On September 7, 2023, the address (0x13e382) suffered a phishing attack, resulting in a loss of more than $24 million. The attacker stole the funds, swapped them, and dispersed them across multiple addresses. In the end, 3,800 ETH of the stolen funds was transferred to Tornado.Cash in batches, 10,000 ETH was transferred to the intermediate address (0x702350), and 1,078,087 DAI remained in the intermediate address (0x4F2F02).
This is a typical phishing attack: the attacker steals user assets by tricking the victim into granting a wallet authorization or revealing private keys, and a criminal supply chain of phishing plus money laundering has formed around this technique. More and more fraud gangs, and even state-sponsored hackers, now use phishing to commit crimes in the Web3 field, which calls for everyone's attention and vigilance.
Based on tracking and analysis with SharkTeam's on-chain big data analysis platform ChainAegis (https://app.chainaegis.com/), we analyze the scam process, fund transfers and on-chain behavior of this typical phishing attack.
1. Phishing scam process
The victim address (0x13e382) authorized rETH and stETH to scammer address 1 (0x4c10a4) via ‘Increase Allowance’, an ERC-20 approval that lets the approved spender move the victim's tokens up to the granted amount.

Scammer address 1 (0x4c10a4) then transferred 9,579 stETH from the victim address (0x13e382) to scammer address 2 (0x693b72), worth approximately US$15.32 million.
Scammer address 1 (0x4c10a4) transferred 4,850 rETH from the victim address (0x13e382) to scammer address 2 (0x693b72), worth approximately US$8.41 million.
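The approval step above is where the theft is decided: once the allowance exists, the later transferFrom calls are legitimate from the token contract's point of view. The following added example (not SharkTeam or ChainAegis code) decodes the calldata of an ERC-20 `approve` / `increaseAllowance` call and flags grants that a wallet or monitoring tool should surface to the user: a spender outside a known-protocol allowlist, an unlimited allowance, or an allowance covering a large token amount. The 4-byte selectors are the standard ones for these ERC-20 / OpenZeppelin functions; the spender addresses, the allowlist and the `encode_approval` helper used to build sample calldata are constructed for the demo.

```python
"""Decode ERC-20 allowance calldata and flag risky grants.

Added example, not code from the report. Selectors are the standard
keccak256(signature)[:4] values; sample addresses and the allowlist
below are constructed placeholders, not addresses from the incident.
"""
from dataclasses import dataclass
from typing import List, Optional

SELECTORS = {
    "095ea7b3": "approve(address,uint256)",
    "39509351": "increaseAllowance(address,uint256)",
    "23b872dd": "transferFrom(address,address,uint256)",
}
ALLOWANCE_FUNCS = ("approve(address,uint256)", "increaseAllowance(address,uint256)")
UINT256_MAX = 2**256 - 1


@dataclass
class Approval:
    function: str
    spender: str
    amount: int
    unlimited: bool


def decode_approval(calldata_hex: str) -> Optional[Approval]:
    """Return the decoded allowance grant, or None if calldata is not one."""
    if calldata_hex.startswith("0x"):
        calldata_hex = calldata_hex[2:]
    data = bytes.fromhex(calldata_hex)
    if len(data) < 4:
        return None
    sig = SELECTORS.get(data[:4].hex())
    if sig not in ALLOWANCE_FUNCS:
        return None  # transferFrom or an unrelated call: nothing granted here
    args = data[4:]
    if len(args) != 64:
        raise ValueError("malformed ABI payload: expected two 32-byte words")
    # ABI words are 32 bytes; an address occupies the low 20 bytes of word 0
    spender = "0x" + args[12:32].hex()
    amount = int.from_bytes(args[32:64], "big")
    return Approval(sig, spender, amount, amount == UINT256_MAX)


def assess(approval: Approval, trusted_spenders: List[str],
           token_decimals: int = 18, large_threshold: int = 100) -> List[str]:
    """List the reasons this grant deserves the user's or an analyst's attention."""
    reasons = []
    trusted = {s.lower() for s in trusted_spenders}
    if approval.spender.lower() not in trusted:
        reasons.append("spender is not a known protocol router/contract")
    if approval.unlimited:
        reasons.append("unlimited allowance")
    else:
        tokens = approval.amount / 10**token_decimals
        if tokens >= large_threshold:
            reasons.append(f"allowance covers {tokens:,.0f} tokens")
    return reasons


def encode_approval(selector: str, spender: str, amount: int) -> str:
    """Build sample calldata (constructed input for the demo only)."""
    addr = spender[2:] if spender.startswith("0x") else spender
    return "0x" + selector + addr.rjust(64, "0") + format(amount, "064x")


if __name__ == "__main__":
    # Constructed placeholders: 0x11..11 stands for a known router, 0xee..ee is unknown.
    known_router = "0x" + "11" * 20
    unknown_spender = "0x" + "ee" * 20
    sample = encode_approval("39509351", unknown_spender, 9_579 * 10**18)
    grant = decode_approval(sample)
    for reason in assess(grant, [known_router]):
        print("WARN:", reason)
```

In a wallet this check would run before the user signs; in monitoring, it would run over the pending or confirmed approval transactions of watched addresses, with the allowlist maintained from the protocols the user actually interacts with.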


2. Tracking of fund transfers
2.1 Funds Exchange
The stolen stETH and rETH were converted into ETH. Starting in the early morning of 2023-09-07, scammer address 2 (0x693b72) carried out multiple swap transactions on Uniswap V2, Uniswap V3 and Curve, converting all 9,579 stETH and 4,850 rETH into a total of 14,783.9413 ETH.
(1) stETH exchange:

(2) rETH exchange:

Part of the ETH was exchanged for DAI: scammer address 2 (0x693b72) swapped 1,000 ETH for 1,635,047.761675421713685327 DAI on Uniswap V3.

2.2 Funds Transfer
The scammers split the stolen funds across multiple intermediate wallet addresses, totaling 1,635,139 DAI and 13,785 ETH: 1,785 ETH went to the intermediate address (0x4F2F02), 2,000 ETH to the intermediate address (0x2ABdC2), and 10,000 ETH to the intermediate address (0x702350). In addition, the intermediate address (0x4F2F02) received 1,635,139 DAI the next day.
2.2.1 Fund transfer to intermediate wallet address (0x4F2F02)
This address received 1,785 ETH and 1,635,139 DAI through one layer of fund transfer.
(1) DAI split across multiple destinations, with a small amount converted to ETH
First, in the early morning of September 7, 2023, the scammers began moving 529,000 DAI out in 10 transactions. The first 7 transactions, totaling 452,000 DAI, went from the intermediate address to 0x4E5B2e (FixedFloat); the 8th went to 0x6cC5F6 (OKX); and the last 2, totaling 77,000 DAI, went to 0xf1dA17 (eXch).
Secondly, on September 10, 28,052 DAI was exchanged for 17.3 ETH through Uniswap V2.
After these transfers, the address still held 1,078,087 DAI of stolen funds.

(2) ETH Funds Transfer

From September 8 to September 11, the scammers transferred all 1,800 ETH to Tornado.Cash in 18 transactions.
2.2.2 Funds transfer to the intermediate address (0x2ABdC2)
This address received 2,000 ETH through one layer of fund transfer. First, on September 11, it transferred 2,000 ETH to the intermediate address (0x71C848).
Subsequently, the intermediate address (0x71C848) moved the funds to Tornado.Cash in two batches, on September 11 and October 1, totaling 20 transactions of 100 ETH each, i.e. 2,000 ETH in total.

2.2.3 Funds transfer to the intermediate address (0x702350)
This address received 10,000 ETH through one layer of fund transfer. As of October 08, 2023, the 10,000 ETH is still held at this address and has not been moved.
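Section 2 is, in effect, a hop-by-hop walk of the transfer graph from scammer address 2, with a net balance kept per intermediate address and every destination checked against an entity tag (mixer, exchange, DEX). The following added example (not ChainAegis or SharkTeam code) shows that procedure on a constructed, simplified ledger built from the figures stated in sections 2.1 and 2.2: each row collapses the individual transactions into one transfer, only transfers whose amounts the report gives are included, and the swap on Uniswap V2 is modelled as two legs. The entity labels are an assumed tagging table of the kind an analyst would maintain.

```python
"""Trace stolen funds through intermediate wallets to tagged endpoints.

Added example, not code from the report. LEDGER is a constructed,
simplified version of the flows in section 2 (transaction counts
collapsed; only amounts the report states). LABELS is an assumed
entity-tagging table.
"""
from collections import defaultdict, deque
from decimal import Decimal
from typing import Dict, List, NamedTuple, Tuple


class Transfer(NamedTuple):
    src: str
    dst: str
    token: str
    amount: Decimal


# Constructed ledger: truncated addresses as written in the report.
LEDGER: List[Transfer] = [
    Transfer("0x693b72", "0x4F2F02", "ETH", Decimal("1785")),
    Transfer("0x693b72", "0x2ABdC2", "ETH", Decimal("2000")),
    Transfer("0x693b72", "0x702350", "ETH", Decimal("10000")),
    Transfer("0x693b72", "0x4F2F02", "DAI", Decimal("1635139")),
    Transfer("0x4F2F02", "0x4E5B2e", "DAI", Decimal("452000")),   # FixedFloat, 7 txs
    Transfer("0x4F2F02", "0xf1dA17", "DAI", Decimal("77000")),    # eXch, 2 txs
    Transfer("0x4F2F02", "UniswapV2", "DAI", Decimal("28052")),   # swap leg out
    Transfer("UniswapV2", "0x4F2F02", "ETH", Decimal("17.3")),    # swap leg in
    Transfer("0x4F2F02", "Tornado.Cash", "ETH", Decimal("1800")), # 18 txs
    Transfer("0x2ABdC2", "0x71C848", "ETH", Decimal("2000")),
    Transfer("0x71C848", "Tornado.Cash", "ETH", Decimal("2000")), # 20 x 100 ETH
]

# Assumed entity tags; a real analyst database would hold full addresses.
LABELS: Dict[str, str] = {
    "Tornado.Cash": "mixer",
    "0x4E5B2e": "exchange",   # FixedFloat
    "0x6cC5F6": "exchange",   # OKX
    "0xf1dA17": "exchange",   # eXch
    "UniswapV2": "dex",
}


def trace(ledger: List[Transfer], origin: str, max_hops: int = 5) -> Dict[str, int]:
    """Breadth-first walk along outgoing transfers; returns {address: hop count}."""
    outgoing = defaultdict(list)
    for t in ledger:
        outgoing[t.src].append(t.dst)
    hops = {origin: 0}
    queue = deque([origin])
    while queue:
        cur = queue.popleft()
        if hops[cur] >= max_hops:
            continue
        for nxt in outgoing[cur]:
            if nxt not in hops:          # first visit is the shortest path
                hops[nxt] = hops[cur] + 1
                queue.append(nxt)
    return hops


def net_balances(ledger: List[Transfer]) -> Dict[Tuple[str, str], Decimal]:
    """Net position per (address, token) implied by the ledger alone."""
    bal = defaultdict(Decimal)
    for t in ledger:
        bal[(t.src, t.token)] -= t.amount
        bal[(t.dst, t.token)] += t.amount
    return dict(bal)


def terminal_flows(ledger: List[Transfer], labels: Dict[str, str]) -> Dict[Tuple[str, str], Decimal]:
    """Amount per (entity kind, token) that ended at a mixer or an exchange."""
    totals = defaultdict(Decimal)
    for t in ledger:
        kind = labels.get(t.dst)
        if kind in ("mixer", "exchange"):
            totals[(kind, t.token)] += t.amount
    return dict(totals)


def unmoved(ledger: List[Transfer], labels: Dict[str, str]) -> Dict[Tuple[str, str], Decimal]:
    """Untagged addresses still holding a positive balance: candidates for monitoring."""
    return {k: v for k, v in net_balances(ledger).items()
            if v > 0 and k[0] not in labels}


if __name__ == "__main__":
    for addr, hop in sorted(trace(LEDGER, "0x693b72").items(), key=lambda kv: kv[1]):
        print(f"hop {hop}: {addr}")
    print("reached services:", terminal_flows(LEDGER, LABELS))
    print("still held:", unmoved(LEDGER, LABELS))
```

The `unmoved` output is what a blacklist and real-time monitor would be seeded with: the addresses that still hold funds are the ones where a later movement (to an exchange deposit address, for example) can still be acted on.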
3. Source of fraud funds
Analysis of the historical transactions of scammer address 1 (0x4c10a4) and scammer address 2 (0x693b72) shows that an EOA address (0x846317) transferred 1.353 ETH to scammer address 2 (0x693b72), and that the funds of this EOA address traced back to the hot wallet addresses of the centralized exchanges KuCoin and Binance.
4. Summary
On-chain data analysis on the ChainAegis (https://app.chainaegis.com/) platform presents simply and clearly the entire on-chain fraud process of the phishing scammers, as well as the current status of the stolen funds. After stealing the funds from the victim address, the scammers carried out a series of swaps and fund transfers, as shown in the figure below. In total, two fraud addresses were involved, scammer address 1 (0x4c10a4) and scammer address 2 (0x693b72), and four intermediate addresses: (0x4F2F02), (0x2ABdC2), (0x702350) and (0x71C848). All of them have been added to the ChainAegis blacklist address library, and the intermediate addresses are monitored in real time.
About Us
SharkTeam's vision is to protect the security of the Web3 world. The team is composed of experienced security professionals and senior researchers from all over the world, who are proficient in the underlying theories of blockchain and smart contracts. It provides services including on-chain big data analysis, on-chain risk warning, smart contract auditing, and crypto asset recovery, and has created the on-chain big data analysis and risk warning platform ChainAegis. The platform supports unlimited levels of deep graph analysis and can effectively combat Advanced Persistent Theft (APT) risks in the Web3 world. It has established long-term cooperative relationships with key players in various fields of the Web3 ecosystem, such as Polkadot, Moonbeam, Polygon, OKX, Huobi Global, imToken, ChainIDE, etc.
Official website: https://www.sharkteam.org
