# Cryptocurrency Scam Incident Report
**Date of Report**: April 18, 2024
**Reporting Agency**: Cipher
**Report Composed By**: Cipher
**Type of Incident**: Social Engineering, Malware
**Impacted User Alias**: @muertosas on Twitter, Social Media
**Estimated Total Value Loss**: 0.1402 Ethereum
**Equivalent in USD (at the time of the incident)**: $422.668
## Executive Summary
> **Overview**:
> This report documents a cryptocurrency web3 employment scam incident involving social engineering and malware, executed through digital communication platforms. The scam led to the unauthorized access and theft of user cryptocurrency assets and personal credentials. Malware of the Stealc malware family was employed against the impacted user.
| **Key Information** | **Detail** |
| -------------------------- | ----------------------------------------------------------------- |
| Incident Date and Time | April 16, 2024, 06:11:03 PM UTC |
| Malware and Delivery Site | "Stealc" malware at `cozymeta[.]xyz/join-metaverse` |
| Snapshot of Malicious Site | [Website Snapshot](https://tria.ge/240417-c4rgrsda4z/behavioral1) |
**Report Classification**: TLP:WHITE (Suitable for general release)
## Relevant Cryptocurrency Addresses
| **Label** | **Cryptocurrency Address** |
| ---------------------------- | -------------------------------------------- |
| Scammer Wallet Address | `0xE8c8dC22Bacf97D48a20C3Bc493878E262D935C3` |
| Impacted User Wallet Address | `0xafa32d1d7df7937b6b2a12b16febae4b84a15cda` |
## Incident Background
### Theft Event
On `Apr-16-2024 06:11:03 PM +UTC`, `@muertosas` (impacted user) was contacted via direct message by `@lampa` (scammer) on the web3 social media platform `Warpcast`. `@lampa` offered `@muertosas` employment as a temporary moderator in the Discord server of their upcoming web3 game, 'Cozy World'; all the impacted user had to do to secure the role was download and test the provided game launcher ahead of a voice call. The impacted user was thereby misled into downloading and executing a malicious file from `cozymeta[.]xyz/join-metaverse`. Once the download completed, the user encountered an error message stating, “Unable to initialize program due to missing C++ driver. Please ensure that the required driver is installed.” Shortly after observing this message, the user began to notice unauthorized transactions transferring assets from their accounts to the scammer's address `0xE8c8dC22Bacf97D48a20C3Bc493878E262D935C3`.
#### Scammer Details:
| Platform | Username | Platform ID | Cryptocurrency Address |
|:-------- | ---------- |:----------- |:------------------------------------------ |
| Warpcast | Lampa | 372912 | 0x47ad1c7ea118f740fd54cdad14f776c66f814440 |
| Telegram | @Lampa_eth | N/A | N/A |
### Malware and Payload Delivery
The file "Cozy World Setup.exe" was downloaded from the aforementioned site. Despite initial scans showing no threats, the executable was later identified as a delivery mechanism for the Stealc malware.
### Financial Impact
Approximately `0.1402` Ethereum (post-aggregation, valued at around `$422.668` at the time) was stolen through transactions on the `Base - EVM Chain`. Itemized asset theft values are shown in the table below:
| Token Name | Token Address | Quantity | Value (in USD) |
| ----------- | -------------------------------------------- | ------------------------- | -------------- |
| DEGEN Token | `0x4ed4e862860bed51a9570b96d89af5e1b0efefed` | 10,174.160613484555349033 | $228.92 |
| Base Token | `0x70737489dfdf1a29b7584d40500d3561bd4fe196` | 71,201.705232095980549606 | $193.748 |
| **Total** | | | **$422.668** |
## Technical Analysis
### Malicious Website and Payload
The impacted user was deceived into interacting with `cozymeta[.]xyz/join-metaverse`, where they were instructed to enter the code `RFWEF` and directed to download the Windows executable `Cozy World Setup.exe`. The payload executed on the impacted user's system, leading to the compromise. A more in-depth analysis of the malware delivery mechanism and its network calls can be provided upon request.
### Malware Behavior
The malware was identified as belonging to the `Stealc` family, an information stealer designed to evade antivirus detection and to steal the user's cryptocurrency assets along with other login credentials stored on the compromised machine.
### Theft Transactions
Transaction hashes directly associated with the asset theft, with relevant details, are documented below for reference:
| **Chain** | **Transaction Hash** | **Time** | **Link** |
| --------- | ------------------------------------------------------------------ | ------------------------------- | --------------------------------------------------------------------------------------------------- |
| base | 0xda0a7c150fec4facdb96d9881f1e7ca2612e6b5b69944d47d4b8ad6720f55a6f | Tue Apr 16 2024 06:11:03 PM UTC | <https://app.dedaub.com/base/tx/0xda0a7c150fec4facdb96d9881f1e7ca2612e6b5b69944d47d4b8ad6720f55a6f> |
| base | 0x56ae1b0134e7bf4d074ed46a633b34b3b28cdfdb02448c1c74981eceb32e8bc8 | Tue Apr 16 2024 06:11:13 PM UTC | <https://app.dedaub.com/base/tx/0x56ae1b0134e7bf4d074ed46a633b34b3b28cdfdb02448c1c74981eceb32e8bc8> |
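As an added example, not part of the original report, the following Python routine shows the kind of wallet-monitoring check that would have flagged the two transfers above: a burst of outbound transfers from the impacted wallet to a single previously unseen recipient. The transfer records are constructed from this report's tables; the record layout and the `drain_bursts` function are assumptions, not any block explorer's API.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from decimal import Decimal

VICTIM = "0xafa32d1d7df7937b6b2a12b16febae4b84a15cda"
SCAMMER = "0xE8c8dC22Bacf97D48a20C3Bc493878E262D935C3"

# Constructed sample (values taken from this report's tables): the two theft
# transfers. The dict layout is an assumed, simplified record, not a real export.
TRANSFERS = [
    {"tx_hash": "0xda0a7c150fec4facdb96d9881f1e7ca2612e6b5b69944d47d4b8ad6720f55a6f",
     "ts": datetime(2024, 4, 16, 18, 11, 3, tzinfo=timezone.utc),
     "token": "DEGEN", "token_addr": "0x4ed4e862860bed51a9570b96d89af5e1b0efefed",
     "from_addr": VICTIM, "to_addr": SCAMMER,
     "amount": Decimal("10174.160613484555349033"), "usd": Decimal("228.92")},
    {"tx_hash": "0x56ae1b0134e7bf4d074ed46a633b34b3b28cdfdb02448c1c74981eceb32e8bc8",
     "ts": datetime(2024, 4, 16, 18, 11, 13, tzinfo=timezone.utc),
     "token": "Base Token", "token_addr": "0x70737489dfdf1a29b7584d40500d3561bd4fe196",
     "from_addr": VICTIM, "to_addr": SCAMMER,
     "amount": Decimal("71201.705232095980549606"), "usd": Decimal("193.748")},
]


def drain_bursts(transfers, wallet, known_recipients=(),
                 window=timedelta(minutes=5), min_transfers=2):
    """Group outbound transfers from `wallet` by recipient (addresses compared
    case-insensitively) and alert on every recipient not in `known_recipients`
    that received at least `min_transfers` transfers within `window`.
    Returns {recipient_lowercase: {"tx_hashes": [...], "usd_total": Decimal}}."""
    known = {k.lower() for k in known_recipients}
    by_recipient = defaultdict(list)
    for t in transfers:
        if t["from_addr"].lower() != wallet.lower():
            continue  # only the monitored wallet's outbound transfers matter
        to = t["to_addr"].lower()
        if to in known:
            continue  # own addresses / exchange deposit addresses are expected
        by_recipient[to].append(t)

    alerts = {}
    for to, group in by_recipient.items():
        group.sort(key=lambda t: t["ts"])
        if len(group) >= min_transfers and group[-1]["ts"] - group[0]["ts"] <= window:
            alerts[to] = {"tx_hashes": [t["tx_hash"] for t in group],
                          "usd_total": sum(t["usd"] for t in group)}
    return alerts


if __name__ == "__main__":
    for to, info in drain_bursts(TRANSFERS, VICTIM).items():
        print(f"drain to {to}: {len(info['tx_hashes'])} txs, ${info['usd_total']}")
```

The two documented transfers arrive ten seconds apart, so they collapse into one alert naming the scammer address and the aggregated loss; adding the recipient to `known_recipients` suppresses it, which is how a user's own cold wallet or exchange address would be whitelisted.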
## Report Objectives
This report aims to detail the incident comprehensively to assist law enforcement in potential asset recovery and to warn other entities of the modus operandi used in this scam.
## Conclusion
This incident highlights the sophisticated methods used by cybercriminals in the cryptocurrency space. It emphasizes the need for heightened awareness and security measures.