), that holds 58,550.91 HNT, valued at around half a million USD.
This ‘big wallet C‘ is receiving relatively small amounts of 1-100 HNT regularly from many other wallets, presumably HNT earned by mining/data.
Most incoming payments are below 10 HNT, but some stand out, such as this incoming payment of 1,399.9 HNT.
The origin is wallet D, which is only 1 day old and seems to be created for the occasion, just to forward payments (minus the transaction fee of around 0.05 HNT).
This wallet D (forwarder) received the payment from wallet E, the original source, that has 407,429 HNT worth about USD 3.4 million (ranked #45 at the moment). This is probably linked to an exchange platform, where people send their HNT in exchange for other currencies.
This huge wallet E (exchange platform?) is very active, sending and receiving dozens of payments per hour, mostly around 10 HNT, and sometimes sending a few 100s HNT. One outlier is an incoming payment of 17,340 HNT on 30 May 2022.
This payment comes from ‘wallet F‘ (14mG8daMRj95Mf3bNqJfffoM94rYZBMxQxHSkqApFVeww5LpruN), which receives very frequent payments of up to 100s of HNT, and sends a large sum to wallet E infrequently, the previous transfer was 1,126.85 HNT on 1 May 2022.
Back to the ‘big wallet C‘ that sits on USD 0.5 million and receives frequent payments as above, where do its outgoing payments go? It seems to send a few payment per month to ‘huge wallet E’ via a forwarder ‘wallet G‘ (144UDeDfetrJ5yAH5w4sYsNx43oLMNhJDUGAFrrcrp9878PDJgt).
It’s difficult to know what’s going on in this web of transactions between anonymous parties, but the use of automated forwarding wallets seems to indicate a high degree of coordination between these suspicious hotspots.
To be continued..