My @TrustWalletApp just got hacked.. they got it all $10,000😢 I think I’m done
— HARV 外人 (@punk_cipher) June 27, 2020
Trust Wallet User Victim of $10,000 Phishing Scam

Even though others may have felt too embarrassed to go public, Harv revealed the scam via Twitter early on June 28. With the benefit of hindsight, they’ll be pleased they did. Denley, an anti-phishing security expert, revealed that Harv’s Trust Wallet application had been hacked and emptied. A distraught Harv explained that they had lost around $10,000 in cryptocurrency. They added with a sad face emoji:
“I think I’m done.”

Amazingly, less than two hours after the original tweet, Denley responded with unexpected good news that would surely have delighted the victim. Denley instructed Harv to direct message him, as he had managed to recover about $4,000 of the stolen funds. Denley promised to reveal how he had managed to reclaim the funds on June 28, and he did just that in a Medium post published on Monday.
Scamming a Scammer: How Denley Recovered $4K in Ether

Calling it a “special occurrence,” Denley revealed that the victim in this example had installed a malicious version of the Trust Wallet app. The crypto expert notes that this phishing case was a little different from those that have plagued the cryptocurrency industry for years. The fake version of the software was actually listed on the official Google Play store. Screenshots from the application store show that users had reviewed the fake Trust Wallet app more than 600 times and rated it a respectable three-and-a-half stars. This level of sophistication is absent from most phishing scams; malicious APKs like these are usually hosted on third-party websites. Denley ran the app in a sandbox environment and decompiled it. He then discovered that the malicious application loaded a WebView that prompted users to enter their mnemonic key to restore a wallet. Branded as an official application and downloadable from a legitimate source, it’s easy to see why the victim fell for the scam.
Trail of Clues

Of course, entering the mnemonic key in the WebView popup did not restore the wallet. Instead, it displayed an error message while simultaneously sending the user’s input to a server-side script. “Shoddy code,” as Denley describes it, meant that a poor configuration on the attacker’s domain left its error log exposed via Telegram. Denley was able to force an error in the messaging application by spamming it with, well, messages. After cracking the Telegram bot’s API keys, he then flooded the Telegram application programming interface (API). This caused the program to send all of the scammers’ private chat messages directly to Denley via the error log. He then set up a custom sweeper, running at 180-second intervals, to empty the contents of wallets that had been stolen using the captured mnemonic phrases. With a few more tweaks, Denley was able to manipulate the attackers’ own bot into reporting the private conversations of the members of the Telegram channel. He discovered the attacker’s Telegram ID, a user who goes by the nickname “George.” The scammers all spoke Turkish.
Sweeping the Wallet Contents

Denley’s counter-attack went undetected for around 15 hours between June 28 and June 29. Eventually, the scammers noticed the flood of messages spamming their chats. They reportedly modified the error log and deleted the Telegram bot. Denley believes the scammers will have other bots but is committed to spamming bogus private keys to the hackers’ logs in the meantime. This should buy some time for the victims to secure their crypto assets.
Tracking Down Victims

With the full transaction info, Denley continued to intercept several other attempts to drain wallets. He managed to find the addresses of the impacted wallets and then set about reuniting users with their holdings. He initially combed Twitter for the address of the largest victim, which ultimately led him to Harv. After initiating a conversation, Denley requested that they sign a specific message with their keys. This allowed the expert to return the funds, with confidence, to the confirmed owner. Harv responded with delight at the outcome on Monday:
Last weekend I got wiped out by a phishing scam via a fake @TrustWalletApp on @GooglePlay App Store, they got $10,000 of crypto..
My man @sniko_ swooped in like a super hero and was able to recover almost $4000 of it!💥 You’re a wizard Harry!❤️Thank You!
BE CAREFUL OUT THERE!
— HARV 外人 (@punk_cipher) June 29, 2020
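The ownership check described above, where the claimant signs a specific message before funds are returned, as an added example that is not Denley’s code or the article’s own. It uses Go’s standard-library Ed25519 and a SHA-256-derived address as stand-ins for Ethereum’s secp256k1 signing and keccak address derivation (both assumptions), since the protocol shape is the same: the recoverer builds a challenge bound to the address, a fresh nonce and the purpose, so that a signature captured elsewhere or reused later cannot pass as proof.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"time"
)

// Address derives a hex identifier from a public key. Assumption: a stand-in
// for Ethereum's keccak256/secp256k1 address derivation; the recoverer knows
// nothing about the victim except this address.
func Address(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return "0x" + hex.EncodeToString(sum[:20])
}

// Challenge builds the exact message the claimant must sign. Binding it to
// the address, a fresh nonce and the purpose means a signature captured
// elsewhere, or this one at a later date, cannot be replayed as proof.
func Challenge(addr string, nonce []byte, ts time.Time) string {
	return fmt.Sprintf("Prove ownership of %s for refund\nnonce=%s\ntime=%s",
		addr, hex.EncodeToString(nonce), ts.UTC().Format(time.RFC3339))
}

// VerifyOwner accepts only a signature over msg made by the key whose public
// half derives to the claimed address. The claimant sends (pub, sig); the
// recoverer supplies msg itself rather than trusting the claimant's copy.
func VerifyOwner(claimed string, pub ed25519.PublicKey, msg string, sig []byte) bool {
	if len(pub) != ed25519.PublicKeySize || Address(pub) != claimed {
		return false // key does not belong to the address being refunded
	}
	return ed25519.Verify(pub, []byte(msg), sig)
}

func main() {
	// Constructed demo: the victim's keypair; only Address(pub) is public.
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	addr := Address(pub)
	nonce := make([]byte, 16)
	rand.Read(nonce)
	msg := Challenge(addr, nonce, time.Now())
	sig := ed25519.Sign(priv, []byte(msg))
	fmt.Println("owner verified:", VerifyOwner(addr, pub, msg, sig))
	// A signature over a different message (e.g. an older challenge) fails.
	fmt.Println("stale proof:", VerifyOwner(addr, pub, "other", sig))
}
```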
Staying Safe Against Increasingly Sophisticated Attacks

Phishing attacks typically have major red flags that stop all but the most vulnerable users from falling victim. For example, BeInCrypto reported in January about scammers impersonating Ledger, the hardware wallet maker. Bogus YouTube channels under the names “Ledger” and “Ledger Nano” promoted a compromised web wallet offering free funds. The first red flag, in this case, is the unlikeliness that Ledger would promote a new product exclusively through YouTube. Companies typically issue press releases detailing their launches, and it’s not difficult to check Ledger’s release archive for information relating to this. The second red flag is the amount of Bitcoin these scam promos offer “lucky” winners. Ledger reported videos on Twitter showing up to 2,000 BTC in bonuses. Why on earth would Ledger give away more than $18 million just to launch a web wallet? The Trust Wallet phishing scam, on the other hand, is a lot more subtle. The malicious application came from the official Google Play store. It had reviews, a positive rating, and carried all the same branding as the official release.
Do Your Own Research (DYOR)

Since it was masquerading as an official wallet, the request to enter the mnemonic phrase is hardly a red flag. Most wallet applications offer options to load an existing wallet from a private key or seed phrase, or to create a new one on launch. While the fake app did an excellent job of impersonating Trust Wallet, it’s still possible to protect yourself from such scams. The best way to do this is to always head to the source for any downloads: the official website or GitHub of the project. The official Trust Wallet website does direct users to download from the Google Play or Apple stores. However, it links to the official product, which has many more reviews, downloads, and a higher rating. Some of the above victims may have been aware that Trust Wallet is supported on Google Play and thought they’d save a little time by heading straight there. Unfortunately, a little convenience almost always results in a drop in security. When dealing with large amounts of money, as in Harv’s case, security should always take precedence over convenience.