A massive crypto wallet draining operation has been exposed, having targeted experienced crypto users and industry insiders since December 2022.
For the past 48hrs I've been unwinding a massive wallet draining operation 😳😭I don't know how big it is but since Dec 2022 it's drained 5000+ ETH and ??? in tokens / NFTs / coins across 11+ chains.Its rekt my friends & OGs who are reasonably secure.No one knows how. pic.twitter.com/MafntG7RkP
— Tay 💖 (@tayvano_) April 18, 2023
Draining over 5,000 ethereum (ETH) and an unknown amount of tokens, non-fungible tokens (NFTs), and coins across 11+ chains, this scam has left the community searching for answers.
Let’s dive into the facts and data surrounding the operation and its impact on the crypto community.
Decoding the scammers’ modus operandi
The attackers have been methodically draining keys, potentially from a cache of data obtained more than a year ago.
My best guess rn is that someone has got themselves a fatty cache of data from 1+ yr ago & is methodically draining the keys as they parse them from the treasure trove.But that's just a guess. I *don't* know.It is NOT cryptographic/entropy related tho, don't waste your time.
— Tay 💖 (@tayvano_) April 18, 2023
They exhibit distinct patterns in their theft and post-theft on-chain movement, often moving assets between multiple victims’ addresses.
Large December 2022 thefts utilized RenBridge, and the final destination for stolen assets is always bitcoin (BTC).
You might also like: The darknet’s Reddit clone makes exit scams harder
The attackers utilize centralized swappers like FixedFloat, SimpleSwap, SideShift, ChangeNOW, and LetsExchange to launder funds before moving them to privacy-focused mixers like Coinomize, Wasabi, and CryptoMixer.
6. "Out" is always a centralized swapper such as:FixedFloatSimpleSwapSideShiftChangeNOWLetsExchangeUnknown swapper @ 0xca60Other unlabeled swappers nested at BinanceLarge Dec'22 thefts used RenBridgeFinal desty is always BitcoinLTC, XRP, XMR, etc also moves to BTC.
— Tay 💖 (@tayvano_) April 18, 2023
The commonalities among victims
The victims share some common characteristics, such as having created their keys between 2014 and 2022 and being more crypto-native than most (e.g., having multiple addresses and working in the space).
Afaik, no one has determined the source of their compromise.Multiple devices have been forensic'd. Nothing.The only known commonalities are:– Keys were created btwn 2014-2022– Folks are those who are more crypto native than most (e.g. multiple addresses, work in space, etc)
— Tay 💖 (@tayvano_) April 18, 2023
This scam has not affected any newbies; it has specifically targeted experienced users with a single secret recovery phrase or private key.
To prevent such scams, the crypto community must prioritize education and awareness. Users should avoid keeping all assets in a single key or secret phrase and should migrate to hardware wallets.
Patterns in the timing of the thefts
The wallet draining operation exhibits peculiar patterns in the timing of the thefts. Many of the thefts appear to have occurred on weekends, with notable incidents on Sundays.
Large-scale thefts seem to be scripted, and the dust remaining in the original drained address has been stolen up to 80+ days after the first address was drained.
The attackers’ IPs and user agents (UAs) are quite diverse, often using VPNs, proxies, and other methods to mask their true identity.
The road ahead
By examining the scammers’ methods, commonalities among victims, timing patterns, and understanding the importance of preventive measures, the community can better safeguard its assets.
Collaboration, education, and vigilance are crucial in mitigating risks and restoring confidence in the security of digital assets.
Read more: Crypto scams escalate as CertiK reports 27 incidents in past week