SlowMist: 2024 Q2 MistTrack Stolen Forms Analysis

SlowMist
2024-07-02 20:52:03
This series analyzes malicious tactics through anonymized real cases to help users learn how to protect their assets.

Author: SlowMist AML Team

With the rapid development of blockchain technology, security incidents targeting users, such as theft, phishing, and fraud, are increasing, and the attack methods are diverse. SlowMist receives a large number of requests for help from victims every day, asking us to assist in tracing and recovering funds; many of these victims have lost tens of millions of dollars. With that in mind, this series uses the statistics of the stolen forms received each quarter to analyze common and rare malicious methods, drawing on anonymized real cases to help users learn how to better protect their assets.

According to our statistics, the MistTrack Team received a total of 467 stolen forms in Q2 2024, 146 from overseas and 321 domestic. We provided free community assessment services for these forms. (P.S. This article covers only cases submitted through the forms; cases that reached us by email or other channels are excluded.)

Among them, the MistTrack Team assisted 18 theft victims in freezing approximately $20.6641 million in funds across 13 platforms.

Top 3 Reasons for Theft

The most common malicious methods in Q2 2024 forms are as follows:

Private Key Leakage

According to the Q2 form statistics, many users store their private keys / mnemonic phrases in cloud services such as Google Docs, Tencent Docs, Baidu Cloud, and Shimo Docs. Some users send their private keys / mnemonic phrases to trusted friends via tools like WeChat, and some even use WeChat's image recognition feature to copy the mnemonic phrase into a WPS spreadsheet, then encrypt the spreadsheet and enable cloud sync while also keeping a copy on their local hard drive. These seemingly secure habits greatly increase the risk of information theft. Hackers often use "credential stuffing": they collect publicly leaked username-password databases and try those pairs against cloud storage services. Although this is a numbers game, once a login succeeds the attacker can easily find and steal cryptocurrency-related information; this is passive information leakage. There are also cases of active leakage, such as victims being induced by scammers impersonating customer service to fill in their mnemonic phrases, or being lured by phishing links on chat platforms like Discord into entering their private key. Here, the MistTrack Team strongly reminds everyone that under no circumstances should private keys / mnemonic phrases be disclosed to anyone.

In addition, fake wallets are another major cause of private key leakage. This is a well-known problem, yet many users still inadvertently click on ad links in search engine results and download counterfeit wallet applications. Because of network restrictions, many users choose to download applications from third-party sites. Although these sites claim their applications are mirrored from Google Play, their actual safety is questionable. The SlowMist security team previously analyzed wallet applications on the third-party app market apkcombo and found that the imToken version 24.9.11 offered by apkcombo is a version that does not exist; it is currently one of the most common fake imToken wallets on the market.

We have also tracked backend management systems used by fake wallet teams, which include complex cryptocurrency control functions such as user management, currency management, and recharge management. The sophistication and professionalism of this kind of phishing go beyond what many people imagine.

For example, there was a relatively rare case in Q2: a user searched for "Twitter" on a search engine and accidentally downloaded a counterfeit Twitter application. When the user opened it, a prompt claimed that a VPN was required due to regional restrictions and guided the user to download a fake VPN bundled with the application, which resulted in the user's private key / mnemonic phrase being stolen. Such cases remind us once again that any online application or service should be carefully reviewed and verified to confirm it is legitimate and safe.

Phishing

According to our analysis, many of the theft cases in Q2 were caused by users clicking on phishing links in the comments under tweets from well-known projects. The SlowMist security team previously ran a targeted statistical analysis: for about 80% of well-known project teams, the first comment under a newly posted tweet is occupied by a scam phishing account. We also found numerous Telegram groups selling Twitter accounts with varying follower counts and posting frequencies, letting potential buyers choose according to their needs. Historical records show that most of the accounts for sale are associated with the cryptocurrency industry or with internet celebrities.

In addition, there are websites that specialize in selling Twitter accounts, offering accounts registered in various years and even supporting the purchase of highly similar (lookalike) accounts. For example, the counterfeit account Optimlzm closely resembles the real account Optimism. After purchasing such a lookalike account, phishing gangs use promotion tools to boost the account's interactions and follower count, thereby enhancing its credibility. These promotion tools not only accept cryptocurrency payments but also sell various social media services, including likes, retweets, and follower increases. Using these tools, phishing gangs obtain a Twitter account with a large number of followers and posts that mimics the posting pattern of a project team. Because it is so similar to the real project account, many users find it difficult to tell the real one from the fake, which further raises the phishing gangs' success rate.

The phishing gangs then launch their attack, for example by using automated bots that monitor well-known projects. When the project team posts a tweet, the bot replies automatically to seize the first comment and attract more views. Since the gang's disguised account is extremely similar to the project's account, a careless user who clicks a phishing link on the fake account and then authorizes or signs may lose their assets.
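One way to catch lookalike handles such as Optimlzm before they are trusted is to fold visually confusable characters into a common "skeleton" and compare against the handles the user actually follows. This is an added example, not SlowMist's or MistTrack's tooling; the confusable map and the list of known handles are constructed for illustration.

```python
"""Lookalike-handle check for impersonation accounts such as Optimlzm vs Optimism.
Added example, not SlowMist's tooling; the known-handle list is constructed."""

# Multi-character sequences are folded before single characters.
MULTI_CONFUSABLES = {"rn": "m", "vv": "w", "cl": "d"}
SINGLE_CONFUSABLES = {"l": "i", "1": "i", "|": "i", "0": "o",
                      "5": "s", "3": "e", "4": "a", "8": "b"}

# Constructed allow-list of handles the user actually follows.
KNOWN_HANDLES = {"Optimism", "SlowMist_Team", "PancakeSwap"}


def skeleton(handle: str) -> str:
    """Reduce a handle to a visual skeleton: lowercase, drop separators, fold confusables."""
    s = handle.lower().lstrip("@").replace("_", "").replace(".", "")
    for seq, rep in MULTI_CONFUSABLES.items():
        s = s.replace(seq, rep)
    return "".join(SINGLE_CONFUSABLES.get(ch, ch) for ch in s)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance with a single-row dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(handle: str, known=KNOWN_HANDLES, max_dist: int = 1):
    """Return the known handle this one imitates, or None.
    A handle that is itself on the known list is never reported."""
    if handle in known:
        return None
    sk = skeleton(handle)
    best = None
    for real in known:
        d = edit_distance(sk, skeleton(real))
        if d <= max_dist and (best is None or d < best[1]):
            best = (real, d)
    return best[0] if best else None
```

A hit means the handle should be treated as untrusted until verified through a channel other than the reply thread itself.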

In summary, phishing attacks in the blockchain industry threaten individual users in two core areas: "domain names and signatures." To achieve comprehensive protection, we have always advocated a dual defense strategy: personnel security awareness defense plus technical defense. Technical defense means using hardware and software tools, such as the phishing risk blocking plugin Scam Sniffer, to protect assets and information. When a user opens a suspicious phishing page, the tool promptly pops up a risk warning, blocking the risk at the first step of its formation. For security awareness defense, we strongly recommend that everyone read and gradually master the "Blockchain Dark Forest Self-Rescue Handbook" (https://github.com/slowmist/Blockchain-dark-forest-selfguard-handbook/blob/main/README_CN.md). Only through the combination of these two defense strategies can we effectively counter constantly evolving phishing methods and safeguard asset security.

Fraud

There are many types of fraud, and the most common fraud method in Q2 forms is the Pi Xiu scheme (what English-speaking users call a honeypot token). In legend, Pi Xiu is a mythical creature said to swallow everything without ever excreting it; treasures such as gold and jewels, once swallowed, can never be taken out. The Pi Xiu scheme therefore describes a digital currency that cannot be sold once purchased.

One victim described their experience: "I asked a question in a Telegram group, and someone enthusiastically answered many of my questions and taught me a lot. After chatting privately for two days, I thought he was quite nice. Then he suggested taking me to the primary market to buy new tokens and provided me with a contract address for a token on PancakeSwap. After I purchased it, the token kept rising sharply. He told me this was a once-in-a-half-year golden opportunity and suggested I immediately increase my investment. I felt something was off and didn't follow his advice, and he kept urging me. When I realized I might be deceived, I asked others in the group for help, and it turned out to be a Pi Xiu coin. I also tried it and found I could only buy but not sell. When the scammer saw I wasn't adding more funds, he blocked me."

This victim's experience reflects the typical pattern of Pi Xiu fraud:

  1. The scammer sets up a smart contract with traps and throws out bait promising high profits;

  2. The scammer pushes the target hard to purchase the token. After buying, the victim usually sees the token appreciate rapidly and decides to wait for a larger gain before cashing out, only to find that the purchased token cannot be sold;

  3. Finally, the scammer withdraws the victim's invested funds.

It is worth noting that all of the Pi Xiu coins mentioned in the Q2 forms were on BSC, as shown in the image below, where many Pi Xiu coin transactions can be seen. The scammer also distributed the held tokens to other wallets and to exchanges, creating the illusion of many participants.

Because Pi Xiu schemes are inherently concealed, even experienced investors may find it hard to see through them. The current popularity of memes and the many kinds of "meme coins" also shape the market. Since the price of a Pi Xiu token can rise rapidly, people often impulsively follow the trend, and many market participants who do not know the truth chase this wave of "meme coin fever," unknowingly stepping into a Pi Xiu trap and discovering after purchase that they can no longer sell.

Therefore, the MistTrack Team advises users to take the following measures before trading to avoid financial losses due to participation in Pi Xiu schemes:

  • Use MistTrack to check the risk status of the relevant addresses, or use GoPlus's token security detection tool to identify Pi Xiu coins before making a trading decision;
  • Check on Etherscan and BscScan whether the contract code has been audited and verified, and read the comments, as some victims leave warnings in the comment section of scam tokens;
  • Learn about the cryptocurrency in question and consider the background of the project team to strengthen your own risk awareness. Be wary of virtual currencies that promise extremely high returns, as high returns usually imply greater risk.
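As an added illustration of the first checklist item (not MistTrack or GoPlus code), the script below queries the GoPlus token security endpoint and turns the response into plain-language Pi Xiu red flags. The endpoint URL and field names (is_honeypot, cannot_sell_all, sell_tax, is_open_source, is_proxy and the owner-control flags) are this author's understanding of the GoPlus v1 token_security API and should be verified against the current GoPlus documentation; the two sample responses are constructed.

```python
"""Flag Pi Xiu (honeypot) indicators from a GoPlus token security response.
Added example, not MistTrack or GoPlus code. Field names are assumed from the
GoPlus v1 token_security API; verify against current docs before relying on them."""
import json
import urllib.request

GOPLUS_URL = "https://api.gopluslabs.io/api/v1/token_security/{chain_id}?contract_addresses={addr}"
BSC_CHAIN_ID = "56"  # BNB Smart Chain, where all Q2 Pi Xiu cases occurred

# "1" means true in GoPlus responses; any of these alone can make a sale impossible.
HARD_STOP_FIELDS = {
    "is_honeypot": "marked as honeypot",
    "cannot_sell_all": "cannot sell full balance",
    "transfer_pausable": "owner can pause transfers",
    "is_blacklisted": "owner can blacklist addresses",
    "owner_change_balance": "owner can change balances",
}


def fetch_token_report(addr: str, chain_id: str = BSC_CHAIN_ID) -> dict:
    """Query GoPlus (network call) and return the per-address result dict."""
    url = GOPLUS_URL.format(chain_id=chain_id, addr=addr)
    with urllib.request.urlopen(url, timeout=10) as resp:
        body = json.load(resp)
    return body.get("result", {}).get(addr.lower(), {})


def assess_token(report: dict, max_sell_tax: float = 0.10) -> list[str]:
    """Return human-readable red flags; an empty list means no indicator fired."""
    flags = [why for field, why in HARD_STOP_FIELDS.items() if report.get(field) == "1"]
    sell_tax = float(report.get("sell_tax") or 0)  # fraction, e.g. "0.05" = 5%
    if sell_tax > max_sell_tax:
        flags.append(f"sell tax {sell_tax:.0%} exceeds {max_sell_tax:.0%}")
    if report.get("is_open_source") == "0":
        flags.append("contract source not verified")
    if report.get("is_proxy") == "1":
        flags.append("proxy contract: logic can be swapped after purchase")
    return flags


# Constructed sample responses shaped like GoPlus results (not real tokens).
SAMPLE_HONEYPOT = {"is_honeypot": "1", "cannot_sell_all": "1", "sell_tax": "1",
                   "buy_tax": "0.05", "is_open_source": "0", "is_proxy": "0"}
SAMPLE_CLEAN = {"is_honeypot": "0", "cannot_sell_all": "0", "sell_tax": "0",
                "buy_tax": "0", "is_open_source": "1", "is_proxy": "0"}

if __name__ == "__main__":
    for name, sample in (("honeypot", SAMPLE_HONEYPOT), ("clean", SAMPLE_CLEAN)):
        print(name, assess_token(sample) or ["no red flags"])
```

A non-empty list is a reason not to buy; an empty list only means this one data source raised nothing, so the other two checklist items still apply.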
ChainCatcher reminds readers to view blockchain rationally, enhance risk awareness, and be cautious of various virtual token issuances and speculations. All content on this site is solely market information or related party opinions, and does not constitute any form of investment advice. If you find sensitive information in the content, please click "Report", and we will handle it promptly.