Source: SlowMist Technology – “Revealing the WBTC Phishing Incident: How a Small Investment Led to a Big Catch”
Authors: Liz & Zero & Keywolf
Background
On May 3rd, according to monitoring by the Web3 anti-fraud platform Scam Sniffer, a whale fell victim to a phishing attack that used an address with the same prefix and suffix as their intended recipient, and lost 1155 WBTC, worth approximately 70 million USD. Although this phishing method has been around for a while, the magnitude of the loss in this incident is still shocking. This article analyzes the key points of same-prefix-and-suffix address phishing, the flow of the stolen funds and the hacker's characteristics, and gives suggestions for preventing such attacks.
(https://twitter.com/realScamSniffer/status/1786374327740543464)
Victim’s Address: 0x1E227979f0b5BC691a70DEAed2e0F39a6F538FD5
Victim’s Target Transfer Address: 0xd9A1b0B1e1aE382DbDc898Ea68012FfcB2853a91
Phishing Address: 0xd9A1C3788D81257612E2581A6ea0aDa244853a91
Key Points of the Attack
1. Collision to Generate a Phishing Address: The hacker pre-generates a large number of candidate addresses and runs the generation as distributed batch jobs. Watching users' on-chain activity, they then launch phishing attempts from an address whose prefix and suffix match the target transfer address. In this incident, the phishing address shared the first 4 digits and the last 6 digits (excluding the “0x”) with the victim's target transfer address.
2. Trailing Transaction: Shortly after a user makes a transfer (in this case approximately 3 minutes later), the hacker trails it by sending 0 ETH from the matching phishing address to the user's address. The phishing address thereby appears in the user's transaction history.
(https://etherscan.io/txs?a=0x1E227979f0b5BC691a70DEAed2e0F39a6F538FD5&p=2)
3. Falling into the Trap: Because the user was in the habit of copying recent transfer details from the wallet's transaction history, when they saw the trailing phishing transaction they did not carefully check whether they had copied the correct address. As a result, they mistakenly transferred 1155 WBTC to the phishing address.
MistTrack Analysis
Using the on-chain tracking tool MistTrack, we found that the hacker exchanged the 1155 WBTC for 22955 ETH and transferred it to the following 10 addresses.
On May 7th, the hacker began to transfer the ETH from these 10 addresses. The pattern of fund transfers is characterized by leaving no more than 100 ETH in the current address and roughly evenly splitting the remaining funds before transferring them to the next layer of addresses. Currently, these funds have not been converted into other currencies or transferred to platforms. The following image shows the fund transfer situation on 0x32ea020a7bb80c5892df94c6e491e8914cce2641. Click the link in a browser to view the high-resolution image.
(https://misttrack.io/s/1cJlL)
Next, we used MistTrack to query the initial phishing address 0xd9A1C3788D81257612E2581A6ea0aDa244853a91 and found that the source of transaction fees for this address is 0xdcddc9287e59b5df08d17148a078bd181313eacc.
(https://dashboard.misttrack.io/address/WBTC-ERC20/0xd9A1C3788D81257612E2581A6ea0aDa244853a91)
By following the transaction fee address, we can see that this address initiated tens of thousands of small transactions between April 19th and May 3rd, distributing small amounts of ETH to different addresses for phishing purposes.
(https://etherscan.io/address/0xdcddc9287e59b5df08d17148a078bd181313eacc)
Based on the above image, we can see that the hacker adopted a wide-net approach, indicating that there is more than one victim. Through large-scale scanning, we also found other related phishing incidents. Here are some examples:
Taking the phishing address 0xbba8a3cc45c6b28d823ca6e6422fbae656d103a6 from the second incident in the above image as an example, by tracing back the transaction fee addresses, we found that these addresses overlap with the transaction fee source address of the 1155 WBTC phishing incident, indicating that they belong to the same hacker.
Through analyzing the hacker’s transfer of other ill-gotten funds (since the end of March), we have also concluded that another money laundering characteristic of the hacker is converting ETH on the Ethereum chain to Monero or cross-chain transferring to Tron, and then transferring to suspected OTC addresses. Therefore, it is possible that the hacker will use the same method to transfer the ill-gotten funds from the 1155 WBTC phishing incident.
Hacker Characteristics
According to SlowMist's threat intelligence network, the hacker used the following suspicious mobile base station IPs in Hong Kong (the use of a VPN cannot be ruled out):
182.xxx.xxx.228
182.xxx.xx.18
182.xxx.xx.51
182.xxx.xxx.64
182.xxx.xx.154
182.xxx.xxx.199
182.xxx.xx.42
182.xxx.xx.68
182.xxx.xxx.66
182.xxx.xxx.207
It is worth noting that even after stealing 1155 WBTC, it seems that the hacker has no intention of disappearing.
By following the three mother addresses of the phishing addresses (the addresses that supply transaction fees to many phishing addresses), we found a common characteristic: the last outgoing transaction is significantly larger than the previous ones. This is the hacker retiring the current mother address and moving its funds to a new one. The three newly activated addresses are currently still making frequent transfers.
(https://etherscan.io/address/0xa84aa841e2a9bdc06c71438c46b941dc29517312)
During a large-scale scan, we also found two deactivated mother addresses of phishing addresses, and tracing them revealed their association with the hacker. This will not be further discussed here.
0xa5cef461646012abd0981a19d62661838e62cf27
0x2bb7848Cf4193a264EA134c66bEC99A157985Fb8
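The three fund-flow patterns described above (a fee-source address fanning small amounts out to many recipients, a layering hop that leaves at most 100 ETH and splits the rest roughly evenly, and the oversized final transfer that retires a mother address) are easy to turn into tracing heuristics. The following is an added example, not MistTrack's or SlowMist's code; its thresholds (0.01 ETH for a "small" transfer, 50 distinct recipients, a 10x jump for the rotation transfer, 10% tolerance for "roughly even") and its transfer lists are constructed for the example, not taken from the incident data.

```python
"""Fund-flow heuristics in the spirit of the MistTrack analysis above.

Added example, not MistTrack's or SlowMist's code. Each function checks one
pattern the article describes. All thresholds are assumptions chosen for
the example, and the sample transfer lists are constructed.
"""
from statistics import mean

ETH = 10**18  # wei per ETH


def is_fee_funder(outgoing, max_amount=10**16, min_recipients=50, min_share=0.9):
    """outgoing: list of (recipient, value_wei) sent by one address.
    Flags the profile of a fee-source ('mother') address: most transfers are
    small (<= max_amount, an assumed 0.01 ETH) and go to many distinct recipients."""
    if not outgoing:
        return False
    small = [r for r, v in outgoing if v <= max_amount]
    distinct = len({r.lower() for r in small})
    return distinct >= min_recipients and len(small) / len(outgoing) >= min_share


def is_layering_hop(balance_before, outgoing_values, max_residue=100 * ETH, tolerance=0.1):
    """True when an address forwards its balance in roughly equal parts and
    keeps at most max_residue (the 'no more than 100 ETH left' pattern).
    'Roughly equal' means every output lies within tolerance of the mean."""
    if not outgoing_values:
        return False
    residue = balance_before - sum(outgoing_values)
    if residue < 0 or residue > max_residue:
        return False
    avg = mean(outgoing_values)
    return all(abs(v - avg) <= tolerance * avg for v in outgoing_values)


def rotation_successor(outgoing, factor=10):
    """If the last transfer is at least `factor` times larger than every
    earlier one, return its recipient (the candidate new mother address);
    otherwise return None."""
    if len(outgoing) < 2:
        return None
    last_to, last_value = outgoing[-1]
    biggest_before = max(v for _, v in outgoing[:-1])
    return last_to if last_value >= factor * biggest_before else None


# Constructed sample data ----------------------------------------------------
def _fake_addr(i):
    """Placeholder address: 40 hex digits encoding a counter (constructed)."""
    return "0x" + format(i, "040x")


# 60 transfers of 0.002 ETH to fresh addresses, as a fee source would send.
FEE_OUT = [(_fake_addr(i), 2 * 10**15) for i in range(1, 61)]

# The same fee source, then a final transfer 500x larger to a new mother address.
NEW_MOTHER = _fake_addr(0xABC)
MOTHER_OUT = FEE_OUT + [(NEW_MOTHER, 1 * ETH)]

# One layering hop: 2300 ETH in, 80 ETH left behind, the rest split two ways.
HOP_IN = 2300 * ETH
HOP_OUT = [1100 * ETH, 1120 * ETH]
# A hop that keeps too much and splits unevenly does not match the pattern.
ODD_OUT = [1500 * ETH, 500 * ETH]


if __name__ == "__main__":
    print("fee funder:", is_fee_funder(FEE_OUT))
    print("layering hop:", is_layering_hop(HOP_IN, HOP_OUT), is_layering_hop(HOP_IN, ODD_OUT))
    print("new mother address:", rotation_successor(MOTHER_OUT))
```

In practice these checks run over transfers pulled from a node or explorer API for each address in a layer; the functions deliberately take plain lists so that they can be fed from any source, and an address that matches `is_layering_hop` is the one whose recipients form the next layer to trace.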
This raises the question of where the hacker's funds on the Ethereum chain came from. Through tracking and analysis, the SlowMist security team found that the hacker first ran the same prefix-and-suffix address phishing on Tron and, after profiting there, turned to users on the Ethereum chain, moving the Tron profits to Ethereum to fund the new phishing. The following image shows an example of the hacker's phishing on Tron:
(https://tronscan.org/#/address/TY3QQP24RCHgm5Qohcfu1nHJknVA1XF2zY/transfers)
On May 4th, the victim sent the following message to the hacker on the chain: “You won, brother. You can keep 10% and return the remaining 90%. We can pretend nothing happened. We all know that 7 million dollars is enough for you to live well, but 70 million dollars will make you sleep poorly.”
On May 5th, the victim continued to message the hacker on-chain but has not yet received a response.
(https://etherscan.io/idm?addresses=0x1e227979f0b5bc691a70deaed2e0f39a6f538fd5,0xd9a1c3788d81257612e2581a6ea0ada244853a91&type=1)
Defense Measures
Whitelist Mechanism:
It is recommended that users save the target address in the wallet's address book so that they can select the saved entry for future transfers.
Enable Wallet Small Payment Filtering:
It is recommended that users enable the wallet's small-payment filtering function to block zero-value transfers from appearing in their history and reduce the risk of falling for phishing. The SlowMist security team analyzed this type of phishing in 2022; interested readers can refer to those analyses (SlowMist: Beware of TransferFrom Zero-Value Transfer Scams, SlowMist: Beware of Same Suffix Airdrop Scams).
Carefully Check the Address for Accuracy:
It is recommended that users, when confirming an address, check at least the first 6 digits and the last 8 digits (excluding the “0x”). Ideally, every digit should be checked.
Test with Small Transfers:
If the user's wallet displays only the first 4 and last 4 digits of an address by default and the user insists on keeping that wallet, they should consider sending a small test transfer first. In the unfortunate event of a phishing attack, the damage is then minimal.
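The attack mechanics in the Key Points section and the defenses just listed fit together into a handful of wallet-side checks: a whitelist lookup, a filter that drops zero-value inbound transfers from the history the user copies from, and a comparison of the pasted address against saved ones on exactly the digits a truncated display reveals. The following is an added example, not SlowMist's, MistTrack's or any wallet's code; the address book entry name, the history entries and the `Transfer` type are constructed, while the three addresses are the ones the article lists. Run against the article's pair, it shows why a 4-digit-each-end display cannot tell them apart and why the recommended 6/8 check can.

```python
"""Wallet-side checks against same-prefix/same-suffix address phishing.

Added example, not SlowMist's, MistTrack's or any wallet's code. It models
three defenses: an address-book whitelist, filtering of zero-value inbound
transfers out of the copyable history, and a lookalike check on the digits
a truncated display shows. The address book and history are constructed;
the three addresses are the ones from the article.
"""
from dataclasses import dataclass

VICTIM = "0x1E227979f0b5BC691a70DEAed2e0F39a6F538FD5"
TRUSTED_TARGET = "0xd9A1b0B1e1aE382DbDc898Ea68012FfcB2853a91"
PHISHING = "0xd9A1C3788D81257612E2581A6ea0aDa244853a91"

# Constructed address book: the one entry the victim should have saved.
ADDRESS_BOOK = {"exchange deposit": TRUSTED_TARGET}


def _hex(addr: str) -> str:
    """Return the 40 lower-case hex digits of an EVM address, without '0x'."""
    a = addr.lower()
    if a.startswith("0x"):
        a = a[2:]
    if len(a) != 40 or any(c not in "0123456789abcdef" for c in a):
        raise ValueError(f"not an EVM address: {addr}")
    return a


def shared_prefix_suffix(a: str, b: str) -> tuple:
    """Count the leading and trailing hex digits two addresses have in common.
    For the article's pair this is (4, 6): identical on a 4/4 display."""
    x, y = _hex(a), _hex(b)
    if x == y:
        return 40, 40
    pre = 0
    while x[pre] == y[pre]:  # terminates: the strings differ somewhere
        pre += 1
    suf = 0
    while suf < 40 - pre and x[39 - suf] == y[39 - suf]:
        suf += 1
    return pre, suf


def check_recipient(recipient, address_book=ADDRESS_BOOK, shown_prefix=4, shown_suffix=4):
    """Classify a pasted recipient against the whitelist.

    'whitelisted': exact match with a saved entry.
    'lookalike':   not saved, but agrees with a saved entry on every digit a
                   display of shown_prefix/shown_suffix digits would reveal.
    'unknown':     matches no saved entry even on the shown digits.
    """
    r = _hex(recipient)
    for name, addr in address_book.items():
        if _hex(addr) == r:
            return "whitelisted", name
    for name, addr in address_book.items():
        pre, suf = shared_prefix_suffix(recipient, addr)
        if pre >= shown_prefix and suf >= shown_suffix:
            return "lookalike", name
    return "unknown", None


@dataclass
class Transfer:
    sender: str
    recipient: str
    value_wei: int


def filter_history(history, me, dust_wei=0):
    """Hide inbound transfers worth at most dust_wei (default: exactly zero,
    i.e. the trailing 0 ETH transaction) so they cannot be copied from."""
    return [t for t in history
            if not (_hex(t.recipient) == _hex(me) and t.value_wei <= dust_wei)]


# Constructed history: the victim's own earlier transfer, then the trailing
# zero-value transaction from the phishing address a few minutes later.
HISTORY = [
    Transfer(VICTIM, TRUSTED_TARGET, 10**18),
    Transfer(PHISHING, VICTIM, 0),
]


def safe_copy_targets(history=HISTORY, me=VICTIM):
    """Counterparties that remain in the history once dust is filtered."""
    out = []
    for t in filter_history(history, me):
        out.append(t.sender if _hex(t.recipient) == _hex(me) else t.recipient)
    return out


if __name__ == "__main__":
    print(shared_prefix_suffix(PHISHING, TRUSTED_TARGET))
    print(check_recipient(PHISHING))                                  # 4/4 display: lookalike
    print(check_recipient(PHISHING, shown_prefix=6, shown_suffix=8))  # 6/8 check: no match
    print(safe_copy_targets())
```

The lookalike verdict is the one a wallet should surface as a blocking warning: the pasted address is not in the address book yet is indistinguishable from a saved entry on the digits the user can see, which is precisely the condition the collision in step 1 is engineered to produce.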
Conclusion
This article has introduced phishing attacks that use addresses with the same prefix and suffix as the intended recipient, analyzed the hacker's characteristics and fund transfer patterns, and given suggestions for preventing such attacks. The SlowMist security team reminds users that, because blockchain records are immutable and on-chain operations are irreversible, addresses must be carefully verified before any transaction to avoid loss of assets.
Disclaimer
This article is based on data from the anti-money laundering tracking system MistTrack and aims to analyze publicly available addresses and disclose the results. Due to the nature of blockchain, we cannot guarantee the absolute accuracy of all data or assume responsibility for any errors, omissions, or losses caused by using the content of this article. This article also does not constitute a position or a basis for other analyses.
This article is authorized for reprint by SlowMist Technology.