Dissecting an ingenious crypto wallet draining scam

A massive crypto wallet draining operation has been exposed, having targeted experienced crypto users and industry insiders since December 2022.

For the past 48hrs I’ve been unwinding a massive wallet draining operation ??

I don’t know how big it is but since Dec 2022 it’s drained 5000+ ETH and ??? in tokens / NFTs / coins across 11+ chains.

Its rekt my friends & OGs who are reasonably secure.

No one knows how. pic.twitter.com/MafntG7RkP

— Tay ? (@tayvano_) April 18, 2023

Draining over 5,000 ethereum (ETH) and an unknown amount of tokens, non-fungible tokens (NFTs), and coins across 11+ chains, this scam has left the community searching for answers.

Let’s dive into the facts and data surrounding the operation and its impact on the crypto community.

Decoding the scammers’ modus operandi

The attackers have been methodically draining keys, potentially from a cache of data obtained more than a year ago.

My best guess rn is that someone has got themselves a fatty cache of data from 1+ yr ago & is methodically draining the keys as they parse them from the treasure trove.

But that’s just a guess. I *don’t* know.

It is NOT cryptographic/entropy related tho, don’t waste your time.

— Tay ? (@tayvano_) April 18, 2023

They exhibit distinct patterns in their theft and post-theft on-chain movement, often moving assets between multiple victims’ addresses.

Large December 2022 thefts utilized RenBridge, and the final destination for stolen assets is always bitcoin (BTC).

You might also like: The darknet’s Reddit clone makes exit scams harder

The attackers utilize centralized swappers like FixedFloat, SimpleSwap, SideShift, ChangeNOW, and LetsExchange to launder funds before moving them to privacy-focused mixers like Coinomize, Wasabi, and CryptoMixer.

6. «Out» is always a centralized swapper such as:
FixedFloat
SimpleSwap
SideShift
ChangeNOW
LetsExchange
Unknown swapper @ 0xca60
Other unlabeled swappers nested at Binance

Large Dec’22 thefts used RenBridge

Final desty is always Bitcoin

LTC, XRP, XMR, etc also moves to BTC.

— Tay ? (@tayvano_) April 18, 2023

The commonalities among victims

The victims share some common characteristics, such as having created their keys between 2014 and 2022 and being more crypto-native than most (e.g., having multiple addresses and working in the space).

Afaik, no one has determined the source of their compromise.

Multiple devices have been forensic’d. Nothing.

The only known commonalities are:
– Keys were created btwn 2014-2022
– Folks are those who are more crypto native than most (e.g. multiple addresses, work in space, etc)

— Tay ? (@tayvano_) April 18, 2023

This scam has not affected any newbies; it has specifically targeted experienced users with a single secret recovery phrase or private key.

To prevent such scams, the crypto community must prioritize education and awareness. Users should avoid keeping all assets in a single key or secret phrase and should migrate to hardware wallets.

Patterns in the timing of the thefts

The wallet draining operation exhibits peculiar patterns in the timing of the thefts. Many of the thefts appear to have occurred on weekends, with notable incidents on Sundays.

Large-scale thefts seem to be scripted, and the dust remaining in the original drained address has been stolen up to 80+ days after the first address was drained.

The attackers’ IPs and user agents (UAs) are quite diverse, often using VPNs, proxies, and other methods to mask their true identity.

The road ahead

By examining the scammers’ methods, commonalities among victims, timing patterns, and understanding the importance of preventive measures, the community can better safeguard its assets.

Collaboration, education, and vigilance are crucial in mitigating risks and restoring confidence in the security of digital assets.

Read more: Crypto scams escalate as CertiK reports 27 incidents in past week

Source