Our readers have reported another scam that, in recent days, has affected some users of virtual currencies. Unfortunately, it seems that a “fake” client for the popular Ledger hardware wallets has been spread on the Microsoft Store, the official software and app store managed by Microsoft.
Today, fortunately, the malicious app has been removed and can no longer be downloaded.
Only a few traces remain among the Google search results.
Despite the app being removed and no longer available for download, it seems to have already claimed several victims. Twitter user ZachXBT has posted on his profile a message reporting two addresses to which the scammers allegedly sent the funds stolen from the unfortunate individuals.
Where have the stolen assets ended up? Our team attempted a small investigation to discover where the funds collected on the reported addresses have gone. As usual, we created a graph to summarize the movements using the Miro platform.
The first is a Bitcoin address that, at the time of writing, has received 16.02476081 bitcoins. Of these, about half is currently held in the addresses bc1qjjtks3sjz92arect2afsfkvh04kku72aszlccl and bc1qa9jf870xpzdmccnpqdxes93gd34zwplr69wpuz, while the remaining part has been sent to addresses that, according to our experience, can be traced back to CoinJoin transactions made through the Wasabi wallet and cannot be tracked without sophisticated techniques and tools.
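The two outcomes described for the Bitcoin side, coins parked at addresses that have not spent them and coins that disappear into Wasabi-style CoinJoins, can be told apart mechanically. The script below is an added example, not the tooling used for this report: it applies the usual CoinJoin shape heuristic (many inputs, many outputs of one identical value) and follows coins paid to a starting address through ordinary spends until they are either unspent or enter a CoinJoin-like transaction, where address-based tracing stops. The transactions are constructed; the two bc1q addresses are the ones in the text, every other identifier is a placeholder.

```python
"""Heuristic CoinJoin screen and outflow classifier for Bitcoin.

Added example, not the report's own tooling. Transactions below are constructed;
the two bc1q holding addresses come from the report, all other identifiers are placeholders.
"""
from collections import Counter, deque
from dataclasses import dataclass

SATS_PER_BTC = 100_000_000


@dataclass(frozen=True)
class TxIn:
    prev_txid: str   # transaction whose output is being spent
    vout: int        # index of that output


@dataclass(frozen=True)
class TxOut:
    address: str
    sats: int


@dataclass(frozen=True)
class Tx:
    txid: str
    inputs: tuple    # TxIn entries
    outputs: tuple   # TxOut entries


def coinjoin_like(tx, min_inputs=5, min_equal_outputs=5):
    """Wasabi-style CoinJoins pool many participants' inputs and pay many outputs
    of one identical value, so no single input maps to a single output.
    Heuristic only: exchange batch payouts can produce a similar shape."""
    if len(tx.inputs) < min_inputs:
        return False
    value_counts = Counter(o.sats for o in tx.outputs)
    return max(value_counts.values(), default=0) >= min_equal_outputs


def classify_outflows(txs, origin):
    """Follow coins paid to `origin` through ordinary spends until they are either
    still unspent (returned per holding address) or enter a CoinJoin-like
    transaction (summed, since tracing stops there). Amounts are in satoshis."""
    by_id = {tx.txid: tx for tx in txs}
    spent_by = {(i.prev_txid, i.vout): tx.txid for tx in txs for i in tx.inputs}
    held, coinjoined = Counter(), 0
    queue = deque((tx.txid, v) for tx in txs
                  for v, o in enumerate(tx.outputs) if o.address == origin)
    seen_outputs, followed_txs = set(), set()
    while queue:
        key = queue.popleft()
        if key in seen_outputs:
            continue
        seen_outputs.add(key)
        txid, vout = key
        out = by_id[txid].outputs[vout]
        spender = spent_by.get(key)
        if spender is None:
            held[out.address] += out.sats            # unspent: still parked here
        elif coinjoin_like(by_id[spender]):
            coinjoined += out.sats                   # trace ends at the mix
        elif spender not in followed_txs:            # ordinary spend: keep following
            followed_txs.add(spender)
            queue.extend((spender, v) for v in range(len(by_id[spender].outputs)))
    return held, coinjoined


# Constructed sample: two victim deposits, one split, one CoinJoin-like transaction.
ORIGIN = "bc1q-scam-origin-placeholder"
HELD_A = "bc1qjjtks3sjz92arect2afsfkvh04kku72aszlccl"
HELD_B = "bc1qa9jf870xpzdmccnpqdxes93gd34zwplr69wpuz"
HOP = "bc1q-intermediate-placeholder"

VICTIM_1 = Tx("victim-tx-1", (TxIn("victim-wallet-tx-a", 0),), (TxOut(ORIGIN, 10 * SATS_PER_BTC),))
VICTIM_2 = Tx("victim-tx-2", (TxIn("victim-wallet-tx-b", 1),), (TxOut(ORIGIN, 6 * SATS_PER_BTC),))
SPLIT = Tx("split-tx", (TxIn("victim-tx-1", 0), TxIn("victim-tx-2", 0)),
           (TxOut(HELD_A, 4 * SATS_PER_BTC), TxOut(HELD_B, 4 * SATS_PER_BTC),
            TxOut(HOP, 8 * SATS_PER_BTC - 10_000)))   # 0.0001 BTC miner fee
COINJOIN = Tx("coinjoin-tx",
              (TxIn("split-tx", 2),) + tuple(TxIn(f"participant-tx-{i}", 0) for i in range(9)),
              tuple(TxOut(f"bc1q-mixed-out-{i}", 10_000_000) for i in range(40))   # 40 x 0.1 BTC
              + tuple(TxOut(f"bc1q-change-{i}", 2_500_000 + 1_000 * i) for i in range(10)))
TXS = [VICTIM_1, VICTIM_2, SPLIT, COINJOIN]


def report(txs, origin):
    held, coinjoined = classify_outflows(txs, origin)
    lines = [f"{addr}: {sats / SATS_PER_BTC:.8f} BTC still unspent" for addr, sats in held.items()]
    lines.append(f"{coinjoined / SATS_PER_BTC:.8f} BTC entered CoinJoin-like transactions")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(TXS, ORIGIN))
```

The heuristic thresholds are deliberately conservative; a real investigation would also check the output values against the denominations the specific mixer uses and treat the result as a lead, not as proof.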
The second address is an Ethereum (ETH) address, for which we detected activity on the Ethereum network as well as on the BSC and Polygon networks.
On the Ethereum network, the address has received 57.86323660976835 ETH and various ERC-20 tokens. We can also note that the etherscan.io explorer warns us that the address is involved in a scam and has labeled it as “Fake_Phishing188618.”
Analyzing the transactions, we observed that the ERC-20 tokens were converted into ETH on decentralized exchanges such as 1inch and Uniswap. For instance, the 2500 Celsius tokens received in transaction 0x335ed0a812feb7759e17d3b26ca6b14023964c78ead0f3218130da3076ced65 were sent, in transaction 0x762d01e84dbeb43158e8642b58e8459c0c456bd1469dfa2202fef21d144a2f53, to Uniswap to obtain ETH.
Counting both the ETH received from scam victims and the ETH obtained through swaps, the address accumulated over 84 ETH. As summarized on the Miro graph, where several transactions are aggregated, these funds were sent to the address 0xf1dA173228fcf015F43f3eA15aBBB51f0d8f1123, used by the centralized swap service exch.cx.
Regarding the movements detected on the Binance Smart Chain (BSC), we can see that the address received 10 BNB, which, after being routed through the address 0xcE3c1E3F3dEbC42e2cF59A0daAd32B1361C0BACA, were then sent to the address 0x4727250679294802377dD6cA6541B8E459077c95, used by the centralized swap service FixedFloat.
On the Polygon network, we can observe a similar pattern. In this case as well, the received Matic tokens were routed through the address 0x7477dEC268783dE4E8cD448963A90ddBB8ee1A60 before being sent to the address 0x71d4249079684479F2651745fA2fcD79c9b45f53, also used by the centralized swap service FixedFloat.
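The same pattern recurs on all three EVM chains: the scam address forwards funds, sometimes through one intermediate hop, to a deposit address belonging to a centralized swap service. The script below is an added example, not the tooling used for this report: it walks outgoing transfers chain by chain from a starting address and stops either at a labelled service deposit (recording the path and the amount the service received) or at an address that has not forwarded the funds (recording them as parked). The three deposit addresses and the two intermediate hops are the ones printed above; the origin address is a placeholder because the report does not print it, and all transfers and amounts are constructed.

```python
"""Multi-chain fund-flow tracer toward labelled service deposit addresses.

Added example, not the report's own tooling. The service deposit addresses and the two
intermediate hops are taken from the report; the origin address is a placeholder and every
transfer and amount below is constructed.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Transfer:
    chain: str        # "ethereum", "bsc" or "polygon"
    tx_hash: str
    sender: str
    receiver: str
    asset: str        # native coin or token symbol
    amount: Decimal


def norm(addr):
    # EVM addresses are case-insensitive hex; explorers differ in checksum casing.
    return addr.lower()


# Deposit addresses of the centralized swap services named in the report.
SERVICE_LABELS = {
    norm("0xf1dA173228fcf015F43f3eA15aBBB51f0d8f1123"): "exch.cx",
    norm("0x4727250679294802377dD6cA6541B8E459077c95"): "FixedFloat",
    norm("0x71d4249079684479F2651745fA2fcD79c9b45f53"): "FixedFloat",
}

ORIGIN = "0xSCAM-ORIGIN-PLACEHOLDER"       # placeholder: the report does not print it
HOP_BSC = "0xcE3c1E3F3dEbC42e2cF59A0daAd32B1361C0BACA"
HOP_POLYGON = "0x7477dEC268783dE4E8cD448963A90ddBB8ee1A60"
PARKED = "0xPARKED-HOP-PLACEHOLDER"        # placeholder: received funds, never forwarded them
OTHER = "0xUNRELATED-SENDER-PLACEHOLDER"   # placeholder: not linked to the scam

TRANSFERS = [  # constructed sample; amounts are illustrative
    Transfer("ethereum", "0xtx-eth-1", ORIGIN, "0xf1dA173228fcf015F43f3eA15aBBB51f0d8f1123", "ETH", Decimal("84.1")),
    Transfer("ethereum", "0xtx-eth-2", ORIGIN, PARKED, "ETH", Decimal("0.5")),
    Transfer("ethereum", "0xtx-eth-3", OTHER, "0xf1dA173228fcf015F43f3eA15aBBB51f0d8f1123", "ETH", Decimal("3")),
    Transfer("bsc", "0xtx-bsc-1", ORIGIN, HOP_BSC, "BNB", Decimal("10")),
    Transfer("bsc", "0xtx-bsc-2", HOP_BSC, "0x4727250679294802377dD6cA6541B8E459077c95", "BNB", Decimal("9.999")),
    Transfer("polygon", "0xtx-pol-1", ORIGIN, HOP_POLYGON, "MATIC", Decimal("1500")),
    Transfer("polygon", "0xtx-pol-2", HOP_POLYGON, "0x71d4249079684479F2651745fA2fcD79c9b45f53", "MATIC", Decimal("1499.9")),
]


def trace(transfers, origin, labels=SERVICE_LABELS, max_hops=4):
    """Breadth-first walk of outgoing transfers, one chain at a time, from origin.
    Stops at a labelled service deposit (recorded in `paths`) or at an address with
    no outgoing transfer in the dataset (recorded in `parked`)."""
    outgoing = defaultdict(list)
    for t in transfers:
        outgoing[(t.chain, norm(t.sender))].append(t)
    paths, parked = [], []
    for chain in sorted({t.chain for t in transfers}):
        queue = deque([(norm(origin), [origin], 0)])
        seen = {norm(origin)}
        while queue:
            addr, path, depth = queue.popleft()
            for t in outgoing.get((chain, addr), []):
                nxt = norm(t.receiver)
                if nxt in labels:
                    paths.append({"chain": chain, "service": labels[nxt], "asset": t.asset,
                                  "amount": t.amount, "path": path + [t.receiver]})
                elif nxt not in seen:
                    seen.add(nxt)
                    if not outgoing.get((chain, nxt)):
                        parked.append({"chain": chain, "address": t.receiver,
                                       "asset": t.asset, "amount": t.amount})
                    elif depth + 1 < max_hops:
                        queue.append((nxt, path + [t.receiver], depth + 1))
    return paths, parked


def totals_by_service(paths):
    """Sum what each service deposit received, per chain and asset."""
    totals = defaultdict(Decimal)
    for p in paths:
        totals[(p["chain"], p["service"], p["asset"])] += p["amount"]
    return dict(totals)


if __name__ == "__main__":
    found, left = trace(TRANSFERS, ORIGIN)
    for (chain, service, asset), amount in sorted(totals_by_service(found).items()):
        print(f"{chain}: {amount} {asset} -> {service}")
    for p in left:
        print(f"{p['chain']}: {p['amount']} {p['asset']} parked at {p['address']}")
```

The unrelated deposit to exch.cx is never attributed to the origin because the walk only follows transfers that leave addresses already on a path; the parked entries are the places where, as the text notes, funds that have not yet moved remain observable.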
In this case, the scammers appear to have been quite clever, at least in the eyes of an ordinary observer, as they used services that make it nearly impossible to follow transaction flows simply by observing various blockchains. However, we must not forget that centralized services like exch.cx and FixedFloat were utilized, which could provide information to law enforcement. Moreover, there are solutions for tracking very sophisticated transactions that could even estimate the destination of bitcoins mixed through Wasabi Wallet’s CoinJoin. Additionally, there are still several bitcoins that have not been spent, and the scammers might make mistakes with them.
In conclusion, we take this opportunity to remind our readers always to carefully verify the authenticity of the software used and to prefer those downloaded from official sites. Those who use crypto assets are called to be their own bank, with all the responsibilities that come with it. If you have any doubts, you can always reach out to us at email@example.com or on Telegram.
If you have been scammed online, fill out our form. Our team of analysts will provide you with a free pre-analysis on the recoverability of your lost funds and advice for subsequent actions, including legal ones, aimed at reimbursing the stolen money.