Revealing the Impersonation Scam of a Fake SlowMist Employee

SlowMist

Background

Recently, a victim reached out to the SlowMist security team to inquire whether @pig_space is a SlowMist employee. It was discovered that the X account @pig_space impersonated a Web3 recruiter, luring the victim into installing malicious software on his computer. Subsequently, the scammer took over the victim’s wallets and X account.

Upon receiving this report, the SlowMist security team promptly began an analysis and is disclosing the findings established so far.

Analysis Process

Claiming to be a data scientist at SlowMist, @pig_space listed a Linktree link on their X profile. Opening this Linktree, we found the following links:

[1] https://referrals.linea.build/?refCode=2VPV86FK9s

[2] https://debank.com/profile/0x386f55fddbadf4920cc35920902215fe7ce94808

[3] https://opensea.io/GotRekt69

[4] https://mirror.xyz/gotrekt.eth/collection

From link [2], we identified the address 0x386f55fddbadf4920cc35920902215fe7ce94808, which led us to another X account: @gotRekt1337.

Based on the behavior and content of this account’s replies to others’ posts, it appears to be operated by a real person. Further analysis revealed that the scammer had previously used Traditional Chinese.

While analyzing link [4], we noticed that @pig_space also used Traditional Chinese.

Using the on-chain anti-money laundering and tracking tool MistTrack, we examined the address 0x386f55fddbadf4920cc35920902215fe7ce94808 and identified several related ENS addresses.

One of the ENS addresses, hexxed.eth, shared content on the on-chain social platform Warpcast, which suggests the scammer’s native language is Chinese.

Next, we explored what could be uncovered from the X account @gotRekt1337. Searching this account on Open Friend revealed another address: 0x159382c5996dc7d05277e60e0ca47411c758c28e.

Using MistTrack to analyze this address, we found that it was tagged with the X account @pig_space. From the fund flow, 0x159382c5996dc7d05277e60e0ca47411c758c28e is directly connected to 0x386f55fddbadf4920cc35920902215fe7ce94808. Moreover, the gas used by address 0x159… was funded from 0x386…, further confirming that @gotRekt1337 and @pig_space are the same person.
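The "who paid for this wallet's first gas" link used above is a standard clustering heuristic in on-chain investigations. The following is an added illustration, not code from the original article or from MistTrack: it runs the heuristic over constructed transfers (the two addresses are the ones named in the article, but the transaction history is invented) and also encodes the two caveats an investigator applies, namely that an address that never transacted spent no gas and cannot be attributed, and that funding from a known exchange or bridge must not be used to link unrelated customers.

```python
from collections import defaultdict

# Addresses from the article; the transfers below are CONSTRUCTED sample data,
# not the real on-chain history of these addresses.
A386 = "0x386f55fddbadf4920cc35920902215fe7ce94808"
A159 = "0x159382c5996dc7d05277e60e0ca47411c758c28e"
EXCHANGE, BYSTANDER, SINK = "0xEXCHANGE_HOT", "0xBYSTANDER", "0xSINK"
KNOWN_SERVICES = {EXCHANGE}  # exchanges/bridges fund many unrelated wallets

TRANSFERS = [  # native-coin transfers: block height, sender, receiver, value
    {"block": 100, "from": EXCHANGE, "to": A386, "value": 2.0},
    {"block": 120, "from": A386, "to": A159, "value": 0.05},   # gas top-up
    {"block": 130, "from": A159, "to": SINK, "value": 0.01},   # first tx by A159
    {"block": 140, "from": A386, "to": A159, "value": 1.0},
    {"block": 150, "from": BYSTANDER, "to": A159, "value": 0.3},
]

def gas_funder(transfers, addr):
    """Sender of the earliest inbound transfer that arrived before addr's first
    outgoing transaction, i.e. whoever paid for its first gas. Returns None if
    addr never transacted (no gas spent, nothing to attribute) or if the funder
    is a known service, which would link unrelated customers together."""
    out_blocks = [t["block"] for t in transfers if t["from"] == addr]
    if not out_blocks:
        return None
    first_out = min(out_blocks)
    inbound = sorted((t for t in transfers if t["to"] == addr), key=lambda t: t["block"])
    if not inbound or inbound[0]["block"] >= first_out:
        return None
    funder = inbound[0]["from"]
    return None if funder in KNOWN_SERVICES else funder

def cluster_by_gas_funder(transfers):
    """Union each address with its gas funder; return clusters of size > 1."""
    addrs = {t["from"] for t in transfers} | {t["to"] for t in transfers}
    parent = {a: a for a in addrs}
    def find(a):
        while parent[a] != a:
            a = parent[a]
        return a
    for a in addrs:
        f = gas_funder(transfers, a)
        if f is not None:
            parent[find(a)] = find(f)
    groups = defaultdict(set)
    for a in addrs:
        groups[find(a)].add(a)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)

if __name__ == "__main__":
    print(cluster_by_gas_funder(TRANSFERS))  # [[A159, A386]]: one operator
```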

Through further analysis of the address 0x386f55fddbadf4920cc35920902215fe7ce94808, we identified another associated ENS: formosalabs.eth. This led us to information about a laboratory in Canada:

  • Website: https://www.formosalabs.com/
  • Address: 4789 Yonge Street (Suite 303) Toronto, Ontario, Canada

Although this clue does not definitively link the scammer to the laboratory, the scammer had previously shared information about Canada on Warpcast, leading us to infer that the hacker currently resides or has resided in Canada.

The scammer also expressed sympathy and encouragement to victims on Warpcast.

Using MistTrack to analyze the scammer’s address 0x79246fc9fa5c8f7f1fa87abfc474035b85b31bad provided by the victim, we discovered the use of the following cross-chain bridges and platforms: Relay Protocol, cryptomus.com, WhiteBIT, Changelly, Chainflip, Across Protocol, Bridgers.xyz, THORChain, Kucoin, among others. The subsequent transfer activity involved significant transaction volumes, which we will not elaborate on here. Notably, the laundering methods used in this incident suggest a level of sophistication inconsistent with the scam’s execution, indicating the likelihood of a group operation.

Final Remarks

After SlowMist founder Cos issued a public warning to the scammer on X, the scammer chose to block him. This article only discloses part of the investigation findings. The victim has sought law enforcement assistance, and all the above clues, along with undisclosed information, will be provided to law enforcement agencies.

Once again, we strongly advise the scammer to return the victim’s funds as soon as possible.

Risk management requires practice and vigilance — avoiding ill-gotten gains, ensuring account isolation, and refraining from impersonating security company employees are fundamental. Of course, turning back in time is also a form of risk management.

About SlowMist

SlowMist is a blockchain security firm established in January 2018. It was founded by a team with over ten years of network security experience, with the aim of becoming a global force in the field. Our goal is to make the blockchain ecosystem as secure as possible for everyone. We are now a renowned international blockchain security firm that has worked on various well-known projects such as HashKey Exchange, OSL, MEEX, BGE, BTCBOX, Bitget, BHEX.SG, OKX, Binance, HTX, Amber Group, Crypto.com, etc.

SlowMist offers a variety of services that include but are not limited to security audits, threat information, defense deployment, security consultants, and other security-related services. We also offer AML (Anti-money laundering) software, MistEye (Security Monitoring), SlowMist Hacked (Crypto hack archives), FireWall.x (Smart contract firewall) and other SaaS products. We have partnerships with domestic and international firms such as Akamai, BitDefender, RC², TianJi Partners, IPIP, etc. Our extensive work in cryptocurrency crime investigations has been cited by international organizations and government bodies, including the United Nations Security Council and the United Nations Office on Drugs and Crime.

By delivering a comprehensive security solution customized to individual projects, we can identify risks and prevent them from occurring. Our team was able to find and publish several high-risk blockchain security flaws. By doing so, we could spread awareness and raise the security standards in the blockchain ecosystem.
