April 2, 2023
This article was originally published March 31, 2023 on Hederadev's Medium Blog.
Side notes: this has been a self-initiated activity, without funding, support or any official affiliation with Hedera, spanning five full days. The tracing was done manually, so there could definitely be errors in my findings. For simplicity's sake, this article only covers the attacks directly related to the same Binance memo that was used by the March 9 exploiter (0.0.2015717), though many other scams caught my eye along the way. Some information has deliberately been left out of this article, as publishing it might give the attacker an advantage.
In early March, an attacker exploited the Smart Contract Service code of the Hedera mainnet, raking in around $600k in tokens. As the account ID was 0.0.2015717, we will call the attacker '2015717' from here on. 2015717 transferred the funds via Hashport to an Ethereum address, through the in-app exchange of Atomic Wallet, and also through Binance to a second Ethereum address. This has been well documented by different entities so far.
In this article we will look into the activity of 2015717 before the exploit: scamming the Hedera community with a tactic known as a "dusting attack". Unfortunately many have fallen victim to it, even though it is a fairly simple scam. So far I have identified at least 24 victims and hundreds of thousands of HBAR lost, directly related to attacker 2015717.
And you thought 2015717 hid in a hole after the exploit? Nothing like that: the moment proxies were enabled again, the dusting attacks were back in full force.
In a dusting attack, currently widely employed by this scammer on the Hedera network, the attacker sends memos to tens of thousands of accounts. The memo holds a URL with a message, always something in the style of "claim your free HBAR reward at hbarxzy.com" (link redacted). Your wallet is not directly in danger. Only if you decide to visit that link, by typing it manually into your browser, do you start following the path the scammer has laid out for you, and even then you are the only one who can complete the attacker's plan, by giving out your seed phrase. Many people know not to follow unknown links or give out their seed phrase, but by sending these messages to hundreds of thousands of accounts, there will always be a few with whom the scammer succeeds.
In this case, people would land on a website that would look exactly like the Hedera website, announcing an enormous HBAR airdrop. Continuing to the next website would lead you to a fake ‘myhbarwallet’ copy, inviting you to put in your seed phrase. Once you have done this, your wallet will be instantly drained.
Using the Binance memo employed to transfer the funds, I found several other accounts that used the same memo. The deduction you can make from this is that 2015717 had access to those wallets as well, meaning the attacker either owned them or had gained access to them.
From there on, I traced every single transaction, as well as account creations, and built a graph that visually represents the activity of 2015717. I started out systematically, visualising every trace, but after a little while focused only on the most important transactions: those showing the combination of a malicious URL received in a memo and the wallet being drained afterwards. I cross-checked this with reports on chainabuse.com and messages on social channels.
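The two checks described above, flagging dust memos that carry a URL and linking accounts that deposit to an exchange with the same memo, as an added example that is not part of the original article. The records, account IDs and memos are constructed for this example and use a simplified shape (sender, receiver, amount in tinybar, memo), not real mirror node output.

```python
import re
from collections import defaultdict

# Constructed sample records; every account ID and memo here is made up.
SAMPLE_TRANSFERS = [
    {"from": "0.0.900001", "to": "0.0.700001", "amount": 1, "memo": "Claim your free HBAR reward at hbar-reward.example"},
    {"from": "0.0.900001", "to": "0.0.700002", "amount": 1, "memo": "claim your free HBAR at www.hbar-reward.example"},
    {"from": "0.0.900001", "to": "0.0.700003", "amount": 1, "memo": "https://hbar-reward.example/claim"},
    {"from": "0.0.700002", "to": "0.0.900001", "amount": 1, "memo": "Please give my funds back"},
    {"from": "0.0.900001", "to": "0.0.800001", "amount": 250_000_000_000, "memo": "DEPOSIT-MEMO-A"},
    {"from": "0.0.900002", "to": "0.0.800001", "amount": 90_000_000_000, "memo": "DEPOSIT-MEMO-A"},
    {"from": "0.0.123456", "to": "0.0.800001", "amount": 10_000_000_000, "memo": "DEPOSIT-MEMO-B"},
]

# Anything that looks like a link: a scheme, a www. prefix, or a bare host.tld token.
URL_RE = re.compile(r"https?://|www\.|\b[a-z0-9-]+\.[a-z]{2,}\b", re.I)
# 1 HBAR = 100,000,000 tinybar; a transfer this small exists only to deliver the memo.
DUST_LIMIT_TINYBAR = 1_000


def is_dust_memo(record):
    """A dust message: a negligible amount whose memo carries a URL."""
    return record["amount"] <= DUST_LIMIT_TINYBAR and URL_RE.search(record["memo"]) is not None


def find_dusting_senders(transfers, min_recipients=3):
    """Map each sender of dust memos to its distinct recipients; keep mass senders only."""
    recipients = defaultdict(set)
    for rec in transfers:
        if is_dust_memo(rec):
            recipients[rec["from"]].add(rec["to"])
    return {s: sorted(r) for s, r in recipients.items() if len(r) >= min_recipients}


def cluster_by_deposit_memo(transfers, exchange_account):
    """Group senders that deposit to the exchange account under the same memo.

    An exchange memo identifies the depositing customer, so several Hedera accounts
    sharing one memo are under the same control.
    """
    by_memo = defaultdict(set)
    for rec in transfers:
        if rec["to"] == exchange_account and rec["memo"]:
            by_memo[rec["memo"]].add(rec["from"])
    return {m: sorted(a) for m, a in by_memo.items() if len(a) > 1}
```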
The initial graph had me go very deep in the rabbit-hole, depicting other scams as well.
As the purpose of this article is to shed light on, and raise awareness of, the specific dusting attack that is still ongoing, I have only made the hi-res version available for the attacks directly related through the Binance memo of 2015717.
The full version of the graph can be downloaded here (PNG).
Sometimes a victim would send messages to the attacker, pleading for the funds to be returned. These were, of course, always ignored.
The following accounts have used the same memo to send funds to Binance:
These are all accounts that the attacker either created or took possession of.
Following the activity of 2015717 led to at least the following victims and funds lost:
2015717 has been very successful with the dusting attacks, making it worthwhile to continue attacking the Hedera community. My assumption is that this person has been active for a long time, and will continue to do so as long as it is a lucrative activity.
The attacker also leveraged the fact that Hedera's native staking rewards are triggered by a transaction: sending a microtransaction can therefore trigger a significant staking reward payout, which makes the prospective victim think the promised "airdrop" is plausible.
HashPack has introduced a feature that tries to filter out unknown links or warn about them, a great initiative to reduce exposure to these dusting attacks. Hopefully many users will not even see those links anymore, though awareness of secure practices needs to stay a priority when onboarding people to Web3.
Personally, I was shocked by the sheer number of victims. I tended to ignore those dust messages myself, and so could not see the extent of the problem. Victims will often not come forward themselves, as they may feel ashamed of having fallen for a scam, though I really encourage anyone affected to report on chainabuse.com (or contact me directly). You never know whether your report may be the key to finding the attacker. One of the victims actually gave me information that connected the attacker to a whole new spiderweb; that is probably for another day.
This has been a personal effort by Milan (HederaDev).
Please reach out if you have questions, suggestions or insights.