Analysis of Verb Lab Discord phishing links
The NFT project Verb Lab recently launched their project to the public. However, their official Discord channel was already filled with malicious bots. These bots target new users by pretending to be from the official team and sending them private messages with phishing links to mint. We have discovered three links so far in connection with this scam.
Phishing site 1: https://mint-here.xyz/verblabs.html
Phishing site 2: https://verb-mint.netlify.app
Phishing site 3: http://opensea-live.com/limited-sale/verblabsofficial/
Here’s what the sites look like
Looking at the source code for the first link, we discovered that it was cloned from phishing site 3 using the HTTrack tool.
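The HTTrack finding above can be checked mechanically, because by default HTTrack writes a "Mirrored from ..." comment into the pages it copies. The following Python is an added example, not code from the original article; the function name httrack_provenance is hypothetical and the sample HTML, including its timestamp, is constructed for illustration.

```python
import re

# Footer comment HTTrack adds by default to each mirrored page.
MIRROR_RE = re.compile(
    r"<!--\s*Mirrored from\s+(?P<origin>\S+)\s+by HTTrack Website Copier/"
    r"(?P<version>[^\s,]+)[^,]*,\s*(?P<when>[^>]*?)\s*-->",
    re.IGNORECASE,
)
# Secondary marker that can survive when the footer comment has been removed.
ADDED_RE = re.compile(r"<!--\s*Added by HTTrack\s*-->", re.IGNORECASE)

# Constructed sample, not the real page source; the timestamp is a placeholder.
SAMPLE_HTML = """<!DOCTYPE html>
<html>
<!-- Mirrored from opensea-live.com/limited-sale/verblabsofficial/index.html by HTTrack Website Copier/3.x [XR&CO'2014], Sat, 01 Jan 2000 00:00:00 GMT -->
<head><title>Mint</title></head>
<body></body>
</html>"""


def httrack_provenance(html, served_from):
    """Report HTTrack markers and whether the copy is served from a different host."""
    result = {"cloned": False, "origin": None, "origin_host": None,
              "mirrored_at": None, "cross_host": False}
    match = MIRROR_RE.search(html)
    if match:
        origin = match.group("origin")
        # HTTrack records the origin without a scheme: host/path.
        host = origin.split("/", 1)[0].lower()
        result.update(
            cloned=True,
            origin=origin,
            origin_host=host,
            mirrored_at=match.group("when"),
            cross_host=(host != served_from.lower()),
        )
    elif ADDED_RE.search(html):
        # Footer stripped, but HTTrack's injected meta marker is still present.
        result["cloned"] = True
    return result


if __name__ == "__main__":
    # served_from is the host the analyst fetched the page from (phishing site 1).
    print(httrack_provenance(SAMPLE_HTML, "mint-here.xyz"))
```

A cross_host result of True means the page was copied from another site and rehosted, which is the relationship reported here between phishing site 1 and phishing site 3.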
Here’s what the second link looks like
These three sites seem to be generated using the same template.
We dug deeper and discovered the phishing addresses used for each link:
Phishing address 1: 0xe7b2AAa70D6133c78006A078b95dF8Be3613385E
Phishing address 2: 0xa096356DeB502d1F5670A2E26a645eA4dbAA4741
Phishing address 3: 0x80eE5caDf0f04058b9dF853017542Ab3dF9D88d7
Analysis of phishing address 1 (0xe…85E)
We started our investigation by looking up this address on Etherscan. We discovered that an address with the ENS name satrialingga.eth had made two transactions with this address, of 0.063 ETH and 0.126 ETH.
It just so happened that this user had a Twitter account with the handle @satrialingga_. We looked up their account and discovered that on May 26 they posted that they were a victim of this scam and lost 0.3 ETH.
We received 2 private messages upon joining the official Discord with phishing links to mint Verb NFTs. We suggest everyone turn off private chats in Discord to avoid incidents like this in the future.
We then used MistTrack to analyze the transfer of funds from address 1:
The stolen funds were immediately transferred out to various accounts
There was one address with a large number of transactions that caught our attention, 0x7068626254842b0e836a257e034659fd1f211480.
Upon further investigation, we discovered that the initial funds used for this address came from two 1 ETH transfers from Tornado Cash. In total, about 37 ETH was sent to this address, and the funds were laundered through 189 transfers. Some of these transactions were withdrawals and deposits from Binance.
Analysis of phishing address 2 (0xa…741)
Again we started our investigation with Etherscan. Most of the funds were exchanged for USDT, then transferred to 0xf44c65d285d6282c36b85e6265f68a2876bf0d39, where they remain at the time of writing.
Analysis of phishing address 3 (0x8…8d7)
According to MistTrack, address 3 (0x8…8d7) received a total of about 5.5 ETH, and a total of 53 deposit transactions. We suspect numerous individuals fell victim to this scam.
Most of the stolen funds were transferred to the Binance address
Upon entering this address into MistTrack, we discovered that it had received a high risk score from our AML risk score feature. In total it received about 76 ETH.
This concludes our analysis of the Verb discord phishing link incident so far. We will provide additional updates as more information is uncovered.
The goal of this article is to raise awareness of the phishing techniques used by scammers. In this incident, scammers prey on new users who join the Discord of popular NFT projects. They'll have malicious bots waiting to send you private messages with fake mints. We've seen these techniques used again and again to trick users into entering their private keys or authorizing the transfer of funds or NFTs.
We recommend that everyone verify the URL of the NFT website they are using before attempting to connect or make a purchase. At the same time, don't click on unknown links, join Discord only through official channels or official media outlets, and turn off private chats in Discord.