Community blog

Hedera’s March 9 exploiter — a prolific scammer within the Hedera ecosystem

Article by


This article was originally published March 31, 2023 on Hederadev's Medium Blog.

Side notes: this has been a self-initiated activity, without funding, support or any official affiliation with Hedera, spanning over five full days. The tracing process has been done manually, and there could definitely be errors in my findings. In this article for simplicity sake I have only focused on the attacks directly related to the same binance memo that was used by the March 9 exploiter (0.0.2015717 ) — though there are many other scams that have caught my eye. There is info I have not published in this article, as this might give the attacker an advantage.

One of the victims of a dusting attack


  • Exploiter ‘2015717’ (read: Analysis & Remediation of the Precompile Attack on the Hedera Network) has been active at least since November 2022, through an elaborate scam announcing fake HBAR airdrops through microtransactions
  • At least 24 victims got their wallets drained
  • More than 600k HBAR were lost by these victims between nov ’22 and feb ‘23
  • As it would need a victim to put in their seed phrase on a malicious website, it shows there is need for extra awareness on best security practices
  • Many more scams have been identified — that for some other day


Early March an attacker exploited the Smart Contract Service code of the Hedera mainnet, raking in around $600k in tokens. As the account ID was 0.0.2015717, we will call the attacker from here on ‘2015717’. 2015717 transferred the funds via Hashport to an Ethereum address, through the in-app exchange of Atomic wallet, and as well through Binance to a second Ethereum address. This has been well documented by different entities so far.

In this article we will look into the activity of 2015717 before the exploit — scamming the Hedera community through a certain scam called “Dusting Attack”. Many have fallen victim to this attack unfortunately, even though it is a fairly simple scam tactic. So far I have identified at least 24 victims and hundreds of thousands of HBARs that were lost — directly related to attacker 2015717.

And you thought 2015717 hid in a hole after the exploit? Nothing like that — the moment proxies were enabled again the dusting attacks were back in full force.

What is a dusting attack?

With a dusting attack, currently widely employed by this scammer on the Hedera network, the attacker sends memos to tens of thousands accounts. This memo holds an url with a message, always something in the style of “claim your free HBAR reward at” (link redacted). Your wallet is not directly in danger, it is only if you decide to go to that link, by putting it manually in your browser, that you will start following the path the scammer has laid out for you — even then, you will be the only one that can complete the attacker’s plan, by giving out your seed phrase. Many people are aware of not following unknown links, or giving out your seed phrase, but by sending these messages to hundreds of thousands of accounts, there will always be a few that the scammer will be successful with.

In this case, people would land on a website that would look exactly like the Hedera website, announcing an enormous HBAR airdrop. Continuing to the next website would lead you to a fake ‘myhbarwallet’ copy, inviting you to put in your seed phrase. Once you have done this, your wallet will be instantly drained.

Making the tracing graph (or spiderweb)

Using the binance memo employed to transfer the funds, I found several accounts that used the same. The deduction you can make from this, is that it automatically means 2015717 had access to those wallets, therefore owned or gained access to those wallets.

From there on, I traced every single transaction, as well as account creations, and established a graph allowing me to visually represent the activity of 2015717. Starting out systematically, visualising every trace, though after a little while I focused only on the most important transactions that would show a combination of a malicious url received in memo + wallet drained afterwards. I cross-checked this with reports on and messages on social channels.

The initial graph had me go very deep in the rabbit-hole, depicting other scams as well.

The dusting attack (on the right), and other malicious activities on the left (perhaps related or not)

As the purpose of this article is to shed light and create awareness on the specific dusting attack that is still ongoing, I have only made available the hi-res version of the attacks directly related through the binance memo of 2015717.

The dusting attack by 0.0.2015717

Download here the full version of the graph (PNG).

Sometimes the victim would send messages to the attacker, pleading to give back the funds. Of course, always ignored.

The following accounts have used the same memo to send funds to Binance:


These are both accounts created or taken possession of by the attacker.

What do these results tell us?

Following the activity of 2015717, resulted in finding at least the following victims and funds lost;

  • 20+ victims
  • 638k HBAR lost (NFTs and other tokens have not been taken into account at this point — one victim lost 100m HSUITE, around 300k HBAR)
Victims: date, account ID, HBARs lost and the account used to send to funds to Binance

2015717 has been very successful with the dusting attacks, making it worthwhile to continue attacking the Hedera community. My assumption is that this person has been active for a long time, and will continue to do so as long as it is a lucrative activity.

The attacker also leveraged the fact that Hedera’s native staking rewards get triggered with a transaction — therefore sending a microtransaction can result in a significant staking reward to be triggered, making the prospective victim think the potential “airdrop” is plausible.

Hashpack has introduced a functionality to try and filter out unknown links or give a warning, a great initiative to reduce exposure to these dusting attacks. Hopefully many will not even see those links anymore, though awareness on secure practices needs to stay a priority for onboarding people to Web3.

Personally, I was shocked by the sheer number of victims. I tended to ignore those dust messages, therefore becoming unable to see the extension of the problem. They (the victims) will often not come forward themselves, as they might feel ashamed having fallen for a scam — though I really encourage anyone to report on (or contact me directly). You will never know if your report may be the key to finding the attacker. One of the victims actually gave me information that connected the attacker to a whole new spiderweb — that’s probably for another day.

Take-home message

  1. Never give out your seed phrase
  2. Be careful in visiting unknown websites
  3. Are you a victim? Please report it on chainabuse (or you can contact me directly, but reporting it on chainabuse ensures it will be publicly available).

This has been a personal effort by Milan (HederaDev).

Please reach out if you have questions, suggestions or insights.

Back to community blog