Monkey Drainer, a multi-million-dollar bandit gang: fishing techniques, money tracking and team portraits
Original: "Slow Mist: “Unraveling” the mystery of the multi-million dollar gang Monkey Drainer"
Author: Slowmist Security Team
Event Background
On February 8, 2023, SlowMist received security intelligence from its partner ScamSniffer that a victim had lost more than $1,200,000 in USDC due to a long-standing phishing address.
On December 24, 2022, SlowMist Technology was the first in the world to disclose the “North Korean APT Large-scale NFT Phishing Analysis”. This incident is linked to another NFT phishing gang we track, Monkey Drainer. Because of confidentiality requirements, this article analyzes only some of the gang’s phishing materials and phishing wallet addresses.
Phishing analysis
Our analysis found that the main phishing method is to promote, through fake influencer Twitter accounts, Discord groups and similar channels, fake NFT bait sites offering malicious mints for collections traded on platforms such as OpenSea, X2Y2, and Rarible. The Monkey Drainer organization used more than 2,000 domains to phish Crypto and NFT users.
A lookup of the registration records for these domains shows that the registrations date back 4 months:
Initially, the Monkey Drainer group promoted phishing through fake Twitter accounts:
At the same time, the first phishing site aimed at NFTs appeared: mechaapesnft[.]art:
Let’s take a look at two specific correlational characteristics:
Tracing then proceeds from this combination of features:
After sorting the results, we tracked more than 2,000 NFT phishing URLs and other URLs with the same characteristics from 2022 to the present.
We used ZoomEye to conduct a global search to see how many phishing sites were running and deployed at the same time:
Among them, the latest sites have those disguised as Arbitrum airdrops:
**Unlike the North Korean hacking group, the Monkey Drainer phishing organization does not run a dedicated site per campaign to record victim visits; instead it deploys phishing pages directly and in bulk, which leads us to assume that the organization uses a phishing template to deploy automatically in batches.**
We continued to track the supply chain and found that the one used by the Monkey Drainer NFT phishing organization is a template offered by the existing gray-market industry chain, as seen in this sales advertisement:
Phishing Supply Chain Support Features:
Judging from the introduction, the price is favorable and the functions are perfect. Due to space limitations, I will not go into detail here.
Analysis of Phishing Techniques
Building on the “NFT zero-yuan purchase phishing” analysis previously released by SlowMist, we analyzed the core code used in this phishing event.
The analysis found that the core code is obfuscated and induces victims to sign Seaport orders, Permit messages and similar payloads; at the same time it uses the off-chain authorization signature mechanism of Permit (for USDC and other tokens) to upgrade the original phishing mechanism.
Find a random site to test and it will show up as “SecurityUpdate” phishing:
Then look at the data visualization:
By the way, the Rabby plugin wallet does a good job of visualizing and making it readable. More analysis will not be repeated.
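The article notes that the core code induces victims to sign Seaport orders and Permit messages, and later recommends that wallets identify signature requests and show what is being signed. The following is an added example, not code from the SlowMist article or from any wallet project, of a wallet-side classifier for JSON-RPC signing requests: it flags eth_sign as a blind signature, recognises an EIP-2612 style Permit and reports the spender, allowance and deadline, and recognises a Seaport OrderComponents listing and reports a zero-price listing. The function name classifySignRequest, the sample typed-data payloads and every address in them are constructed assumptions.

```javascript
// Added example (not from the SlowMist article): classify a wallet signing
// request so the user sees what a Permit or Seaport signature actually does.
// classifySignRequest and the sample payloads below are constructed for this
// example; the addresses are placeholders, not real contracts or accounts.

const UINT256_MAX = (1n << 256n) - 1n;

// Typed data carries amounts as decimal or hex strings; normalise to BigInt.
function toBigInt(v) {
  return typeof v === "bigint" ? v : BigInt(v);
}

// Returns { method, kind, risk, reasons } for one JSON-RPC signing request.
function classifySignRequest(method, params) {
  const out = { method, kind: "unknown", risk: "info", reasons: [] };

  if (method === "eth_sign") {
    // Signs an arbitrary 32-byte digest: the wallet cannot render the payload.
    out.kind = "blind_signature";
    out.risk = "high";
    out.reasons.push("eth_sign signs an opaque hash; the payload cannot be displayed");
    return out;
  }
  if (method === "personal_sign") {
    out.kind = "message";
    out.risk = "low";
    out.reasons.push("personal_sign prefixes the message; it cannot be replayed as a transaction or typed data");
    return out;
  }
  if (method !== "eth_signTypedData_v4" && method !== "eth_signTypedData") {
    out.reasons.push("unrecognised signing method");
    return out;
  }

  // EIP-712: params[0] is the signer, params[1] the typed-data JSON (string or object).
  const typed = typeof params[1] === "string" ? JSON.parse(params[1]) : params[1];
  const { primaryType, domain = {}, message = {} } = typed;

  if (primaryType === "Permit") {
    // EIP-2612 style off-chain approval: spender gains an allowance without an approve tx.
    out.kind = "erc20_permit";
    out.risk = "medium";
    const value = toBigInt(message.value ?? 0);
    const deadline = toBigInt(message.deadline ?? 0);
    out.reasons.push(`grants ${message.spender} an allowance on ${domain.name ?? "token"} via off-chain signature`);
    if (value === UINT256_MAX) {
      out.risk = "high";
      out.reasons.push("allowance is unlimited (uint256 max)");
    }
    if (deadline === UINT256_MAX) {
      out.risk = "high";
      out.reasons.push("deadline never expires");
    }
    return out;
  }

  if (primaryType === "OrderComponents" && domain.name === "Seaport") {
    // Seaport listing: offer = what the signer gives away, consideration = what they receive.
    out.kind = "seaport_order";
    out.risk = "medium";
    const offered = (message.offer ?? []).length;
    const received = (message.consideration ?? []).reduce(
      (sum, c) => sum + toBigInt(c.startAmount ?? 0), 0n);
    out.reasons.push(`lists ${offered} item(s) for sale`);
    if (offered > 0 && received === 0n) {
      out.risk = "high";
      out.reasons.push("zero-price listing: signer receives nothing for the offered items");
    }
    return out;
  }

  out.kind = "typed_data";
  out.reasons.push(`unrecognised primaryType ${primaryType}`);
  return out;
}

// Constructed sample requests (placeholder addresses, not captured from a real site).
const SIGNER = "0x" + "1".repeat(40);
const SPENDER = "0x" + "3".repeat(40);
const SAMPLE_PERMIT = [SIGNER, JSON.stringify({
  types: {}, primaryType: "Permit",
  domain: { name: "USD Coin", version: "2", chainId: 1, verifyingContract: "0x" + "2".repeat(40) },
  message: { owner: SIGNER, spender: SPENDER, value: UINT256_MAX.toString(), nonce: "0", deadline: UINT256_MAX.toString() },
})];
const SAMPLE_SEAPORT = [SIGNER, {
  types: {}, primaryType: "OrderComponents",
  domain: { name: "Seaport", version: "1.1", chainId: 1, verifyingContract: "0x" + "4".repeat(40) },
  message: {
    offerer: SIGNER,
    offer: [{ itemType: 2, token: "0x" + "5".repeat(40), identifierOrCriteria: "1", startAmount: "1", endAmount: "1" }],
    consideration: [{ itemType: 0, token: "0x" + "0".repeat(40), identifierOrCriteria: "0", startAmount: "0", endAmount: "0", recipient: SIGNER }],
  },
}];

console.log(classifySignRequest("eth_signTypedData_v4", SAMPLE_PERMIT));
console.log(classifySignRequest("eth_signTypedData_v4", SAMPLE_SEAPORT));
```

The two high-risk conditions mirror the mechanisms in the article: a Permit with an unlimited allowance lets the spender drain the token later with no on-chain approval visible to the user, and a Seaport order whose consideration sums to zero is the “zero-yuan purchase” pattern. A production wallet would additionally resolve the spender and verifyingContract against a label database before rendering the warning.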
On-chain aerial view
Based on the more than 2,000 phishing URLs above and the associated SlowMist AML malicious address database, we identified a total of 1,708 malicious addresses related to the Monkey Drainer NFT phishing gang, of which 87 were initial phishing addresses. These malicious addresses have been entered into the MistTrack platform and the SlowMist AML malicious address database.
Using the on-chain analysis dataset associated with the 1,708 malicious addresses, we can draw the following conclusions about the phishing gang:
Example phishing transactions:
Timeframe: The earliest active date for the on-chain address set is August 19, 2022, and it is still active in the near future.
Profit size: Approximately $12.972 million in total profits from phishing. Of this, 7,059 NFTs were phished, yielding 4,695.91 ETH, or about $7.61 million, accounting for 58.66% of the funds obtained; ERC20 tokens yielded about $5.362 million, accounting for 41.34% of the funds obtained, the main profitable ERC20 token types being USDC, USDT, LINK, ENS, and stETH. (Note: ETH prices are as of 2023/02/09, data source CryptoCompare.)
Details of the ERC20 tokens obtained are as follows:
(Profit ERC20 Token details table for phishing gang addresses)
Traceability analysis
The MistTrack team of SlowMist conducted on-chain traceability analysis of the malicious address set, and the flow of funds was as follows:
According to the Sankey chart, we traced a total of 3,876.06 ETH of the profits to addresses of known entities, of which 2,452.3 ETH was deposited into Tornado Cash and the rest was transferred to exchanges.
The sources of fees for the 87 initial phishing addresses are as follows:
According to the histogram of fee sources, 2 addresses received their fees from Tornado Cash, 79 addresses received transfers from personal addresses, and the remaining 6 addresses had not received any funds.
Typical example tracking
On February 8, the address that was hacked and lost more than $1,200,000:
The phishing address 0x69420e2b4ef22d935a4e2c194bbf3a2f02f27be1 obtained authorization over the victim’s address via phishing and transferred 1,244,107.0493 USDC to 0x9cdce76c8d7962741b9f42bcea47b723c593efff.
After the USDC was exchanged for ETH through MetaMask Swap, part of the ETH was transferred to Tornado Cash, and the remaining funds were transferred to the previously used phishing address.
Gang Portrait Analysis
Finally, thanks to ScamSniffer and NFTScan for their data support.
Summary
This paper mainly explores a relatively common NFT phishing method, uncovers the large-scale NFT phishing site cluster operated by Monkey Drainer, and extracts some of the phishing characteristics of the Monkey Drainer organization. As Web3 continues to innovate, so do the phishing techniques targeting Web3 users.
For users, it is necessary to assess the risk of the target address before performing on-chain operations, for example by entering the target address in MistTrack and viewing its risk score and malicious labels, which can to some extent avoid losing funds.
For wallet project teams, the first step is a comprehensive security audit, focusing on the security of user interaction, strengthening the WYSIWYG mechanism, and reducing the risk of users being phished, for example:
Phishing website alerts: Gather phishing websites of all kinds through the ecosystem or community, and show prominent risk warnings when users interact with these websites.
Identification of and warnings about signatures: Identify signature requests such as eth_sign, personal_sign and signTypedData, warn the user, and highlight the risk of blind signing with eth_sign.
What you see is what you sign: The wallet can parse contract calls in detail to avoid Approve phishing and let users see how the DApp constructed the transaction.
Pre-execution mechanism: Simulating the transaction before it is broadcast helps users understand its effect and predict the outcome of execution.
Same-tail-number scam warning: When displaying an address, remind the user to check the complete target address to avoid fraud using addresses with the same trailing characters. A whitelist mechanism lets users add commonly used addresses to a whitelist to avoid same-tail-number attacks.
AML compliance reminder: When transferring funds, the AML mechanism reminds users whether the destination address triggers AML rules.
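The same-tail-number recommendation above can be implemented as a recipient check that compares the full address against a user whitelist and flags any whitelisted entry that shares only the displayed head and tail of the target. The following is an added example, not code from the SlowMist article or from any wallet project; the function names checkRecipient, normalizeAddress and hexDistance, and all addresses, are constructed assumptions, and EIP-55 checksum validation is assumed to happen elsewhere in the wallet.

```javascript
// Added example (not from the SlowMist article): whitelist lookup that also
// detects lookalike addresses sharing the visible prefix and suffix.
// Function names and sample addresses are constructed for this example.

const ADDRESS_RE = /^0x[0-9a-fA-F]{40}$/;

// Normalise to lowercase hex and reject malformed input outright, so a bad
// address is never silently treated as "unknown". (EIP-55 checksum checks are
// assumed to be done elsewhere in the wallet.)
function normalizeAddress(addr) {
  if (typeof addr !== "string" || !ADDRESS_RE.test(addr)) {
    throw new Error(`malformed address: ${addr}`);
  }
  return addr.toLowerCase();
}

// Number of hex positions (after "0x") in which two normalised addresses differ.
function hexDistance(a, b) {
  let d = 0;
  for (let i = 2; i < a.length; i++) if (a[i] !== b[i]) d++;
  return d;
}

// Check a transfer target against a whitelist ({ address: label }).
// prefixLen/suffixLen mirror how many characters the wallet UI shows at each
// end of a truncated address, because that is all a lookalike needs to match.
function checkRecipient(target, whitelist, prefixLen = 4, suffixLen = 4) {
  const t = normalizeAddress(target);
  const entries = Object.entries(whitelist).map(([a, label]) => [normalizeAddress(a), label]);

  const exact = entries.find(([a]) => a === t);
  if (exact) return { verdict: "whitelisted", label: exact[1], lookalikes: [] };

  // Compare only the visible head (after "0x") and tail of the address.
  const head = t.slice(2, 2 + prefixLen);
  const tail = t.slice(t.length - suffixLen);
  const lookalikes = entries
    .filter(([a]) => a.slice(2, 2 + prefixLen) === head && a.slice(a.length - suffixLen) === tail)
    .map(([a, label]) => ({ address: a, label, differingChars: hexDistance(a, t) }));

  if (lookalikes.length > 0) {
    // Head and tail match a trusted entry but the middle does not: show the
    // full address and the trusted entry it imitates before allowing the send.
    return { verdict: "lookalike", label: null, lookalikes };
  }
  return { verdict: "unknown", label: null, lookalikes: [] };
}

// Constructed sample data (placeholder addresses, not real accounts).
const SAMPLE_WHITELIST_ADDR = "0xabcd" + "0".repeat(32) + "1234";
const SAMPLE_WHITELIST = { [SAMPLE_WHITELIST_ADDR]: "my exchange deposit" };
const SAMPLE_LOOKALIKE = "0xabcd" + "1".repeat(32) + "1234"; // same head and tail, 32 chars differ
const SAMPLE_UNRELATED = "0x9999" + "0".repeat(32) + "9999";

console.log(checkRecipient(SAMPLE_LOOKALIKE, SAMPLE_WHITELIST));
```

A "lookalike" verdict is the case the article warns about: the head and tail the user compares by eye match a trusted entry while the middle does not, so the wallet should render the complete target address next to the whitelisted one rather than the truncated form. An "unknown" verdict is where the AML label lookup described in the last recommendation would be applied.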