SlowMist: 2024 Q3 MistTrack Stolen Funds Analysis

SlowMist
11 min readSep 30, 2024

--

Every day, SlowMist/MistTrack receives numerous requests for assistance from victims seeking help in tracking and recovering stolen/lost funds. These cases often involve significant funds, with some victims losing millions of dollars. In this report, we will provide a detailed analysis of the theft cases submitted during Q3 of 2024. Our aim is to highlight both common and less known attack methods, drawn from real, anonymized cases. Our goal is to raise awareness and offer useful tips to help users better protect their assets and stay safe from potential risks.

In Q3 of 2024, MistTrack received a total of 313 theft reports, including 228 from domestic users and 85 from international users. This represents a decrease compared to Q2 2024 (details of which can be found in our Q2 analysis). As part of our community service, we provided free evaluations for each case(Note: this analysis only includes cases submitted via our form, not those received through email or other channels).

In Q3, MistTrack assisted 16 victims in freezing approximately $34.39 million across 16 platforms.

Top 3 Causes of Theft

1. Private Key Leaks

Private key leaks were the leading cause of asset theft in Q3. Based on our analysis, the leaks fell into several categories:

- Account Purchases Leading to Key Leaks: Victims who purchased accounts from untrustworthy sources (such as WPS memberships or overseas Apple IDs) often stored their private keys or recovery phrases in easily accessible places like notes or documents. The sellers then exploited these stored keys, gaining access to the victims’ assets.

Incident Description:

On July 2nd at 07:21 AM, the victim was using an iPhone and had purchased a US-based ID to download software. However, the ID password was changed, and unfortunately, the wallet’s private key had been stored in the notes. Although the funds were still intact on July 1st, by midday on July 2nd, the victim discovered that the assets (denoted as “U”) had already been transferred out.

- Improper Key Storage: Storing private keys improperly was a frequent issue. Common mistakes include:

  • Saving keys as photos in phone notes or cloud storage.
  • Storing recovery phrases in email drafts or unencrypted files (such as .txt or .xlsx).
  • Saving keys on cloud platforms or local devices without proper encryption.
  • Taking screenshots of recovery phrases and storing them in photo galleries.

One case involved a victim whose funds were stolen by a friend who had access to their private key. Overcome with guilt, the friend eventually returned the funds. To prevent such incidents, users should store their private keys securely, such as writing them on paper and keeping them in a safe physical location or using a hardware wallet. If electronic storage is necessary, files should be encrypted and stored offline.

- Downloading Fake Apps

Asset theft caused by fake wallet apps is a well-known issue, but the threat extends beyond just fake wallet applications.

Case 1: Downloading Malicious Apps

A victim downloaded a malicious app provided by scammers, which altered the wallet’s permissions, leading to the TRON address being compromised through multi-signature manipulation. For more information on the risks of malicious multi-signature wallets, you can refer to the “Web3 Security Beginner’s Guide | Risks of Malicious Multi-Signature Wallets.”

Scam Incident Description:

On July 27th, 2024, at 13:05, the victim downloaded a fraudulent app provided by the scammer. The following day, on July 28th, at 15:14, the app’s permissions were maliciously modified, resulting in the theft of the victim’s assets.

In another instance, a victim downloaded a fake version of Telegram. The scammer manipulated the wallet address sent by a friend, changing it to the hacker’s address, which resulted in the funds being transferred to the wrong destination.

Scam Incident Description:

The wallet address sent by a friend via Telegram was altered by hackers, and the funds were transferred to a phishing address instead.

Case 2: Trojan Virus

According to reports, many victims were tricked by scammers into downloading malicious applications, which infected their devices with Trojan viruses, leading to the theft of data and permissions.

For example, scammers contacted users through private messages, pretending to offer job opportunities and persuading them to download a fake version of the game **PartyChaos**. This particular scam has been exposed by multiple users on X (formerly Twitter):

- Official site: partychaos[.]fun

- Scammer’s site: partychaos[.]space

One victim suspected that the program was risky and initially refrained from downloading it. However, they accidentally interacted with it later, leading it to access permissions to all their assets.

Another case involved a victim being scammed on X (formerly Twitter) by downloading a virus-laden VBS script, resulting in asset theft.

Theft Incident Description:

The victim was scammed on Twitter, where they downloaded a VBS script that contained a virus. Despite attempting to remove the virus immediately, the antivirus failed, and the theft still occurred. Almost all private keys stored in the extension were copied. Dogecoin assets from the address were transferred, and collateralized assets were also moved across multiple addresses.

More commonly, scammers posed as venture capitalists (VCs) or journalists, luring victims into downloading malicious video conferencing applications. In one of the reports we received, the scammer impersonated a VC or journalist, contacting the victim via Telegram. They convinced the victim to join a video call using an app called WasperAI. Since the victim didn’t have the app, the scammer sent a link to download it from wasper[.]app, claiming it was the official download link. However, this was a phishing link designed to steal the victim’s computer data, including private keys.

We discovered that the phishing site was carefully crafted, even including a corresponding GitHub open-source project.

To enhance the legitimacy of the fake project, the scammers even manipulated the Watch, Fork, and Star counts on the open-source repository.

The phishing website, fake project, and X accounts all appeared highly coordinated, making the scam seem like a legitimate project. Without careful scrutiny, many victims fell into the trap.

We identified that this was the work of a well-organized, technically proficient hacker group that excels in social engineering. They often masquerade as project developers, creating polished project websites, social media accounts, and open-source repositories. They also inflate follower counts and write whitepapers, making the scam appear like a real project, leading many victims to believe it’s authentic before falling prey to their attacks.

Recommendations: Users should always maintain a healthy level of skepticism when clicking on website links. It’s important to install reputable antivirus software, such as Kaspersky or AVG, to enhance device security. If you suspect your system has been compromised, transfer your wallet funds immediately and conduct a thorough malware scan on your computer.

— “Voluntary” Private Key Input

This type of theft occurs when victims, perhaps in moments of lowered vigilance, unknowingly enter their private keys. The three common scenarios include:

  • While binding a wallet to a bot, victims inadvertently disclose their private keys to fake bots.
  • During participation in projects, scammers provide scripts and trick users into providing funds, then use the private keys to steal the rewards and profits.
  • Victims asking for help on platforms like Discord or X are contacted by fake “official” support agents, who then guide them to phishing links where they are asked to input their private keys.

Reminder: Never disclose your private keys under any circumstances. Always seek help through official customer support channels provided on the project’s official website, and never trust third-party bots or customer service agents.

Phishing

In Q3, phishing attacks were one of the most common reasons for asset theft. Many victims reported falling for phishing links posted in the comments under tweets from well-known projects. SlowMist’s security team conducted an analysis showing that around **80% of the first comments** under project tweets are from phishing accounts. There are also websites that sell X (formerly Twitter) accounts, some of which even offer accounts that closely resemble official project accounts, making it difficult for users to distinguish real from fake.

Phishing groups often use automated bots to monitor high-profile project tweets. As soon as a project posts a tweet, the bot quickly posts a reply, occupying the top comment to gain visibility. These fake accounts look highly similar to official project accounts, so when users click on the phishing link and authorize the transaction or sign in, they may end up losing their assets.

Additionally, a significant number of theft cases stemmed from phishing websites appearing in search engine ads. For example, when users searched for Rabby Wallet on Google, the top two results were phishing ads. In some cases, these ads deceptively displayed Rabby Wallet’s official website address, but after multiple proxy changes, they redirected users to the phishing domain rebby[.]io, which frequently changed to evade detection.

In summary, do not trust any ad results from search engines. We recommend users install phishing risk blockers like **Scam Sniffer** to secure their assets and receive alerts when visiting potentially dangerous sites. Also, we encourage everyone to thoroughly read and gradually master the [Blockchain Dark Forest Self-Help Handbook](https://github.com/slowmist/Blockchain-dark-forest-selfguard-handbook/) for detailed guidance.

Fraud

Q3 also saw a sharp rise in users falling victim to fake mining pool scams. Several victims described how scammers impersonated well-known exchanges on **Telegram** to create fraudulent groups. These groups often had thousands of members, which easily lulled users into a false sense of security. Many users mistakenly believed that the number of group members was an indicator of the group’s legitimacy. While official groups do tend to have large member counts, this logic doesn’t always work in reverse.

In one notable case, scammers created a group with over 50,000 members, but the online count was fewer than 100. This is a clear indication that the group was filled with fake members (or bots), and the conversations within the group were bait to lure victims into the scam. The group was set up solely to deceive a few victims into participating in a fraudulent mining scheme.

Another type of scam involves scammers guiding users to a fraudulent platform and manipulating the platform’s data to create the illusion of profit. These so-called profits only exist in the platform’s display and do not represent actual asset increases. At this stage, the user is deceived into believing the scammer has superior investment skills. The scammer then invites the user to participate in a mining pool activity, requiring them to deposit 5% or 8% of their total USDT assets daily to “activate” the mining pool. Under the pressure of not being able to withdraw their principal unless they continue to deposit, the user keeps transferring funds to the scammer’s account.

Additionally, the number of cases involving OTC (Over-the-Counter) scams is also on the rise.

Scam Incident Descriptions:

1. Incident Description:

Purchased AVAIL tokens through WeChat, but the scammer modified the profile picture and username of the guarantor’s WeChat account, impersonating the guarantor!

2. Incident Description:

Long-term cooperation with a certain USDT merchant. This time, I chose to trade directly instead of through their OTC service. After contacting them to request U at their address, I lost contact, and they disappeared.

3. Incident Description :

I paid them in RMB, expecting a refund, but they stopped replying and scammed me for 237 USDT.

Final Thoughts

If you’ve fallen victim to cryptocurrency theft, we offer free community assistance to help evaluate your case. Simply submit the appropriate form based on the incident type (stolen funds, scam, or extortion). The hacker’s address you provide will also be shared with SlowMist InMist Lab’s Threat Intelligence Network for further risk control actions.

- Submit the Chinese form here: https://aml.slowmist.com/cn/recovery-funds.html

- Submit the English form here: https://aml.slowmist.com/recovery-funds.html

SlowMist has been deeply involved in the Anti-Money Laundering (AML) field for many years, developing a comprehensive and efficient solution that covers compliance, investigations, and audits. We are committed to fostering a healthy cryptocurrency ecosystem and providing professional services to the Web3 industry, financial institutions, regulatory bodies, and compliance departments. Our MistTrack platform offers compliance investigation services that include wallet address analysis, fund monitoring, and tracing. To date, MistTrack has accumulated over 300 million address tags, more than 1,000 address entities, 500,000+ threat intelligence data points, and 90 million+ risk addresses, providing strong protection against money laundering and ensuring digital asset security.

About SlowMist

At SlowMist, we pride ourselves on being a frontrunner in blockchain security, dedicating years to mastering threat intelligence. Our expertise is grounded in providing comprehensive security audits and advanced anti-money laundering tracking to a diverse clientele. We’ve established a robust network for threat intelligence collaboration, positioning ourselves as a key player in the global blockchain security landscape. We offer tailor-made security solutions that span from identifying threats to implementing effective defense mechanisms. This holistic approach has garnered the trust of numerous leading and recognized projects worldwide, including names like Huobi, OKX, Binance, imToken, Crypto.com, Amber Group, Klaytn, EOS, 1inch, PancakeSwap, TUSD, Alpaca Finance, MultiChain, and Cheers UP. Our mission is to ensure the blockchain ecosystem is not only innovative but also secure and reliable.

We offers a variety of services that include but are not limited to security audits, threat intelligence, defense deployment, security consultants, and other security-related services. We also offer AML (Anti-money laundering) solutions, Vulpush (Vulnerability monitoring) , SlowMist Hacked (Crypto hack archives), FireWall.x (Smart contract firewall) , Safe Staking and other SaaS products. We have partnerships with domestic and international firms such as Akamai, BitDefender, FireEye, RC², TianJi Partners, IPIP, etc.

By delivering a comprehensive security solution customized to individual projects, we can identify risks and prevent them from occurring. Our team was able to find and publish several high-risk blockchain security flaws. By doing so, we wish to help spread awareness and raise the security standards in the blockchain ecosystem.

💬Website 🐦Twitter ⌨️GitHub

--

--

SlowMist

SlowMist is a Blockchain security firm established in 2018, providing services such as security audits, security consultants, red teaming, and more.