On June 14, 2024, Binance co-founder Ms. He Yi posted on social media that someone had impersonated her and created a fake X account. The fraudster used it to push phishing links to a victim, who lost crypto assets worth 60 ETH. The news quickly sparked heated discussion after it was released.

Later that day, the victim contacted Bitrace for help. After investigation by the security team, it was found that the address behind the incident was related to the well-known phishing service provider Inferno Drainer, that the group of victims was expanding rapidly, and that the amount of stolen funds exceeded 28 million US dollars. This article aims to disclose the incident by describing the phishing method, the scale of the funds involved, and the money laundering channels used.

Phishing Techniques

Impersonating the social media accounts of crypto celebrities is a very popular fraud method on the X platform. Fraudsters use persuasive messaging to induce victims to submit token approvals through phishing links or to download phishing applications, thereby illegally obtaining the victims' crypto assets.

The amount lost by the victim this time is considerable: Ethereum and Ethereum liquid staking tokens worth more than 200,000 US dollars were stolen. Of these, 57.54 weETH flowed directly into the phishing address and was converted into ETH through a third-party DEX, where it is being held for now, and another 0.58 ETH was transferred out through a phishing contract.

Auditing the funds held by the phishing address 0x5Ae6 shows that this is another typical case of professional Drainer theft. Once the gang obtains authorization over a victim's address, it transfers the valuable assets out as soon as possible. Consequently, in addition to Tether, assets issued by well-known protocols such as Etherfi and Puffer are also targets.
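The "authorization" the Drainer obtains is, for ERC-20 tokens, an on-chain `Approval` event granting a spender an allowance over the victim's balance. The following added example (not part of the original article or of Bitrace's tooling) audits a set of approval logs, in the shape returned by `eth_getLogs`, and flags unlimited or unusually large allowances granted to spenders that are not on a vetted allowlist. The log entries, the token address, the victim address and the drainer contract address are all constructed placeholders; only the `Approval(address,address,uint256)` topic hash is the real ERC-20 event signature.

```python
from dataclasses import dataclass

# keccak256("Approval(address,address,uint256)"): topics[0] of every ERC-20 Approval event
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
UNLIMITED = 2**256 - 1
ETH = 10**18

# Hypothetical allowlist of spender contracts the wallet owner has vetted
# (constructed placeholder address, not a real router).
TRUSTED_SPENDERS = {
    "0x1111111111111111111111111111111111111111",  # placeholder: a known DEX router
}

# Constructed placeholders; none of these are the real weETH token or the real drainer contract.
WEETH_PLACEHOLDER = "0x2222222222222222222222222222222222222222"
VICTIM = "0x3333333333333333333333333333333333333333"
DRAINER_CONTRACT = "0x4444444444444444444444444444444444444444"


def _pad_topic(address: str) -> str:
    # Indexed address parameters are ABI-encoded as 32-byte words, left-padded with zeros
    return "0x" + address[2:].lower().rjust(64, "0")


# Constructed sample logs in the eth_getLogs result shape
SAMPLE_LOGS = [
    # 1) Unlimited weETH allowance to an unknown contract: the drainer pattern
    {"address": WEETH_PLACEHOLDER, "blockNumber": 100,
     "topics": [APPROVAL_TOPIC, _pad_topic(VICTIM), _pad_topic(DRAINER_CONTRACT)],
     "data": "0x" + "f" * 64},
    # 2) Unlimited allowance to a trusted router: common and allowed here
    {"address": WEETH_PLACEHOLDER, "blockNumber": 101,
     "topics": [APPROVAL_TOPIC, _pad_topic(VICTIM),
                _pad_topic("0x1111111111111111111111111111111111111111")],
     "data": "0x" + "f" * 64},
    # 3) Small, bounded allowance (0.5 token) to an unknown address: below threshold
    {"address": WEETH_PLACEHOLDER, "blockNumber": 102,
     "topics": [APPROVAL_TOPIC, _pad_topic(VICTIM),
                _pad_topic("0x5555555555555555555555555555555555555555")],
     "data": "0x" + format(ETH // 2, "064x")},
]


@dataclass
class ApprovalAlert:
    token: str
    owner: str
    spender: str
    value: int
    reason: str


def _topic_to_address(topic: str) -> str:
    # The address is the low-order 20 bytes (last 40 hex chars) of the 32-byte topic
    return "0x" + topic[-40:].lower()


def audit_approvals(logs, trusted=TRUSTED_SPENDERS, large_threshold=1000 * ETH):
    """Flag Approval events that grant untrusted spenders unlimited or large allowances."""
    alerts = []
    for log in logs:
        topics = log.get("topics") or []
        # ERC-20 Approval has exactly 3 topics; ERC-721 Approval has 4 (tokenId is indexed)
        if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
            continue
        owner = _topic_to_address(topics[1])
        spender = _topic_to_address(topics[2])
        value = int(log["data"], 16)
        if spender in trusted:
            continue
        if value == UNLIMITED:
            reason = "unlimited allowance granted to an untrusted spender"
        elif value >= large_threshold:
            reason = "large allowance granted to an untrusted spender"
        else:
            continue
        alerts.append(ApprovalAlert(log["address"].lower(), owner, spender, value, reason))
    return alerts


if __name__ == "__main__":
    for alert in audit_approvals(SAMPLE_LOGS):
        print(f"token={alert.token} owner={alert.owner} spender={alert.spender}: {alert.reason}")
```

Run against real logs, the same function applies to any wallet: fetch `Approval` events filtered on the owner topic, and treat any unlimited allowance to a spender you did not deliberately vet as something to revoke. The allowlist and the 1000-token threshold are assumptions to tune per wallet.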

As of now, the address still holds 197.78 ETH obtained by swapping the various ERC20 tokens, as well as other tokens worth more than 30,000 US dollars.

Fund Size

Tracing the source of the gas fees of 0x5Ae6 shows that this address is closely related to 0x0000db5c8b030ae20308ac975898e09741e70000, which major security agencies, including Bitrace, have labeled as one of the business addresses of the notorious Inferno Drainer.

In the past few months, e70000 has initiated transfers to more than 30 sub-addresses, including 0x5Ae6. These sub-addresses are widely used to collect the proceeds of various phishing scams; some of the victim reports shared by community members on social platforms can be traced back to these addresses.
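The gas-fee tracing described above rests on a simple heuristic: a collection address is typically "born" when the operator's business address sends it a small ETH top-up so it can pay for transactions, and victim funds arrive afterwards. The following added example (not Bitrace's tooling and not from the original article) applies that heuristic to a constructed list of native ETH transfers: it clusters addresses whose first inflow was a gas-sized transfer from the seed address, then totals the external inflows into that cluster. The seed is the e70000 address quoted in the article; because the article only gives the prefixes 0x5Ae6 and 0x768a, the sub-addresses, victims and amounts here are invented stand-ins.

```python
from collections import defaultdict
from decimal import Decimal


def eth(amount: str) -> int:
    """Convert a decimal ETH string to integer wei without float rounding."""
    return int(Decimal(amount) * 10**18)


# Address cited in the article as an Inferno Drainer business address
SEED = "0x0000db5c8b030ae20308ac975898e09741e70000"

# Constructed placeholder addresses (the article's 0x5Ae6 / 0x768a are truncated prefixes)
SUB_A = "0xaaaa000000000000000000000000000000000001"
SUB_B = "0xbbbb000000000000000000000000000000000002"
VICTIM_1 = "0xcccc000000000000000000000000000000000001"
VICTIM_2 = "0xcccc000000000000000000000000000000000002"
VICTIM_3 = "0xcccc000000000000000000000000000000000003"
OTHER_FUNDER = "0xdddd000000000000000000000000000000000001"
UNRELATED = "0xeeee000000000000000000000000000000000001"

# Constructed native ETH transfers: (block, from, to, value_wei). In practice these come
# from a node (internal + external transfers) or an indexer export.
TRANSFERS = [
    (100, SEED, SUB_A, eth("0.05")),              # gas top-up creates a collection address
    (101, SEED, SUB_B, eth("0.05")),
    (150, VICTIM_1, SUB_A, eth("57.54")),         # drained assets (value after DEX swap)
    (160, VICTIM_2, SUB_B, eth("12")),
    (170, VICTIM_3, SUB_A, eth("3.5")),
    (180, OTHER_FUNDER, UNRELATED, eth("0.05")),  # first inflow came from elsewhere
    (190, SEED, UNRELATED, eth("1.0")),           # later and larger: not a gas seed
]


def gas_funded_children(transfers, seed, max_gas_wei=eth("0.2")):
    """Addresses whose first-ever inflow was a gas-sized transfer from `seed`."""
    first_inflow = {}
    for _block, src, dst, value in sorted(transfers):
        first_inflow.setdefault(dst, (src, value))
    return sorted(dst for dst, (src, value) in first_inflow.items()
                  if src == seed and value <= max_gas_wei)


def cluster_inflows(transfers, cluster):
    """Sum value flowing into each cluster address from outside the cluster."""
    totals = defaultdict(int)
    for _block, src, dst, value in transfers:
        if dst in cluster and src not in cluster:
            totals[dst] += value
    return dict(totals)


def trace(transfers, seed):
    """Build the seed's collection cluster and report external inflows into it."""
    children = gas_funded_children(transfers, seed)
    cluster = set(children) | {seed}
    inflows = cluster_inflows(transfers, cluster)
    return children, inflows, sum(inflows.values())


if __name__ == "__main__":
    children, inflows, total = trace(TRANSFERS, SEED)
    print("collection addresses seeded by", SEED)
    for addr in children:
        print(f"  {addr}: {Decimal(inflows.get(addr, 0)) / 10**18} ETH received from outside")
    print(f"cluster total: {Decimal(total) / 10**18} ETH")
```

The 0.2 ETH gas threshold and the "first inflow" rule are assumptions; on real data they produce false positives (exchanges also seed fresh wallets), so an analyst would combine this with the labels of known addresses, as the article does, before attributing a cluster to an operator.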

According to statistics from the Bitrace security team, in the first half of this year these non-contract addresses alone have illegally obtained various assets worth more than 28 million US dollars, of which more than 20 million US dollars has already been laundered and transferred out. This may be only the tip of the iceberg for the entire criminal network.

Money Laundering Techniques

Compared with fake-wallet coin-stealing gangs that target stablecoins such as Tether, this type of Drainer and its users show a more "Crypto Native" side when laundering funds. They prefer to convert illegal proceeds into ETH rather than into more easily settled stablecoins, and they conceal the movement of funds through centralized payment and exchange platforms rather than through traditional money laundering operations ("water rooms").

Taking 0x768a as an example, during the laundering process this address used a large number of centralized and decentralized platforms, including Changenow, eXch, RhinoFi, 1inch, and Gate, to hide the movement of funds.

The address 0x5Ae6, which holds the illegal proceeds of this incident, has not yet started any laundering activity. Bitrace will continue to monitor the address, seek to intercept the funds, and help the victims recover their losses.

Finally, we would like to remind investors once again to verify a project's official website or social media account before taking any action, so as to avoid phishing attacks.