Phishing Scams Steal US $1M in NFTs and Crypto Assets
On October 26, blockchain investigator ZachXBT was one of the first to announce that a phishing scammer using the alias Monkey Drainer is suspected of having stolen approximately US $1M in cryptocurrency and non-fungible tokens (NFTs) within a 24-hour window.
2/ The two largest victims over the past day include 0x02a & 0x626 who collectively lost $370k from signing transactions on malicious phishing sites operated by monkey drainer such as the ones below. pic.twitter.com/HRwmP08UWn
— ZachXBT (@zachxbt) October 25, 2022
Since at least August 2022, a number of phishing scams have been active, including the one reported by ZachXBT. The criminal entity used fake sites posing as legitimate projects such as Yuga Labs and Moonbirds to get victims to approve transactions to multiple addresses, presumably belonging to it, and rob them of their NFTs and tokens.
Tracking of stolen funds using QLUE™
Using QLUE™, we started by investigating the phishing contract (0xd13b) reported by Twitter user @iamdeadlyz back in August and then again in September. According to the Twitter user, this address was part of two separate phishing scams.
QLUE™ graph demonstrating the movement of stolen funds
The phishing contract (0x31db) was used to drain ETH from victims through more than 3500 transactions from August to October. The first fraudulent transaction occurred on August 19. Following that, various amounts, ranging from US $0.01 to $158,000 in ETH, were stolen directly by the address. The last transaction we observed was only yesterday, October 27.
A total of 320.93 ETH were moved out of the phishing contract (0x31db) to an intermediary address (0xd361). This intermediary address then transferred 211.7 ETH to 68 other addresses between August 22 and October 27, 2022.
Among these 68 addresses, two have been widely reported:
- Monkey-drainer.eth (0x9fc8)
monkey-drainer.eth (0x9fc8) has approved over 7k token and NFT transfers from victims.
- Federalagent.eth (0x845)
This address has been the recipient of a lot of the funds approved by monkey-drainer.eth (0x9fc8).
So far, federalagent.eth (0x845) has received crypto and tokens worth approximately US $977,000. To date, it has laundered 251 ETH through Tornado Cash using an intermediary address (0x30e) and still holds more than US $612,000 worth of ETH. This address (0x30e) had also received funds from the intermediary address (0xd361) mentioned earlier.
One of monkey-drainer.eth's (0x9fc8) victims lost 11 NFTs, including 1 BAYC token and 1 BAKC token, which were later sold for 70 wETH and 6.5 wETH respectively. Part of the proceeds (10.936 ETH) was then transferred to federalagent.eth (0x845).
QLUE™ graph: victim losing NFTs to monkey-drainer.eth before they’re sold.
Our investigation shows that this criminal entity is behind several major phishing attacks that trick users into giving token approvals and then proceed to drain funds from the victims.
Phishing is a popular type of malicious attack. More than 323,000 people were targeted by phishing attacks in 2021, according to the FBI Internet Crime Report.
Phishing schemes sometimes include criminals disseminating links to websites pretending to be legitimate initiatives or businesses in an effort to trick individuals into linking their wallets and approving transactions.
Promises of a lucrative purchase opportunity or a free giveaway, similar to the frequent fake Musk and Apple giveaways, are among the most popular fraud strategies. Be extra cautious when visiting websites you do not recognize, connecting your crypto wallet to them, granting wallet permissions or approving any transactions.
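A token approval is an ordinary contract call, so its intent can be read from the transaction calldata before it is signed. The following is an added example, not code from the original article or from QLUE™: a pre-signing check that decodes the standard approve and setApprovalForAll calls and rates them. The trusted-address list, the risk labels and the sample addresses are assumptions constructed for illustration.

```python
# Added example (not from the original article): classify token-approval calldata.
APPROVE = "095ea7b3"               # approve(address,uint256): ERC-20 amount or ERC-721 token id
SET_APPROVAL_FOR_ALL = "a22cb465"  # setApprovalForAll(address,bool): ERC-721 / ERC-1155
MAX_UINT256 = 2**256 - 1
ZERO_ADDRESS = "0x" + "00" * 20


def classify_calldata(data_hex, trusted=frozenset()):
    """Return (kind, spender, risk) for a transaction's raw calldata hex string."""
    data = data_hex.lower()
    data = data[2:] if data.startswith("0x") else data
    selector, args = data[:8], data[8:]
    if selector not in (APPROVE, SET_APPROVAL_FOR_ALL):
        return ("other", None, "none")
    if len(args) != 128:                      # two 32-byte ABI words expected
        return ("malformed", None, "high")
    spender = "0x" + args[24:64]              # address is right-aligned in word 1
    value = int(args[64:128], 16)             # amount, token id, or bool in word 2
    known = spender in {t.lower() for t in trusted}

    if selector == SET_APPROVAL_FOR_ALL:
        if value == 0:
            return ("revoke_all", spender, "none")
        # The operator can move every NFT of this collection held by the signer.
        return ("approve_all_nfts", spender, "low" if known else "high")
    if spender == ZERO_ADDRESS:
        return ("revoke", spender, "none")    # ERC-721 style revoke
    if value == 0:
        # ERC-20 revoke, or approval of ERC-721 token id 0: calldata alone cannot tell.
        return ("revoke_or_token_0", spender, "low")
    if value == MAX_UINT256:
        return ("approve_unlimited", spender, "low" if known else "high")
    return ("approve", spender, "low" if known else "medium")


def encode(selector, address, value):
    """Build constructed sample calldata (address must carry a 0x prefix)."""
    return "0x" + selector + address[2:].rjust(64, "0") + f"{value:064x}"


if __name__ == "__main__":
    DAPP = "0x" + "11" * 20      # constructed address standing in for a known marketplace
    UNKNOWN = "0x" + "ab" * 20   # constructed address the user has never interacted with
    for sample in (encode(SET_APPROVAL_FOR_ALL, UNKNOWN, 1),
                   encode(APPROVE, UNKNOWN, MAX_UINT256),
                   encode(APPROVE, DAPP, 10**18),
                   encode(APPROVE, UNKNOWN, 0)):
        print(classify_calldata(sample, trusted={DAPP}))
```

A "high" result for an address the user does not recognize is the pattern to stop on: a collection-wide operator grant or an unlimited allowance lets the approved address move assets later without any further signature.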
A number of the addresses identified to belong to the scammer were marked by the community to expose the malicious intent. Nevertheless, until new addresses are discovered, the culprit may layer and launder more stolen funds through entities with little to no transaction risk monitoring.
Written By: Omar Marzouk
Writer, Content marketing at Blockchain Group