โ„ญ๐”ฆ๐”ญ๐”ฅ๐”ข๐”ฏ

@cipher

๐”„๐”ฒ๐”ก๐”ข๐”ซ๐”ฑ๐”ข๐”ฐ ๐”ฃ๐”ฌ๐”ฏ๐”ฑ๐”ฒ๐”ซ๐”ž ๐”ฆ๐”ฒ๐”ณ๐”ž๐”ฑ warpcast.com/cipher twitter.com/Cipher0091 github.com/cipher-rc5

Joined on Oct 13, 2023

  • Documenting data related to activity observed around Tornado_Cash_100eth on the ethereum blockchain network {%preview https://cosmograph.app/run/?data=https://raw.githubusercontent.com/cipher-rc5/supreme-spork/refs/heads/main/tornado-sample_data.csv&meta=https://hackmd.io/@cipher/tornado_cash_100eth_analysis&source=tc_withdrawal_recipient&target=tc_recipient_freq,round_mana_ratio,trace_value_eth,tx_type&gravity=0.15&repulsion=1.5&repulsionTheta=1.5&linkSpring=0.5&linkDistance=20&friction=0.85&renderLabels=true&renderHoveredLabel=true&renderLinks=true&linkArrows=true&nodeSizeScale=1.3&linkWidthScale=1.5&linkArrowsSizeScale=1&nodeSize=size-default&nodeColor=color-column%20type&linkWidth=width-default&linkColor=color-default& %} USDT_Tron_Blacklist_Clusters Dune analytics query utilized to monitor tron usdt blacklist activity, query linked here: dune_analytics_query_5305128 with tron_usdt_blacklisted as ( select to_unixtime(evt_block_time) as unix_time
  • Case #: [TO BE ASSIGNED] INCIDENT CLASSIFICATION Type: Investment Fraud / Wire Fraud / Identity Theft Category: Cryptocurrency Scam - Fake Venture Capital Firm Priority: High (Six-figure loss) Status: Suspended - Seeking Additional Evidence COMPLAINANT INFORMATION Username/Handle: @esteban232 Date of Report: [TO BE FILLED]
  • A solution toward the social engineering elements of cryptocurrency address-impersonation attacks. #!/usr/bin/env nu # Enhanced EVM transaction fetcher with translation support and address book def main [--translate(-t), --config(-c), --labels(-l)] { # Configuration check mode if $config { print "Checking environment configuration..." let evm_set = not ($env.EVM_ADDR? | is-empty) let noves_set = not ($env.NOVES_API_KEY? | is-empty)
  • Date of Report: 2025-05-13; Reporting Agency: Cipher; Type of Incident: [Under Investigation]; Impacted User Alias: 0xPlus7.eth; Impacted User Name: [Redacted]; Estimated Loss: chain tokenId unitValue historicalUSD ethereum
  • Submitting instance by Cipher and Aksusarya for the Redacted Hackathon ICO track. Aksusarya worked on token analysis and corresponding composition, Cipher worked on website and supplemental data tooling. instances are publicly available here: aksusarya_write-up_research:https://medium.com/@aksusarya/x-icos-3753aab43291 website:https://redactedhackathon.vercel.app/ cipher_technology_writeup:https://hackmd.io/@cipher/redacted_hackathon_ico
  • Considering the problem of investors incurring financial losses from Solana cryptocurrency initial coin offerings, we felt the most promising solution was improvements in data/information transparency and accessibility. For that reason, in addition to our traditional onchain analysis, we have composed supplemental technology resources in the form of a website and custom Dune Analytics datasets, employing the Arkham Intelligence application programming interface (API). Using Arkham we are able to leverage a variety of additional data visualization methods; the examples we have opted to include on our high fidelity website prototype, available at https://redactedhackathon.vercel.app, currently display bar, sankey, and heat chart instances which derive their data from the Arkham Intelligence API 'transfers' path. This is ideal because the API allows for supplemental granularity in the form of filters such as token type, values greater than, and date after or before. In addition, for this particular instance, we opted to utilize current large language model solutions for the development of our unit frontend. This choice was made with the objective of reducing financial losses in the Solana ecosystem, as the instance conveys how, thanks to modern technological advancements, nearly anyone can build solutions to remain better informed prior to potentially exposing funds to extraneous risk. Furthermore, from the initial dataset composed in accordance with past works of security researcher ZachXBT, we located initial coin offerings which accrued high value in a very nominal time period and then extracted the respective "update-authority" fields from each of these instances in order to better monitor activity from each project "founder"; some of our data can be seen on our shortened CryptoClickHouse link provided below. Custom Dune Analytics Dataset: https://dune.com/queries/5055249?sidebar=none CryptoClickHouse: https://shorten.sydintel.workers.dev/ob5gdKL
  • Date of Report: 2024-12-04; Reporting Agency: Cipher; Report Composed By: Cipher; Type of Incident: Social Engineering, Phishing; Phishing Target: @Tayvanno; Estimated Loss: N/A - No user impacts. Executive Summary Overview: This report is intended to expand upon the functionalities of a threat actor which research indicates is targeting cryptocurrency companies and developers. Key Information Detail Incident Date and Time
  • initial_google_drive_link: drive[.]google[.]com/drive/u/1/folders/1cXT5FzX-IvgchroQOKitw3my3yY9Avl8 distribution_url: hxxps[://]github[.]com/TJ9373/stickman-nft/commit/569601319ecf96a4007fee74243ad49268412da9[.]patch analyst_extracted_contents_hidden App.test.js: hxxps[://]hst[.]sh/witoneqogo[.]js
  • 2024-12-19 details: Drainer observed during the Pudgy Penguins Pengu token airdrop. The instance utilized IDN attack vectors along with mobile-only detonation to increase effectiveness: when the instance was scanned (most scanning platforms default to desktop user-agents), the scan would redirect to the legitimate domain pudgypenguins[.]com; however, when interacted with on a mobile platform, the unit instead phished user credentials. urlscan detection query: hash:"f6b6bb2765d371dda37b91e1eadf0b2829e7cc395624ea6b8474dcd07df62830" NOT domain:pudgypenguins.com; link to urlscan search query samples
  • Infosec. Telegram Decoder: URL_Decode() -> Regular_expression('User defined','(?<=startapp=)[a-zA-Z0-9+/=]+',true,true,false,false,false,false,'List matches') -> From_Base64('A-Za-z0-9+/=',true,false). Cryptocurrency - Arkham Specific. Extract Arkham: used to extract unique ethereum addresses from Arkham Intelligence URL links and return them as line feed instances: URL_Decode()
  • deobfuscated sample from voxiumcalls 2024 - 12 - 06 https://urlscan.io/result/bb84fc45-c42d-4192-a20e-8e760740e403/#transactions url: hxxps[://]voxiumcalls[.]com/room/dev/secr[.]js sender @ReaperCrpt on twitter code from filename: secr[.]js https://urlscan.io/result/9ddf69a0-00fd-46d7-b5e4-4c836fc0cf72/dom/ payload 1: https://www.filescan.io/uploads/675360c8aa7f098f77e804bc/reports/fa4533d3-33e1-41dc-b594-8302c363d201/overview payload 2: https://www.filescan.io/uploads/675360e4f158f0b6a3b2e82a/reports/e0ef806f-2655-4422-ab0e-bf0ce3c39cc8/overview
  • Case Summary Brief: Victim: Alias Redacted was scammed out of 15.72 Ethereum via a Telegram social engineering attack. The Victim: Alias Redacted, was seeking mentorship in cryptocurrency trading and was contacted by an individual claiming to assist users in learning proper trade analysis and execution. This individual, going by the Telegram username @ranacrypto10x, requested that the user interact with an alleged "Trust Wallet" found at the cowcrypto[.]io website. After interacting with the scam website, the user reported observing funds exiting from their respective wallet with address 0xb43fC04B6a6cc56b0a293cC8541E7779CB058fAf and being sent to 0xCdd01a8ed1C126d3291E068bc92c3407E9beD6C6. Event Date: February 27, 2024. Theft Event Ethereum Transaction: 0x931660147c0f6e5abe8b1f19984f12f8073d20697ac75f6006764a9ca34a8586. Sample from cowcrypto[.]io: cowcrypto.io - urlscan.io
  • Help During Emergencies https://x.com/_SEAL_Org https://securityalliance.org Security Communities https://x.com/BoringSecDAO https://www.boringsecurity.com https://intelligenceonchain.com/ Revoking Malicious Approvals
  • Fund-X - Cryptocurrency Recovery Scam. domain: fund-x[.]pm; urlscan: https://urlscan.io/result/342a78df-1f53-441b-a2c6-c86b79c6b1cd/#transactions; image pivot on filename: fund-x[.]pm/assets/js/demo[.]js; filehash: 7a710569d96f209f4a0c691c2068f4ab0b117855c95595a60470e827923cba45; 7a710569d96f209f4a0c691c2068f4ab0b117855c95595a60470e827923cba45_unique_domains: apexcapitalspro[.]com apexglobalfxworld[.]com
  • Submission Details Verdict Date Tags PartyRoyale.exe 0aef1e1f5f8cef19c63977278ca550ae4196d6ea13d51bc706bb64f03ea64ec6 application/x-dosexec application/x-dosexec Likely malicious
  • "@Drakannew" - angel drainer telegram name https://privatebin.net/?dbdd67cbd26d924d#8vqyQtDCjD2JgDqhPWtKBjLyg6iZ5XRGsUzJrSbA6FNL Telegram Data All official Angel Drainer representatives are listed below. Don't fall for scam and enjoy your work at Angel 🖤 People @drainer @drakannew @stop
  • Sample likely belongs to a traffer unit group (not yet confirmed); it employs varying code structures from previous samples, and no reference has been observed within monitor streams. malware_data: windows payload sent: https://www.virustotal.com/gui/file/a9165466ad09f37a2c76b8e144025f0bd9fc739b3f0f16a837e31e278914585d; anyrun: https://app.any.run/tasks/69655b22-3b77-4d1d-94ab-c439dfe38ff2; delivered via: hxxps[://]nebulard[.]io/_next/install[.]js; install[.]js filehash search: 3d3c0037398f0abbe3cf29ae66b022accfc776ed9005a1df427d82e4bfef6b31
  • Attack-vector summary: Malicious actors social engineer users into thinking they are communicating with some form of technical support, and direct users toward submitting cryptocurrency wallet credentials into an input form on a malicious phishing website for exfiltration. First encountered: 2023-11-18. Phishing URL: hxxps[://]online-webpanel[.]com/auto/linking/; Initial Scam Sample: https://urlscan.io/result/e18ba105-61cd-4209-8176-90f183ad757a/#summary; Seedphishing Sample: https://urlscan.io/result/cc75a707-5983-436f-b4cd-ffdd18091909/; Units Correlated via file: line[.]ad93247a[.]png; Hash: afba5af5d72ca3fabfa70396b3f18ed7d3b6b45cdb4125faf48070f9d5224aaa
  • crypteriumplay[.]io data. Domain: crypteriumplay[.]io; URLScan Result: View Summary; SHA256 Filehash: hxxps[://]crypteriumplay[.]io/js/downloadGameClient[.]js 8d3a3947e7441f00364e6447ca1e0aa50c43fc70a4e2c2d0c00bc70429691706; URLScan Search Result: Search by Hash; Failed Requests: Domain: nanososijhi[.]com; URLScan Search Result: Search by Domain. Correlation between crypteriumplay[.]io and nanososijhi[.]com domain results shows interconnection to app-maverick[.]xyz and additional samples as well; the unit indicates attribution of ms-drainer to traffer activity. Data initially observed from reviewing traffer log channels. nanososijhi[.]com data. Additional Samples: Domain: jitonetwork[.]online, URLScan Result: View Summary; Domain: zro-participate[.]com, URLScan Result: View Summary
  • Concept Objective: Practice utilizing the Dune Analytics Live Fetch functionality for interfacing with external data exposed through API (application programming interface) endpoints. For this use-case, as data is retrieved rather than sent, the http_get method was employed. Design: Pump.fun was selected for this instance due to relevance and possible extended use-case application. Initial Research: Due to the lack of developer documentation, a cursory review of the Pump.fun frontend functionality was done using the Mullvad Browser and developer tools.