BAYC phishing scammers have been exposed by on-chain sleuth @Zachxbt, who discovered the identities of the thieves perpetrating the scams, and in so doing exposed some of the limits of Tornado Cash.
In a Medium post he detailed a few examples of people who had had their Apes stolen after signing transactions that handed control of the tokens to a malicious contract. This isn’t a new phenomenon by any stretch of the imagination, but it appears that many Ape holders willingly signed those transactions in the hope that a program would animate their NFT.
Unfortunately, what happened instead was that their NFTs were transferred to an attacker-controlled address and quickly sold on OpenSea.
Crypto mixers not as anonymous as one might have thought
The first crypto mixers were custodial services used to anonymise Bitcoin on the dark web, often in the hope of obscuring coins that had been spent or earned on the Silk Road marketplace. Bitcoin Script is not expressive enough to build a trustless mixer on-chain, so users had to hand their coins to a third party and trust that they would get them back, and many of the sites of the era were not reliable.
CoinJoin, proposed for Bitcoin in 2013, needs no protocol change: several users combine their inputs and outputs into a single transaction so that an observer cannot tell which input paid which output, and the same construction works on Bitcoin-derived chains such as Litecoin. It was somewhat controversial at the time, given that many people believe there are huge merits to a public ledger that doesn’t optimise for privacy, but on the whole it was supported.
Nowadays, CoinJoin isn’t very controversial at all, largely because it offers far weaker privacy than its users assume. Indeed, when Razzlekhan (the Bitfinex hack money launderer turned amateur rapper) was busted earlier this year, Chainalysis revealed that one of the ways it was able to track down some of the Bitcoin was through the weaknesses of CoinJoin. Clustering heuristics can now probabilistically assign CoinJoin outputs back to their likely owners.
Not only this, but it is very obvious on-chain when someone has used CoinJoin: the transactions have a recognisable structure (many equal-sized outputs), just as every Tornado Cash deposit and withdrawal is a call to a well-known contract. Unlike Bisq, which lets users swap between BTC and XMR peer-to-peer without leaving as much of a trail, both CoinJoin and Tornado Cash mark a wallet’s BTC/ETH as having passed through these services.
The Bitcoin blockchain tracks value as UTXOs, whereas the Ethereum blockchain uses an “account model”. A mixer such as Tornado Cash therefore had to be built quite differently from the early Bitcoin mixers, and on paper it ought to be a lot more difficult to crack than CoinJoin. A user deposits a fixed-denomination note (0.1, 1, 10 or 100 ETH) into a pool contract and later withdraws to any address by presenting a zero-knowledge proof of owning one of the pool’s deposits, without revealing which one. Cryptographically, the link between a deposit and its withdrawal is gone; the anonymity set is everyone else who has deposited into that pool. Or so one might have thought…
@Zachxbt’s online sleuthing has shown that “[the hackers] were not careful about covering their tracks when it came to withdrawing the funds from Tornado”.
In the case of the first victim, Dilly Dilly, the attacker made 73 ETH from the sale and deposited it into Tornado Cash as seven 10 ETH notes and three 1 ETH notes. On the very same day, 13 December 2021, seven 10 ETH notes and three 1 ETH notes were withdrawn from Tornado Cash to the wallet mathys.eth. The zero-knowledge proof hides which deposit each withdrawal corresponds to, but it does nothing to hide the amounts or the timing, and that pattern is unmistakable.
The same pattern repeated for the next two victims, for another 150 ETH of profit landing at mathys.eth. Mathys.eth then moved the funds (a total of $1.09m) through the centralised exchanges Kraken and Bitpanda and the swap service SideShift.
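To make the correlation concrete, the following is an added example written for this article, not code from @Zachxbt’s write-up or from any chain-analysis vendor. It runs a simple amount-and-timing heuristic over a constructed event list that mirrors the seven-by-10 plus three-by-1 pattern described above: for every withdrawal recipient it looks for a depositor whose deposits in the preceding window form exactly the same multiset of note sizes. All addresses and timestamps are placeholders, the `Event` type and the window parameter are my own assumptions, and the example deliberately includes a user whose withdrawals are spread over weeks to show how the same heuristic misses when the timing does not line up.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Tornado Cash ETH pools only accept fixed note sizes, so every deposit and
# withdrawal is one of these denominations (these are the real pool sizes).
ETH_POOLS = (0.1, 1.0, 10.0, 100.0)


@dataclass(frozen=True)
class Event:
    """One pool interaction; a hypothetical record type, not Tornado's ABI."""
    kind: str        # "deposit" or "withdraw"
    address: str     # depositor for deposits, recipient for withdrawals
    denom: float     # pool denomination in ETH
    ts: datetime     # block timestamp


def _by_address(events, kind):
    groups = defaultdict(list)
    for e in events:
        if e.kind == kind:
            if e.denom not in ETH_POOLS:
                raise ValueError(f"{e.denom} ETH is not a pool size")
            groups[e.address].append(e)
    return groups


def link_by_pattern(events, window=timedelta(hours=24), min_notes=2):
    """Link withdrawal recipients to depositors whose deposits inside
    [first withdrawal - window, last withdrawal] form exactly the same
    multiset of note sizes. Returns dicts with the matched pattern and
    `competitors`, the number of depositors that fit, i.e. the effective
    anonymity set behind the link (1 means a unique match)."""
    deposits = _by_address(events, "deposit")
    withdrawals = _by_address(events, "withdraw")
    links = []
    for recipient, outs in withdrawals.items():
        pattern = Counter(e.denom for e in outs)
        if sum(pattern.values()) < min_notes:
            continue  # a single note matches too many depositors to mean much
        first_out = min(e.ts for e in outs)
        last_out = max(e.ts for e in outs)
        candidates = []
        for depositor, ins in deposits.items():
            in_window = [e for e in ins if first_out - window <= e.ts <= last_out]
            if Counter(e.denom for e in in_window) == pattern:
                candidates.append(depositor)
        for depositor in candidates:
            links.append({"depositor": depositor, "recipient": recipient,
                          "pattern": dict(pattern), "competitors": len(candidates)})
    return links


def sample_events():
    """Constructed events modelled on the pattern in the article; the
    addresses and times are placeholders, not real chain data."""
    d = datetime(2021, 12, 13, 9, 0)
    ev = []
    # the thief deposits 73 ETH: seven 10 ETH notes and three 1 ETH notes
    for i in range(7):
        ev.append(Event("deposit", "0xTHIEF", 10.0, d + timedelta(minutes=i)))
    for i in range(3):
        ev.append(Event("deposit", "0xTHIEF", 1.0, d + timedelta(minutes=10 + i)))
    # the same day, the same multiset of notes leaves the pools to one wallet
    for i in range(7):
        ev.append(Event("withdraw", "mathys.eth", 10.0, d + timedelta(hours=6, minutes=i)))
    for i in range(3):
        ev.append(Event("withdraw", "mathys.eth", 1.0, d + timedelta(hours=6, minutes=10 + i)))
    # an unrelated user in the 10 ETH pool on the same day
    ev.append(Event("deposit", "0xALICE", 10.0, d + timedelta(hours=1)))
    ev.append(Event("withdraw", "0xALICE_fresh", 10.0, d + timedelta(hours=8)))
    # a careful user: same note sizes, but withdrawals spread over three weeks
    for i in range(3):
        ev.append(Event("deposit", "0xCAREFUL", 1.0, d + timedelta(hours=2, minutes=i)))
    for w in range(3):
        ev.append(Event("withdraw", "0xCAREFUL_fresh", 1.0, d + timedelta(weeks=w + 1)))
    return ev


if __name__ == "__main__":
    for link in link_by_pattern(sample_events()):
        print(link)
    # widening the window to a month also catches the careful user
    print(len(link_by_pattern(sample_events(), window=timedelta(weeks=4))), "links at 4 weeks")
```

With the default one-day window only the mathys.eth link is reported, and it has a single competitor, so the withdrawal pattern identifies the depositor uniquely; the careful user is only linked once the window is widened to a month, which also starts to admit more false candidates on a busy pool. Nothing here touches the zero-knowledge proof: the heuristic works purely on what the proof was never designed to hide.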
Who is mathys.eth?
This next part of the exposé is a rather impressive example of investigation. The source code contained a reference to the developer’s Telegram handle, @mtscam, whose profile picture ultimately led to a Twitter account run by someone called Mathys, and to his response to allegations that he committed these crimes. He appears most likely to be guilty, and yet he is the one pursuing legal proceedings, citing the damage to his reputation and the way people have treated him since the news broke.
It appears that Mathys was working with his friend Camille, and that they have been doing this sort of thing for some time. Mathys bragged on Twitter several times about 100 ETH withdrawals he had made from Tornado Cash and appears to own a large amount of XMR; only time will tell what will happen to him.