Serial Phishing Scammer Uses a Mix of Laundering Techniques, Including Coin Swaps and a Mysterious OTC
Scammers have stolen millions in crypto pretending to be HitBTC, a little known crypto exchange founded in 2013, the team of MistTrack crypto compliance platform said in a tweet Monday morning. MistTrack belongs to the SlowMist company, which is focused on cybersecurity in crypto.
According to the researchers, someone has set up the website hitbt2c.lol, mimicking the authentic website of HitBTC, hitbtc.com, and enticed crypto traders to connect their wallets or deposit crypto as onto a real exchange. If the users follow instructions, instead of a legitimate exchange, they would deposit money to scammers’ addresses, and the funds would be gone.
MistTrack located four blockchain addresses that the scammers used to receive funds from unassuming users. These wallets accumulated over $15 million worth of crypto over the time of their existence, the researchers estimated. According to SlowMist, there are many similar phishing websites active at the moment, including fake clones of the Coinone exchange and Ledger hardware wallet maker.
“One of the victims from this scam reached out to us asking for help,” MistTrack team member told CoinDesk via Twitter direct messages. “The earliest activity we saw from these address was in June of 2022, but it could have been earlier. There’s only one address that’s still active, we believe that’s main address the scammer uses,” they added.
CoinDesk looked into where the money went.
DeFi, CEX and mysterious OTC
MistTrack flagged four addresses, one for Bitcoin blockchain, two for Ethereum, and one for Tron:
3BvQyAZwBXxk7rEStd6burfQgQ5AD2FFsq (BTC), TCV1cN2iRG1F1NHwr3GnujhNkEbBoXdZs8 (USDT on Tron),
0xB59299A0F15a282Bfc671BC0c2231184292C01b1 (ETH) and 0xdc961cF2F71dd0ab4f83eA294dBfEF1970ae15c6 (ETH).
The Bitcoin address has been active since July 2022 and received over 52 BTC over time. Most of these funds have been later sent to an address that might be an over-the-counter (OTC) trading service allowing users to buy and sell crypto outside of big exchanges.
The address of the supposed OTC has been flagged multiple times by victims of various scams before, suggesting that either the fake HitBTC phishing scam is just another one in a row of shenanigans by a serial fraudster, or that multiple scammers are using the same service to cash out their ill-gotten crypto.
According to the Bitcoin Abuse Database, the wallet received money from phishing scams resembling the one against HitBTC, as well as the so-called “pig butchering scams,” in which scammers start an online romance with a victim and then entice them to “invest” in a lucrative crypto project (which does not exist). Some users suggested that this might be an OTC broker chosen by cybercriminals.
This supposed OTC has an interesting way of processing bitcoin: whoever operates the wallet in most cases swaps bitcoin for wrapped bitcoin (wBTC) on Ethereum, using a service launched in 2018 by BitGo, Kyber Network and Ren. The wallet sends large batches on bitcoin to an address on the official proof-of-reserves list for wBTC, meaning it belongs to one of authorized wBTC custodians.
The Ethereum address from MistTrack’s tweet, active since June 2022, received SHIB tokens worth $247 in September, and then sent them to the centralized exchange OKX, according to the Etherscan data.
The same wallet received over 11.5 million in various stablecoins over the past year and a half, including 8.3 million USDT, 2.4 million USDC and 833,000 DAI. The address also received over 47.87 wrapped BTC.
The address often interacts with Tokenlon DEX to swap wrapped ether (WETH) for USDT. It also sent USDT to addresses belonging to the OKX centralized exchange several times. One of the OKX addresses in question regularly received money from another wallet previously labeled as a phishing scam on Etherscan. That wallet hasn’t been active since December 2022.
Other two wallets attributed to the scam by MistTrack offer little insight: A Tron-based Tether address only received 242 USDT last September, and one more Ethereum address listed by MistTrack is empty and has never received any funds.
The data suggests that the owner of the wallets flagged by MistTrack might have been running multiple scams, including phishing, and using decentralized finance (DeFi) tools to cover their tracks, swapping cryptocurrencies one for another. But they also actively use centralized ways to cash out crypto, like a centralized exchange and an OTC broker.
OKX has not responded to CoinDesk’s request for comment by press time.
HitBTC has reported around $400 million of daily trading volume recently, according to CoinGecko and CoinMarketCap. The exchange has not reacted to MistTrack’s tweet so far. There has been no mentions of the phishing threat on the exchange’s official website, Twitter page or Telegram channel at the time of writing. The exchange has not responded to CoinDesk’s request for comment.