Scam as a service: Pink Drainer

Analyzing the flow of money and related fraud services associated with PinkDrainer, we were able to identify a person strongly connected to this organization.

Heiner
Apr 17, 2024 · 24 min read

What is a cryptocurrency Drainer?

Crypto drainers are malicious scripts, usually served from phishing sites, that trick a wallet owner into signing transactions or token approvals which move their cryptocurrency to an address controlled by the attacker.

What is PinkDrainer?

Pink Drainer is a threat group targeting cryptocurrency investors. Its attacks are predominantly phishing-oriented, but they differ from run-of-the-mill phishing: the group has carried out several high-profile compromises that resonated among cryptocurrency investors, including:

  • Phishing attack on Vitalik Buterin’s Twitter (X) account
  • Phishing attack on Slingshot’s Twitter (X) account
  • Phishing attack on OpenAI CTO’s Twitter (X) account
  • Phishing attack on Orbiter Finance’s Discord group

The “Scam As a Service” Business Model

Pink Drainer, Angel Drainer, Inferno Drainer, the newer MS Drainer and similar operations all seem to follow the same business model.

They offer individuals and phishing teams a turnkey kit for draining crypto wallets, in exchange for a hefty initial deposit and a 20–30% cut of the future phishing loot.

Scam-as-a-service phishing operations continue to thrive: in 2023 attackers created more than 16,000 unique domains spoofing more than 100 different cryptocurrency brands, according to Group-IB.

When Monkey Drainer shut down, a number of other services launched or ramped up, including MS Drainer, Inferno, and the Angel and Pink drainers, according to Scam Sniffer. Other major players include Chick Drainer and Rainbow Drainer. One of the best-known drainer scam-as-a-service operations was Inferno Multichain Drainer: its creators announced it in November 2022, but it did not take off until March 2023.

More information about other drainer services here.

Part 1

Context

The victim was scammed by a fake trading bot promoted in a YouTube video; the channel had 33k subscribers and the video 180k views.

YouTube video: https://youtu.be/m0aEc8HVMP0?feature=shared

The scam also had a Twitter (X) account, now suspended: https://x.com/dr4kzone/status/1768580791137694201?s=46

Scam

After the victim did what the video instructs [creating and funding a smart contract that supposedly configures the trading bot], his funds moved as follows:

Address of victim: 0xf028E79229172bb38C67C3eeBeAb666858DafD86

Contract created by the victim: 0xA9738FB4D91776dCBF3d995C78b09ef7A5194e78

After the victim created and funded the contract:

Transfer of 0.667 ETH (about $2.5K): https://etherscan.io/tx/0x8b7bcefdcc64a679d0d3cc21d08397f61165b259aae6f1143b9bad6d37ada442

His funds (0.667 ETH, about $2.5K) went to uniswapmempool.eth, i.e. 0xc4e1dc397ECdb3b6B218e2070af993aB9Cd5eB86, as seen in the image above.

The next image is a visual representation of the flow of money mentioned:

Inside uniswapmempool.eth we can see the scammer sending money to an address that also receives funds from wallets reported for phishing:
0xa2b86739b80c84f4b40ffafc47ce780cc5dfbffe

This address, 0xa2b86739b80c84f4b40ffafc47ce780cc5dfbffe, receives money from [Fake_phishing270315].

Another example:

In this second example, uniswapmempool.eth receives funds from uniswapv4.eth, i.e. 0x2555aB9287E8f5cb9042EEC32629a8e891531E12:

hash: 0xce39e75e5cd823b6e0b0a469d1c1775134d2b6fea0b171f4720402e01e5d7b18

Inside uniswapv4.eth we can see it sending to 0x2d60171e82b8218d888b38659b7e77c7ec1f0c6e:

hash: 0x6cb629baf170cd50740ee829308d2e3db706641d8845f97fc48ee63d42e0d9dc

Inside 0x2d60171e82b8218D888B38659b7e77c7EC1F0C6E we can see this wallet collecting more stolen funds from:

https://etherscan.io/txs?a=0x2d60171e82b8218D888B38659b7e77c7EC1F0C6E&p=4

Fake_Phishing322874, Fake_Phishing322873, Fake_Phishing322880, Fake_Phishing322954, Fake_Phishing323124

This is a visual representation of the flow of funds:

-> Victim
-> uniswapmempool.eth
-> uniswapv4.eth
-> 0x2d60171e82b8218D888B38659b7e77c7EC1F0C6E

i.e. from the victim to the wallets reported for phishing.

Graph: https://www.breadcrumbs.app/reports/10631

PinkDrainer?

After analyzing the phishing-reported wallets mentioned above, we conclude this scam was run with Pink Drainer, since these addresses have traces and many transactions between each other:

Relation between the phishing-reported addresses and Pink Drainer

Graph: https://metasleuth.io/result/eth/0x7c9eb6df2349820d27d69805193d7806a7689ade?source=f9859fc2-670a-48b8-a8ce-fcc4b4513e76

In the image above we can see the flow of funds and the addresses mentioned before sending funds between each other, all of them part of the Pink Drainer structure. Some addresses in this flow of money caught our attention; we address them later.

Part 2: Analyzing Pink Drainer flow of money

Analyzing the flow of money in Pink Drainer, some addresses caught our attention because of their transaction activity: recently created wallets with many incoming transactions, large amounts moved and only a few outgoing transactions.

Looking at the big picture of the Pink Drainer structure, some addresses appear unusually involved. In the next image, the wallets in orange send funds to and receive funds from these reported wallets.

Flow of stolen funds to the Fake_phishing (Pink Drainer) wallets

Download HQ image: https://postimg.cc/w176x8jF

Image: https://ibb.co/ry7gmgh

Graph: https://metasleuth.io/result/eth/0xf028e79229172bb38c67c3eebeab666858dafd86?source=f999071e-ca1c-45f7-baf0-b7fda6d81b10

This graph shows the transactions from the start up to the point where the funds begin to be laundered through CEXs and DEXs.

In orange are wallets that send money to and receive money from addresses labeled as phishing. They are either related to Pink Drainer or are using this service.

Wallets in orange to watch:

Fatfee.eth: 0x7c9eb6df2349820d27d69805193d7806a7689ade

Uniswapv4.eth: 0x2555ab9287e8f5cb9042eec32629a8e891531e12

USDT main wallet: 0x4861536e04fb526028fee26fc954c46bd1517d1a

Using another visualization tool we can see the same flow of money, mainly heading to Binance, MXC, FixedFloat, Rollbit and Stake:

Same flow of money with transactions to CEX and DEX

Graph: https://www.breadcrumbs.app/reports/10512

The flow of money of Pink Drainer shows heavy use of centralized and decentralized services to launder the stolen assets. This visualization has been cleaned up, since the transaction noise they create sometimes makes analysis difficult.

As mentioned before, some addresses are closely related, so we dig deeper into them.

Analyzing Fatfee.eth on-chain:

Fatfee.eth: 0x7c9eb6df2349820d27d69805193d7806a7689ade

Fatfee.eth’s transaction history (high activity since January 2024) shows a close relationship: for more than a month it has been sending funds to and receiving funds from wallets labeled as phishing scams, in this case Pink Drainer.

Some of this inflow looks like a percentage being paid to fatfee.eth, and sometimes it is redirected to other addresses with suspicious transaction behavior, for example on 2024/03/04:

0xdc6d38515e7ed9c0c4ae7c8feeb576690c94b5e6ce46399ee8c039b5667d51ce

Fatfee.eth has received approximately 50 ETH from Fake_phishing-labeled addresses, as listed here:

https://pastebin.com/b8ZibSK7

Fatfee has received more funds from other addresses used to launder money through CEXs; however, from the wallets marked as Fake_phishing alone, it has received at least 50 ETH since November 2023.

Relation with phishing wallets labeled as PinkDrainer [inflow]:

Using Arkham and Nansen, we found that its primary counterparties predominantly consist of wallets flagged for phishing activity.

The top 5 wallets that interacted with fatfee.eth according to Arkham and Nansen are the same:

Top counterparties

  • 0x1Fe5B69d8066f773Ed6FE619407640A4449A42f2: suspicious behavior and transaction history
  • 0xCc5256D26088B54aF38ADCd914a43181Ee45b3A5: wallet that sends funds to phishing-labeled wallets
  • 0x4dCb55eb77567fB17CE1Df590b67642e4bF5eB3B: Fake_Phishing322874
  • 0x399bA3bCd62e81Ea795016eCB4F43e18D9671bcd: PinkDrainer: Wallet 1 sends money here
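What the Breadcrumbs/MetaSleuth graphs in Part 1 and the Arkham/Nansen counterparty tables above show can be reproduced with a few lines once the transfers are exported from an explorer. The script below is an added example (not code from this article, nor from any of the tools named) that traces the shortest path from the victim to the consolidation wallet, sums the inflow an address receives from Fake_Phishing-labeled counterparties, and ranks counterparties by volume. Every address, label and amount in it is a constructed placeholder that only mimics the shape of the flow described; on real data you would fill TRANSFERS from a transaction export.

```python
"""Trace a fund flow and rank counterparties (added example, constructed data).

Every address, label and amount below is a constructed placeholder that mimics
the shape of the flow described in the article; none of it is on-chain data.
"""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    tx: str        # transaction hash (placeholder)
    src: str       # sender
    dst: str       # receiver
    value_eth: float


# Explorer-style labels (Etherscan "Fake_Phishing..." tags, ENS names). Constructed.
LABELS = {
    "0xf028": "victim",
    "0xa973": "victim-deployed 'bot' contract",
    "0xc4e1": "uniswapmempool.eth",
    "0x2555": "uniswapv4.eth",
    "0x2d60": "consolidation wallet",
    "0x4dcb": "Fake_Phishing322874",
    "0xaaaa": "Fake_Phishing322873",
    "0x7c9e": "fatfee.eth",
    "0xbbbb": "exchange deposit address",
}

# Constructed transfer set: victim -> contract -> mempool ENS -> v4 ENS ->
# consolidation wallet, plus the inflow/outflow of the wallet under review.
TRANSFERS = [
    Transfer("0x01", "0xf028", "0xa973", 0.667),  # victim funds the "bot" contract
    Transfer("0x02", "0xa973", "0xc4e1", 0.667),  # contract forwards everything out
    Transfer("0x03", "0xc4e1", "0x2555", 5.0),
    Transfer("0x04", "0x2555", "0x2d60", 12.0),
    Transfer("0x05", "0x4dcb", "0x2d60", 8.0),    # labeled wallet feeds the same sink
    Transfer("0x06", "0x4dcb", "0x7c9e", 28.0),   # labeled wallet -> wallet under review
    Transfer("0x07", "0xaaaa", "0x7c9e", 9.5),
    Transfer("0x08", "0x7c9e", "0xaaaa", 3.0),    # money also flows back out
    Transfer("0x09", "0x7c9e", "0xbbbb", 20.0),   # cash-out towards an exchange
    Transfer("0x0a", "0x2d60", "0x7c9e", 2.0),
]


def build_graph(transfers):
    """Adjacency list src -> [(dst, tx, value_eth)] in input (chronological) order."""
    graph = defaultdict(list)
    for t in transfers:
        graph[t.src].append((t.dst, t.tx, t.value_eth))
    return graph


def shortest_path(transfers, start, target, max_hops=6):
    """BFS from `start`; returns [(src, dst, tx), ...] or None if unreachable
    within `max_hops`. The hop limit stops exchange hot wallets from
    connecting everything to everything."""
    graph = build_graph(transfers)
    parent = {start: None}
    queue = deque([(start, 0)])
    while queue:
        node, depth = queue.popleft()
        if node == target:
            break
        if depth >= max_hops:
            continue
        for dst, tx, _ in graph.get(node, []):
            if dst not in parent:
                parent[dst] = (node, tx)
                queue.append((dst, depth + 1))
    if target not in parent:
        return None
    hops, node = [], target
    while parent[node] is not None:
        src, tx = parent[node]
        hops.append((src, node, tx))
        node = src
    return hops[::-1]


def inflow_by_label(transfers, addr, label_prefix):
    """ETH received by `addr` from counterparties whose label starts with the prefix."""
    return sum(t.value_eth for t in transfers
               if t.dst == addr and LABELS.get(t.src, "").startswith(label_prefix))


def labeled_inflow_share(transfers, addr, label_prefix):
    """Fraction of all inbound ETH that comes from labeled counterparties."""
    total = sum(t.value_eth for t in transfers if t.dst == addr)
    return inflow_by_label(transfers, addr, label_prefix) / total if total else 0.0


def top_counterparties(transfers, addr, n=5):
    """Counterparties of `addr` ranked by total volume in either direction."""
    volume = defaultdict(float)
    for t in transfers:
        if t.src == addr:
            volume[t.dst] += t.value_eth
        elif t.dst == addr:
            volume[t.src] += t.value_eth
    return sorted(volume.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


if __name__ == "__main__":
    for src, dst, tx in shortest_path(TRANSFERS, "0xf028", "0x2d60"):
        print(f"{LABELS[src]:>32} -> {LABELS[dst]:<22} ({tx})")
    print("labeled inflow:", inflow_by_label(TRANSFERS, "0x7c9e", "Fake_Phishing"), "ETH")
    print("labeled share: ", round(labeled_inflow_share(TRANSFERS, "0x7c9e", "Fake_Phishing"), 3))
    for cp, vol in top_counterparties(TRANSFERS, "0x7c9e"):
        print(f"{LABELS.get(cp, cp):>32} {vol:6.1f} ETH")
```

The labeled-inflow share is the number to look at when an explorer label is the only evidence: a wallet that receives most of its ETH from Fake_Phishing-tagged addresses behaves very differently from a middleman who occasionally touches tainted funds, and the hop limit in the path search is what keeps a Binance hot wallet from "linking" every address on the chain.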

Relation with PinkDrainer [Outflow]:

Analyzing the next graph, the inflow transactions match the Arkham results.

The [Outflow] transactions are also related to phishing activity, particularly PinkDrainer.

The top 5 are:

  • 0x8E8ceB9670367eA772F2Bf3e0d001b0382B8b76b: mixed flow with phishing-labeled wallets; sent 268 ETH through Railgun.
  • 0xef05C2738E74aE5049da08eB871E50BE7Be3aa15: mixed flow with phishing-labeled wallets; funded by a phishing address.
  • 0xb2fD93242A064F00f642Ee4be990741e52B91E3B: spreads funds to different wallets.
  • 0xEE260921DFC7B6d9EF190B14891eE0d7eaF954ea: wallet used to send to Paribu (Turkish exchange); receives funds from the reported scammer spider-verse.eth (PinkDrainer).
  • 0xf6cf3b4D543ED4780db998479a10fbd332C23338: mixed flow with phishing-labeled wallets.

Fatfee.eth & PinkDrainer

The activity between these addresses is highly interconnected, reaffirming what was already evident: the strong relationship between Fatfee.eth and PinkDrainer.

The next graph gives the big picture of how well connected fatfee.eth is with PinkDrainer-related addresses:

Fatfee.eth is very close to the phishing-reported addresses

Download HQ image: https://postimg.cc/NKprSwP4
Graph: https://metasleuth.io/result/eth/0x7c9eb6df2349820d27d69805193d7806a7689ade?source=7bf0b146-ca9e-41a9-a9a6-b585de1a22d5

Its on-chain behavior, its position in the flow of money and the timing relative to this drainer lead us to conclude it is part of PinkDrainer.

The pink boxes are wallets related to PinkDrainer and the orange ones have suspicious activity.

Simply looking at the previous graph, we see that Fatfee.eth:

  • has received 28 ETH from Fake_phishing322874
  • has received 2 ETH directly from PinkDrainer
  • has sent 12.075 DAI to Fake_phishing322873

Fatfee.eth & PinkDrainer 2

Another case confirming that fatfee.eth plays an important role in PinkDrainer is the behavior of some of the addresses that “pay him”.

For example, taking the [Outflow] wallet mentioned before into a deeper investigation:

0xEE260921DFC7B6d9EF190B14891eE0d7eaF954ea: wallet used by fatfee to send to Paribu (Turkish exchange).
In this wallet (0xEE26…) fatfee receives funds from the reported scammer spider-verse.eth (PinkDrainer).

spider-verse.eth (PinkDrainer): 0x2D86e074C34e1FF2D33e8049Ee28e21Ce3A9Aa16

We can see spider-verse.eth (PinkDrainer) sending him:

  • 1.7 ETH
  • 4,000 DAI

Who is spider-verse.eth (PinkDrainer): 0x2D86e074C34e1FF2D33e8049Ee28e21Ce3A9Aa16?

This address was reported to be linked with PinkDrainer by ChainAegis:

https://twitter.com/ChainAegis/status/1775818824434258089

And Scam Sniffer:

https://twitter.com/realScamSniffer/status/1775528375962268126

The on-chain behavior of spider-verse.eth (PinkDrainer) links it with both PinkDrainer and Fatfee.eth:

Spider-verse.eth linked to PinkDrainer and Fatfee.eth

Download HQ image: https://postimg.cc/QFwWhqh9
Graph: https://metasleuth.io/result/eth/0x2d86e074c34e1ff2d33e8049ee28e21ce3a9aa16?source=1600f8d8-43be-447e-bf55-bfd003a0fb80

The transactions shown and the behavior of fatfee.eth link him to PinkDrainer.

This on-chain activity, together with the flows and the methods used to move money, is therefore clear evidence linking him directly to this criminal organization.

Fatfee.eth & PinkDrainer 3

Analyzing fatfee.eth [0x7C9EB6dF2349820D27D69805193d7806A7689ade] we found other people reporting this address in connection with phishing scams.

In one case a Reddit user reported that a single victim lost about 850K in DEGEN tokens. According to Scam Sniffer, the attack vector was a malicious ERC-20 Permit signature: users were phished through fake DEGEN ads on Google. The user also mentioned finding a few other interesting outgoing wallets:

Reddit post: https://www.reddit.com/r/CryptoCurrency/comments/1c7j6va/850k_in_degen_stolen/

Additionally, he stated that he also found direct connections to the Zerolend phishing scam and to this one:

https://www.reddit.com/r/CryptoCurrency/comments/1ajx16d/17m_stolen_in_3_days/

Both cases are related to PinkDrainer, and other users have begun to notice that fatfee.eth could play a role in this phishing organization.
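The Permit vector Scam Sniffer describes works because the victim signs an off-chain EIP-712 message (an EIP-2612 `Permit`, or the DAI-style variant with `allowed`/`expiry`) that grants the attacker a token allowance without the victim sending any transaction; the drainer then submits `permit()` and `transferFrom()` itself. The check below is an added example, not code from this article or from Scam Sniffer: it inspects a typed-data request the way a wallet or a browser extension could before the user signs, and flags the three things a drainer permit typically combines: an unknown spender, an unlimited value, and a deadline far in the future. The spender allowlist and the three payloads are constructed for the example, and the token and spender addresses are placeholders.

```python
"""Flag dangerous ERC-20 Permit signature requests (added example).

Inspects an EIP-712 payload as a wallet receives it via eth_signTypedData_v4.
All addresses and payloads below are constructed placeholders.
"""
import json
import time

UINT256_MAX = 2**256 - 1

# Spender contracts the user actually intends to approve (constructed allowlist).
TRUSTED_SPENDERS = {"0x" + "aa" * 20}

# EIP-712 field types for the two common permit layouts.
FIELD_TYPES = {"owner": "address", "holder": "address", "spender": "address",
               "value": "uint256", "nonce": "uint256", "deadline": "uint256",
               "expiry": "uint256", "allowed": "bool"}


def inspect_permit(typed_data_json, trusted_spenders=TRUSTED_SPENDERS,
                   now=None, max_deadline_days=30):
    """Return a list of findings; an empty list means nothing looked off.

    Handles EIP-2612 (owner/spender/value/nonce/deadline) and the DAI-style
    permit (holder/spender/nonce/expiry/allowed)."""
    data = json.loads(typed_data_json)
    if data.get("primaryType") != "Permit":
        return []  # not a permit; other message types need their own checks
    msg = data.get("message", {})
    now = time.time() if now is None else now
    findings = []

    spender = str(msg.get("spender", "")).lower()
    if spender not in {s.lower() for s in trusted_spenders}:
        findings.append(f"spender {spender or '<missing>'} is not a known contract")

    # DAI-style permits carry no value: allowed=True means unlimited.
    value = UINT256_MAX if msg.get("allowed") is True else int(msg.get("value", 0))
    if value == UINT256_MAX:
        findings.append("unlimited allowance (uint256 max)")

    deadline = int(msg.get("deadline", msg.get("expiry", 0)))
    days_left = (deadline - now) / 86400
    if days_left > max_deadline_days:
        findings.append(f"deadline is {days_left:.0f} days away")
    return findings


def typed_data(message, token="0x" + "ee" * 20):
    """Wrap a Permit message in the EIP-712 envelope a dapp hands to the wallet."""
    return json.dumps({
        "types": {
            "EIP712Domain": [{"name": "name", "type": "string"},
                             {"name": "version", "type": "string"},
                             {"name": "chainId", "type": "uint256"},
                             {"name": "verifyingContract", "type": "address"}],
            "Permit": [{"name": k, "type": FIELD_TYPES[k]} for k in message],
        },
        "primaryType": "Permit",
        "domain": {"name": "ExampleToken", "version": "1", "chainId": 1,
                   "verifyingContract": token},
        "message": message,
    })


NOW = 1_700_000_000  # fixed clock so the example is deterministic

# Constructed payloads: what a drainer page asks for vs. a normal dapp permit.
MALICIOUS = typed_data({
    "owner": "0x" + "11" * 20,
    "spender": "0x" + "ba" * 20,            # attacker-controlled, not in allowlist
    "value": str(UINT256_MAX),              # unlimited
    "nonce": 0,
    "deadline": NOW + 10 * 365 * 86400,     # ten years
})
DAI_STYLE = typed_data({
    "holder": "0x" + "11" * 20,
    "spender": "0x" + "ba" * 20,
    "nonce": 0,
    "expiry": NOW + 10 * 365 * 86400,
    "allowed": True,
})
BENIGN = typed_data({
    "owner": "0x" + "11" * 20,
    "spender": "0x" + "aa" * 20,            # a contract the user meant to approve
    "value": str(10**18),                   # one token
    "nonce": 0,
    "deadline": NOW + 600,                  # ten minutes
})

if __name__ == "__main__":
    for label, payload in [("malicious", MALICIOUS), ("dai-style", DAI_STYLE), ("benign", BENIGN)]:
        print(label, inspect_permit(payload, now=NOW) or ["ok"])
```

A permit request is the one place where "I only signed a message, I never sent a transaction" is exactly the attack, so the spender check matters more than the other two: a legitimate dapp may well ask for an unlimited allowance, but it asks for it on behalf of a known router or vault contract, not a fresh EOA.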

Fatfee.eth & PinkDrainer 4

In this case a Twitter user reported being scammed and points to fatfee.eth [0x7C9EB6dF2349820D27D69805193d7806A7689ade]:

https://x.com/HWX91/status/1785392282935419008
https://etherscan.io/tx/0x318c47c0b6ad0f92554e7eebbf957d414e0555b3134c350d4cff72a770c31e7c

We can see that the funds went to PinkDrainer-related wallets and to fatfee.eth.

These cases are evidence of Fatfee’s connection with PinkDrainer, given the high volume of transactions during specific periods, as evidenced by the wallet itself.

It is likely that Fatfee.eth is not the person behind PinkDrainer, but their participation in this organization is undeniable given the volume of transactions and the phishing-labeled wallets that flood their wallet. Additionally, their flow of money sometimes mimics the flow of these phishing-related wallets: Fatfee sends money to specific wallets that PinkDrainer, and even wallets related to other drainers, also send money to.

Part 3: Who is fatfee.eth? 0x7c9eb6df2349820d27d69805193d7806a7689ade

Etherscan fatfee.eth

Its on-chain activity caught our attention because its position in the flow of money is very close to CEXs and to wallets that move large amounts of money.

The same 0x address appears in a GitHub repository owned by him:

https://github.com/FatBeeBHW/Twitter-Account-Checker/blob/main/README.md

The repository belongs to FatBee: https://github.com/FatBeeBHW

FatBee

In his GitHub profile he added his Telegram: https://t.me/fatbeebhw

Fatbee Telegram channels

He also claims the project “beeproxies.com” on GitHub:

Telegram channel where he claims this GitHub project

The account https://t.me/twittercrack sells a Twitter cracker:

Some comments from users, forwarded in the channel, after using Twitter Cracker:

The channel https://t.me/beeproxies

sells proxy services advertised as great for: “spamming, cracking, checking, account generation”

The channel https://t.me/twitterfunhouse

is a marketplace for illegal, cracked and stolen accounts/assets:

The channel https://t.me/fatfees offers his services as an MM

Middleman

MM: a middleman who guarantees a smooth trade between two parties:

Taking into account these services like MM, and the flow of money coming from PinkDrainer, we could see that these transactions are not recorded in this Telegram channel. Thus, the funds coming from Fake_phishing wallets are not related to his services as an MM.

Searching FatBeeBHW:

There is a user with the same handle and image at https://www.blackhatworld.com/members/fatbee.859262/

FatBee

We can see it is the same user, and he links his account with Beeproxies.com, reaffirming it.

This post also confirms that his Telegram is @fatbeebhw:

https://www.blackhatworld.com/seo/watch-out-when-adding-me-on-telegram-someone-tryna-impersonate-me.1295622/ : he states that the @fatbeebhw Telegram is owned by him

BHW stands for Black Hat World, and it also matches his Telegram handle.

The one from Black Hat World

In his first post on Black Hat World in 2015 (which was modified by a moderator):

https://www.blackhatworld.com/seo/hi.751746/

The replies from other forum members show that his name is Alek, and another user mentions Macedonia. The moderator’s modification of the post probably hid his name and his country.

Replies to his first post mentioning Alek and Macedonia

Alek asks whether there are any people from Macedonia on the forum:

https://www.blackhatworld.com/seo/any-macedonians-around.756935/

In another post from 2015 he signs off using Alek as his name:

https://www.blackhatworld.com/seo/fresh-start-news-web-vs-small-niche-websites-need-suggestion-starting-from-the-ground.751779/

Another post using Alek as his name:

There are also more recent posts about Discord spam, crypto, proxies and other threads related to his knowledge and the services he offers:

Asking questions about proxies in 2021

https://www.blackhatworld.com/seo/looking-for-proxy-providers-you-think-you-the-one.1355313/

One post caught my attention because it reveals more personal information about him:

Post on BHW

In that post from 2019 he offers web development solutions and more:

Digital Present

In the same thread he shares some of the work he did at the company:

Content shared is also linked to the website

The same content appears on the website of the company Digital Present, on the same date he was posting about it:

This case study was a job for KFC in Macedonia (https://kfc-mk.com/) in 2018:

https://digitalpresent.io/work/

In the same post he adds a flyer of the company “Digital Present” and contact information:

https://www.blackhatworld.com/seo/digitalpresent-io-complete-digital-solution-web-development-graphic-design-app-development.1140500/

Some information in this post:

https://digitalpresent.io/work
https://digitalpresent.io
https://www.behance.net/digitalpresent

The forum admin posted about his work, meaning this is a real person providing real services:

Checking the website, we can confirm it is a legitimate company operating since 2015.

Updated information [6 June 2024]

As I previously mentioned:

“And there was a guy called Alek Angelov who worked there in 2019”.

Alek Angelov worked at Digital Present but is not related to FatBee or fatfee.eth.

Alek Angelov worked at Digital Present

However, there is another “Alek” who worked at Digital Present at the same time, whose full name is Aleksandar Mihailovski.

He worked as an SEO at Digital Present for 4 months, covering the dates the posts were made on the BHW forum (he has since deleted his job experience at Digital Present from his LinkedIn).

https://mk.linkedin.com/in/alekxyz
Aleksandar Mihailovski

On a website called Tech Behemoths he left a review of Digital Present while he was working there: July 2019 – Oct 2019

Aleksandar Mihailovski
https://techbehemoths.com/company/digital-present-digital-agency

Since two people with a “similar” name worked there at the time the posts were made on BHW, some posts confirm that the real “Alek” behind the FatBee profile and Fatfee.eth is Aleksandar Mihailovski, and not Alek Angelov as I previously reported.

Using the short version of his name, [Alek]sandar published 3 posts on BHW that caught our attention for once again sharing a high degree of personal detail.

In the next post he says that “Working as a SEO and Marketing Consultant its just fun”:

https://www.blackhatworld.com/seo/9-to-5-and-working-after-that-helpz.1150194/

At the time this post was made, Aleksandar Mihailovski was working as an SEO at Digital Present. It matches both his job role and his time there.

In the next post, from June 2020, there is more personal information detailing collaboration with other people on developing things together:

https://www.blackhatworld.com/seo/journey-early-july-goals-launching-a-saas-product.1243693/

I will go through this post to explain in detail how he worked in cooperation with other people:

“3 years have passed, and last year we end up in a same Company, he as a developer me as Social Media Manager and Lead SEO on 2 projects for the company”.

(from the same post)

When fatbee said “he as a developer”, he meant Dejan Božinoski. They worked together in July 2019:

LinkedIn: https://www.linkedin.com/in/deko96/
Dejan Božinoski: Experience
Dejan Božinoski worked at Digital Present

“me as Social Media Manager and Lead SEO (Search engine optimization)” matches his job description and the same period (he only worked 4 months at the company):

Aleksandar deleted the Digital Present job from his LinkedIn

The next line of the same post gives more information about this project with Dejan Božinoski and how he taught him:

https://www.blackhatworld.com/seo/journey-early-july-goals-launching-a-saas-product.1243693/

“First, ContentBear.co was born in an attempt of his to teach me Node.js basics (you have no clue how simple it is in the background, but it’s doing its job effectively)”

This means Dejan Božinoski developed contentbear.co to teach Aleksandar Mihailovski Node.js basics.

He repeated the same story in another post; a user brought it back up, but the main post was deleted. However, the replies show the same story:

https://www.blackhatworld.com/seo/free-free-unlimited-unique-content.1143808/page-6

Dejan Božinoski has already deleted this information from his profile:

Dejan Božinoski LinkedIn

However, using the Wayback Machine we can confirm the site was developed by him:

https://web.archive.org/web/20200109084543/https://contentbear.co/

Clicking on DB (Dejan Božinoski) displays a link to the Deko96 GitHub (Dejan Božinoski).

Clicking on fatBee or ILearnSEO links to Black Hat World.

ILearnSEO is FatBee on BHW (he probably changed his name between July 2019 and September 2019).

He also shared his contact information under the ILearnSEO name, including his Skype:

Contact information fatbee used in 2020

“Contact me on Skype: https://join.skype.com/invite/BX0OlopP5lu3
Contact me via BHW Private Message.”

ILearnSEO was his old name.

The main reason for changing his name, as he mentioned, was that “He has to edit the landing page of ContentBear”:

https://www.blackhatworld.com/seo/free-free-unlimited-unique-content.1143808/page-5

This means both of them created Contentbear.co, and it also matches the information he gave in the post titled “Launching a SaaS product”.

We know Fatfee and FatBee are Aleksandar Mihailovski, and the website Contentbear.co was developed by Dejan Božinoski in an attempt to teach Aleksandar Node.js.

Regarding the Digital Present post on the BHW forum made by fatBee: it was made on July 19, 2019, the same month Aleksandar Mihailovski joined Digital Present.

https://www.blackhatworld.com/seo/digitalpresent-io-complete-digital-solution-web-development-graphic-design-app-development.1140500/

The contact information in this post links directly to the official Digital Present channels of the company where both worked.

However, it could not have been Dejan Božinoski who made this post, since he had already left Digital Present: he left the same month Aleksandar joined, July 2019.

In the same thread the next month (August), the service is still on offer and the contact information is still the official one, as seen here. Since he was sharing the official contact information of the company, the only logical explanation is that it was someone STILL working at Digital Present.

Same post showing the official contact information: https://www.blackhatworld.com/seo/digitalpresent-io-complete-digital-solution-web-development-graphic-design-app-development.1140500/

In October 2019 a user shared his thoughts on the work, and FatBee liked the post:

Same post; a user wants to hire Digital Present

This user later posted in the same thread that he had a great experience with the company and mentioned some people: “Nenad”

This user confirms it was real work done by Digital Present and also mentioned a member of the Digital Present team, “Nenad”, probably referring to Nenad Milevski.

Mentioned by user

Thus, only someone working at Digital Present could have shared the official contact information on Black Hat World. The date the post was made matches the period Aleksandar Mihailovski was working at Digital Present.

To Summarize:

· I made a mistake in pointing to Alek Angelov; Fatfee.eth and the person who posts as FatBee on BHW is NOT Alek Angelov.

· Aleksandar Mihailovski is fatfee.eth and FatBee (formerly ILearnSEO) on the Black Hat World forum.

· Dejan Božinoski developed contentbear.co to teach Aleksandar Mihailovski Node.js basics.

· That is why there are posts on BHW linking to Dejan Božinoski’s GitHub: they worked together on this project.

Since the first investigation was shared, some people in a Telegram group noticed that both of them removed their connection to the contentbear.co project from their LinkedIn profiles.

This was Dejan Božinoski’s LinkedIn some days ago. In his projects we can see a collaboration with Aleksandar Mihailovski:

Dejan Božinoski LinkedIn profile

This was Aleksandar Mihailovski’s LinkedIn some days ago. From his own profile we know that he worked at Digital Present and also worked on the contentbear.co project:

https://mk.linkedin.com/in/alekxyz
Contentbear.co project hidden

He also removed his last name, keeping only the initial: Aleksandar M.

https://mk.linkedin.com/in/alekxyz
https://linkedin.com/in/alekxyz/
Experience deleted

Why would you change your personal information, hide where you worked or what you did in the past?

Since the investigation began, both of them made their LinkedIn profiles private and deleted the contentbear.co project, and Aleksandar Mihailovski deleted his work experience at Digital Present and his full last name.

Aleksandar Mihailovski personal profiles:

The photo used on his LinkedIn and the photo used in the review of Digital Present show the same person:

Photo used in his personal profiles, confirming what he looks like

We also found his Instagram:

https://www.instagram.com/aleko_o/

His personal website: https://alek.xyz/

We also found some personal email addresses and a phone number, which are currently under investigation.

Aleksandar Mihailovski

Part 4: Aleksandar Mihailovski & FatbeeBHW

On May 13, 2024, fatfee.eth / fatbeeBHW / Aleksandar

began making changes to his channels, introducing new rules and even making some of them private. His Telegram changed: the black marketplace and the Twittercrack channel were deleted:

He also updated the channels in his Telegram groups on May 13, stating that no drainer talk is allowed:

https://t.me/twitterfunhouse/8

Likewise, on May 13 he made some groups private, trying to hide most of his activity:

https://t.me/twitterfunhouse

On May 14, Fatbee claimed to be restructuring the Funhouse channel:

https://t.me/twitterfunhouse/1

On May 16, PinkDrainer announced its retirement:

Telegram group

On May 20, the comeback of Inferno Drainer was announced:

Conversation in https://t.me/twitterfunhouse

Timing is key.

Part 5: Aleksandar Mihailovski on-chain relation with PinkDrainer

We found that Fatfee.eth is related to PinkDrainer, and that this same address is published in the GitHub of a user called FatBeeBHW. We know this user, FatBeeBHW, is Aleksandar Mihailovski according to the evidence shown before.

The next graph is a visual representation of the big picture around Aleksandar Mihailovski and his friend Dejan Božinoski, and of how close Aleksandar is to this “Scam as a Service” called PinkDrainer:

Visual representation of the relation between Aleksandar Mihailovski and Dejan Božinoski

The on-chain relations are clear, and the information on who is behind Fatfee.eth also points to this person, Aleksandar Mihailovski (who doxxed himself on the Black Hat World forum).

It is clear that this person somehow helps deliver PinkDrainer through his scheme of illegal services: cracked Twitter accounts, phishing websites, an illegal marketplace and more.

Part 6: Fatfee.eth on-chain relation with PinkDrainer and other ENS names

Given the services fatfee.eth advertises on Telegram and his transaction history, it is highly likely that he knows who he is making deals with. Thus, the phishing-labeled wallets flooding his wallet are not explained by his services as an MM or his proxies.

In the money flow of this group called PinkDrainer, there are ENS wallets that have mostly been found linked to other scams, including other drainers such as Angel and Inferno Drainer.

In this context, there are people who play roles in this structure, directly or indirectly contributing to the commission of cybercrimes. These include those who provide obfuscated hosting services, fake identities, fake or stolen Twitter accounts, and other resources that enable these groups to steal users’ assets.

The following graph represents the wallets and ENS names that have mostly been linked with PinkDrainer, and it even shows money flows to other drainers:

Flow of money in PinkDrainer: https://ibb.co/c6f9zdy

The list of addresses reported as related is here: https://pastebin.com/kRXZXLy1

We can see this flow of money from a different perspective:

https://ibb.co/MNwZVTF

The flow of stolen funds can be interpreted in many ways, but the interconnection between the wallets can be confirmed on-chain.

Part 7: Scam as a Service and illegal marketplaces on Telegram

There is a big industry of illegal products sold on Telegram. Numerous channels sell products that used to be found on dark web marketplaces accessed through Tor.

Most of this irregular activity is now on Telegram, and the part related to cryptocurrency fraud is growing. In these marketplaces we find products that help hide one’s traces on the internet or, more often, bypass security controls.

In these black markets we find plenty related to identity theft: fake passports and IDs, KYC bypass, stolen credit cards, gift cards, phishing websites, and VPNs paid for in crypto:

Example of Telegram channels

There are also more products and services that used to live on the dark web or deep web.

We can also see some of the Telegram channels where different drainers are sold: Ace Drainer, Medusa Drainer, Cerberus Drainer, Pink Drainer:

Some channels selling drainers

Phishing websites usually reuse the original logos and use a misspelled or look-alike domain in their URL. In the next example, this phishing website impersonates https://www.bit-rock.io/:

https://bitrock.fi/staking/?E281-CJ94-XQ3O=eyJjdGltZSI6MTcxMzU3MzM0MywiZXRpbWUiOiIxMjAifQ==

We can confirm this website is a phishing page, and newly reported sites like this one often slip past MetaMask’s security extensions because they are not yet on the blocklists.

Phishing site analyzed
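Two checks a practitioner would run on a URL like the one above, written here as an added Python example (not code from this article): a look-alike test that compares the registrable label of the candidate host with the brand’s label after stripping hyphens and common digit-for-letter substitutions, and a decoder for query parameters that are base64-encoded JSON, which is what the long value in the link above is. The registrable-label logic is a deliberate simplification (no public-suffix list) and the substitution table is an assumption; both are marked in the code. The article’s URL is used only as a string to parse, nothing is fetched.

```python
"""Look-alike domain scoring and tracking-parameter decoding (added example)."""
import base64
import json
from urllib.parse import parse_qsl, urlsplit

# Characters attackers swap for letters in typosquats (assumption; extend as needed).
SUBSTITUTIONS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "-": "", "_": ""})


def registrable_domain(host):
    """Last two labels of a host name. Simplification: no public-suffix list,
    so 'shop.example.co.uk' would wrongly yield 'co.uk'."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def registrable_label(host):
    """The label a user actually reads: 'bit-rock' in 'www.bit-rock.io'."""
    return registrable_domain(host).split(".")[0]


def normalize(label):
    return label.lower().translate(SUBSTITUTIONS)


def levenshtein(a, b):
    """Classic edit distance, O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_distance(candidate_host, brand_host):
    return levenshtein(normalize(registrable_label(candidate_host)),
                       normalize(registrable_label(brand_host)))


def is_lookalike(candidate_host, brand_host, max_distance=1):
    """True when the hosts belong to different registrable domains but their
    normalized labels are within `max_distance` edits (bitrock.fi vs bit-rock.io).
    Subdomains of the brand itself are not look-alikes."""
    if registrable_domain(candidate_host) == registrable_domain(brand_host):
        return False
    return lookalike_distance(candidate_host, brand_host) <= max_distance


def decode_tracking_params(url):
    """Return {param: decoded JSON} for query values that are base64-encoded JSON."""
    decoded = {}
    for key, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        padded = value + "=" * (-len(value) % 4)
        try:
            decoded[key] = json.loads(base64.b64decode(padded, validate=True))
        except ValueError:        # binascii.Error and JSONDecodeError are ValueErrors
            continue              # not base64, or not JSON: leave it alone
    return decoded


# The URL quoted in the article, used here only as a string to parse.
SAMPLE_URL = ("https://bitrock.fi/staking/?E281-CJ94-XQ3O="
              "eyJjdGltZSI6MTcxMzU3MzM0MywiZXRpbWUiOiIxMjAifQ==")

if __name__ == "__main__":
    host = urlsplit(SAMPLE_URL).hostname
    print(host, "look-alike of bit-rock.io:", is_lookalike(host, "www.bit-rock.io"))
    print(decode_tracking_params(SAMPLE_URL))
```

The decoded parameter is a small JSON object with a ctime (a Unix timestamp) and an etime value; treating such opaque query strings as decodable data rather than noise is worth the habit, since a per-link token is often the first thing that ties a phishing page to the kit that generated it.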

Part 8: Conclusion

We can conclude that there is a relationship between PinkDrainer and fatfee.eth, according to on-chain activity.

  • It was verified that Fatfee.eth and FatBeeBHW are the same person.
  • I did a mistake in pointing at first to Alek Angelov since his work in Digital Group matched in many ways with the “Alek” who was posting in Black Hat World.

The “Alek” posting in Black Hat World is Aleksandar Mihailovski not Alek Angelov.

  • It was demonstrated that Aleksandar Mihailovski doxxed himself in many posts he made on the Black Hat World forum, even though a moderator deleted part of his personal information.
  • The post where he shares personal information about his SEO role and his friend’s role in the company is very detailed and matches his employment dates and role. It also matches his friend’s role, time at the company and project cooperation on contentbear.
  • It was demonstrated that the project Contentbear.co was born out of an attempt by Dejan Božinoski to teach Aleksandar Mihailovski Node.js basics, as he previously mentioned in his own post.
  • The post made on Black Hat World advertising Digital Present could only have been written by someone working there at the time, since the information in the post came from their official channels. Aleksandar joined Digital Present in July 2019, the same month the post was made (Jul 18, 2019); Dejan Božinoski left the same month.
  • Aleksandar Mihailovski and Dejan Božinoski still share a project on LinkedIn for KIA Motors Macedonia.
  • Aleksandar Mihailovski and his friend Dejan Božinoski deleted their project contentbear.co from their LinkedIn profiles.
  • Aleksandar Mihailovski deleted his job experience at Digital Present from LinkedIn and changed his last name to the initial M.
  • Aleksandar Mihailovski’s last job experience was at Monks Agency, which he left in September 2023. The activity of the wallet Fatfee.eth began in November 2023.
  • Aleksandar Mihailovski registered fatfeemiddleman.eth on May 27 and set it as his main ENS address.
  • Fatfee.eth and FatbeeBHW are the same person, and the individual behind these aliases is Aleksandar Mihailovski.
  • fatfee.eth uses Paribu, a Turkish exchange.
  • Fatfee.eth has received approximately 50 ETH from Fake_Phishing-labeled addresses alone. The flow of money is larger when we analyze other related wallets.
  • The on-chain activities of PinkDrainer and fatfee link them together, as there has been a consistent flow of money between them over the past two months.
  • Fatfee.eth, or Aleksandar Mihailovski, has a strong connection to this organization, considering the flow of money sent to and received from these wallets labeled as phishing.
  • As mentioned before, any member who directly or indirectly cooperates in facilitating this type of illicit activity is an accomplice to a crime.
  • In this case, a person who shows a strong connection with PinkDrainer, whether by providing services or otherwise facilitating its illegal activity, is an accomplice. Therefore, by identifying some collaborators, we can make progress in obtaining more evidence to identify those behind this drainer (PinkDrainer).
  • The industry known as “scam as a service” using “Drainers” represents a significant threat, as it is an attractive and easily controllable model for those who sell it.
  • This industry of criminal organizations focused on cryptocurrency theft is aided by a black market that enables identity theft, the purchase of legitimate accounts, and the bypassing of security controls such as KYC at the majority of centralized exchanges.
  • Will Aleksandar be able to contribute to the Web3 community and provide evidence of who is behind PinkDrainer?
  • What other projects do Aleksandar Mihailovski and Dejan Božinoski have?

Addresses mentioned in this investigation:


Transaction inflow from labeled wallets to fatfee.eth: approximately 50 ETH in 30 transactions: https://pastebin.com/b8ZibSK7

Heiner
Coinmonks

Cyber Threat Intelligence | Web3 | blockchain intelligence