Series 1: 100 Ethereum stolen in 7 days - NFTs scamming grey area revealed/walk-through
NFTs are getting popular and more people are joining this Web3.0 ship. If you ever use a Discord to join any NFT projects, you know scammers are messaging you, baiting you to click their baiting link. Today I will show you how a fake link from a Twitter account, gone viral and scam 100 Ethereum in 7 days (to be exact 5 days).
The scammer is using an account, Artsy Lizz @lizsthephen, with a blue tick (verified Twitter account) and pretended to be Mutant Shiba Club, a NFT project core member and sharing the minting link. The account is having 36.8k followers, good engagement rate and good following to followers rate.
The @lizstephen has deleted previous old post which has around 2k retweets and likes and make new tweet probably due to too many warning comments from other victims and people. When I clicked the mutantshiba.army, we will see this page.
The page is build using simple html with a Connect Wallet button. I tested it using my dummy wallet. The permission is view only, which is fine and I can’t proceed to let them hack me. I scroll through the Twitter tweet and found out that someone asks why need to pay gas fee and the @lizstephen comments that it is for database recording purpose (we all know this is bullshxt) but I kind of stuck here. So I continue scrolling the Twitter and see people complaining their NFT are being transferred out. I quickly use Etherscan to check their wallet and found out the darkest scamming chain.
Wallets that are involved in this scamming chain are:
1. 0x78807EfF628EEb122Ae8784fa5b3e1654dA22B25
2. 0xdfcf5f22eb55c5619bcf672aefb8144b344c074f
3. 0xb3044267409bf3b0c00b7d7923b0273e08f7b7af
4. 0x32f9e151446a0db1f2f712026453c6b96eac1ca1
5. 0x4b7a61419b46f272c1a95d7eba65618259c63b50
6. 0x06384e3da6e193bce3dd360fe991425906aab6f5
7. 0x34cefd1487417defad704f8d774091f6b872c734
8. 0x1404ff718b5b1621bd975f3a740310fb826e4c65
Wallet 1 is used and connected on smart contract behind mutantshiba.army. Users’ NFT are being withdrawn directly to this wallet address. Those NFTs are sold on Opensea, Looksrare and Wyvern Protocol. Attached are the wallet address relation.
Wallet 4 serves as a purpose of transferring all NFTs to wallet 5 and wallet 6. Not sure the objectives. Wallet 1 has scammed more than 100 Ethereum in less than 7 days, not including the rest wallet. One notably note is the scammer use wallet 5 to mint 5 Ballheads (BHC) 240 days ago. @lizstephen spends 0.03 to mint 3 Ballheads, 0.007 and 0.018 to buy from the rest 2 NFTs. Therefore, we can know wallet 5 was the scammer real account 240 days ago.
I have to stop the investigation for wallet 7 and 8 as I lose my excel sheet data record and feel like stopping the tracking. I might come back and make series 2, compiling all the scam amount and scam project in series 2, who knows, probably.
Regards,
Jeklye Lroyd
March 21, 2022
