# Cryptocurrency Scam Incident Report
**Date of Report**: April 19, 2024
**Reporting Agency**: Cipher
**Report Composed By**: Cipher
**Type of Incident**: Social Engineering, Malware
**Impacted User Alias**: @kornykory on Twitter, Social Media
**Estimated Total Value Loss**: 0.1294 Ethereum
**Equivalent in USD (at the time of the incident)**: $396.28
## Executive Summary
> **Overview**:
> This report documents a cryptocurrency web3 employment scam incident involving social engineering and malware, executed through digital communication platforms. The scam led to the unauthorized access and theft of user cryptocurrency assets and personal credentials. Malware of the Stealc malware family was employed against the impacted user.
| **Key Information** | **Detail** |
| ------------------------------------------ | ------------------------------------------------------------------------------------------ |
| Incident Date and Time | `April 14, 2024 8:30AM EST` |
| Malware and Delivery Site | "Stealc" malware at `cozymeta[.]xyz/join-metaverse` |
| Snapshot of Malicious Site | [Website Snapshot](https://tria.ge/240414-ychw7see8v) |
| Snapshot of Malicious Site via Second Tool | [Second Website Snapshot](https://app.any.run/tasks/fb0dfd62-bb40-465e-8b2a-74526a160e73/) |
**Report Classification**: TLP:WHITE (Suitable for general release)
## Relevant Cryptocurrency Addresses
| **Label** | **Cryptocurrency Address** |
| ---------------------------- | -------------------------------------------- |
| Scammer Wallet Address | `0x06836d23a8b13f2d25a246d43787612ad7fc9009` |
| Impacted User Wallet Address | `0x9992031847B43b2Bf0930cC0feaE6CEF7FDA90b6` |
## Incident Background
### Theft Event
On `April 14, 2024 8:30AM EST`, `@kornykory` (impacted user) was contacted by `@jane-` (scammer) via direct message on the web3 social media platform `Warpcast`. `@jane-` (scammer) offered `@kornykory` (impacted user) an employment opportunity as a 'game ambassador' for their upcoming web3 game 'Cozy World'; all that `@kornykory` (impacted user) had to do was download and test the provided game launcher prior to a voice call to secure the role. The impacted user was then misled into downloading and executing a malicious file from `cozymeta[.]xyz/join-metaverse`. Once the download completed, the user encountered an error message stating, “Unable to initialize program due to missing C++ driver. Please ensure that the required driver is installed.” Shortly after observing this message, the user began to notice unauthorized transactions and assets being transferred from their accounts to the scammer's address `0x06836d23a8b13f2d25a246d43787612ad7fc9009`.
#### Scammer Details:
| Platform | Username | Platform ID | Cryptocurrency Address |
|:-------- | -------- |:----------- |:---------------------- |
| Warpcast | jane- | 351885 | N/a |
### Malware and Payload Delivery
The file "Cozy World Setup.exe" was downloaded from the aforementioned site. Despite initial scans showing no threats, the executable was later identified as a delivery mechanism for the Stealc malware.
### Financial Impact
Approximately `0.1294` Ethereum (aggregated and rounded, worth around `$396.28` at the time) was stolen through transactions on the `Binance Smart Chain - EVM Chain`. Itemized asset theft values are shown in the chart below:
| Token Name | Token Address | Quantity | Value in USD |
|:---------- |:-------------------------------------------- |:----------- | ------------ |
| BTCB | `0x7130d2a12b9bcbfae4f2634d864a1ee1ce3ead9c` | 0.00302089 | $195.03 |
| CAKE | `0x0e09fabb73bd3ade0a17ecc321fd13a19e81ce82` | 57.35220631 | $156.92 |
| BNB | `0xeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee` | 0.08 | $44.33 |
| **Total** | | | **$396.28** |
## Technical Analysis
### Malicious Website and Payload
The impacted user was deceived into interacting with `cozymeta[.]xyz/join-metaverse`, where they were instructed to enter the code `B89WB` and directed to download the Windows executable `Cozy World Setup.exe`. The payload executed on the impacted user's system, leading to the compromise. A more in-depth analysis of the malware delivery mechanisms and its network calls can be provided upon request.
### Malware Behavior
The malware was identified as part of the `Stealc` malware family, an information stealer designed to evade antivirus detection and steal user cryptocurrency assets along with other login credentials stored on the compromised machine.
### Theft Transactions
Transaction hashes directly associated with the asset theft, with relevant details, are documented below for reference:
| **Chain** | **Transaction Hash** | **Time** | **Link** |
| ------------------- |:------------------------------------------------------------------ | ----------------------------- |:------------------------------------------------------------------------------------------- |
| binance smart chain | 0x0bada47859b26c1f029898dd35a166959d82bebb2fd0737fdc5b67821b5fe17d | Sun Apr 14 2024 08:30:44 EST | <https://bscscan.com/tx/0x0bada47859b26c1f029898dd35a166959d82bebb2fd0737fdc5b67821b5fe17d> |
| binance smart chain | 0x7fd03c043330feadb0c69876587f69bbdae2b8317276bbe8be7a66465fe9d218 | Sun Apr 14 2024 08:31:41 EST | <https://bscscan.com/tx/0x7fd03c043330feadb0c69876587f69bbdae2b8317276bbe8be7a66465fe9d218> |
| binance smart chain | 0x489893f2e30cd66578a9c1ab5a9d98da9551602111a13c8f4fc0156e07f0fadb | Sun Apr 14 2024 08:32:23 EST | <https://bscscan.com/tx/0x489893f2e30cd66578a9c1ab5a9d98da9551602111a13c8f4fc0156e07f0fadb> |
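The following is an added example, not part of the original report: it shows how an analyst can reconstruct the itemized theft table above from a bscscan-style transfer export by flagging outbound transfers from the impacted wallet to the scammer wallet inside the incident window and scaling raw amounts by token decimals. The records are constructed to match the report's hashes and quantities; the UTC timestamps and the inbound noise record are assumptions.

```python
# Added example (not the report's own tooling). Flags transfers that leave the
# impacted wallet for the scammer wallet during the incident window and totals
# them per token, scaling raw on-chain integers by the token's decimals.
from collections import defaultdict
from datetime import datetime, timezone
from decimal import Decimal

IMPACTED_WALLET = "0x9992031847B43b2Bf0930cC0feaE6CEF7FDA90b6"
SCAMMER_WALLET = "0x06836d23a8b13f2d25a246d43787612ad7fc9009"

# Incident window (assumption: report's 08:30 EST mapped to 12:30 UTC).
INCIDENT_START = datetime(2024, 4, 14, 12, 30, tzinfo=timezone.utc)
INCIDENT_END = datetime(2024, 4, 14, 13, 0, tzinfo=timezone.utc)

# Constructed sample export in a bscscan-like shape; hashes and amounts follow
# the report, the last record is constructed noise (an unrelated inbound transfer).
SAMPLE_TRANSFERS = [
    {"hash": "0x0bada47859b26c1f029898dd35a166959d82bebb2fd0737fdc5b67821b5fe17d",
     "timeStamp": "2024-04-14T12:30:44+00:00", "from": IMPACTED_WALLET, "to": SCAMMER_WALLET,
     "tokenSymbol": "BTCB", "value": "3020890000000000", "tokenDecimal": "18"},
    {"hash": "0x7fd03c043330feadb0c69876587f69bbdae2b8317276bbe8be7a66465fe9d218",
     "timeStamp": "2024-04-14T12:31:41+00:00", "from": IMPACTED_WALLET, "to": SCAMMER_WALLET,
     "tokenSymbol": "CAKE", "value": "57352206310000000000", "tokenDecimal": "18"},
    {"hash": "0x489893f2e30cd66578a9c1ab5a9d98da9551602111a13c8f4fc0156e07f0fadb",
     "timeStamp": "2024-04-14T12:32:23+00:00", "from": IMPACTED_WALLET, "to": SCAMMER_WALLET,
     "tokenSymbol": "BNB", "value": "80000000000000000", "tokenDecimal": "18"},
    {"hash": "0x" + "ab" * 32, "timeStamp": "2024-04-14T12:31:00+00:00",
     "from": "0x" + "cd" * 20, "to": IMPACTED_WALLET,  # constructed inbound noise
     "tokenSymbol": "CAKE", "value": "1000000000000000000", "tokenDecimal": "18"},
]


def flag_theft_transfers(records, victim, scammer, start, end):
    """Return outbound victim->scammer transfers inside [start, end] with scaled amounts."""
    victim, scammer = victim.lower(), scammer.lower()  # EVM addresses are case-insensitive
    flagged = []
    for rec in records:
        when = datetime.fromisoformat(rec["timeStamp"]).astimezone(timezone.utc)
        if rec["from"].lower() != victim or rec["to"].lower() != scammer:
            continue
        if not start <= when <= end:
            continue
        quantity = Decimal(rec["value"]) / (Decimal(10) ** int(rec["tokenDecimal"]))
        flagged.append({"hash": rec["hash"], "symbol": rec["tokenSymbol"], "quantity": quantity})
    return flagged


def total_per_token(flagged):
    """Aggregate flagged transfers into a per-token Decimal total."""
    totals = defaultdict(Decimal)
    for item in flagged:
        totals[item["symbol"]] += item["quantity"]
    return dict(totals)
```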
## Report Objectives
This report aims to detail the incident comprehensively to assist law enforcement in potential asset recovery and to warn other entities of the modus operandi used in this scam.
## Conclusion
This incident highlights the sophisticated methods used by cybercriminals in the cryptocurrency space. It emphasizes the need for heightened awareness and security measures.
### Interactions with Law Enforcement
| Agency | Details |
|:--------------------------- |:--------------------------- |
| **Agencies Notified** | `IC3` |
| **Notification Date** | `Monday April 15, 2024` |
| **Report Reference Number** | `{Insert Reference Number}` |
## References and Attachments
For a detailed visualization of the blockchain addresses and transactions involved, refer to:
- [Blockchain Analysis Transaction Visualization](https://metasleuth.io/result/bsc/0x0bada47859b26c1f029898dd35a166959d82bebb2fd0737fdc5b67821b5fe17d?source=966137b9-d9dc-4ae6-8e2d-d34c43f98c47)