# Cryptocurrency Phishing Incident Report
**Date of Report**: November 18, 2023
**Reporting Agency**: Cipher
**Report Composed By**: Cipher
**Type of Incident**: Social Engineering
**Impacted User Alias**: @0nlyPabs on Twitter, Social Media
**Approximate Value Stolen in USD (at the time of the incident)**: $11,000
<br />
## Executive Summary
> **Overview**:
> The victim was targeted by a social engineering attack via the Telegram group `t[.]me/autonolas` while attempting to stake ERC-20 tokens. They were lured to a counterfeit staking platform, which was in fact a phishing website. The website was designed to malfunction during user interactions, prompting users to fill out a 'support form' recommended by a supposed developer, `t[.]me/Devsupports`. The form was a ruse to illicitly obtain users' credentials. Consequently, a diverse set of ERC-20 tokens and Ethereum were stolen from the victim, with a combined market value of approximately $11,000 USD (comprising $7,700 in ETH and $3,253 in $HERA, at rates current as of November 18, 2023). Detailed transaction hashes, token addresses, and timestamps are provided in the transfer data table and linked JSON below.
<br />
| **Key Information** | **Detail** |
| ------------------------- |:--------------------------------------------------------------------------------------------------------------- |
| Incident Date and Time | `November 16, 2023 14:09:23 (UTC)` |
| Phishing Website | `resolverstring[.]net/en/wallets` |
| Snapshot of Phishing Site | [Website Snapshot via Urlscan.io](https://urlscan.io/result/4aae0744-9b16-468d-b287-334c063a7eb0/#transactions) |
#### Relevant Cryptocurrency Addresses
| **Label** | **Cryptocurrency Address** |
|:---------------------------- | -------------------------------------------- |
| Scammer Wallet Address(ETH) | `0xC47e5d32f7be0Cc171740eBbb3f26F78488cd22F` |
| Impacted User Wallet Address | `0x7CB3CbE678d6375E4aa701D95eA10e1ba3096472` |

The image above depicts the social engineering attack vector.
#### Scammer Details:
| Platform | Username | Platform ID | Link |
|:-------- | ----------- |:----------- |:------------------ |
| Telegram | Devsupports | N/A | t[.]me/Devsupports |
| Telegram | autonolas | N/A | t[.]me/autonolas |
**Assets stolen transaction visualization:**

source: [platform.arkhamintelligence.com](http://platform.arkhamintelligence.com/)
**Metis Transaction:**
Alongside the previously mentioned assets valued at approximately $7,700 in ETH terms, additional ERC-20 tokens on the Ethereum L2 chain Andromeda (Metis) were stolen. The victim lost 765.33 units of the token $Hera (`0x6F05709bc91Bad933346F9E159f0D3FdBc2c9DCE`). As of November 18, 2023, with the market price of each $Hera unit at approximately $4.25 USD, the value of the victim's stolen $Hera holdings can be approximated at $3,253 USD.
[https://andromeda-explorer.metis.io/tx/0x5e2249c9e17fd3b8bcb2ed11d492e92d38f6ae733b4ba48a8da1efcaab4f1a8e](https://andromeda-explorer.metis.io/tx/0x5e2249c9e17fd3b8bcb2ed11d492e92d38f6ae733b4ba48a8da1efcaab4f1a8e)
**Transfer data csv/json:**
| transactionHash | from_label | from_address | from_chain | to_label | to_chain | type | blockTimestamp | blockNumber | blockHash | tokenName | tokenSymbol | tokenDecimals | unitValue | tokenId | historicalUSD | chain | tokenAddress |
|:------------------------------------------------------------------ | ----------------- | ------------------------------------------ | --------------- | ------------------------------------------ | --------------- |:-------- | -------------------- | ----------- | ------------------------------------------------------------------ | ------------- | ----------- | ------------- | -------------------- | --------- | ------------------ | --------------- | ------------------------------------------ |
| 0x3ddb8328dcaacd199873c276882d7bd91a4f544f2018433b11db33b8430d3b83 | "6472 on OpenSea" | 0x7CB3CbE678d6375E4aa701D95eA10e1ba3096472 | ethereum | 0xC47e5d32f7be0Cc171740eBbb3f26F78488cd22F | ethereum | external | 2023-11-16T14:13:11Z | 18584969 | 0xf1b0fe229a800ffbed2e2bccac6a7e6b4203c1f7dbdac56650642641d0c1b522 | Ethereum | ETH | 18 | 0.012758416981869672 | ethereum | 25.933779030706845 | ethereum | |
| 0x26bff60f90d304138cf096ec0acb8e2aeb00ae2049c82b90648f3355978da36b | "6472 on OpenSea" | 0x7CB3CbE678d6375E4aa701D95eA10e1ba3096472 | ethereum | 0xC47e5d32f7be0Cc171740eBbb3f26F78488cd22F | ethereum | token | 2023-11-16T14:12:11Z | 18584964 | 0x1ef3a9898770f1f46f50da3e95ac381afa974991e0cabd26154ddcb9b9bb2dd3 | SmarDex Token | SDEX | 18 | 242782.46998540248 | smardex | 3153.452946146396 | ethereum | 0x5DE8ab7E27f6E7A1fFf3E5B337584Aa43961BEeF |
| 0x24450652c7df6632b9a93476ee387212af2e76f68b1d404710486b005fbadabb | "6472 on OpenSea" | 0x7CB3CbE678d6375E4aa701D95eA10e1ba3096472 | ethereum | 0xC47e5d32f7be0Cc171740eBbb3f26F78488cd22F | ethereum | token | 2023-11-16T14:09:35Z | 18584951 | 0xbebd47f7c28b78a5dd683bb8a2d90b8c95f46273316590f128314338f784d50c | Autonolas | OLAS | 18 | 703.2418216524788 | autonolas | 1146.2841692935406 | ethereum | 0x0001A500A6B18995B03f44bb040A5fFc28E45CB0 |
| 0xc8b8894c89ea32542e18025b5490ac75c8e1f53a5321dd1e77313e58682c4a4a | "6472 on OpenSea" | 0x7CB3CbE678d6375E4aa701D95eA10e1ba3096472 | ethereum | 0xC47e5d32f7be0Cc171740eBbb3f26F78488cd22F | ethereum | token | 2023-11-16T14:09:23Z | 18584950 | 0x0c00dc297bd41358687ba36c81a237b07b5277715c6f0da5b99a23c81077d203 | Sandclock | QUARTZ | 18 | 5487.44680311 | sandclock | 1687.603902381646 | ethereum | 0xbA8A621b4a54e61C442F5Ec623687e2a942225ef |
| 0x5e2249c9e17fd3b8bcb2ed11d492e92d38f6ae733b4ba48a8da1efcaab4f1a8e | "6472 on OpenSea" | 0x7CB3CbE678d6375E4aa701D95eA10e1ba3096472 | andromeda-metis | 0xC47e5d32f7be0Cc171740eBbb3f26F78488cd22F | andromeda-metis | token | 2023-11-16T14:09:23Z | 9373121 | n/a | Hera | $Hera | 18 | 765.3689 | Hera | 3333 | andromeda-metis | 0x6F05709bc91Bad933346F9E159f0D3FdBc2c9DCE |
> [Transfer data as JSON via visualizer](https://jsoncrack.com/editor?json=247808b42e760b099c515d21)
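The transfer table is the evidence base for the headline figures, so it is worth being able to re-derive them mechanically rather than by reading the rows. The following is an added example, not part of the original report or of any tool named in it: it parses the five transfers above (transcribed into CSV with the address column labelled `to_address`), sums the `historicalUSD` column per chain, derives the incident window from block timestamps, and checks that every transfer runs from the victim wallet to the single scammer wallet. Note that `historicalUSD` is the value at block time, so the per-chain totals come out lower than the executive summary's November 18 valuation of the same assets.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timezone

# Transfer records transcribed from the report's transfer data table,
# reduced to the columns this analysis needs. The destination column is
# labelled to_address here because it holds the recipient address.
TRANSFER_CSV = """\
transactionHash,from_address,to_address,type,blockTimestamp,tokenSymbol,unitValue,historicalUSD,chain
0x3ddb8328dcaacd199873c276882d7bd91a4f544f2018433b11db33b8430d3b83,0x7CB3CbE678d6375E4aa701D95eA10e1ba3096472,0xC47e5d32f7be0Cc171740eBbb3f26F78488cd22F,external,2023-11-16T14:13:11Z,ETH,0.012758416981869672,25.933779030706845,ethereum
0x26bff60f90d304138cf096ec0acb8e2aeb00ae2049c82b90648f3355978da36b,0x7CB3CbE678d6375E4aa701D95eA10e1ba3096472,0xC47e5d32f7be0Cc171740eBbb3f26F78488cd22F,token,2023-11-16T14:12:11Z,SDEX,242782.46998540248,3153.452946146396,ethereum
0x24450652c7df6632b9a93476ee387212af2e76f68b1d404710486b005fbadabb,0x7CB3CbE678d6375E4aa701D95eA10e1ba3096472,0xC47e5d32f7be0Cc171740eBbb3f26F78488cd22F,token,2023-11-16T14:09:35Z,OLAS,703.2418216524788,1146.2841692935406,ethereum
0xc8b8894c89ea32542e18025b5490ac75c8e1f53a5321dd1e77313e58682c4a4a,0x7CB3CbE678d6375E4aa701D95eA10e1ba3096472,0xC47e5d32f7be0Cc171740eBbb3f26F78488cd22F,token,2023-11-16T14:09:23Z,QUARTZ,5487.44680311,1687.603902381646,ethereum
0x5e2249c9e17fd3b8bcb2ed11d492e92d38f6ae733b4ba48a8da1efcaab4f1a8e,0x7CB3CbE678d6375E4aa701D95eA10e1ba3096472,0xC47e5d32f7be0Cc171740eBbb3f26F78488cd22F,token,2023-11-16T14:09:23Z,$Hera,765.3689,3333,andromeda-metis
"""

VICTIM_WALLET = "0x7CB3CbE678d6375E4aa701D95eA10e1ba3096472"
SCAMMER_WALLET = "0xC47e5d32f7be0Cc171740eBbb3f26F78488cd22F"


def parse_transfers(csv_text):
    """Parse the export into typed records. Addresses are lower-cased so that
    checksummed and non-checksummed spellings of the same address compare equal."""
    transfers = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        transfers.append({
            "tx": row["transactionHash"],
            "from": row["from_address"].lower(),
            "to": row["to_address"].lower(),
            "type": row["type"],
            "ts": datetime.strptime(row["blockTimestamp"], "%Y-%m-%dT%H:%M:%SZ")
                          .replace(tzinfo=timezone.utc),
            "symbol": row["tokenSymbol"],
            "units": float(row["unitValue"]),
            "usd": float(row["historicalUSD"]),
            "chain": row["chain"],
        })
    return transfers


def usd_by_chain(transfers):
    """Sum the block-time USD value of the stolen assets per chain."""
    totals = defaultdict(float)
    for t in transfers:
        totals[t["chain"]] += t["usd"]
    return dict(totals)


def incident_window(transfers):
    """Earliest and latest block timestamps. The earliest one is the incident
    time recorded in the Key Information table; the span shows how quickly
    the wallet was emptied once the credentials were in the attacker's hands."""
    stamps = sorted(t["ts"] for t in transfers)
    return stamps[0], stamps[-1]


def single_destination(transfers, victim, scammer):
    """True when every transfer leaves the victim wallet and lands in one
    receiving wallet, the pattern expected from a credential-theft sweep."""
    return all(t["from"] == victim.lower() and t["to"] == scammer.lower()
               for t in transfers)


def drain_order(transfers):
    """Token symbols in block-time order (ties broken by chain name) so the
    analyst can see which assets moved first and whether the native gas
    asset (ETH) was swept last, as it is in this data set."""
    ordered = sorted(transfers, key=lambda t: (t["ts"], t["chain"]))
    return [t["symbol"] for t in ordered]


if __name__ == "__main__":
    transfers = parse_transfers(TRANSFER_CSV)
    first, last = incident_window(transfers)
    print("block-time USD by chain:", usd_by_chain(transfers))
    print("window:", first.isoformat(), "->", last.isoformat())
    print("single destination:", single_destination(transfers, VICTIM_WALLET, SCAMMER_WALLET))
    print("drain order:", drain_order(transfers))
```

Run as a script it prints the per-chain totals (about $6,013 at block time on Ethereum mainnet, $3,333 on Andromeda-Metis), a 3 minute 48 second window starting at 14:09:23 UTC, and the order in which assets left the wallet.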
<br />
## Technical Analysis
<br />
**Reported website the victim interacted with:**
```
resolverstring[.]net/en/
```
**Reported malicious domain:**
```
resolverstring[.]net
```
**Nov 17, 2023**
The link was initially reviewed externally using urlscan.io, and later interacted with directly from a virtual machine.

Malicious website, observed while conducting malware analysis
**Shodan.io returned the IP:** 172[.]67[.]166[.]117 for `resolverstring[.]net/en/`

IP data while connected to entry
**Clicking the connect button appends 'wallets' to the URL:**
```
resolverstring[.]net/en/wallets
```
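The indicators in this report are written defanged (`[.]` in place of `.`), which is right for a document but wrong for a resolver, proxy denylist or SIEM lookup. The block below is an added example, not code from the report or from any of the tools it names: it refangs the indicators listed so far, classifies each one (IP, domain, URL, Telegram handle, ETH address) and groups them by the control that would consume them. The indicator list is taken from the page; the grouping and the `hxxp` convention are the usual ones, not something the report specifies.

```python
import ipaddress
import re

# Indicators exactly as they appear (defanged) in the report.
REPORT_INDICATORS = [
    "resolverstring[.]net/en/",
    "resolverstring[.]net",
    "resolverstring[.]net/en/wallets",
    "172[.]67[.]166[.]117",
    "t[.]me/Devsupports",
    "t[.]me/autonolas",
    "0xC47e5d32f7be0Cc171740eBbb3f26F78488cd22F",
]

ETH_ADDRESS_RE = re.compile(r"^0x[0-9a-fA-F]{40}$")
SCHEME_RE = re.compile(r"^https?://")


def refang(indicator):
    """Undo the common defanging substitutions so the value can be fed to tooling."""
    out = indicator.strip()
    for broken, live in (("[.]", "."), ("(.)", "."), ("[:]", ":"),
                         ("hxxps://", "https://"), ("hxxp://", "http://")):
        out = out.replace(broken, live)
    return out


def defang(indicator):
    """Make a live indicator safe to paste into a report: dots bracketed, scheme broken."""
    out = indicator.strip().replace("https://", "hxxps://").replace("http://", "hxxp://")
    return out.replace(".", "[.]")


def classify(indicator):
    """Return one of: eth_address, ip, telegram, url, domain."""
    live = refang(indicator)
    if ETH_ADDRESS_RE.match(live):
        return "eth_address"
    try:
        ipaddress.ip_address(live)
        return "ip"
    except ValueError:
        pass
    host, _, path = SCHEME_RE.sub("", live).partition("/")
    if host.lower() == "t.me" and path:
        return "telegram"
    return "url" if path else "domain"


def build_blocklist(indicators):
    """Group refanged indicators by the control that consumes them: DNS/proxy
    denylists take domains, firewalls take IPs, web filters take URLs, and the
    handles and wallet address go to the platform abuse / exchange reports."""
    out = {"domains": set(), "ips": set(), "urls": set(),
           "telegram": set(), "eth_addresses": set()}
    for indicator in indicators:
        live = refang(indicator)
        kind = classify(indicator)
        if kind == "ip":
            out["ips"].add(live)
        elif kind == "eth_address":
            out["eth_addresses"].add(live.lower())
        elif kind == "telegram":
            out["telegram"].add(live.split("/", 1)[1].strip("/"))
        elif kind == "url":
            host = SCHEME_RE.sub("", live).split("/", 1)[0].lower()
            out["domains"].add(host)          # a URL indicator also implies its host
            out["urls"].add(live.rstrip("/"))
        else:
            out["domains"].add(live.lower())
    return out


if __name__ == "__main__":
    for kind, values in build_blocklist(REPORT_INDICATORS).items():
        print(f"{kind}: {sorted(values)}")
```

The ETH address check is a format check only (40 hex digits after `0x`); verifying the EIP-55 mixed-case checksum needs Keccak-256, which the standard library does not provide, so it is left out here.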
**DNS data table from [dnsdumpster.com](http://dnsdumpster.com/) for the /wallets endpoint:**
| Hostname | IP Address | Type | Reverse DNS | Netblock Owner | Country |
| ----------------------------- | --------------- | ---- | -------------------------------------- | -------------- | ------------- |
| resolverstring.net | 172.67.166.117 | A | | CLOUDFLARENET | United States |
| quincy.ns.cloudflare.com | 108.162.195.39 | NS | quincy.ns.cloudflare.com | CLOUDFLARENET | United States |
| serena.ns.cloudflare.com | 108.162.192.220 | NS | serena.ns.cloudflare.com | CLOUDFLARENET | United States |
| mx1.titan.email (priority 10) | 52.7.62.22 | MX | ec2-52-7-62-22.compute-1.amazonaws.com | AMAZON-AES | United States |
| mx2.titan.email (priority 20) | 52.7.62.22 | MX | ec2-52-7-62-22.compute-1.amazonaws.com | AMAZON-AES | United States |
**IP data validation:**

Data cross-referenced and validated using BGP tools
<br />
### Website Analysis
**A successful HTTP 200 response is returned only via the /en path:**
```
website: resolverstring[.]net/en/wallets
```
**Interaction sample:**

website interaction
**Path:** /en/wallets
```
resolverstring[.]net/en/wallets
```

Website structure under the **`/en/wallets`** path (wallets page)
**Likely credential theft mechanism:**
![Possible credential stealing mechanism: `resolverstring[.]net/en/wallets/js/js1.js`](https://hackmd.io/_uploads/BJz1qCS-A.png)
Possible credential stealing mechanism: `resolverstring[.]net/en/wallets/js/js1.js`
**Page element prompting the user to enter EVM-compatible wallet credentials into a potentially malicious form:**
![Credential-entry form observed at: `resolverstring[.]net/en/wallets`](https://hackmd.io/_uploads/BJC1cRBZA.png)
Credential-entry form observed at: `resolverstring[.]net/en/wallets`
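A web form that asks for wallet credentials is the one feature of this site that a legitimate dApp never has: wallets sign locally and a front end only ever needs a connect request. That makes such forms detectable in page content. The following is an added example, not code from the report or from the site it describes: a small auditor that collects every `<form>` in an HTML document and flags those whose labels, input names or placeholders use seed phrase / private key vocabulary, or that present twelve or more free-text fields (the word-slot layout). The sample HTML is constructed for the example; the report shows the real form only as screenshots. The `/en/wallets/success.html` action is taken from the report, the rest of the markup is invented.

```python
from html.parser import HTMLParser

# Vocabulary a legitimate dApp front end never needs to ask for.
WALLET_SECRET_TERMS = (
    "seed phrase", "recovery phrase", "secret phrase", "mnemonic",
    "private key", "keystore", "12 word", "24 word", "12-word", "24-word",
)
# Input kinds that can carry a typed secret (a missing type attribute means text).
FREE_TEXT_TYPES = {"", "text", "password", "textarea"}


class FormCollector(HTMLParser):
    """Collect each form with its action, its input fields and its visible text."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._current = {"action": a.get("action", ""), "inputs": [], "text": []}
        elif tag in ("input", "textarea") and self._current is not None:
            self._current["inputs"].append({
                "type": "textarea" if tag == "textarea" else a.get("type", "").lower(),
                "name": a.get("name", "").lower(),
                "placeholder": a.get("placeholder", "").lower(),
            })

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None

    def handle_data(self, data):
        if self._current is not None and data.strip():
            self._current["text"].append(data.strip().lower())


def audit_forms(html, word_slot_threshold=12):
    """Return one finding per form that solicits wallet secrets, either by
    vocabulary in its text/attributes or by offering 12+ free-text fields."""
    parser = FormCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for form in parser.forms:
        corpus = " ".join(form["text"]
                          + [f"{i['name']} {i['placeholder']}" for i in form["inputs"]])
        terms = [t for t in WALLET_SECRET_TERMS if t in corpus]
        free_text = sum(1 for i in form["inputs"] if i["type"] in FREE_TEXT_TYPES)
        if terms or free_text >= word_slot_threshold:
            findings.append({"action": form["action"], "terms": terms,
                             "free_text_fields": free_text})
    return findings


# Constructed sample page: a phrase-paste form, a twelve-slot form, and a
# benign newsletter form that must not be flagged. Not the real site's markup.
SAMPLE_HTML = (
    '<form action="/en/wallets/success.html" method="post">'
    '<label>Paste your 12 or 24 word recovery phrase to re-sync your wallet</label>'
    '<textarea name="phrase"></textarea><button type="submit">Import</button></form>'
    '<form action="/en/wallets/success.html" method="post">'
    + "".join(f'<input type="text" name="w{i}">' for i in range(1, 13))
    + '</form>'
    '<form action="/newsletter" method="post">'
    '<input type="email" name="email" placeholder="you@example.com">'
    '<button type="submit">Subscribe</button></form>'
)

if __name__ == "__main__":
    for finding in audit_forms(SAMPLE_HTML):
        print(finding)
```

Running it reports the two wallet forms (the first by vocabulary, the second by its twelve text slots) and stays silent on the newsletter form; an ordinary login form with a username and password field is also not flagged, since passwords alone are normal and only wallet-specific signals count.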
**Request Flow:**

Overall website request flow, captured during live interaction using Burp Suite Community Edition
**Logging via Zoho:**

Source: Burp Suite intercepting proxy
**Post data entry:**
![`resolverstring[.]net/en/wallets/success.html`](https://hackmd.io/_uploads/BytZqRBZC.png)
`resolverstring[.]net/en/wallets/success.html`
**Successful data entry:**
![Source:`resolverstring[.]net/en/wallets`](https://hackmd.io/_uploads/B1Efq0rbA.png)
Source:`resolverstring[.]net/en/wallets`
**JS2 activity:**

`resolverstring[.]net/en/wallets/js/js2.js`