Source: SlowMist Technology – “Revealing the 1155 WBTC Phishing Incident: Catching Big Fish with Small Bait”
Authors: Liz & Zero & Keywolf

Table of Contents
Background
Attack Key Points
MistTrack Analysis
Hacker Characteristics
Defense Measures
Conclusion
Disclaimer

Background
On May 3rd, according to monitoring by the Web3 anti-scam platform Scam Sniffer, a whale fell victim to a phishing attack that used an address with identical first and last digits, losing 1155 WBTC worth approximately 70 million USD. This type of phishing attack has been around for a while, but the scale of the loss in this incident is still shocking. This article analyzes the key points of the identical-first-and-last-digit address phishing attack, the flow of funds and the hacker's characteristics, and gives suggestions for preventing such attacks.

[Image]
(https://twitter.com/realScamSniffer/status/1786374327740543464)

Victim’s address: 0x1E227979f0b5BC691a70DEAed2e0F39a6F538FD5
Target transfer address: 0xd9A1b0B1e1aE382DbDc898Ea68012FfcB2853a91
Phishing address: 0xd9A1C3788D81257612E2581A6ea0aDa244853a91

Attack Key Points
1. Colliding Phishing Addresses: Hackers pre-generate a large number of phishing addresses and run a batch program in a distributed manner. Based on on-chain user activity, they launch phishing attacks using addresses whose first four and last six digits match the target transfer address. In this incident, the hacker used an address that matched the first four digits and last six digits of the victim's target transfer address (after removing the "0x" prefix).

2. Trailing Transactions: Shortly after the user makes a transfer (approximately 3 minutes later in this case), the hacker uses the colliding phishing address to send a "trailing" transaction, transferring 0 ETH from the phishing address to the user's address. This makes the phishing address appear in the user's transaction history.

[Image]
(https://etherscan.io/txs?a=0x1E227979f0b5BC691a70DEAed2e0F39a6F538FD5&p=2)

3. Falling for the Trap: Users habitually copy the destination of a recent transfer from the wallet's transaction history. The victim saw the trailing phishing transaction, copied its address without carefully checking that it was correct, and mistakenly transferred 1155 WBTC to the phishing address!

MistTrack Analysis
Using the on-chain tracking tool MistTrack, we discovered that the hacker converted the 1155 WBTC tokens into 22955 ETH and transferred them to the following 10 addresses.

[Image]
On May 7th, the hacker began transferring the ETH on these 10 addresses. The pattern of fund transfers is characterized by leaving no more than 100 ETH in the current address, roughly evenly splitting the remaining funds, and then transferring to the next layer of addresses. Currently, these funds have not been converted to other currencies or transferred to platforms. The following image shows the fund transfer situation on 0x32ea020a7bb80c5892df94c6e491e8914cce2641. Click the link to view the high-resolution image in the browser.

[Image]
(https://misttrack.io/s/1cJlL)

Continuing with our investigation, we used MistTrack to search for the initial phishing address 0xd9A1C3788D81257612E2581A6ea0aDa244853a91 in this incident and found that the source of the transaction fee for this address was 0xdcddc9287e59b5df08d17148a078bd181313eacc.

[Image]
(https://dashboard.misttrack.io/address/WBTC-ERC20/0xd9A1C3788D81257612E2581A6ea0aDa244853a91)

By following the trail of this transaction fee address, we found that between April 19th and May 3rd, this address initiated over 20,000 small transactions, distributing small amounts of ETH to different addresses for phishing purposes.

[Image]
(https://etherscan.io/address/0xdcddc9287e59b5df08d17148a078bd181313eacc)

The above image makes it evident that the hacker cast a wide net, so there is more than one victim. Through large-scale scanning we also found other related phishing incidents; here are some examples:

[Image]

Taking the phishing address 0xbba8a3cc45c6b28d823ca6e6422fbae656d103a6 from the second incident in the above image as an example, by tracing back the transaction fee addresses, we found that these addresses overlap with the transaction fee source addresses of the 1155 WBTC phishing incident. Therefore, they should be the work of the same hacker.

[Image]

By analyzing how the hacker moved other proceeds (from the end of March to the present), we also identified a second money-laundering pattern: ETH on the Ethereum chain is either exchanged for Monero or bridged to Tron and then transferred to suspected OTC addresses. It is therefore possible that the hacker will use the same method to move the profits from the 1155 WBTC phishing incident.

Hacker Characteristics
According to SlowMist's threat intelligence network, we have discovered IP addresses of mobile base stations located in Hong Kong that are suspected to be used by the hacker (the use of a VPN cannot be ruled out):

182.xxx.xxx.228
182.xxx.xx.18
182.xxx.xx.51
182.xxx.xxx.64
182.xxx.xx.154
182.xxx.xxx.199
182.xxx.xx.42
182.xxx.xx.68
182.xxx.xxx.66
182.xxx.xxx.207

It is worth noting that even though the hacker stole 1155 WBTC, they seem to have no intention of quitting. Following the three fee-funding ("mother") addresses collected earlier, which supplied transaction fees to many phishing addresses, we observed a common characteristic: the amount of the last transaction is significantly larger than the previous ones. This is the hacker retiring the current mother address and moving its funds to a new one. At present, the three newly activated addresses are still making high-frequency transfers.
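The two fund-flow signatures described in this analysis, the even-split layering (keep at most 100 ETH, divide the rest roughly evenly across the next layer) and the "last transaction much larger than the previous ones" drain of a fee-funding address, can be turned into simple tracing heuristics. The following is an added example written for this article, not SlowMist's or MistTrack's code; the addresses and amounts are constructed placeholders, and the thresholds (100 ETH residual, 15% tolerance, 10x jump) are assumptions chosen to match the patterns the text describes.

```python
from collections import deque
from dataclasses import dataclass
from statistics import median
from typing import Dict, List


@dataclass(frozen=True)
class Outflow:
    to: str            # recipient address (constructed labels below, not real addresses)
    amount_eth: float  # amount sent in ETH


def is_even_split_layer(balance_eth: float, outflows: List[Outflow],
                        max_residual: float = 100.0, tolerance: float = 0.15) -> bool:
    """True when an address's outgoing batch matches the layering pattern:
    at most `max_residual` ETH is left behind and the rest is split into
    roughly equal parts (each within `tolerance` of the mean)."""
    if len(outflows) < 2:            # a single transfer is not a split
        return False
    sent = sum(o.amount_eth for o in outflows)
    residual = balance_eth - sent
    if residual < 0 or residual > max_residual:
        return False
    mean = sent / len(outflows)
    return all(abs(o.amount_eth - mean) <= tolerance * mean for o in outflows)


def walk_split_tree(outflows_by_address: Dict[str, List[Outflow]],
                    balances: Dict[str, float], start: str,
                    max_depth: int = 4) -> Dict[str, int]:
    """Breadth-first walk from `start` over the outgoing-transfer graph.
    Returns {address: layer depth} for every address whose outgoing batch
    matches the even-split pattern."""
    matched: Dict[str, int] = {}
    queue = deque([(start, 0)])
    seen = {start}
    while queue:
        addr, depth = queue.popleft()
        outs = outflows_by_address.get(addr, [])
        if is_even_split_layer(balances.get(addr, 0.0), outs):
            matched[addr] = depth
        if depth < max_depth:
            for o in outs:
                if o.to not in seen:
                    seen.add(o.to)
                    queue.append((o.to, depth + 1))
    return matched


def rotation_candidates(amounts: List[float], factor: float = 10.0,
                        min_history: int = 5) -> List[int]:
    """Indices of outgoing transfers that are at least `factor` times the
    median of all earlier transfers from the same address. A fee-funding
    address that pays out many small amounts and then one large one (its
    retirement transfer to a successor) shows up as the final index."""
    hits = []
    for i in range(min_history, len(amounts)):
        prior = median(amounts[:i])
        if prior > 0 and amounts[i] >= factor * prior:
            hits.append(i)
    return hits


# Constructed sample graph (labels, not real addresses): the root holds
# 2000 ETH and splits it four ways, one child splits again, another sends
# everything to a single destination.
SAMPLE_BALANCES = {"root": 2000.0, "l1a": 480.0, "l1b": 480.0,
                   "l1c": 480.0, "l1d": 480.0, "l2a": 200.0, "l2b": 200.0}
SAMPLE_OUTFLOWS = {
    "root": [Outflow("l1a", 480.0), Outflow("l1b", 480.0),
             Outflow("l1c", 480.0), Outflow("l1d", 480.0)],   # keeps 80 ETH
    "l1a": [Outflow("l2a", 200.0), Outflow("l2b", 200.0)],    # keeps 80 ETH
    "l1b": [Outflow("single_destination", 480.0)],            # not a split
}

# Constructed fee-funder history: twenty 0.002 ETH fee top-ups, then one
# 3 ETH transfer that drains the address to its successor.
SAMPLE_FEE_FUNDER_AMOUNTS = [0.002] * 20 + [3.0]

if __name__ == "__main__":
    print(walk_split_tree(SAMPLE_OUTFLOWS, SAMPLE_BALANCES, "root"))
    print(rotation_candidates(SAMPLE_FEE_FUNDER_AMOUNTS))
```

On real data the inputs would come from an indexer's per-address transfer lists; the walk stops at addresses that stop splitting, which is where a tracer would expect the next hop (an exchange, a bridge or a swap) to appear.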

[Image]
(https://etherscan.io/address/0xa84aa841e2a9bdc06c71438c46b941dc29517312)

[Image]

In our subsequent large-scale scanning we found two deactivated mother addresses (fee-funding addresses for phishing addresses), and tracing them confirmed their association with the hacker. We won't go into further detail here.

0xa5cef461646012abd0981a19d62661838e62cf27
0x2bb7848Cf4193a264EA134c66bEC99A157985Fb8

At this point, we also raised the question of where the hacker’s funds on the Ethereum chain originated. Through tracking and analysis by SlowMist’s security team, we found that the hacker initially carried out the identical first and last digit address phishing attack on Tron, and after gaining profits, they targeted users on the Ethereum chain and transferred the profits from Tron to Ethereum to continue phishing. The following image shows an example of the hacker’s phishing on Tron:

[Image]
(https://tronscan.org/#/address/TY3QQP24RCHgm5Qohcfu1nHJknVA1XF2zY/transfers)

On May 4th, the victim sent the following message to the hacker on the chain: “You win, brother. You can keep 10% and return the remaining 90%. We can pretend nothing happened. We all know that 7 million dollars is enough for you to live a good life, but 70 million dollars will make you sleepless.”

On May 5th, the victim continued to communicate with the hacker on the chain but has not received a response yet.

[Image]
(https://etherscan.io/idm?addresses=0x1e227979f0b5bc691a70deaed2e0f39a6f538fd5,0xd9a1c3788d81257612e2581a6ea0ada244853a91&type=1)

Defense Measures
Whitelist Mechanism:
Users are advised to save the target address in the wallet’s address book so that they can find it for future transfers.

Enable Small Amount Filtering in Wallets:
Users are advised to enable the small amount filtering function in their wallets to block zero transfers and reduce the risk of falling for phishing attacks. SlowMist’s security team has previously analyzed this type of phishing method in 2022. Interested readers can click the links to view (SlowMist: Beware of TransferFrom Zero Transfer Scams, SlowMist: Beware of Identical Last Digit Airdrop Scams).

[Image]

Carefully Verify the Address:
Users are advised to check at least the first 6 digits and last 8 digits of the address when confirming it. Ideally, every digit should be checked.

Test with Small Transfers:
If the user's wallet displays only the first 4 and last 4 digits of an address by default, and the user insists on using that wallet, they can consider sending a small test transfer first. If they do fall victim, the loss will be minimal.
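The attack key points and the defense measures above both come down to the same check: an address copied from history must be compared against the intended destination in full, not by the abbreviated form a wallet shows. The example below, added for this article and not code from SlowMist or from any wallet, uses the three addresses from the incident to show why a 4/4 display cannot tell them apart while a 6/8 check can, and implements the whitelist lookup, the small-amount (zero-transfer) filter and a pre-send guard. The transfer history is constructed to mirror the incident; its amounts are illustrative.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

HEX = set("0123456789abcdef")


@dataclass(frozen=True)
class Transfer:
    tx_from: str
    tx_to: str
    token: str
    amount: float  # token units; 0.0 for a "trailing" zero-value transfer


def normalize(addr: str) -> str:
    """Lower-case 40-hex-character body without the 0x prefix; rejects malformed input."""
    body = addr.lower()
    if body.startswith("0x"):
        body = body[2:]
    if len(body) != 40 or set(body) - HEX:
        raise ValueError(f"not a 20-byte hex address: {addr}")
    return body


def looks_the_same(a: str, b: str, head: int = 4, tail: int = 4) -> bool:
    """True when a display showing only `head` leading and `tail` trailing
    characters would render a and b identically."""
    na, nb = normalize(a), normalize(b)
    return na[:head] == nb[:head] and na[-tail:] == nb[-tail:]


def is_lookalike(candidate: str, known: str, head: int = 4, tail: int = 6) -> bool:
    """Different address that matches `known` on the first `head` and last `tail`
    characters, the collision pattern used in this incident."""
    return normalize(candidate) != normalize(known) and looks_the_same(candidate, known, head, tail)


def filter_small_amounts(history: List[Transfer], me: str, min_amount: float) -> List[Transfer]:
    """Small-amount filter: hide inbound transfers below `min_amount`, which
    removes zero-value trailing transactions from what the user sees."""
    mine = normalize(me)
    return [t for t in history if not (normalize(t.tx_to) == mine and t.amount < min_amount)]


def flag_history(history: List[Transfer], address_book: Dict[str, str]) -> Dict[str, str]:
    """Map each counterparty that is a lookalike of an address book entry to that entry's label."""
    flagged: Dict[str, str] = {}
    for t in history:
        for party in (t.tx_from, t.tx_to):
            for label, known in address_book.items():
                if is_lookalike(party, known):
                    flagged[party] = label
    return flagged


def check_destination(dest: str, address_book: Dict[str, str],
                      history: List[Transfer], me: str) -> Tuple[str, str]:
    """Pre-send guard: ALLOW only an exact whitelist match; BLOCK lookalikes and
    addresses known solely from a zero-value inbound transfer; WARN otherwise."""
    nd, mine = normalize(dest), normalize(me)
    for label, known in address_book.items():
        if normalize(known) == nd:
            return "ALLOW", f"exact match with address book entry '{label}'"
    for label, known in address_book.items():
        if is_lookalike(dest, known):
            return "BLOCK", f"lookalike of address book entry '{label}' (differs in the middle)"
    if any(normalize(t.tx_from) == nd and normalize(t.tx_to) == mine and t.amount == 0
           for t in history):
        return "BLOCK", "destination is only known from a zero-value inbound transfer"
    return "WARN", "destination not in address book; verify every character before sending"


# Addresses from the incident (from the article); history is constructed.
VICTIM = "0x1E227979f0b5BC691a70DEAed2e0F39a6F538FD5"
TARGET = "0xd9A1b0B1e1aE382DbDc898Ea68012FfcB2853a91"
PHISH = "0xd9A1C3788D81257612E2581A6ea0aDa244853a91"

ADDRESS_BOOK = {"cold-storage": TARGET}
HISTORY = [
    Transfer(VICTIM, TARGET, "ETH", 0.05),  # victim's own transfer to the real target (illustrative amount)
    Transfer(PHISH, VICTIM, "ETH", 0.0),    # trailing zero-value transfer from the lookalike
]

if __name__ == "__main__":
    print(looks_the_same(PHISH, TARGET, 4, 4), looks_the_same(PHISH, TARGET, 6, 8))
    print(flag_history(HISTORY, ADDRESS_BOOK))
    print(check_destination(PHISH, ADDRESS_BOOK, HISTORY, VICTIM))
```

The 6/8 comparison succeeds here only because the attacker matched 4 and 6 characters; the guard therefore treats an exact whitelist match as the only ALLOW and never trusts a partial match, however many characters it covers.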

Conclusion
This article mainly introduces the phishing attack method using identical first and last digit addresses, analyzes the hacker's characteristics and fund transfer patterns, and provides suggestions for preventing such phishing attacks. SlowMist's security team would like to remind users that, because blockchain records are immutable and on-chain operations are irreversible, users must carefully verify addresses before conducting any transaction to avoid asset losses.

Disclaimer
This article is based on data supported by the anti-money laundering tracking system MistTrack and aims to analyze publicly available addresses on the internet and disclose the analysis results. However, due to the nature of blockchain, we cannot guarantee the absolute accuracy of all data, nor can we be held responsible for any errors, omissions, or losses resulting from the use of this article's content. At the same time, this article does not constitute any position or basis for other analyses.


This article is authorized for reproduction by SlowMist Technology.
