Small Bait, Big Fish| Unveiling the 1155 WBTC Phishing Incident
Background
On May 3, according to the monitoring by Web3 anti-scam platform Scam Sniffer, a major whale fell victim to a phishing attack using addresses with matching beginning and end digits, resulting in the theft of 1155 WBTC, valued at approximately $70 million. While this type of phishing method has been known for some time, the magnitude of the losses in this incident was nonetheless shocking. This article will analyze the key aspects of the same-beginning-and-end-digits address phishing attack, track the flow of the funds, profile the hacker, and offer recommendations for preventing such phishing incidents.
Key Points of the Attack
Victim’s Address:
0x1E227979f0b5BC691a70DEAed2e0F39a6F538FD5
Victim’s Intended Transfer Address:
0xd9A1b0B1e1aE382DbDc898Ea68012FfcB2853a91
Phishing Address:
0xd9A1C3788D81257612E2581A6ea0aDa244853a91
1. Generating Phishing Addresses: The hacker preemptively generated a large number of phishing addresses. By deploying batch programs in a distributed manner and monitoring on-chain user activities, they launched a phishing attack using addresses that matched the victim’s intended transfer address in the first 4 and the last 6 digits (after removing the “0x”).
2. Following Transactions: After the user initiated a transfer, the hacker immediately used the generated phishing address to follow with a transaction (sending 0 ETH to the user’s address) approximately 3 minutes later. This transaction then appeared in the user’s transaction history.
3. Cast The Bait: Users often copy the most recent transaction details from their wallet’s history. Seeing the follow-up phishing transaction and not thoroughly checking the address copied, the victim mistakenly sent 1155 WBTC to the phishing address!
MistTrack Analysis
Using the on-chain tracking tool MistTrack, it was discovered that the hacker had exchanged the 1155 WBTC for 22955 ETH and transferred them to the following 10 addresses:
On May 7, the hacker began moving the ETH from these 10 addresses. The pattern of fund transfers generally involved leaving no more than 100 ETH in the current address, then roughly evenly splitting the remaining funds before transferring them to the next layer of addresses. Currently, these funds have not been exchanged for other cryptocurrencies or moved to any platforms. The following image shows the fund movement situation at the address 0x32ea020a7bb80c5892df94c6e491e8914cce2641. Open the link in a browser to view a high-resolution image:
Continuing our investigation with MistTrack, we explored the initial phishing address from the incident, 0xd9A1C3788D81257612E2581A6ea0aDa244853a91, and discovered that its transaction fees were sourced from 0xdcddc9287e59b5df08d17148a078bd181313eacc.
Upon investigating this fee address, we observed that from April 19 to May 3, this address initiated over twenty thousand small transactions, distributing small amounts of ETH to various addresses for phishing purposes.
The pattern revealed in the image above indicates that the hacker employed a widespread net approach, suggesting multiple victims. Through extensive scanning, we also identified other related phishing incidents.
Using the address 0xbba8a3cc45c6b28d823ca6e6422fbae656d103a6 from the second incident as an example and tracing its transaction fee addresses upwards, we found overlap with the fee origin address from the 1155 WBTC phishing incident, indicating they are likely operated by the same hacker.
Further analysis of the hacker’s movement of other illicit gains (from the end of March to present) revealed another laundering pattern: converting ETH on-chain funds into Monero or transferring them across chains to Tron and then into suspected OTC addresses. This suggests a possibility that the hacker may use the same method to move the funds obtained from the 1155 WBTC phishing incident.
Hacker Profile
Based on the threat intelligence network of SlowMist, we have identified several IPs suspected to be used by the hacker, originating from mobile stations in Hong Kong (the use of VPNs has not been ruled out):
- 182.xxx.xxx.228
- 182.xxx.xx.18
- 182.xxx.xx.51
- 182.xxx.xxx.64
- 182.xxx.xx.154
- 182.xxx.xxx.199
- 182.xxx.xx.42
- 182.xxx.xx.68
- 182.xxx.xxx.66
- 182.xxx.xxx.207
It is noteworthy that even after stealing 1155 WBTC, the hacker does not seem to have any intention of ceasing their criminal activities.
Following up on the previous collection of three initial phishing addresses (which provide transaction fees to numerous phishing addresses), a common characteristic is that the amount of the last transaction is significantly larger than previous ones. This indicates the hacker’s method of deactivating current addresses and transferring funds to new phishing addresses, with the three newly activated addresses still frequently transferring funds.
In subsequent large-scale scans, we identified two deactivated parent addresses linked to this hacker, which we will not detail further here:
- 0xa5cef461646012abd0981a19d62661838e62cf27
- 0x2bb7848Cf4193a264EA134c66bEC99A157985Fb8
As the investigation progressed, we questioned the source of the hacker’s ETH chain funds. After tracking by the SlowMist security team, it was found that the hacker initially conducted similar end-to-end digit phishing attacks on the Tron network. After profiting there, they targeted Ethereum chain users, transferring the proceeds from Tron to start phishing on the Ethereum chain. Below is an example of the hacker’s phishing activity on the Tron network:
On May 4, a victim communicated the following message to the hacker on the blockchain: “You’ve won, brother. You can keep 10% and return the 90%. We can act like nothing happened. We both know $7 million is enough to live very comfortably, but $70 million will keep you up at night.”
On May 5, the victim continued to publicly call out to the hacker on the blockchain, but has not yet received a response.
How to Defend Against Phishing Attacks
Use of Whitelisting Mechanism: It is advisable for users to save trusted addresses in their wallet’s address book. For future transactions, users can select the target address directly from the wallet’s address book, which reduces the risk of sending funds to a malicious address.
Enable Small Transaction Filtering in Wallets: Users should consider enabling the small transaction filtering feature in their wallets to block zero-value transactions, which are commonly used in phishing. The SlowMist security team analyzed such phishing techniques in 2022. Interested readers can view their reports on “Beware of TransferFrom Zero Transaction Scams” and “Beware of Same-End-Digit Airdrop Scams”.
Carefully Verify Addresses: Users should verify not only the first 6 digits after the “0x” but also the last 8 digits of the address before confirming a transaction. Ideally, every digit of the address should be checked to ensure its accuracy.
Test with Small Transactions: If the wallet in use only displays the first and last 4 digits of an address, consider making a small test transaction first. This method limits potential losses if the address is incorrect or malicious.
Summary
This article has discussed phishing attacks that exploit addresses with matching beginning and end digits, analyzed the characteristics and fund transfer patterns of the hacker, and provided recommendations for preventing such attacks. The SlowMist security team reminds users that because blockchain operations are irreversible and blockchain data is immutable, it is crucial to meticulously verify addresses before conducting any transactions to avoid asset loss.
Disclaimer
The content of this article is supported by data from the anti-money laundering tracking system, MistTrack, and aims to analyze publicly available addresses and disclose the results of such analyses. However, due to the inherent characteristics of blockchain technology, we cannot guarantee the absolute accuracy of all data and cannot be held liable for any errors, omissions, or losses resulting from the use of this content. Additionally, this article does not constitute a stance or basis for further analysis.
About SlowMist
At SlowMist, we pride ourselves on being a frontrunner in blockchain security, dedicating years to mastering threat intelligence. Our expertise is grounded in providing comprehensive security audits and advanced anti-money laundering tracking to a diverse clientele. We’ve established a robust network for threat intelligence collaboration, positioning ourselves as a key player in the global blockchain security landscape. We offer tailor-made security solutions that span from identifying threats to implementing effective defense mechanisms. This holistic approach has garnered the trust of numerous leading and recognized projects worldwide, including names like Huobi, OKX, Binance, imToken, Crypto.com, Amber Group, Klaytn, EOS, 1inch, PancakeSwap, TUSD, Alpaca Finance, MultiChain, and Cheers UP. Our mission is to ensure the blockchain ecosystem is not only innovative but also secure and reliable.
We offers a variety of services that include but are not limited to security audits, threat intelligence, defense deployment, security consultants, and other security-related services. We also offer AML (Anti-money laundering) solutions, Vulpush (Vulnerability monitoring) , SlowMist Hacked (Crypto hack archives), FireWall.x (Smart contract firewall) , Safe Staking and other SaaS products. We have partnerships with domestic and international firms such as Akamai, BitDefender, FireEye, RC², TianJi Partners, IPIP, etc.
By delivering a comprehensive security solution customized to individual projects, we can identify risks and prevent them from occurring. Our team was able to find and publish several high-risk blockchain security flaws. By doing so, we wish to help spread awareness and raise the security standards in the blockchain ecosystem.
