Hello!
A hacker stole my 84K MOONs back in March. That wasn’t very nice of them =(
Now it’s payback time against those hackers/scammers/rug pullers and other malicious entities who give crypto such a bad reputation.
I went through the exercise of attempting to doxx the hackers who stole 525K from a victim recently https://platform.arkhamintelligence.com/exchange/bounties/4b3c63de-f4fe-4ed5-88ed-ba49fdf8ebe3
The research is all my own! Please feel free to check and cross reference all of my work.
Let’s begin!
Part 1 – Hacker 525k 1
0x3833F1ADdFe7952ca9c577939549D6c6062cb6Fa – Hacker 525K 1
This address is one of two as outlined by the victim in the bounty. I labeled 0x3833F1ADdFe7952ca9c577939549D6c6062cb6Fa – Hacker 525K 1 to keep track for my own records.
Deposit Addresses
Here’s a list of the shared Deposit Addresses
0x0C43FA6f7dFE8DB1f80748C459A2239c6A08e980 – Binance
0xc2D54190d9C83Da8d30D302ad39a0Ab488b4032d – OKX
0xBf7B0cE8db8883F3E4EC6900079ebFE6AA5573b8 – Kucoin
0x2422371A74Ea2674853B15748EFb491BF49CB6Ec – Kucoin
Shared Wallets
Here’s a list of the shared Wallets
Another Victim
I did a quick Google search to see if I can find anything on 0xAfF6dB2974315B21b578eFAdb60a08603eb8EDeA – [Pablito147 on Opensea]. Below is a victim I found who lost 200K.
Victim YouTube –
https://www.youtube.com/watch?v=splBczgXEEY
Hacker Wallets listed in description
0x634CE987dB07BA4197b6Ae9F3478A707e3D7646f [looks like ApeXPool]
0x505B5eDa5E25a67E1c24A2BF1a527Ed9eb88Bf04 [looks like Coinweb token]
0x52A8845DF664D76C69d2EEa607CD793565aF42B8 [looks like ApeX Token]
0x6bB78583889bF9380dB2206e66e2DCd641fB1f39 – High Risk – other comments on Etherscan
0x29488E5fD6bF9B3cc98A9d06A25204947ccCBE4D – Fake_Phishing180395
0x9b6d18d156ef8ED96A48d75664315C6Eac6F4906
0xAfF6dB2974315B21b578eFAdb60a08603eb8EDeA
0xA4CC15cd24316988dfc4310eC3c2664F3c9BBac1
Tracking ENS Interactions
0x3B380f3Be0db93161E6Cb7a53DE4958BF457A33C [Opensea User] is in current possession of the below ENS addresses
ballaboveall.eth
loveneverfails.eth
03161992.eth (What’s the significance here? Someone’s birthday?)
How did he/she/they acquire these ENS addresses?
Here’s an example
-0x3B380f3Be0db93161E6Cb7a53DE4958BF457A33C- received ballaboveall.eth from Bigpudgy.eth – https://etherscan.io/tx/0xa3f4e48ff498b83e6032069af509f4e6595d87b29e4a1890a9e854c3dbc7124c
–0x3b10f088D7a83E92E91D4A84FE2c656AF92a801D – Bigpudgy.eth aka Calm_tothemoon
Both loveneverfails.eth and 03161992.eth were also transferred in a similar way from 0x3b10f088D7a83E92E91D4A84FE2c656AF92a801D – Bigpudgy.eth
Social Info
Social info of Bigpudgy.eth – 0x3b10f088D7a83E92E91D4A84FE2c656AF92a801D
Coinbase wallet – https://nft.coinbase.com/@boot2thrill
Twitter – boot2thrill
Reddit (maybe) – u/Boot2Thrill
Github (maybe) – boot2thrill
Bitcointalk thread – https://bitcointalk.org/index.php?topic=5086106
Summary
Looking at https://opensea.io/Calm_tothemoon/activity aka bigpudgy.eth, he could be a victim or have direct ties to the hacker. I looked through the boot2thrill Twitter account and didn’t see any signs of a hack. Specifically, I was looking at dates around March 6th 2023 and Feb 2nd 2023 as those dates were when most of the NFT transfers to 0x3B380f3Be0db93161E6Cb7a53DE4958BF457A33C happened.
However, looking inside 0x3b10f088D7a83E92E91D4A84FE2c656AF92a801D – Bigpudgy.eth, I’m seeing mostly Coinbase deposit addresses. Coinbase isn’t typically an exchange a hacker would use. If this person is a hacker, he’s certainly keeping his personal and hacking activity separate.
Part 2 – Hacker 525k 2
0x8d50d2EEEED7ea1De60C51Ba3f767e48dFbD2320 – Hacker 525K 2
Here’s the other wallet identified by the victim in the bounty. I labeled 0x8d50d2EEEED7ea1De60C51Ba3f767e48dFbD2320 – Hacker 525K 2
Wallets of Interest
Below I’ll make the connection between 0x8d50d2EEEED7ea1De60C51Ba3f767e48dFbD2320 [Hacker 525K 2] and 0x834A683d81CeFafA9A97c2549d9D3fB0bF0b2B43 – Opensea user. I wanted to verify that “0b2B43” was indeed a hacker wallet.
Tracking ENS Interactions
Below we’ll focus on one ENS address, the-oasis.eth. The route this ENS took was very interesting. Starting with the minting of the ENS from Opensea:
-0x5c255c0571be150Fc482Ec3d345f6218188723bD [“The-Oasis_Gamemaster”]
–0x8d50d2EEEED7ea1De60C51Ba3f767e48dFbD2320 [Hacker 525K 2]
—0x834A683d81CeFafA9A97c2549d9D3fB0bF0b2B43 – Opensea user – owner
In all three instances, the ENS was transferred between wallets. In no instance was a sale ever made.
The Connection
Looking inside 0x834A683d81CeFafA9A97c2549d9D3fB0bF0b2B43 – Opensea user, I noticed a few interesting things.
This wallet is directly depositing into Binance accounts frequently used by Hacker 525k 1 and Hacker 525k 2. There are more similarities but those appear to be the main ones.
0xdBe063ddE9A72F511B64e75a4966F907942FC1a6 – Binance
0x2fe55e3d83c9d85cbfBf7520b5F3Df619744d0Af – Binance
0x834A683d81CeFafA9A97c2549d9D3fB0bF0b2B43 – Opensea user was directly funded on 10/9/21 and represents the first transaction by 0x8d50d2EEEED7ea1De60C51Ba3f767e48dFbD2320 [Hacker 525K 2]. – Etherscan TXN link
The wallet 0x5c255c0571be150Fc482Ec3d345f6218188723bD [“The-Oasis_Gamemaster”] appears to be directly connected to 0x834A683d81CeFafA9A97c2549d9D3fB0bF0b2B43 – Opensea user
Social Info
Twitter – Dartanyan1991
IG – Dartanyan1991
Reddit – u/Dartanyan1991
Bday – 9/15/1991
Ethnicity – Turkish maybe
Summary
This could very well be a victim or he could be directly connected to the hacker wallet. Similar to the other account, I checked Twitter and didn’t see any signs of a hack. Very interesting the wallet is no longer in use as of 11/11/2021.
Part 3 – Additional Info
Below is additional information I found. I don’t think there’s enough here yet. It’s worth documenting to investigate at a later time.
GankNFT
Social Info
Name – Chase
Wallet – 0x86c0F115926544fF39e0b12960Ee1CafEac35ebb – GankNFT
Twitter – GankNFT
Notes – Opensea and Twitter profile photo matches
Additional Wallet – 0x7D00cC2F5539dE3adE7c28975c236A23aa0b406e – “GankNTF on OpenSea”
Maybe Same person – I couldn’t find any on-chain connections but the twitter handle is very similar
Name – Edwin Enart
Location – Indonesia
Wallet – 0xD441Aaf73D3Fa35768B5c3AFE2f3C05d90D4e09F
Twitter – TheGank_NFT
Twitter 2 – Dino_Zard
IG – TheGank_NFT
***UPDATE 1 – Thank you all for the kind words! To be clear, this wasn’t my hack I was investigating. I was looking into another victim who lost 525K recently. The details of my hack I posted back in March here – https://www.reddit.com/r/CryptoCurrency/comments/11sksgs/i_got_hacked_and_lost_over_300k_today/
submitted by /u/jbtravel84
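
The shared-deposit-address link used in Parts 1 and 2 of the post, as an added example that is not part of the original post: wallets paying into the same per-customer exchange deposit address are grouped with union-find. All wallet and deposit names are constructed placeholders, and the example assumes the deposit addresses have already been labelled by an explorer or analytics tool. A shared deposit address ties wallets to one exchange account, not to a named person.

```python
from collections import defaultdict

# Constructed sample data: (sender, recipient) pairs using placeholder names,
# not addresses taken from the post.
TRANSFERS = [
    ("wallet_A", "dep_binance_1"),
    ("wallet_B", "dep_binance_1"),
    ("wallet_B", "dep_okx_1"),
    ("wallet_C", "dep_okx_1"),
    ("wallet_D", "dep_kucoin_1"),   # single sender: links nothing
    ("wallet_A", "wallet_E"),       # wallet-to-wallet transfer: ignored here
    ("wallet_F", "hot_wallet_x"),   # not labelled as a deposit address: ignored
]
# Assumption: these labels come from an explorer or analytics tool.
DEPOSIT_ADDRESSES = {"dep_binance_1", "dep_okx_1", "dep_kucoin_1"}


def senders_by_deposit(transfers, deposit_addresses):
    """Map each labelled deposit address to the set of wallets that paid into it."""
    senders = defaultdict(set)
    for src, dst in transfers:
        if dst in deposit_addresses:
            senders[dst].add(src)
    return senders


def cluster_wallets(transfers, deposit_addresses):
    """Group wallets that share at least one deposit address (union-find)."""
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for wallets in senders_by_deposit(transfers, deposit_addresses).values():
        first, *rest = sorted(wallets)
        for other in rest:
            parent[find(other)] = find(first)

    groups = defaultdict(set)
    for w in list(parent):
        groups[find(w)].add(w)
    return sorted((sorted(g) for g in groups.values() if len(g) > 1), key=lambda g: g[0])


if __name__ == "__main__":
    print(cluster_wallets(TRANSFERS, DEPOSIT_ADDRESSES))
```
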