This is an automated archive.
The original was posted on /r/cryptocurrency by /u/jbtravel84 on 2024-01-24 05:55:00+00:00.
This is a unique phishing scam making the rounds today where the mail server of websites like Cointelegraph and Wallet Connect appear to be hijacked.
What does this mean?
Basically the phishing emails going out appear to look official with the from address matching the branded from email.
Above is an email that appears to come from WalletConnect.
- Phishing Wallet - 0xe7D13137923142A0424771E1778865b88752B3c7
- Phishing Intermediary Wallet - 0xef3d9A1a4Bf6E042F5aaebe620B5cF327ea05d4D
- Fixed Float Deposit Address - 0x4c5D20eFf31A2794C6eef502469DE8f4A1eD55eC
- Railgun Contract - 0x4025ee6512DBbda97049Bcf5AA5D38C54aF6bE8a
One victim wallet appears to have lost 2.64M worth of XB Tokens. I’m showing about 2.7M sitting in the phishing wallet of 0xe7D13137923142A0424771E1778865b88752B3c7, while 518.75K went to 0xef3d9A1a4Bf6E042F5aaebe620B5cF327ea05d4D.
How did this Phishing Scam Happen?
Malware was discovered on the computer belonging to an employee of MailerLite, the email service provider used by websites sending the phishing emails.
Cybersecurity service Hudson Rock believes the malware may have allowed the attacker to gain access to MailerLite’s servers.
In other words, by gaining access to MailerLite’s backend email servers, the attackers were able to impersonate the web3 companies without spoofing the emails.
This appears to be an extremely sophisticated phishing attack exploiting web3 companies' relationships with their email subscribers.
Where’s the Money Going?
Most of the funds are still sitting in 0xe7D13137923142A0424771E1778865b88752B3c7. However, the scammers have shown some of their hand by sending about 30K to a burner FixedFloat deposit address and over 500K through Railgun.
I looked through the Railgun contract address and was able to cross reference timestamps to get an idea where the funds went.
Railgun is designed for privacy and scammers use the service to launder stolen crypto. However, the amounts and timestamps appear to be very closely aligned to each other when looking at the txn history.
It’s my belief most of the funds that went through Railgun are in this wallet - 0x6D9Ee5600E7E773Fae2b5cB0c8c0bEc9F644188c, currently at just over 520K in ETH.
It’s only a matter of time before these get moved through another mixer or exchange.
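The post traces funds through the privacy contract by lining up amounts and timestamps by hand. The script below is an added example (not the poster's tooling, and not a description of Railgun's internals) of that same heuristic on constructed deposit and withdrawal records: each withdrawal is paired with the nearest earlier deposit of roughly the same amount within a time window, so an investigator can see which candidate destination addresses the matched flows point at. All transaction ids, addresses and amounts are placeholders.

```python
"""Amount/timestamp correlation across a privacy contract (constructed data)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    tx: str        # placeholder transaction id (constructed)
    ts: int        # unix timestamp of the transfer
    amount: float  # token amount moved
    addr: str      # counterparty address (constructed placeholder)


def correlate(deposits, withdrawals, max_delay=3600, tolerance=0.02):
    """Pair each withdrawal with the closest earlier deposit whose amount is
    within `tolerance` (a fraction, to allow for fees) and that happened at
    most `max_delay` seconds before it. A deposit is used at most once.
    Returns (matched_pairs, unmatched_withdrawals)."""
    used, pairs, unmatched = set(), [], []
    for w in sorted(withdrawals, key=lambda t: t.ts):
        best = None
        for d in deposits:
            if d.tx in used or d.ts > w.ts or w.ts - d.ts > max_delay:
                continue
            if abs(d.amount - w.amount) > tolerance * d.amount:
                continue
            if best is None or w.ts - d.ts < w.ts - best.ts:
                best = d  # prefer the deposit closest in time
        if best is None:
            unmatched.append(w)
        else:
            used.add(best.tx)
            pairs.append((best, w))
    return pairs, unmatched


# Constructed sample: two deposits from a placeholder "phishing" address are
# withdrawn minutes later, slightly reduced; a third deposit is unrelated noise.
DEPOSITS = [
    Transfer("dep-1", 1706000000, 100.0, "0xPHISH_PLACEHOLDER"),
    Transfer("dep-2", 1706000300, 250.0, "0xPHISH_PLACEHOLDER"),
    Transfer("dep-3", 1706050000, 100.0, "0xUNRELATED_PLACEHOLDER"),
]
WITHDRAWALS = [
    Transfer("wd-1", 1706000900, 99.5, "0xDEST_PLACEHOLDER"),
    Transfer("wd-2", 1706001200, 248.0, "0xDEST_PLACEHOLDER"),
    Transfer("wd-3", 1706090000, 40.0, "0xOTHER_PLACEHOLDER"),
]


def summarize():
    """Candidate destination addresses and total matched volume."""
    pairs, unmatched = correlate(DEPOSITS, WITHDRAWALS)
    return {"matched": [(d.tx, w.tx) for d, w in pairs],
            "unmatched": [w.tx for w in unmatched],
            "destinations": {w.addr for _, w in pairs},
            "total": sum(w.amount for _, w in pairs)}
```

The match is only a heuristic: a tight time window and amount tolerance give a lead to verify against the full transaction history, not proof of ownership.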