[Bounty Hunting] - Attempting to find the 525K "Scumbag Hacker"


Hello!

A hacker stole my 84K MOONs back in March. That wasn't very nice of them =(

Now it's payback time against those hackers/scammers/rug pullers and other malicious entities who give crypto such a bad reputation.

I went through the exercise of attempting to doxx the hackers who stole 525K from a victim recently https://platform.arkhamintelligence.com/exchange/bounties/4b3c63de-f4fe-4ed5-88ed-ba49fdf8ebe3

The research is all my own! Please feel free to check and cross reference all of my work.

Let's begin!

Part 1 - Hacker 525k 1

0x3833F1ADdFe7952ca9c577939549D6c6062cb6Fa - Hacker 525K 1

This address is one of two as outlined by the victim in the bounty. I labeled 0x3833F1ADdFe7952ca9c577939549D6c6062cb6Fa - Hacker 525K 1 to keep track for my own records.

Above, I noticed numerous interactions between 0xAfF6dB2974315B21b578eFAdb60a08603eb8EDeA [Pablito147 on Opensea] and 0x3B380f3Be0db93161E6Cb7a53DE4958BF457A33C [Opensea User]. I moved the shared wallets to the left and shared deposit addresses to the right. I’m pretty confident both are hacker wallets. They are both directly connected to 0x3833F1ADdFe7952ca9c577939549D6c6062cb6Fa [Hacker 525K 1]

Deposit Addresses

Here’s a list of the shared Deposit Addresses

  • 0x0C43FA6f7dFE8DB1f80748C459A2239c6A08e980 - Binance
  • 0xc2D54190d9C83Da8d30D302ad39a0Ab488b4032d - OKX
  • 0xBf7B0cE8db8883F3E4EC6900079ebFE6AA5573b8 - Kucoin
  • 0x2422371A74Ea2674853B15748EFb491BF49CB6Ec - Kucoin

Shared Wallets

Here’s a list of the shared Wallets

  • 0xf66d22e57Ffa2BedE37DEa913eF4966cFe872f91
  • 0x3fE411272EBbDFfe064640213a3776Ed28c9C67e
  • 0xa36547503a98B25650D1EBD8E52A732213a3Da85
  • 0x2DFd951577d7de93b363e843B9a4d3c16F9f548A
  • 0x36bBa51d19b06Cf07d81cAec249e8056C0F78259
  • 0x9b6d18d156ef8ED96A48d75664315C6Eac6F4906
  • 0xE984bDDFb8E56c5844CeEe20A7B77193FBfb4ba1
  • 0xDBB4Bea4AaaaA6A84a467bA0D22ca93Efc70d4E0
  • 0x0e030d4adc123BFeCa43faDec6518ba80584F57D
  • 0xD26117c7D5039E1921b1a50B88cBeB00d6544581

Another Victim

I did a quick Google search to see if I can find anything on 0xAfF6dB2974315B21b578eFAdb60a08603eb8EDeA - [Pablito147 on Opensea]. Below is a victim I found who lost 200K.

Victim YouTube -

https://www.youtube.com/watch?v=splBczgXEEY

Hacker Wallets listed in description

  • 0x634CE987dB07BA4197b6Ae9F3478A707e3D7646f [looks like ApeXPool]
  • 0x505B5eDa5E25a67E1c24A2BF1a527Ed9eb88Bf04 [looks like Coinweb token]
  • 0x52A8845DF664D76C69d2EEa607CD793565aF42B8 [looks like ApeX Token]
  • 0x6bB78583889bF9380dB2206e66e2DCd641fB1f39 - High Risk - other comments on Etherscan
  • 0x29488E5fD6bF9B3cc98A9d06A25204947ccCBE4D - Fake_Phishing180395
  • 0x9b6d18d156ef8ED96A48d75664315C6Eac6F4906
  • 0xAfF6dB2974315B21b578eFAdb60a08603eb8EDeA
  • 0xA4CC15cd24316988dfc4310eC3c2664F3c9BBac1

Tracking ENS Interactions

0x3B380f3Be0db93161E6Cb7a53DE4958BF457A33C [Opensea User] is in current possession of the below ENS addresses

  • ballaboveall.eth
  • loveneverfails.eth
  • 03161992.eth (What’s the significance here? Someone’s birthday?)

How did he/she/they acquire these ENS addresses?

Here’s an example

https://preview.redd.it/v869xnuh9knb1.png?1272&format=png&auto=webp&s=8a56a71c98bd203eb5f503d3b4ee3540fe14c51b

-0x3B380f3Be0db93161E6Cb7a53DE4958BF457A33C- received ballaboveall.eth from Bigpudgy.eth - https://etherscan.io/tx/0xa3f4e48ff498b83e6032069af509f4e6595d87b29e4a1890a9e854c3dbc7124c

--0x3b10f088D7a83E92E91D4A84FE2c656AF92a801D - Bigpudgy.eth aka Calm_tothemoon

Both loveneverfails.eth and 03161992.eth were also transferred in a similar way from 0x3b10f088D7a83E92E91D4A84FE2c656AF92a801D - Bigpudgy.eth

Summary

Looking at https://opensea.io/Calm_tothemoon/activity aka bigpudgy.eth, he could be a victim or have direct ties to the hacker. I looked through the boot2thrill twitter account and didn’t see any signs of a hack. Specifically, I was looking at dates around March 6th 2023 and Feb 2nd 2023 as those dates were when most of the NFT transfers to 0x3B380f3Be0db93161E6Cb7a53DE4958BF457A33C happened.

However, looking inside 0x3b10f088D7a83E92E91D4A84FE2c656AF92a801D - Bigpudgy.eth, I’m seeing mostly Coinbase deposit addresses. Coinbase isn't typically an exchange a hacker would use. If this person is a hacker, he’s certainly keeping his personal and hacking activity separate.

Part 2 - Hacker 525k 2

0x8d50d2EEEED7ea1De60C51Ba3f767e48dFbD2320 - Hacker 525K 2

Here’s the other wallet identified by the victim in the bounty. I labeled 0x8d50d2EEEED7ea1De60C51Ba3f767e48dFbD2320 - Hacker 525K 2

Looking at the 2nd hacker wallet - 0x8d50d2EEEED7ea1De60C51Ba3f767e48dFbD2320 [Hacker 525K 2] I was investigating where the most outgoing txns were going. I came up with 6 wallets. Of most interest was: 0x834A683d81CeFafA9A97c2549d9D3fB0bF0b2B43 - Opensea user. I labeled this one with a red arrow in the image above.

Wallets of Interest

Below I’ll make the connection between 0x8d50d2EEEED7ea1De60C51Ba3f767e48dFbD2320 [Hacker 525K 2] and 0x834A683d81CeFafA9A97c2549d9D3fB0bF0b2B43 - Opensea user. I wanted to verify that “0b2B43” was indeed a hacker wallet.

Looking inside 0x834A683d81CeFafA9A97c2549d9D3fB0bF0b2B43 - Opensea user, you can clearly see that it was initially funded on 10/9/21 by 0x8d50d2EEEED7ea1De60C51Ba3f767e48dFbD2320 [Hacker 525K 2]

Tracking ENS Interactions

Below we’ll focus on one ENS address, the-oasis.eth. The route this ENS took was very interesting. Starting with the minting of the ENS from Opensea:

-0x5c255c0571be150Fc482Ec3d345f6218188723bD [The-Oasis_Gamemaster]

--0x8d50d2EEEED7ea1De60C51Ba3f767e48dFbD2320 [Hacker 525K 2]

---0x834A683d81CeFafA9A97c2549d9D3fB0bF0b2B43 - Opensea user - owner

In all three instances, the ENS was transferred between wallets. In no instance was a sale ever made.

I noticed 0x834A683d81CeFafA9A97c2549d9D3fB0bF0b2B43 - Opensea user was in current possession of "the-oasis.eth". Where did this wallet receive it from? You guessed it! 0x8d50d2EEEED7ea1De60C51Ba3f767e48dFbD2320 [Hacker 525K 2] And, who sent it to the hacker wallet? 0x834A683d81CeFafA9A97c2549d9D3fB0bF0b2B43 [The-Oasis_Gamemaster]

The Connection

https://preview.redd.it/cdl2nwdl7knb1.png?2536&format=png&auto=webp&s=ff74f1c699c96c5983c7d858a433a60dd810c69f

Looking inside 0x834A683d81CeFafA9A97c2549d9D3fB0bF0b2B43 - Opensea user, I noticed a few interesting things.

  1. This wallet is directly depositing into Binance accounts frequently used by Hacker 525k 1 and Hacker 525k 2. There are more similarities but those appear to be the main ones.
    1. 0xdBe063ddE9A72F511B64e75a4966F907942FC1a6 - Binance
    2. 0x2fe55e3d83c9d85cbfBf7520b5F3Df619744d0Af - Binance
  2. 0x834A683d81CeFafA9A97c2549d9D3fB0bF0b2B43 - Opensea user was directly funded on 10/9/21 and represents the first transaction by 0x8d50d2EEEED7ea1De60C51Ba3f767e48dFbD2320 [Hacker 525K 2]. - Etherscan TXN link
  3. The wallet 0x5c255c0571be150Fc482Ec3d345f6218188723bD [The-Oasis_Gamemaster] appears to be directly connected to 0x834A683d81CeFafA9A97c2549d9D3fB0bF0b2B43 - Opensea user

Interestingly enough, the last ever transactions inside 0x5c255c0571be150Fc482Ec3d345f6218188723bD [The_Oasis_Gamemaster] were to both Hacker 525K Arkham and 0x834A683d81CeFafA9A97c2549d9D3fB0bF0b2B43 - Opensea user.

Part 3 - Additional Info

Below is additional information I found. I don't think there’s enough here yet. It’s worth documenting to investigate at a later time.

GankNFT

I found this wallet interacting with Binance deposit address - 0xE3563A1408CE86836857b495c8Cb9E034abbeAC1. I noticed that 0x8d50d2EEEED7ea1De60C51Ba3f767e48dFbD2320 - Hacker 525K 2 also deposited $200 worth of USDT to this same deposit address with this Etherscan txn.

Info

  • Wallet - 0x86c0F115926544fF39e0b12960Ee1CafEac35ebb - GankNFT
  • Notes - Opensea and Twitter profile photo matches
  • Additional Wallet - 0x7D00cC2F5539dE3adE7c28975c236A23aa0b406e - “GankNTF on OpenSea”

Maybe Same person - I couldn't find any on-chain connections but the twitter handle is very similar

  • Wallet - 0xD441Aaf73D3Fa35768B5c3AFE2f3C05d90D4e09F

***UPDATE 1 - Thank you all for the kind words! To be clear, this wasn't my hack I was investigating. I was looking into another victim who lost 525K recently. The details of my hack I posted back in March here - https://www.reddit.com/r/CryptoCurrency/comments/11sksgs/i_got_hacked_and_lost_over_300k_today/

***UPDATE 2 - I removed the social information of the persons of interest per requests of the moderators of this forum

submitted by /u/jbtravel84
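
The two heuristics the post relies on, counterparties shared by two wallets and the first wallet to fund an address, sketched as an added example that is not part of the original post. All addresses, labels and transfers below are constructed placeholders, and the label kinds ("deposit", "hot_wallet") are an assumption about what a block explorer would supply.

```python
# Constructed sample data: placeholder addresses, not taken from the post.
# Each transfer is (sender, receiver, unix_timestamp).
TRANSFERS = [
    ("0xhacker2", "0xwalletC", 1633737600),   # earliest inbound to walletC
    ("0xother", "0xwalletC", 1640000000),
    ("0xwalletA", "0xdeposit1", 1650000000),
    ("0xwalletB", "0xdeposit1", 1650500000),
    ("0xhot", "0xwalletA", 1651000000),       # exchange withdrawals
    ("0xhot", "0xwalletB", 1651500000),
    ("0xwalletA", "0xshared1", 1652000000),
    ("0xshared1", "0xwalletB", 1652500000),
    ("0xwalletA", "0xonlyA", 1653000000),
]
# Constructed labels. A deposit address is normally issued per exchange
# customer; a hot wallet pays out to every customer of the exchange.
LABELS = {"0xdeposit1": "deposit", "0xhot": "hot_wallet"}


def counterparties(addr, transfers):
    """Every address that sent to or received from addr."""
    found = set()
    for src, dst, _ in transfers:
        if src == addr:
            found.add(dst)
        elif dst == addr:
            found.add(src)
    return found


def shared_links(a, b, transfers, labels):
    """Split the counterparties common to a and b by how much they prove."""
    common = counterparties(a, transfers) & counterparties(b, transfers)
    common -= {a, b}
    return {
        # Same per-customer deposit address: points at one exchange account.
        "deposit_addresses": sorted(x for x in common if labels.get(x) == "deposit"),
        # Unlabelled wallets both sides touch: candidates for further tracing.
        "shared_wallets": sorted(x for x in common if x not in labels),
        # Hot wallets link unrelated users, so they are not evidence.
        "ignored": sorted(x for x in common if labels.get(x) == "hot_wallet"),
    }


def first_funder(addr, transfers):
    """Sender of the earliest inbound transfer to addr, or None."""
    inbound = [(ts, src) for src, dst, ts in transfers if dst == addr]
    return min(inbound)[1] if inbound else None
```

A shared deposit address is the strongest of these signals because the exchange holds the account record behind it; shared unlabelled wallets and first-funder links only narrow the search.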