Sentinel Protocol
Published in

Sentinel Protocol

Operation Cook: Massive Crypto Giveaway Campaign Impersonating Trust Wallet

By: Athul Harilal (Security Researcher) and Nobel Tan (Head of Engineering & Product)

In this article, we unravel the operations of the alleged threat actor group behind a large scale Crypto Giveaway campaign impersonating . According to our investigation, we found the threat actors using 3 techniques to conduct their operation and they have been active since June 2020. We have found evidence hinting at laundering of funds through the Waves blockchain. Our intuition tells us that the threat actors could be of Indonesian origin due to the numerous Bahasa Indonesian words found during the analysis. We have shared the entire list of IOCs for interested individuals .

Modus Operandi

During our investigation, we found 3 major techniques used by the threat actor group to conduct fake giveaways. We summarize the modus operandi of these techniques below.

Technique 1

Fig 1. Fake giveaway response of Technique 1

Using this technique, the threat actor group lures the victims to a fake giveaway page such as app[.]trustwallet[.]rewards-erc20-airdrop[.]monster, whose response is illustrated in Figure 1. The victim is asked to enter their backup phrase in order to claim the tokens, which allows the threat actor to create a copy of the victim’s wallet and drain their funds.

Fig 2. HTML code block of Technique 1 Giveaway Form

The analysis of the html code block revealed that the victim’s backup phrase was being posted to a php application hosted within the same domain as the fake giveaway page. However, we also found instances where the backup phrase was sent to a domain different from the fake giveaway domain, that could be created specifically for accepting backup phrases as shown in Table 1.

Table 1. Dedicated Domains for accepting Victim Backup phrases
Fig 3.a & Fig 3.b (Code Block of & Code Block of Giveaway Page)

We also observed a striking resemblance of the giveaway page with that of the decentralized exchange platform waves[.]exchange¹. Waves is a blockchain platform founded in 2016 which enables the creation of custom tokens that can be easily traded within their built in decentralized exchange (DEX) waves[.]exchange². operates with coinomat[.]com gateway to introduce fiat cash into the Waves blockchain³. It operates as an instant exchange by interfacing with other centralized exchanges. Unlike centralized exchanges, Coinomat does not ask users for KYC⁴ information for crypto to fiat or vice versa conversion, and provides fast service. This appears to be lucrative to malicious actors.

Coming back to the striking resemblance, Fig 3 shows the variable WavesApp used by both and the giveaway page that contains configuration data such as ‘coinomat’ used for exchanging tokens to fiat, and state space information such as ‘state’ that represents the current state of WavesApp.

Fig 4.a CSS files of
Fig 4.b CSS files of fake giveaway sites

We also observe similarities between the UI of and the Giveaway page due to similar css files loaded as shown in Figure 4.

From the following, we can deduce that malicious actors could be laundering their funds through the Waves platform using and coinomat exchange for conversion to fiat or vice versa.

Technique 2

Fig 5. Fake giveaway response of Technique 2

Using this technique, the malicious actors create a similar web page as the original Trust Wallet site, with an inclusion of the giveaway code block to claim crypto tokens. Figure 5 shows the response of one such giveaway site claimbnb[.]fun.

Fig 6. HTML block of button CLAIM PRIZE

The html code block for claiming the giveaway tokens redirects the page to claim[.]html as shown in Fig 6, whose response is equivalent to the giveaway page response introduced in technique 1, running code base of in the background.

Fig 7. Redirection links to fake giveaway page

While most of the giveaway urls rendered a response shown in Fig 5, we also found some urls that served merely as a redirection to the giveaway landing page as shown in Fig 7. Table 2 lists a few landing pages we found, leveraging on hosting providers prohoster⁵ and 000webhostapp⁶.

Table 2. Giveaway landing pages for Technique 2

Finally, analyzing the list of urls utilizing this technique, we found the majority of the giveaways using Binance Coin (BNB)⁷, followed by Stellar (XLM)⁸ and Ethereum (ETH)⁹.

Technique 3

Fig 8. Response of Technique 3

Using this technique, the malicious actors have gone one step further from technique 2 by creating a similar page as the original Trust Wallet with very subtle differences. Upon inspection of the url alltrustedwallet[.]com, we found additional download links of Trust Wallet in comparison to the original Trust Wallet site as shown in Fig 8. The original Trust Wallet site does not have links for macOS and Windows.

Fig 9. HTML Code block of Trust Wallet download links in Technique 3

Analysis of html code block revealed that the giveaway page hosted malicious versions of the Trust Wallet application for android, macOS and windows, shown in Fig 9. However, malicious actors hosted these applications only for a short duration of time. identified the android version of Trust Wallet as malicious. We also found an article briefly summarizing the execution of TrustedWallet.apk¹⁰. However macOS and Windows version of impersonated Trust Wallet are still unknown.

Timeline of Malicious Actor Activity

Fig 10. Timeline of Malicious Actors across different techniques

We have summarized the activity of the threat actors in Figure 10 by mapping the number of giveaway URLs created for each technique, across the duration of their operation until the writing of this article.

We observe that the threat actor has been active since June 2020 using only the technique 1 based URLs in the beginning, while URLs related to techniques 2 and 3 were only observed since October 2020. In the first quarter of their operation, their activity peaked in July with 23 active URLs. However in the second quarter, they reached a new peak in October with 29, 126 and 1 active URLs across the 3 techniques respectively. We could only find 1 URL belonging to Technique 3 as of the writing of this article.

While most of the ip addresses that resolved to the giveaway URLs were short lived spanning only a few days, ip addresses and were fairly long lived spanning more than 3 months.


Fig 11. HTTP response of threat actor domain

This operation is termed as Operation Cook because one of the domains of the threat actor returned the http response shown in Fig 11, which is derogatory in Bahasa Indonesian. This was our first clue regarding the origin of the threat actors. Later, we also found a number of other Bahasa Indonesian words upon analyzing the web files, such as (kata mutiara : ‘words of wisdom’, babi: ‘pig’, bakup: ‘backup’, pantek: ‘abstinence’). These factors contributed to our understanding of the threat actor origin.

Uppsala Security is headquartered in Singapore and has branch offices in Seoul, South Korea and Tokyo, Japan. Follow Uppsala Security on , , , and .

[1] “Waves.Exchange.” . Accessed 16 Nov. 2020.

[2] “What is Waves? (WAVES) | Kraken.” . Accessed 17 Nov. 2020.

[3] “Coinomat — Exchange service for Waves Blockchain ….” . Accessed 17 Nov. 2020.

[4] “Latest News on KYC | Cointelegraph.” . Accessed 17 Nov. 2020.

[5] “ProHoster: 🥇 Купить надежный хостинг для сайтов с ….” . Accessed 16 Nov. 2020.

[6] “000WebHost.” . Accessed 16 Nov. 2020.

[7] “Use BNB | Binance.” . Accessed 16 Nov. 2020.

[8] “Lumens — Stellar.” . Accessed 16 Nov. 2020.

[9] “Home |” . Accessed 16 Nov. 2020.

[10] “Android Quickie: TrustedWallet Impersonation — Tilden Swans ….” 10 Nov. 2020, . Accessed 16 Nov. 2020.



Together we can overcome the disadvantages of decentralization by transforming them into an advantage for security.

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Sentinel Protocol Team

Operating on blockchain technology, Sentinel Protocol harnesses collective cyber security intelligence to protect crypto assets against hackers, scams and fraud