On May 10th, 2022, Serpent, founder of Sentinel, tweeted that scammers were abusing Google Ads to promote a phishing site that was an identical copy of a legitimate website's page, served from a lookalike URL.
Looking deeper into the source code of the phishing website, we found the address the scammer used to collect funds.
Scammer address:
0xf738ffbde48570763d8ce7dc6d263205699d7cd9
First, the scammer created and deployed a phishing contract, x2y2Refund, which claimed its first victim at 03:50 pm.
Adding insult to injury, the scammer then created another phishing contract, EthRefund, at 10:00 am on May 8th, 2022.
The scammer then transferred the stolen funds from both phishing contracts (approximately 100 ETH) to his personal address 0xf73…cd9.
Let’s first analyze the scammer’s addresses. The initial funds originated from two separate addresses.
Address 0xb07…c49 created two contracts, ApeClaim and Auto4Connect, whose code was essentially the same as that of the second phishing contract (EthRefund) created on May 8th. We can therefore infer that these contracts were phishing contracts deployed by the same scammer.
Going back further, let’s analyze one of the phishing contract addresses: 0xbbc…291.
The initial funding source of address 0xbbc…291 turns out to be the same as that of address 0xbfa…69e, one of the original funding sources of the addresses above.
Let’s shift gears and focus on the transfer out of the scammer address.
First, we’ll look at the scammer’s address through MistTrack, our anti-money-laundering tracking system.
The scammer address 0xf73…cd9 accrued about 113 ETH: 8.39 ETH was transferred to OKX and the rest went to 4 different addresses.
One of those receiving addresses is 0xbfa…69e, mentioned above. MistTrack associates this address with mr-beast.eth and shows complex transaction behavior.
Address 0xbfa…69e also appears to have stolen a significant number of NFTs by calling transferFrom.
Let’s look at another of the receiving addresses: 0x4a…ebc. This address has been marked as a phishing address, holds multiple currencies, and has proceeds totalling around 56 ETH.
Tracking analysis in MistTrack determined that most of the ETH was transferred to Hitbtc, with small amounts going to other trading platforms such as Binance, Bitzlato, and Cryptonator. Interestingly, the phishing address also donated a small amount of its ETH to a Ukrainian crypto donation fund.
The remaining two of the four addresses are not discussed in this article.
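The two tracing steps used above, clustering addresses by their first funding source and following outflows forward until they reach a labelled entity such as an exchange deposit address, can be reproduced on a plain transfer list. The block below is an added example, not MistTrack code and not data from this case: the transfers, amounts, intermediate addresses and exchange deposit addresses are constructed placeholders, and the tracer simply attributes the amount of each final hop to the labelled destination (no proportional taint tracking).

```python
"""Address clustering by first-funding source and forward outflow tracing.

Added example. TRANSFERS and LABELS are constructed for illustration and are
not chain data or MistTrack output from the investigation above.
"""
from collections import defaultdict, deque
from typing import Dict, List, Optional, Set, Tuple

# Constructed transfer list: (block, sender, receiver, amount_in_eth).
TRANSFERS: List[Tuple[int, str, str, float]] = [
    (100, "0xfunder",   "0xphish1",      0.20),  # one funder seeds two phishing addresses
    (101, "0xfunder",   "0xphish2",      0.20),
    (102, "0xunrelated","0xphish3",      0.10),  # a third address funded from elsewhere
    (110, "0xvictim1",  "0xphish1",     60.00),
    (111, "0xvictim2",  "0xphish2",     50.00),
    (120, "0xphish1",   "0xscammer",    60.00),  # consolidation into the main address
    (121, "0xphish2",   "0xscammer",    50.00),
    (130, "0xscammer",  "0xokx_dep",     8.00),  # direct exchange deposit
    (131, "0xscammer",  "0xhop1",       40.00),  # two unlabelled intermediaries
    (132, "0xscammer",  "0xhop2",       62.00),
    (140, "0xhop1",     "0xhitbtc_dep", 35.00),
    (141, "0xhop1",     "0xdonation",    0.50),
    (142, "0xhop2",     "0xbinance_dep",10.00),
    (143, "0xhop2",     "0xhop3",       50.00),  # parked at an address with no outflows yet
]

# Constructed entity labels (placeholder deposit addresses, not real ones).
LABELS: Dict[str, str] = {
    "0xokx_dep": "OKX",
    "0xhitbtc_dep": "Hitbtc",
    "0xbinance_dep": "Binance",
    "0xdonation": "Donation fund",
}


def first_funder(addr: str, transfers=TRANSFERS) -> Optional[str]:
    """Sender of the earliest inbound transfer to addr, or None if never funded."""
    inbound = [t for t in transfers if t[2] == addr]
    if not inbound:
        return None
    return min(inbound, key=lambda t: t[0])[1]


def cluster_by_funder(addrs: List[str], transfers=TRANSFERS) -> Dict[str, List[str]]:
    """Group addresses that share the same first funding source."""
    clusters: Dict[str, List[str]] = defaultdict(list)
    for a in addrs:
        f = first_funder(a, transfers)
        if f is not None:
            clusters[f].append(a)
    return dict(clusters)


def trace_outflows(start: str, transfers=TRANSFERS, labels=LABELS,
                   max_hops: int = 5) -> Tuple[Dict[str, float], Set[str]]:
    """Walk outflows forward from start, only following transfers that happen
    after the funds arrived at each hop. Returns (ETH per labelled entity,
    unlabelled addresses where the trail stops)."""
    totals: Dict[str, float] = defaultdict(float)
    dead_ends: Set[str] = set()
    queue = deque([(start, -1, 0)])   # (address, arrival block, hops so far)
    seen = {start}
    while queue:
        addr, arrived, hops = queue.popleft()
        outs = [t for t in transfers if t[1] == addr and t[0] > arrived]
        if not outs and addr != start:
            dead_ends.add(addr)
            continue
        for block, _, to, amt in outs:
            if to in labels:
                totals[labels[to]] += amt
            elif to not in seen and hops < max_hops:
                seen.add(to)
                queue.append((to, block, hops + 1))
    return dict(totals), dead_ends


if __name__ == "__main__":
    print(cluster_by_funder(["0xphish1", "0xphish2", "0xphish3"]))
    totals, stuck = trace_outflows("0xscammer")
    print(totals, stuck)
```

Two addresses sharing a first funder is a clustering hint, not proof; in the case above it is combined with identical contract code and with the same address appearing as both funder and recipient of the proceeds. The block-ordering check in trace_outflows (only follow transfers after arrival) is what stops an intermediary's earlier, unrelated spending from being attributed to the stolen funds.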
Summary
The purpose of this article was to use a phishing website as an example of how to track and analyze the addresses and entities involved. Phishing websites are clearly on the rise, so it’s crucial to remain vigilant and verify that URLs are genuine to avoid becoming a victim.
How can users safeguard their assets in the face of repeated scams?
1) To improve your security awareness, read the “Blockchain dark forest selfguard handbook”.
2) Never click unknown links, and never disclose private keys or recovery phrases to anyone.
3) Don’t sign approvals you don’t understand, and revoke any you no longer need. You can use https://revoke.cash/ to check whether your address has granted suspicious authorizations.
4) If your wallet has been compromised, immediately transfer your remaining assets to a fresh wallet.
5) Be vigilant, stay suspicious, trust nothing.
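The NFT theft via transferFrom noted earlier and the approval advice in point 3 are two halves of the same pattern: the victim signs an approval (setApprovalForAll or an unlimited approve) on the phishing site, and the scammer later calls transferFrom as the approved operator. The block below is an added example, not code from this article or from MistTrack: it decodes the calldata of those three standard ERC-20/ERC-721 calls offline and flags the suspicious shapes. The transactions, victim, scammer and NFT contract addresses are constructed placeholders; only the 4-byte selectors are the real standard ones.

```python
"""Decode ERC-20/ERC-721 calldata offline and flag approval-phishing steps.

Added example with constructed sample transactions; the addresses below are
placeholders, not those from the investigation above.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# First 4 bytes of keccak256(signature): the standard selectors.
SELECTORS = {
    "23b872dd": "transferFrom(address,address,uint256)",
    "a22cb465": "setApprovalForAll(address,bool)",
    "095ea7b3": "approve(address,uint256)",
}
UINT256_MAX = 2**256 - 1


@dataclass
class Call:
    func: str
    args: Dict[str, object] = field(default_factory=dict)


def _word(data: bytes, i: int) -> bytes:
    """i-th 32-byte ABI word after the 4-byte selector."""
    w = data[4 + 32 * i: 36 + 32 * i]
    if len(w) != 32:
        raise ValueError("calldata too short")
    return w


def _addr(w: bytes) -> str:
    """Decode a left-padded address word; reject dirty padding bits."""
    if any(w[:12]):
        raise ValueError("non-zero padding in address word")
    return "0x" + w[12:].hex()


def _uint(w: bytes) -> int:
    return int.from_bytes(w, "big")


def decode_calldata(hexdata: str) -> Optional[Call]:
    """Return the decoded call, or None for selectors we do not track."""
    data = bytes.fromhex(hexdata.removeprefix("0x"))
    func = SELECTORS.get(data[:4].hex())
    if func is None:
        return None
    if func.startswith("transferFrom"):
        return Call(func, {"from": _addr(_word(data, 0)),
                           "to": _addr(_word(data, 1)),
                           "tokenId": _uint(_word(data, 2))})
    if func.startswith("setApprovalForAll"):
        return Call(func, {"operator": _addr(_word(data, 0)),
                           "approved": bool(_uint(_word(data, 1)))})
    return Call(func, {"spender": _addr(_word(data, 0)),
                       "amount": _uint(_word(data, 1))})


def flag_tx(tx: dict) -> Optional[str]:
    """Reason string if the transaction looks like an approval-phishing step."""
    call = decode_calldata(tx["input"])
    if call is None:
        return None
    sender = tx["from"].lower()
    a = call.args
    # Operator moving someone else's token: the tx sender is not the owner.
    if call.func.startswith("transferFrom") and a["from"] != sender:
        return f"transferFrom by operator {sender} moved token {a['tokenId']} out of {a['from']}"
    if call.func.startswith("setApprovalForAll") and a["approved"]:
        return f"{sender} granted blanket NFT approval to {a['operator']}"
    if call.func.startswith("approve") and a["amount"] == UINT256_MAX:
        return f"{sender} granted unlimited ERC-20 allowance to {a['spender']}"
    return None


# Encoders used only to build the constructed samples below.
def _pad_addr(a: str) -> bytes:
    return bytes(12) + bytes.fromhex(a.removeprefix("0x"))


def _pad_uint(n: int) -> bytes:
    return n.to_bytes(32, "big")


def encode_call(selector: str, *words: bytes) -> str:
    return "0x" + selector + b"".join(words).hex()


VICTIM = "0x" + "11" * 20    # constructed placeholder
SCAMMER = "0x" + "22" * 20   # constructed placeholder
NFT = "0x" + "33" * 20       # constructed NFT contract address

SAMPLE_TXS: List[dict] = [
    # Step 1: the "refund claim" the victim signs is really setApprovalForAll(scammer, true).
    {"from": VICTIM, "to": NFT,
     "input": encode_call("a22cb465", _pad_addr(SCAMMER), _pad_uint(1))},
    # Step 2: the scammer, now an approved operator, pulls token 42 from the victim.
    {"from": SCAMMER, "to": NFT,
     "input": encode_call("23b872dd", _pad_addr(VICTIM), _pad_addr(SCAMMER), _pad_uint(42))},
    # Benign: an owner transferring their own token (from == sender).
    {"from": VICTIM, "to": NFT,
     "input": encode_call("23b872dd", _pad_addr(VICTIM), _pad_addr(SCAMMER), _pad_uint(7))},
]


def scan(txs: List[dict]) -> List[str]:
    return [r for r in (flag_tx(t) for t in txs) if r]


if __name__ == "__main__":
    for line in scan(SAMPLE_TXS):
        print(line)
```

The same decoder applied to a wallet's own outgoing transactions shows what was actually signed on a "claim" or "refund" page; a setApprovalForAll or unlimited approve to an address you don't recognise is exactly what revoke.cash surfaces for revocation.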