A CyberNews investigation uncovered a network of wallet addresses used by a scammer group to store and cash out millions in crypto stolen from thousands of victims.
Mindaugas (who wished his last name not to be disclosed publicly), an executive at a UK-based company, unknowingly fell for a scam when he tried to claim a £60 bonus supposedly offered by Coinbase, a mistake that resulted in £15,000 lost to fraudsters in minutes.
When he reported the scam to Coinbase, the company responded by urging him to change his account password and told him that Coinbase would be unable to help him win back his money. Later, when Mindaugas went to the police, his case was promptly closed due to ‘lack of evidence.’
After Mindaugas reached out to CyberNews, our investigators were able to follow the scam group’s money trail and locate a network of wallets used by the group to store and cash out Mindaugas’ stolen crypto, along with millions in cryptocurrency plundered from thousands of other victims. Mindaugas then forwarded this information to a UK cyber police unit that had previously closed the case citing lack of tangible evidence.
What you are about to read is the story of how Mindaugas fell for the scam, and how we followed the crumbs left by the scammers to find millions stashed away across multiple wallets, cryptocurrency exchanges, and even an online casino account.
Falling for the scam
On March 24, 2021, Mindaugas received an email that purportedly came from Coinbase, claiming that he was eligible for a bonus on Coinbase.
Shortly before the IPO, Mindaugas received an email from a stock trader website, which claimed that if he were to buy initial Coinbase stock via the website, Mindaugas would be eligible to receive a monetary bonus on the exchange. He was then asked to fill in and submit a contact form, which he did.
“At the time, he was really interested in crypto, and he was eagerly waiting for Coinbase to go public as he saw their stock as a great investment opportunity,” Mindaugas’ wife Loreta told CyberNews.
Weeks later, about a month prior to the IPO, Mindaugas received an email, which, by the looks of it, came from a Coinbase support agent, claiming that he’s eligible for a £60 bonus. To claim the bonus, Mindaugas had to agree to receive a call from a Coinbase employee.
Unfortunately for Mindaugas, the email didn’t come from a support agent at all. For an untrained eye, the email itself might look rather genuine. In reality, it was sent by a scammer, and the CLAIM BONUS button led to a phishing website, which Mindaugas didn’t notice at the time.
“Being caught at work and in a hurry, he thought nothing of it and simply clicked the button.“
Loreta told CyberNews.
Minutes later, Mindaugas received a call.
The person at the other end of the line introduced himself as a Coinbase support agent and claimed that he was calling to confirm that Mindaugas was eligible for the bonus previously referenced in the email.
According to Loreta, the agent sounded surprisingly knowledgeable and professional and didn’t ask Mindaugas for any contact details. “He told Mindaugas that all he needed to do in order to receive the bonus was to prove his identity by sending the agent his two-factor authentication code,” Loreta told CyberNews. “It’s no surprise his defenses were down.”
At a glance, everything seemed legitimate: the email looked like it came from Coinbase, the phone number appeared proper, and the caller sounded like someone from Coinbase.
Mindaugas was asked to confirm his identity by entering a two-factor authentication code to log in. Needless to say, this was another ruse intended to harvest his 2FA credentials. As soon as he entered the code, it was game over for his crypto.
“So, Mindaugas gave them his authentication code, which was his biggest mistake.”
Four minutes later, Mindaugas was notified that the ‘support agent’ accessed his account via the Coinbase app. Being an iPhone owner, Mindaugas didn’t notice that the verification email he received was for the Android version of the Coinbase app used by the fraudsters.
The scammers didn’t waste any time. Unbeknownst to Mindaugas, nine minutes after they logged in, the criminals converted Mindaugas’ entire cryptocurrency balance to Ethereum (ETH) and Ripple (XRP) tokens, which they immediately sent to their own wallets.
All in all, the scammers stole more than 11 ETH and 1,500 XRP from Mindaugas.
Shortly after, he received email notifications confirming that his crypto was being converted to ETH and XRP and transferred to another wallet.
Right after the call, Mindaugas logged back into his Coinbase account to see whether he received the bonus.
To his shock, what he saw was an empty account balance.
“It was zero. He had about £15,000 in there. Thank God, he transferred most of his balance to another exchange a couple of days beforehand,” says Loreta.
“At first, we thought it might be some kind of mistake or a glitch. But since their knowledge base had no option that covered any bugs or glitches, we decided to inform Coinbase that my husband’s account has been compromised. But all we got back was a password reset request.”
The double dip
Less than 30 minutes after he changed his account password, Mindaugas received a second call from the supposed Coinbase support agent. The agent told him that Coinbase was responding to the open support ticket concerning his compromised account and promptly began to interrogate Mindaugas about the incident.
“So, we told him what happened. We were even pleasantly surprised by the swift response from Coinbase. I remember Mindaugas telling me that they must have noticed the hack on their end.”
After Mindaugas explained the situation, the support agent offered him two options.
“Either we call the police, in which case there is no guarantee that we’ll ever get our money back, or they give us a refund without getting involved with the authorities,” Loreta told CyberNews. “My husband was still in shock and rather disoriented, so at that moment, he agreed to proceed with the second option.”
As soon as Mindaugas chose to let Coinbase refund the balance, the agent proceeded to tell him that, once again, Coinbase had to confirm his identity.
“He said ‘We see that you have an account at Binance, and since Coinbase and Binance are sister companies…’ And that’s when I saw he was trying to dupe us,” explained Loreta, who was aware that Coinbase and Binance are separate companies.
“Next thing I hear, he’s telling us to prove our identity either by transferring £5,000 from our Binance account to Coinbase, or by giving them our Binance authentication code so that they can transfer the missing £15,000 to my husband’s Binance account. That’s when I took the phone from my husband and asked the scammer if I heard him right,” Loreta told CyberNews.
“I demanded he immediately tell me his name and phone number. The scammer told me whatever his fake name was, then began reciting some numbers. A few moments later, he dropped the call.”
That was the last Loreta and Mindaugas heard from the scammers.
“After the call, I told my husband that companies like Coinbase don’t call their customers. They communicate by email. Sorting out things like this through official channels is a long process,” says Loreta.
Still in shock after what happened, Mindaugas and Loreta were hesitant to report the incident to law enforcement.
“The strangest thing is that the scammers’ calls were not logged anywhere. We couldn’t find them on the phone, and there was no trace of them on my husband’s mobile carrier account.”
Loreta told CyberNews.
Thinking that there was insufficient evidence, the couple did not contact the police until about a month following the incident, after they contacted CyberNews.
“After reviewing the case, the police told us that too much time had passed since the scam, and they just closed the case,” said Loreta.
“We’re still waiting for an answer. And since ‘only’ £15,000 was stolen, we’re not very hopeful that the police will do anything about it,” said Loreta.
“Right now, all we hope for is that Coinbase takes a hard look at their security procedures and improves them so that situations like ours don’t happen to others.”
Following the money
On April 16, Mindaugas reached out to CyberNews and told us his story.
We were aware that the likelihood of seizing his crypto back from the scammers wasn’t high. That said, we were confident that we would be able to follow their tracks and, at the very least, produce enough evidence for the police to reopen the inquiry. So, we jumped at the opportunity to help the couple in any way we could.
On April 17, we began to dig into the scam group’s money trail. It took time, but in the end, we managed to follow the scam group’s tracks far enough to find out the exact locations where the scammers keep their stolen crypto.
With that in mind, let’s take a look at how this particular scam group works to cover their tracks, and where they eventually cash out the crypto stolen from countless unsuspecting victims.
Where the stolen millions roam
The results of our investigation show that once the scammers gain access to a crypto exchange account, the group immediately transfers the victim’s entire cryptocurrency balance to a temporary holding wallet. This wallet is not associated with any crypto exchanges and seems to be the first stop for cryptocurrencies stolen from multiple victims of this particular scam group.
After the victims’ crypto reaches the first wallet, its next stop is what appears to be an automated coin mixing wallet.
(Multiple new wallets automatically created for coin mixing by the scam group)
The scammers use this wallet to make their crypto transactions harder to track by automatically mixing the newly stolen cryptocurrency tokens within a larger crypto pool and then sending smaller batches of the mixed tokens to the scammers’ other addresses, mostly Kraken and Bitpanda cold wallets.
After being ‘laundered’ through multiple coin mixers and temporary wallets, the victims’ crypto is then transferred to a single central Ether wallet, which appeared to have more than $700,000 in stolen crypto being stored by the group at the time of writing:
This central wallet appears to be the nexus used by the scammers to gather the mixed crypto in one place and spread it out via multiple transactions. While most of those transactions lead to numerous smaller wallets that show no subsequent activity, a large part of the stolen crypto travels to two destinations that bear further examination.
A criminal gamble
One of the destinations for freshly ‘laundered’ tokens seems to be an account on a cryptocurrency gambling website, where the scammers have currently amassed a whopping $5.1 million (and counting) in crypto:
While it’s unclear why the crypto ends up in an online casino, the scammers might simply want to increase their profits even further by using it for gambling.
On June 30, we contacted the website about our findings and warned them that one of their wallets may be used by scammers for malicious purposes. A representative from the website denied that the wallet is tied to the online casino, indicating that there have been “2 withdrawals” from the website to the wallet.
We immediately followed up with additional information about the wallet address but did not receive a follow-up response from the representative at the time of writing.
Keeping stolen money in broad daylight
The other notable destination for transactions coming from the group’s central wallet is an address that has apparently been flagged by other users as a scammer wallet.
The victims, or perhaps investigators working on their behalf, have left multiple comments on the wallet where they call out the scammers for using the wallet for malicious purposes.
Shockingly, the very first comment on the wallet was posted more than three years ago:
This, along with the massive sums of money being stored in these wallets, might indicate that this particular scam group has defrauded thousands of victims over their career.
Be that as it may, this wallet is not managed by a centralized cryptocurrency exchange that would be able to take measures to freeze it or even seize the stolen crypto. As a result, the scam group can keep using it with impunity, even after being outed as criminals by other users.
The Ethereum balance of the flagged wallet is constantly shifting, with dozens of incoming and outgoing transactions executed by the fraudsters every day. At the time of writing, the group held 58.7 Ethereum tokens worth $152,184.17 in the wallet.
From the flagged wallet, the stolen crypto finally seems to arrive at addresses hosted by centralized cryptocurrency exchanges like Binance, Kraken, and Bitpanda, which the scam group appears to be using to cash out their spoils.
We reached out to Kraken and Binance in order to inform the exchanges about fraudulent transactions coming from the scam group.
According to a Kraken spokesperson, the exchange could not comment on any potential investigation of fraudulent activity that may or may not be in the process.
“However, we take these matters very seriously and have invested significantly in the proper compliance measures to ensure our platform remains safe, secure and free from criminals. We regularly respond to law enforcement requests and are obligated to report any suspicious activity to FIUs,” the spokesperson told CyberNews.
“Anyone who attempts to use our systems for criminal activity will be subject to investigation. The safety of our clients has always been our number one priority and we will continue to take all steps necessary to ensure criminals never have a home here at Kraken.”
Binance, on the other hand, declined to comment on our initial inquiry, claiming that “there isn’t enough evidence to suggest” that the wallet addresses were created by threat actors. We provided the exchange with additional information, and will update the article as soon as we receive a response from Binance.
Having gathered the data about the scam group during our investigation, we contacted a UK cyber police unit about our findings on June 18.
“This is a classic phishing scam campaign”, says CyberNews researcher Mantas Sasnauskas. “They come in many different forms. It’s vital to be conscious about the emails you receive and not to click on any suspicious links within.”
According to Sasnauskas, it’s always better to log in to your accounts directly. “Before proceeding to enter your credentials, always check the sender’s email address, and verify that the link is original,” cautions Sasnauskas.
“When it comes to crypto exchanges, they would benefit from enacting stricter controls in detecting malicious or anomalous activity, and blocking anything suspicious before fraudulent transfers are made.”
If you want to know How to protect yourself against phishing scams, reads the full article available here
About the author: Edvardas Mikalauskas
(SecurityAffairs – hacking, wallet)