The rapid development of blockchain technology and the prosperity of cryptocurrency in the past decade have driven massive demand for digital asset trading, leading to the emergence of many cryptocurrency exchange platforms. Unlike centralised exchanges (CEXs), where listed tokens and cryptocurrencies are assessed by authorities to ensure a secure trading environment, decentralised exchanges (DEXs) allow users to trade their digital assets without the involvement of any third party, which exposes security issues and encourages the rise of many scams and malicious tokens. In this paper, we investigate an emerging type of malicious token named Trapdoor, which allows users to buy but prevents them from selling and getting their funds back. The first collection of Trapdoor tokens is constructed in this study by investigating the malicious behaviours and maneuvers of these tokens. After manually analysing the tokens' source code, we classify the Trapdoor tokens into different categories according to their malicious code embedding technique. Moreover, we comprehensively analyse the impact of Trapdoor tokens, the behaviours of scammers, and the characteristics of victims from various perspectives. Finally, we implement and publish our Trapdoor token detection tool and Trapdoor maneuver analysis reports to help increase investors' awareness of this kind of scam.