Threat Hunting Case Study – A Tale of Bots & Stolen Funds

Grab your popcorn and detective hats, folks! Today, we’re diving into a gripping tale of a threat-hunting project we tackled. We can’t spill all the beans for privacy reasons, but we promise this is one rollercoaster of a story. 

The Phishing Scam 

Our tale begins with a simple message promising users on social media a fast track to the crypto millionaires club. After being bombarded with TikTok videos of crypto millionaires flaunting their flashy Lamborghinis while preaching how easy it was to get rich quick, the user couldn’t help but think, “Now it’s my turn!”

After clicking the link and logging in excitedly, the user sees almost $1.5 million appear on the screen. Overwhelmed at the prospect of finally being able to quit their job and retire to a sandy beach somewhere, and without thinking twice, they click the “withdraw” button.

But not without needing to approve the transfer first!

After signing the transaction with their wallet to approve the swap, there was no sign of the user’s wallet being compromised. It seemed that the user really had just become rich! Everything looked just fine, and the contract had been executed without a hitch… So, there wasn’t any risk involved. Right?

Not quite…

Unfortunately for this user, these attackers are crafty. They build a UI that looks completely legitimate, and the wallet’s own transaction preview confirms that story. Behind this innocent facade, they quietly drain all the USDT the victim had been stashing in hopes of investing it in the next 10,000X altcoin.

But how exactly do they orchestrate this sneaky operation? Keep reading to find out.

Sayfer’s Mission

In this wild goose chase of a research project, our mission was to determine the scale of the operation, sniff out all of its domains and addresses, and unmask the culprits behind it. Over several months, we answered most of our initial questions, plus a bunch of surprise brain ticklers we hadn’t even thought to ask at the start!

Let’s dive in…

How it started:

We concluded that the best strategy was to attack on all fronts, but before proceeding, we needed to gather more information. To acquire the necessary information, we began by exploring all the available leads we had.

  1. The malicious Twitter account
  2. The malicious website
  3. The malicious smart contract

What we found:

Bots Bots Bots

We initially suspected the account was a bot, and further investigation confirmed it. The account had few followers and followed only a few accounts, and its tweets promoted scams using generic photos and AI-generated text. To find similar pages, we looked closely at the profile for unique features we could fingerprint. Searching for the specific emojis in the description returned far too many irrelevant results. Just when we thought we were hitting a dead end, we had our breakthrough: a zero-width space (ZWS, U+200B) between two emojis turned out to be the crucial element of our fingerprint.

🚀​🪙

Now, to the human eye, there’s nothing out of the ordinary here… However, upon closer inspection, there’s an additional, unseen character nestled between them. This minute detail was instrumental to our research.

We hypothesized that this could be a glitch in the bot’s script. Following this discovery, we identified over 300 bots sharing the same peculiar character, each promoting a variety of crypto scams and linking to their websites. With this list in hand, we moved on to the next front.
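The fingerprinting step above, as an added example in Python (not Sayfer’s tooling): it lists every invisible code point in a set of profile descriptions together with its visible neighbours, then clusters accounts by that exact pattern, so bots produced by one buggy template (a zero-width space wedged between two emojis) group together while a genuine account with the same visible text does not. The profiles are constructed sample data.

```python
"""Fingerprint social-media bios by the invisible code points they contain.

Added example, not Sayfer's tooling. Given profile descriptions it lists every
zero-width / invisible character with its visible neighbours, then groups the
accounts by that exact pattern, so bots produced by one buggy template (here a
zero-width space wedged between two emojis) cluster together.
The profiles below are constructed sample data.
"""
import unicodedata
from collections import defaultdict

# Code points that render as nothing. U+200D (ZERO WIDTH JOINER) is deliberately
# left out: it is legitimately used inside emoji ZWJ sequences and would cause
# false positives.
INVISIBLE = {"\u200b", "\u200c", "\u2060", "\ufeff", "\u00ad"}


def find_invisible(text):
    """Return (index, 'U+XXXX', unicode name, left neighbour, right neighbour) per hit."""
    hits = []
    for i, ch in enumerate(text):
        if ch in INVISIBLE:
            left = text[i - 1] if i > 0 else ""
            right = text[i + 1] if i + 1 < len(text) else ""
            hits.append((i, f"U+{ord(ch):04X}", unicodedata.name(ch), left, right))
    return hits


def fingerprint(text):
    """Reduce a bio to the tuple of (code point, left neighbour, right neighbour)
    of its invisible characters; accounts built from one template share a key."""
    return tuple((cp, left, right) for _, cp, _, left, right in find_invisible(text))


def strip_invisible(text):
    """What a human sees: the bio with the invisible code points removed."""
    return "".join(ch for ch in text if ch not in INVISIBLE)


def cluster(profiles):
    """Group handles by fingerprint; profiles without invisibles are ignored."""
    groups = defaultdict(list)
    for handle, bio in profiles.items():
        key = fingerprint(bio)
        if key:
            groups[key].append(handle)
    return dict(groups)


# Constructed sample data: two bios from the same bot template, one genuine
# account whose visible emojis are identical, and one bot padded with WORD JOINER.
SAMPLE_PROFILES = {
    "@gains_fast_01": "Turn $100 into $10k this week 🚀\u200b🪙 DM for the link",
    "@moon_signals_7": "Daily 100x calls 🚀\u200b🪙 join the channel",
    "@solidity_auditor": "Smart contract audits, not financial advice 🚀🪙",
    "@coffee_person": "coffee, cats, long walks",
    "@best_exchange_2023": "Best\u2060 exchange\u2060 of 2023",
}

if __name__ == "__main__":
    for key, handles in cluster(SAMPLE_PROFILES).items():
        print(key, "->", handles)
    for handle, bio in SAMPLE_PROFILES.items():
        for i, cp, name, left, right in find_invisible(bio):
            print(f"{handle}: {cp} ({name}) at index {i} between {left!r} and {right!r}")
```

The key deliberately includes the visible neighbours: a ZWS on its own is common enough (copy-paste artefacts, padding) that it is only a strong signal when it sits in exactly the same spot in every bio.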

Bad Websites

Following our successful bot discovery, the next step was researching these fraudulent websites. This involved comprehensive reconnaissance: enumerating the server’s subdomains and folders, gathering information from open sources (OSINT), server fingerprinting, targeted search queries (dorks), Google Analytics ID discovery, Certificate Transparency checks, and more. During this process, we discovered a custom back-end (admin interface) for the website that was not linked from the public site.

We followed the breadcrumbs, and with the help of one of our Google dorks, we found that this admin interface had been mentioned in a Pastebin post a few months prior. This post contained a list of hundreds of similar websites that used the same back-end.

Fortunately, one of these sites had deployed its source maps. This gave us access to the complete front-end source, including comments, and from it we learned the real name of the scam platform. Later, we found out the code was being sold as a crypto scam framework on the Darknet.
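Two of the recon steps above (Google Analytics ID discovery and source map recovery), as an added example in Python that is not Sayfer’s tooling: it extracts Analytics / Tag Manager IDs from a bundle, which pivot well because operators reuse them across sites, finds `sourceMappingURL` references, decodes an inline (`data:` URI) source map, and recovers the original files and their comments from `sourcesContent`. The bundle, source map and their comments are constructed for the example; external map URLs are returned for fetching separately so the script runs offline.

```python
"""Pull fingerprints and source maps out of a scam site's JavaScript bundle.

Added example, not Sayfer's tooling. It (1) extracts Google Analytics / Tag
Manager IDs, (2) finds sourceMappingURL references, (3) decodes an inline
(data: URI) source map and recovers the original sources from "sourcesContent",
including the developers' comments. External map URLs are returned for
fetching separately, since this script runs offline.
The bundle and source map below are constructed for the example.
"""
import base64
import json
import re
import urllib.parse

# UA-... (Universal Analytics), G-... (GA4) and GTM-... (Tag Manager) identifiers.
TRACKING_ID_RE = re.compile(r"\b(?:UA-\d{4,10}-\d{1,4}|G-[A-Z0-9]{6,12}|GTM-[A-Z0-9]{4,9})\b")
# Both the modern '//#' and the legacy '//@' form of the source map pragma.
SOURCEMAP_RE = re.compile(r"^\s*//[#@]\s*sourceMappingURL=(\S+)\s*$", re.MULTILINE)
# Good enough for triage; it also matches '//' inside string literals such as URLs.
COMMENT_RE = re.compile(r"//[^\n]*|/\*.*?\*/", re.DOTALL)


def find_tracking_ids(text):
    return sorted(set(TRACKING_ID_RE.findall(text)))


def find_sourcemap_refs(js_text):
    return SOURCEMAP_RE.findall(js_text)


def parse_source_map(map_text):
    """Map each original path to its embedded content (None if the map omits it)."""
    smap = json.loads(map_text)
    if smap.get("version") != 3:
        raise ValueError(f"unsupported source map version {smap.get('version')!r}")
    root = smap.get("sourceRoot") or ""
    contents = smap.get("sourcesContent") or []
    return {
        root + path: (contents[i] if i < len(contents) else None)
        for i, path in enumerate(smap.get("sources", []))
    }


def recover_sources(js_text):
    """Decode inline source maps; return (recovered {path: source}, external map URLs)."""
    recovered, external = {}, []
    for ref in find_sourcemap_refs(js_text):
        if not ref.startswith("data:"):
            external.append(ref)
            continue
        header, _, payload = ref.partition(",")
        raw = base64.b64decode(payload) if ";base64" in header else urllib.parse.unquote(payload).encode()
        recovered.update(parse_source_map(raw.decode("utf-8")))
    return recovered, external


def extract_comments(source):
    return [c.strip() for c in COMMENT_RE.findall(source)]


# Constructed sample: an "original" front-end file whose comments leak internals.
ORIGINAL_SOURCES = {
    "src/withdraw.js": (
        "// TODO: remove the old product name from the admin panel title before launch\n"
        "export function withdraw(amount) {\n"
        "  /* request the token approval first; the balance is moved later */\n"
        "  return requestApproval(amount);\n"
        "}\n"
    ),
}
SOURCE_MAP = json.dumps({
    "version": 3,
    "file": "bundle.min.js",
    "sources": list(ORIGINAL_SOURCES),
    "sourcesContent": list(ORIGINAL_SOURCES.values()),
    "names": [],
    "mappings": "AAAA",
})
SAMPLE_BUNDLE = (
    "gtag('config','UA-12345678-1');"
    "(function(){var s=document.createElement('script');"
    "s.src='https://www.googletagmanager.com/gtm.js?id=GTM-ABCD123';})();\n"
    "function w(a){return r(a)}\n"
    "//# sourceMappingURL=data:application/json;base64,"
    + base64.b64encode(SOURCE_MAP.encode("utf-8")).decode("ascii") + "\n"
)

if __name__ == "__main__":
    print("tracking IDs:", find_tracking_ids(SAMPLE_BUNDLE))
    sources, external = recover_sources(SAMPLE_BUNDLE)
    print("external maps to fetch:", external)
    for path, src in sources.items():
        print(f"--- {path} ---")
        print(src)
        print("comments:", extract_comments(src))
```

In the field the map is usually a separate `.map` file next to the bundle; the same parser applies once it is fetched, and a map without `sourcesContent` still leaks the original file names and directory layout through `sources`.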

Thanks to our thorough analysis, we identified the cybercrime group based in Asia responsible for the scam and shared this information with law enforcement to bring them to justice.

While identifying the perpetrator was a huge feat, we still needed to understand their methods. This led us to the next avenue of investigation: the smart contract.

Tricky Smart Contract 

During our investigation into their smart contracts, a review of the malicious transactions revealed that the contract was deceitfully asking the user to “approve all”: an ERC-20 approval with an unlimited allowance, which lets the contract move every USDT token in the user’s wallet at any later time without another signature. We were not surprised, as this type of scam is prevalent given the high-risk nature of dApps (you can read more about this in a great piece by our colleagues at Zengo).

But we needed to dig even deeper to understand how this was done, so we decided to reverse-engineer the contract. Our analysis uncovered a strange check triggered when the user attempted to withdraw funds. The contract read the global variable block.basefee, exposed by the BASEFEE opcode (0x48) that EIP-3198 introduced. If it was equal to 0, all contract funds were transferred to the victim, the exact opposite of a scam; otherwise the withdrawal paid out nothing.

(Stay tuned for our upcoming tutorial on how to reverse engineer contracts using ChatGPT).

We continued to dig and found that many transaction simulation tools (including the preview a wallet shows before you sign) let users see the outcome of a transaction without actually executing it. These tools are mainly wrappers around the Ethereum node’s eth_call / trace_call / debug_traceCall RPCs. When such a call is simulated without an explicit gas price, the node runs it with the base fee forced to zero so the simulated sender is not charged (geth exposes this as the NoBaseFee EVM option), so block.basefee reads 0 inside the simulation, whereas in a real mined block after EIP-1559 it is never zero.

The attacker understood this detail of the trace_call implementation and crafted code that behaves differently under simulation than on-chain, so the user sees nothing suspicious: in the simulated environment the victim appears to receive the funds, while in reality the transaction only grants the approval and the victim receives nothing.
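Spotting this pattern in bytecode, as an added example in Python (not Sayfer’s tooling): a naive byte search for 0x48 is wrong because PUSH immediates can contain that byte, so the scanner below disassembles linearly, skipping the data bytes of PUSH1..PUSH32, and reports each environment-reading opcode together with the instruction that follows it. BASEFEE immediately followed by ISZERO is the shape of an “am I inside eth_call / trace_call?” test. The bytecode is constructed for the example, not the scam contract, and a hit is a lead for manual review rather than proof, since legitimate contracts read BASEFEE too.

```python
"""Scan raw EVM bytecode for simulation-detection checks such as BASEFEE ISZERO.

Added example, not Sayfer's tooling. A naive byte search for 0x48 over-counts
because PUSH immediates can contain that byte, so the scanner disassembles
linearly, skipping the data bytes of PUSH1..PUSH32, and reports each
environment-reading opcode with the instruction that follows it.
The bytecode below is constructed for this example, not the scam contract.
"""

# Opcodes that expose block or transaction environment a simulator may zero or fake.
ENV_OPCODES = {
    0x32: "ORIGIN",
    0x3A: "GASPRICE",
    0x41: "COINBASE",
    0x42: "TIMESTAMP",
    0x43: "NUMBER",
    0x44: "PREVRANDAO",
    0x48: "BASEFEE",   # EIP-3198
}
OTHER_MNEMONICS = {
    0x00: "STOP", 0x14: "EQ", 0x15: "ISZERO", 0x56: "JUMP", 0x57: "JUMPI",
    0x5B: "JUMPDEST", 0x5F: "PUSH0", 0xF3: "RETURN", 0xFD: "REVERT",
}


def mnemonic(op):
    if 0x60 <= op <= 0x7F:
        return f"PUSH{op - 0x5F}"
    return ENV_OPCODES.get(op) or OTHER_MNEMONICS.get(op, f"UNKNOWN_0x{op:02x}")


def disassemble(code):
    """Linear sweep: list of (offset, opcode, immediate bytes)."""
    instrs, pc = [], 0
    while pc < len(code):
        op = code[pc]
        size = op - 0x5F if 0x60 <= op <= 0x7F else 0   # PUSHn carries n data bytes
        instrs.append((pc, op, bytes(code[pc + 1:pc + 1 + size])))
        pc += 1 + size
    return instrs


def find_env_checks(code):
    """Every environment opcode with its successor; zero_check marks '<op> ISZERO'."""
    instrs = disassemble(code)
    findings = []
    for i, (pc, op, _) in enumerate(instrs):
        if op in ENV_OPCODES:
            nxt = instrs[i + 1][1] if i + 1 < len(instrs) else None
            findings.append({
                "offset": pc,
                "opcode": ENV_OPCODES[op],
                "next": mnemonic(nxt) if nxt is not None else None,
                "zero_check": nxt == 0x15,
            })
    return findings


def naive_byte_count(code, byte=0x48):
    """What grepping for the raw byte gives; over-counts bytes inside PUSH data."""
    return bytes(code).count(byte)


# Constructed sample: the immediate of PUSH4 contains 0x48 0x15 (a fake BASEFEE ISZERO),
# then the real check: BASEFEE ISZERO PUSH1 0x0b JUMPI, with the "pay the caller"
# branch at JUMPDEST 0x0b reduced to STOP.
SAMPLE_CODE_HEX = (
    "6348150001"   # 00: PUSH4 0x48150001
    "48"           # 05: BASEFEE
    "15"           # 06: ISZERO
    "600b"         # 07: PUSH1 0x0b
    "57"           # 09: JUMPI   -> 0x0b when basefee == 0 (simulation)
    "00"           # 0a: STOP    (real block: nothing happens)
    "5b"           # 0b: JUMPDEST
    "00"           # 0c: STOP    (simulation-only path)
)

if __name__ == "__main__":
    code = bytes.fromhex(SAMPLE_CODE_HEX)
    print("raw 0x48 bytes:", naive_byte_count(code))
    for pc, op, imm in disassemble(code):
        print(f"{pc:04x}: {mnemonic(op)} {imm.hex()}")
    for finding in find_env_checks(code):
        print(finding)
```

Run it against `eth_getCode` output for a contract you are about to approve; the other opcodes in ENV_OPCODES are there because the same trick works with any value a simulator fills in differently from a real block (zero gas price, a fixed coinbase, and so on).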

Contract code that detects and evades simulation is seldom found in the wild. To our knowledge, this is the first instance of anti-VM-style EVM malware: a contract whose behaviour under a simulated call differs from its behaviour on-chain.

Conclusion

In conclusion, this threat-hunting project underscores the importance of comprehensive, multifaceted research in detecting and understanding crypto scams. A myriad of techniques were used, varying from bot fingerprinting and website reconnaissance to smart contract analysis. These techniques demonstrated how in-depth analysis can reveal an operation’s true nature, provide insights into its motivations, and even identify the perpetrators.

Furthermore, this case study emphasizes the need for vigilance and caution in online transactions, particularly in cryptocurrency. In this case, the attackers successfully created a convincing UI/UX, emphasizing the need to inform users about phishing scams and the importance of verifying the authenticity of websites and transactions. Doing so can reduce the risk of fund theft and foster a safer, more secure online environment.

The End.

Written By
Anna Shreder

Anna is a security researcher at Sayfer. She’s passionate about understanding and researching attacking and defending vectors that appear in new emerging technologies.
