• Source: SlowMist - "Spending small money to catch big fish | Revealing the secret of the 1155 WBTC phishing incident"

  • Author: Liz & Zero & Keywolf

Background

On May 3, according to monitoring by the Web3 anti-fraud platform Scam Sniffer, a whale fell victim to a same-prefix-and-suffix address phishing attack (also known as address poisoning) and lost 1,155 WBTC, worth approximately US$70 million. Although this phishing method has been around for a long time, the scale of the loss in this incident is still shocking. This article analyzes the key points of same-prefix-and-suffix address phishing attacks, the flow of the stolen funds, the hacker's characteristics, and suggestions for preventing such attacks.

(https://twitter.com/realScamSniffer/status/1786374327740543464)

Attack key points

Victim’s address: 0x1E227979f0b5BC691a70DEAed2e0F39a6F538FD5

Victim’s target transfer address: 0xd9A1b0B1e1aE382DbDc898Ea68012FfcB2853a91

Phishing address: 0xd9A1C3788D81257612E2581A6ea0aDa244853a91

1. Phishing address collision: the hacker generates a large number of candidate phishing addresses in advance, in batches, and runs the generator in a distributed manner. Based on the user's on-chain activity, they then select an address whose prefix and suffix collide with the target transfer address. In this incident, the phishing address matched the victim's target transfer address in the first 4 and last 6 hex digits after the 0x prefix.

2. Trailing transaction: about 3 minutes after the user's transfer, the hacker sends a transaction from the colliding phishing address (a transfer of 0 ETH to the user's address), so that the phishing address appears in the user's transaction history.

(https://etherscan.io/txs?a=0x1E227979f0b5BC691a70DEAed2e0F39a6F538FD5&p=2)

3. Taking the bait: because the user was used to copying recent transfer addresses from the wallet history, after seeing this trailing phishing transaction he copied the address without carefully checking that it was the right one. As a result, 1,155 WBTC were sent to the phishing address by mistake.

MistTrack Analysis

Analysis using the on-chain tracking tool MistTrack found that the hacker had exchanged 1,155 WBTC for 22,955 ETH and transferred it to the following 10 addresses.

On May 7, the hacker began moving the ETH out of these 10 addresses. The transfer pattern was consistent: leave no more than 100 ETH in the current address, then split the remainder roughly evenly and forward it to the next layer of addresses. At the time of writing, these funds have not been exchanged for other assets or deposited to any platform. The picture below shows the fund flow from 0x32ea020a7bb80c5892df94c6e491e8914cce2641; open the link in a browser to view the high-resolution image:

(https://misttrack.io/s/1cJlL)

We then used MistTrack to query the initial phishing address in this incident, 0xd9A1C3788D81257612E2581A6ea0aDa244853a91, and found that its gas fees were funded by 0xdcddc9287e59b5df08d17148a078bd181313eacc.

(https://dashboard.misttrack.io/address/WBTC-ERC20/0xd9A1C3788D81257612E2581A6ea0aDa244853a91)

Following this fee-funding address, we can see that between April 19 and May 3 it initiated more than 20,000 small transactions, distributing small amounts of ETH to different phishing addresses.

(https://etherscan.io/address/0xdcddc9287e59b5df08d17148a078bd181313eacc)

From the picture above, we can see that the hacker cast a wide net, so there is almost certainly more than one victim. Through large-scale scanning, we also found other related phishing incidents. The following are some examples:

Taking the phishing address 0xbba8a3cc45c6b28d823ca6e6422fbae656d103a6 from the second incident in the picture above as an example, we traced its fee-funding addresses upwards and found that they overlap with the fee-funding addresses of the 1155 WBTC phishing incident, so the same hacker is very likely behind both.

By analyzing how the hacker moved other proceeds (from the end of March to the present), we also identified another laundering characteristic: funds on the ETH chain are converted to Monero, or bridged to Tron and then transferred to suspected OTC addresses. The hacker may therefore later use the same method to move the proceeds of the 1155 WBTC phishing incident.

Hacker characteristics

Through SlowMist's threat intelligence network, we identified several Hong Kong mobile base station IP addresses used by the suspected hacker (use of a VPN cannot be ruled out).


It is worth noting that even after stealing 1,155 WBTC, the hacker did not appear to be planning to stop.

Following up on the three previously collected parent addresses of phishing addresses (the addresses that fund gas fees for many phishing addresses), we found a common feature: the amount of the last outgoing transaction is significantly larger than the preceding ones. This is the hacker retiring the current parent address and moving its remaining funds to the parent address of a new batch of phishing addresses. The three newly activated parent addresses are still sending funds at high frequency.

(https://etherscan.io/address/0xa84aa841e2a9bdc06c71438c46b941dc29517312)

In subsequent large-scale scans, we discovered two more retired parent addresses. Tracing their sources confirmed that they are associated with the same hacker, so we will not go into details here:

  • 0xa5cef461646012abd0981a19d62661838e62cf27

  • 0x2bb7848Cf4193a264EA134c66bEC99A157985Fb8

This raises the question of where the hacker's funds on the ETH chain came from. The SlowMist security team's tracking and analysis found that the hacker first carried out same-prefix-and-suffix address phishing on Tron; after making a profit there, they moved the proceeds from Tron to the ETH chain and began phishing ETH users. The picture below is an example of the hacker's phishing on Tron:

(https://tronscan.org/#/address/TY3QQP24RCHgm5Qohcfu1nHJknVA1XF2zY/transfers)

On May 4, the victim sent the hacker the following on-chain message: "You win brother, you can keep 10% and then return 90%, and we can pretend that nothing happened. We all know that $7 million is enough to live well, but $70 million will make you sleep poorly."

On May 5, the victim continued to message the hacker on-chain, but had not yet received a reply.

How to defend

  • Whitelist mechanism: save the target address in the wallet's address book, so that the next time a transfer is made the target address is selected from the address book.

  • Enable the wallet's small-amount filter: turning on the wallet's small-amount filtering function hides such zero-value transfers and reduces the risk of being phished. The SlowMist security team analyzed this type of phishing in 2022; interested readers can refer to "SlowMist: Be wary of the TransferFrom zero transfer scam" and "SlowMist: Be wary of the same tail number airdrop scam".

  • Carefully check that the address is correct: when confirming an address, check at least that the first 6 and last 8 digits after the leading 0x are correct. Of course, it is best to check every digit.

  • Test transfer with a small amount: if the wallet only displays the first 4 and last 4 digits of an address by default and the user still insists on using it, consider sending a small test transfer first. If that transfer turns out to be phished, the loss is minor.
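As an added example (not SlowMist's or any wallet's code), the following Python shows how a wallet or a monitoring script could flag the trailing 0 ETH transaction described in the attack key points above and apply the first-6/last-8 digit check recommended here. The two addresses are the real ones quoted in the article; the transaction history is constructed.

```python
from dataclasses import dataclass

# Addresses quoted in the article: the victim's intended target and the phishing lookalike.
TARGET = "0xd9A1b0B1e1aE382DbDc898Ea68012FfcB2853a91"
PHISH = "0xd9A1C3788D81257612E2581A6ea0aDa244853a91"

@dataclass(frozen=True)
class Transfer:
    counterparty: str  # the other side of the transfer, 0x-prefixed hex
    value_wei: int     # 0 marks the attacker's "zero transfer"
    incoming: bool     # True when the counterparty sent to our wallet

def _hex(addr: str) -> str:
    """Lowercase hex digits without the 0x prefix (EIP-55 casing is ignored)."""
    a = addr.lower()
    return a[2:] if a.startswith("0x") else a

def edges_match(a: str, b: str, prefix: int, suffix: int) -> bool:
    """True when a and b agree on the first `prefix` and last `suffix` hex digits."""
    a, b = _hex(a), _hex(b)
    return a[:prefix] == b[:prefix] and a[-suffix:] == b[-suffix:]

def is_lookalike(candidate: str, trusted: str, prefix: int = 4, suffix: int = 6) -> bool:
    """A *different* address that collides with `trusted` on the digits a wallet displays."""
    return _hex(candidate) != _hex(trusted) and edges_match(candidate, trusted, prefix, suffix)

def flag_poisoning(history, address_book, prefix=4, suffix=6):
    """(counterparty, trusted, reasons) for each history entry that is a lookalike of an address-book entry."""
    flags = []
    for tx in history:
        for trusted in address_book:
            if is_lookalike(tx.counterparty, trusted, prefix, suffix):
                reasons = [f"first {prefix}/last {suffix} digits match {trusted}"]
                if tx.incoming and tx.value_wei == 0:  # the trailing 0 ETH transfer
                    reasons.append("zero-value incoming transfer")
                flags.append((tx.counterparty, trusted, reasons))
    return flags

# Constructed wallet history modelled on the incident: the victim's genuine transfer
# to TARGET, then the attacker's 0 ETH trailing transfer from PHISH.
HISTORY = [
    Transfer(TARGET, 10**18, incoming=False),
    Transfer(PHISH, 0, incoming=True),
    Transfer("0x" + "ab" * 20, 5 * 10**17, incoming=True),  # unrelated, constructed
]

if __name__ == "__main__":
    for cp, trusted, reasons in flag_poisoning(HISTORY, [TARGET]):
        print(f"SUSPICIOUS {cp}: {'; '.join(reasons)}")
    for p, s in ((4, 6), (6, 8)):  # the article's 6/8 check separates what a 4/6 display cannot
        print(f"collide on {p}/{s}:", edges_match(TARGET, PHISH, p, s))
```

Running it flags only the phishing address and shows that the two addresses collide on 4/6 digits but not on 6/8, which is why the article recommends checking at least the first 6 and last 8.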

Summary

This article has introduced the same-prefix-and-suffix address phishing method, analyzed the hacker's characteristics and fund transfer patterns, and offered suggestions for preventing such attacks. The SlowMist security team reminds readers that because blockchain data is immutable and on-chain operations are irreversible, users must carefully verify the address before any transfer to avoid losing assets.

Disclaimer

The content of this article is based on data from the anti-money laundering tracking system MistTrack. It aims to analyze publicly available addresses and disclose the results. However, due to the characteristics of the blockchain, we cannot guarantee the absolute accuracy of all data presented here, and we cannot be held responsible for errors, omissions, or losses caused by the use of this article's content. This article also does not constitute a basis for any position or other analysis.


This article is reprinted with permission from SlowMist

This article, "Spending Small Money to Catch Big Fish, SlowMist Reveals the 1155 WBTC Phishing Incident", first appeared in Zombit.