SlowMist receives a large number of requests for help from victims every day, hoping that we can provide assistance in fund tracking and recovery, including victims who have lost tens of millions of dollars. Based on this, this series collects statistics and analyses the stolen forms received each quarter, aiming to analyze common or rare malicious methods with real cases after desensitization, so as to help industry participants learn from them and better protect their assets.
According to statistics, the MistTrack Team received a total of 313 stolen forms in Q3 2024, including 228 domestic forms and 85 overseas forms, which is a decrease compared to Q2. For the Q2 form situation, please refer to SlowMist: 2024 Q2 MistTrack stolen form analysis. We provide free evaluation community services for these forms (Ps. The content of this article only applies to cases submitted from forms, and does not include cases contacted through email or other channels.)
Among them, MistTrack Team assisted 16 stolen customers in freezing approximately US$34.39 million in funds on 16 platforms.
Top 3 reasons for theft
The most common malicious methods in Q3 2024 are as follows:
Private key leakage
Private key leakage ranks high among the reasons for theft in Q3 forms. According to the results, it can be divided into the following categories:
1. Purchasing an account leads to private key leakage
For example, a user purchases a WPS membership, overseas Apple ID, etc. from an untrusted channel, and then records the private key/mnemonic phrase in a memo or document. The seller modifies the account password and detects the private key, putting the user's assets at risk of being stolen.
Users are advised to always purchase accounts from well-known or trusted platforms and not to save important personal information on shareable platforms.
2. Improper storage of private keys
Improper storage of private keys is the most common reason for private key leakage. Let’s take a look at the improper storage methods in Q3:
The private key is saved as a photo in the mobile phone notes/memos/WeChat collection
The mnemonic is saved in the draft box of the mailbox in the form of a QR code
The private key is stored locally or in a cloud document
The private key is saved in xlsx or txt format
Save the mnemonic screenshot in the mobile phone album and transfer it via the cloud
Written on paper, secretly photographed by an acquaintance
The above are all common ways of saving private keys for users who submitted forms in Q3. These behaviors that seem to improve information security actually greatly increase the risk and are easily hacked by hackers or malware, or even targeted by people around them. There was a case where the victim requested assistance from the MistTrack Team after his funds were stolen. As soon as the MistTrack Team evaluated the tracking results, they found that the funds had been transferred back to the victim's address. Later, they learned that it was the victim's friend who was greedy and transferred the funds, but they were always panicked. Under psychological pressure, they returned the funds and apologized to the victim. Therefore, please do not share your private key/mnemonic phrase with anyone, and save it in a safe and reasonable way, such as copying it on paper and storing it in a secure physical location or using a hardware wallet. If electronic storage must be used, make sure the file is strongly encrypted and stored on an offline device.
3. Download fake apps
Cases of asset theft caused by fake wallet apps are already a commonplace, and the fake apps here do not only refer to fake wallet apps.
Case 1: Downloading a malicious app
The victim downloaded the malicious app given by the scammer, which resulted in the modification of permissions and the multi-signing of the TRON address. For information about malicious multi-signing of wallets, please read Web3 Security Beginner's Guide to Avoiding Pitfalls | Risks of Malicious Multi-Signing of Wallets.
The victim downloaded a fake Telegram, and the wallet payment address sent by a friend was tampered with to the hacker's address, resulting in the transfer to the wrong address.
Case 2: Trojan virus
According to the form, most victims were induced by scammers to download malicious applications and were infected with Trojan viruses, resulting in the theft of data and permissions.
For example, scammers sent private messages to users, asking them to download a fake PartyChaos game in the name of providing job opportunities. We understand that this scam has been disclosed by multiple users on X:
Official: partychaos[.]fun
Scammer: partychaos[.]space
One of the victims guessed that this might be a risky program and did not download it immediately, but later accidentally clicked it, resulting in the theft of access rights to all his assets.
There are also cases where victims were defrauded in X and downloaded a vbs script with a virus, which led to theft:
More commonly, scammers impersonate VCs or journalists and send private messages to victims to trick them into downloading malicious video conferencing applications. For example, in one of the forms we received, scammers posed as VCs or journalists and sent private messages to victims, communicating via Telegram. Then, the scammers tricked the victims into making a video call on the video conferencing application WasperAI. Since the victim did not have the application, the scammers sent a link (wasper[.]app) claiming to be the official download link for the application, but it was actually a phishing link, which stole data from the victim's computer, including private keys.
We found that the phishing site was beautifully crafted and had a corresponding GitHub open source project.
In order to make the fake projects more credible, the scammers even designed Watch, Fork, and Star for the open source projects.
Because the information between phishing websites, fake projects, and X accounts echo each other, it looks like a normal project, and it is easy to fall into the trap if you don’t carefully identify it.
We found that this is an organized hacker group that operates in batches, has professional skills and is proficient in social engineering. Sometimes they disguise themselves as project owners, create exquisite project websites, social media accounts, and project open source repositories, and increase the number of followers and write project white papers, which look highly similar to normal projects, causing many victims to think that these are real projects and are therefore attacked.
SlowMist recommends that users be vigilant and remain skeptical before clicking on website links; install well-known anti-virus software such as Kaspersky, AVG, etc. to improve device security. If unfortunately you are infected, please transfer wallet funds as soon as possible and conduct a comprehensive anti-virus check on your personal computer.
4. "Actively" enter the private key
This type of leakage mainly refers to the victim's input of the private key without being vigilant and knowing the reason, which leads to the theft. It can be divided into three categories:
When binding the wallet robot, careful identification was not performed, resulting in the private key being leaked to the fake robot.
When participating in the project, the scammers provide the scripts, the users provide the funds, and the scammers directly steal the output and profits through the private keys.
Users asked questions on Discord and X, and received private messages from fake official personnel, inducing them to visit phishing links and enter private keys.
Again, never disclose your private key at any time. When you encounter problems, you should seek help directly through the regular customer service channels provided by the official website, and do not trust third-party robots or customer service.
fishing
According to analysis, the reason for phishing in many cases of stolen help in Q3 was: clicking on phishing links posted under tweets of well-known projects. Previously, the SlowMist security team conducted targeted analysis and statistics: about 80% of well-known project parties will have the first message in the comment area occupied by fraudulent phishing accounts after posting tweets. We also found that there are some websites that specialize in selling X accounts. These websites sell X accounts of various years and even support the purchase of highly similar accounts. Due to the high similarity with the accounts of the real project parties, many users find it difficult to distinguish between the real and the fake, which further increases the success rate of phishing gangs. Subsequently, the phishing gangs carried out phishing operations, such as using automated robots to follow the dynamics of well-known projects. When the project party posts a tweet, the robot will automatically reply to grab the first comment, thereby attracting more views. Given that the accounts disguised by the phishing gangs are extremely similar to the project party accounts, once the user is negligent and clicks on the phishing link on the fake account, and then authorizes and signs, it may lead to asset losses.
Secondly, there are many cases of theft caused by clicking on phishing websites in the advertising space of search engines. For example, when searching for Rabby Wallet on Google, the top two search results are phishing ads, but the link of the first ad is very abnormal, it shows the official website address of Rabby Wallet. Through tracking, it was found that phishing ads sometimes jump to the real official address rabby.io, and after changing the proxy to different regions many times, it will jump to the phishing address rebby[.]io, and the phishing address will be updated and changed.
In summary, do not trust any advertising addresses displayed in search results! It is recommended that users install the phishing risk blocking plug-in Scam Sniffer to ensure asset and information security. When users open suspicious phishing pages, the tool will pop up risk warnings in time. At the same time, it is recommended that everyone read in depth and gradually master the (Blockchain Dark Forest Self-help Handbook): https://github.com/slowmist/Blockchain-dark-forest-selfguard-handbook/.
Scams
In Q3 user submissions, there was a significant increase in the number of users compromised by fake mining pool scams. According to the descriptions of many victims, scammers pretended to be well-known exchanges to establish fraud groups on Telegram. This kind of fraud group often has thousands of members, making it easy for people to relax their vigilance. When many users search for official accounts on Telegram, they regard the number of people in the group as one of the factors to identify the authenticity of the account. It is true that the number of people in the official group will be larger, but this logic is not necessarily correct when it is reversed. It is unimaginable that a scammer has established a group with tens of thousands of people just to deceive a few "sheep", and even the "chat" in it is just bait. It is worth noting that a group with more than 50,000 people has less than 100 people online.
Another scam is that the scammers first guide users to the fraudulent platform and manipulate the platform data to create the illusion that users are "profitable". However, these profits only exist on the platform display and do not represent the actual increase in assets. At this stage, the user has been deceived by the scammers' "superb" investment ability. Next, the scammers further invite users to participate in mining pool activities and stipulate that users need to recharge 5% or 8% of their total assets in USDT to the recharge account every day to activate the mining pool. In order to obtain dividends and under the pressure of "if you don't continue to recharge, you can't redeem the principal", users continue to recharge the account provided by the scammers.
Secondly, the number of cases of OTC fraud is also increasing.
Final Thoughts
If your cryptocurrency is unfortunately stolen, we will provide free community assistance services for case assessment. You only need to submit the form according to the classification guidelines (funds stolen/fraud/extortion). At the same time, the hacker address you submitted will also be synchronized to the SlowMist Lab threat intelligence cooperation network for risk control. (Note: Submit the Chinese form to https://aml.slowmist.com/cn/recovery-funds.html, and submit the English form to https://aml.slowmist.com/recovery-funds.html)
SlowMist has been deeply involved in the field of cryptocurrency anti-money laundering for many years and has formed a complete and efficient solution covering compliance, investigation and auditing. It actively helps build a healthy cryptocurrency ecosystem and provides professional services to the Web3 industry, financial institutions, regulatory agencies and compliance departments. Among them, MistTrack is a compliance investigation platform that provides wallet address analysis, fund monitoring, and tracking and tracing. It has accumulated more than 300 million address tags, more than 1,000 address entities, 500,000+ threat intelligence data, and 90 million+ risk addresses, all of which provide strong protection for ensuring the security of digital assets and combating money laundering crimes.
Author | Lisa
Editor | Liz
