
Notorious Monkey Drainer crypto scammer says they’re ‘shutting down’

The scammer behind the crypto wallet draining kit even recommended an alternative and gave advice to budding cybercriminals.

The cryptocurrency phishing scammer behind some of the most high-profile and high-value Web3 thefts claims to have packed up shop, saying it was “time to move on to something better.”

The scammer with the pseudonym Monkey Drainer posted to their Telegram channel on March 1 that they “will be shutting down immediately” and all “files, servers and devices” related to the drainer “will be destroyed immediately” and it “will not return.”

Monkey Drainer’s full message posted to Telegram recommending an alternative service. Source: Telegram

The scammer even gave advice to budding “young cyber criminals” saying they shouldn’t “lose themselves in the pursuit of easy money” and only those “with the highest level of dedication” should operate a “large scale cybercrime” outfit.

Monkey Drainer even recommended a “flawless” alternative service to the one they once offered, named “Venom Drainer,” and pointed to a Telegram account for the service that was created only a day before Monkey’s announcement.

Blockchain security firm PeckShield tweeted on March 1 that within the last day, Monkey Drainer’s wallet deposited around 200 Ether (ETH) worth $330,000 into the crypto mixing service Tornado Cash, attempting to obscure their funds. There was 840 ETH, worth $1.4 million, still in their primary wallet.

Blockchain security firm CertiK also shared Monkey’s message in a March 1 tweet, saying the crypto wallet-draining kit they offered is understood to take a 30% “commission” of the funds stolen through others’ use of the software.

Wallet-draining kits from other providers have copied the model, and CertiK pointed to other vendors already reporting an uptick in requests since Monkey Drainer announced the shutdown.

Monkey Drainer is understood to have operated since late 2022 and is estimated to have stolen up to $13 million worth of cryptocurrencies and nonfungible tokens since that time.

Related: Monkey Drainer-linked scammers possibly exposed after an on-chain quarrel

Other copycat phishing scammers and wallet-draining kits have stolen much more. A report from Web3 bug bounty platform Immunefi revealed $3.9 billion worth of crypto was lost to hacks, frauds, scams and rug pulls in 2022.

Possibly one of the single most high-profile and high-value thefts by a wallet drainer in recent times was the January attack on Kevin Rose, the co-founder of the Moonbirds NFT collection.

Rose’s wallet was drained after he approved a malicious signature on a phishing website that transferred over $1.1 million worth of his personal NFTs to the attacker.

Monkey Drainer-linked scammers possibly exposed after an on-chain quarrel

The scammer referred to their pseudonym during a blockchain message argument that may have revealed their actual identity, according to CertiK.

Blockchain security firm CertiK believes it has found the real-life identity of at least one scammer allegedly linked to the “Monkey Drainer” phishing scam.

Monkey Drainer is the pseudonym for a phishing scammer who uses smart contracts to steal NFTs through a process known as “ice phishing.”

The individual or individuals behind the phishing scam have stolen millions of dollars worth of Ether (ETH) via malicious copycat nonfungible token (NFT) minting websites. 

In a Jan. 27 blog, CertiK said it found on-chain messages between two scammers involved in a recent $4.3 million Porsche NFT phishing scam and was able to link one of them to a Telegram account involved in selling the Monkey Drainer-style phishing kit. 

One message revealed a person referring to themself as “Zentoh” and referred to the person who stole the funds as “Kai.”

Zentoh was seemingly upset at Kai for not sending over a slice of the stolen funds. The message from Zentoh directs Kai to deposit the ill-gotten gains “at our address.”

An on-chain message from a person referring to themselves as “Zentoh,” upset they didn’t receive a portion of phished funds from a person they address as “Kai.” Source: CertiK

CertiK deduced the joint wallet was the address that received the $4.3 million in stolen crypto. The firm added there is a “direct link” between the joint wallet and “some of the most prominent Monkey Drainer scammer wallets.”

The wallet address tied to Zentoh is in turn tied to numerous addresses linked to the Monkey Drainer scam. Source: CertiK

Zentoh revealed in another message that the pair used Telegram to communicate. CertiK found an exact match for the pseudonym on the messaging app and identified it “to be running a Telegram group that sells phishing kits to scammers.”

The company found numerous other online accounts possibly linked to Zentoh, including one on GitHub that posted repositories for crypto drainer tools.

If the links between the accounts are legitimate, it reveals the identity of a French national living in Russia.

Cointelegraph reviewed accounts potentially related to the person and found public accounts that seemed to be interested in cryptocurrencies. Cointelegraph contacted the person but did not immediately receive a response.

Cointelegraph is not publishing the name of the person due to privacy concerns.

Related: Hackers take over Azuki’s Twitter account, steal over $750K in less than 30 minutes

Crypto wallet-draining phishing scams have unfortunately been used to great effect recently.

The co-founder of the Moonbirds NFT collection, Kevin Rose, fell victim to such a scam that led to over $1.1 million worth of his personal NFTs being stolen.

The influencer known on Twitter as “NFT God” suffered a similar fate after they downloaded malicious software from a Google Ad search result, with ETH and high-priced NFTs pilfered from their wallet.

Sam Bankman-Fried deepfake attempts to scam investors impacted by FTX

A faked video of the FTX founder, created by scammers, has circulated on Twitter, with users poking fun at its poor production quality.

A faked video of Sam Bankman-Fried, the former CEO of cryptocurrency exchange FTX, has circulated on Twitter, attempting to scam investors affected by the exchange’s bankruptcy.

Created using programs to emulate Bankman-Fried’s likeness and voice, the poorly made “deepfake” video attempts to direct users to a malicious site under the promise of a “giveaway” that will “double your cryptocurrency.”

The video appears to use old interview footage of Bankman-Fried together with a voice emulator to create the illusion of him saying “as you know our F-DEX [sic] exchange is going bankrupt, but I hasten to inform all users that you should not panic.”

The fake Bankman-Fried then directs users to a website saying FTX has “prepared a giveaway for you in which you can double your cryptocurrency” in an apparent “double-your-crypto” scam, where users send crypto under the promise they’ll receive double back.

A now-suspended Twitter account with the handle S4GE_ETH is understood to have been compromised, leading to scammers posting a link to the scam website — which now appears to have been taken offline.

The crypto community has pointed to the fact that scammers were able to pay a small fee in order to get Twitter’s “blue tick” verification in order to appear authentic.

Meanwhile, the video received widespread mockery for its poor production quality, with one Twitter user ridiculing how the scam production pronounced “FTX” in the video, saying they’re “definitely using […] ‘Effed-X’ from now on.”

At the same time, it gave many the opportunity to criticize the FTX founder, with one user saying “fake [Bankman-Fried] at least admits FTX is bankrupt,” and YouTuber Stephen Findeisen sharing the video saying he “can’t tell who lies more” between the real and fake Bankman-Fried.

Related: Crypto scammers are using black market identities to avoid detection: CertiK

Authorities in Singapore on Nov. 19 warned affected FTX users and investors to be vigilant as websites offering services promising to assist in recovering crypto stuck on the exchange are scams that mostly steal information such as account logins.

The Singapore Police Force warned of one such website, which claimed to be hosted by the United States Department of Justice and prompted FTX users to log in with their account credentials.

Others have attempted to profit from the attention FTX and its former CEO are receiving. On Nov. 14, shortly after Bankman-Fried tweeted “What” without further explanation, some noticed the launch of a so-called memecoin called WHAT.

Deepfake videos have long been used by cryptocurrency scammers to try to con unwitting investors. In May, faked videos of Elon Musk promoting a crypto platform surfaced on Twitter using footage from a TED Talk the month prior.

The video caught Musk’s attention at the time, who responded: “Yikes. Def not me.”

Beeple’s Discord URL ‘hijacked,’ directing users to wallet drainer

Other users in the Crypto Twitter community believe lax security management is to blame for the latest phishing scam aimed at Beeple’s fans and followers.

Nonfungible token (NFT) artist Mike “Beeple” Winkelmann has found himself the target of phishing scammers yet again, warning users that the URL link to his official Discord server was “hacked” — sending unaware new members to a wallet-draining Discord channel if they follow the link. 

In an Oct. 3 post, the NFT artist warned users not to go into the “fraudulent” Discord channel and verify as it will “drain your wallet.”

However, Beeple wasn’t the first to notice the URL sleight-of-hand, with Twitter user maxnaut.eth noting in a post hours earlier that the Discord link connected to the Beeple: Everydays — 2020 Collection on NFT marketplace OpenSea may have been “hijacked.”

The screenshot shared by maxnaut.eth suggests that the URL points to a “CollabLand wallet drainer,” showing a Collab.Land bot on Discord that directs members to verify account ownership but instead works to drain their wallets. maxnaut.eth noted:

“Your Discord URL probably got hijacked and your team didn’t update it on OS. You need to change that ASAP or people going to get rekd.”

While Beeple claims the URLs were hacked and that Discord is to blame, other Crypto Twitter community members are arguing that lax security measures are truly to blame.

NFT analyst and blockchain detective OKHotshot replied to the artist’s announcement, stating the URLs were not hacked but instead alleging, “Mismanagement of discord URLs allows this to happen, probably just like it happened to CryptoBatz.”

Cybersecurity firm Black Alchemy Solutions Group, meanwhile, commented that in its view it was not “a Discord problem”:

“This is a problem with a mismanagement of the Beeple Information Security apparatus. If you haven’t already, hire a vCISO (Security Officer), web3 doesn’t = Natively Secure.”

It appears that the misdirecting Discord URLs have been fixed by the artist, according to maxnaut.eth, noting that it “Seems Beep Man picked it up and has fixed it now.”

At the time of writing, the Discord link in the affected OpenSea listing also appears to be gone.

Related: 8 sneaky crypto scams on Twitter right now

Beeple’s social media and messaging platforms appear to be a popular target for scammers and hackers, as the artist has sold some of the most expensive NFTs on record, including the First 5,000 Days, a compilation of 5,000 pieces of artwork that sold for $69.3 million.

Elon Musk’s spacecraft manufacturer SpaceX, tech giant Apple, luxury brand Louis Vuitton and other high-profile companies and individuals are all listed as clients on Beeple’s website.

In May, a phishing scam netted $438,000 in crypto and NFTs through a hijacking of his Twitter account, linking to a raffle purporting to be related to a Louis Vuitton NFT collaboration. 

In Nov. 2021, his Discord was part of another scam, where an admin account was compromised and a fake NFT drop was advertised, netting the scammers an estimated 38 Ether (ETH), worth roughly $176,378.14 at the time.

Beeple did not disclose how many users may have been impacted by the current malicious Discord links.

Cointelegraph has reached out to Beeple but has not received an immediate response at the time of publication.