Hello!
A hacker stole my 84K MOONs back in March. That wasn't very nice of them =(
Now it's payback time against those hackers/scammers/rug pullers and other malicious entities who give crypto such a bad reputation.
I went through the exercise of attempting to doxx the hackers who stole 525K from a victim recently https://platform.arkhamintelligence.com/exchange/bounties/4b3c63de-f4fe-4ed5-88ed-ba49fdf8ebe3
The research is all my own! Please feel free to check and cross reference all of my work.
Let's begin!
Part 1 - Hacker 525k 1
0x3833F1ADdFe7952ca9c577939549D6c6062cb6Fa - Hacker 525K 1
This address is one of two as outlined by the victim in the bounty. I labeled 0x3833F1ADdFe7952ca9c577939549D6c6062cb6Fa - Hacker 525K 1 to keep track for my own records.
Above, I noticed numerous interactions between 0xAfF6dB2974315B21b578eFAdb60a08603eb8EDeA [Pablito147 on Opensea] and 0x3B380f3Be0db93161E6Cb7a53DE4958BF457A33C [Opensea User]. I moved the shared wallets to the left and shared deposit addresses to the right. I'm pretty confident both are hacker wallets. They are both directly connected to 0x3833F1ADdFe7952ca9c577939549D6c6062cb6Fa [Hacker 525K 1]
Deposit Addresses
Here's a list of the shared Deposit Addresses
- 0x0C43FA6f7dFE8DB1f80748C459A2239c6A08e980 - Binance
- 0xc2D54190d9C83Da8d30D302ad39a0Ab488b4032d - OKX
- 0xBf7B0cE8db8883F3E4EC6900079ebFE6AA5573b8 - Kucoin
- 0x2422371A74Ea2674853B15748EFb491BF49CB6Ec - Kucoin
Shared Wallets
Here's a list of the shared Wallets
Another Victim
I did a quick Google search to see if I can find anything on 0xAfF6dB2974315B21b578eFAdb60a08603eb8EDeA - [Pablito147 on Opensea]. Below is a victim I found who lost 200K.
Victim YouTube -
https://www.youtube.com/watch?v=splBczgXEEY
Hacker Wallets listed in description
- 0x634CE987dB07BA4197b6Ae9F3478A707e3D7646f [looks like ApeXPool]
- 0x505B5eDa5E25a67E1c24A2BF1a527Ed9eb88Bf04 [looks like Coinweb token]
- 0x52A8845DF664D76C69d2EEa607CD793565aF42B8 [looks like ApeX Token]
- 0x6bB78583889bF9380dB2206e66e2DCd641fB1f39 - High Risk - other comments on Etherscan
- 0x29488E5fD6bF9B3cc98A9d06A25204947ccCBE4D - Fake_Phishing180395
- 0x9b6d18d156ef8ED96A48d75664315C6Eac6F4906
- 0xAfF6dB2974315B21b578eFAdb60a08603eb8EDeA
- 0xA4CC15cd24316988dfc4310eC3c2664F3c9BBac1
Tracking ENS Interactions
0x3B380f3Be0db93161E6Cb7a53DE4958BF457A33C [Opensea User] is in current possession of the below ENS addresses
- ballaboveall.eth
- loveneverfails.eth
- 03161992.eth (What's the significance here? Someone's birthday?)
How did he/she/they acquire these ENS addresses?
Here's an example
https://preview.redd.it/v869xnuh9knb1.png?width=1272&format=png&auto=webp&s=8a56a71c98bd203eb5f503d3b4ee3540fe14c51b
-0x3B380f3Be0db93161E6Cb7a53DE4958BF457A33C- received ballaboveall.eth from Bigpudgy.eth - https://etherscan.io/tx/0xa3f4e48ff498b83e6032069af509f4e6595d87b29e4a1890a9e854c3dbc7124c
--0x3b10f088D7a83E92E91D4A84FE2c656AF92a801D - Bigpudgy.eth aka Calm_tothemoon
Both loveneverfails.eth and 03161992.eth were also transferred in a similar way from 0x3b10f088D7a83E92E91D4A84FE2c656AF92a801D - Bigpudgy.eth
Social Info
Social info of Bigpudgy.eth - 0x3b10f088D7a83E92E91D4A84FE2c656AF92a801D
Summary
Looking at https://opensea.io/Calm_tothemoon/activity aka bigpudgy.eth, he could be a victim or have direct ties to the hacker. I looked through the boot2thrill twitter account and didn't see any signs of a hack. Specifically, I was looking at dates around March 6th 2023 and Feb 2nd 2023 as those dates were when most of the NFT transfers to 0x3B380f3Be0db93161E6Cb7a53DE4958BF457A33C happened.
However, looking inside 0x3b10f088D7a83E92E91D4A84FE2c656AF92a801D - Bigpudgy.eth, I'm seeing mostly Coinbase deposit addresses. Coinbase isn't typically an exchange a hacker would use. If this person is a hacker, he's certainly keeping his personal and hacking activity separate.
Part 2 - Hacker 525k 2
0x8d50d2EEEED7ea1De60C51Ba3f767e48dFbD2320 - Hacker 525K 2
Here's the other wallet identified by the victim in the bounty. I labeled 0x8d50d2EEEED7ea1De60C51Ba3f767e48dFbD2320 - Hacker 525K 2
Looking at the 2nd hacker wallet - 0x8d50d2EEEED7ea1De60C51Ba3f767e48dFbD2320 [Hacker 525K 2] I was investigating where the most outgoing txns were going. I came up with 6 wallets. Of most interest was: 0x834A683d81CeFafA9A97c2549d9D3fB0bF0b2B43 - Opensea user. I labeled this one with a red arrow in the image above.
Wallets of Interest
Below I'll make the connection between 0x8d50d2EEEED7ea1De60C51Ba3f767e48dFbD2320 [Hacker 525K 2] and 0x834A683d81CeFafA9A97c2549d9D3fB0bF0b2B43 - Opensea user. I wanted to verify that "0b2B43" was indeed a hacker wallet.
Looking inside 0x834A683d81CeFafA9A97c2549d9D3fB0bF0b2B43 - Opensea user, you can clearly see that it was initially funded on 10/9/21 by 0x8d50d2EEEED7ea1De60C51Ba3f767e48dFbD2320 [Hacker 525K 2]
Tracking ENS Interactions
Below we'll focus on one ENS address, the-oasis.eth. The route this ENS took was very interesting. Starting with the minting of the ENS from Opensea:
-0x5c255c0571be150Fc482Ec3d345f6218188723bD [The-Oasis_Gamemaster]
--0x8d50d2EEEED7ea1De60C51Ba3f767e48dFbD2320 [Hacker 525K 2]
---0x834A683d81CeFafA9A97c2549d9D3fB0bF0b2B43 - Opensea user - owner
In all three instances, the ENS was transferred between wallets. In no instance was a sale ever made.
I noticed 0x834A683d81CeFafA9A97c2549d9D3fB0bF0b2B43 - Opensea user was in current possession of "the-oasis.eth". Where did this wallet receive it from? You guessed it! 0x8d50d2EEEED7ea1De60C51Ba3f767e48dFbD2320 [Hacker 525K 2] And, who sent it to the hacker wallet? 0x834A683d81CeFafA9A97c2549d9D3fB0bF0b2B43 [The-Oasis_Gamemaster]
The Connection
https://preview.redd.it/cdl2nwdl7knb1.png?width=2536&format=png&auto=webp&s=ff74f1c699c96c5983c7d858a433a60dd810c69f
Looking inside 0x834A683d81CeFafA9A97c2549d9D3fB0bF0b2B43 - Opensea user, I noticed a few interesting things.
- This wallet is directly depositing into Binance accounts frequently used by Hacker 525k 1 and Hacker 525k 2. There are more similarities but those appear to be the main ones.
- 0xdBe063ddE9A72F511B64e75a4966F907942FC1a6 - Binance
- 0x2fe55e3d83c9d85cbfBf7520b5F3Df619744d0Af - Binance
- 0x834A683d81CeFafA9A97c2549d9D3fB0bF0b2B43 - Opensea user was directly funded on 10/9/21 and represents the first transaction by 0x8d50d2EEEED7ea1De60C51Ba3f767e48dFbD2320 [Hacker 525K 2]. - Etherscan TXN link
- The wallet 0x5c255c0571be150Fc482Ec3d345f6218188723bD ["The-Oasis_Gamemaster"] appears to be directly connected to 0x834A683d81CeFafA9A97c2549d9D3fB0bF0b2B43 - Opensea user
Interestingly enough, the last ever transactions inside 0x5c255c0571be150Fc482Ec3d345f6218188723bD [The_Oasis_Gamemaster] were to both Hacker 525K Arkham and 0x834A683d81CeFafA9A97c2549d9D3fB0bF0b2B43 - Opensea user.
Social Info
At the time of this tweet 0x5c255c0571be150Fc482Ec3d345f6218188723bD [The-Oasis_Gamemaster] owned "the-oasis.eth". I actually found photos of the owner which I won't post here.
- Twitter - Dartanyan1991
- IG - Dartanyan1991
- Reddit - u/Dartanyan1991
- Bday - 9/15/1991
- Ethnicity - Turkish maybe
Summary
This could very well be a victim or he could be directly connected to the hacker wallet. Similar to the other account, I checked twitter and didn't see any signs of a hack. Very interesting the wallet is no longer in use as of 11/11/2021.
Part 3 - Additional Info
Below is additional information I found. I don't think there's enough here yet. It's worth documenting to investigate at a later time.
GankNFT
I found this wallet interacting with Binance deposit address - 0xE3563A1408CE86836857b495c8Cb9E034abbeAC1. I noticed that 0x8d50d2EEEED7ea1De60C51Ba3f767e48dFbD2320 - Hacker 525K 2 also deposited $200 worth of USDT to this same deposit address with this Etherscan txn.
Social Info
- Name - Chase
- Wallet - 0x86c0F115926544fF39e0b12960Ee1CafEac35ebb - GankNFT
- Twitter - GankNFT
- Notes - Opensea and Twitter profile photo matches
- Additional Wallet - 0x7D00cC2F5539dE3adE7c28975c236A23aa0b406e - "GankNTF on OpenSea"
Maybe Same person - I couldn't find any on-chain connections but the twitter handle is very similar
- Name - Edwin Enart
- Location - Indonesia
- Wallet - 0xD441Aaf73D3Fa35768B5c3AFE2f3C05d90D4e09F
- Twitter - TheGank_NFT
- Twitter 2 - Dino_Zard
- IG - TheGank_NFT
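The shared-counterparty comparison used in Part 1 (wallets that both seed addresses touched, and deposit addresses that both paid into), as an added Python example that is not part of the original post. Every address and label is a constructed placeholder, and the `max_senders` cutoff is an assumed threshold for demoting labelled addresses that too many distinct wallets pay into to count as strong evidence.

```python
from collections import defaultdict

def norm(addr):
    # EIP-55 checksum casing and all-lowercase denote the same address.
    return addr.lower()

def shared_counterparties(transfers, seed_a, seed_b, deposit_labels, max_senders=3):
    """Split counterparties common to two seed wallets into shared deposit
    addresses (strong), crowded labelled addresses (weak) and shared wallets."""
    a, b = norm(seed_a), norm(seed_b)
    labels = {norm(k): v for k, v in deposit_labels.items()}
    sent_to = defaultdict(set)     # sender -> recipients
    touched = defaultdict(set)     # wallet -> counterparties, either direction
    senders_of = defaultdict(set)  # recipient -> distinct senders
    for src, dst in transfers:
        src, dst = norm(src), norm(dst)
        sent_to[src].add(dst)
        touched[src].add(dst)
        touched[dst].add(src)
        senders_of[dst].add(src)
    deposits, weak = {}, {}
    for addr in sent_to[a] & sent_to[b]:
        if addr in labels:
            # Assumption: a deposit address maps to one exchange account, so many
            # distinct senders points to a hot wallet or a wrong label instead.
            crowded = len(senders_of[addr]) > max_senders
            (weak if crowded else deposits)[addr] = labels[addr]
    wallets = (touched[a] & touched[b]) - set(labels) - {a, b}
    return {"deposits": deposits, "weak": weak, "wallets": sorted(wallets)}

def _addr(n):
    return "0x" + f"{n:040x}"  # constructed placeholder address

A, B = _addr(1), _addr(2)                               # two seed wallets
DEP, HOT, W1 = _addr(0xD1), _addr(0xE1), _addr(0xF1)
LABELS = {DEP: "exchange-1 deposit (constructed)", HOT: "exchange-2 (constructed)"}
TRANSFERS = [                                           # constructed (from, to) pairs
    (A, "0x" + DEP[2:].upper()), (B, DEP),              # same deposit, mixed casing
    (A, HOT), (B, HOT), (_addr(3), HOT), (_addr(4), HOT), (_addr(5), HOT),
    (A, W1), (W1, B),                                   # wallet linked to both seeds
]

def demo():
    return shared_counterparties(TRANSFERS, A, B, LABELS)

if __name__ == "__main__":
    for kind, found in demo().items():
        print(kind, found)
```

A shared deposit address is evidence that two wallets feed the same exchange account, not proof of who controls them; the `weak` bucket holds matches that need a second, independent link before they mean anything.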