Dissecting an ingenious crypto wallet draining scam
A massive crypto wallet draining operation has been exposed, having targeted experienced crypto users and industry insiders since December 2022.
Draining over 5,000 ethereum (ETH) and an unknown amount of tokens, non-fungible tokens (NFTs), and coins across 11+ chains, this scam has left the community searching for answers.
Let’s dive into the facts and data surrounding the operation and its impact on the crypto community.
Decoding the scammers’ modus operandi
The attackers have been methodically draining keys, potentially from a cache of data obtained more than a year ago.
They exhibit distinct patterns in their theft and post-theft on-chain movement, often moving assets between multiple victims’ addresses.
Large December 2022 thefts utilized RenBridge, and the final destination for stolen assets is always bitcoin (BTC).
The attackers utilize centralized swappers like FixedFloat, SimpleSwap, SideShift, ChangeNOW, and LetsExchange to launder funds before moving them to privacy-focused mixers like Coinomize, Wasabi, and CryptoMixer.
The commonalities among victims
The victims share some common characteristics, such as having created their keys between 2014 and 2022 and being more crypto-native than most (e.g., having multiple addresses and working in the space).
This scam has not affected any newbies; it has specifically targeted experienced users with a single secret recovery phrase or private key.
To prevent such scams, the crypto community must prioritize education and awareness. Users should avoid keeping all assets in a single key or secret phrase and should migrate to hardware wallets.
Patterns in the timing of the thefts
The wallet draining operation exhibits peculiar patterns in the timing of the thefts. Many of the thefts appear to have occurred on weekends, with notable incidents on Sundays.
Large-scale thefts seem to be scripted, and the dust remaining in the original drained address has been stolen up to 80+ days after the first address was drained.
The attackers’ IPs and user agents (UAs) are quite diverse, often using VPNs, proxies, and other methods to mask their true identity.
The road ahead
By examining the scammers’ methods, commonalities among victims, timing patterns, and understanding the importance of preventive measures, the community can better safeguard its assets.
Collaboration, education, and vigilance are crucial in mitigating risks and restoring confidence in the security of digital assets.