Ongoing Investigation: Exit Scammers Attempting to Cash Stolen Tokens

Author: Nobel Tan, Head of Security Operations, Sentinel Protocol

In a span of 7 days, the crypto community has been affected by two major incidents involving crypto exchanges.

On November 7, a reputable crypto exchange, Gate io, reported[1] that their website had been compromised. Their website’s Javascript code, provided by a third party web analytic service provider, StatCounter, has been hacked. We have already determined that this is a Supply Chain Attack and Cross-Site Scripting (XSS) attack.

The attacker inserted malicious code specifically designed to steal cryptocurrencies from victims performing transactions on affected exchanges. At the time of the incident, there were close to 700,000 websites suspected to have been using StatCounter analytic services. However, as per the ESET initial analysis[2] of the malicious code, it was only affecting the Gate.io exchange services. The total amount of damages could not be ascertained due to the fact that this malicious code provided different receiving wallet addresses targeting each individual victim.

Just a couple of days later, a South Korean ICO, Pure Bit, was reported[3] to have pulled an exit scam on its private sale investors, mostly from the Korean community. The ICO raised an amount exceeding 13,678 ETH, worth approximately $2.8 million USD. They had promoted themselves as a new crypto exchange promising returns as high as 90%.

The ICO was proven a scam when the Pure Bit community managers began banning users from their official communication channel on Kakao, before they shut it down along with their website. The identity of the Pure Bit team members remains a mystery at this point.

What went wrong with Pure Bit? As we retraced their actions, we spotted red flags.

1. Their ICO had already been banned in South Korea[4], but Pure Bit still indicated that their company registration is within South Korea using a fake business registration number. According to the website, their business registration number is 220–88–91836.

Figure 1

2. No details on any of their team members have been found. Pure Bit did not reveal any details about their team, or any possible partnerships or investors. They only mentioned the name of their CEO, “HWANG, JUNG SIK”.

3. Their project contained no security assurances. Pure Bit was trying to collect funds from investors in the shortest time frame possible, so they made no attempt to collect any form of KYC information to validate the identity of each investor. They also did not use a smart contract to audit their transactions for distributing their tokens at later stage.

4. At first glance, it appears they spent effort in developing their website. However, in fact, they had merely copied a theme — https://codex-themes.com/thegem/gem-cryptocoin/. The original operative website can be viewed at Archive.Org[5] for comparison.

5. According to their WHOIS records, their domain name was setup only 7 days prior to the initial pre-sale ICO. In normal circumstances, any start up would have locked down their company branding well before their presale or ICO date.

Once the news broke, the Uppsala Operations Team jumped straight into an investigation. We blacklisted the compromised wallet addresses in the Sentinel Protocol Threat Reputation Database (TRDB). This information is accessible in real time, and available to all users of the UPPward Chrome/Firefox Extension, as well as the exchanges using our latest solution, ICF API (Interactive Cooperation Framework API).[6]

Where is the money now?

Pure Bit indicated that the wallet address used to receive the investors’ funds on the web page as 0x7DF1BD58e8Fd49803E43987787adFecB4A0A086C.

As the Uppsala Operations Team tracked the movement of funds, we noticed that the tokens transferred to this address are now being cashed out through various exchanges such as Upbit, BlockTrades, and Cashierest.

Below is the flow of money constructed using our partner’s analytic tool, Bloxy.info.

Figure 2: Transaction analysis conducted for Case ID 80412, 80430 and 80433 which resides in TRDB.

As shown below in Figure 2, this is a detailed overview of where the 13,678 ETH is being held now. We noticed that 32.117 ETH had been traded through an exchange named Cashierest. We have confirmation that “0x72bcfa6932feacd91cb2ea44b0731ed8ae04d0d3” is a wallet address belonging to the Cashierest exchange. Their policy allows for email authentication together with simply just a mobile number. With an authenticated account, any member could deposit unlimited tokens and withdraw up to a daily maximum of 30 million Korean won. This policy seemed to suit the suspects as it allowed them to liquidate the stolen tokens easily. However, the team believes the scammers have decided to use other exchanges due to Cashierest’s low daily volume (or demand) for ETH.

Based on reports by blockinpress[7], this exit scam has thus far identified a wallet address “0x007174732705604bbbf77038332dc52fd5a5000c” belonging to US-based crypto exchange, Poloniex. However, per our detailed investigation and in contrast to other analysts, we have confirmation that “0x007174732705604bbbf77038332dc52fd5a5000c” is a wallet address that belongs to a decentralized exchange (DEX) called BlockTrades. BlockTrades is registered in the Cayman Islands, a British Overseas Territory.

As shown in Figure 3, we completed a small transaction to validate our findings using the BlockTrades exchange service and the destination wallet address correlated to the scammers’ flow of money.

Figure 3

After the crypto community pointed out that the scammers has transferred 750 ETH to an UpBit wallet, the exchange suspended withdrawal of the wallet address[8].

The Uppsala Operations Team strongly believed that the scammers then selected BlockTrades to switch their coins as there are no KYC requirements on the platform. Also, the hotwallets of BlockTrades has not been identified until now, which grants the scammers additional time to wash their funds on BlockTrades , as well as, slow down the subsequent analysis of the money flow. There is also a number of trading options with sufficient liquidity and anonymity coins such as Monero and Dash on BlockTrades to allow the scammers to wash their funds.

Figures 4, 5 and 6

At the time of writing, we have identified that the scammers have washed a total of 697.6ETH through BlockTrades on 3 separate wallet addresses. Each deposit wallet associated with BlockTrades is likely used for a different coin or destination wallet address. There is a possibility that the Pure Bit scammers have had to split the trades into different transactions as the conversion amounts allowed by BlockTrades depends on liquidity. This gave us the opportunity to notify the exchanges to attempt halting these transactions using our Interactive Cooperative Framework API (ICF API).

Our attempts to reach BlockTrade have so far been unanswered. However, there is a silver lining as the BlockTrades Terms and Conditions states that they would comply with law enforcement requests for information about the trades. We hope that BlockTrades would work closely with the law enforcement to protect the crypto community.

“3. Your trades are NOT Private (Privacy Statement):

  • When you choose to trade on any BlockTrades site, you are trading directly with BlockTrades International Ltd., a Cayman Islands company. We collect all relevant information and comply with all law enforcement requests and all legal requests.
  • All trades are performed on public blockchains and should be considered public transactions. Transactions to and from BlockTrades are public and easily correlated. Law enforcement has full access to blockchain information that goes in or out of BlockTrades’ system.”

Between November 9 and November 12 , the transactions from the Pure Bit scammers amounted to 88% (697.6ETH/794.63ETH) of the total number of transactions in ETH on BlockTrades. This was an increase of 1300% from the preceding 3 days of ETH traded (57.456ETH) on BlockTrade, indicating that there is a limited amount of transactions on BlockTrades before the Pure-bit scammers began using BlockTrades to wash their stolen funds.

The number of ETH transactions did not significantly increase between November 6–8 and November 9–12. In the November 6–8 period, there were 140 transactions. On November 9–12, there were 178 transactions.

The team has also questioned whether the scammers’ intention was to swap the ETH tokens using BlockTrades into other tokens such as Steem (STEEM), Monero (XMR), or LiteCoin (LTC) as these tokens have higher transaction volumes in BlockTrades.

However, if the Steem tokens were the intended swap, due to the strong cognizance in the Asian community, we were led to conclude that the scammers may trying to liquate the token in one of those countries. The Uppsala Operations team is still monitoring on the flow of money to further confirm the investigation.

Since Centralized Exchanges are regulated in most countries like Japan, Korea, and the United States, scammers will likely struggle to liquidate stolen tokens. As it seems, scammers are opting for decentralized exchanges with high volume in an attempt to cash out to their intended fiat currency.

The Uppsala Operations Team has since notified the affected partner crypto exchanges about the wallet addresses involved in this incident. Partners or exchanges who have implemented the ICF API will be notified in real time when malicious wallet addresses trade or sell crypto funds using their platforms. Meanwhile, users can stay safe by downloading the complimentary UPPward Chrome/Firefox Extension by Sentinel Protocol (https://uppward.sentinelprotocol.io/ or https://addons.mozilla.org/en-US/firefox/addon/uppward-by-sentinel-protocol/), to verify if wallet addresses are legit before transactions. Users can also report hacks, scam and fraud by using the “Report now” feature on the extension.

We hope to prevent the stolen tokens from being liquidated and to provide information on suspects involved with stealing cryptocurrencies to investigations conducted by the authorities.

[1] https://www.zdnet.com/article/hackers-breach-statcounter-to-hijack-bitcoin-transactions-on-gate-io-exchange/

[2] https://www.welivesecurity.com/2018/11/06/supply-chain-attack-cryptocurrency-exchange-gate-io/

[3] https://bitcoinmagazine.com/articles/fraudulent-south-korean-exchange-pure-bit-nabs-28m-ico-exit-scam/

[4] https://www.ccn.com/south-korea-remains-firm-on-ico-ban-despite-calls-for-legality-for-now/

[5] https://web.archive.org/web/20181108125211/https:/pure-bit.com/

[6] https://medium.com/sentinel-protocol/sentinel-protocol-launches-the-interactive-cooperation-framework-api-d75e12a3ca9a

[7] https://blockinpress.com/archives/10404

[8] https://www.upbit.com/service_center/notice?id=618.