Bounty King: Investigation Series follows a team of skilled investigators as they navigate the dark world of cybercrime, uncovering hidden digital trails and solving complex mysteries with the power of AI and blockchain technology. Each case takes them deeper into the realm of online fraud, crypto hacks, and digital heists, where bounties fuel the relentless pursuit of truth. With every investigation, they piece together the puzzle—tracing lost assets and exposing the individuals behind the screens. It’s a journey of persistence, intelligence, and teamwork, where every clue brings them one step closer to justice in an ever-evolving digital landscape.

The Bybit hacker is currently laundering funds through platforms like the Exch exchange, Chainflip, and Thorchain, converting assets into BTC, ETH, and TRON USDT. Since many teams worldwide are already tracking the money laundering process and sharing similar information, we will focus on profiling rather than on the laundering activity itself.

According to on-chain investigator ZachXBT, one address, 0x33d057af74779925c4b2e720a820387cb89f8f65, has been linked to transactions from a previous hacking incident involving Phemex, which was connected to the Lazarus Group. We will dig deeper into this connection.

Source: https://x.com/zachxbt/status/1893211577836302365

We have verified this information and found it to be credible. While many new addresses are being used for money laundering, this particular address is not new: its first transaction dates back to November 2024. Looking at its deposit and withdrawal patterns, it appears to be an automated address within a money laundering cluster, which suggests that some of the laundered funds have overlapped with addresses previously used for laundering. Based on this, we assume that this wallet is part of an automated money laundering cluster.

We are now analyzing the patterns of other wallets linked to this address. During this analysis, we discovered something unusual. We found that 0x33d057af74779925c4b2e720a820387cb89f8f65 also exists on BSC (Binance Smart Chain) and decided to trace the movement of BNB backward. By doing so, we were able to track the reverse flow (Figure 1) as follows:

0x33d057af74779925c4b2e720a820387cb89f8f65 → 0x9d636e330abef7a34fbb079580e6c3d20b4dd3cc → 0x543568d6c7b41537eb0bb9ed455e77949f0892ae

Figure 1: Reverse Tracking

We observed the following transactions:

0x543568d6c7b41537eb0bb9ed455e77949f0892ae → 0x9d636e330abef7a34fbb079580e6c3d20b4dd3cc
0.72 BNB sent on 2025-02-19 at 04:50 AM (UTC)
TX: 0x60701fdd9a31edde197316df50068b002472e430d7b412e495a71f94c1401661

0x9d636e330abef7a34fbb079580e6c3d20b4dd3cc → 0x33d057af74779925c4b2e720a820387cb89f8f65
0.72 BNB sent on 2025-02-19 at 08:55 AM (UTC)
TX: 0xaf1fd305f297b1b723835c1800d5cff351ee0210a0ddd16236f6ef0d0f0bc4a2

Both wallets show patterns commonly associated with relay wallets used in money laundering. For example, each wallet has only five transactions in total, with small amounts being transferred, which is a typical characteristic of temporary relay wallets used for one-time fund transfers.

Figure 2: Relay Wallet Pattern
Source: BSCScan, https://bscscan.com/address/0x9d636e330abef7a34fbb079580e6c3d20b4dd3cc

Continuing our investigation from 0x543568d6c7b41537eb0bb9ed455e77949f0892ae, we found that some funds within this money laundering cluster were received from two centralized exchanges (Figure 3), CoinEx and Gate.io.

Figure 3: CEX Connection for Fund Deposits to the Cluster

The complete transaction trail is as follows. Wallet 0x17eef0f69e0cf668ab51b75aab5b944ca09fb3e0 received a total of 1.2738 BNB from Gate.io and CoinEx:

Gate.io → 0x17eef0f69e0cf668ab51b75aab5b944ca09fb3e0
0.46 BNB sent on 2025-02-12 at 11:39 PM (UTC)
TX: 0xf1c6f53328e13ab82ec754e3292e718ae8d783c4f6c00c0c1dd396979300a178

CoinEx → 0x17eef0f69e0cf668ab51b75aab5b944ca09fb3e0
0.81 BNB sent on 2025-02-10 at 19:26 (UTC)
TX: 0xbf063a7f3bafeacbfc190b2739e58f822c98018b5bf732a3aef9e1004f5e1d24

To gather more details, cooperation from the CEXs is required to obtain IP logs, KYC data, and further transaction records. This should be coordinated with law enforcement for verification and further investigation.

Here is the continued transaction trail (Figure 4) from 0x17eef0f69e0cf668ab51b75aab5b944ca09fb3e0:

Figure 4: Full Trail for Reverse Tracking

Here is a structured breakdown of the transaction history:

1) 0x17eef0f69e0cf668ab51b75aab5b944ca09fb3e0 → 0x8fa78148eabcda855f84e98d6568ce9f93c5c8ce
Amount: 0.10 BNB
Date: 2025-02-11 at 06:02 AM (UTC)
TX: 0xaba91fc1a940dc1cfe3ef3a88f0a0b11aaf0451dc914680c13d10a2eb3f0ec6c

2) 0x8fa78148eabcda855f84e98d6568ce9f93c5c8ce → 0x672ee9a8db4ce9787752f7ca34b85a1d30f69572
Amount: 0.09 BNB
Date: 2025-02-13 at 04:40 AM (UTC)
TX: 0xc37c888605d24a16ca083e0ed13e47eba3946ca1840f80c5e5ca2f37d1346db5

3) 0x672ee9a8db4ce9787752f7ca34b85a1d30f69572 → 0xd9cbf4290651ef7f8b4571a55167a414619bd15b
Amount: 0.05 BNB
Date: 2025-02-13 at 05:24 AM (UTC)
TX: 0x29cb21f7bc3bd4686bd6d055a216663eb893c7bccfc362506d9be7c2d9e0f437

4) 0xd9cbf4290651ef7f8b4571a55167a414619bd15b → 0x543568d6c7b41537eb0bb9ed455e77949f0892ae
Amount: 0.05 BNB
Date: 2025-02-17 at 02:15 AM (UTC)
TX: 0xbf380e69478f585694cd80ed257e11a7be692511a0da03cf90abbb7e7fcafb7e

5) 0x543568d6c7b41537eb0bb9ed455e77949f0892ae → 0x9d636e330abef7a34fbb079580e6c3d20b4dd3cc
Amount: 0.05 BNB
Date: 2025-02-19 at 04:50 AM (UTC)
TX: 0x60701fdd9a31edde197316df50068b002472e430d7b412e495a71f94c1401661

Summary

The original transaction of 0.10 BNB was sent from 0x17eef0f6 to 0x8fa78148. The same amount was immediately transferred to 0x672ee9a8. Then, 0.05 BNB was split off and sent to 0xd9cbf429 on Feb 13. That 0.05 BNB was further transferred to 0x543568d6 on Feb 17. Finally, it was moved to 0x9d636e33 on Feb 19.

This means the initial 0.10 BNB transaction was divided into two 0.05 BNB transfers, and one of those portions moved through multiple addresses. This pattern indicates layering in the money laundering process, where small amounts are moved between multiple addresses to obscure the original source of funds.

The wallets linked to 0x672ee9a8db4ce9787752f7ca34b85a1d30f69572 show some distinct characteristics compared to typical relay wallets. As seen in the transaction patterns, many small incoming transactions of 0.016 BNB are received from various addresses. These funds are then consolidated into larger amounts such as 0.3 BNB, 0.6 BNB, and 2.354 BNB before being sent out.

This pattern suggests that the wallet might be used for fund aggregation (Figure 5), where small amounts from multiple sources are collected and then distributed in larger transactions. Such behavior is often observed in cases related to money laundering, transaction obfuscation, or automated fund processing. However, further analysis would be needed to determine the exact intent behind these transactions.

Figure 5: Fund Aggregation Pattern

Expanding on this pattern, the transaction flow can be visualized as follows: on the left side, numerous addresses send small amounts of BNB (e.g., 0.016 BNB) into the wallet. These small transactions are then collected and consolidated before being sent out in larger amounts on the right side (e.g., 0.3 BNB, 0.6 BNB, 2.354 BNB). This structure suggests a fund aggregation mechanism, where multiple small inputs are gathered and then processed into larger outgoing transactions.

This pattern is commonly seen in:
Mixing services attempting to obscure the origin of funds
Money laundering activities using structured deposits and withdrawals
Automated fund distribution for services or payouts

Further investigation into the sources of these small deposits and the destinations of the larger transactions would be necessary to understand the true purpose of this activity (Figure 6).

Figure 6: Full Visual of Fund Aggregation Pattern

When dealing with such a high volume of transactions, it becomes difficult to manually analyze and track all the movement patterns. This is where an AI investigator can be extremely useful.

Figure 7: AI Investigator Support

The AI Investigator's full analysis of wallet 0x672ee9a8db4ce9787752f7ca34b85a1d30f69572 suggests potential money laundering activity based on the following transaction patterns.

AI Investigator response:

Upon analyzing the transaction data for the origin address 0x672ee9a8db4ce9787752f7ca34b85a1d30f69572, several patterns emerge that could be considered suspicious or indicative of potentially fraudulent or unusual activity:

High Frequency of Small Incoming Transactions: There is a noticeable pattern of numerous small incoming transactions (negative depths) from various addresses. These could be indicative of a dusting attack, where small amounts of cryptocurrency are sent to a wallet by an attacker in an attempt to deanonymize the wallet by linking it to other accounts or to engage in a phishing attack.

Repeated Transactions Between the Same Addresses: There are several instances where the same addresses appear multiple times in the transaction list, both sending to and receiving from the origin address. For example, address 0x1d3146598721f9380fd3860e960602b782288b7a appears multiple times in both incoming and outgoing transactions with similar amounts. This could suggest a pattern of cycling funds, which might be an attempt to obfuscate the movement of funds (a technique often used in money laundering).

Timing of Transactions: If the transactions are occurring at regular intervals or at specific times that coincide with certain events, this could indicate automated behavior or timing the transactions to avoid detection during low-traffic periods.

Similar Transaction Amounts: Transactions that are consistently for similar amounts, especially if they are just below reporting thresholds, could be indicative of structuring, a technique used to avoid triggering legal reporting requirements and scrutiny.

Rounded Transaction Amounts: Many transactions are for rounded amounts of BNB (e.g., 0.1 BNB, 0.5 BNB), which is unusual for regular transactions but common in artificial transaction patterns.

Direct Reversal of Transactions: Some transactions appear to be directly reversed shortly after they occur. For instance, address 0x1d3146598721f9380fd3860e960602b782288b7a sends 0.1 BNB to the origin and then receives a similar amount back. This could be indicative of wash trading, where an entity trades with itself to create misleading market activity.

Use of Multiple Addresses: The use of a large number of receiving and sending addresses in relation to the origin address could indicate an attempt to disguise the true source or destination of the funds through address hopping.

It is important to note that while these patterns can be indicative of suspicious activity, they do not provide conclusive evidence of wrongdoing. Each pattern would need to be investigated more thoroughly in the context of additional information outside of this dataset. Identifying suspicious patterns is the first step, and each observation would require further analysis and context to determine if there is indeed fraudulent or illegal activity occurring.

Conclusion

To summarize, automated mixing clusters consist of multiple types of wallets, each serving a different role. Some of the identified funds were deposited from Gate.io and CoinEx, indicating potential exchange interaction. With this information, Bybit should collaborate with law enforcement agencies for further investigation.

Within these clusters, different wallets serve specific functions:
Relay Wallets: Used to transfer funds without holding them for long.
Storage Wallets: Hold a portion of the funds temporarily.
Distribution Wallets: Collect and redistribute funds.

If overlapping patterns emerge among these wallets, there is a high probability that they are linked to the same group, similar to what ZachXBT described in the Phemex hacking case.

However, based on our extensive investigations, while on-chain data may suggest these wallets belong to the same group, hacking groups and money laundering networks often operate separately. Multiple organizations frequently collaborate to facilitate illicit transactions, making it essential to conduct deeper profiling to determine which individuals or entities are involved.

We will continue to investigate this case and update the community as we gather more insights.
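As an added illustration (not code from the post or from ChainBounty), the following Python script reconstructs the reverse trace above and applies the relay, storage, aggregation and distribution roles from the conclusion to a transfer list constructed from the trail in the post; the addresses behind the 0.016 BNB deposits and all thresholds are assumptions.

```python
"""Wallet-role heuristics for the BSC laundering cluster described above.

Added example; not code from the post or from ChainBounty. The transfer list is
constructed from the trail in the post (addresses, BNB amounts, UTC times) plus
made-up addresses for the 0.016 BNB deposits. All thresholds are assumptions.
"""

# Addresses quoted in the post.
A17EEF = "0x17eef0f69e0cf668ab51b75aab5b944ca09fb3e0"
A8FA78 = "0x8fa78148eabcda855f84e98d6568ce9f93c5c8ce"
A672EE = "0x672ee9a8db4ce9787752f7ca34b85a1d30f69572"
AD9CBF = "0xd9cbf4290651ef7f8b4571a55167a414619bd15b"
A54356 = "0x543568d6c7b41537eb0bb9ed455e77949f0892ae"
A9D636 = "0x9d636e330abef7a34fbb079580e6c3d20b4dd3cc"
A33D05 = "0x33d057af74779925c4b2e720a820387cb89f8f65"

# Constructed sample: (sender, receiver, amount_bnb, "YYYY-MM-DD HH:MM" UTC).
# Exchange deposits carry the exchange label instead of an address.
TRANSFERS = [
    ("CoinEx", A17EEF, 0.81, "2025-02-10 19:26"),
    ("Gate.io", A17EEF, 0.46, "2025-02-12 23:39"),
    (A17EEF, A8FA78, 0.10, "2025-02-11 06:02"),
    (A8FA78, A672EE, 0.09, "2025-02-13 04:40"),
    (A672EE, AD9CBF, 0.05, "2025-02-13 05:24"),
    (AD9CBF, A54356, 0.05, "2025-02-17 02:15"),
    (A54356, A9D636, 0.72, "2025-02-19 04:50"),
    (A9D636, A33D05, 0.72, "2025-02-19 08:55"),
]
# Constructed aggregation traffic around 0x672ee9...: forty 0.016 BNB deposits
# from distinct made-up addresses, later consolidated into larger withdrawals.
TRANSFERS += [(f"0xa{i:039x}", A672EE, 0.016, "2025-02-12 10:00") for i in range(40)]
TRANSFERS += [(A672EE, f"0xb{i:039x}", amt, "2025-02-14 09:00")
              for i, amt in enumerate((0.3, 0.6, 2.354))]


def reverse_trace(transfers, target, max_hops=10):
    """Walk the funding path backwards from `target`.

    At each hop follow the latest inbound transfer that precedes the transfer
    just followed, stopping at a labelled entity (an exchange deposit).
    Returns the addresses in reverse order, target first.
    """
    chain, current, before = [target], target, None
    for _ in range(max_hops):
        inbound = [t for t in transfers
                   if t[1] == current and (before is None or t[3] < before)]
        if not inbound:
            break
        sender, _, _, when = max(inbound, key=lambda t: t[3])
        chain.append(sender)
        if not sender.startswith("0x"):   # reached a CEX: KYC/IP logs live off-chain
            break
        current, before = sender, when
    return chain


def classify_wallet(transfers, addr, dust=0.02):
    """Assign one of the roles the post describes, or 'unknown'.

    relay        - five or fewer transfers, funds pass straight through
    storage      - few transfers, most of the inflow is retained
    aggregation  - many dust-sized deposits consolidated into larger outflows
    distribution - few inflows fanned out as many equal-sized outflows
    """
    ins = [t for t in transfers if t[1] == addr]
    outs = [t for t in transfers if t[0] == addr]
    if not ins or not outs:
        return "unknown"
    in_total = sum(t[2] for t in ins)
    out_total = sum(t[2] for t in outs)
    total_txs = len(ins) + len(outs)
    if total_txs <= 5 and out_total >= 0.85 * in_total:   # 15% slack for gas
        return "relay"
    if total_txs <= 5 and out_total < 0.5 * in_total:
        return "storage"
    dust_share = sum(1 for t in ins if t[2] <= dust) / len(ins)
    if len(ins) >= 10 and dust_share >= 0.8 and max(t[2] for t in outs) > 10 * dust:
        return "aggregation"
    distinct_out = {round(t[2], 6) for t in outs}
    if len(outs) >= 10 and len(ins) <= 3 and len(distinct_out) <= 2:
        return "distribution"
    return "unknown"


def cluster_report(transfers, target):
    """Trace back from `target` and label every wallet on the path."""
    path = reverse_trace(transfers, target)
    return [(a, classify_wallet(transfers, a) if a.startswith("0x") else "exchange")
            for a in path]


if __name__ == "__main__":
    for addr, role in cluster_report(TRANSFERS, A33D05):
        print(f"{addr[:10]:<12} {role}")
```

The trace stops at the CoinEx label because the next hop (who funded the exchange account) only exists in the exchange's own records, which is why the post asks for CEX cooperation.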
The Bybit Hack: A Wake-Up Call for Crypto Security

The crypto world was shaken in February 2025 when Bybit, a major centralized exchange (CEX), suffered the largest hack in history. Attackers exploited vulnerabilities in Bybit’s security system, stealing approximately $1.4 billion worth of Ethereum (ETH) from its cold wallet. This incident surpasses previous record-breaking hacks, including the Ronin Network breach in 2022 and the WazirX attack in 2024.

Inside the Attack: How Hackers Stole $1.4 Billion

The Bybit hack was executed using an advanced social engineering attack. Hackers tricked the exchange’s team into approving a fraudulent transaction that granted them control over the cold wallet. Here’s how it unfolded:

Malicious Transaction Masking – The hackers embedded a hidden smart contract modification inside a seemingly harmless transaction. This transaction appeared to transfer assets from the cold wallet to a legitimate hot wallet.
Signer Deception – The project’s team members, responsible for approving transactions, unknowingly authorized the malicious transaction, believing it to be a routine fund transfer.
Cold Wallet Takeover – Once the transaction was signed and approved, control of the cold wallet was transferred to the attacker, who then moved the stolen assets into their own wallets.
Immediate Fallout – Panic spread across the market as news of the breach emerged, leading to a decline in Bitcoin and other cryptocurrencies. Traders quickly adjusted their positions amid the uncertainty.

Bybit’s CEO, Ben Zhou, swiftly addressed the situation, reassuring users that the compromised cold wallet was an isolated case and that customer funds would be restored through Bybit’s reserves.

Breaking Down the Tech: Cold Wallets, Hot Wallets, and Multi-Signature Security

To understand how this attack was possible, it’s crucial to differentiate between key crypto storage methods:

Cold Wallets: Offline storage solutions offering higher security by keeping assets disconnected from the internet.
Hot Wallets: Online wallets providing convenient access but exposing funds to hacking risks.
Multi-Signature (Multi-Sig) Wallets: Require multiple approvals to execute a transaction, adding an extra layer of security.

Despite Bybit’s use of a multi-signature cold wallet, the attackers manipulated the approval process, effectively bypassing its security measures.

Lessons from the Bybit Hack: How to Stay Safe

The Bybit breach highlights the growing sophistication of crypto hacks and reinforces the need for enhanced security practices. Here’s what we can learn:

Beware of Social Engineering Attacks – Hackers often manipulate trusted individuals into granting unauthorized access. Always verify transaction details carefully.
Strengthen Security Protocols – Even multi-signature wallets are vulnerable if signers can be tricked. Additional verification steps, like hardware authentication, should be implemented.
Routine Security Audits – Continuous monitoring of smart contracts and transaction approvals can help identify vulnerabilities before they are exploited.
Use Hardware Wallets for Maximum Security – Users concerned about exchange security should consider moving funds to hardware wallets for enhanced protection.
Community Vigilance Matters – Crypto investigators, like ZachXBT, play a key role in tracking stolen funds and raising awareness of security risks.

The Future of Crypto Security: What’s Next?

This attack serves as a wake-up call for the entire crypto industry. Moving forward, exchanges must adopt:

Multi-Party Computation (MPC) Technology – A more advanced security mechanism that reduces the risks associated with multi-signature wallets.
Stronger Authentication Measures – Two-factor authentication, biometric verification, and AI-powered fraud detection should become standard.
Regulatory Compliance – Defined security guidelines can help exchanges maintain higher protection standards for users.
Education & Awareness – Users must remain informed about security threats and best practices to safeguard their assets.

Final Thoughts: Strengthening Crypto’s Security Future

The Bybit hack is a stark reminder of the risks associated with digital currencies. As crypto adoption grows, so do the threats. The industry must prioritize security enhancements, and users should stay vigilant to protect their investments. By working together—exchanges, developers, and the community—we can build a safer and more resilient crypto ecosystem.
Live tracking updated!

The stolen ETH is currently being laundered, and the activity is being monitored in real time through the Bybit Hack 2025 live dashboard.

Live Tracking Dashboard

Monitoring is free—anyone can sign in with a Google account to view the data.

1. Overview of the Incident

On February 21, 2025, Bybit, a leading cryptocurrency exchange, suffered a major security breach, resulting in the theft of approximately $1.4 billion in digital assets. The attackers compromised one of Bybit’s Ethereum cold wallets, which are typically offline and considered more secure than hot wallets.

Due to the urgency of the situation, our immediate priority is tracking the stolen funds. Below are the hacker’s main consolidated addresses.

The primary address, which distributed 401,347 ETH, is:
0x47666Fab8bd0Ac7003bce3f5C3585383F09486E2 (referred to as Hacker 1)

The secondary address, which distributed 98,048.8948 ETH, is:
0xa4b2fd68593b6f34e51cb9edb66e71c1b4ab449e (referred to as Hacker 2)

2. Breakdown of the Stolen Assets

The following amounts have been confirmed as stolen:
401,347 ETH (~$1.12 billion)
90,376 stETH (~$253.16 million)
15,000 cmETH (~$44.13 million)
8,000 mETH (~$23 million)

3. Transaction Analysis of Hacker Address 0x47666Fab8bd0Ac7003bce3f5C3585383F09486E2

Total distributed: 400,001 ETH

Transaction breakdown:
40 transactions of 10,000 ETH each
1 transaction of 1 ETH
Total of 41 transactions

Timeframe of initial movements:
Earliest transaction: 2025-02-21 14:29:47 (UTC)
Latest transaction: 2025-02-21 15:54:23 (UTC)
Total duration: approximately 1 hour and 30 minutes

Among these transactions, 1 ETH was transferred to Hacker 2.

For Hacker 2, a total of 98,048.75 ETH was first transferred to the address 0xdd90071d52f20e85c89802e5dc1ec0a7b6475f92. Following this, the funds were redistributed in 10,000 ETH increments through multiple transactions. The transactions were concentrated within the timeframe of 16:04:23 to 16:05:11 (UTC). It appears that the activity in Hacker 2's wallet began after the transactions from Hacker 1 were completed.

Given the current fund movement pattern, it is highly likely that the stolen assets will be deposited into Tornado Cash for obfuscation.

We will continue our investigation.
We are excited to announce the addition of a new General Discussion category to our community platform. This space is designed to foster open and engaging conversations that may not fit within our existing categories of Blockchain Insight and Cyber Security.

To ensure that our community remains focused, respectful, and aligned with ChainBounty's mission, we have established the following guidelines:

Relevant Content: While the General Discussion category allows for a broader range of topics, we ask that all posts remain pertinent to the overarching themes of our community. Discussions explicitly about token prices, exchange listings, or similar subjects are discouraged. Such posts may be removed to maintain the integrity and focus of our platform.

Respectful Communication: We encourage open and constructive dialogue. Please engage with fellow members respectfully, avoiding any form of harassment, hate speech, or discriminatory remarks.

Content Moderation: Our moderation team reserves the right to remove any content that is deemed off-topic, harmful, or inconsistent with the community's values. Repeated violations may result in further action, including temporary or permanent suspension from the platform.

By adhering to these guidelines, we can create a welcoming and informative environment for all members. We appreciate your cooperation and look forward to the enriching discussions that will emerge in the General Discussion category.

Thank you for being a valued part of the ChainBounty community.

Sincerely,
The ChainBounty Team
The Ionic Hack: $8.8M Heist on the Mode Network

On February 5, 2025, the Ionic platform, operating on the Mode network, suffered a security breach, leading to an estimated loss of $8.8 million. According to security firm QuillAudits, attackers exploited the platform by using unofficial fake LBTC (Lombard BTC) as collateral to secure loans.

X Post: QuillAudits' Analysis

Ionic stated that they are still investigating the incident.

X Post: Ionic’s Update

Analysis of the Hacked Wallet and Fund Movements

First, let's organize the details regarding the hacked wallet and the movement of the associated funds. According to the incident details, the attacker's address is 0x9E34d89C013Da3BF65fc02b59B6F27D710850430, which was used to exploit the smart contract.

Interestingly, before transferring the funds to Tornado Cash, the attacker moved 1,203.651 ETH to 0x15ED470607601274DF6ED71172614B67001901EB, which was then used to funnel the funds into Tornado Cash:

100 ETH was sent directly from 0x9E34d89C013Da3BF65fc02b59B6F27D710850430 to Tornado Cash.
1,203.651 ETH was first transferred to 0x15ED470607601274DF6ED71172614B67001901EB, which subsequently sent the funds to Tornado Cash.

Notably, this intermediary address (0x15ED470607601274DF6ED71172614B67001901EB) received ETH from multiple sources, not just the attacker's wallet (0x9E34d89C013Da3BF65fc02b59B6F27D710850430). Therefore, the attacker’s wallet (0x9E34d89C013Da3BF65fc02b59B6F27D710850430) and the relay wallet (0x15ED470607601274DF6ED71172614B67001901EB) played key roles in moving the stolen assets to Tornado Cash.

Figure 1: Flow of Stolen ETH to Tornado Cash
Source: ChainBounty Track (to be released)

Among them, we identified an interesting characteristic in the wallet used just before depositing the funds into Tornado Cash. The wallet that sent 1,203.65 ETH received funds not only from the attacker's primary wallet (0x9E34d89C013Da3BF65fc02b59B6F27D710850430) but also from several other wallets. Let's examine whether these wallets are also connected to the incident.

Figure 2: Source Flow of Relay Wallet to Tornado Cash
Source: ChainBounty Track (to be released)

The key factor here is timing. If there is a connection, the related wallet must have sent funds before the attacker's wallet (0x9E34d89C013Da3BF65fc02b59B6F27D710850430) made its transaction. In this context, the wallet at the top of the list, 0x9ec235ca191e6d434b7ef70730e7fb726bf50430, appears suspicious. Here's why.

According to UTC timestamps, the attacker's wallet (0x9E34d89C013Da3BF65fc02b59B6F27D710850430) transferred funds to 0x15ED470607601274DF6ED71172614B67001901EB at the following times: starting February 4, 16:21 UTC, the transfer occurred three times within 16 minutes, with a gap of approximately 16 minutes between transactions. This timing pattern suggests that 0x9ec235ca191e6d434b7ef70730e7fb726bf50430 warrants closer examination.

Figure 3: Three Transactions from Attacker Address to Relay Wallet
Source: ChainBounty Track (to be released)

In the meantime, at 16:32, 0.0001 ETH was sent. One might question its significance, but it’s worth examining the possible connection.

Figure 4: Single Transaction from Unknown Address to Attacker
Source: ChainBounty Track (to be released)

Actually, when an incident occurs, the addresses involved often receive these kinds of requests.

Figure 5: Donation Request from Community On-Chain
Source: Etherscan

However, an interesting aspect of 0x9ec235ca191e6d434b7ef70730e7fb726bf50430 is the transaction pattern:

At 16:21, the first 1 ETH was transferred.
At 16:30, an additional 100 ETH was sent.
At 16:32, a small amount of 0.0001 ETH was received.
Finally, the remaining 1,102.65 ETH was transferred.

The increasing amounts (1 → 100 → 1,102.65 ETH) with time gaps suggest a manual operation. Now, the question arises—why was a small amount of ETH transferred in between these manual transactions? There’s no accompanying message as mentioned earlier, but the transaction (TX) details can be found below for reference.

Additionally, the gas fee settings appear to be standard (21,000 | 21,000 (100%)), even for transactions made just before entering Tornado Cash. Using standard gas settings alone doesn’t necessarily indicate a direct connection. However, in most hacking incidents, funds are typically moved along with gas fees to ensure smooth transactions. In this case, the process seems more deliberate and unhurried, which is worth noting.

Figure 6: Transaction Information from Unknown Address to Attacker
Source: Etherscan
Link: https://etherscan.io/tx/0x48e96238a04f4607ec8333c4633d82329708331e351d0dfa558a9503a5ee2781

Tracing Microtransactions: Uncovering Fund Fragmentation

Now, let's trace back the wallet that received the 0.0001 ETH. Interestingly, there is a record of 0.0002 ETH being received from 0x14cb9b0d268556cc4c056801f88cfc2b1a19ce3d. 0.0002 → 0.0001? It seems like the funds are being fragmented, doesn’t it? Typically, when such small transactions follow a pattern in terms of amount and timing, it suggests a deliberate intent behind the transfers.

Figure 7: Small Fund Distribution
Source: ChainBounty Track (to be released)

Both transactions occurred at the same time—16:32 UTC:

0x14cb9b → 0x9ec235 (attacker)
0x9ec235 (attacker) → 0x15ED47 (Tornado Cash deposit address)

Why did this automated transaction occur right when the attacker was transferring funds to Tornado Cash? What was the intent behind it? This address itself is quite interesting. As you can see, it distributes small amounts of funds to multiple wallets.

Figure 8: Suspicious Wallet Distribution
Source: ChainBounty Track (to be released)

What Could This Address Be?

What exactly is its purpose? It appears similar to a gas fee supplier, but so far, no OSINT (Open-Source Intelligence) labels have been identified for it. However, one thing is certain: after one hop, the small amounts of ETH end up in an exchange deposit address.

To investigate further, I will ask AI to analyze which exchange these funds were deposited into between January 1, 2025, and February 5, 2025.

Figure 9: Suspicious Wallet Distribution – AI Investigation
Source: ChainBounty Track (to be released)

The AI explains how it is connected to such a wide variety of transactions. For example, it reveals that Upbit’s user account is linked to these transactions.

Figure 10: Suspicious Wallet Distribution – AI Investigation Findings
Source: ChainBounty Track (to be released)

However, there is still something curious—what exactly is the purpose? Upon closer inspection, the answer becomes clear. By analyzing Upbit’s deposit wallet, we can see that large sums are deposited first, followed by smaller amounts sent to addresses with similar prefixes. This is known as address poisoning, a technique where scammers deposit small amounts into specific addresses after a significant transaction.

Suspicious Transactions Identified During Analysis

The goal of this attack is to trick the wallet owner into mistakenly sending funds to a fake address instead of the intended recipient during a future transaction. Thus, the small amounts received from unidentified addresses confirm that this is part of an address poisoning attack. In this case, at 16:30, after 100 ETH was transferred, the attacker generated a lookalike address (0x9ec235ca191e6d434b7ef70730e7fb726bf50430) within two minutes of the original transaction and then sent a small amount of funds.

Unfortunately, the source of these funds could not be directly linked to the Ionic attacker. However, it has been observed that address poisoning attacks are also targeting stolen funds. A detailed analysis of the identified address poisoning attackers will be provided in a separate series.

Interestingly, most of these attacks are heavily targeting Korean exchange addresses. If attackers are monitoring large ETH movements, it raises the question of why Korean exchange wallets are the primary targets despite the existence of other major exchanges. This trend suggests a deliberate focus on Korean platforms, warranting further investigation.

Additionally, any further findings related to Ionic will be updated accordingly.

Figure 11: Exchange Usage from Arkham Intelligence (Period: 01/02/2025 – 02/01/2025)
Source: Arkham Intelligence
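As an added example (not the post's or ChainBounty's code), this Python detector applies the timing and lookalike logic described above to a ledger constructed from the post's timeline, and adds the pre-send check a wallet owner can run against an address book; the 16:55 timestamp of the final transfer and the dust and similarity thresholds are assumptions.

```python
"""Address-poisoning detection for an ETH transfer history.

Added example, not code from the post or from ChainBounty. The ledger is
constructed from the timeline in the post (addresses, amounts, UTC times);
the time of the last transfer and all thresholds are assumptions.
"""
from datetime import datetime, timedelta

WALLET = "0x9E34d89C013Da3BF65fc02b59B6F27D710850430"     # wallet whose history we inspect
RELAY = "0x15ED470607601274DF6ED71172614B67001901EB"      # its genuine counterparty
LOOKALIKE = "0x9ec235ca191e6d434b7ef70730e7fb726bf50430"  # dust sender from the post

# Constructed ledger: (sender, receiver, amount_eth, "YYYY-MM-DD HH:MM" UTC).
LEDGER = [
    (WALLET, RELAY, 1.0, "2025-02-04 16:21"),
    (WALLET, RELAY, 100.0, "2025-02-04 16:30"),
    (LOOKALIKE, WALLET, 0.0001, "2025-02-04 16:32"),
    (WALLET, RELAY, 1102.65, "2025-02-04 16:55"),   # time assumed; the post gives none
]


def shared_ends(a, b):
    """(leading, trailing) hex characters two addresses share, case-insensitive.

    Wallet UIs usually show only the first and last few characters, so these
    are exactly the positions a poisoner tries to match.
    """
    a, b = a.lower().removeprefix("0x"), b.lower().removeprefix("0x")
    n = min(len(a), len(b))
    prefix = next((i for i, (x, y) in enumerate(zip(a, b)) if x != y), n)
    suffix = next((i for i, (x, y) in enumerate(zip(a[::-1], b[::-1])) if x != y), n)
    return prefix, suffix


def find_poisoning(ledger, wallet, dust=0.001, min_shared=6,
                   window=timedelta(minutes=30)):
    """Flag dust deposits whose sender mimics an address already in the
    wallet's history and that arrive shortly after a large outgoing transfer.
    """
    parse = lambda s: datetime.strptime(s, "%Y-%m-%d %H:%M")
    # Trusted history: the wallet itself, everything it paid, and non-dust funders.
    known = {wallet}
    for s, r, amt, _ in ledger:
        if s == wallet:
            known.add(r)
        elif r == wallet and amt > dust:
            known.add(s)
    alerts = []
    for s, r, amt, when in ledger:
        if r != wallet or amt > dust or s in known:
            continue
        mimic = max(known, key=lambda k: sum(shared_ends(k, s)))
        score = sum(shared_ends(mimic, s))
        if score < min_shared:
            continue   # plain dust, not a visual impostor
        t = parse(when)
        preceding = [x for x in ledger
                     if x[0] == wallet and timedelta(0) <= t - parse(x[3]) <= window]
        big = max(preceding, key=lambda x: x[2], default=None)
        alerts.append({"dust_from": s, "mimics": mimic, "shared_hex": score,
                       "after_transfer": big[2] if big else None})
    return alerts


def recipient_warning(address_book, recipient, min_shared=6):
    """Pre-send check: warn when `recipient` is not in the address book but
    visually resembles an entry, which is how poisoning pays off."""
    if recipient.lower() in {a.lower() for a in address_book}:
        return None
    for trusted in address_book:
        if sum(shared_ends(trusted, recipient)) >= min_shared:
            return f"{recipient} resembles trusted {trusted}; verify every character"
    return None


if __name__ == "__main__":
    for alert in find_poisoning(LEDGER, WALLET):
        print(alert)
    print(recipient_warning([WALLET, RELAY], LOOKALIKE))
```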
First, it would be great if we could post in categories like "General" or "Suggestions" on this community page. I have many questions, but there isn’t a proper place to ask them. Therefore, I apologize for posting in an unrelated category.

Also, I’m unable to log in to MetaMask on my mobile phone. When I scan the QR code, it opens the MetaMask mobile app (Android), and after accepting the permissions, it redirects me back to the page, but I’m still not logged in.

How can I log in to MetaMask on mobile?
Singapore, October 11th 2023 — Navigating through the vast Decentralized Finance (DeFi) and Non-Fungible Token (NFT) space requires sharp awareness and a skeptical eye. An example that underscores this imperative is the recent “Lucky Star Rug Pull” incident that took place on the Binance Smart Chain (BSC) Mainnet. This event, reported by news sources like Cointelegraph and projects like CertiKAlert, entails the unauthorized withdrawal of LSC tokens, subsequently exchanged for BUSD and accumulated at a single address, costing the stakeholders an estimated $1 million.

Our in-house research team at Uppsala Security assessed the case to uncover any noteworthy findings.

Incident Breakdown

The strategy employed by the malicious actor(s) appears rather straightforward yet carefully executed. LSC tokens were illicitly withdrawn, converted to BUSD, and ultimately consolidated into a single address (0x23f8c805306Bf27AB8bf3cEbEce4B778acfFd896). In brief, here’s how the event unfolded:

Withdrawal of LSC tokens from the system
Swap of LSC tokens to BUSD
Consolidation of BUSD at a single address

The wallet addresses involved in this operation, swapping LSC tokens to BUSD and funneling them into the consolidation address, are as follows:

0x9Ef72Ee68a7c841986A0C60e0FDbAE4e27446Deb
0x895c414F17Ef676dd9c18D55D3358D411ba79574
0xFA24FcAff5A51965F762101c2BD4E46302a2Bd64
0x8789DA3886386740DD775C95E18820BEe339a48A

Examining the consolidation address reveals an interesting aspect: it harbors a history of other incoming funds prior to this incident. Could it be a mere coincidence or an intentional confusion tactic? Or does this address serve as a confluence point for funds derived from other criminal activities?

The intersection between multiple streams of incoming funds, presumably from various illicit endeavors, suggests a plausible continuity among them. This intriguing convergence propels an inquiry: is there a common threat actor masterminding multiple cyber-attacks?

Image captured from the Crypto Analysis Transaction Visualization (CATV) Dashboard.

On December 18th 2023, it was observed through CATV that funds were laundered to the known entity MEXC Global Exchange.

The Lucky Star incident serves as a grim reminder for stakeholders, developers, and investigators within the cryptocurrency ecosystem to forge ahead with elevated diligence and skepticism. Deploying advanced security protocols, conducting rigorous smart contract audits, and fostering a culture of security awareness among users are paramount.

About the Crypto Analysis Transaction Visualization (CATV) Tool

The Crypto Analysis Transaction Visualization (CATV), developed exclusively by Uppsala Security’s expert team, serves as a sophisticated yet seamless forensic tool that offers in-depth insights into cryptocurrency transaction flows. This tool is designed to trace both inbound and outbound transactions linked to a specific wallet. CATV empowers users to effectively track, analyze, monitor, and graphically visualize cryptocurrency transactions, highlighting the flow of tokens and their interactions with various entities like exchanges and smart contracts.

About Uppsala Security

Uppsala Security is a leading provider of innovative security tools and services, specializing in Crypto Anti-Money Laundering/Counter-Terrorist Financing (AML/CTF), Transaction Risk Management, Regulatory Compliance, and Transaction Tracking. With a team of experts dedicated to staying ahead of emerging threats, Uppsala Security empowers organizations with the knowledge and tools to safeguard their operations in the fast-paced world of cryptocurrencies.
Singapore, November 1st 2023 — In the ever-evolving landscape of cryptocurrencies, security remains a paramount concern. On October 17th, Cointelegraph published an article on an incident involving one of the Fantom Foundation’s hot wallets, which led to the loss of $550,000 worth of cryptocurrency through a vulnerability in the official Fantom wallet. This is a stark reminder of the vulnerabilities that can be exploited in the digital realm. In this article, however, we will delve into the details of this breach by examining the trajectory of the stolen tokens and the perpetrators’ actions after the incident.

The Fantom Foundation Hot Wallet Hack

The incident, which unfolded a couple of weeks ago, sent shockwaves through the crypto community as it came to light. A few wallets belonging to the Fantom Foundation, a prominent player in the blockchain space, were drained of their assets. The stolen tokens encompassed a wide array of assets, including ETH, USDC, USDT, Frax Share, DAI, OriginToken, Republic, OMG, Livepeer, Shiba Inu, The Graph, LoopringCoin, ChainLink, Quant, WAVES, Aave, Convex Token, Immutable X, SingularityNET, Compound, Request, Curve DAO and more.

The affected tokens found their way to two primary addresses: 0x2F4F1D2C5944Dba74E107d1e8E90e7C1475f4001 and 0x1d93c73d575b81a59ff55958afc38a2344e4f878. The perpetrators executed a series of swaps, converting the stolen tokens into ETH. The consolidated ETH was subsequently transferred to another address, 0x0b1F29DF74A19C44745862ab018D925501FE9596, in an attempt to conceal their trail.

Our investigative team at Uppsala Security initiated an investigation using the Crypto Asset Monitoring Service (CAMS), tracing the origin and movement of the stolen assets. This covered 68 origin hashes, 9 origin wallets and 36 initial tokens, some of which were already mentioned above.

Image captured from the Crypto Asset Monitoring Service (CAMS) Dashboard.

Further details can be found in the CAMS Dashboard as well as the Portal Case.

CAMS, or Crypto Asset Monitoring Service, built by Uppsala Security, is a real-time monitoring solution for overseeing cases related to digital assets. A standout feature is its automated fund monitoring, which reduces the need for manual oversight. CAMS maintains continuous surveillance over transactions, identifies fund movements as they occur and promptly alerts the relevant parties. This boosts operational efficiency and enables swift responses to potential security and compliance issues, making it an essential asset in digital asset management.

The hot wallet hack that affected the Fantom Foundation, like any hack that harms the original asset owners, is a clear reminder of the significance of cybersecurity within the cryptocurrency realm. As the crypto industry continues to evolve, it becomes increasingly crucial for both projects and individuals to remain vigilant and take proactive measures to protect their digital assets. While hackers may have briefly gained an advantage, the unwavering dedication of security experts and the community assures that justice will ultimately prevail in the digital world.

If you have any details about the Fantom Foundation case or would like to cooperate with our team on this investigation, please reach out by filling in this contact form.

About Uppsala Security

Uppsala Security is a leading provider of innovative security tools and services, specializing in Crypto Anti-Money Laundering/Counter-Terrorist Financing (AML/CTF), Transaction Risk Management, Regulatory Compliance, and Transaction Tracking. With a team of experts dedicated to staying ahead of emerging threats, Uppsala Security empowers organizations with the knowledge and tools to safeguard their operations in the fast-paced world of cryptocurrencies.

Disclaimer: This article is meant for informational purposes only and does not constitute financial or legal advice. Always conduct your own research and consult professionals directly.
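Both the Lucky Star and Fantom Foundation posts above describe the same fund-flow shape: several swap wallets funnel proceeds into one consolidation address, and that address turns out to have pre-incident inflows from elsewhere. The following added example (not CATV, CAMS or any Uppsala Security code) shows how an investigator can flag such a sink and separate its pre-incident senders from the incident flow; it uses the addresses quoted in the Lucky Star post, but the transfer list, amounts, timestamps, cutoff date and "0xPLACEHOLDER_..." senders are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timezone

UTC = timezone.utc
# Addresses quoted in the Lucky Star post; the transfer list below is a
# constructed sample for illustration, not real chain data.
CONSOLIDATION = "0x23f8c805306Bf27AB8bf3cEbEce4B778acfFd896"
SWAP_WALLETS = [
    "0x9Ef72Ee68a7c841986A0C60e0FDbAE4e27446Deb",
    "0x895c414F17Ef676dd9c18D55D3358D411ba79574",
    "0xFA24FcAff5A51965F762101c2BD4E46302a2Bd64",
    "0x8789DA3886386740DD775C95E18820BEe339a48A",
]
INCIDENT_START = datetime(2023, 10, 9, tzinfo=UTC)  # assumed cutoff, not from the post
TRANSFERS = [  # (sender, receiver, token, amount, utc timestamp) -- constructed
    ("0xPLACEHOLDER_EARLIER_SOURCE_A", CONSOLIDATION, "BUSD", 120000.0, datetime(2023, 8, 2, tzinfo=UTC)),
    ("0xPLACEHOLDER_EARLIER_SOURCE_B", CONSOLIDATION, "BUSD", 45000.0, datetime(2023, 9, 14, tzinfo=UTC)),
    (SWAP_WALLETS[0], CONSOLIDATION, "BUSD", 260000.0, datetime(2023, 10, 9, 3, tzinfo=UTC)),
    (SWAP_WALLETS[1], CONSOLIDATION, "BUSD", 240000.0, datetime(2023, 10, 9, 4, tzinfo=UTC)),
    (SWAP_WALLETS[2], CONSOLIDATION, "BUSD", 270000.0, datetime(2023, 10, 9, 5, tzinfo=UTC)),
    (SWAP_WALLETS[3], CONSOLIDATION, "BUSD", 230000.0, datetime(2023, 10, 9, 6, tzinfo=UTC)),
]

def consolidation_addresses(transfers, min_senders=3):
    """Receivers funded by >= min_senders distinct senders: sinks that swap wallets funnel into."""
    senders = defaultdict(set)
    for sender, receiver, *_ in transfers:
        senders[receiver.lower()].add(sender.lower())  # EVM addresses are case-insensitive
    return sorted(addr for addr, s in senders.items() if len(s) >= min_senders)

def inbound_by_sender(transfers, address):
    """Total amount each sender moved into `address`, keyed by lower-cased sender."""
    totals = defaultdict(float)
    for sender, receiver, _token, amount, _ts in transfers:
        if receiver.lower() == address.lower():
            totals[sender.lower()] += amount
    return dict(totals)

def prior_inbound(transfers, address, cutoff):
    """Senders that funded `address` before `cutoff`: the pre-incident inflow history."""
    return sorted({s.lower() for s, r, _t, _a, ts in transfers
                   if r.lower() == address.lower() and ts < cutoff})

if __name__ == "__main__":
    for sink in consolidation_addresses(TRANSFERS):
        print(sink, inbound_by_sender(TRANSFERS, sink))
        print("pre-incident senders:", prior_inbound(TRANSFERS, sink, INCIDENT_START))
```

A sink whose pre-incident senders are themselves linked to other cases is the "confluence point" the Lucky Star post asks about, and a lead to pursue through the earlier flows rather than the incident alone.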