970K Lost in Ledger NFT Scam

A victim here on Reddit recently lost 80K across Ethereum, Solana, and Cardano. There's a post he made a couple of weeks ago outlining the hack/scam.

I didn't see any useful comments in the original post and he reached out to me looking for help.

I focused on the Ethereum network as this appears to be where most of the activity takes place. I'm showing about 970K lost in stolen funds with numerous victims getting caught up in this scam.

Below is my attempt to outline where the funds went as well as how the scam happened.

Ethereum Wallets

Below are the main wallets associated with the victim who lost 80K and the main scammer wallets. The wallet labeled Reddit Sweeper was used to clean out about $25 in ETH.

If it is in fact a sweeper wallet, that would mean a seed phrase compromise. Otherwise the victim may have never revoked access and the scammer could have just gone back and cleaned up a bit of leftovers a day after the scam.

  • 0xA40731DceAE46A6bD893cebf97176a87403a26FC – 80K victim Reddit
  • 0xcf3BA5a31A376D01EbdcCad2b84Eb40D89EEdBA7 – 80k Scammer Reddit
  • 0xAC66519D0650Bd5163fa4a93737E660a780ACDae – 80K Scammer Reddit Sweeper?

Additional Wallets

0xcf3BA5a31A376D01EbdcCad2b84Eb40D89EEdBA7 – 80k Scammer Reddit

I marked off the below wallets as outgoing txns from the 80k Scammer wallet. Interestingly, almost all of the funds (about $950,000) are still sitting in these wallets.

There's a strong chance of recovery if law enforcement is actively monitoring the movements of the below addresses.

  • 0x1e2a7127A3D0Cfa1374A26523C0d4a78c5443080 – 80k Scammer Reddit 2 [590K here]
  • 0x92d3ADaf98610454f67eD48b0c8a367677DC63B6 – 80k Scammer Reddit 3
  • -0x2c6F334CE794e0BA277FDd6838c27050ab19d862 – 80k Scammer Reddit 3 1 [124K here]
  • 0xEa30e14960f3A3f996cADc1cDa2895859A430210 – 80k Scammer Reddit 4 [236K here]

Above is a look inside 0xcf3BA5a31A376D01EbdcCad2b84Eb40D89EEdBA7 – 80k Scammer Reddit. Almost all of the funds are sitting in the three decentralized wallets.

Wallet of Interest

0x418f6d0EE7aDF31Eaa757105980fa446a3D66a37

0x418f6d0EE7aDF31Eaa757105980fa446a3D66a37 funded 0xAC66519D0650Bd5163fa4a93737E660a780ACDae – 80K Scammer Reddit Sweeper?

It's possible 0x418f6d0EE7aDF31Eaa757105980fa446a3D66a37 might also be a victim. If I had more time, I'd do a deeper dive to find out who this entity is. This wallet has a user name associated with their OpenSea profile.

Above are all the transactions of 0xAC66519D0650Bd5163fa4a93737E660a780ACDae – 80K Scammer Reddit Sweeper? You can see the original funding of the wallet on 11/17/22. Also of interest: most of the funds went to three HitBTC deposit addresses.

HitBTC Deposit Addresses

  • 0x997Ae443C97Ad0b8A391D8F0Fa6F739C20512621
  • 0xa2ec859DcF2a47AD1BB8Fd91e497eC489c74C4CE
  • 0x90cBC9dd3FAbEFF9F36FF1Ca78aD00e4EB43e4Ab

These deposit addresses don’t look like they belong to 0x418f6d0EE7aDF31Eaa757105980fa446a3D66a37. It looks like he was paying for some service. Possibly accounts or gift cards as the wallets in the deposit address appear to have no relation to each other.

Wallet of Interest 2

0x1C1700B0dE3850AbA5ACfd38c3446b9b054e0715 – 80k Scammer Reddit 5

Odd to see a huge ETH txn right before about $971,400 in stolen funds are sent to the three intermediary wallets.

After further investigation, 0x1C1700B0dE3850AbA5ACfd38c3446b9b054e0715 – 80k Scammer Reddit 5 also appears to be a scammer wallet. I almost missed this one as this was the last incoming txn to 0xcf3BA5a31A376D01EbdcCad2b84Eb40D89EEdBA7 – 80k Scammer Reddit.

Below is a user on Twitter reporting the wallet as belonging to a hacker/scammer. Interestingly, this victim also mentions funds getting removed from his Ledger device.

https://preview.redd.it/58un8aloo5wc1.png?width=1210&format=png&auto=webp&s=18218cbe378b6559b8eec8e67268b3f844da7958

Movement of Funds

It seems the scammer took the following route to move all the stolen funds:

  • 80k Scammer Reddit 5 → 80k Scammer Reddit [154.042 ETH]
  • 80k Scammer Reddit → 80k Scammer Reddit 2 [174.142 ETH]
  • 80k Scammer Reddit → 80k Scammer Reddit 3 [38.674 ETH]
  • 80k Scammer Reddit → 80k Scammer Reddit 4 [73.994 ETH]

Additional Wallets

0x04d554f7f7163226A2CdFAcf127b7d5385576E79

0x1C1700B0dE3850AbA5ACfd38c3446b9b054e0715 – 80k Scammer Reddit 5 sent 2.5K to 0x04d554f7f7163226A2CdFAcf127b7d5385576E79. There are a number of eXch deposit addresses.

0x211172b638F73c1bd998E9f57f82E74A10FD0ed4

0x1C1700B0dE3850AbA5ACfd38c3446b9b054e0715 – 80k Scammer Reddit 5 sent 2K to 0x211172b638F73c1bd998E9f57f82E74A10FD0ed4.

More Movement

The below can really open up the rabbit hole to find other hacks and deposit addresses.

Above is a look inside 0x04d554f7f7163226A2CdFAcf127b7d5385576E79. There's a fair amount of deposit address activity.

How the Scam Happened

Looking at the original Reddit post from the victim and the Twitter user's post, it appears a bad actor is airdropping malicious NFTs to Ledger users.

I'm not sure of the exact scenario that played out, but the victims could have received an unsolicited NFT that appeared to be a voucher promising “free money”.

The voucher could say something along the lines of “You WON 5000 USDC or USDT!”

The voucher lures the victim to a website requiring you to approve the transaction. Once you sign the contract, your assets now belong to the scammer.
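The approval step described above can be made visible before signing. The sketch below is an added example, not part of the original post: it decodes the calldata of a pending transaction and states in plain language what an `approve`, `increaseAllowance` or `setApprovalForAll` call would grant. The function names, the token address and the spender address are constructed for illustration, and calldata alone cannot tell an ERC-20 amount from an ERC-721 token id.

```python
MAX_UINT256 = 2**256 - 1

# 4-byte selectors of the standard approval calls (ERC-20, ERC-721, ERC-1155).
SELECTORS = {
    "095ea7b3": "approve(address,uint256)",
    "39509351": "increaseAllowance(address,uint256)",
    "a22cb465": "setApprovalForAll(address,bool)",
}

def decode_approval(token, calldata_hex):
    """Decode approval calldata sent to contract `token`; None if it is another call."""
    data = calldata_hex.lower()
    if data.startswith("0x"):
        data = data[2:]
    call = SELECTORS.get(data[:8])
    if call is None:
        return None
    args = data[8:]
    if len(args) < 128:  # two 32-byte ABI words are required
        raise ValueError("truncated approval calldata")
    spender = "0x" + args[24:64]   # address is the low 20 bytes of word 1
    value = int(args[64:128], 16)  # allowance, token id, or bool
    if call.startswith("setApprovalForAll"):
        risk = "collection-wide" if value else "revoke"
    elif call.startswith("approve") and value == 0:
        risk = "revoke"            # ERC-20 reading: 0 clears the allowance
    elif value == MAX_UINT256:
        risk = "unlimited"
    else:
        risk = "limited"           # capped ERC-20 allowance, or one ERC-721 token id
    return {"token": token, "call": call, "spender": spender, "value": value, "risk": risk}

def warning(info):
    """Plain-language prompt a wallet could show before the user signs."""
    if info is None:
        return "not a token approval"
    text = {
        "unlimited": "lets {spender} move ALL of your balance of token {token}",
        "collection-wide": "lets {spender} move EVERY NFT you hold in collection {token}",
        "limited": "lets {spender} move up to {value} units (or NFT id {value}) of {token}",
        "revoke": "removes the approval previously given to {spender} on {token}",
    }
    return text[info["risk"]].format(**info)

def word(hex_value):
    """Left-pad a hex string to one 32-byte ABI word."""
    return hex_value.rjust(64, "0")

# Constructed sample data (not taken from the incident).
TOKEN = "0x" + "11" * 20
SPENDER = "00000000000000000000000000000000deadbeef"
UNLIMITED = "0x095ea7b3" + word(SPENDER) + "f" * 64
ALL_NFTS = "0xa22cb465" + word(SPENDER) + word("1")
TRANSFER = "0xa9059cbb" + word(SPENDER) + word("64")  # transfer(), not an approval
```

Each approval is decoded per token contract, so a wallet holding several assets would see one such prompt per asset.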

How to Avoid Malicious NFT Airdrops

Unfortunately, it's very hard to avoid someone sending you unsolicited NFTs. However, there are actions you can take to avoid engaging with any of these malicious NFTs.

  1. DO NOT ENGAGE WITH ANY AIRDROPPED NFT
  2. NEVER EVER ENTER YOUR SEED PHRASE ANYWHERE
  3. To avoid seeing the NFTs in your wallet, right click on the NFT and select Hide NFT Collection
  4. Avoid any links or websites associated with an NFT

Stay safe out there!

Update: I was able to get clarification from the victim on what actually happened. Apparently it was a seed phrase compromise, which would explain the sweeper bot and assets drained across multiple chains.

The attack required the user to follow step-by-step instructions to claim the reward, which ended with the victim entering their seed phrase.


50 thoughts on “970K Lost in Ledger NFT Scam”

  1. Hello jbtravel84. It looks like you might have found a new scam? If so, please report this scam by crossposting to r/CryptoScams, r/CryptoScamReport, or visiting scam-alert.io. For tips on how to avoid scams, click here.


    I am a bot, and this action was performed automatically. Please contact the moderators of this subreddit if you have any questions or concerns.

  2. Ping for verified users associated with Ledger device: u/Quintin_Ledger

    I am a bot, and this action was performed automatically. Please contact the moderators of this subreddit if you have any questions or concerns.

  3. That’s the oldest scam in the book. How do you not know that opening a link and signing the contract on one of those airdropped NFTs claiming to reward you with ‘x,xxx’ amount of USDC or whatever was a scam? Like you have that much ETH and you’re oblivious to keeping your funds safe…on a cold wallet nonetheless.

  4. I feel like a youngin watching old timers fall for the Nigerian prince and PC support scams over and over and over again like it's Groundhog Day.

    Nice writeup OP.

  5. Hide and Report.

    That is the only interaction you have with anything saying free.

  6. Good post.

    However, I don’t like that you mentioned, but later ignored, the root problem – signing a malicious contract. You focused on seed and NFT, but that’s just bait, not the root problem.

    If people are so greedy that they are willing to sign any contract without understanding it, no hardware wallet like Ledger will help them and protect them from losing money.

    Victims are basically signing a contract in which they are allowing the other side to take all of their money.

  7. Very good post,

    Thanks for your efforts, it’s a shame these quality posts don’t earn moons anymore.

  8. > The voucher lures the victim to a website requiring you to approve the transaction. Once you sign the contract, your assets now belong to the scammer.

    To be clear, a transaction needs signed for EACH asset type. Can not sign a single approval that approves more than a single token.

    Cannot sign approval for ETH at all.

  9. TL;DR

    Follow shady link to a website. Sign random smart contract. Money gone. Surprised Pikachu face.

  10. lol i still don’t get how these people can’t understand basic security principles but they somehow had enough IQ points to have 6 figures to lose to begin with.

  11. the problem is, no matter what the platform, if a person is dumb enough to click a link that says ‘you’ve just won some free money’ and then double dumb enough to enter their private key, they are beyond hope.

    it’s sad, but this is financial natural selection

  12. I am sorry, but those 970k aren’t lost. They are just in different hands now and I am sure their new owner appreciates them very much. Indeed they were the informal tuition fee of the NFT-noob online academy. Thanks everyone for playing, valuable lessons have been learned.

  13. It is very invasive having these airdrop nft things show up. Even if someone told me how or why it can happen I’m probably too old to understand it. If you had that much crypto why are you playing around with these stupid things! 970k yikes. Stupid people shit me to tears.

  14. Of course these scams seem obvious to most people, but I don’t get how wallet providers aren’t designing something to stop this.  

    “You’re about to give this website permission to transfer all your funds” would have saved lots of people from scams

  15. you say the seed phrase was compromised BUT reality is if it was an NFT scam as you mention in the title, you need to interact with the Ledger NFTs that are scams for this to happen.

    because if they interacted it was a human error.

    you can ignore these crap nfts scams.

    could you clarify this?

  16. Stupid question but how do these scammers actually unload money. How do they convert their crypto to cash. Since the blockchain records everything and the addresses are all public, they can’t just send to a CEX and withdraw to the bank.

  17. Can't happen on MultiversX. But keep investing in insecure chains! Ever heard of Guardian? It's a 2FA extra layer of security for transactions and seed phrase on xPortal of MultiversX chain. Just try the super app and stop losing your money!

  18. I don’t understand why we need a detailed thread about the most common types of scamming there are. My wallets are full of those scam NFTs.

    Also, “engaging” with the NFT does fuck all. You don’t get magically hacked. People just go to the malicious website, connect their wallets, and then approve a malicious transaction. Like you got to mess up in multiple levels to get scammed like that. You can send or burn those NFTs just fine, they are just NFTs.

    Threads like these are like telling people “if you don’t want to get your house robbed, don’t give your keys to strangers”. Like no shit.

  19. It's a little crazy how it's like a wild west and there seems to be a void in educational content that keeps people away from scams.

    I get the feeling most crypto are scams and am now only interested in bitcoin.

    The shit coins and NFT markets are too scammy..

  20. I saw at least 20 “NFT airdrops” last time I checked my Ledger, I guess it’s a widespread thing

  21. I’m getting so many scam emails now…
    “MetaMask wallet will be suspended if you don’t kyc now!!”

    “Get your free BLAST codes now!”

    And about 3 other varieties to get other BLAST airdrops

  22. How did the scammer take the money crosschain? Is this now possible? As we know so far it isn’t possible or am I not up to date?

  23. This is probably not the right place but I’ll try my luck. When I swap within phantom or solflare directly, they chose the dex for me. I know these protocols can still be hacked like it happened in past but it’s not very likely and the route should be reliable or not? Is there still a danger to be connected to fraudulent stuff? Sometimes I have 5 routings for a swap. Doesn’t make much sense to me and sometimes I don’t even know the actors in between. I cancel the transaction in those cases.

  24. Man, that’s a tough break. Losing $970K in a Ledger NFT scam is no joke. It’s scary how these scammers can target unsuspecting victims. It’s a good heads-up about being careful with unsolicited NFTs. Seems like the scammer was playing dirty, dropping those malicious NFTs and luring folks with promises of free money. Never engage with those airdrops and definitely, absolutely, under no circumstances, share your seed phrase. Scammers are always cooking up new tricks.

  25. If it’s free you are the product. Never trust airdrops or “free” money. There is always a catch

  26. This is excellent work, seriously, but please learn when to use “have” versus “of,” like say “may have” instead of “may of”

  27. Great writeup! What was the program you used to visualize the flow of funds in the first screenshot?

  28. So many victims as a result of basic lapses in basic security hygiene. I wish people took their security seriously. Scammers will always be out there we have no control over that but we do have control over our security.

  29. It isn’t a scam, just greedy stupid users. This won’t change either in crypto, it’s inherently the reason why we have crypto

  30. I thought it was common knowledge to not open or accept any gifts, especially nft’s on ledger haha.

  31. No one ever needs your seed phrase. If you really want to receive an airdrop, and believe it’s legit connect a brand new wallet with nothing in it that is not connected to any of your financial institutions.
