MultiversX Tracker is Live!

[Post Mortem] - The 84K MOON Hack

All Cryptocurrencies

by COINS NEWS 114 Views

[Post Mortem] - The 84K MOON Hack

Hello crypto bros and gals,

Unfortunately some of you are experiencing your first significant MOON loss today (some will say a Reddit rugpull) with the announcement of sunsetting community points.

Believe me I've been there!

It's been a little over 7 months since I was hacked and lost all of my 84K+ MOONs and then some.

You can see the full details of the hack here - https://www.reddit.com/r/CryptoCurrency/comments/11sksgs/i_got_hacked_and_lost_over_300k_today/

I was one of the few who put real money into MOONs (purchasing the majority of my MOONs between .07 and .10) as I believed in the concept and potential strongly. I was at one point a top 50 MOON holder.

I watched as the price of MOONs continued to rise up and over .40, YAY ????! Then ZAP! All gone! ????

Reading the comments on the initial post, I believe the hack single handily caused the price of MOONs to drop about .10 cents on March 15th.

Post Mortem: What Happened?

The most likely scenario is it was a dark web user name and password compromise. A group targeting retail cloud based notepads and apps stumbled upon my Evernote account and 3 wallets were drained.

We can't rule out that this could be an inside job at Evernote or I had a RAT trojan installed on my computer.

Here's a look inside my wallet of 0x023D8a816A8b6394f3144fD74aA3820689fEcaA0 from 3/15/23 and the days leading up to the Arbitrum Airdrop on 3/23/23.

My 84K+ MOONs were the first to go. Here's the txns on Arbiscan - https://nova.arbiscan.io/address/0xe147a73e7d783166f791f10342a0122db80814c4

I quickly learned how wallet drainers like Inferno, Pink, and Venom work.

https://preview.redd.it/kbtey9b3nuub1.png?1316&format=png&auto=webp&s=29715a0340ea5c0ff26e0a6ea9692fd0752bc1d6

They start draining the coins with the most value and work their way down. Additionally, sweeper scripts get installed sweeping up an incoming crypto transactions. The only way to combat sweeper scripts is through the use of MEV.

The whitehats were able to beat the hackers to the Arbitrum Airdrop using their MEV bots. Yay! It's the small wins that count.

All of my crypto in the MetaMask Wallet and Deadalus Wallet was drained within minutes. The Rocketpool Node, the real prize representing about 275K in assets, was a ticking time bomb.

More on that later!

Where did the MOONs go?

Once the MOONs were inside the hacker's wallet of 0xe147a73e7d783166f791f10342a0122db80814c4, they were swapped to ETH. Most were sent to the Hacker 4 wallet (see visual above) and peeled off further from there.

Below are the intermediary wallets

  • 0x85690F09b37b5B5c27DA2f2996D0C19a83eb7164 - Hacker 3
  • 0x63FfB856C7B0078E92385b88127d252122f70B63 - Hacker 4
  • 0x08aE8dC7A2DfDc3e70841986B882778fe8F1B890 - Hacker 5
  • 0x9E9f8a913D23fBd78b2b47b61af0DA35D1c7cd60 - Hacker 6

Here's a look inside the Hacker's wallet of 0xe147a73e7d783166f791f10342a0122db80814c4. All of the MOONs get swapped to ETH and end up at a Kucoin deposit addresses.

Eventually everything ended up in a Kucoin deposit address. You'll notice all of my stolen funds will end up at a Kucoin deposit address.

For those sleuths interested in tracing, here are the Kucoin deposit addresses used to send my stolen funds through.

  • 0x73d663D2F64773453a5c0082486b0B6Cd6dBA247
  • 0x61A87F9D28435F1b46A4094e7dD2b20a40875b31
  • 0xc1268f7a8EB6880F819d787d6bB7130500230572
  • 0x705a53CCB9579e25E81D9Be131a50D3230bB1Dbc
  • 0x74fe799480211a1E430cC5d2aB5d94B0B73C497f

What's Kucoin's Role in this? They're in on it!

Let me explain.

Imagine for a moment law enforcement issues a request to an exchange to freeze any incoming funds with interactions with 0x......

The exchange replies "Ok! We'll freeze any accounts associated with 0x...."'

Kucoin's actual reply to me when asked about the funds.

2 months go by.

The hacker sends 152 stolen ETH through a single Kucoin deposit address. LE sends 30+ emails requesting the subpoena records for this deposit address. The exchange ignores law enforcement.

Another month and a half goes by.

Media pressure forces the exchange to finally release the records to LE. The 152 ETH is long gone.

Unfortunately, this is the exact scenario that played out.

Here's a look inside the Kucoin deposit Address of 0xB129845c082b3BD6Ce163e8B0369aCc6E929B7bC - Hacker RP Kucoin. Over 152 stolen ETH (My rocketpool node) was sent through through this deposit address over the course of 4 hours.

The hacker was able to somehow move all 152 ETH through a single Kucoin deposit address - 0xB129845c082b3BD6Ce163e8B0369aCc6E929B7bC - on Mother's Day.

Once LE finally received the KYC records of this deposit address, we were appalled at what we found.

We have on-chain and off-chain evidence of Kucoin's role in money laundering.

THE HACKER HAD A NON-KYC LEVEL 1 ACCOUNT - How is this even possible? The limit for non-KYC is 1BTC a day, but somehow this hacker withdrew the equivalent of 10+ BTC with just an email address as verification. In other words, this was non KYC account (Level 1) that somehow was able to launder about 275K.

THE HACKER SWAPPED ALL STOLEN ETH TO MONERO(XMR) BEFORE SENDING FUNDS OUT OF KUCOIN - Another huge red flag. Ironically, Kucoin paused Monero swapping days after this took place - https://www.kucoin.com/news/en-deposit-and-withdrawal-services-of-xmr-temporarily-closed-20230530

THE KUCOIN DEPOSIT ADDRESS WAS CREATED THE SAME DAY THE STOLEN FUNDS WERE MOVED IN AND OUT - Isn't there supposed to be withdrawal limits on brand new accounts? Nope, not in this instance.

Here's a look inside 0x8294b95D303949699167F7579c9dA49F6359D4fF - Hacker RP Withdrawl. You can see the flow of funds through the two intermediary wallets before ending up in the Kucoin deposit address.

For those keeping track at home, here's the wallets used to move my Rocketpool Node.

  • 0x8294b95D303949699167F7579c9dA49F6359D4fF - Hacker RPL Withdrawl
  • 0x6Ce770476203Fd13ce77e98299767FF51b2713Cb - Hacker 7 RP
  • 0xb58088bF3df7309aD22c62BA27310f7F28df0fF8 - Hacker 8 RP
  • 0xB129845c082b3BD6Ce163e8B0369aCc6E929B7bC - Hacker RP Kucoin

What could of been a recovery success story turned into a case of "what if".

What's Next?

My crypto is most likely gone for good. Unfortunately that was most of my life savings.

However, this hack has completely re-routed my career path. I now spend most of my waking hours on my own case as well as helping other victims trace funds across the blockchain. A person goal of mine is to pick up a job in cyber security before the end of the year.

A number of Redditors have reached out wanting help tracking their stolen crypto. We've had a few success cases finding persons of interest and passing intel to law enforcement.

To those MOON holders sitting on big losses today, it does get better over time. Once the initial shock wears off some good will come out of it.

submitted by /u/jbtravel84
[link] [comments]

Get BONUS $200 for FREE!

You can get bonuses upto $100 FREE BONUS when you:
πŸ’° Install these recommended apps:
πŸ’² SocialGood - 100% Crypto Back on Everyday Shopping
πŸ’² xPortal - The DeFi For The Next Billion
πŸ’² CryptoTab Browser - Lightweight, fast, and ready to mine!
πŸ’° Register on these recommended exchanges:
🟑 Binance🟑 Bitfinex🟑 Bitmart🟑 Bittrex🟑 Bitget
🟑 CoinEx🟑 Crypto.com🟑 Gate.io🟑 Huobi🟑 Kucoin.



Comments