Ethereum Threat Actors Part 3 — Phishings/Scams using Smart Contracts

Executive Summary

In part three of our mini-series (see part #1 & part #2) describing how cybercrime actors use the Ethereum blockchain for fraud, we analyze a phishing tactic that directs victims to a smart contract address. Interestingly, this smart contract is not unique: the exact same bytecode, for which no source code has been published, is deployed at more than 130,000 smart contract addresses.

Phishing on Forums/Telegram

Our analysis focuses on observed phishing attempts that direct victims to the smart contract account 0x70305B080eFc49eB5DFb9bdA78Aea516c398f804.

Image 1: Different scam messages posted by the actor on various discussion forums, all listing the same Ethereum addresses.
Image 2: Scam messages posted in a private Telegram group about the Crypterium token

Quick analysis of the smart contract bytecode

The bytecode of the smart contract can be found in the “Code” tab on etherscan.io, or retrieved programmatically with the eth.getCode method of the web3.js Ethereum JavaScript library.

Image 3: Control-flow graph (CFG) of the 0x7030 smart contract bytecode, generated with Octopus
Image 4: Internal transactions between the 0x7030 contract and the 0xaf19 address on etherscan.io

Who is behind 0xAf1931c20ee0c11BEA17A41BfBbAd299B2763bc0?

After a relationship analysis of the transactions of 0xAf1931c20ee0c11BEA17A41BfBbAd299B2763bc0, we discovered that this address is controlled by the Luno.com cryptocurrency exchange.

Image 5: Relationship graph using QuoLab
  • 0x416299aade6443e6f6e8ab67126e65a7f606eef5: Luno hot wallet
  • 0x2E05A304d3040f1399c8C20D2a9F659AE7521058: Luno user wallet contract generator
  • 0x1570073BFd8b1b19435fBc79713138e80287fEd8: Luno cold wallet

Similar Luno user wallets used for phishing

As we observed and explained in part #1 of this mini-series, Google BigQuery can be used to query the Ethereum blockchain and retrieve the complete list of smart contracts whose bytecode matches a specific pattern.

Image 6: Smart contracts with the exact same bytecode listed using Google BigQuery
  • 0x1aBC65765FD0DF7D997635EBE3027384BCF7923E
  • 0x82B36a7410796a3bD2a0B206abb402b899B0A388
  • 0x42265e06267D5857CE0d28094A122f453EE66d37
  • 0x0Da4eB121142879Db7cB4bCA6693c94154D07339
  • 0xB7741854BDB50e086A85722f6E280CD0515B9230
  • 0xBa663f63eE6eF36d8778615dB2b90679F605D8B4
  • 0x6Ef982f9E7F09d4bF4a70398707c82970a6Dc31E

Conclusion

In total, the Luno user wallets tagged as phishing/scam (0x7030 included) have received 678 ETH, i.e. about USD 190,000. While additional Luno user wallets may have been used for phishing/scam purposes, this blog post only covers the ones tagged by Etherscan.io and EtherscamDB.

Indicators of Compromise

Ethereum addresses:

  • 0x7355e49ba13082D3f83fD828Ee6FDA39738F1E55
  • 0x1aBC65765FD0DF7D997635EBE3027384BCF7923E
  • 0x82B36a7410796a3bD2a0B206abb402b899B0A388
  • 0x42265e06267D5857CE0d28094A122f453EE66d37
  • 0x0Da4eB121142879Db7cB4bCA6693c94154D07339
  • 0xB7741854BDB50e086A85722f6E280CD0515B9230
  • 0xBa663f63eE6eF36d8778615dB2b90679F605D8B4
  • 0x6Ef982f9E7F09d4bF4a70398707c82970a6Dc31E

Built by operators for operators, QuoScient provides customers across all industries with its technology QuoLab and its expertise against digital threats of all kinds.