Author: GoPlus
This is the most bizarre and stupid thing I’ve experienced since entering Web3. One sentence after another, “Brother, you are not sincere at all!” and “How could I lie to you?” made me fall into this carefully crafted scam of a beautiful, intelligent, financially intelligent, considerate and friendly woman…
——James, the user whose Web3 wallet was stolen
The Adventures of Rita
More than half a month ago, Rita was looking for a job in Web3 and saw a tweet from a "beautiful boss" named Doris Cao Brown recruiting assistants. The assistant position was unpaid, but it promised a lot of trading knowledge. Rita saw that many real KOLs followed Cao Brown, and she was very tempted. Wanting to learn, she took the initiative to chat with the "beautiful boss" privately. The "boss" told her that when she was a graduate student at Wharton Business School, her professor suggested that she learn about Bitcoin. She and her classmates established the early BitcoinMarket trading platform, but the platform was hacked, more than 20,000 Bitcoins were stolen, and it went bankrupt. Then she began to ask Rita questions: How long had she been in Web3? What was her main job? What were her interests in life? Unexpectedly, this "beautiful boss" turned out to share Rita's interest in yoga and Pilates...
Gradually, Rita was impressed by the "beautiful boss"'s good looks, high emotional intelligence, and high financial intelligence. After being told that she was qualified for the job, she signed up for the assistant position. The next day, the "beautiful boss" began to induce Rita to convert the funds she held on an exchange into ETH, saying that her institution's analysis showed that ETH could rise to 8,000 US dollars in August this year. She then suggested that Rita withdraw the funds to her wallet step by step, and repeatedly urged her to do so. This made Rita suspicious, and she refused to withdraw the funds on the grounds that she had transferred them to a friend for safekeeping. Since then, the "beautiful boss" has not responded.
James's experience of being cheated
James, like Rita, was blinded by the "beautiful boss" image portrayed on Twitter and applied for the assistant position in a private chat. After the successful application, the "beautiful boss" continued to paint a rosy picture for James:
"In the first two weeks, I will give you some funds to learn first, and after two weeks, I will give you 100,000 U. After two months of making money smoothly, I will give you 2 million U to let you officially manage it."
“I’ll show you my smallest wallet has 16 ETH, I can transfer it to you to play with first.”
“My last assistant earned 144 ETH after studying with me and went to Vietnam. I can manage it myself, but I’m too busy…”
What really made James let down his guard was not the temptation, but the "sincerity" of the "beautiful boss". She talked to James about Wang Yangming, funerals, interests and hobbies, her life in Singapore, where she planned to travel and settle down... and they talked all night long.
After James fully trusted her, the "beautiful boss" began to guide him to withdraw his funds to the wallet, and even asked James to take a screenshot of the wallet private key and send it to her on the pretext of teaching him how to issue coins. When James hesitated a little over pledging, the "beautiful boss" began the classic PUA routine:
"You are not sincere at all, you have no integrity, and you are wasting everyone's time."
"I have several other registration assistants vying to come here, but I really want to help you..."
"You don't trust me so much, brother?!"
In this way, James fell for it completely. When the "beautiful boss" proposed that he transfer more funds to "promote block production" and warned him that if he did not transfer the funds, the hardware wallet PIN code would become invalid and the hardware wallet would be damaged, he did not hesitate and transferred his last ETH and BNB. In less than 1 minute, all the funds in the wallet were emptied. From then on, the "beautiful boss" stopped responding to any messages and continued running scams from the carefully packaged Twitter account.
Highlights from the discussion
Martin, founder of Bytehunter: Everyone must learn some basic knowledge of blockchain when interacting on the chain. Block acceleration can only be accelerated by increasing Gas on new transactions or transactions that are still being packaged. Initiating a new transfer will not accelerate the block generation of old transfers. What's even more outrageous is that the PIN code is only a wallet payment verification password, and it is impossible for the hardware wallet to be damaged due to the failure of the PIN; and the private key of the wallet is equivalent to your bank card and password, which is equivalent to your money. Once sent or leaked to others, they will completely control all the funds in the wallet corresponding to your private key. It is very dangerous, so don't do it!
GoPlus Chinese Community: By tracking multiple transfer records of on-chain data, it seems that James was not the only one who was deceived. We also found that the fraudulent address transferred funds to the Wallet Drainer address.
GoPlus Fang Tou Zai: Yes, the funds transferred to Wallet Drainer are likely to be service fees for purchasing fraud toolkits. Web3 fraud is no longer a one-man show now, and has formed a complete and mature industry chain, with multiple attack methods and smooth SOP coordination between upstream, midstream and downstream. Upstream fraudsters are responsible for producing and training Trojans, phishing contracts, and fraud toolkits for applications such as Twitter, email, and Telegram that circumvent different security rules; midstream is a group of people who buy fraud toolkits and carry out fraud. They will immediately use fraud toolkits to create phishing websites when a project is popular or an airdrop is issued; downstream is to collect volume and channel delivery, such as replying to phishing websites on Twitter and Telegram, or pushing advertisements for fake projects and fake airdrops.
Fraud attacks generally pay attention to the input-output ratio. From these one-to-one targeted scams that take a lot of time and energy, the attackers benefit greatly, and the corresponding victims are very vulnerable. We know that North Korea has an official attack team, and there are 5 to 6 top Wallet Drainers in the world. They earn 50 to 60 million US dollars a year from fraud toolkits. This is only a small part of the successful attack. You can imagine how many attackers there are, how many users are deceived, and how huge the amount of loss is. This is terrible. This is an urgent need for Web3 security projects like our GoPlus, and more security research, prevention, interception and theft prosecution for user security scenarios, to comprehensively protect user assets.
GoPlus Chinese Community: Yes, the Wallet Drainer fraud gang’s mature industrial assembly line and refined division of labor allow them to design targeted phishing scams one-on-one. For example, this time the “beautiful boss” used different accounts to play the roles of loli, mature woman, young woman, quantitative institution, MEME project party, etc., targeting all kinds of people.
Martin, founder of Bytehunter: When we were helping James track down his stolen assets, we found that the scammers had transferred the money to a centralized exchange. We immediately contacted the centralized exchange and wanted to freeze the money, but all centralized exchanges require a police case filing certificate to freeze the money. So if your on-chain assets are stolen, how should you save yourself?
The first and most important step is to prevent secondary theft and immediately transfer all remaining assets to a safe wallet;
The second step is to contact security agencies such as GoPlus to trace the flow of stolen funds and block the attacker's address;
The third step is to call the police immediately and try to file a case;
The fourth step is to organize the theft process and the entire evidence chain, such as off-chain evidence: the attacker’s Twitter, chat or video records, and on-chain evidence: the stolen transaction Hash.
Finally, contact the exchange to freeze and retrieve.
Follow-up
After seeing Rita's tweet exposing the whole scam, the scammer who stole photos of beautiful women from Xiaohongshu and disguised himself as "Doris Cao Brown" also tweeted a rebuttal, used a small account to interact and flood the forum, and then immediately launched an airdrop and private placement of the MEME coin "Ekingdog".
A carefully planned serial fraud, rolling forward...
Column Introduction:
GoPlus "Web3 Ghost Stories" is a chat column that shares a "ghost story" of Web3 asset theft in each episode. By unraveling the details of each story, the audience can gain a deeper understanding of the evil spirits and ghosts in the Web3 world, dispel the mystery around them, and avoid risks similar to those in the story.
Space Topic: Web3 job hunting adventure! I happily applied for the position of assistant to a "Web3 boss", but ended up crying when the "boss" emptied my wallet.
Host:
GoPlus Chinese Community: Asking questions on behalf of Web3 “newbies”.
Speaker:
Rita: Ghost story sharer, Web3 job seeker
James: Ghost Story Sharer
Martin: Bytehunter Founder
GoPlus Square Head Boy