The dangers of unmonitored community activities.

ANDROMALIUS IO
Mar 23, 2023

Why monitoring and verifying key assets in a community contribution model is crucial, using our recent Pi-Network findings as an example.

DISCLAIMER: SHORTLY AFTER THIS POST AND ADDRESSING THE ISSUE, THE TEAM UNDERTOOK ACTION, HOWEVER WE NEVER RECEIVED ANY FEEDBACK OR CONTACT REQUEST.

There’s a big chance you’ve installed Pi on your phone and forgotten about it. Recently, however, Pi has received more attention because they’re close to launching on the ‘mainnet’ and are making big steps toward achieving this milestone.

In the near future, at its release, this would enable participants (‘Pioneers’) to trade their mined Pi like most cryptocurrencies we all know. These Pioneers used either the app on their phone or the Pi-node on a computer system to mine their Pi.

The Pi-Network relies heavily on community participation and contribution, driven by the hype, expectations, innovative/creative possibilities and blockchain knowledge of its ‘Pioneers’ worldwide.

This model has proven effective in the past. However, they also apply this approach to the moderation and maintenance of their community wiki. Handing the community such a great responsibility toward this giant collective of participants demands various forms of review because of the (potential) risks. Any malicious contribution can damage the Pi-network’s authenticity and credibility with regard to the safety and privacy of its users and ‘core’ team-members.

Mining Pi is highly accessible because of its low complexity, which is backed by several of their own statements, like:

‘Download the mobile app to start mining today!’

‘Pi makes crypto mining easy.’

‘Breakthrough tech allows you to mine Pi on your phone without draining your battery.’

Simplicity leads to curiosity and greed, in order to answer the golden question that everyone at a certain point of their Pioneer career encounters…

‘What can I do to earn more Pi?’

In order to earn more Pi and fill your wallet and greed, you can either:

  1. Invite friends to your security circle in order to increase reward rates.
  2. Install the Pi-Node on your computer.

When you’re out of friends to invite, the next most logical step would be installing the Pi-node.

For Windows and Mac, it’s possible to download the software required to set up a node from their own domain, which can be validated since it’s also advertised in their app.

Anyone using a different operating system would probably wonder where to obtain the files for Linux. After some digging you stumble upon the COMMUNITY WIKI and a page titled ‘Install Instructions’.

And this is where the malicious magic happens.

Upon arrival on the Wiki you’re presented with the following (familiar) image.

I got directed by the community wiki, that must mean it’s legitimate right…?

Initially, yes.

Based on analyzing the change log, we can construct the following short and simple timeline:

The team behind Pi happily built out their wiki page from May 3 2020 until Feb 7 2021.

As shown below:

However, after the initial set-up was done, this page was heavily edited by malicious actors at a regular rate over prolonged periods of time, starting on June 5 2021.

These changes were primarily aimed at changing the download URLs or defacing the ‘wiki’ in general.

Almost all of the links do not install the Pi-node and instead install either a Binance mining bot or screen capture software, as displayed in the following image that contains one of many commits (changes).

Users complain that it doesn’t work and seek help by opening an issue, due to their belief that the software is legitimate.

Which sadly, isn’t the case…

We highly recommend that all users who were tricked into installing software from this ‘Wiki’ run the necessary security checks and procedures, such as:

  • Removing the software and installed services;
  • Virus/Malware scans;
  • Changing (system) passwords;
  • Rollbacks/Clean installs;
  • Checking any unknown transactions from/to other cryptocurrency wallets;
  • Filing a report with local authorities;
  • Always checking change logs (if available) on wikis and GitHub for malicious links or code before downloading and installing software.

This is a perfect example of why moderation and review of major assets is key: any lack of monitoring of the communication presented on pages advertised by the parent company can result in major damage.
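One way to automate the change-log check recommended above, as an added example that is not from the original post: it walks a page's revision history oldest-first and flags every revision that introduces a link to a host outside an allowlist. The trusted host, the sample revisions and all function names are constructed placeholders.

```python
import re
from urllib.parse import urlsplit

# Assumption: hosts the project itself publishes downloads from (placeholder).
TRUSTED_HOSTS = {"downloads.official.example"}

URL_RE = re.compile(r"https?://[^\s)\]>\"']+", re.IGNORECASE)


def hosts_and_urls(text):
    """Return {url: host} for every http(s) link in a page revision."""
    found = {}
    for raw in URL_RE.findall(text):
        url = raw.rstrip(".,;")
        host = (urlsplit(url).hostname or "").lower().rstrip(".")
        found[url] = host
    return found


def is_trusted(host):
    """Exact match or true subdomain; 'official.example.evil.test' fails."""
    return any(host == t or host.endswith("." + t) for t in TRUSTED_HOSTS)


def audit_revisions(revisions):
    """Flag each revision that introduces a link to an untrusted host.

    revisions: oldest-first list of (date, editor, page_text).
    """
    findings, previous = [], {}
    for date, editor, text in revisions:
        current = hosts_and_urls(text)
        for url, host in current.items():
            if url not in previous and not is_trusted(host):
                findings.append((date, editor, url))
        previous = current
    return findings


# Constructed sample history; dates, editors and URLs are illustrative only.
SAMPLE = [
    ("2024-01-01", "core-team", "Install: https://downloads.official.example/node.deb"),
    ("2024-02-10", "new-editor", "Install: https://downloads.official.example.evil.test/node.deb"),
    ("2024-02-11", "core-team", "Install: https://downloads.official.example/node.deb"),
    ("2024-02-15", "other-editor", "Install: [here](http://203.0.113.7/setup.sh)."),
]

if __name__ == "__main__":
    for date, editor, url in audit_revisions(SAMPLE):
        print(f"{date} {editor} added untrusted link: {url}")
```

Run on a schedule against the wiki's exported history, the same comparison gives maintainers an alert on the first revision that swaps a download link, rather than after users report that the software does not work.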

Innovations, hype and creativity go hand in hand with cybercrime in this digital age roaming new (lawless) frontiers like crypto.

We hope that the Pi Network will undertake proper action in order to mitigate this critical flaw that’s been abused longer than necessary.

-Andromalius.IO
