Defend Against Cybercrime with the Power of Community

Many victims have already taken action through ChainBounty. Report now and join the effort to stop online crime

chainbounty
Risk assessment

Quick AI Scam Check

Help protect others by sharing your scam experience

View More

오픈씨 사칭 피싱

팔렸다는데 등록한 적이 없음

seckey3

11 reads

증권스캠

최근 국내 증시는 변동성이 확대되고 있지만, 그 안에서도 선별적인 상승 기회는 계속 나오고 있습니다 특히 거래량 증가와 함께 기관·외국인 수급이 유입되는 종목은 조정장에서도 강한 흐름을 보이고 있습니다 박세익 교수팀은 이러한 종목 중심으로 내일 핵심 관심주를 공유드릴 예정입니다 📌 예상 목표 수익 구간 : 15~20% 빠른 정보 확인을 원하시면 “11”를 보내주세요

klip

18 reads

사스펨및사기신고

지금 유례없는속도로 폭락하고있습니다 가만히 있으시면 큰손실을 보실수 있습니다 저희따라 빠르게 대응하세요

klip

22 reads

최상위증권가정보방

유튜브1위 따라하면 수익 초보자도 ok

klip

17 reads

도박스캠

에코벳 월드컵 돌발 배민 에코주소.com

klip

13 reads

로맨스 스캠

로맨스 스캠

klip

14 reads

Contribute by sharing insights to strengthen the community

ITTJ
ITTJ

July 19, 2026

General Discussion
CBP DEDUCTION

Hello I'm I the only person who is having a reduction in CBP? Mine gets deducted daily now, quite noticeable,I believe I have over 160 CBP last week but somehow turned 40 CBP. I don't know if this is normal.

0 likes9 reads
dooooo
dooooo

June 29, 2026

Community Investigation
Comprehensive Threat Intelligence Report: Polymarket Frontend Supply Chain Attack

Date: June 29, 20260. Forensic MethodologyTo investigate this high-profile frontend exploit, the ChainBounty Threat Intelligence team deployed the SentinelTX Blockchain Forensic Intelligence System. Our forensic specialists executed a rigorous, multi-hop trace tracking assets across heterogeneous networks (Polygon to Ethereum Mainnet) to assemble an immutable chain of custody:OSINT Aggregation: Compiled open-source intelligence logs from public threat feeds (including Specter and PeckShieldAlert) to establish the primary point of compromise and target addresses.Multi-Chain Asset Auditing: Executed real-time state and balance checks across both the Polygon and Ethereum layers to monitor historical and dormant movements.Outbound Multi-Hop Profiling: Initiated automated tracing workflows from the attacker-controlled wallets to flag laundering infrastructure, mixers, tumblers, and centralized exchange (CEX) deposit corridors.Cross-Chain Bridge Mapping: Tracked telemetry data traversing third-party bridge protocols (specifically identifying Relay.link) to match outbound Polygon transaction events with inbound Ethereum mainnet arrivals.Threat Identity Attribution: Evaluated wallet clusters using the Sentinel Threat Intelligence Database (TRDB) to isolate verified institutional counterparties from unlabelled private accounts (EOAs).Evidentiary Anchoring: Bound all trace configurations to per-transaction hashes and block height records to meet legal and judicial evidence standards.1. Executive SummaryOn June 25, 2026, Polymarket's web deployment interface was targeted via a third-party vendor supply chain compromise. The adversary successfully injected a malicious JavaScript payload into the platform's frontend, altering contract call triggers to siphon user wallet balances. The total loss from this incident is estimated at approximately USD 2,940,000 in Polymarket USD (PUSD).On-chain analysis reveals that after siphoning the PUSD on the Polygon network, the attacker rapidly converted the assets into USDC.e and bridged them over to the Ethereum Mainnet. The incoming flows were then consolidated into a single Ethereum master aggregation address: 0xe65b1c586757c5510B60F998Eebb14C1Ef71EleD.A total of 1,893 ETH was collected at this nexus point and subsequently parsed out into four distinct structural pathways:Primary Dormant Hoard (99.8%): A total of 1,888.516 ETH (valued at roughly USD 2,960,000) was pushed into two high-capacity storage wallets where they remain completely stationary under the attacker's control. This provides an immediate window of opportunity for centralized exchange blocklisting and legal intervention.Layering & Mixing (0.2%): A minor fraction (4.4 ETH) was routed through unlabelled dispersion hubs and automated circular tumbler networks to test laundering exit paths.2. Complete Chronological Attack TimelineTimestamp (UTC)Event DescriptionBlock HeightTransaction Hash (TX)Associated Addresses2026-06-25Malicious JS injection starts via compromised third-party vendorN/AN/APolymarket Frontend Network2026-06-25 21:55:11Attacker initiates minor L1 dispersion transfer (Path D)253974580xf2c690d8bf1b7a12b3126cdb0adc2c43c3e82134f38fa1fb52f1345ef7e6e6fc0xe65b1c58...1eD -> 0xe3c8c6cfcfb8edfa83b86e5a98e58568f78bd9222026-06-25 22:19:47Attacker routes gas capital to structural mixer node (Path C)253975810xc807fc375cadf9c2b8f8c0e4c67795dd42199c094f28914424e55537041be6050xe65b1c58...1eD -> 0x5a6b2f8fab6cf480c93d152ef96d1e0c830fe5872026-06-26 07:08:23Master wallet funds secondary storage wallet (Path B)254002130x67fdfea184253b97f32da76f0d77e82650924d3be702d7858050e4be8efc55210xe65b1c58...1eD -> 0xea0a80070c38f63c10d7fed95286e83eb415441f2026-06-26 20:49:59Main capital migration to primary storage vault (Path A - Pt. 1)254043010x62781171eef8748b967d3926c82f5c73cbf2cb40a189443347ad9f276966b0860xe65b1c58...1eD -> 0x975268a2a71e4a7e282b962ec0blee01d3778ac02026-06-26 20:57:47ERC20 state consolidation to primary storage vault (Path A - Pt. 2)254043400xc053a95983965cle0ee39f04c22flaelef65dcea95c0295ebd57145814f597950xe65b1c58...1eD -> 0x975268a2a71e4a7e282b962ec0blee01d3778ac03. Detailed Inventory of Stolen AssetsNative Token VolumeLayer-1 Token EquivalentSpot Exchange ValuationOperational Deployment Status537,526 USDC.eBridged via Relay.linkUSD 537,526.00Siphoned on Polygon via 0xC771A30a...cBaAe2; converted to L1 ETH.1,788.516 ETHVault Storage Address 1USD 2,798,692.50Held entirely static inside 0x975268a2...78ac0. Zero outbound movement.100.000 ETHVault Storage Address 2USD 156,624.25Held entirely static inside 0xea0a8007...5441f. Zero outbound movement.3.400 ETHDispersion WalletUSD 5,320.35Stored static inside 0xe3c8c6cf...bd922. No outbound activity.1.000 ETHLaundering NodeUSD 1,564.81Dispersed through cascading programmatic micro-transactions.Total Unliquidated Residue1,888.516 ETHUSD 2,960,637.1099.8% of total loot immediately available for targeted blocklisting.4. Advanced Fund Flow & Cluster AnalysisCross-Chain Bridge Ingestion LayerThe initial compromise siphoned user PUSD directly into the threat actor's primary Polygon deployment engine: 0xC771A30a7c1aCA828eeEF7B822ac864a64cBaAe2. To cross standard tracking perimeters, the attacker swapped the pool assets for Polygon-native USDC.e and initiated automated execution calls using the Relay.link cross-chain portal to mint native ETH on the Ethereum Mainnet.Master Distribution and Layering ArchitectureUpon reaching the Ethereum Mainnet consolidation nexus (0xe65b1c58...1EleD), the capital allocation was split across four distinct tracks to test ecosystem resistance and setup long-term holding vaults.Path A & B (The Master Vaults): Combined, these paths contain 99.8% of all stolen capital. The wallets show zero outbound transaction history, indicating a long-term storage strategy rather than active exit-liquidation.Path C (The Programmatic Tumbler): A 1.0 ETH probe was processed through a 6-tier split structure (transfers ranging from 0.04 to 0.61 ETH). Forensic analysis flagged a distinct "reverse-flow loop" pattern across 2 addresses, confirming an attempt to utilize automated mixing scripts before depositing dust into a final collection account (0x113b0cef...20bc0).5. Comprehensive Key Address LedgerTarget Address Wallet Network Chain Forensic Role Designation Current Token Balance Technical Observations & Profile Status 0xC771A30a7c1aCA828eeEF7B822ac864a64cBaAe2PolygonExploiter Siphon Portal0 MATICPrimary deployment gateway for frontend drainage calls.0x71d4249079684479f2651745fa2fcd79c9b45f53PolygonInfrastructure Gas Funder0 MATICDistributed 1,379 MATIC. Historical logs tie it to Bitfinex/OKX hot wallets.0xe65b1c586757c5510B60F998Eebb14C1Ef71EleDEthereumL1 Master Consolidation0 ETHReceived 1,893 native ETH via bridge; fully distributed.0x975268a2a71e4a7e282b962ec0blee01d3778ac0EthereumPrimary Deep Storage Vault1,788.516 ETHHigh-priority target for compliance tracking and blocklisting.0xea0a80070c38f63c10d7fed95286e83eb415441fEthereumSecondary Storage Vault100.000 ETHStatic balance. Zero outbound transfers executed.0xe3c8c6cfcfb8edfa83b86e5a98e58568f78bd922EthereumMinor Asset Dispersion Node3.400 ETHStatic balance. No activity detected following injection.0x5a6b2f8fab6cf480c93d152ef96d1e0c830fe587EthereumTumbler/Laundering Router Hub0 ETHExecuted programmatic micro-splits across 6 sub-nodes.0x113b0cef1061992ea30dc70f3949e0bbeae20bc0EthereumMixer Output Accumulator0.090 ETHReconciled reverse-flow residual dust from layering loops.6. Centralized Exchange Intersect & Historical TiesWhile no direct cash-out attempts to centralized exchange liquidity pools have been executed from the Ethereum holding vaults, our team uncovered an essential lead within the Polygon gas supply network.The gas funding infrastructure wallet (0x71d4249079684479f2651745fa2fcd79c9b45f53) exhibits historical transaction markers linked to institutional deposit paths at Bitfinex, Bitget, and OKX on May 30, 2026. Although these actions occurred weeks prior to the supply chain breach, they indicate a persistent operational setup. Subpoena requests targeting the historical account configurations of this gas funder at those specific exchanges represent a high-probability vector for uncovering the attacker's off-chain identity.7. Strategic Recommendations & Immediate Action PlanDue to the threat actor's choice to keep 99.8% of the siphoned capital entirely stationary, security networks have a critical window to enforce isolation protocols:Global CEX Blocklisting (Immediate): Forward the cryptographic signatures of the storage vaults (0x975268a2a71e4a7e282b962ec0blee01d3778ac0 and 0xea0a80070c38f63c10d7fed95286e83eb415441f) to all Tier-1 centralized exchanges (Binance, Coinbase, OKX, Kraken, Bitfinex). This ensures an immediate asset freeze if any deposit migration is initiated.Historical KYC Subpoena: Law enforcement agencies should issue immediate data preservation notices and subpoenas to Bitfinex, Bitget, and OKX to extract identification records, device fingerprints, and access IPs tied to the historical activity of the gas funding node.Bridge Monitoring Intercepts: Deploy persistent real-time webhooks on the Relay.link routing infrastructure to identify and automatically flag secondary wallets interacting with the same smart contract execution parameters.Regulatory Compliance Reporting: Coordinate with international financial intelligence agencies (such as South Korean KoFIU or global cyber divisions) to submit specific Suspicious Transaction Reports (STRs) based on the structural indicators mapped out in this report.8. ConclusionThe Polymarket frontend breach highlights the expanding threat vector of decentralized web application dependencies on third-party software supply chains. By modifying client-side logic, the adversary easily sidestepped standard smart contract access perimeters.However, the attacker's post-exploit strategy presents a significant operational bottleneck: by locking the overwhelming majority of the siphoned funds inside visible, un-mixed Layer-1 wallets, they have left an accessible trail. Immediate, aggressive asset blocklisting combined with legal sub-surface tracing of the historical gas funding infrastructure gives the Web3 ecosystem a highly viable pathway for attribution and recovery.ChainBounty Threat Intelligence has locked webhooks onto all associated cluster addresses. Real-time updates will be deployed automatically if any L2 state updates occur.

Comprehensive Threat Intelligence Report: Polymarket Frontend Supply Chain Attack
0 likes25 reads
REPORT
REPORT

June 23, 2026

Blockchain Insights
🔐 Anatomy of the Taiko Hack: How a GitHub Key Leak Drained $1.7M from an Ethereum L2

🔐 Anatomy of the Taiko Hack: How a GitHub Key Leak Drained $1.7M from an Ethereum L2June 22, 2026 | Blockchain Forensic AnalysisIntroductionJust past midnight on June 21, 2026, approximately $1.7 million vanished from the bridge of Taiko, an Ethereum Layer 2 blockchain. The attacker didn't need a sophisticated exploit. A single signing key left exposed on GitHub was more than enough.Security firm Blockaid was the first to detect anomalous activity. The Taiko team quickly posted on X (formerly Twitter), urging all bridge users to withdraw their funds immediately. South Korean exchanges — Upbit, Bithumb, Coinone, and Korbit — suspended TAIKO deposits and withdrawals within hours.So where exactly did the money go? We traced the attacker's footsteps on-chain.The Attack: Forging a Proof to Open the VaultTaiko relies on a system called Raiko — an SGX (Secure Enclave)-based proof generator — to verify the validity of transactions bridging between chains. The signing key for this system had been left publicly accessible on GitHub.The attacker obtained this key and executed the following sequence: ① Crafted fraudulent "MessageSent" events without any real bridge deposits ② Submitted forged withdrawal proofs to the Ethereum mainnet bridge contract ③ The bridge contract accepted the proofs as legitimate and released ERC-20 Vault assets ④ Assets worth millions were drained — without a single dollar ever being deposited In plain terms: the attacker checked out funds they never checked in.Four Attacker Wallets — Published by Taiko ItselfThe Taiko team disclosed four attacker wallet addresses directly on X, requesting cooperation from centralized exchanges.Following the Money: A Step-by-Step BreakdownStep 1 — Immediate Post-Exploit: Token DispersionThe primary wallet (0x7506...b76a) extracted the following assets directly from the Taiko Bridge contract (0xd60247c6848B7Ca29eDdF63AA924E53dB6Ddd8EC):Step 2 — ETH Siphoned Into a Holding WalletThe attacker split 500 ETH into exactly five transfers of 100 ETH each, routing them to a separate holding wallet (0xa98035081fb739ebe9c8f80904668fb11438a846). This is a textbook structuring pattern — breaking up large transfers to evade detection thresholds.🔴 As of the time of analysis, this wallet still holds 778 ETH — approximately $1.34 million — with no outbound movement recorded.For investigators, this is a window of opportunity. The funds remain accessible for freezing via legal process or exchange cooperation before they move further.Step 3 — Stablecoins Routed Through UniswapThe stablecoins and ERC-20 tokens (USDC, USDT, crvUSD, CRV, WBTC) were consolidated at the swap hub wallet (0x9108...acd4), then swapped via Uniswap V3 and fully dispersed. That wallet's current balance is zero.Step 4 — TAIKO Tokens Cashed Out via MEXCThe fastest-liquidated asset was the TAIKO token itself. On-chain data corroborated by Lookonchain shows the attacker transferred 1.99 million TAIKO (≈ $189,000) directly to MEXC within hours of the exploit.Notably, MEXC is listed on South Korea's KoFIU (Korea Financial Intelligence Unit) high-risk / unregistered exchange blocklist — suggesting the attacker deliberately chose a venue where regulatory freeze requests face higher friction and slower response times.Full Fund Flow Map [Taiko Bridge Contract: 0xd602...d8ec] │ Forged proof withdrawal ▼ [Attacker Wallet #1: 0x7506...b76a] ├─ 500 ETH × 5 splits ────────► [ETH Holding Wallet: 0xa980...a846] │ 🔴 778 ETH (~$1.34M) STILL SITTING HERE │ ├─ USDC / USDT / crvUSD / CRV / WBTC │ └──────────────────────► [Swap Hub: 0x9108...acd4] │ └─► Uniswap V3 swaps → drained │ └─ 1,990,000 TKO ────────────────► MEXC (cash-out in progress) [Attacker Wallet #2: 0x5fbc...4990] └─ 1,990,000 TKO ────────────────► MEXC [MEXC-linked address: 0x3cc9...cf18] └─ 1,500 ETH ────────────────────► MEXC internal transfer confirmed Three Lessons This Hack Leaves Behind① Operational Security Is Code QualityThis attack didn't exploit a bug in Taiko's bridge logic. The contracts themselves functioned as designed. What failed was operational security (OPSEC). A signing key was left in a public GitHub repository. No amount of cryptographic sophistication matters if the key walks out the front door.② Bridges Remain DeFi's Weakest LinkRonin ($620M, 2022). Wormhole ($320M, 2022). Nomad ($190M, 2022). Now Taiko. Cross-chain bridges require complex verification logic by their very nature — and complexity is attack surface. Until the industry develops more robust, trustless bridge architectures, this pattern will repeat.③ Attackers Know the Regulatory MapThe choice of MEXC was likely not accidental. Unregistered exchanges operating outside major regulatory frameworks respond more slowly — or not at all — to freeze requests. Sophisticated attackers now factor the regulatory geography of their cash-out venues into their operational planning. This is a level of tradecraft that investigators must account for.Where Things Stand NowOn-chain evidence shows 778 ETH (approximately $1.34 million) has not moved from the holding wallet as of this writing. That is a meaningful recovery opportunity if law enforcement and the Taiko team act swiftly.Taiko has stated it is actively coordinating with its Security Council and ecosystem partners. South Korean exchanges have designated TAIKO as a cautionary trading asset and will reassess the status in the fourth week of July.Closing ThoughtThis hack was not technically sophisticated. But it was effective — and expensive. What the attacker left behind on-chain, however, is a remarkably clear trail. The immutability of the blockchain cuts both ways: every transaction is permanent, public, and traceable.$1.7 million moved in the dark — but the ledger kept the lights on.This analysis is based on publicly available on-chain data. All addresses and transaction hashes are independently verifiable on the Ethereum mainnet.Analysis date: June 22, 2026

🔐 Anatomy of the Taiko Hack: How a GitHub Key Leak Drained $1.7M from an Ethereum L2
0 likes30 reads

Your journey to defend against cyber crime starts here.

Join us to turn your expertise into a force for a safer digital world.

Blog

Gravity Bridge Exploit: Full Attacker Fund Flow Traced — 113 Transactions Reveal Sophisticated…

Gravity Bridge Exploit: Full Attacker Fund Flow Traced — 113 Transactions Reveal Sophisticated…

Gravity Bridge Exploit: Full Attacker Fund Flow Traced — 113 Transactions Reveal Sophisticated Laundering OperationThe laundering infrastructure behind the recent Gravity Bridge exploit has now been largely uncovered.After tracing 87 confirmed attacker transactions and an additional 26 downstream movements, the overall flow of stolen funds is becoming clear. What initially appeared to be a straightforward bridge exploit has evolved into a highly structured laundering operation involving decentralized exchanges, relay wallets, non-custodial swap services, and centralized exchanges.This report summarizes the complete fund flow observed so far and highlights the remaining recovery opportunities.Executive SummaryTotal tracked transactions: 113Initial stolen assets converted into ETH almost immediatelyApproximately $4.7M converted through KyberSwap and 1inch2,600 ETH consolidated into a secondary aggregation walletFunds dispersed through dozens of one-time relay walletsConfirmed deposits identified at ChangeNOW and KuCoinMultiple staging wallets still hold potentially recoverable fundsSeveral laundering paths remain active and require real-time monitoringPhase 1 — Asset ConversionThe attacker-controlled wallet:0x7B582033061b96cC3F9421e73a749ED7C62da1F9immediately began converting stolen stablecoins into ETH.The swaps were executed primarily through KyberSwap and 1inch, suggesting the attacker wanted to reduce exposure to token freezes while maximizing liquidity.Observed transactions include:$100K USDC → ETH$200K USDC → ETH$500K USDC → ETH$400K USDT → ETHMultiple additional swapsIn total:Approximately $4.3M USDCApproximately $434K USDTwere converted into ETH within a short time window.The rapid conversion indicates pre-planning and suggests the operator anticipated potential blacklisting or asset recovery attempts.Phase 2 — ETH ConsolidationAfter conversion, the attacker consolidated funds into a second wallet:0x4d3ca32e687e871a58b78AcAc73bE59AC37C7A47A total of 2,600 ETH was transferred through multiple transactions:600 ETH500 ETH500 ETH500 ETH500 ETHThis wallet appears to have functioned as the primary distribution hub for the laundering operation.Rather than cashing out directly, the operator implemented a layered relay strategy designed to fragment attribution and complicate tracing efforts.Phase 3 — Distributed Relay LaunderingThe most notable discovery is the laundering architecture itself.Instead of sending large transfers directly to exchanges, the attacker repeatedly split funds into dozens of temporary wallets.The observed pattern resembles:Primary Wallets → One-Time Relay Wallets → Swap Service / Exchange → Cross-Chain ExitIndividual transfers were commonly observed in the 6–10 ETH range.This methodology significantly reduces the visibility of exchange deposits and makes automated clustering more difficult.The pattern appears intentional and operationally mature.Confirmed ChangeNOW ActivityThe largest identified laundering route currently leads to ChangeNOW.Observed destination:0xeba88149813bec1cccccfdb0dacefaaa5de94cb1Estimated deposits:Approximately 114 ETHRoughly $230,000 equivalentBecause ChangeNOW is non-custodial, recovery options are more limited.However, transaction records still exist.The highest priority investigative question is determining what assets these ETH deposits were converted into.Particular attention should be given to:Monero (XMR)Privacy-focused assetsCross-chain bridge destinationsIf conversion into privacy-preserving assets occurred, tracing may become significantly more difficult.Confirmed KuCoin DepositsA second laundering path has been identified through KuCoin.Known deposit address:0x45300136662dd4e58fc0df61e6290dffd992b785Estimated deposits:Approximately 6 ETHAdditional suspected deposit address:0x58edf78281334335effa23101bbe3371b6a36a51Status:Further confirmation requiredUnlike ChangeNOW, KuCoin operates as a custodial exchange and maintains KYC records.This creates a potential recovery and attribution opportunity if law enforcement or affected parties act quickly.Remaining On-Chain FundsSeveral wallets remain active and continue to warrant monitoring.Primary Staging Wallet0xc8c71ae4261e55a66d9967f2ac252be4e669f562Current observations:Received 59 ETHOnly 15 ETH moved onwardApproximately 44 ETH potentially remains under attacker controlThis wallet may represent an operational staging point rather than a final cash-out destination.Additional Unresolved Destinations0xf1ed839d08309e2a52e58d69b06d286d35fc18bc — 15 ETH0xe1e471614305656114c39294637b65adccf665a3 — ~13 ETH0x58432e011aa493c404f80409d997b1eabdfd8e24 — 9 ETH0x79f376453537878eeb79fb7d2cdb2c10bc58f454 — 9 ETH0x98d9022fa2789c0d8e9cd49707599c6848619ed8 — 10 ETHThese wallets currently represent unresolved portions of the laundering network.Immediate Investigative Priorities1. KuCoin Cooperation RequestThis remains the strongest recovery opportunity.Required actions:Identify account owner(s)Preserve account recordsFreeze assets if still presentObtain associated KYC informationTiming is critical.2. ChangeNOW Exit TracingInvestigators should determine:Destination chainDestination assetConversion timingPotential privacy-coin exposureThis path likely contains the most important unanswered questions in the investigation.3. Real-Time Monitoring of Staging WalletsThe wallet:0xc8c71ae4261e55a66d9967f2ac252be4e669f562should be monitored continuously.A significant portion of attacker-controlled funds may still be sitting on-chain.Any future movement could reveal:Additional exchange depositsAdditional swap servicesNew laundering infrastructureFinal cash-out attemptsConclusionThe Gravity Bridge attacker did not rely on a simple exchange cash-out strategy.Instead, the operator employed a structured relay-wallet laundering network designed to fragment attribution, obscure exchange deposits, and delay investigation.While a meaningful portion of the funds has already entered laundering channels, several opportunities remain.The most actionable leads currently include:KuCoin deposit attributionChangeNOW conversion tracingMonitoring of the 59 ETH staging walletThe next movements from these wallets will likely determine whether investigators can continue following the money — or whether the trail disappears into privacy infrastructure permanently.

ChainBounty

ChainBounty

2 months ago
Unmasking a Sophisticated Solana Scam Network: A $SUBY Forensic Investigation

Unmasking a Sophisticated Solana Scam Network: A $SUBY Forensic Investigation

How automated bots and shared infrastructure revealed a 10-month-old organized crime syndicate.The blockchain never forgets, but it can be incredibly complex to navigate. Recently, ChainBounty conducted a deep-dive forensic investigation into a significant asset theft involving $SUBY and other Solana-based tokens. What began as a single incident report evolved into the discovery of a professional, long-standing scam infrastructure that has now led to an active criminal investigation by the Cyber Crime Investigation Division in Seoul, South Korea.1. The Incident: Precision and AutomationOn May 30, 2025, a victim’s wallet was drained of approximately 8.2 million $SUBY tokens, along with $SSE and $DAW. The speed of the transfer was alarming.Our forensic analysis revealed that this wasn’t a manual operation. The assets were moved to an intermediary wallet (46S5bgHq...) and immediately processed through automated scripts. These bots executed swaps into stablecoins and distributed funds across multiple "hop" wallets with 0-second latency, ensuring the trail became as fragmented as possible within minutes.2. Identifying the “Cash Out” InfrastructureBy tracing the flow of stolen assets, we identified two primary exit points: Bitget Exchange and FixedFloat (a mixing service). While some deposits to these platforms occurred shortly before or after the specific $SUBY theft, our “Infrastructure Analysis” proved a definitive link. We discovered a massive, interconnected network:27 Common Fee Payers: A cluster of wallets consistently funded the gas fees for the attack wallets.63 Shared Addresses: These wallets acted as a central hub for multiple thefts over a 10-month period.The Forensic Anomaly: Why tracking the criminal organization is more effective than tracking the tokens aloneThis confirms that the attackers are not “lone wolves” but an organized syndicate operating a “Scam-as-a-Service” model on the Solana network.3. The Evidence: The Smoking GunThe most compelling evidence of organized crime was the Machine-like Transfer Patterns. Our timeline analysis showed batch processing intervals of exactly 15 to 28 seconds. This level of synchronization is only possible through a dedicated command-and-control (C2) botnet designed for money laundering.Through our investigation, we identified over $142,430 USDT funneled through the Bitget deposit addresses associated with this specific group.Inhuman execution: Batch processing and mechanical intervals confirm the use of laundering bots.4. Active Investigation and Next StepsChainBounty has officially submitted this forensic package to the Seoul Metropolitan Police Agency. The investigation is currently focused on:KYC De-anonymization: Working with Bitget to identify the account holders behind the identified deposit addresses.Cross-Chain Tracking: Tracing funds that exited via FixedFloat into Ethereum and Bitcoin.Asset Freezing: Coordinating with exchanges to blacklist and freeze the identified criminal infrastructure.Conclusion: Vigilance in the Web3 EraThis case is a stark reminder that in the world of DeFi, your digital footprint — and that of the hackers — is permanent. At ChainBounty, we are committed to turning the tide against these scam networks.We urge the community to stay vigilant. Do not click on suspicious partnership links or authorize “blind signings” in your wallet. The scammers are professional, but so is our pursuit of justice.Join the Fight. Follow our investigation and report suspicious activities at our community: 🔗 https://community.chainbounty.io 📧 For inquiries: [email protected]#ChainBounty #Solana #Forensics #CyberCrime #Web3Security #OSINT #CryptoInvestigation

ChainBounty

ChainBounty

6 months ago
MemeCore (M) Digital Asset Theft Incident: On-Chain Forensics & OSINT Analysis Report

MemeCore (M) Digital Asset Theft Incident: On-Chain Forensics & OSINT Analysis Report

IntroductionThis report details a real-world case submitted by an applicant to ChainBounty’s Victim Relief Program. The victim approached us after suffering a significant loss due to a targeted social engineering attack. ChainBounty is actively assisting the victim by providing comprehensive on-chain forensics and intelligence analysis to trace the stolen assets and identify the perpetrators for law enforcement purposes.1. Executive SummaryThis report synthesizes the results of on-chain forensic analysis and Open Source Intelligence (OSINT) investigation regarding the digital asset theft incident that occurred between December 7 and 8, 2025.The incident appears to have originated from a social engineering attack targeting an active user of Memex, a major dApp in the MemeCore (M) ecosystem. The attacker impersonated community administrators and creators to lure the victim into a fake Telegram group, then induced them to connect their wallet to a fraudulent bot service using “high-yield staking rewards” as bait.The victim created a new wallet and transferred assets as instructed, but the flow was designed to funnel funds into the attacker’s scam network.On-chain analysis reveals that the stolen funds did not end with a simple transfer. A multi-stage laundering flow was observed, involving MRC-20 token swaps within the MemeCore network, repetitive transactions based on the WM contract, cross-chain bridging via Meson Finance, inflows into Centralized Exchanges (CEX), and dispersed withdrawals across multiple exchanges.Notably, a “direct-to-exchange” flow is clearly visible in the early stages. M tokens were directly transferred from the victim’s wallet to Suspect Bitget Deposit 1 (0x7a5d…), and this fund was collected into the exchange’s hot wallet (0x1ab4…) within a short period. This suggests the attacker operated a direct route to the exchange alongside other methods to accelerate cash-out early on.The damage is calculated based on two criteria:Total M Token Outflow (Direct): 2,151.11 M, approx. $2,881.39 (Combined sum of direct transfers to exchange + EOA/Gathering Wallet).Total M Token Outflow (Including Bridge): 8,280.11 M, approx. $11,150.17 (Direct outflow + Meson bridge outflow included).Furthermore, clues suggesting a connection to specific social accounts and developer community profiles were identified in Gathering Wallet 2 (0x1c00…5f), which was confirmed as a key hub for money laundering. Based on this, grounds to narrow down suspect candidates have been partially secured. However, this is a circumstantial judgment based on the correlation between public information (OSINT) and on-chain data, and is not a legally confirmed conclusion.1.1 Summary StatisticsThe key flows are summarized as follows:1.2 Summary of Key Flows (4 Core Paths)Path 1: Victim → Direct Outflow to Bitget (Attempt at Immediate Cash-out)A total of 2,140.72 M (approx. $2,867) was directly transferred from the Victim Wallet (0xdc54…) to Suspect Bitget Deposit 1 (0x7a5d…).The deposit was collected into the Bitget exchange hot wallet (Bitget 6, 0x1ab4…) within minutes (approx. 3–5 mins).This flow represents the attacker sending “M tokens that are easy to cash out immediately” straight to the exchange.Path 2: Victim → Gathering Wallet 1 → Meson Bridge → Gathering Wallet 2 (Mainstream of Indirect Laundering)After WM contract processing, 5 types of MRC-20 tokens were received by the Victim Wallet and then drained to Gathering Wallet 1 (0x8325…e6).In Gathering Wallet 1, MRC-20s were swapped back to M, and 6,129 M was bridged via Meson Finance (0x25ab…48d3).6,122.87 M arrived at Gathering Wallet 2 (0x1c00…5f) on the BNB Chain.Path 3: Gathering Wallets 1, 2 → Reconsolidation at Bitget Deposit 2 (Possible Mixing with Other Victims’ Funds)900.65 M from Gathering Wallet 1 and 5,007.02 M from Gathering Wallet 2 flowed into Suspect Bitget Deposit 2 (0xb408…).The combined total is 5,907.67 M. As there is a “possibility of other victims’ funds being mixed,” this needs to be interpreted separately from the victim’s sole damage amount.Subsequent collection into Bitget 6 (0x1ab4…) was confirmed.Path 4: Multi-chain Dispersed Withdrawal from Gathering Wallet 2 (Evasion/Smurfing)From Gathering Wallet 2, after swapping M → BNB, there is a record of 37.51 BNB being dispersed and withdrawn in 48 transactions to 5 exchanges: Bybit, Bitget, MEXC, Binance, and Remitano.Activity of the same address was confirmed on Arbitrum and Base as well as BNB, reinforcing the cross-chain laundering pattern.2. Incident Mechanism and Psychological AnalysisThis incident appears to have started from a social engineering scenario targeting human trust rather than technical flaws such as system vulnerabilities. It seems to be a variation of the typical “Pig Butchering (Sha Zhu Pan)” tactic adapted to the MemeCore ecosystem context. There are indications that the attacker analyzed the community atmosphere and the victim’s activity patterns beforehand to approach with a tailored script.2.1 Manipulating the Environment to Build Trust: “The Illusion of the Fake Room” The attack seems to have begun with an approach from an account mimicking an acquaintance active on Memex. In anonymous messenger environments like Telegram, profile pictures and Display Names can be configured similarly, and Usernames (Handles) are hard to distinguish with just a one-character difference. The attacker judged to have secured trust by exploiting these characteristics. The Telegram room the victim was invited to contained multiple accounts impersonating Admins and Creators. They staged the room to look like an “Official Community” by continuing conversations or sharing profit verification screenshots even before the victim joined. In such an environment, it was easy to mistake the room for an extension of the official Memex community, which became the basis for the fraud.2.2 Technical Deception: Fake Bot and Inducing Wallet Connection Once a certain level of trust was established, the attacker guided the victim saying, “You can receive staking rewards if you connect your wallet via the Telegram bot”. The method is close to a typical Phishing or Drainer type. The wallet (0xDC54…69b) the victim newly created and connected was a “clean wallet” with almost no transaction history. The moment the victim trusted the instructions and moved assets, it is likely the attacker secured control through one (or a combination) of the following methods:Possibility that the transaction signed via the bot was actually an Unlimited Token Approval, not staking.Possibility that it was designed to execute an asset Transfer transaction during the signing or connection process.Possibility that keys or permissions were exposed to the attacker during the wallet creation/connection process. The key point is that “Wallet Connection” may have turned into an act of handing over actual asset authority, rather than simple login or authentication.3. Technical Characteristics of MemeCore Ecosystem and Asset StructureTo interpret the fund flow, it is necessary to first understand the background of the MemeCore chain where the victim’s assets existed and the asset structure. This explains why the attacker performed repetitive swaps and why the laundering path developed into a specific pattern.3.1 MemeCore and Proof of Meme (PoM) MemeCore is a Layer 1 chain aimed at connecting the cultural value of Memes with an economic reward structure. It promotes Proof of Meme (PoM) as its consensus structure, which includes elements like community contribution and viral activities in the reward system alongside simple staking. The base asset of this chain is the M token. M is used for core functions such as gas fees, governance, and validator staking, and has relatively high liquidity, which is why the attacker ultimately pooled funds into M for laundering.3.2 MRC-20 Token Standard and Cash-out Constraints Tokens such as NinjaMEX, walxop, LIFT, Bubger, and Abudium identified in the swap path of this incident follow the MemeCore-specific token standard (MRC-20). These appear to be “transit tokens” temporarily passed through during the process of the attacker exchanging stolen assets on the internal DEX, rather than assets originally held by the victim. Technically similar to ERC-20, they are structured for the creation and circulation of meme tokens within MemeCore. The issue is external compatibility. Since it is rare for external chains, centralized exchanges, or bridges to directly support MRC-20, it is difficult for the attacker to move them out externally and cash them out in the MRC-20 state. Eventually, to proceed to the actual cash-out stage, they must go through the flow of: converting back to M on the internal DEX -> moving to an external chain (BNB Chain, etc.) via a bridge -> attempting cash-out via swap/dispersed withdrawal on the external chain. The massive internal swap transactions observed in the report are interpreted as reflecting the constraint of having to convert back to M for external export, along with the possibility of transit swaps intended to confuse tracking in some sections.4. Incident Timeline and Detailed Forensic ReconstructionThis incident is clearly divided into Reconnaissance & Testing on December 7 and the Main Exploit on December 8. The attacker checked the validity of the path the day before, and then stole all available assets and proceeded with rapid laundering the next day.4.1 Phase 1: Reconnaissance and Initial Infiltration (Dec 7) — Traces Left by Destination Choice Immediately after securing access rights, the attacker showed a pattern of verifying two things with small (or relatively small) transfers first, rather than moving the full amount immediately:Whether the wallet is actually usable by the attacker.Whether the exchange deposit is processed normally (no risk of detection/blocking). At 10:18 UTC, 388.717 M was transferred to Bitget Deposit 1 (0x7a5d…), and at 14:08 UTC, an additional 752 M was transferred via the same path. This flow aligns with the typical pattern of a small test followed by additional transfers. The notable point is that the receiving address 0x7a5d…337 is estimated to be a User-Assigned Deposit Address of a Centralized Exchange (Bitget), not a personal wallet. Funds flowing into this address were observed being collected into the Bitget hot wallet (0x1ab4…f23) within minutes. If cooperation with the exchange is established, there is a possibility that tracking can continue on an account basis (KYC-based).4.2 Phase 2: Full-Scale Asset Theft and Laundering (Dec 8) — Forced Conversion to M and Exfiltration The full-scale theft proceeded rapidly on December 8. In this phase, it is observed that repetitive processing of the WM contract and mass liquidation (swap) of MRC-20 tokens were carried out in parallel with simple transfers.4.2.1 WM Repetitive Processing Pattern: Between 06:45 and 06:49 UTC, 8 repetitive transactions occurred against the WM contract, confirming processing (Deposit/Withdraw) of approximately 8,000 M. This repetitive wrapping/unwrapping can be interpreted as (1) a staging to confuse tracking, or (2) a preparatory step to match the asset form required for subsequent swaps/bridging.4.2.2 Organized Outflow of 5 MRC-20 Tokens and Immediate Cash-out: Around 1:24 PM, continuous M→MRC-20 swap transactions via the internal DEX occurred in the victim’s wallet, which appear to have been performed by the attacker. Subsequently, these 5 MRC-20 tokens were transferred to Gathering Wallet 1 (0x8325…eae6), where a process of converting them back to M via the Swap Router was observed. This choice is pragmatic from the attacker’s perspective. The longer low-liquidity meme tokens are held, the greater the price fluctuation and tracking traces may become. It seems the attacker chose to quickly convert MRC-20 to M to increase mobility and cash-out potential.4.3 Phase 3: Cross-Chain Bridging and Final Concealment — Attempt to Evade Tracking via Chain Hopping The secured M tokens did not stay in the MemeCore chain for long and were observed moving to the BNB Chain via the Meson Finance (0x25ab…48d3) cross-chain bridge.Meson Bridge: 6,129 M Deposited.BNB Chain Arrival: 6,122.87 M received at Gathering Wallet 2 (0x1c00…5f) (Approx. 3 mins to arrive). Gathering Wallet 2 subsequently acts as a hub to send funds to exchanges or disperse them to other chains (Base, Arbitrum). It has a strong character of a “Operational Wallet” used repeatedly rather than a simple transit point.5. Fund Flow Structure AnalysisFunds drained from the victim’s wallet moved largely in two directions:Direct Outflow straight to the exchange (Priority: Speed).Indirect Laundering via gathering wallets and bridges (Priority: Evasion).5.1 Key Deposit (Receiving) AddressesSuspect Bitget Deposit 1: 0x7a5d...337 / Received: 2,140.72 M (~$2,867.47) / Note: Exchange Transfer.Gathering Wallet 1 (MemeCore): 0x8325...eae6 / Received: 5 MRC-20s + 10.39 M / Note: MRC-20 → M Swap.Gathering Wallet 2 (Multi-chain Same Address): 0x1c00...285f / Received: 6,122.87 M & Multi-chain activity (BNB/Arbitrum/Base).Suspect Bitget Deposit 2: 0xb408...dd5c / Received: 5,907.67 M (~$7,969) / Note: From Gathering Wallets 1, 2 → Exchange. Caution: Possibility of mixing with other victims' funds..5.2 Characteristics and Implications in Fund Flow First, the laundering strategy is split into two. Part of it prioritized speed by sending it quickly to the exchange (Path 1), while the rest tried to make tracking difficult through bridging and multi-chain dispersion (Paths 2, 4). Second, Bitget appears repeatedly. Both the direct outflow path (0x7a5d…) and the path from the gathering wallet (0xb408…) converge to Bitget deposit addresses. In particular, 0xb408… is a common point receiving funds from both Gathering Wallet 1 and Gathering Wallet 2, making it a candidate for a key cash-out window. However, as other victims’ funds may be mixed in this section, definitive conclusions should be avoided. Third, Gathering Wallet 2 (0x1c00…5f) functions as a central node that receives bridged funds and then performs exchange transfers or dispersion to other chains.5.3 Multi-Exchange Dispersed Withdrawal (Smurfing) Statistics (BNB Only) From Gathering Wallet 2 (BNB Chain) → Exchange Withdrawal Statistics:Bybit: 23.44 BNB / 16 txsBitget: 7.15 BNB / 2 txsMEXC Global: 5.06 BNB / 22 txsRemitano: 1.30 BNB / 4 txsBinance: 0.56 BNB / 4 txsTotal Exchange Withdrawals: 37.51 BNB / 48 txs / 5 Exchanges Note: After swapping M → BNB at Gathering Wallet 2, dispersed withdrawals were made to multiple exchanges. Activity of the same address was confirmed on Arbitrum and Base, reinforcing the cross-chain laundering pattern. Reference: Remitano is known as a platform widely used for P2P trading in Southeast Asia, which can serve as a reference clue for geographic profiling (Note: Do not conclude).6. Relevant Actor Intelligence AnalysisIn this investigation, by cross-examining on-chain flows and off-chain public activity traces, we secured clues to narrow down the relevant Actor (Actor A) and associated account/profile candidates. The central address of the analysis is Gathering Wallet 2 (0x1c00…5f), and OSINT information was organized around this address.6.1 Circumstances Connecting On-Chain Activity and Digital Identity In this case, some clues were observed where 0x1c00…5f, identified as a key gathering address, could be connected to external public activities. If the same address is repeatedly mentioned or exposed in specific social accounts or community profiles, it can serve as important evidence connecting on-chain addresses with off-chain activities. There are circumstances where a specific social account marked as (Redacted) posted the 0x1c00…5f address multiple times in posts related to past airdrops, whitelist registrations, faucet participation, etc. This raises the possibility that the address is associated with the account’s activity to a certain level.6.2 Detailed Identity Profile (Circumstantial) In the OSINT investigation, circumstances were confirmed where the social account/handle marked as (Redacted) is connected to a specific bounty/task platform (e.g., Superteam Earn) account/profile. The following additional information is derived from this:Real Name/Legal Identity: (Redacted)Country/Region of Residence: (Redacted; Partially consistent with Remitano usage patterns, etc.)Professional Identity: (Redacted; Based on self-introduction)Tech Stack Claims: (Redacted)Activity Character: (Redacted)Additional Explanation: Meaning of “Partially Consistent with Remitano Usage Patterns” Here, “Partially consistent with Remitano usage patterns” does not mean concluding residence in a specific country/region (e.g., Vietnam) solely because Remitano appeared. It is intended to be referred to as a supplementary clue that increases probability from the perspective of Geo-profiling. specifically:Regional Character of Remitano: Remitano is known to be relatively widely used for P2P On/Off-ramp (cash-out/settlement) purposes in Southeast Asia (especially Vietnam) rather than being used equally worldwide like global major exchanges. Therefore, if Remitano is naturally included and repeatedly observed in the multi-exchange withdrawal flow, the possibility that the actor’s living sphere/settlement environment touches the Southeast Asian region (including Vietnam) relatively increases.Hints form “Exchange Combination”: In this case, regional P2P channels like Remitano appear alongside general-purpose exchanges like Bybit, Binance, and MEXC. This combination can be interpreted as a form often observed in dispersed withdrawals considering the final cash-out route, rather than simple investor propensity.Therefore, Remitano traces are worth referencing as a “Geographic Clue Candidate”. However, it is a “Supplementary Clue,” not definitive evidence. Final confirmation must be made through cooperation/investigation data such as exchange KYC, login/access logs (IP/Device), and withdrawal methods (Bank/Payment info).7. Conclusion & Our CommitmentComprehensive Conclusion This incident, occurring on December 7–8, 2025, was a social engineering-based asset theft. Funds were laundered through two parallel paths:A direct path flowing straight into the Bitget exchange (Speed).An indirect path exfiltrated to external chains via the Meson bridge after internal swaps on MemeCore (Stealth).Additionally, circumstantial evidence links “Gathering Wallet 2” (0x1c00...5f) to specific social accounts and developer profiles, providing strong identification clues for law enforcement.Response Strategy ChainBounty has advised a phased response:Phase 1: Immediate reporting to law enforcement with key TxIDs and requesting asset freezing at Bitget.Phase 2: International cooperation review for cross-border tracking.Phase 3: Continuous monitoring of suspect addresses and community education on risk factors.Need help tracking stolen funds? Recovering stolen assets starts with professional tracking. If you have been targeted by a similar exploit, do not hesitate to reach out. ChainBounty’s Victim Relief Program provides the forensic evidence needed for law enforcement reporting and exchange cooperation.👉 Apply for Victim Relief Program: https://chainbounty.io/en/event/campaign-victim-support/(Disclaimer: This report is based on on-chain data and public OSINT. Identity-related content is circumstantial estimation. Final legal judgments must be confirmed through lawful procedures by law enforcement agencies.)

ChainBounty

ChainBounty

6 months ago