Imagine falling foul of a phishing attack that stole a significant portion of your crypto savings, only to discover that a good Samaritan had returned it to you out of the goodness of their heart.
It might sound unrealistic, but that’s the exact experience a recent phishing scam victim had. Twitter user Harv (@punk_cipher) recently tweeted that phishing scammers had emptied their Trust Wallet Application.
Later the same day, security researcher Harry Denley informed them that he had managed to intercept the attackers and secure around half of the stolen digital currencies.
Trust Wallet User Victim of $10,000 Phishing Scam
Even though others may have felt too embarrassed to go public, Harv revealed the scam via Twitter early on June 28. With the benefit of hindsight, they’ll be pleased they did.
Denley, an antiphishing security expert, revealed that Harv’s Trust Wallet application had been hacked and emptied. A distraught Harv explained that they had lost around $10,000 in cryptocurrency. They added with a sad face emoji:
“I think I’m done.”
Amazingly, less than two hours after the original tweet, Denley responded with unexpected good news that would have surely delighted the victim. Denley instructed Harv to direct message him, as he had managed to recover about $4,000 of the stolen funds.
Denley promised to reveal how he had managed to reclaim the funds on June 28. And he did just that in a Medium post published on Monday.
Scamming a Scammer: How Denley Recovered $4K in Ether
Calling it a “special occurrence,” Denley revealed that the victim in this example had installed a malicious version of the Trust Wallet app. The crypto expert notes that this phishing case was a little different to those that have plagued the cryptocurrency industry for years.
The fake version of the software was actually listed on the official Google Play store. Screenshots from the application store show that users had reviewed the Trust Wallet more than 600 times and rated it a respectable three-and-a-half stars.
The level of sophistication here is absent from most phishing scams. Malicious APKs like these are usually hosted on third-party websites. Denley ran the app in a sandbox environment and decompiled it. He then discovered that the malicious application loaded a WebView, prompting users to enter their mnemonic key to restore a wallet.
Branded as an official application and downloadable from a legitimate source, it’s easy to see why the victim fell for the scam.
Trail of Clues
Of course, entering the mnemonic key in the WebView popup did not restore the wallet. In fact, it prompted an error message while simultaneously sending the user’s input to a server-side script.
“Shoddy code,” as Denley describes it, meant that a poor configuration with the attacker’s domain left its error log exposed via Telegram. Denley was able to force an error in the messaging application by spamming it with, well, messages. After cracking the Telegram bot’s API keys, he then flooded the Telegram application program interface (API).
This caused the program to send all the scammers private chat messages directly to Denley via the error log. He then set up a custom sweeper to empty the contents of wallets that had been stolen using the captured mnemonic phrase. He did this in 180-second intervals.
With a few more tweaks, Denley was able to manipulate the attackers’ own bot into reporting the private conversations of the members of the Telegram channel. He discovered the attacker’s Telegram ID, a user who goes by the nickname “George.” The scammers all spoke Turkish.
Sweeping the Wallet Contents
Denley’s counter-attack went undetected for around 15 hours between June 28 and June 29. Eventually, the scammers noticed the flood of messages spamming their chats.
They reportedly modified the error log and deleted the Telegram bot. Denley believes the scamsters will have other bots but is committed to spamming bogus private keys to the hacker’s logs in the meantime. This should buy some time for the victims to secure their crypto assets.
Tracking Down Victims
With the full transaction info, Denley continued to intercept several other attempts to drain wallets. He managed to find the addresses of the impacted wallets and then set about reuniting users with their holdings.
He initially combed Twitter for the address of the largest victim, which ultimately led him to Harv. After initiating a conversation, Denley requested that they sign a specific message with their keys. This allowed the expert to return the funds, with confidence, to the confirmed owner.
Harv responded with delight at the outcome on Monday:
Staying Safe Against Increasingly Sophisticated Attacks
Phishing attacks typically have major red-flags that stop all but the most vulnerable users from falling victim. For example, BeInCrypto reported in January about scammers impersonating Ledger, the hardware wallet. Bogus YouTube channels under the names of “Ledger” and “Ledger Nano” promoted a compromised web wallet offering free funds.
The first red flag, in this case, is the unlikeliness that Ledger would promote a new product exclusively through YouTube. Companies typically release press releases detailing their launches. It’s not difficult to check Ledger’s release archive for information relating to this.
The second red-flag is the number of Bitcoin these scam promo’s offer “lucky” winners. Ledger reported videos on Twitter showing up to 2,000 BTC in bonuses. Why on earth would Ledger give away more than $18 million just to launch a web wallet?
The Trust Wallet phishing scam, on the other hand, is a lot more subtle. The malicious application comes from the official Google Play store. It has reviews, a positive rating, and carries all the same branding as the official release.
Do Your Own Research (DYOR)
Since it was masquerading as an official wallet, the request to enter the mnemonic phrase is hardly a red-flag. Most wallet applications feature options to load an existing wallet from a private key or seedphrase. Or to create a new one on launch.
While Trust Wallet did an excellent impersonation job, it’s still possible to protect yourself from such scams. The best way to do this is to always head to the source for any downloads – the official website or GitHub of the project.
The official Trust Wallet website does direct users to download directly from the Google Play or Apple stores. However, it also links to the official product, which has many more reviews, downloads, and a higher rating.
Some of the above victims may have been aware that Trust Wallet is supported on Google Play and thought they’d save a little time by heading straight there. Unfortunately, a little convenience almost always results in a drop in security.
When dealing with large amounts of cash, as in Harv’s case, security should always take precedence over convenience.