Case #5
Malicious software

With the development of blockchain technology and the growing popularity of cryptocurrencies, the world has encountered new types of fraud that exploit their technical features.
One such scheme is the spoofing of the recipient’s address in transactions, known as "crypto fraud via clippers or ENS (Ethereum Name Service)".
The essence of this scheme is that fraudsters introduce malware (clippers) or manipulate trust services (ENS) to change the address of the wallet to which the victim is going to transfer funds. As a result, the user unknowingly sends their money to the attacker’s address.

The popularity of this scheme is due to a combination of several factors. First, there is a high level of trust in the blockchain environment, where transactions are considered secure and irreversible. Second, most users are not sufficiently aware of possible threats or neglect to verify information before sending funds. And, of course, the lure of large profits makes such schemes particularly tempting for fraudsters. These incidents illustrate the key vulnerabilities of cryptocurrency transactions and the need to improve literacy among users.
Variations of fraud incidents
Address spoofing scams are one of the most insidious forms of attacks in the cryptocurrency sphere. Attackers are constantly finding new ways to defraud users by utilizing technical features of the blockchain and human errors. Let’s take a look at the main variations of incidents that users may encounter.
1. Clipper (malware, clipboard spoofing)

Clippers are malicious programs that infect victims' devices and run in the background. Their job is to monitor the contents of the user’s clipboard. When the user copies the cryptocurrency wallet address for a transfer, the clipper automatically replaces it with the attacker’s address. If the victim does not check the copied address before the transaction, the funds are irretrievably sent to the fraudsters.

Such attacks are particularly dangerous due to their stealth: the clipper is inactive except for data substitution and often remains invisible to antivirus programs unless they are updated.
2. ENS scam (creating a fake ENS name)

ENS (Ethereum Name Service) is a convenient way to interact with wallets, replacing long cryptocurrency wallet addresses with understandable names such as wallet.eth. However, scammers often create ENS addresses that are visually similar to legitimate ones, such as using similar characters or intentionally misleading users.

Example: a legitimate address may look like 0xbac1…y3bd, but an attacker creates the address 0xbac1…y3bd.eth. Victims, not noticing the differences, send funds to the spoofed address, resulting in loss of funds. This is especially true in situations where the ENS name is advertised through phishing sites or fake correspondence.
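A check of the kind a wallet or explorer could run on a name before resolving it, added here as an illustration (it is not code from the original case or from AML Crypto): it flags labels that imitate a raw 0x address, as in the example above, and characters outside plain ASCII that are typically used as homoglyphs. The acceptance policy is a constructed simplification, not the ENS normalisation standard.

```python
import unicodedata

# Acceptance policy assumed for this example (a constructed simplification,
# not the ENS normalisation standard): lowercase ASCII letters, digits, hyphen.
ALLOWED_ASCII = set("abcdefghijklmnopqrstuvwxyz0123456789-")


def ens_name_warnings(name):
    """Return reasons why an ENS name looks like a lookalike of a legitimate one.

    An empty list only means no check fired; it does not prove the name
    belongs to the intended counterparty.
    """
    warnings = []
    if name.lower().endswith(".eth"):
        label = name[:-4]
    else:
        label = name
        warnings.append("name does not end in .eth")

    # A label imitating a raw wallet address (0xbac1...3bd.eth) is a red flag:
    # a real address is never a .eth name, and a real name has no reason to
    # look like one.
    if label.lower().startswith("0x"):
        warnings.append("label imitates a raw 0x wallet address")

    # Homoglyphs: Cyrillic 'a' for Latin 'a', fullwidth digits, zero-width
    # characters and so on all fall outside the plain ASCII policy.
    for ch in label:
        if ch.lower() not in ALLOWED_ASCII:
            warnings.append(
                "unexpected character %r (%s)" % (ch, unicodedata.name(ch, "UNKNOWN"))
            )

    # If compatibility normalisation changes the label, it used characters
    # that merely resemble the canonical ones.
    if unicodedata.normalize("NFKC", label) != label:
        warnings.append("label changes under NFKC normalisation")
    return warnings


def is_suspicious_ens_name(name):
    return bool(ens_name_warnings(name))


if __name__ == "__main__":
    for n in ["wallet.eth", "0xbac1d3bd.eth", "w\u0430llet.eth"]:
        print(n, "->", ens_name_warnings(n) or "no warnings")
```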
3. Hacking accounts and spoofing messages

Scammers often resort to social engineering and hacking into social media or messenger accounts. After gaining access to an account, attackers start communicating with the victim’s friends or partners on their behalf. In the process of communication, they provide fake addresses for sending funds, pretending to be the actual ones.

Such attacks are typical for group conversations, where cryptocurrency transfers are often made between participants. The user may not check the provided address, relying on trust in the sender, and transfer money to the scammers.
Interviewing

AML Crypto was contacted by a victim of a Dust attack scam. The victim (identity withheld to protect personal data) told her story, providing key information about the events that led to the loss of funds.


It all started with a routine transfer of funds between the victim and her regular counterparty, with whom successful transactions had previously taken place.

They had been exchanging digital assets for several months, and the victim had no reason to doubt the honesty of her partner. However, the latest transfer attempt ended with an unexpected problem.

The victim said that she received a request from her counterparty to transfer a certain amount of money. For convenience, she decided not to ask him for his address again, but simply to use the one in her transaction history. She selected the last address from which the counterparty had previously sent funds and made the transfer. However, some time later, the counterparty claimed that the funds had not reached him.
In an attempt to understand, the victim checked the blockchain history and saw that the transaction had been successful: the funds had been sent to and received by an address that matched her choice. Convinced of this, she decided that the counterparty was scamming her in an attempt to get additional funds. But to make sure, she enlisted the help of AML Crypto.

When analyzing the data provided, the AML Crypto team discovered that the victim had been targeted by a Dust attack.

A Dust Attack is a type of blockchain cyberattack in which attackers send a small amount of cryptocurrency (known as dust) to a victim’s wallet in order to either identify the wallet owner or mislead the user and subsequently gain access to their funds.

There are more sophisticated variants of the Dust attack, in which attackers create fake tokens whose smart contract reports fictitious records of token movements. Because the contract controls what it reports, the attacker can list the victim's address as the sender of the token. As a result, a record appears in the victim's transaction history showing that the victim's address allegedly sent a certain number of tokens to another address.

This manipulation may mislead the victim, because when he checks his transaction history, he will see a transaction that he did not actually make. Such actions can cause mistrust or confusion, especially if the victim is not well versed in the principles of blockchain and smart contracts.
In this incident, the attackers created a fake token and intentionally recorded a bogus transaction in the victim’s transaction history. The fake transaction was designed to match the amount of the victim’s last real transaction, and the recipient’s address was generated to look like the real one (matching first and last characters). When the victim decided to repeat the transfer, she did not check the address manually, but simply remembered that she had previously sent a similar amount to an address with certain characters. When the victim saw the data match in the bogus transaction, she copied the attacker’s fake address, unaware of the substitution. This is similar to when someone puts a fake key in your pocket that looks like your real key — and you try to open the door without looking.
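The following added example (not code from the original case or from AML Crypto) reproduces the trap described above on constructed data: a history containing one genuine transfer and two entries planted by a fake token contract, a screening routine that flags the planted entries by their unknown token contract, their lookalike counterparty address and dust-sized amount, and the safe alternative of reusing a recipient only on an exact match with a saved address book. All addresses and contracts are constructed.

```python
from collections import namedtuple

# Constructed sample data: none of these are real addresses or contracts. The lookalike
# shares the first six and last four characters with the genuine partner address.
REAL_PARTNER = "0xbac1" + "0011223344556677889900aabbccddee" + "d3bd"
LOOKALIKE = "0xbac1" + "ffeeddccbbaa99887766554433221100" + "d3bd"
TRUSTED_USDT = "0x" + "1" * 40  # token contract the victim really uses
FAKE_TOKEN = "0x" + "2" * 40    # attacker's contract reporting bogus transfers

# direction is "out" or "in" as an explorer would display it; token_contract is
# the contract that reported the transfer.
HistoryEntry = namedtuple("HistoryEntry", "direction counterparty amount token_contract")

HISTORY = [  # the victim's history as she saw it: the planted entries are the most recent
    HistoryEntry("in", LOOKALIKE, 0.000001, FAKE_TOKEN),      # dust to seed the history
    HistoryEntry("out", LOOKALIKE, 500.0, FAKE_TOKEN),        # bogus: the victim never sent this
    HistoryEntry("out", REAL_PARTNER, 500.0, TRUSTED_USDT),   # the genuine earlier transfer
]


def is_lookalike(candidate, known, prefix=6, suffix=4):
    """Same leading and trailing characters as a known address, but not that address."""
    c, k = candidate.lower(), known.lower()
    return c != k and c[:prefix] == k[:prefix] and c[-suffix:] == k[-suffix:]


def poisoning_warnings(history, trusted_partners, trusted_tokens):
    """Pair each suspicious history entry with the reasons it looks planted."""
    tokens = {t.lower() for t in trusted_tokens}
    flagged = []
    for e in history:
        reasons = []
        if e.token_contract.lower() not in tokens:
            reasons.append("transfer reported by an unknown token contract")
        for p in trusted_partners:
            if is_lookalike(e.counterparty, p):
                reasons.append("counterparty is a lookalike of %s...%s" % (p[:6], p[-4:]))
        if 0 < e.amount < 0.01:
            reasons.append("dust-sized amount")
        if reasons:
            flagged.append((e, reasons))
    return flagged


def recipient_from_history(history, address_book):
    """Safe reuse of a recipient: only an exact match with a saved address counts."""
    saved = {a.lower() for a in address_book}
    for e in history:
        if e.direction == "out" and e.counterparty.lower() in saved:
            return e.counterparty
    raise LookupError("no exact match in history; confirm the address with the counterparty")
```

Run against HISTORY, poisoning_warnings flags exactly the two entries that name the lookalike, and recipient_from_history returns the genuine partner address because the lookalike never matches the address book exactly.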

The victim admitted that this was the first time she had heard of this method of deception. She also regretted not verifying the address directly with the counterparty, relying on her transactional history. This situation served as a reminder of the importance of checking addresses and being vigilant even when dealing with trusted counterparties.
Blockchain Investigation
Part I: investigating the path of funds laundering by the attacker

In Part I of the investigation, we will examine the flow of funds that were stolen in this incident.


To further analyze the attacker’s actions related to the laundering of funds on the blockchain, we consider a layered diagram that illustrates the connections between the addresses of the victim, the attacker, and the centralized services on the blockchain (interconnection graph):

The AML Crypto team obtained the transaction data of the victimized party, including the address to which funds were transferred to invest in a particular service, in order to conduct a blockchain investigation.
Step 1: Theft of funds and distribution to transit addresses
In the first step, the attacker receives funds from the victim’s address [1] to his address [2]. After receiving the funds, he proceeds to distribute them to his transit addresses [4], [5], [6], [7], [8]:
A transit address is a wallet belonging to the same entity from which the clustering process starts. Such an address is characterized by the fact that the volume of incoming funds fully corresponds to the volume of outgoing funds, as a result of which its balance always remains zero (or close to zero).
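As an added illustration on constructed data (not the investigation's own graph or tooling), the transit-address heuristic just described can be coded directly: inflow and outflow are summed per address, an address whose outflow matches its inflow within a fee tolerance is a transit address, and walking outgoing edges from the attacker's address through such addresses ends at the deposit addresses where the funds stop. Numeric labels stand in for real addresses.

```python
from collections import defaultdict, deque

# Constructed transfers modelled on the graph in the text: the victim [1] pays the
# attacker [2], who fans the funds out through transit addresses and consolidates
# them at exchange deposit addresses [26] and [27]. Labels stand in for real
# addresses; amounts are illustrative, with small fee losses at each hop.
TRANSFERS = [
    ("1", "2", 10.0),
    ("2", "4", 3.0), ("2", "5", 3.0), ("2", "6", 3.0),      # [2] keeps 1.0 behind
    ("4", "9", 2.99), ("5", "10", 2.99), ("6", "11", 2.99),
    ("9", "26", 2.98), ("10", "27", 2.98), ("11", "26", 2.98),
]


def flows(transfers):
    """Sum inflow and outflow per address: {address: [inflow, outflow]}."""
    f = defaultdict(lambda: [0.0, 0.0])
    for src, dst, amount in transfers:
        f[src][1] += amount
        f[dst][0] += amount
    return f


def is_transit(address, f, tolerance=0.02):
    """Transit address: everything that came in went out again, up to fees."""
    inflow, outflow = f[address]
    return inflow > 0 and outflow > 0 and abs(inflow - outflow) <= tolerance * inflow


def trace_from(start, transfers, f):
    """Follow outgoing edges from start through transit addresses; return
    (transit addresses passed through, addresses where the funds stopped)."""
    out_edges = defaultdict(list)
    for src, dst, _ in transfers:
        out_edges[src].append(dst)
    transit, terminals, queue, seen = set(), set(), deque([start]), {start}
    while queue:
        current = queue.popleft()
        for nxt in out_edges[current]:
            if nxt in seen:
                continue
            seen.add(nxt)
            if is_transit(nxt, f):
                transit.add(nxt)
                queue.append(nxt)
            else:
                terminals.add(nxt)  # deposit address or a holder worth a request
    return transit, terminals
```

Starting from address "2", the walk passes through "4", "5", "6", "9", "10" and "11" and stops at "26" and "27", the deposit addresses to which a formal request would be directed.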
Step 2: The attacker obfuscates his tracks
In the second step, the attacker takes actions to cover his tracks to make it difficult to track transactions without the use of specialized tools. In this case, he used addresses [9], [10], [11], [12], [13], [14], [15], [16], [17], [28], which also acted as transit addresses.

This paper presents a simplified example of how an attacker obfuscates his traces. However, in practice, much more complex laundering schemes can be used, involving token exchanges, transitions between blockchains, and the use of various networks and services to anonymize transactions. These methods make the investigation of such incidents much more time-consuming and complex.
Part of the funds went to address [21], which is a deposit address of the @Wallet wallet (a cryptocurrency wallet and exchange in Telegram). We sent a request to this exchange, and in its response we were informed that the attacker had withdrawn all the funds to address [25].
Step 3: Laundering stolen funds through centralized services
In the final step, the attacker transferred all stolen funds using transit addresses [22], [23], [25] to the deposit addresses of Binance [26] and MEXC [27] exchanges. It is noteworthy that all stolen assets were consolidated on two deposit addresses of these platforms. Subsequently, requests were sent to the exchanges to provide information about the account holders associated with these addresses.
The address [24], indicated by the orange area, is highlighted in the graph. Although it is not directly related to the current incident and was not involved in the laundering of funds, this address plays an important role because it links addresses [26] and [25]. This automatically includes address [24] in the cluster of addresses associated with the attacker’s activity. For the Crypto Investigation Expert, this provides an additional point to analyze and examine the attacker’s connections to centralized services, which can be an important lead in an investigation.
Blockchain Investigation
Part II: gathering additional leads on the blockchain about the attacker

The second part of the investigation focused on the dummy token that the attacker used to plant fake records in the transaction history of the victim's address [17].


Analyzing the attacker’s address [11] revealed an address [8] associated with the creation of fake tokens. The process of issuing tokens is relatively simple for experienced market participants and requires only a small cost for smart contract interaction fees. The transactions involved in token creation have been identified through links between address [8] and other addresses [1], [6], [7], [9], [10].


Address [8] used funds withdrawn from centralized exchanges (addresses [2], [3], [4], [5]) to cover the fees. These links make it possible to direct formal inquiries to the exchanges in order to obtain data on the account owner who initiated the withdrawals used to carry out the fraudulent scheme.


Addresses [12], [13], [14], [15], [16] belong to unknown users who, presumably, are also victims of this scheme, but are not directly related to the victim from the described incident.

Recommendations for users who have realized that they are being tricked
Stop the transaction
If you have not yet confirmed the transfer, stop the transaction and make sure the recipient’s address is correct. Compare it with an official source or re-request the address from the counterparty.
Check your device
Make sure your device is not infected with malware (e.g. clipper). Use antivirus software and update it regularly. Pay special attention to programs that access the clipboard.
Consult experts
If you still have doubts about a transaction, seek help from specialized blockchain research companies or experienced users.
Recommendations for users who have already fallen victim to the scheme
Save all data
Record the addresses associated with the fraudulent transaction, the hash of the transaction, the date and amount of the transfer. This data will be useful for investigation.
Reach out to blockchain investigators
Companies such as AML Crypto can help trace the path of funds and identify the addresses associated with the fraudster, increasing the chances of recovering funds.
Make a formal complaint
File a complaint with law enforcement or regulatory authorities in your country. Include all evidence and explain the situation.
Check your devices
Make sure your wallet, device and accounts are not compromised. Change passwords and make sure private keys and seed phrases are protected.
Incident Results
Positive
Funds were returned to the client
Disclosure of fraud scheme: The investigation uncovered a multi-step fraud scheme involving social engineering, fake platforms, and sophisticated methods of hiding transactions through transit addresses and centralized exchanges.

Only through AML Crypto's tools and databases was it possible to link the fraudsters to these exchanges. The police, with the help of our company, made a qualified inquiry in response to which the services provided personal data of the scammers.

Identification of key addresses: During the investigation, the addresses of the attackers, as well as transit and deposit addresses associated with the centralized exchanges were identified, which made it possible to send official requests to obtain data on account holders.

Awareness raising: The incident served as a reminder of the importance of data verification during transactions, increasing cybersecurity and user diligence when dealing with cryptocurrencies.