Better Call Saul also suffered a SIM card attack, fake celebrity coins were used to defraud hundreds of thousands of dollars

Original author: ZachXBT, Chain Detective

Original translation: Ismay, BlockBeats

Editor's note: Recently, the convicted British hacker Gurv (Gurvinder Bhangu) has once again attracted attention. He was accused of being involved in the theft of social media accounts of famous actors Sydney Sweeney and Bob Odenkirk. By creating the Solana meme coin scam, these attacks caused a total loss of more than $530,000.

Related reading: "Friend.tech users suffered SIM Swap attacks, is Verizon's SMS verification a security vulnerability?"

The scam used by Gurv was a SIM card swap attack. Last year, crypto user @darengb also claimed that his SIM card was swapped by hackers, resulting in the theft of 22 ETH from his friend.tech account. Some people criticized the insufficient security measures of mobile operators, while others pointed out that phone numbers have inherent security vulnerabilities as a means of authentication. Verizon's related security features and the industry's security measures have also become the focus of discussion. A similar SIM card swap attack even happened to Ethereum co-founder Vitalik.

The following is the original content:

An investigation into convicted UK hacker Gurv (Gurvinder Bhangu) and his connection to the recent thefts of Sydney Sweeney and Bob Odenkirk’s social media accounts revealed that a total of over $530,000 was stolen through the creation of the Solana meme coin scam.

On July 2, Sydney Sweeney’s account was attacked by a SIM swap, and a meme coin link was subsequently posted on his account, causing the price of the coin to rise sharply and then plummet.

In total, the team wallets from the SWEENEY scam sold over $515,000 in assets.

Main team wallet address:

AgySZeAtqM3iSbvMPxv2g94oTd3segx4WdKuFD7M5CEr

jQEaiiAkRGhFoCDnjxn6mmtrksC4EckF38fxkaNMs1j

After cashing out, the hacker began trolling on social media, where they tried to pin the blame for recent events on the likes of Hulk Hogan and 50 Cent, with little evidence to suggest they were responsible for those events as well.

Through time analysis, we can see that the proceeds from the scam were first transferred to an exchange on Solana and then converted into Bitcoin and Ethereum.

Destination address:

0x0350730e4907cd69d1f3cf89f42a58091e397b11

bc1qs2lg3m278cuem2kz6shx6vn9xxzvf8lrd67dp5

bc1qvpjvdjvl98z2uz5dxhv3s32f3eenvjwzdtmlf8

These funds are dispersed on-chain, so we can infer that multiple people were involved.

After the incident, screenshots of Gurv receiving codes to log into Sydney Sweeney's account on Telegram appeared online. These codes were obtained through SIM card swapping. In addition, a receipt from Verizon was attached, showing Sydney Sweeney's SIM card swapping record.

Gurv, a convicted hacker who served a prison sentence in the United Kingdom for breaking into Instagram accounts and extorting users, told law enforcement at the time: “This wasn’t even a crime.”

Further confirmation showed that Gurv was indeed the man in the screenshots. In multiple Telegram groups, he responded to messages using the same Telegram user ID and talked about his experience in prison.

By correlating Ethereum addresses from the Sydney Sweeney SIM swap, we found that 1.5 ETH was sent to an exchange and received on Solana on July 9. Based on this information, we can find another attack carried out by Gurv or his partners.

Source transaction:

0xec0c75bc72bec3804c056e56da52ce8b1e43e2f9e326debaf979a6c61cfab41f

Target transaction:

i1kC4YgDTwfg7zvt5krxbarxdDeVSbk3t7o3jYEDMyBiWhWFEFVjMbD8qtMUQYnvzP1ybJ7ZA4SqZFivAfcUhoK

On July 9, Bob Odenkirk’s (Breaking Bad and Better Call Saul actor) social media account was hacked and a link to a meme coin was posted, just like in the case of Sydney Sweeney. However, this time they screwed up and posted two coins (KIRK and SAUL), so the profit was small.

The proceeds were sent to the same Ethereum address that also funded the Solana address.

Hopefully, UK law enforcement will act quickly and use the wealth of evidence available to hunt Gurv down again. Some of the funds have been transferred to cryptocurrency casinos and used to purchase gift cards.

Currently, funds held in wallets associated with these hacks stand at approximately $488,000.

Funding location:

0x461f8929fc2b039f2917b7556894f21a51b4138a

bc1qs2lg3m278cuem2kz6shx6vn9xxzvf8lrd67dp5

bc1qvpjvdjvl98z2uz5dxhv3s32f3eenvjwzdtmlf8

0x2655770dc11073d8ce90725655862a13c73999fd

0x71d06fa03134fe5fd4b235f448e490e521f00845

Original link