Unsuspecting users lost an estimated $1.6 million to a fake cryptocurrency wallet that somehow slipped through Apple's strict app review process in February. Magazine follows a trail of clues on the blockchain to find out who's behind the fake wallet.

The fraudulent app, posing as DeBank's Rabby Wallet, remained on the App Store for four days, siphoning funds from multiple victims before Apple removed it.

“I never once thought it would be a scam since I had complete faith in the Apple App Store. About 20 to 30 minutes later, I opened my Rabby laptop wallet and saw my balance had basically gone to zero,” a fake Rabby wallet victim tells Magazine.

One of the earliest victims to highlight the scam was X user Bthemouth, who reported his funds had been drained to the Rabby Drainer (RD) wallet 0x652…0371F.

Blockchain analysis ties the RD wallet to 0x44Bd9E480, which was initially labeled Konpyl on the NFT marketplace OpenSea. While the account name has since been changed, its original label can still be verified at Arkham Intelligence, a blockchain data platform that tracks OpenSea accounts, among others.

A private investigator, who Magazine has confirmed is collaborating on the case with the authorities, claims that his investigation connects “Konpyl” to a larger web of at least 20 cases, and Magazine has independently confirmed links to seven of those.

The common denominator between this mountain of scams is the Konpyl address.

“He's been doing this for about seven years, [and] he goes after users who put their life savings in some of this stuff, not like the big protocols,” the investigator tells Magazine.

The investigator shared images of Know Your Customer (KYC) records with Magazine, which were allegedly submitted to numerous exchanges by addresses linked to the scams.

The documents seen by Magazine are linked to Konstantin Pylinskiy, the CEO of Dubai-based investment firm Moonward Capital, who uses the X and Telegram handle @konpyl. However, several fake KYC credentials and aliases were also used to open accounts, so Magazine is not suggesting Pylinskiy is Konpyl, just that the name is linked to the accounts.

Initially, Konpyl greeted Magazine on Telegram with “How can I help you?” But when asked to clarify the connection between Konstantin Pylinskiy, the Konpyl online persona and the Rabby wallet scam, he stopped responding.

Magazine has attempted to contact Pylinskiy through alternative channels, but he did not respond.

Moonward Capital also did not respond to Magazine's request to comment on this story.

Magazine has confirmed with a United States government agency that an ongoing investigation is linked to the Konpyl address.

The latest inbound transaction to the Konpyl wallet is from an address flagged with a Fake_Phishing label on Etherscan. Its interaction with Konpyl is the sole outbound transaction.

The fake Rabby Wallet-Konpyl connection

“He had a drain bot in my account,” Bthemouth tells Magazine, referring to an automated script designed to siphon funds. “Even after all these months, it's still active.”

The Rabby Drainer actor takes multiple steps to conceal its tracks, such as splitting criminal proceeds into multiple wallets and using DeFi services to obscure evidence and blend into the crowd.

The scammer then frequently consolidates large amounts of funds into subsequent wallets to deposit in centralized exchanges. Even after such obfuscation efforts, there are connections between RD and Konpyl.

Bthemouth's drained funds went to Rhino, a multichain bridge that the Rabby wallet scammer frequents. The scammer deposited tokens into Rhino and withdrew them through another wallet.

Between February 15 and 18, RD drained several more victims, with most of the proceeds in ERC-20 tokens. On February 19, these tokens were converted to 52 ETH (approximately $151,000 at the time) using DeFi services like Uniswap and 1inch.

Later that day, the funds traveled to wallet 0xCE6A…b2Ac5, which, along with Bthemouth's money and an additional 7 ETH, transferred roughly $173,000 in Ether to Rhino.

Onchain detectives Tay and SomaXBT identified wallet 0x4E93…c71C2 as the Rhino output recipient. It acquired $173,388 in USDT in three transactions, with the first batch arriving around 10 minutes following the initial deposit.

Blockchain records show that the same Rhino output wallet received nearly $100,000 from Konpyl over six monthly transactions between February and July.

These funds eventually make their way to OKX.

The scammer appears to use several exchanges, typically employing more than one deposit address per exchange.

When analyzing wallets suspected of association with hacks, their first inbound transactions often leave important clues to associated wallets. Sometimes, they can show who funded the wallet's gas fees.

But this is not a characteristic of Konpyl-related scams.

“[Konpyl] funds these accounts with victims' wallets,” says the private investigator.

“He'll take from other hacks to fund these hacker wallets, so you have no idea that it's him.”


Rabby Wallet drainer's total damage

Including RD, which drained an estimated $152,257 from victims, there are at least 10 addresses identified by public victim reports. These addresses are responsible for over $1 million in losses after users downloaded February's fake Rabby wallet from the App Store.

The February incident wasn't the first time a fake Rabby wallet appeared on the App Store. Another iteration of the scam used at least two other Konpyl-linked wallets to drain approximately $93,000 from victims in late 2023.

Magazine has confirmed that the older Rabby wallet scam is connected to Konpyl, with fund trails pointing to the same Rhino output address used in Bthemouth's case.

The private investigator tells Magazine that three other suspicious wallets, suspected of being connected to the Rabby wallet scheme, drained $278,872, though these cases weren't publicly reported by victims.

In addition, Magazine is aware of at least three more wallets that weren't part of the Rabby fake wallet scheme but stole funds using other tactics, such as phishing links shared on social media. This trio of wallets also displays connections to Konpyl, using the same OKX deposit address as the Rabby wallet scammer and transferring funds to the Rhino output wallet.

Together, they drained $93,261 from victims, bringing the estimated loss connected to the Rabby fake wallet saga to at least $1.6 million.


Other scams linked to the fake Rabby Wallet

The 2024 Rabby wallet scam is not the first illicit activity with strong blockchain ties to the Konpyl address, blockchain records identified by the private investigator show.

For example, a victim report on Reddit states that a user's funds were drained by wallet 0x00004e9Aba (which we refer to as LS1, for Ledger Scam). A closer look at LS1 reveals deposit strategies similar to those used in the 2024 Rabby fake wallet schemes.

In 2020, LS1 used deposit address 0x05a8a21e6 (YB1) to move funds into the cryptocurrency exchange Yobit. 

LS1 frequently interacts with 0x1111858eB (LS2), sending and receiving over $51,000 of crypto with each other over 14 transactions for a year starting from April 2020.

The two wallets appear to use different deposit addresses on Yobit, as LS2 favors 0x7e17873cE (YB2).

YB2 was regularly used by Konpyl at that time to move funds to Yobit. Konpyl sent over $41,000 of ETH across 23 transactions from September 2020 to February 2021.

YB1 and YB2 are further connected by 0xBd7D…A2DB7. It uses the second deposit address five times for $196,000 in ETH while logging a 2.4-ETH transaction to YB1.

This wallet also has two direct transactions from Konpyl for 6 ETH.
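The two heuristics the article relies on, first-inbound (gas funder) tracing and clustering wallets that share an exchange deposit address, can be reproduced on an exported transaction list. The script below is an added example written for this page, not code from Magazine or from the investigators it quotes; the addresses, blocks and values form a constructed ledger with placeholder names, and the helper names (`first_inbound`, `trace_first_funders`, `cluster_by_deposit`) are hypothetical. It also shows the failure mode the investigator describes: when the first inbound transfer comes from a known victim, the funder heuristic points at a victim rather than the operator, so the deposit-address cluster is the stronger link.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Tx:
    """One transfer, as exported from a block explorer (constructed fields)."""
    block: int
    sender: str
    receiver: str
    value_eth: float


# Constructed sample ledger with placeholder addresses; none are from the article.
EXCHANGE_DEPOSITS: Set[str] = {"0xDEP_A", "0xDEP_B"}   # assumed exchange deposit addresses
VICTIMS: Set[str] = {"0xVICTIM1", "0xVICTIM2"}         # assumed publicly reported victims
TXS: List[Tx] = [
    Tx(90,  "0xGASFUNDER", "0xDRAIN2", 0.01),  # tiny gas top-up before the drain
    Tx(100, "0xVICTIM1",   "0xDRAIN1", 5.0),   # DRAIN1's first inbound is a victim
    Tx(101, "0xDRAIN1",    "0xDEP_A",  4.9),
    Tx(150, "0xVICTIM2",   "0xDRAIN2", 3.0),
    Tx(151, "0xDRAIN2",    "0xDEP_A",  2.9),   # same deposit address as DRAIN1
    Tx(200, "0xOTHER",     "0xHONEST", 1.0),
    Tx(201, "0xHONEST",    "0xDEP_B",  0.5),   # alone on its deposit address: no cluster
]


def first_inbound(txs: List[Tx], wallet: str) -> Optional[Tx]:
    """Earliest transfer into `wallet` by block height, or None if never funded."""
    inbound = [t for t in txs if t.receiver == wallet]
    return min(inbound, key=lambda t: t.block) if inbound else None


def trace_first_funders(txs: List[Tx], wallet: str, max_hops: int = 5) -> List[str]:
    """Walk backwards through first-inbound senders until a wallet has no funder."""
    chain: List[str] = []
    current = wallet
    for _ in range(max_hops):
        t = first_inbound(txs, current)
        if t is None or t.sender in chain:   # stop at the origin or on a loop
            break
        chain.append(t.sender)
        current = t.sender
    return chain


def first_funder_is_victim(txs: List[Tx], wallet: str, victims: Set[str]) -> bool:
    """True when the gas/first funder is a known victim, i.e. the heuristic is poisoned."""
    t = first_inbound(txs, wallet)
    return t is not None and t.sender in victims


def cluster_by_deposit(txs: List[Tx], deposit_addrs: Set[str]) -> Dict[str, List[str]]:
    """Group senders that paid into the same exchange deposit address; drop singletons."""
    by_dep: Dict[str, Set[str]] = defaultdict(set)
    for t in txs:
        if t.receiver in deposit_addrs:
            by_dep[t.receiver].add(t.sender)
    return {d: sorted(s) for d, s in by_dep.items() if len(s) > 1}


def deposit_totals(txs: List[Tx], deposit_addrs: Set[str]) -> Dict[Tuple[str, str], float]:
    """Total ETH each sender pushed into each deposit address."""
    totals: Dict[Tuple[str, str], float] = defaultdict(float)
    for t in txs:
        if t.receiver in deposit_addrs:
            totals[(t.sender, t.receiver)] += t.value_eth
    return dict(totals)


if __name__ == "__main__":
    for w in ("0xDRAIN1", "0xDRAIN2"):
        print(w, "funded by", trace_first_funders(TXS, w),
              "victim-funded:", first_funder_is_victim(TXS, w, VICTIMS))
    print("shared deposit clusters:", cluster_by_deposit(TXS, EXCHANGE_DEPOSITS))
    print("deposit totals:", deposit_totals(TXS, EXCHANGE_DEPOSITS))
```

On the constructed ledger, `0xDRAIN1` traces back only to a victim, so first-funder analysis alone would mislead, while `cluster_by_deposit` still ties `0xDRAIN1` and `0xDRAIN2` together through `0xDEP_A`; on real data the deposit addresses would come from exchange labels on a block explorer, and the cluster is a lead to confirm with the exchange's own records, not proof of common control.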


Investigation into fake Rabby Wallet and other scams continues

“One of my goals is for Apple to get off their ass and go after scammers on their App Store. I reported to Apple months ago but never heard back,” the investigator tells Magazine.

Rival tech giant Google previously set a precedent of responding to such fraud schemes earlier this year when it sued a group of alleged crypto scammers for defrauding more than 100,000 people by uploading dodgy apps on its marketplace Google Play.

Bthemouth has given up on recovery efforts and says he's already done everything that he can.

A victims group was formed early on, but by now, everyone went on with their lives.

“It's a dead end,” Bthemouth says.

But there is still some hope for victims. 

Investigations by law enforcement agencies and private blockchain detectives are ongoing, with Konpyl and associated wallets remaining at the center of suspicion.
