Upon request of one of our clients the TokenScope Team conducted an investigation of the theft of funds from the Metamask wallet.
According to our client on October 29, 2021 his wallet 0x34fae6017418cfd13b546cdec699e13e38145a8f registered on Metamask website was hacked. Funds in the amount of 89.7 ETH were transferred to 0x8b8912bd924a024065da268576df68678b07bd44 by 2 transactions:
- transaction in the amount of 89.7 ETH 0x375cac2e81b0f0673c3058205f901ee9662b9fdf33102a21d6eb907c54f94b8c
- transaction in the amount of 0.000001 ETH 0x1c0bf3aa047ebb61aab60172dd609dd9ca4fed6713466c0cfa0fef757776d255
Later the funds were transferred to the wallet of the scammers 0x8b8912bd924a024065da268576df68678b07bd44, on the 4th of November, 2021 and on the 12th of December, 2021 by 15 outgoing transactions. Mainly the funds were transferred to the wallet of the «Tornado. Cash proxy» anonymization service 0x722122df12d4e14e13ac3b6895a86e84145b6967.
Further examination of the incoming transactions of the address 0x8b8912bd924a024065da268576df68678b07bd44 shows that on April 27, 2021 it was replenished by 80.6 ETH from the address 0x45ae6606356286d1603828001f0907faf4278c061, which in turn was replenished by several transactions from the address 0x8f54972f4ca40bd3ffc8b085f6ece1739c40c65f (address turnover is 131 000 ETH).
According to www.roundtablefinance.com the address, 0x8f54972f4ca40bd3ffc8b085f6ece1739c40c65f is known to be associated with a phishing service spoofing Metamask through which on the 23rd of December, 2020 over $40 million was stolen. The withdrawal of funds was carried out via the Changenow.io exchange through the chain of addresses.
Further analysis of the transactions of the address 0x8f54972f4ca40bd3ffc8b085f6ece1739c40c65f allowed to reveal the source of replenishment of the specified address. The replenishment was conducted on March 24, 2021 from address 0xa4e5961b58dbe487639929643dcb1dc3848daf5e, and on April 08, 2021, from address 0x4356ff583413836ce64fe99dd8b3ef452d9add96, which reportedly received funds from addresses associated with phishing.
Also studying the outgoing transactions of the address 0x8f54972f4ca40bd3ffc8b085f6ece1739c40c65f, the transfers of funds conducted on April 14, 2021 are worth paying attention to:
- 23.8 ETH were transferred to the address 0xa305fab8bda7e1638235b054889b3217441dd645 on the Binance exchange, which is reportedly linked to several hacking attacks, including an early 2021 attack on the DODO service, $2 million were stolen.
- 0.42 ETH were transferred to 0xe14b7a30e141a5a79f7c4b6786e81cebde7a21d5 on the Binance exchange, which is known to receive 1000 TXN (2 100.54 ETH) from an address associated with a phishing wallet.
As a result, TokenScope Team traced the transactions chain of the stolen funds, which were transfered to the Tornado mixer service. In addition, we received confirmation that the addresses of the chain have been caught on the radar as being related to illegal activities.
Successful investments in cryptocurrency projects and don't forget to check addresses for risks. You can start with "Crypto scam victim, easy steps to avoid it" by TokenScope Team - it can help to save your funds!
Also, you can report us any cases related to specific cryptocurrency addresses and the considered risks at TokenScope.com via "Reporting a cryptocurrency address" form. This will help to protect other users from the risks of interacting with such addresses and their owners.