The Anatomy Of A Crypto Scam

OSINT Stan
11 min read · Nov 25, 2021

The cryptography behind Bitcoin, Ethereum, and other coins may be solid, yet crypto scammers have flourished. This post will explore the cryptocurrency threat landscape and how I became a victim myself.

Note: This is an ongoing situation unfolding in real time. This post may be updated frequently with further information as needed.

Note 2: If you prefer YouTube to long-read blog posts, CryptoNutrition made a video about his experience.

Setting The Stage

The way crypto is discussed in media these days, you could be forgiven for thinking that it has been embraced by the mainstream. In fact, although it’s hard to fully trust the estimates on this, only about 1 in 10 Americans are believed to own crypto, and, worldwide, about 100 million people.

That being said, most people knowledgeable about the technology believe that it is primed for explosive adoption any day now.

Right now all the hype seems to be around NFTs. Something that doesn’t get mentioned in the high-level discussion around NFTs though is the deluge of scam and spam messages you are subjected to when you start signing up for various communities.

In spite of people trying to scam me literally multiple times every day about NFTs, it wasn’t an NFT at all that caused me to finally take the bait. It was the promise of a sweet, juicy, “air drop.”

Getting In Over My Head

Part of the intrigue of cryptocurrency is just how rapidly things are changing. ‘Smart contract’ tech in particular has so many theoretical applications and promises to change modern life in ways that are hard to imagine. There are many applications out there that could be the next big thing that is comparable to buying Bitcoin for $10 in 2010.

On this particular day (which happens to have been today, actually), I was researching ZK-Rollups.

As I understand it, a ZK-Rollup is essentially a way to batch process cryptocurrency transactions in a way that significantly reduces costs (currently transaction costs are the main negative to the smart contract system). There are different, competing, ZK-Rollup organizations that are vying to take the lead as the premier ZK-Rollup.

One obvious way they can do this is by issuing their own ‘token.’ A token is… well, it’s sort of an NFT actually. But it’s an NFT that grants holders voting rights on organizational policies and so on. This type of blockchain-based organization is called a Decentralized Autonomous Organization, or DAO.

While the organization itself will determine who is eligible for the tokens and how they are distributed (i.e. whether they are gifted or sold), it is widely believed that all you have to do to be targeted for an air drop of one of these tokens is open up a wallet on the service and have some minimal funds in it. The air drops are designed to reward the early adopters. It is roughly analogous to being granted stock in an early-stage start-up that you work for.

As I was researching ZK-Rollups, one such organization, zkSync, came up in my research as one that seems highly likely to air drop their token and become a DAO in the very near future.

Mistake #1: Being a little too eager to get my ETH into zkSync.

Although zkSync is legit, I was EXCITED about this chance to get an air drop and eager to get some ETH moved over. Unfortunately it paved the way for a series of mistakes on my part that directly led to the successful scam.

Mistake #2: Multitasking while I was making an important (and complex) financial transaction. I was doing all of this during a brief break from my full time job. Big mistake. I was in a rush to get this done while having work stuff on my mind.

Mistake #3: Not paying close enough attention to a process that I have been through many times.

The Trap

When I first tried to deposit some ETH from my MetaMask wallet to zkSync, it went a little wonky. The transaction seemed to complete and the ETH was deducted from my wallet, but I was not seeing my balance on the zkSync side.

Thinking that was odd, I went searching for their own Discord community, which every website, NFT, and YouTube channel seems to have these days. I found it and started going through the sign-up process which requires a number of steps:

  • Click the invite link
  • Accept the terms
  • Agree to the rules by performing some kind of action
  • Complete a captcha verification

I was doing this part on my phone, which involved being led through this process by a bot. The process is similar for just about every discord server. Some Discord servers may have additional bots sending you welcome messages at the same time and so on.

Mistake #4: I was in a state of confusion and slightly panicked.

I was trying to cut through all the BS and get into the Discord ASAP to see if there was any talk about a system-wide problem. Sure enough, in the “Announcements” channel of the Discord there was an official announcement posted minutes before stating that there was a technical problem with the website and not to worry, everything would shortly be fine. This allayed my fears.

Right at that moment, just when my anxieties had been soothed and I trusted zkSync again, the following message appeared:

I thought that I was still in the Announcements channel, but in reality I had pressed a notification for a DM (I probably looked away for a second or something), and was taken to a private discussion room. This “zkSync Announcements” was an imposter account (NOT the internal discussion channel of the same name), directing people to click a link to an imposter website.

It made sense to me their system would be having issues while they were launching their coveted token. Yes, it was unbelievable luck that it was being launched right at that time I first signed up, but hey, stranger things have happened. To put it another way, the technical glitches I experienced actually reinforced for me that everything was on the up and up.

I think of myself as a skeptic by nature, but given my confused state of mind that I had just come out of (and into a state of relieved euphoria), I was quite literally not in my right mind.

I jumped at the chance to get a piece of the action.

The UX Of The Scam

Honestly, the website was amazing. It matched the zkSync branding perfectly. It was very simple in a way that is not out of line with other Web 3.0 websites that connect to your wallet rather than rely on a login and username:

Note the counter that reads 765/777. When you first land on the website it started at a surprisingly high number like 201 and counted up at a slow pace in large jumps. In other words it went from something like 201 to 333 to 425 and so on. If you were sitting there looking at this page, debating whether or not you want in on this, seeing the numbers jump up like that would have you on the edge of your seat. The end result is that it moved just fast enough to give a false sense of urgency, but not so fast that a person would not be able to connect their wallet and send some ETH.

My first inkling that something was off was when I noticed that the number had frozen on 765, but I had already sent my ETH at that point.

Tracking the Breadcrumbs

Is it possible they left some kind of trail?

We can at least look into the Etherscan data and see what we can learn about the scammer. Etherscan allows us to look at the entire transaction history of the scammer’s address. As of this writing, the wallet contains 39 ETH; roughly $163k. However, they have also been making regular payments out during the day. I would not be surprised if they’ve made $500k off of this scam so far.

As you scroll through this data you can really get the feeling that you are watching more and more ETH being stolen from people live.

The outgoing transactions go through an Aztec.network address that appears to be a crypto tumbler of sorts (mixes up transactions and pays them out at random intervals making them nearly impossible to trace further).
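As an added illustration (not code from the original post), here is how that Etherscan review can be done programmatically over transaction records in the shape Etherscan’s account transaction list returns (from, to, value in wei, timeStamp, isError): total deposits, number of distinct senders, and the share of withdrawals that land on a mixer address, plus the “hours since the last deposit” lull check. The addresses and transactions below are constructed placeholders, and the mixer address list is an assumption the analyst supplies.

```python
WEI_PER_ETH = 10**18

def summarize_flows(txs, wallet, mixer_addrs):
    """Aggregate ETH into and out of `wallet` from Etherscan-style records
    (from, to, value in wei, timeStamp, isError): deposits summed with distinct
    senders counted, withdrawals split by whether they land on a known mixer."""
    wallet = wallet.lower()
    mixers = {a.lower() for a in mixer_addrs}
    inbound = outbound = to_mixer = 0
    senders = set()
    for tx in txs:
        if tx.get("isError", "0") != "0":  # skip failed transactions
            continue
        value = int(tx["value"])
        if tx["to"].lower() == wallet:
            inbound += value
            senders.add(tx["from"].lower())
        elif tx["from"].lower() == wallet:
            outbound += value
            if tx["to"].lower() in mixers:
                to_mixer += value
    return {
        "inbound_wei": inbound,
        "unique_senders": len(senders),
        "outbound_wei": outbound,
        "to_mixer_wei": to_mixer,
        "mixer_share": round(to_mixer / outbound, 4) if outbound else 0.0,
    }

def hours_since_last_inbound(txs, wallet, now_ts):
    """Hours since the newest deposit into `wallet` (None if there is none); a
    multi-hour lull after steady deposits is the signal the post watched for."""
    wallet = wallet.lower()
    stamps = [int(tx["timeStamp"]) for tx in txs if tx["to"].lower() == wallet]
    return None if not stamps else (now_ts - max(stamps)) / 3600

# Constructed sample records with placeholder addresses (not the real wallets).
SCAM = "0x" + "aa" * 20
MIXER = "0x" + "bb" * 20
V1, V2, V3, OTHER = ("0x" + c * 20 for c in ("c1", "c2", "c3", "d4"))
SAMPLE_TXS = [
    {"from": V1, "to": SCAM, "value": str(WEI_PER_ETH // 2), "timeStamp": "1000", "isError": "0"},
    {"from": V2, "to": SCAM, "value": str(2 * WEI_PER_ETH), "timeStamp": "2000", "isError": "0"},
    {"from": SCAM, "to": MIXER, "value": str(WEI_PER_ETH), "timeStamp": "2500", "isError": "0"},
    {"from": V3, "to": SCAM, "value": str(WEI_PER_ETH // 4), "timeStamp": "3000", "isError": "0"},
    {"from": V1, "to": SCAM, "value": str(WEI_PER_ETH // 2), "timeStamp": "4000", "isError": "0"},
    {"from": SCAM, "to": MIXER, "value": str(3 * WEI_PER_ETH // 2), "timeStamp": "4500", "isError": "0"},
    {"from": SCAM, "to": OTHER, "value": str(WEI_PER_ETH // 10), "timeStamp": "4600", "isError": "0"},
]
```

On the constructed sample this reports 3.25 ETH in from three distinct senders and about 96% of withdrawals going to the mixer; on a real record set the same code runs unchanged over the JSON Etherscan returns.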

Next I turned to the website itself. It’s a pretty simple site and it didn’t have any gems like a Google Analytics ID or anything, but it did have one interesting tidbit. Check out the green text below in the source code:

Indeed the ‘fat ape club’ at fatapeclub.io seems legit. However I’m not sure about mint-fatapeclub[.]art. It seems to be a similar fake website, probably for an NFT project that doesn’t really exist. And maybe run by the same scammers.

It is interesting, if not entirely useful, to note the program they used to copy entire websites called HTTrack Website Copier. They used this program to clone the mint-fatapeclub[.]art site and then customize the colors and images to match the zkSync brand.
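As an added example, not code from the post, this Python check looks for the stamp HTTrack leaves at the top of every mirrored page (`<!-- Mirrored from <host> by HTTrack Website Copier/<version> ... -->`) and flags a page whose stamp names a different host than the one serving it, which is exactly the tell that surfaced the second look-alike domain here. The sample HTML and the domain names in it are constructed, not the scam site’s real source.

```python
import re
from typing import Optional

# HTTrack Website Copier stamps each mirrored HTML file with a comment such as
# "<!-- Mirrored from www.example.com/ by HTTrack Website Copier/3.x [XR&CO'2014], <date> -->".
# The host named in that comment is the site the cloner copied from, so a brand
# site whose stamp points at some other domain is very likely a cloned phish.
HTTRACK_RE = re.compile(
    r"<!--\s*Mirrored from\s+(?P<origin>\S+)\s+by\s+HTTrack Website Copier/(?P<version>[\w.\-]+)"
    r"(?:\s*\[[^\]]*\])?\s*,\s*(?P<date>[^>]*?)\s*-->",
    re.IGNORECASE,
)

def find_httrack_fingerprint(html: str) -> Optional[dict]:
    """Return {'origin', 'host', 'version', 'date'} if the page carries an HTTrack stamp, else None."""
    m = HTTRACK_RE.search(html)
    if not m:
        return None
    origin = m.group("origin")
    host = origin.split("/", 1)[0].lower()
    return {"origin": origin, "host": host, "version": m.group("version"), "date": m.group("date").strip()}

def is_cloned_from_elsewhere(html: str, serving_host: str) -> bool:
    """True when the page is an HTTrack mirror of a host other than the one serving it."""
    fp = find_httrack_fingerprint(html)
    return fp is not None and fp["host"] != serving_host.lower()

# Constructed sample page (placeholder domains, not the real scam site's source):
# a wallet-connect page whose HTTrack stamp names a different domain than the one serving it.
SAMPLE_HTML = """<!DOCTYPE html>
<!-- Mirrored from mint-original.example/ by HTTrack Website Copier/3.49-2 [XR&CO'2014], Wed, 24 Nov 2021 14:03:11 GMT -->
<html><head><title>Token Launch</title></head>
<body><button id="connect">Connect Wallet</button></body></html>
"""

if __name__ == "__main__":
    print(find_httrack_fingerprint(SAMPLE_HTML))
    print(is_cloned_from_elsewhere(SAMPLE_HTML, "fake-brand.example"))
```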

Finally, I turned to the old standby, ViewDNS.info, to look up information on the domain. I did not expect to get any useful information from it. Lo and behold, I was able to determine the web hosting company.

I reached out to the web host, expecting to either be ignored or threatened, and to my surprise they responded very favorably and promised fast action. It was honestly a very good experience chatting with their Twitter manager about the whole experience. I was notified a couple hours ago that access to the web host has been revoked.

As of right now the website itself still seems to be live, but refreshing Etherscan shows that no more inbound transactions have happened for a few hours (up until now they were happening multiple times per hour), and whoever controls the wallet has ramped up efforts to empty the wallet via Aztec.

The web host assures me the incident is being reported to law enforcement, so maybe the website itself is being left as part of that investigation, with the functionality disabled. I will continue to watch the wallet to confirm.

De-Briefing

At the end of all this, here is what we know:

  • Wallet address and list of transactions
  • Crypto tumbler service they use to mask their crimes
  • Web Hosting company name (and have a contact there)
  • A second website the actor may be operating
  • One of the software programs they use

It’s not a lot, and I doubt that it would ever be possible to track down any specific people down, but it was clearly enough to get a positive response from the web host, so we can still say that we have some actionable intelligence.

Looking back on the whole situation, there are really only three clear warning signs I should have seen:

  • Date in the original fake DM (Nov 27th) did not match today’s date (Nov 24)
  • Counter stopped just short of the end of the countdown
  • Original DM came from a counterfeit account/I was in a DM and not in the Announcements channel

It’s honestly pretty scary to me that these three red flags are the only ‘mistakes’ on the part of the scammers. Everything else was entirely about my own state of mind. In this case, a perfect storm of bad timing, my own emotional state, and an expert phish got me hook, line, and sinker.

Moving forward

My money is gone.

There’s no getting away from that. There’s just not.

Thankfully it’s not an amount that I’ll lose any sleep over, but as I refreshed that Etherscan page, it ate away at me that more money just kept flowing into that wallet bit by bit. Some people were sending as much as 2 ETH, which sits between $8k and $9k currently.

Time permitting, there are three loose threads that could still be tugged on:

  • The Fat Apes Club site that is possibly fake as well
  • Aztec[.]network could use some exploration into their whole enterprise. It could be worth reaching out to them as well to ban the suspect wallet from the platform. [Update: I have reached out to them on Twitter. Waiting on a response]
  • Further OSINT on the HTTrack website Copier to try to find other groups that use it.

The reality is, outside of doing our best not to get scammed, it’s the social media platforms that could do the most to prevent these thefts. Simply making UI changes that would make it obvious when you are in a DM chat versus a channel of a Discord server would be one measure that could have prevented me and others from falling for it.

My true goal for sitting down to write this whole blog post is to drive home this one point:

If it happened to me, it can happen to you.

I hope that others can learn from my experience and use it to help themselves and their loved ones stay a little bit safer.

Day 1 Update: While there was a mid-day lull in transactions on the wallet making me think the web host had hampered the scammers somehow, it appears the scam is now firing on all cylinders again. As of right now, over 50 ETH ($226k) has been sent to the account in the last two days. It seems that restricting access to the account hasn’t hampered the scam.

Day 2 Update: Confirmed that the website has changed its web host to nameservers at myserverbox[.]me. In turn, this site uses another web host called “porkbun” as well as Cloudflare nameservers. If you visit that domain it shows a similar scam website. I’m not quite sure exactly what this means as the branding of the second site doesn’t match with the domain name, although I am happy that I seem to have inconvenienced them at least for some time and hopefully prevented at least one other person from getting scammed. I have reached out to both PorkBun and Cloudflare about the issue and am awaiting their responses.

Day 3 Update: Still no action or word from PorkBun or Cloudflare. The first wallet continues to see payments flowing into it. An additional ETH address has been reported by some victims. Confirmed that the Arbitrum community is simultaneously being attacked. The Arbitrum scam and the zkSync scam both seem to be hosted by myserverbox[.]me running on PorkBun LLC servers.


Practical vigilance powered by OSINT, InfoSec, and loads of coffee.