Tracking a hacker that stole $10M from NFT projects

May 25, 2022

How our Discord hack led us to find one of the most notorious Discord scammers in web3, and why this info needs to be spread.

TL;DR

  • We were able to find and report a scammer who stole at least 10 million dollars from dozens of projects, including the @BoredApeYC Discord hack.
  • We waited for more than a month for an investigation to get going, but nothing seems to be moving. In the meantime the scammer kept stealing and made millions more.
  • Our goal is to get victims and competent people to come together and start a prosecution.

On the 18th of April one of our admins was compromised, a fake minting page was posted in our discord and the hacker stole NFTs that he sold for 33 eth.

Scam announcement posted by the hacker on our Discord

We quickly announced that we will refund everyone, and have done so since then (around 37 eth were refunded).

Post-hack announcement about refunds

We then started a discord audit, and in parallel an investigation. The hack was done through a phishing discord invite.

Our admin got into a fake Discord server with a fake verification bot (a fake captcha.bot website). First we looked into the hacked admin; he is a doxxed team member. After making sure he was indeed a victim, we moved on to our collab manager, who brought the link.

Fake Captcha.bot website with the “Drag Me” button trick phishing discord tokens

This sent us down a rabbit hole for 48h. We exhausted many leads, looking through on-chain transactions and off-chain clues. While doing that, one of our co-founders went into our logs and found a Discord ID that got a mod role during our hack:

Discord profile of the hacker
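The log check described above can be scripted. This is an added example, not code from the 9Tales team: it scans exported Discord audit log entries for privileged role grants inside an incident window, dating each entry from its snowflake ID. The entries, IDs, role names and the one-day window are constructed sample data.

```python
from datetime import datetime, timezone

DISCORD_EPOCH_MS = 1420070400000  # snowflake epoch, 2015-01-01T00:00:00Z
MEMBER_ROLE_UPDATE = 25           # audit log action type for role add/remove
UTC = timezone.utc

def snowflake_time(snowflake):
    """Creation time stored in the bits above the low 22 of a snowflake ID."""
    ms = (int(snowflake) >> 22) + DISCORD_EPOCH_MS
    return datetime.fromtimestamp(ms / 1000, tz=UTC)

def sample_id(when):
    """Build a constructed snowflake for the sample data below."""
    return str((int(when.timestamp() * 1000) - DISCORD_EPOCH_MS) << 22)

def privileged_grants(entries, privileged, start, end):
    """Return grants of privileged roles logged between start and end."""
    hits = []
    for e in entries:
        when = snowflake_time(e["id"])
        if e.get("action_type") != MEMBER_ROLE_UPDATE or not start <= when <= end:
            continue
        for change in e.get("changes", []):
            if change.get("key") != "$add":   # "$remove" entries are not grants
                continue
            for role in change.get("new_value", []):
                if role["name"].lower() in privileged:
                    hits.append({"when": when, "granted_by": e["user_id"],
                                 "granted_to": e["target_id"], "role": role["name"]})
    return sorted(hits, key=lambda h: h["when"])

def entry(when, actor, target, key, role, action=MEMBER_ROLE_UPDATE):
    """Constructed audit log entry in the shape of a Discord export."""
    return {"id": sample_id(when), "action_type": action, "user_id": actor,
            "target_id": target,
            "changes": [{"key": key, "new_value": [{"id": "9", "name": role}]}]}

# Constructed audit log export; every ID and role name is a placeholder.
ADMIN, UNKNOWN, MEMBER = "100000000000000001", "200000000000000002", "300000000000000003"
SAMPLE = [
    entry(datetime(2022, 4, 11, 9, 0, tzinfo=UTC), ADMIN, MEMBER, "$add", "Moderator"),
    entry(datetime(2022, 4, 18, 14, 2, tzinfo=UTC), ADMIN, MEMBER, "$add", "Holder"),
    entry(datetime(2022, 4, 18, 14, 5, tzinfo=UTC), ADMIN, UNKNOWN, "$add", "Moderator"),
    entry(datetime(2022, 4, 18, 14, 9, tzinfo=UTC), ADMIN, MEMBER, "$remove", "Moderator"),
    entry(datetime(2022, 4, 18, 14, 10, tzinfo=UTC), ADMIN, MEMBER, "$add", "Moderator", action=72),
]
# Assumed incident window: the whole day of the hack, in UTC.
WINDOW = (datetime(2022, 4, 18, tzinfo=UTC), datetime(2022, 4, 19, tzinfo=UTC))

if __name__ == "__main__":
    for hit in privileged_grants(SAMPLE, {"moderator", "admin"}, *WINDOW):
        print(hit["when"].isoformat(), hit["granted_by"], "->", hit["granted_to"], hit["role"])
```

The grant is issued by the compromised admin account, so the account to investigate is the one in `granted_to`, not the actor.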

We contacted this account and to our surprise he answered and asked us to contact him on a different account. He confirmed that he is the hacker (which we already knew through the logs). He claimed that he had stolen more than 10 million dollars from more than 50 projects (below is a screenshot of one of his wallets).

Hacker stating that he stole over 10m with his friends
A wallet of the hacker he shared during a call with one of the founders

He also gave us the names of some projects with which he claims to have done insider jobs with some of their team members. Here is a picture, made by @zachxbt mapping some of his hacks to a wallet holding 3.9M dollars.

Mapping of scammer wallets by @zachxbt

Immediately after we contacted him, he shared a picture of his place with his Discord open (the picture below is a blurred version of the original picture) to “flex” on us. But this picture had a clue!

Picture sent by the hacker showing his conversation with the co-founder on discord, and a towel.

In the corner of the picture there is a towel, and on the side of this towel, spanning just a few pixels, there is the name of a sort of hotel. We went out looking for this place, without much hope. Most probably the towel was brought from somewhere else …

Surprisingly, the hotel matched the outdoor trees and nature in the picture on Google Street View. We were still not 100% sure it was his place; maybe the photo was doctored to include some fake clues. Maybe he didn’t make a mistake, but he was messing with us …

So, our co-founder kept contact with him. He ended up in a voice call with him, and the scammer tried to convince our co-founder to help him scam 9Tales again. We saw this as an opportunity to get more info on him.

In parallel we assembled all the proofs we had, called the local police in that area, and gave them all the information/evidence we have.

Next, the scammer did a video call with our co-founder. He did not show his face, but was walking around his place and showing the surroundings …

Discussion between our co-founder and the hacker

This meant that we were able to confirm that the picture he sent earlier was not doctored!! The video was not prerecorded either, as the voice interactions with our co-founder and some lag during the calls could not have been predicted by the scammer.

He was indeed in that place, and he overestimated himself. We also saw his feet which confirmed to us his ethnicity. But, as this place was a sort of hotel, there was a risk that he will move out soon. And indeed, he confirmed that he was there just for a few days.

We again started calling the local police, trying all we could to convince them to at least go get his identification information before he moved. As he is a US citizen and we had no one in the US, the police were very reluctant to do anything.

After spending what looked like an eternity trying to convince them, an officer was sent to his place. He took his identification from the hotel, he confirmed that there were people staying just for the week-end in that place, and that one of them matched our description.

Funnily enough, our co-founder was in a video call with the scammer when the officer was looking for him, we have a recording of the scammer wondering why a police officer was looking around… Unbeknownst to him, the officer was actually sent by us!

But all of this did not help: the local police refused to do any more work and their report with identification info is now sitting in an office … We contacted the FBI many times; their answer was to just file an IC3 complaint and wait. Which we did.

Meanwhile, the scammer was still working; we witnessed four attacks linked to him. We watched but could not do anything to stop him. We believe that he must have got millions of dollars after our complaint was filed. And he stated to our co-founder that he was also involved in the TicketTools bot hack, which affected many big Discord servers like @BoredApeYC, @doodles, @KaijuKingz, @squiggles and more.

We asked the FBI if the investigation was advancing and got no answers. We also asked them if we could make an announcement or try to get other victims with us so we can push the investigation more and file a complaint where he lives. We got no answer to that either.

Given the situation (the fact that our complaint might not even have started an investigation, and the growing number of victims of this scammer), and after trying everything we can, we feel like we have exhausted all our options.

Hacker stating that he was behind the Mad Meerkat hack a few moments after the hack happened

We are not the police, and we are not detectives. We cannot fly to the US and work on this for months while our project is on hold. This whole story already made us delay our mint, and put the project that we have poured our souls into in jeopardy.

Our last resort was to go public about this, and hope that other victims and competent people will reach out to us in order to build a strong case against him. We will tag all the projects that are allegedly victims of his scams and that we know of. Please reach out to us.

Here’s the list of affected projects we know of:

@JRNYclub @MekaVerse @RareBearsNFT @MadMeerkatNFT @FlurETH @MinTechBots @DreamProtocols @WTPhunksNFT @8700ronin

Ticket Tools hack (linked to him): @BoredApeYC @doodles @KaijuKingz @squiggles @shamanzs @nyokiclub

Like we said before, the hacker also claimed to have worked with some projects to do insider jobs. However, we will not share these projects' names here and will leave that to the authorities. We hope that this case will bring down the crooked projects who scammed their own members, and the people who helped this scammer achieve his goals.

As for the proofs and doxxing material, we have already shared that with our partners (advisors, investors …). If any person, trusted in the space or competent, believes he can help speed up this investigation, and would like to verify our claims, we invite you to contact us and we will be happy to share our documents with you once an NDA is signed.

This also shows that scammers are not immune. They make mistakes too and can get caught, and teams should pursue investigations and do everything possible to recover funds.

As a final note, we hope that this scammer and the people around him will be caught and that this will be a small step toward making the web3 space cleaner.

Copyright 2022 - 9Tales
