Analysis of Verb Lab Discord phishing links

The NFT project Verb Lab recently launched their project to the public. However, their official discord channel was already filled with malicious bots. These bots target new users by pretending to be from the official team and sending them private chats with phishing links to mint. We discovered three links so far in connection to this scam.

Phishing site 1: https://mint-here.xyz/verblabs.html
Phishing site 2: https://verb-mint.netlify.app
Phishing site 3: http://opensea-live.com/limited-sale/verblabsofficial/

Here’s what the sites look like

Phishing site 1: https://mint-here.xyz/verblabs.html

Looking at the source code for the first link and discovered that it was cloned using the HTTrack tool from phishing site 3.

Phishing site 3: http://opensea-live.com/limited-sale/verblabsofficial/

Here’s what the second link looks like

Phishing site 2: https://verb-mint.netlify.app

These three sites seem to be generated using the same template.

Phishing addresses

We dug deeper and discovered the phishing addresses used for each link

Phishing address 1: 0xe7b2AAa70D6133c78006A078b95dF8Be3613385E
Phishing address 2: 0xa096356DeB502d1F5670A2E26a645eA4dbAA4741
Phishing address 3: 0x80eE5caDf0f04058b9dF853017542Ab3dF9D88d7

Analysis of Phishing address 1 ( 0xe…85E)

We started our investigation by searching up this address on Etherscan. We discovered an address with the ENS name satrialingga.eth had two transactions with this address, 0.063 ETH and 0.126 ETH.

It just so happened that this user had a twitter account with twitter handle @satrialingga_. We looked up their account and discovered that on May 26 they posted how they were the victim of this scam and lost 0.3 ETH.

We received 2 private messages upon joining the official discord with phishing links to mint Verb NFTs. We suggest everyone to turn off their private chats in discord to avoid incidents like this in the future.

We then used MistTrack to analyze the transfer of funds from address 1:

The stolen funds were immediately transferred out to various accounts

There was one address with a large number of transactions that caught our attention, 0x7068626254842b0e836a257e034659fd1f211480.

Upon further investigations, we discovered the initial funds used for this address came from two, 1 ETH transfers from TornadoCash. In total, about 37 ETH was sent to this address, and the funds were laundered through 189 transfers. Some of these transactions were withdrawals and deposits from Binance.

Analysis of phishing address 2(0xa…741)

Again we started our investigation with Etherscan. Most of the funds were exchanged for Usdt, then transferred to 0xf44c65d285d6282c36b85e6265f68a2876bf0d39, where it remains at the time of writing.

Analysis of phishing address 3(0x8…8d7)

According to MistTrack, address 3 (0x8…8d7) received a total of about 5.5 ETH, and a total of 53 deposit transactions. We suspect numerous individuals fell victim to this scam.

Most of the stolen fund was transferred to the Binance address
0x2ae27a28ffa6b08d4568133632268d1335e26996.

Upon entering this address into MistTrack, we discovered that it had received a high risk score from our AML risk score feature. In total it received about 76 ETH.

This concludes our analysis of the Verb discord phishing link incident so far. We will provide additional updates as more information is uncovered.

Summary

The goal of this article is to raise awareness to phishing techniques used by scammers. In this incident, scammers prey on new users that join the discord of popular NFT projects. They’ll have maliciou bots waiting to send you private messages with fake mints. We’ve seen these techniques used again and again tricking users into entering their private keys or authorizing the transfer of funds or NFTs.

We recommend everyone to verify the URL of the NFT website you are using before attempting to connect or make a purchase. At the same time, don’t click on unknown links, try to join Discord through official channels or official media outlets, as well as turning off private chats in discord.

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
SlowMist

SlowMist is a Blockchain security firm established in 2018, providing services such as security audits, security consultants, red teaming, and more.