By: Liz & Zero & Keywolf

Background

On May 3, according to monitoring by the Web3 anti-fraud platform Scam Sniffer, a whale fell victim to a "same first and last characters" address phishing attack (also known as address poisoning) and lost 1,155 WBTC, worth about 70 million US dollars. Although this phishing technique has been around for a long time, the size of the loss in this incident is still shocking. This article analyzes the key points of same-first-and-last-characters address phishing, where the funds went, the characteristics of the hacker, and offers suggestions for preventing this kind of phishing attack.

https://twitter.com/realScamSniffer/status/1786374327740543464

Attack key points

Victim's Address:

0x1E227979f0b5BC691a70DEAed2e0F39a6F538FD5

The victim's intended transfer address:

0xd9A1b0B1e1aE382DbDc898Ea68012FfcB2853a91

Phishing address:

0xd9A1C3788D81257612E2581A6ea0aDa244853a91

1. Generating a colliding phishing address: The hacker generates a large number of candidate phishing addresses in advance. Batch programs deployed across many machines then watch on-chain activity of target users and, for each intended transfer address observed, pick a phishing address whose first and last characters match it. In this incident, the hacker used an address whose first 4 and last 6 hex characters (after removing the 0x prefix) were identical to those of the victim's intended transfer address.

2. Tailing transactions: Right after the user makes a transfer (about 3 minutes later in this case), the hacker uses the colliding phishing address to send a "tail" transaction of 0 ETH to the user's address, so that the phishing address shows up in the user's transaction history.

https://etherscan.io/txs?a=0x1E227979f0b5BC691a70DEAed2e0F39a6F538FD5&p=2

3. Taking the bait: Users are accustomed to copying the recipient of a recent transfer from the wallet's history. Seeing this tailing phishing transaction, the victim copied the address without carefully checking that it was the right one, and 1,155 WBTC were mistakenly transferred to the phishing address.

MistTrack Analysis

Analysis with the on-chain tracking tool MistTrack found that the hacker had swapped the 1,155 WBTC for 22,955 ETH and spread it across 10 addresses (listed in the original figure).

On May 7, the hacker began moving the ETH out of these 10 addresses. The transfer pattern was consistent: no more than 100 ETH is left in the current address, and the remainder is split into roughly equal parts and sent on to the next layer of addresses. So far, these funds have not been swapped for other currencies or deposited to any platform. The following figure shows the fund flow from 0x32ea020a7bb80c5892df94c6e491e8914cce2641. Open the link in a browser to view the high-resolution picture:

https://misttrack.io/s/1cJlL

We then used MistTrack to query the initial phishing address in this incident, 0xd9A1C3788D81257612E2581A6ea0aDa244853a91, and found that the source of this address's transaction fees was 0xdcddc9287e59b5df08d17148a078bd181313eacc.

https://dashboard.misttrack.io/address/WBTC-ERC20/0xd9A1C3788D81257612E2581A6ea0aDa244853a91

Following up on the fee address, we can see that between April 19 and May 3 it initiated more than 20,000 small transactions, distributing small amounts of ETH to many different addresses to fund phishing.

https://etherscan.io/address/0xdcddc9287e59b5df08d17148a078bd181313eacc

From this transaction record we can see that the hacker cast a wide net, so there is almost certainly more than one victim. Through large-scale scanning we also found other related phishing incidents; the following are some examples:

Taking the phishing address 0xbba8a3cc45c6b28d823ca6e6422fbae656d103a6 from the second incident in the above figure as an example, we traced its fee address upwards and found that these addresses overlap with the fee addresses traced in the 1,155 WBTC phishing incident, so it should be the same hacker.

By analyzing how the hacker moved other stolen funds (from the end of March to now), we also concluded that another of the hacker's laundering patterns is to convert funds on the ETH chain into Monero, or to bridge them to Tron and then transfer them to a suspected OTC address. It is therefore possible that the hacker will use the same method to move the proceeds of the 1,155 WBTC phishing incident in the future.

Hacker Characteristics

According to SlowMist's threat intelligence network, we found mobile base station IP addresses in Hong Kong that were suspected to have been used by the hacker (the use of a VPN cannot be ruled out):

  • 182.xxx.xxx.228

  • 182.xxx.xx.18

  • 182.xxx.xx.51

  • 182.xxx.xxx.64

  • 182.xxx.xx.154

  • 182.xxx.xxx.199

  • 182.xxx.xx.42

  • 182.xxx.xx.68

  • 182.xxx.xxx.66

  • 182.xxx.xxx.207

It is worth noting that even after stealing 1,155 WBTC, the hacker did not appear to intend to stop.

Following up on the three phishing "parent" addresses collected earlier (the addresses used to fund transaction fees for many phishing addresses), their common feature is that the amount of their last transaction is significantly larger than the previous ones. This is the hacker retiring the current parent address and moving its funds to a new phishing parent address. At present, the three newly activated addresses are still transferring funds at a high frequency.

https://etherscan.io/address/0xa84aa841e2a9bdc06c71438c46b941dc29517312

In subsequent large-scale scans, we discovered two more retired phishing parent addresses. After tracing their sources, we found that they were also associated with the hacker; we will not go into the details here.

  • 0xa5cef461646012abd0981a19d62661838e62cf27

  • 0x2bb7848Cf4193a264EA134c66bEC99A157985Fb8

At this point, one question remains: where did the hacker's funds on the ETH chain originally come from? After tracking and analysis by the SlowMist security team, we found that the hacker first carried out same-first-and-last-characters address phishing on Tron. After profiting there, the hacker turned to users on the ETH chain and moved the Tron proceeds to the ETH chain to fund the new phishing campaign. The following figure is an example of the hacker's phishing on Tron:

https://tronscan.org/#/address/TY3QQP24RCHgm5Qohcfu1nHJknVA1XF2zY/transfers

On May 4, the victim sent the following on-chain message to the hacker: "You win brother, you can keep 10% and return 90%, and we can pretend nothing happened. We all know that $7 million is enough for you to live well, but $70 million will make you sleep poorly."

On May 5, the victim continued to appeal to the hacker on-chain, but has not yet received a response.

https://etherscan.io/idm?addresses=0x1e227979f0b5bc691a70deaed2e0f39a6f538fd5,0xd9a1c3788d81257612e2581a6ea0ada244853a91&type=1

How to defend

  • Whitelist mechanism: Save the intended recipient in the wallet's address book and select it from there the next time you transfer, instead of copying an address from the transaction history.

  • Turn on the wallet's small-amount filtering function: Enable the wallet's small-amount (dust) filter to hide zero-value transfers like these and reduce the risk of phishing. The SlowMist security team analyzed this type of phishing in 2022; interested readers can follow the links (SlowMist: Beware of TransferFrom zero transfer scam, SlowMist: Beware of the same tail number airdrop scam).

  • Carefully check the address: When confirming an address, check at least the first 6 and the last 8 hex characters after the leading 0x. Of course, it is best to check every character.

  • Small transfer test: If the wallet you use only displays the first 4 and last 4 characters of an address by default, and you insist on using that wallet, consider sending a small test transfer first. If you are unlucky enough to be caught, the loss will only be minor.
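The following is an added example, written for this article and not code from SlowMist or MistTrack, that turns the attack steps above (a 0-value "tail" transfer from an address sharing the first 4 and last 6 characters of a saved counterparty) and the defensive advice (address book, zero-transfer filtering, checking at least the first 6 and last 8 characters) into two wallet-side checks. It uses the three addresses from this incident; the transaction history and the address-book entry name are constructed sample data.

```python
"""
Added example (not SlowMist's or MistTrack's code): wallet-side checks
against "same first and last characters" address poisoning.

  1. flag_poisoning_candidates(): scan a transaction history for
     zero-value incoming transfers from addresses that mimic a saved
     counterparty (same prefix/suffix, different address).
  2. verify_destination(): before sending, require an exact match
     against the address book and explain a near-miss.

Addresses are the ones from the incident; HISTORY and ADDRESS_BOOK are
constructed sample data.
"""
from dataclasses import dataclass

VICTIM = "0x1E227979f0b5BC691a70DEAed2e0F39a6F538FD5"
INTENDED = "0xd9A1b0B1e1aE382DbDc898Ea68012FfcB2853a91"
POISON = "0xd9A1C3788D81257612E2581A6ea0aDa244853a91"


@dataclass
class Tx:
    frm: str
    to: str
    value_wei: int
    token: str  # "ETH" or a token symbol


def norm(addr: str) -> str:
    """Lower-case 40-char hex body without 0x; raises on malformed input."""
    a = addr.lower()
    if a.startswith("0x"):
        a = a[2:]
    if len(a) != 40 or any(c not in "0123456789abcdef" for c in a):
        raise ValueError(f"not a 20-byte hex address: {addr}")
    return a


def looks_alike(a: str, b: str, prefix: int = 4, suffix: int = 6) -> bool:
    """True if a and b agree on the first `prefix` and last `suffix` hex
    characters but are different addresses. The defaults are what the
    hacker matched in this incident (4 leading, 6 trailing after 0x)."""
    x, y = norm(a), norm(b)
    return x != y and x[:prefix] == y[:prefix] and x[-suffix:] == y[-suffix:]


def flag_poisoning_candidates(history, address_book, wallet):
    """Return (tx, saved_name) pairs for zero-value transfers into the wallet
    whose sender mimics an address-book entry: the tailing-transaction pattern."""
    w = norm(wallet)
    flagged = []
    for tx in history:
        if norm(tx.to) != w or tx.value_wei != 0:
            continue
        for name, saved in address_book.items():
            if looks_alike(tx.frm, saved):
                flagged.append((tx, name))
    return flagged


def verify_destination(candidate, address_book):
    """Return (ok, message); ok only on an exact match with a saved address."""
    c = norm(candidate)
    for name, saved in address_book.items():
        if norm(saved) == c:
            return True, f"exact match: {name}"
    for name, saved in address_book.items():
        if looks_alike(candidate, saved):
            s = norm(saved)
            diff = [i for i in range(40) if s[i] != c[i]]
            return False, (f"look-alike of '{name}': differs at {len(diff)} positions, "
                           f"first at hex char {diff[0] + 1} after 0x")
    return False, "address not in address book"


# Constructed history modelled on the incident: the victim's real transfer to
# the intended address, then the 0 ETH "tail" transfer from the look-alike.
HISTORY = [
    Tx(frm=VICTIM, to=INTENDED, value_wei=10**18, token="ETH"),
    Tx(frm=POISON, to=VICTIM, value_wei=0, token="ETH"),
]
ADDRESS_BOOK = {"exchange deposit": INTENDED}  # constructed entry name

if __name__ == "__main__":
    for tx, name in flag_poisoning_candidates(HISTORY, ADDRESS_BOOK, VICTIM):
        print(f"WARNING: 0-value tx from {tx.frm} mimics saved '{name}'")
    print(verify_destination(POISON, ADDRESS_BOOK))
    print(verify_destination(INTENDED, ADDRESS_BOOK))
```

Note that `looks_alike(POISON, INTENDED, prefix=6, suffix=8)` returns False: the phishing address agrees with the intended one only on 4 leading and 6 trailing characters, so the manual check recommended above (first 6, last 8) would have exposed the mismatch in this incident. A wallet that hides zero-value incoming transfers, as the small-amount filter does, removes the poisoned entry from the history the user copies from in the first place.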

Summary

This article has described the same-first-and-last-characters address phishing technique, analyzed the hacker's characteristics and fund-transfer patterns, and offered suggestions for preventing this kind of attack. The SlowMist Security Team reminds readers that because blockchain records cannot be tampered with and on-chain operations are irreversible, you should carefully verify the address before performing any operation, to avoid losing assets.

Disclaimer

The content of this article is based on data from the anti-money-laundering tracking system MistTrack and is intended to analyze publicly available addresses and disclose the results of that analysis. However, owing to the nature of blockchain data, we cannot guarantee the absolute accuracy of all data, nor can we accept responsibility for errors, omissions, or losses arising from use of the content of this article. This article also does not constitute the basis for any position or other analysis.