FOLLOW-UP: SCAM ALERT - Phishing attempt against Celsius Network - Whereabout of the Victim's Funds

This is a follow-up to a post by scubiedoo, published on 11 May, warning that scammers had begun to exploit the wallets compromised in the Celsius Network phishing scam: https://www.publish0x.com/mycryptolife/follow-up-scam-alert-phishing-attempt-against-celsius-networ-xerwqqg

The exploit appears to be fully automated and programmed to drain all ETH from the victims' wallets. For ERC20 tokens, the scammers send just enough ETH to unstake them from Uniswap or convert them to ETH. Based on this behaviour, I believe the scammers are big fans of Ethereum and Uniswap. They're probably Twitter followers of Vitalik Buterin.
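The two-step behaviour described above (a small ETH top-up from the sweeper address, followed shortly by the victim's tokens leaving) is something an exchange's or a victim's own monitoring can flag. The following is an added example, not code from the original post: it runs a simple "gas top-up then drain" detector over a constructed list of transfer records. The record shape, the victim addresses, the thresholds and the assumption that drained tokens go straight to the sweeper are all simplifications for the example; only the sweeper address is taken from the post.

```python
"""Flag wallets matching the sweeper pattern: all ETH sent to the scammer
address, or a tiny ETH inflow from that address followed by a token outflow.

Added example, not from the original post. Transfer records are constructed;
a real pipeline would build them from an explorer's transaction and ERC-20
transfer logs.
"""
from collections import defaultdict

# Scammer address named in the post.
SWEEPER = "0xa850345f03be2e6e689f57ac5060f93758716d54"

# Constructed sample records: (block, from, to, asset, amount).
# Victim and DEX addresses are placeholders, not real addresses.
SAMPLE_TRANSFERS = [
    # victim A: every ETH swept straight to the sweeper
    (12477000, "0xVictimA", SWEEPER, "ETH", 5.0),
    # victim B: sweeper sends a tiny gas top-up, then the victim's UNI leaves
    (12477010, SWEEPER, "0xVictimB", "ETH", 0.004),
    (12477011, "0xVictimB", SWEEPER, "UNI", 120.0),
    # victim C: unrelated activity, no top-up, nothing goes to the sweeper
    (12477020, "0xVictimC", "0xSomeDex", "ETH", 0.5),
]


def find_drains(transfers, sweeper, gas_topup_max=0.01, window_blocks=50):
    """Return {wallet: [reasons]} for wallets that match the drain pattern.

    Signal 1: ETH sent to the sweeper.
    Signal 2: a small ETH inflow from the sweeper (assumed to be a gas top-up)
              followed within `window_blocks` blocks by a token outflow to it.
    The thresholds are assumptions chosen for the sample data.
    """
    topups = defaultdict(list)   # wallet -> blocks of small ETH inflows from sweeper
    flagged = defaultdict(list)  # wallet -> human-readable reasons
    for block, src, dst, asset, amount in sorted(transfers):
        if dst == sweeper and asset == "ETH":
            flagged[src].append(f"ETH swept at block {block}")
        elif src == sweeper and asset == "ETH" and amount <= gas_topup_max:
            topups[dst].append(block)
        elif dst == sweeper and asset != "ETH":
            recent = [b for b in topups[src] if 0 <= block - b <= window_blocks]
            if recent:
                flagged[src].append(
                    f"{asset} drained at block {block} after gas top-up at block {recent[-1]}"
                )
    return dict(flagged)


if __name__ == "__main__":
    for wallet, reasons in find_drains(SAMPLE_TRANSFERS, SWEEPER).items():
        print(wallet, "->", "; ".join(reasons))
```

Sorting by block keeps the top-up/outflow ordering honest, and the window stops an old top-up from explaining an unrelated token transfer weeks later.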

Some hints about how to locate the Scammers:

If Vitalik Buterin sees this post, it would be great if he could provide a full list of his Twitter followers. I'm pretty sure the scammers would be on the list. The same goes for Uniswap: they must be in the Uniswap Telegram announcement group too.

Next Steps for Victims:

1. I'll be sharing more insights and analysis of the transactions that occurred at the scammers' addresses and of the money laundering process. It will probably help investigators to locate who they are.

2. Report your case to your cryptocurrency exchange provider and to law enforcement (police).

Here's a short analysis of the whereabouts of the victims' funds. If you happen to be one of the victims of the Celsius Network phishing scam, please provide the information below to your cryptocurrency exchange provider and to law enforcement (police).

Information to be provided to your cryptocurrency exchange provider and to law enforcement (police):

Victim's address: Your address

My funds were transferred into the scammer's address (0xa850345f03be2e6e689f57ac5060f93758716d54) and ultimately flowed into KuCoin and Binance for money laundering via the following transactions:

Outflow transactions:

1) 5 ETH at block 12477076

1.1 TXID: 0x3c002b335d2ab0a57ecd38182e760d6224826c804e68523f667da5385f14a6d8

1.2 TXID: 0x82ef75b3fa4ad4bee3e3eac1e620455c5b8b26ee2b1122fb2394dd2fcb42adbd

1.3 TXID: 0x09c65332f28ce45a48df3aca535944623590e19c2396b30b6ca0c0b944561bd0

The last wallet address before the ETH was laundered through KuCoin: 0xc2c3Ae450662DE36B3992b1490E273F9E57b3Fbd

2) 7 ETH at block 12477142

2.1 TXID: 0x8bea7e7c8da28b655d2bfc85788feca23c62dee19d1406c32d0fd05e0546bceb

2.2 TXID: 0x71a29d1d5bca12ed2d092e68389de70e19b6f311c41cd3cab5392dc4e60afc3d

2.3 TXID: 0x35b142897361a193d02369c41347ecdcae0d2f6bed294f995a747c5c8e86a2c0

The last wallet address before the ETH was laundered through Binance: 0x6F39fA0096b075beCdB2C46C62976E92F03cA104

3) 6.35 ETH at block 12477957

3.1 TXID: 0x16c4363c502f6bfc759ded38a3bca5a5e628ae3e8c6e0a9459164a50b5322b1d

The proceeds were divided into 3 parts:

3.1.1 TXID: 0xe344222374a3b5eee7a0cc8f043e94a135718fbddd23b8212268967f5c8b8fb1

3.1.1a TXID: 0x80d7566883944aac5275083850683300add9159f10dd142904710bd1be2ecbae

The last wallet address before the ETH was laundered through Binance: 0x6F39fA0096b075beCdB2C46C62976E92F03cA104

3.1.2 TXID: 0xc5819a2b66a6c5c93110935281a517fbb4a9de6981ce1c031688143e4128467f

3.1.2a TXID: 0x7e458654a66c6d08d6b3210bd3391132a131aed06736968e0e9c85dd4d6c37b2

The last wallet address before the ETH was laundered through KuCoin: 0xc2c3Ae450662DE36B3992b1490E273F9E57b3Fbd

3.1.3 TXID: 0x57ab37bf85d80e1f107bd66b5c1dfeed0db9799247568a46cc19511e6f81b9d9

3.1.3a TXID: 0xde3d9ac3f232136baee7fc6a5aff2eb4b3c99c0dc17750318156631c9e671f0c

The last wallet address before the ETH was laundered through KuCoin: 0xc2c3Ae450662DE36B3992b1490E273F9E57b3Fbd

4) 4.81 ETH at block 12709513

4.1 TXID: 0x28f92898e0720208d1daaf6d357c51af5f21a5cae6465e759fb4d259a47a7a28

The proceeds were divided into 2 parts:

4.1.1 TXID: 0x3741a2abc84c1c12249a894374aae56a0e4d5e7501cafcc4e5ae52e56148a765

4.1.1a TXID: 0x66f5767193c443a78be5f06314b9de35670e695e5203501be2509607e243d3f9

The last wallet address before the ETH was laundered through Binance: 0x6F39fA0096b075beCdB2C46C62976E92F03cA104

4.1.2 TXID: 0x5962824387b088c430f6754f864f7d26fb2b233034f94e3fe47882d1c2849092

4.1.2a TXID: 0xe53eced0f9732f4f41ddf9593f8c1e28447f9b038fa0a0d9aa236e0b66c7baa2

The last wallet address before the ETH was laundered through Binance: 0x6F39fA0096b075beCdB2C46C62976E92F03cA104

With regard to the money laundering, I sought advice from KuCoin and Binance. KuCoin refused to provide any information, while Binance advised that the wallet address depositing ETH to Binance, 0x6F39fA0096b075beCdB2C46C62976E92F03cA104, belongs to a company called nrnb.io.

Information about NRNB.IO:

There is very limited information about nrnb.io. It seems to be a dodgy business registered in the middle of nowhere using fake KYC information. It's basically a P2P merchant that helps its clients (some scammers, I guess) to buy and sell tokens on different exchanges.

The business owner is likely to be Russian, as it is using a Russian email.

Name: NRNB.IO

Registry Domain ID: D503300001190270669-LRMS

Registrar WHOIS Server: whois.godaddy.com

Registrar URL: http://www.godaddy.com

Updated Date: 2021-03-15T17:53:48Z

Creation Date: 2020-11-24T22:00:24Z

Registry Expiry Date: 2022-11-24T22:00:24Z

Phishing website (https://wallet-celsius.network/):

Domain Name: wallet-celsius.network
Registry Domain ID: c517a45e592d4a1abde544c6a583b339-DONUTS
Registrar WHOIS Server: whois.tldregistrarsolutions.com
Registrar URL: http://www.tldregistrarsolutions.com
Updated Date: 2021-04-27T03:06:19Z
Creation Date: 2021-04-19T22:54:46Z
Registry Expiry Date: 2022-04-19T22:54:46Z
Registrar: TLD Registrar Solutions Ltd.
Registrar IANA ID: 1564
Registrar Abuse Contact Email: abuse@tldregistrarsolutions.com
Registrar Abuse Contact Phone: +44.2034357304
Domain Status: clientHold https://icann.org/epp#clientHold
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
Domain Status: inactive https://icann.org/epp#inactive
Registrant State/Province: New York
Registrant Country: US
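The WHOIS record above carries the three signals that matter most when judging a suspected phishing domain: how recently it was registered, whether the registrar has already put it on hold, and whether the name borrows a brand it does not belong to. The following is an added example, not code from the original post: it parses the record into key/value pairs and produces that assessment. The WHOIS values are exactly those quoted above; the genuine Celsius domain (assumed to be celsius.network) and the reference date (11 May 2021, the date of the earlier warning post) are assumptions made for the example.

```python
"""Parse a WHOIS record and extract phishing-relevant signals: domain age,
EPP status codes, and brand lookalike.

Added example, not part of the original post. WHOIS text is the record quoted
in the post; LEGITIMATE_DOMAINS and REFERENCE_DATE are assumptions.
"""
import re
from datetime import date, datetime

WHOIS_TEXT = """\
Domain Name: wallet-celsius.network
Registry Domain ID: c517a45e592d4a1abde544c6a583b339-DONUTS
Registrar WHOIS Server: whois.tldregistrarsolutions.com
Registrar URL: http://www.tldregistrarsolutions.com
Updated Date: 2021-04-27T03:06:19Z
Creation Date: 2021-04-19T22:54:46Z
Registry Expiry Date: 2022-04-19T22:54:46Z
Registrar: TLD Registrar Solutions Ltd.
Registrar IANA ID: 1564
Registrar Abuse Contact Email: abuse@tldregistrarsolutions.com
Registrar Abuse Contact Phone: +44.2034357304
Domain Status: clientHold https://icann.org/epp#clientHold
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
Domain Status: inactive https://icann.org/epp#inactive
Registrant State/Province: New York
Registrant Country: US
"""

# Assumption: the genuine Celsius Network site is celsius.network.
LEGITIMATE_DOMAINS = {"celsius.network"}
# Assumption: assess the record as of the earlier warning post (11 May 2021).
REFERENCE_DATE = date(2021, 5, 11)


def parse_whois(text):
    """Turn 'Key: Value' lines into {key: [values]}; repeated keys accumulate."""
    record = {}
    for line in text.splitlines():
        if ": " not in line:
            continue  # skip blank or free-text lines
        key, value = line.split(": ", 1)  # split once so URLs keep their '://'
        record.setdefault(key.strip(), []).append(value.strip())
    return record


def domain_age_days(record, as_of=REFERENCE_DATE):
    """Whole days between the registry creation date and `as_of`."""
    created = datetime.strptime(record["Creation Date"][0], "%Y-%m-%dT%H:%M:%SZ").date()
    return (as_of - created).days


def status_codes(record):
    """'clientHold https://icann.org/epp#clientHold' -> 'clientHold'."""
    return [v.split()[0] for v in record.get("Domain Status", [])]


def is_lookalike(domain, legitimate=LEGITIMATE_DOMAINS):
    """True if `domain` reuses a brand label but is neither the brand's domain
    nor one of its subdomains (e.g. wallet-celsius.network vs celsius.network)."""
    domain = domain.lower().rstrip(".")
    for legit in legitimate:
        if domain == legit or domain.endswith("." + legit):
            return False
        brand = legit.split(".")[0]
        if re.search(r"(^|[-.])" + re.escape(brand) + r"([-.]|$)", domain):
            return True
    return False


def assess(text):
    """Summarise the signals a defender would report for the domain."""
    record = parse_whois(text)
    name = record["Domain Name"][0]
    codes = status_codes(record)
    return {
        "domain": name,
        "age_days": domain_age_days(record),
        "lookalike": is_lookalike(name),
        "suspended": "clientHold" in codes or "inactive" in codes,
        "statuses": codes,
    }


if __name__ == "__main__":
    for key, value in assess(WHOIS_TEXT).items():
        print(f"{key}: {value}")
```

On this record the domain was 22 days old at the reference date, matches the brand label without being the brand's own domain, and already carries clientHold and inactive, which together mean the registrar has pulled it out of the DNS.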

Because of that, I believe the scammers are likely Russian too.

MJangry

Celsius Network Phishing Attack Victims

Calling all victims who suffered from the Celsius Network phishing attack
