Potentially malicious mass account name squatting

Hi all,

I have recently joined the Near community as a developer looking to create some cool apps on the network. Unfortunately it didn’t quite start out as well as I’d have hoped.

When I went to create my wallet, I used the account name that I’ve always used for developing (on Github etc.) and some other forums. But I was very surprised to see it taken. This name is lostpebble- which to me seems like not a very obvious name and the likelihood of someone else using it is very slim, especially because I was able to register pebble.near afterwards.

I had a strange feeling that something wasn’t right here.

I investigated on the Near Explorer, and noticed that the account was registered on the 14th January of this year and had only a single transaction on it- that which was used to actually create the account. And a balance of 0.006N.

Already, that’s an initial indication of a squatter.

But looking deeper into it, I checked out the account creation transaction and dug into the parent account which created it- 9nearapps.near. This account was registered in late December and already amassed 309347 transactions! It might not be a stretch to say that a lot of those were similar such account creation transactions- I would like to find a way to validate this on the blockchain and do more investigations based on the names which were selected.

My gut feeling is that this is a malicious account which likely crawled Github for highly active developer account names (I have a few libraries, the most popular of which has 920 stars as of writing) and registered them en masse. The goals of which could be a few:

  • Typosquatting: misleading potential donors to developer projects to send Near to the wrong account (this is the most annoying one for me, as I don’t think I’ll even use pebble.near for donations now, as its too similar and might confuse people- I’ll have to change my dev name on the Near protocol completely).

  • Stolen identity fraud- using Twitter, blogs, videos, forum posts or any other type of media, pretending to be me and requesting donations for my projects.

  • Holding the account knowing that people might pay to have their personal developer account name transferred to them at some stage.

I’m sure there could be other reasons I’m missing as well.

Some references online that I’ve found to “9apps”, as in the account name in question, is not a great sign either. (see https://www.quora.com/Is-9apps-safe). It appears to be an entity owned by Alibaba, from what I can see online, and exhibits some scammy practices. Not to say these are definitely the same people, but it certainly could be.

Is there any recourse in this kind of situation? Is there potential for some kind of governance system to deal with this? Obviously, “malicious” in this situation would have to be well defined. Personally, I think clear and undeniable registering of account names en masse, especially with targeting of previously known unique identities, should be considered “malicious”.

Lastly, I’d like to investigate this more. I’d like to take a closer look at all the account creation transactions of that account and cross-reference them to some external systems. If there is anyone who could point me in the right direction, the best methods to do this (block chain API, or other efficient methods of querying the blockchain- I assume I’d have to access the archive for older transactions)- I’d really appreciate it! Perhaps this could be the start of developing systems to help govern against such malicious activity :slight_smile:



Interesting observation and, frankly, I think it’s something that’s going to continue to grow as the network does.

Similar to how ENS handles, particularly unique ones, are desirable, I can see the same thing happening with NEAR Account names, too.

There is no recourse. The nature of decentralisation and a completely open and accessible ecosystem gives way to things like this.

I’d argue that there, in fact, shouldn’t be any recourse.

Best way to avoid it is, I guess, to be early haha! In all seriousness, there is already a secondary market for these account names so as I alluded to earlier, I personally expect it to grow.

I don’t think they are, most are interactions with a v2.nearapps.near contract, I suspect it’s related to these efforts by Primelabs (this is a complete guess, though).

Edit: Just got confirmation that these are Primelabs contracts

The big brains in the Dev teams have office hours on the regular, they might be able to direct you to an efficient way of exploring the chain?


FWIW I think this is a coincidence because there is also 8nearapps.near, 7nearapps.near, and I’m sure more - I just didn’t look that far.


Not quite the same, but I’ve gone ahead and created a DAO on AstroDAO called lostpebble.sputnik-dao.near - would love to get you on as Council and remove myself. You can then use that to receive donations and anything else you fancy:


  • always open for a call if you ever want to talk about building on NEAR
1 Like

Hi David, thanks for your responses!

That’s understandable. Although it does bring up some feelings of the misgivings I have about crypto and the decentralized / “no one has control” nature of it. Definitely opens the door to misuse and abuse, in various ways. I think a bit of healthy oversight ability can be a good thing, I’m sure others disagree though.

So I guess this is a bit of dead end, in that the Near governance doesn’t have the ability to intervene in such cases? (in the case of undeniable malicious activity on the network)

Ah okay thanks, I’ll be sure to jump on the Discord and get more direction in this area.

Oh… so is it Primelabs which created these accounts en masse? Is it them that somehow used my username? If so, hopefully there might be some recourse in requesting it from them.

Cool, thanks! I’ll look into that now :slight_smile:

Appreciate it! Might take you up on that sometime. My brother and I are currently building a tool for tracking NFT prices on the Near protocol, right now with the help of Paras but would like to try create a more native implementation at some point as well (directly inspecting the blockchain).

1 Like

That’s correct, but, as I mentioned above, not sure if we can label this ‘malicious’ (in my opinion, anyhow).

I’ve dropped @ross from Primelabs a message regarding this - will give you an update as and when :100:

Any questions just ping me :tada:


Yep, agreed- in this case its still a bit ambiguous (though it does seem like some scraping and intention was involved). I just meant to say, that even in the case of real and undeniable malicious activity- their hands are still tied.

Appreciate it!


I can’t seem to send you a direct message on here. But I think I’ve sent out a proposal to add me as a member to the DOA.

Should be prompted to DM me if you click on my profile pic.

But yeah, perfect. I’ve added you to the Council and proposed to remove myself:


Feel free to vote it through :tada:

1 Like

So this is the UI when I click on your pic, and its similar on your profile page. Can’t seem to find a message button anywhere.

Awesome, thanks! I’ve voted on the proposal- think you also need to confirm your vote.

BTW, I see there’s like 5.1 Near inside the DAO- guessing that’s an initial investment to open the DAO? Didn’t realize there was such a cost involved, hope you didn’t need to fund that yourself?

Thanks for the heads up, will check it out!

All done :tada:

All good, there are funds reserved for things like this - glad to have you in the ecosystem :beers:

1 Like

Wow! Much appreciated. My brother (who got me into Near recently) mentioned the community and ecosystem was great, first hand experiences are definitely confirming that! :grin: cheers :beers:


celebrate hell yeah GIF by Brooklyn Nine-Nine


Hi @David_NEAR , did you ever manage to get a response from @ross regarding this situation? Still holding out with a tiny glimmer of hope that my username might be able to come home some day :stuck_out_tongue:

Hey gm, let me see what I can do to chase it with him