Removing the mask from the July attacker (part 1)

Maksim Malikov
Published in pieLABS
Nov 29, 2021

The attack on DeFiPIE in July 2021 was carried out from 2 different addresses:

  1. 0xf6f43f77ef9e561dcb2997d8e7ec1d685b6c0fe1 (on the Ethereum and BSC networks)
  2. 0xce1f4b4f17224ec6df16eeb1e3e5321c54ff6ede (on Polygon)

We managed to establish the identity behind the second address.

So far, we have not been able to find a relationship between these addresses. The second address attacked DeFiPIE some time after the first, so for now we are working on the assumption that the second attacker carried out a copycat attack.

The second attacker was able to withdraw 2.2 million PIE from the protocol on the Polygon network.

https://polygonscan.com/tx/0x80ba7f8a84d360da0b09f15912296ec21e0d47e1ceac495e1a04f6f10e8b88c5

Now let’s move on to the investigation.

If we look up this address on Blockscan ( https://blockscan.com/address/0xce1f4b4f17224ec6df16eeb1e3e5321c54ff6ede ), we see that it was active on 7 different networks, including the Kovan testnet: https://kovan.etherscan.io/address/0xce1f4b4f17224ec6df16eeb1e3e5321c54ff6ede

After reviewing all transactions, we found that this address received test ETH through the Kovan Faucet.

Go to the Kovan Faucet room at https://gitter.im/kovan-testnet/faucet, enter this address into the search, and you will see his request for ETH:

Here is a screenshot of his profile on Gitter:

After we tried to contact him, he deleted his profiles, website and everything else. But even now it remains possible to trace the entire chain linking the address and the identity.

Judging by his avatar (URL of his avatar: https://avatars0.githubusercontent.com/HiramWHL?v=4&s=30), we see that this user registered via GitHub and that his account name is “Hiramwhl”.

Go to his GitHub account: https://github.com/HiramWHL

Look at the saved version in the web archive: https://web.archive.org/web/*/https://github.com/HiramWHL*

We find a link leading to the main page of some repository, for example: https://web.archive.org/web/20210124205655/https://github.com/HiramWHL/CCHESS

We see in the “About” block a link to his personal website: https://hiram.wang/

Let’s look at the site in the web archive: https://web.archive.org/web/20200919045455/https://hiram.wang/

Here we also see a link to his GitHub account: https://github.com/HiramWHL and his email: hiram@wanghailin.cn

There was also an article on his website dedicated to the investigation of the attack on DeFiPIE: https://hiram.wang/defipie-flashloan-attack/ . Unfortunately, the web archive has not indexed it.

We wrote to this email address and offered him the chance to return the stolen funds, but we did not receive a response. Instead, this hacker started deleting information about himself on the Internet: his blog, which he has been running since 2013, and his GitHub and Gitter accounts. This action meant only one thing: that he received our letter and did not intend to return the money.

We look at what is on the domain wanghailin.cn and see that there is a redirect to hiram.wang.

Let’s see who the domain of his email address, wanghailin.cn, is registered to: https://icp.365jz.com/wanghailin.cn/

And so, based on the available data, we get the following information:

  • Full name: Hiram Wang Hailin
  • Location: Chengdu, China

Moving on.

In the archive of his website we find a QR code leading to his WeChat profile.

We open the profile; it also contains a link to his blog, thus confirming that this is the account of the owner of the site https://hiram.wang/

Hiram keeps an archive of his personal photos here in his WeChat profile:

We are now investigating and trying to identify the person hiding behind the first address (0xf6f43f77ef9e561dcb2997d8e7ec1d685b6c0fe1). Perhaps we will soon publish the second part of our investigation. We are also ready to pay you for assistance in identifying this person.

If you have any information that will help us in identifying this attacker, please contact us by mail: contact@defipie.com
