This is an automated archive.

The original was posted on /r/cryptocurrency by /u/jbtravel84 on 2024-01-24 05:55:00+00:00.

This is a unique phishing scam making the rounds today where the mail server of websites like Cointelegraph and Wallet Connect appear to be hijacked.

What does this mean?

Basically the phishing emails going out appear to look official with the from address matching the branded from email.

Above is an email that appears to come from WalletConnect.

  • Phishing Wallet - 0xe7D13137923142A0424771E1778865b88752B3c7
  • Phishing Intermediary Wallet - 0xef3d9A1a4Bf6E042F5aaebe620B5cF327ea05d4D
  • Fixed Float Deposit Adress - 0x4c5D20eFf31A2794C6eef502469DE8f4A1eD55eC
  • Railgun Contract - 0x4025ee6512DBbda97049Bcf5AA5D38C54aF6bE8a

One victim wallet appears to have lost 2.64M worth of XB Tokens. I’m showing about 2.7M sitting in the phishing wallet of 0xe7D13137923142A0424771E1778865b88752B3c7, while 518.75K went to 0xef3d9A1a4Bf6E042F5aaebe620B5cF327ea05d4D.

Above is the outgoing txns of Phishing Wallet 0xe7D13137923142A0424771E1778865b88752B3c7 sorted by highest outgoing amount.

Above is a different look inside of Phishing Wallet 0xe7D13137923142A0424771E1778865b88752B3c7. You can see the outgoing transfer of 518.70K from 0xef3d9A1a4Bf6E042F5aaebe620B5cF327ea05d4D to Railgun.

How did this Phishing Scam Happen

Malware was discovered on the computer belonging to an employee of MailerLite, the email service provider used by websites sending the phishing emails.

Cybersecurity service Hudson Rock believes the malware may have allowed the attacker to gain access to MailerLite’s servers.

The above was posted by Hudson Rock. It appears to show the data from the infected MailerLite employee’s computer.

In other words, by gaining access to MailerLite’s backend email servers, the attackers were able to impersonate the web3 companies without spoofing the emails.

This appears to be an extremely sophisticated phishing attack exploiting web3 companies relationships with their email subscribers.

Where’s the Money Going?

Most of the funds are still sitting in 0xe7D13137923142A0424771E1778865b88752B3c7. However, the scammers have shown some of their hand by sending about 30K to a burner FixedFloat deposit address and over 500K through Railgun.

I looked through the Railgun contract address and was able to cross reference timestamps to get an idea where the funds went.

Railgun is designed for privacy and scammers use the service to launder stolen crypto. However, the amounts and timestamps appear to be very closely aligned to each other when looking at the txn history.

I looked at the timestamps of the Railgun contract 0x4025ee6512DBbda97049Bcf5AA5D38C54aF6bE8a. You can see the funds go into Railgun with Phishing Intermediary Wallet - 0xef3d9A1a4Bf6E042F5aaebe620B5cF327ea05d4D at 12:38:59. Just over an hour later at 13:45:47, it appears to come out in 0x6D9Ee5600E7E773Fae2b5cB0c8c0bEc9F644188c.

It’s my belief most of the funds that went through Railgun are in this wallet - 0x6D9Ee5600E7E773Fae2b5cB0c8c0bEc9F644188c, currently at just over 520K in ETH.

It’s only a matter of time before these get moved through another mixer or exchange.