Ethereum Threat Actors Part 3 — Phishings/Scams using Smart Contracts

QuoScient GmbH
Apr 3, 2019 · 4 min read

Executive Summary

In part three of our mini-series (see part #1 & part #2) describing how cybercrime actors are using the Ethereum blockchain for fraudulent means, we analyze a phishing tactic that used a smart contract address. Interestingly, this smart contract is not unique and the exact same closed-source bytecode is used in more than 130 thousand smart contracts.

In this blogpost, we provide a quick analysis of the closed-source bytecode inside those smart contracts. We will also explain the process to find similar contracts and how to leverage this information to find the cryptocurrency exchange behind them.

Phishing on Forums/Telegram

The focus of our analysis is based on observed phishing attempts related to the smart contract account 0x70305B080eFc49eB5DFb9bdA78Aea516c398f804.

Based on our observations, the account owner is targeting forums and private channels (such as Telegram) discussing low-value cryptocurrency tokens. For example, multiple scam messages were observed on forums related to Crypterium (CRPT), Envion (EVN) and Substratum (SUB).

Image 1: Different scam messages posted by the actor and listing the same Ethereum addresses on various discussion forums.

In the above forums, the actor entices users to make Ethereum payments to the address in question in order to receive rewards. Based on the various languages used in the spam messages, the author writes in English, Croatian and Russian, although it is unclear whether the author is fluent in any of them. One moderator of etherscan.io also found the same scam message on a private (fake) channel on Telegram.

Image 2: Scams over a private Telegram group about Crypterium token

At the time of writing, this address has received a total of 457 transactions, with roughly 350 ETH received (USD 82 thousand). While the address has been flagged for malicious phishing activity, it is unknown how many of these transactions were the result of this scam.

Quick analysis of the Smart contract Bytecode

The bytecode of the smart contract can be found in the “Code” tab on etherscan.io or by using the getCode method of the Ethereum JavaScript library web3.js.

In order to reverse the bytecode, we used our open-source tool Octopus to generate the control flow graph (CFG) of the smart contract.

Image 3: CFG of the 0x7030 smart contract bytecode on Octopus

This smart contract is very short: only 365 bytes, 1 function, 5 basic blocks and 110 EVM instructions. The most interesting part of the bytecode is the hardcoded address 0xaf1931c20ee0c11bea17a41bfbbad299b2763bc0. This address is used as the second argument of the CALL instruction (offset 0x77), meaning that every transaction sent to the 0x7030 contract goes directly through 0xaf1931c20ee0c11bea17a41bfbbad299b2763bc0.

This smart contract is a typical automated proxy that forwards every Ether received to the 0xAf1931c20ee0c11BEA17A41BfBbAd299B2763bc0 Ethereum address. We observe confirmation of this behavior by looking at the “Internal Txns” tab on etherscan.io.
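The hardcoded-address finding above can be reproduced without a CFG tool. The following block is an added Python example, not Octopus code and not the 0x7030 contract's bytecode: it implements a minimal EVM disassembler (PUSH1..PUSH32 are the only variable-length instructions, so the rest is a one-byte-per-opcode walk) and, for each CALL, reports the most recent PUSH20 constant before it, which is exactly the shape a forwarding proxy has. The runtime bytecode it runs on is constructed here (a forwarder to the placeholder address 0xdeadbeef…), so the CALL offset it prints is 0x1f rather than the 0x77 of the real contract. The check is a heuristic: a contract that loads its target from storage or calldata shows SLOAD or CALLDATALOAD instead of PUSH20 and is reported as having no hardcoded target.

```python
"""Added example: a minimal EVM disassembler that spots hardcoded CALL targets.

Runtime bytecode (what eth_getCode returns) is a flat byte string; the only
variable-length instructions are PUSH1..PUSH32 (opcodes 0x60..0x7f), whose
immediate follows the opcode. Everything else is one byte wide.
"""

# Subset of the opcode table; enough for short forwarding contracts.
OPCODES = {
    0x00: "STOP", 0x01: "ADD", 0x14: "EQ", 0x15: "ISZERO", 0x33: "CALLER",
    0x34: "CALLVALUE", 0x35: "CALLDATALOAD", 0x36: "CALLDATASIZE",
    0x50: "POP", 0x51: "MLOAD", 0x52: "MSTORE", 0x54: "SLOAD", 0x56: "JUMP",
    0x57: "JUMPI", 0x5A: "GAS", 0x5B: "JUMPDEST", 0xF1: "CALL",
    0xF3: "RETURN", 0xFD: "REVERT", 0xFE: "INVALID",
}


def disassemble(code: bytes):
    """Yield (offset, mnemonic, immediate) tuples; immediate is None unless PUSHn."""
    pc = 0
    while pc < len(code):
        op = code[pc]
        if 0x60 <= op <= 0x7F:                      # PUSH1..PUSH32
            width = op - 0x5F
            imm = code[pc + 1 : pc + 1 + width]     # may be short if code is truncated
            yield pc, f"PUSH{width}", imm
            pc += 1 + width
        elif 0x80 <= op <= 0x8F:                    # DUP1..DUP16
            yield pc, f"DUP{op - 0x7F}", None
            pc += 1
        elif 0x90 <= op <= 0x9F:                    # SWAP1..SWAP16
            yield pc, f"SWAP{op - 0x8F}", None
            pc += 1
        else:
            yield pc, OPCODES.get(op, f"UNKNOWN_0x{op:02x}"), None
            pc += 1


def find_call_targets(code: bytes):
    """For every CALL, return (call_offset, address): the most recent PUSH20 constant
    seen before it. A forwarding proxy shows exactly this pattern; a contract that
    loads its target from storage or calldata yields nothing here."""
    targets = []
    last_push20 = None
    for offset, mnemonic, imm in disassemble(code):
        if mnemonic == "PUSH20" and len(imm) == 20:
            last_push20 = "0x" + imm.hex()
        elif mnemonic == "CALL" and last_push20 is not None:
            targets.append((offset, last_push20))
    return targets


# Constructed runtime bytecode of a minimal forwarder (not the 0x7030 contract's code):
# push retLength, retOffset, argsLength, argsOffset (all 0), CALLVALUE as the value,
# PUSH20 <target>, GAS, CALL, POP, STOP. The target is a placeholder address.
PLACEHOLDER_TARGET = "0x" + "deadbeef" * 5
SAMPLE_RUNTIME = bytes.fromhex(
    "6000600060006000" + "34" + "73" + PLACEHOLDER_TARGET[2:] + "5a" + "f1" + "50" + "00"
)

if __name__ == "__main__":
    for offset, mnemonic, imm in disassemble(SAMPLE_RUNTIME):
        print(f"0x{offset:02x}: {mnemonic}" + (f" 0x{imm.hex()}" if imm else ""))
    print("hardcoded CALL targets:", find_call_targets(SAMPLE_RUNTIME))
```

On the constructed sample the listing ends with `GAS`, `CALL`, `POP`, `STOP` and the target list contains the placeholder address at the CALL's offset; feeding it the real runtime bytecode from the “Code” tab is the same call with a different byte string.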

Image 4: Internal transactions between 0x7030 contract and 0xaf19 address on etherscan.io

Who is behind 0xAf1931c20ee0c11BEA17A41BfBbAd299B2763bc0?

After a relationship analysis of the 0xAf1931c20ee0c11BEA17A41BfBbAd299B2763bc0 transactions, we discovered that this address is controlled by the Luno.com cryptocurrency exchange.

Image 5: Relationship graph using QuoLab

We determined the following role for each address:

  • 0xAf1931c20ee0c11BEA17A41BfBbAd299B2763bc0: Luno user wallet receiver
  • 0x416299aade6443e6f6e8ab67126e65a7f606eef5: Luno hot wallet
  • 0x2E05A304d3040f1399c8C20D2a9F659AE7521058: Luno user wallet contract generator
  • 0x1570073BFd8b1b19435fBc79713138e80287fEd8: Luno cold wallet

Similar Luno User Wallets Used for Phishing

As we previously observed and explained in part #1 of this mini-series, you can use Google BigQuery to retrieve a complete list of all smart contracts on the Ethereum blockchain that match a specific bytecode pattern.

Image 6: Smart contracts with the exact same bytecode listed using Google BigQuery

The above query returns roughly 130k results. After correlating this list of addresses with known phishing addresses tagged by Etherscan.io and EtherscamDB, we found eight similar Luno user wallets involved in phishing scams.
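The query-then-correlate step, as an added Python example that is not the authors' BigQuery query or QuoLab tooling: it groups the contracts a query returns by a hash of their raw bytecode, picks the family that contains the analysed 0x7030 contract, and intersects that family with a feed of tagged phishing/scam addresses. The rows and the tag feed are constructed (the two page addresses plus two placeholders), the bytecode strings are toy stand-ins rather than the real 365-byte contract, and the BigQuery table and column names shown in the SQL string are assumed and never executed here. The point the example makes beyond the paragraph is the normalisation: Etherscan displays addresses in EIP-55 mixed case while other feeds use lowercase, so every comparison lowercases first, and a tagged address with different bytecode is correctly left out.

```python
"""Added example: correlate a bytecode family with a tagged-address feed."""
import hashlib

# The kind of query one submits to BigQuery for this step. Table and column names
# (bigquery-public-data.crypto_ethereum.contracts; address, bytecode) are assumed
# here; this block does not execute it and works on the constructed rows below.
BIGQUERY_SQL = """
SELECT address, bytecode
FROM `bigquery-public-data.crypto_ethereum.contracts`
WHERE bytecode = @family_bytecode
"""

# Constructed rows shaped like that query's result. The bytecode strings are toy
# stand-ins, not the real 0x7030 contract code.
FAMILY_CODE = "0x6000600060006000" + "34" + "73" + "deadbeef" * 5 + "5af15000"
OTHER_CODE = "0x608060405200"
SAMPLE_ROWS = [
    ("0x70305B080eFc49eB5DFb9bdA78Aea516c398f804", FAMILY_CODE),  # analysed on the page
    ("0x7355e49ba13082D3f83fD828Ee6FDA39738F1E55", FAMILY_CODE),  # listed on the page
    ("0x0000000000000000000000000000000000000aaa", FAMILY_CODE),  # constructed, untagged
    ("0x0000000000000000000000000000000000000bbb", OTHER_CODE),   # constructed, other code
]

# Constructed tag feed. Real feeds (Etherscan, EtherscamDB) mix EIP-55 checksum case
# and lowercase; the second entry is upper-cased on purpose to show why every
# comparison must go through normalize().
SAMPLE_TAGS = {
    "0x70305b080efc49eb5dfb9bda78aea516c398f804": "phishing",
    "0x7355E49BA13082D3F83FD828EE6FDA39738F1E55": "scam",
    "0x0000000000000000000000000000000000000bbb": "phishing",  # tagged, but not in the family
}


def normalize(address: str) -> str:
    """Ethereum addresses are case-insensitive; EIP-55 only encodes a checksum in the case."""
    return address.strip().lower()


def fingerprint(bytecode_hex: str) -> str:
    """Stable key for 'exact same bytecode': hash the raw bytes, not the hex text."""
    hex_body = bytecode_hex[2:] if bytecode_hex.lower().startswith("0x") else bytecode_hex
    return hashlib.sha256(bytes.fromhex(hex_body)).hexdigest()


def group_by_bytecode(rows):
    """Map bytecode fingerprint -> list of normalized contract addresses."""
    groups = {}
    for address, code in rows:
        groups.setdefault(fingerprint(code), []).append(normalize(address))
    return groups


def family_of(rows, reference_address: str):
    """All contracts sharing the reference contract's exact bytecode (reference included)."""
    ref = normalize(reference_address)
    for members in group_by_bytecode(rows).values():
        if ref in members:
            return members
    return []


def tagged_members(rows, reference_address: str, tags):
    """Family members that appear in the tag feed, as sorted (address, tag) pairs."""
    norm_tags = {normalize(a): t for a, t in tags.items()}
    return sorted((a, norm_tags[a]) for a in family_of(rows, reference_address) if a in norm_tags)


if __name__ == "__main__":
    ref = "0x70305B080eFc49eB5DFb9bdA78Aea516c398f804"
    print("family size:", len(family_of(SAMPLE_ROWS, ref)))
    for address, tag in tagged_members(SAMPLE_ROWS, ref, SAMPLE_TAGS):
        print(address, tag)
```

Hashing the decoded bytes rather than comparing hex strings avoids false splits caused by "0x" prefixes or uppercase hex in one data source; on the real 130k-row result the same grouping collapses to a single family, and the intersection with the tag feeds is the eight-address list that follows.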

List of other Luno user wallets tagged as phishing/scam:

  • 0x7355e49ba13082D3f83fD828Ee6FDA39738F1E55
  • 0x1aBC65765FD0DF7D997635EBE3027384BCF7923E
  • 0x82B36a7410796a3bD2a0B206abb402b899B0A388
  • 0x42265e06267D5857CE0d28094A122f453EE66d37
  • 0x0Da4eB121142879Db7cB4bCA6693c94154D07339
  • 0xB7741854BDB50e086A85722f6E280CD0515B9230
  • 0xBa663f63eE6eF36d8778615dB2b90679F605D8B4
  • 0x6Ef982f9E7F09d4bF4a70398707c82970a6Dc31E

Conclusion

In total, Luno user wallets (0x7030 included) tagged as phishing/scam have received 678 ETH, i.e. USD 190,000. While it is possible that additional Luno user wallets were used for phishing/scam purposes, this post only covers the ones tagged by Etherscan.io and EtherscamDB.

Analysing and reversing this smart contract was useful to understand its behavior and to determine whether it was a generic contract. Similar user wallet contracts from other crypto-exchanges (such as Bittrex) can be found with their Solidity source code published.

Additionally, you can check out our open-source tool Octopus to analyze Ethereum transactions and reverse Ethereum smart contracts. Our conference presentations on this subject are also available in the QuoScient media center.

Feedback is as always welcome! Don’t hesitate to use the comment section below!

Patrick Ventuzelo, Security Researcher at QuoScient

Twitter / Medium / LinkedIn

Indicators of Compromise

Ethereum addresses:

  • 0x70305B080eFc49eB5DFb9bdA78Aea516c398f804
  • 0x7355e49ba13082D3f83fD828Ee6FDA39738F1E55
  • 0x1aBC65765FD0DF7D997635EBE3027384BCF7923E
  • 0x82B36a7410796a3bD2a0B206abb402b899B0A388
  • 0x42265e06267D5857CE0d28094A122f453EE66d37
  • 0x0Da4eB121142879Db7cB4bCA6693c94154D07339
  • 0xB7741854BDB50e086A85722f6E280CD0515B9230
  • 0xBa663f63eE6eF36d8778615dB2b90679F605D8B4
  • 0x6Ef982f9E7F09d4bF4a70398707c82970a6Dc31E
