On-chain investigator ZachXBT recently detailed a significant BTC phishing operation that resulted in the theft of 3,520 BTC from a single wallet. The funds, reportedly owned by an elderly investor, were siphoned off in a highly personalized scam.
The scam came to light amidst a rally of Monero (XMR) to a one-year high, as it appeared the perpetrators were attempting to liquidate their ill-gotten gains through the privacy-focused cryptocurrency. However, their efforts were not entirely successful, as ZachXBT reported that $7M of the stolen funds were subsequently frozen, thanks to the joint efforts of other on-chain investigators and the security team at Binance.
The suspected culprits are two UK-based social media personalities known online as Nina/Mo and W0rk. Deleting their social media presence did nothing to cover their tracks on-chain: the Bitcoin ledger is public and append-only, so the movement of the stolen funds remained traceable regardless of what was removed off-chain.
The victim, a US-based investor and early Bitcoin adopter, reportedly moved the funds to a new address about a month ago, which investigators believe may have inadvertently exposed the wallet to the scammers. Investigators are still unsure whether the victim was deceived into exposing his wallet or into transferring the funds himself, or whether his key-management practices were simply inadequate. No evidence of malware or smart contracts has been found, suggesting a more traditional confidence scam rather than a technical compromise.
It is worth noting that large Bitcoin heists of this kind are relatively rare, primarily because BTC is not typically held in easily accessible Web3 wallets that can be drained through a malicious signature or approval prompt. This phishing team managed to breach that norm.
A portion of the stolen funds is still traceable, having been moved to new addresses and divided into smaller sums of approximately 5 BTC each. Over 17 BTC ended up in a KuCoin hot wallet, which, being custodial, gives investigators an opportunity to have the funds frozen.
The victim’s address sent multiple transactions to the scammers’ address, the largest of which was for about 2,780 BTC. It remains unclear whether these transactions were made willingly by the victim or whether the wallet’s keys were compromised.
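The tracing described above (follow the victim’s outflows forward, notice the uniform ~5 BTC splitting, and stop where the funds hit a labelled exchange hot wallet) is easy to reproduce with a small forward-taint walk over a transaction graph. The code below is an added example and not part of the original report or of any tracing tool ZachXBT uses; the transactions, addresses and the "KuCoin hot wallet" label are constructed sample data, not real on-chain identifiers. It uses the naive "every output of a transaction spending a tainted input is tainted" model; real investigations add change-detection and clustering heuristics that this example omits.

```python
from collections import defaultdict, deque

# Constructed sample transactions (hypothetical txids and addresses, not real
# chain data). Amounts are in BTC. Shape mirrors the case in the article:
# victim -> thief, thief splits into ~5 BTC outputs, splits consolidate into
# an exchange hot wallet. tx5 is an unrelated deposit that must NOT be flagged.
SAMPLE_TXS = [
    {"txid": "tx1", "inputs": ["victim"],
     "outputs": [("thief_a", 2780.0), ("victim", 740.0)]},  # change back to victim
    {"txid": "tx2", "inputs": ["victim"],
     "outputs": [("thief_a", 740.0)]},
    {"txid": "tx3", "inputs": ["thief_a"],
     "outputs": [("peel_1", 4.9), ("peel_2", 5.0), ("peel_3", 5.1),
                 ("peel_4", 5.0), ("thief_b", 3500.0)]},
    {"txid": "tx4", "inputs": ["peel_1", "peel_2", "peel_3", "peel_4"],
     "outputs": [("kucoin_hot", 17.4), ("peel_5", 2.6)]},
    {"txid": "tx5", "inputs": ["unrelated"],
     "outputs": [("kucoin_hot", 1.0)]},
]

# Hypothetical attribution labels; in practice these come from exchange
# attribution work, not from the chain itself.
SAMPLE_LABELS = {"kucoin_hot": "KuCoin hot wallet"}


def spend_index(txs):
    """Map each address to the transactions that spend from it."""
    idx = defaultdict(list)
    for tx in txs:
        for addr in tx["inputs"]:
            idx[addr].append(tx)
    return idx


def uniform_split_size(outputs, min_parts=3, tol=0.10):
    """Return the approximate chunk size if >= min_parts outputs are within
    tol (relative) of each other, else None. Detects the ~5 BTC splitting."""
    amounts = [a for _, a in outputs]
    for ref in amounts:
        near = [a for a in amounts if abs(a - ref) <= tol * ref]
        if len(near) >= min_parts:
            return round(sum(near) / len(near), 2)
    return None


def trace_forward(txs, seed, labels, max_hops=10):
    """Breadth-first forward taint from `seed`.

    Returns tainted addresses with hop distance, deposits into labelled
    (custodial) addresses, and transactions that show uniform splitting.
    Tracing stops at a labelled address: once funds are in an exchange's
    omnibus wallet, on-chain tracing ends and the exchange's records begin.
    """
    idx = spend_index(txs)
    tainted = {seed: 0}
    queue = deque([seed])
    seen_tx = set()
    deposits, splits = [], []
    while queue:
        addr = queue.popleft()
        hops = tainted[addr]
        if hops >= max_hops:
            continue
        for tx in idx[addr]:
            if tx["txid"] in seen_tx:
                continue
            seen_tx.add(tx["txid"])
            size = uniform_split_size(tx["outputs"])
            if size is not None:
                splits.append((tx["txid"], size))
            for out_addr, amount in tx["outputs"]:
                if out_addr in labels:
                    deposits.append((tx["txid"], out_addr, labels[out_addr], amount))
                    continue  # custodial: do not walk past the exchange
                if out_addr not in tainted:
                    tainted[out_addr] = hops + 1
                    queue.append(out_addr)
    return {"tainted": tainted, "deposits": deposits, "splits": splits}


def total_to_label(result, label):
    """Sum of tainted funds that landed in addresses carrying `label`."""
    return round(sum(a for _, _, lbl, a in result["deposits"] if lbl == label), 2)


if __name__ == "__main__":
    res = trace_forward(SAMPLE_TXS, "victim", SAMPLE_LABELS)
    print("uniform splits:", res["splits"])
    print("exchange deposits:", res["deposits"])
    print("BTC reachable at KuCoin:", total_to_label(res, "KuCoin hot wallet"))
```

On the sample data the walk flags tx3 as a ~5.0 BTC split and reports 17.4 BTC of tainted funds reaching the labelled KuCoin address via tx4, while the unrelated 1 BTC deposit in tx5 is never touched because its input was never tainted. The hop limit and the stop-at-label rule are what keep a naive taint walk from swallowing the whole chain; the remaining inaccuracy (treating the 740 BTC change in tx1 as if it had left the victim) is the kind of thing change heuristics exist to correct.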
While most confidence scams involving cryptocurrency typically use stablecoins, which are easier to move and hide, often through peer-to-peer markets such as Huione Guarantee, this case stands out for its use of BTC. The pattern of targeting elderly investors, however, is a familiar one.
Following the theft, XMR’s price remained high, at over $280. Nearly half of all XMR trading activity was concentrated on KuCoin. One potential hurdle for the scammers could be an inability to withdraw XMR from the exchange, which may also explain the elevated trading volumes as other traders seized the opportunity.
While KuCoin publicly discloses its reserves of BTC, ETH, and stablecoins, it does not provide data on how much XMR is actually available for withdrawal. This matters because XMR held on an exchange is only an entry in the exchange’s internal ledger, tied to a KYC’d account and to the deposit that funded it; Monero’s on-chain privacy guarantees do not apply to such a custodial balance, so it offers the scammers no real anonymity. Notably, KuCoin was not mentioned in ZachXBT’s report as assisting in the interception of the stolen funds. The MEXC exchange also appeared in some of the swaps, although it too has not disclosed its available reserves of XMR or other cryptocurrencies.