Tracing Crypto Scammers by Following Transactions

As mentioned before, there are a lot of victims aside from myself. Reviewing the "Spender" address that shows transactions of moneys stolen from people's wallets, there are now 155 transactions as opposed to 100 transactions captured in the screenshot in my previous post. A lot more wallets are being drained and this will continue if we don't do anything about it.

Can we do anything about it? Is there any way we can identify those scammers and stop them?

From what I know, it is possible to identify them if we can follow the money to a cryptocurrency exchange (e.g. Binance, Coinbase, FTX Exchange, Tether, etc.). In fact, I was able to request Binance Support to lock an account that they identified as their customer. They also gave instructions for law enforcement to contact them to request information on the suspect's identity. Below is a screenshot of what Binance Support told me after I provided them the list of transactions showing that the money that went to them was stolen.

The main evidence I provided to them was the following transaction links:

  1. Stolen out of wallet - https://etherscan.io/tx/0x42607ee181bf40b4327a052ca3835b753e0e46aaaa85fb4d350e41ca218eceeb
  2. Transfer 1 - https://etherscan.io/tx/0x13219558c71b70cee495f6fc4b036f27c1a8e504b907a664b51f41bfa664a6b7
  3. USDT -> USDC - https://etherscan.io/tx/0x8667478a2275823e253f7c71f99af4f575516a7882cb0f7332eacd4625397e31
  4. USDC -> DAI - https://etherscan.io/tx/0x669ad62f5c7d6d0ad881e479b213b6bbbccca6f051c902964489606e046e3d97
  5. DAI -> ETH - https://etherscan.io/tx/0xef0ede571e080d9a090a7a1c2b30a04cefa2c6b874b4a6d37c228a2c9094926b
  6. Transfer 2 - https://etherscan.io/tx/0x05894518dd5672653e4feeb9699b535fa25f26427708403f7d7c1daba05ff8bb
  7. ETH -> USDC - https://etherscan.io/tx/0x6420554b1f0d557a90f2b3418cdf7c1529028dade35db9b41029f643da9b210e
  8. Transfer 3 - https://etherscan.io/tx/0x9299052a644e55b20b61cdd626b3cf0798a039ee0925bc69f66e6a3a4d6c2015
  9. Transfer 4 - https://etherscan.io/tx/0xaa8c462ac29bcd82e294bcaa1d9ae463f47ffb0f52eca8e7734221b6a5ead0f1
  10. Transfer 5 - https://etherscan.io/tx/0xfdbb3e9e58c5ad0906adf6a2923cab254459289707f5fcea77d6e81a232a5b6f
  11. Money went to Binance - https://etherscan.io/tx/0xaddde9e986c969d6d7a5fbdd3abc3f7907fbe5f1347f898627e2d24d3ba18638

We don't have to be crypto experts to do this. Most of us who are familiar with a browser should be able to do what I did: trace where our money went. I will describe how I traced the first amount of money stolen from my brother-in-law's wallet into Binance.

One unique property of blockchain is that all transactions are logged and publicly available on the Internet for everyone to see. Etherscan is one place where we can see these transactions.

Let's begin with the wallet located at: https://etherscan.io/address/0xe00bfc4ed27c68de9fa1b065a4dc719026c61c82#tokentxns

We will trace the money stolen on 10/30/2021, highlighted in orange, above. To follow where that money went, we would click on the transaction link 0x42607ee181bf40b432... to view the transaction details.

To find where the money went next, we need to go to the destination wallet where the money transferred to, 0x95c48b52845a7..., highlighted in orange above. Below is the screenshot from the destination wallet.

Transactions on Etherscan are listed ordered by time, with the most recent first. Thus, we should note the time of the transaction to find it in the list.

From the screenshot above, we can see that the IN transaction (highlighted in green) has the same time, 2021-10-30 0:36:19 (12:36:19 AM), and the same amount as the transaction details page.

More than 2 hours after that, on 2021-10-30 2:58:09, the money was transferred out of the wallet through the transaction 0x13219558c71b70cee4... (highlighted in orange), so we should click on that transaction to continue following the money.

Clicking on the address 0xdfb6cf5e46937b68... would take us to the destination below where we can find the corresponding IN transaction on page 2. There are also 2 other IN transactions that are not yet transferred out.

Below is the OUT transaction that we need to follow next, having the hash value of 0x669ad62f5c7d6d0ad8...:

Note that the amount of this transaction is 99,170, higher than the 91,472 originally stolen from the wallet. This is because this transaction also transferred 2 other amounts (most likely also stolen) with it. Here are the details of that transaction:

This transaction has more details, going back and forth between Tokenlon: PMM and Wintermute 1 until it finally ends at 0xdfb6cf5e46937b68... in USDC. This transaction was not a transfer from one wallet to another, but an exchange from USDT to USDC.

We continued following the money to the transaction list below:

The next transaction to follow is the one highlighted in orange above that included some other amounts from the wallet.

The transaction details show that the money was converted from USDC to DAI, and below is the destination of that transaction.

It is simple enough to follow the next transaction, 0xef0ede571e080d9a09..., highlighted in orange above. This transaction swapped DAI with WETH.

Below is the screenshot of the destination with the OUT transaction to follow, highlighted in orange.

That next transaction was a simple transfer.

Below is the destination of the above transaction.

Of course the next transaction to follow is highlighted in orange above, and we got here:

Following the destination, we got here:

I think by now, we got the idea. Thus, I will just give transaction and destination addresses along with screenshots until we get to Binance.

Transaction 0x9299052a644e55b20b61cdd626b3cf0798a039ee0925bc69f66e6a3a4d6c2015:

Destination 0x7bd8d644aee5dd05abad297ad9af47dd07a4c836

Transaction 0xaa8c462ac29bcd82e294bcaa1d9ae463f47ffb0f52eca8e7734221b6a5ead0f1:

Destination 0x5e752d53afa09eb3da0f283e8c580dc5fc06347c:

Transaction 0xfdbb3e9e58c5ad0906adf6a2923cab254459289707f5fcea77d6e81a232a5b6f:

Destination 0x7e55248995c97da0118dbdfe496fb5420b76157a

Transaction to Binance
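
The same hop-by-hop procedure can be scripted over an exported list of token transfers. The sketch below is an added example, not part of the original post: the wallet names, transaction ids and exchange label are constructed placeholders, and it assumes the funds are never split into smaller amounts along the way.

```python
from collections import namedtuple
from datetime import datetime

Row = namedtuple("Row", "tx time src dst token amount")

def row(tx, time, src, dst, token, amount):
    return Row(tx, datetime.fromisoformat("2021-10-30 " + time), src, dst, token, amount)

# Constructed token-transfer export. Wallet names and tx ids are placeholders;
# only 91,472 / 99,170 and the first two timestamps are taken from the post.
LEDGER = [
    row("tx5", "06:00:00", "hopC", "exch", "USDC", 99150),
    row("tx4", "05:00:00", "hopB", "hopC", "USDC", 99150),
    row("tx3", "04:00:00", "dex", "hopB", "USDC", 99150),    # swap, leg in
    row("tx3", "04:00:00", "hopB", "dex", "USDT", 99170),    # swap, leg out
    row("txb", "03:05:00", "other2", "hopB", "USDT", 3698),  # other deposit
    row("txa", "03:00:00", "other1", "hopB", "USDT", 4000),  # other deposit
    row("tx2", "02:58:09", "hopA", "hopB", "USDT", 91472),
    row("txd", "01:00:00", "hopA", "misc", "USDT", 500),     # unrelated small OUT
    row("tx1", "00:36:19", "victim", "hopA", "USDT", 91472),
]
EXCHANGES = {"exch": "Binance"}  # address -> explorer label (constructed)

def trace(ledger, start_tx, exchanges):
    """Follow funds hop by hop. Returns (steps, exchange label or None)."""
    rows = sorted(ledger, key=lambda r: r.time)  # explorers list newest first
    cur = next(r for r in rows if r.tx == start_tx)
    steps = [("transfer", cur.tx)]
    wallet, token, amount, since = cur.dst, cur.token, cur.amount, cur.time
    while wallet not in exchanges:
        # Next OUT: same token, later than arrival, at least the tracked amount
        # (it may be larger when other deposits are sent along with it).
        out = next((r for r in rows if r.src == wallet and r.token == token
                    and r.time > since and r.amount >= amount), None)
        if out is None:
            return steps, None  # funds have not left this wallet yet
        # A swap returns a different token to the same wallet in the same tx.
        back = next((r for r in rows if r.tx == out.tx and r.dst == wallet
                     and r.token != token), None)
        if back:
            steps.append(("swap", out.tx))
            token, amount, since = back.token, back.amount, back.time
        else:
            steps.append(("transfer", out.tx))
            wallet, amount, since = out.dst, out.amount, out.time
    return steps, exchanges[wallet]

if __name__ == "__main__":
    print(trace(LEDGER, "tx1", EXCHANGES))
```

The ordered list of steps it returns is the same kind of evidence chain as the numbered transaction links given to the exchange earlier in this post.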
