Someone is getting into your wallets and withdrawing funds without your being able to do anything about it. After more than a month of research, on and off chain, emails and various requests, Decripto.org is able to publish an exclusive investigation into a colossal crypto theft against unsuspecting users. Yes, you read that right: someone is able to enter your wallets and empty them, without you having to do anything. Right now.
So, we discovered a lot of little thefts. Indeed, an endless series of small thefts. The criminals never take large amounts, in fact, and never attack important wallets. They usually focus on small wallets (a few thousand dollars at most) and take small quantities of funds: from a few cents to a maximum of 4 ETH at a time (less than 7 thousand dollars at the exchange rate at the time of writing).
They take away what in crypto jargon is called “dust,” that is, the remnants of coins left in wallets after various transactions, hence the name of the investigation: Money Dust. A very clever modus operandi: who would bother to report a theft of a few tens of euros, let alone a few cents? The problem is that these thefts happen to hundreds, thousands, of accounts every day, so eventually we are talking about millions and millions of dollars being stolen. The perfect crime.
They also often involve “sleeping” wallets, accounts that had not been used for several months, sometimes years. The thefts occur on any EVM chain (Ethereum-compatible blockchains such as BSC and Avalanche) and affect any coin, mostly ETH, but not only. The other important fact is that all the victims we identified (thousands) have Metamask accounts (software wallets, not backed by any hardware device) and, apparently, almost all of them have never interacted with scam tokens, scam NFTs or malicious smart contracts. But how is this possible? What don’t we know? What are we missing?
Alarmed, we immediately alerted Aaron Davis, the CEO of Metamask, the world leader in “non-custodial” wallets with more than 30 million active users. The company responded to us through Elo Gimenez, the external relations manager of Consensys, the giant founded by Ethereum co-founder Joe Lubin of which Metamask is a part, saying that at this time they have no comment to make. Although we sent them both the victims’ and the “attacking” wallets, the response was a laconic “no comment.” That’s all we were told: there may be a trivial explanation behind this, but we don’t know. Of course, if MetaMask wishes to respond to what we publish, we are willing to publish their reply.
But now let’s get going, because there are many things to say. At the end of this article you will also find a Miro link with all the addresses involved, all the incriminated transactions and also all the wallets where the stolen funds end up. So anyone will be able to check whether they have come into contact with these malicious addresses and, if they wish, let us know.
By following the money, from transaction to transaction, we got to big wallets on some exchanges, notably Okex, from China, whose founder was arrested for fraud in the past, but also legitimate and established exchanges like Binance. So, following the money, we started with the hacked wallets and arrived at accounts on exchanges where, in most cases, you need personal documents, the famous KYC. Both exchanges, however, told us that for any fund freezing there needs to be a formal request from law enforcement or the judiciary. A call was held with Binance’s intelligence leadership, but even they could not get to the bottom of this mystery.
All documentation in our possession, therefore, was sent to the Italian Postal Police.
We would like to remind you that Decripto.org, as you can see, has no advertising and no funders, and receives no public funds. So if you appreciate our work and want to support it, you can make a donation: by Paypal or credit card, in any cryptocurrency, or on Gofundme. Even a very small amount is vital for us to continue providing free reporting on Web3.
And now we can start.
Who are the victims of theft
Decripto.org, the first registered Italian news journal dedicated to crypto and Web3, started from the request of one of our readers, who informed us that about $170 (0.1 ETH) had disappeared from his Metamask wallet at this address: 0x5B1047114E303436BFE24e908340C18d1110b190. This is where we started, but we found many victims, including on social media. In fact, many have complained over the past few weeks, in some cases even earlier, about strange withdrawals from their wallets without any kind of authorization, and all of them swear that they have not surrendered their access keys or been fooled by phishing, malicious sites and various scams.
Who are the attacking wallets
Following the first report, which came to the paper through the investigative cybersecurity division of Mulium Consulting, we began to identify a whole series of malicious wallets that carried out these attacks. The wallets found so far are these:
How they try to cover their tracks
Once the attacking wallets have completed the theft, they pass the funds on to other wallets, and from these to yet others. All to raise as much smoke as possible, shuffle the cards, and get the money off the blockchain.
Where the stolen money goes
Our team of experts, led by our journalist and debunker James Moriarty, meticulously tracked each transaction, sifting through hundreds of wallets and thousands of transactions, also using specific open source sites and software. In the end, we were able to see how the money eventually flows to registered personal accounts on different exchanges (Okex and Binance, but not only). In addition, we tracked a great deal of NFT buying activity, as we explain in more detail below, which would appear to be a self-laundering operation, again low risk given that in many nations around the world NFT trading is clearly not tax regulated.
The giant scheme summarizing the thefts
To keep track of all these wallets and transactions, we created a file on the Miro material sharing site. We decided to make all of our work public, both because law enforcement has already been notified and because we find it a formidable tool for figuring out whether you, the reader, have also been a victim of these thieves, by checking the addresses your account has interacted with. We also chose Miro because it allows us to attach screenshots and links to the websites under consideration. We also hope for the help of developers and experts who, starting from the information we have gathered in over a month of work, can possibly help us understand more.
The Metamask “no comment”
One of the common factors in this matter is that almost all of the victims of these thefts are account holders of Metamask, the world leader in non-custodial wallets. To them we handed over, even before law enforcement, all the victims’ wallet addresses, all the attacking addresses, and the incriminating transactions. After several days of waiting, Metamask let us know that they would not answer our questions. An attitude that caught us off guard, since Decripto.org’s main interest was to see if we had missed anything in our investigation. Of course, the paper remains available to Metamask if they wish to answer the simple questions we have been sending them for almost a month now.
Exchanges wash their hands of it
The response of the exchanges was also disappointing. Although Decripto provided all the data and evidence of activity that was at least strange, if not blatantly illicit, the response was cold and detached. No one wanted to know more, and only with Binance, one of the most serious operators in the market, it must be said, was a call arranged with their head of intelligence, Jarek Jakubcek. But the answer was the same: in order to act, we need the police to ask us.
All the unanswered questions
Many questions have emerged from this investigation. How is it possible that funds can be withdrawn without the wallet owner’s consent? It is as if someone could get into users’ online banking accounts, perhaps dormant ones, and empty them. How is it possible that the exchanges did not investigate more thoroughly when they saw these large amounts of money coming into their accounts, often even from wallets blacklisted on various websites and GitHub pages?
The step-by-step investigation
Once in possession of our reader’s wallet address, we looked on Etherscan at the unauthorized outgoing transaction. The ETH was sent to wallet 0x7bd…, which we will call “Gino” for convenience. Going to Zerion to look at the activity on this wallet, we noticed unusual incoming traffic: each incoming transaction was worth a few cents. Since fees on the Ethereum network are known not to be low, it was illogical to think that someone would pay a $6-7 fee to send a few cents, even more so if hundreds of wallets were doing it.
So we went to analyze the various wallets that had sent pennies, many of which had been idle for months, sometimes more than a year. How is it that wallets that have been idle for months, with only a few dollars on them, are reactivated only to send a few pennies and pay several dollars in fees?
Since this was starting to look suspicious, we started googling the wallet receiving the money, “Gino,” using the dork (an advanced Google search operator) intext:”0x7bd…” to force Google to return only pages containing that address in their text. A GitHub page then came up where the wallet was flagged as malicious, i.e. blacklisted.
Having confirmed that this wallet had already been reported on GitHub, we then looked at where it was sending money. Among the noteworthy outgoing transactions, a transfer of 23 ETH to wallet 0x808… (which we will call “Goofy” from here on) stands out. The ETH is eventually sent to wallet 0x765…, a personal account on OKX; in fact, from there it is forwarded to the CEX hot wallet (the wallet where the funds of personal accounts are aggregated). In this way Gino sends the ETH to OKX in a few steps.
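The dormant-wallet dust pattern described in these steps (a wallet idle for months wakes up, sends a few cents to a flagged address and pays far more in fees than it moves) can be screened for automatically. The following is an added example, not Decripto.org’s own tooling; the watchlist, the `Tx` record layout and the transactions are constructed placeholders, not the real wallets from the investigation.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed placeholder for a flagged "collector" address (not a real wallet from the article).
SWEEPER = "0x00000000000000000000000000000000deadc0de"
WATCHLIST = {SWEEPER}  # in practice: Etherscan labels, GitHub blacklists, community reports

@dataclass
class Tx:
    tx_hash: str
    sender: str
    recipient: str
    value_eth: float
    fee_eth: float
    timestamp: datetime
    sender_last_active: Optional[datetime]  # sender's previous outgoing tx, None if unknown

def is_dust_sweep(tx: Tx, idle_days: int = 90, max_value_eth: float = 0.001,
                  watchlist=WATCHLIST) -> bool:
    """True when a long-idle wallet sends dust to a flagged address and the fee exceeds the value."""
    if tx.sender_last_active is None:
        return False  # dormancy cannot be established; leave for manual review
    idle = tx.timestamp - tx.sender_last_active >= timedelta(days=idle_days)
    tiny = tx.value_eth <= max_value_eth
    fee_dominates = tx.fee_eth > tx.value_eth
    flagged = tx.recipient.lower() in {a.lower() for a in watchlist}
    return idle and tiny and fee_dominates and flagged

def find_sweepers(txs, min_victims: int = 3):
    """Group dust sweeps by recipient; an address fed by many distinct idle senders is a collector."""
    victims = defaultdict(set)
    for tx in txs:
        if is_dust_sweep(tx):
            victims[tx.recipient.lower()].add(tx.sender.lower())
    return {addr: len(s) for addr, s in victims.items() if len(s) >= min_victims}

T0 = datetime(2023, 2, 1)
SAMPLE_TXS = [  # constructed data mirroring the pattern in the article
    Tx("0xh1", "0xa1", SWEEPER, 0.0002, 0.0035, T0, T0 - timedelta(days=400)),
    Tx("0xh2", "0xa2", SWEEPER, 0.0001, 0.0031, T0, T0 - timedelta(days=210)),
    Tx("0xh3", "0xa3", SWEEPER.upper(), 0.0004, 0.0029, T0, T0 - timedelta(days=95)),
    Tx("0xh4", "0xb1", SWEEPER, 0.0003, 0.0030, T0, T0 - timedelta(days=2)),  # active wallet
    Tx("0xh5", "0xb2", "0x0000000000000000000000000000000000001111", 0.5, 0.0030, T0,
       T0 - timedelta(days=300)),  # ordinary transfer of real value
]

if __name__ == "__main__":
    print(find_sweepers(SAMPLE_TXS))  # {'0x...deadc0de': 3}
```

Running the same screen over a flagged address's full incoming history (exported from Etherscan or Zerion) turns the manual observation of "hundreds of idle wallets sending cents" into a count that can be handed to an exchange or law enforcement.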
The rabbit hole
Following the logic of “they took the money, now where do they send it?”, we began tracking most of the larger outgoing transactions. Funds taken apparently without consent were sent to other wallets that were themselves flagged, from there forwarded on to ghost wallets (wallets used only to forward a transaction), and then ended up in other personal accounts, also on OKX.
Among the wallets that received money from “Gino” and were reported in other blacklists or on social media such as Twitter and Reddit, other wallets with the same kind of activity as “Gino” stand out, such as 0x9ee…, which was reported directly by Etherscan. Etherscan gave it the name “Fake_Phishing6050” to warn that this address is fake and has been used for several phishing operations (scams in which people are convinced to send funds). “Fake_Phishing6050” also sent funds to “Goofy,” which, as we have seen, then sends them to OKX.
An important note about the “Goofy” wallet is that it also receives funds from the 0xcdd… wallet, in some cases as much as 90 ETH in a single day. The latter wallet has been reported several times for various hacker attacks and frauds against SpaceSwap Bridge in early 2022 and the play-to-earn game Ninja Fantasy, also in early 2022. More than 12,000 ETH (about $20 million at current ETH prices) has transited through this wallet.
Money laundering through NFTs
Continuing with the investigation, we noticed that several wallets are paired with ENS (Ethereum Name Service) names, which are domains on the blockchain. The peculiarity of on-chain domains is that they are assigned to wallets by a person. We then went to see who the owner of these ENS names is and found out that, after buying them with funds from the blacklisted wallets, he resells or buys them on Opensea with the account “SellBuy_ENS”.
Some of the reported wallets that are linked to ENS owned by 0x1499… (SellBuy_ENS) then started trading NFTs so as to clean up the stolen funds and allocate part of the value in a “treasure trove” of digital objects belonging to multiple projects, such as lands from Decentraland (the first metaverse), NFTs from The Walking Dead and others…
Miro and the details of the investigation
For those who would like to help us understand what is going on, on Miro we have kept track of the various wallets, movements, and reports found so far. Each piece of data is supplemented by screenshots and links, with dates and pictures, so that it is easier to use and identify. For any evaluation, and for anyone who would like to help us understand what is going on, we are available.
At this point, after sifting through all the hypotheses, the most likely one is that of a virus. It enters the victim’s computer, retrieves the Metamask file saved locally and decrypts it with the Metamask Decryptor, as can be seen on the Metamask site, to recover the seed phrase. Once in possession of the seed phrase, the job is done. A malicious link or fake software that installs an automated program on the machine would then suffice to gain access to the computer.
There are hundreds of wallets that wake up every week after months and months of inactivity, only to pay a $6 to $7 fee to send a few cents to blacklisted and flagged wallets. We tried to ask Metamask for an explanation of how such a movement is possible, since for most wallets there were no malicious smart contracts involved. The only response we received was a “no comment,” an answer we did not expect. We therefore asked Binance and Okex if they had any comments, but they said that without a law enforcement warrant they would not do anything.