Crypto scammers use fake YouTube bots, AI videos, and obfuscated smart contracts to steal $900K+, targeting unwary traders.
Analysis Summary
# Tool/Technique: Stolen Crypto Smart Contract Drainer
## Overview
This entry covers malicious smart contracts, primarily written in Solidity for the Ethereum blockchain, that are disguised as legitimate cryptocurrency trading bots or tools. Their sole purpose is to trick users into deploying them; once deployed, the contract lets the attacker drain funds from the victim's linked wallet, an externally owned account (EOA).
## Technical Details
- Type: Malware (Malicious Smart Contract)
- Platform: Ethereum Virtual Machine (EVM) compatible blockchains (e.g., Ethereum)
- Capabilities: Funds extraction to obfuscated attacker-controlled wallet addresses; deceptive promotion of the contract as a trading bot.
- First Seen: Campaigns ongoing since at least early 2024.
## MITRE ATT&CK Mapping
Since this is a supply chain/application-layer attack targeting blockchain assets specifically, direct mappings are conceptual:
- **TA0001 - Initial Access** (via social engineering / deceptive promotion)
  - **T1566 - Phishing**
    - T1566.002 - Spearphishing Link (link to the contract code in the video description)
- **TA0010 - Exfiltration**
  - **T1048 - Exfiltration Over Alternative Protocol** (transferring stolen ETH off-chain)
## Functionality
### Core Capabilities
- **Deception:** Posing as legitimate crypto trading bots promoted via social media (YouTube).
- **Deployment Facilitation:** Providing links to weaponized Solidity code hosted on public services (Pastebin, TinyURL, etc.).
- **Unauthorized Transfer:** Executing functions upon deployment/interaction that transfer the user's assets to the attacker's wallet.
### Advanced Features
- **Address Obfuscation:** Employing various techniques to hide the destination Externally Owned Account (EOA) address where stolen funds are routed:
  - **XOR Obfuscation:** XORing two 32-byte constants (sometimes named `DexRouter` or `factory`) to derive the wallet address.
  - **String Concatenation:** Assembling the address from fragmented strings.
  - **Large Decimal to Hex Conversion:** Converting a 256-bit integer to `uint160` to extract the address, discarding the high bytes.
- **Laundering:** Utilizing different associated EOA addresses across various contract versions.
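Each of the three address-hiding patterns above can be reversed during code review, so the payout EOA is known before anything is deployed. The helper below is an added example written for this summary, not code from the analyzed contracts; the `SAMPLE_*` values are constructed stand-ins, not the scammers' real constants, and the function names are my own.

```python
"""Recover the payout address hidden by the three obfuscation patterns above.

Added helper for this summary, not code from the analyzed contracts; the
SAMPLE_* values are constructed, not the scammers' real constants.
"""
import re

ADDRESS_MASK = (1 << 160) - 1  # uint160(x) keeps only the low 20 bytes


def as_address(value: int) -> str:
    """Format the low 160 bits of an integer as a 0x-prefixed 20-byte address."""
    return "0x" + format(value & ADDRESS_MASK, "040x")


def recover_xor_address(const_a: str, const_b: str) -> str:
    """Pattern 1: address = bytes32 const_a ^ bytes32 const_b (e.g. DexRouter ^ factory)."""
    return as_address(int(const_a, 16) ^ int(const_b, 16))


def recover_concat_address(fragments: list) -> str:
    """Pattern 2: address assembled from string fragments, joined in source order."""
    joined = "".join(f.strip() for f in fragments).lower()
    if joined.startswith("0x"):
        joined = joined[2:]
    if not re.fullmatch(r"[0-9a-f]{40}", joined):
        raise ValueError("fragments do not assemble into a 20-byte hex address")
    return "0x" + joined


def recover_uint160_address(decimal_literal: str) -> tuple:
    """Pattern 3: uint160(<256-bit decimal>) silently drops the high 96 bits.

    Returns (address, discarded_high_bits) so a reviewer can also see the
    padding that made the literal look like an innocent numeric parameter.
    """
    value = int(decimal_literal)
    return as_address(value), value >> 160


# Constructed samples: hidden addresses are 0x11..11 (XOR), 0x33..33 (concat), 0x22..22 (uint160).
SAMPLE_XOR_A = "0123456789abcdef" * 4
SAMPLE_XOR_B = "0123456789abcdef01234567" + "98badcfe" + "1032547698badcfe" * 2
SAMPLE_FRAGMENTS = ["0x3333", "33333333", "3" * 28]
SAMPLE_DECIMAL = str((0xC0FFEE << 160) | int("22" * 20, 16))

if __name__ == "__main__":
    print("XOR     ->", recover_xor_address(SAMPLE_XOR_A, SAMPLE_XOR_B))
    print("concat  ->", recover_concat_address(SAMPLE_FRAGMENTS))
    addr, high = recover_uint160_address(SAMPLE_DECIMAL)
    print("uint160 ->", addr, "discarded high bits:", hex(high))
```

Once recovered, the address can be checked against block explorers and the EOAs listed under Associated Threat Actors below.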
## Indicators of Compromise
- File Hashes:
  - SHA256 (Solidity contracts analyzed):
- File Names: N/A (These are contract definitions, not file names, though they can be saved under various names during local compilation).
- Registry Keys: N/A
- Network Indicators:
  - URLs hosting smart contract code (defanged):
    - `hxxps://pastebin[.]com/raw/8Yar7QyU`
    - `hxxps://www[.]is[.]gd/SvLp4d`
    - `hxxps://www[.]tinyurl[.]com/m89fj9wm`
    - `hxxps://codeshare[.]io/0bV94e`
- Behavioral Indicators: Deployment of a Solidity contract via Remix IDE that initiates unauthorized token transfers upon subsequent interaction.
## Associated Threat Actors
- Unnamed threat actors operating widespread cryptocurrency scams, potentially leveraging AI-generated video content for distribution.
- Actors associated with the specific EOA addresses:
  - `0x2eEE3A0ed51AE22813050212E8D9Fa216bd51df4` (ToddTutorials contract EOA)
  - `0x7359EA6AA3343b3238171e76F97e6aA3cDB8d696` (SolidityTutorials contract EOA)
  - `0x872528989c4D20349D0dB3Ca06751d83DC86D831` (JazzBraze contract EOA, linked to $900k+ profit)
## Detection Methods
- Signature-based detection: Detecting known byte patterns or strings associated with the specified obfuscation techniques within new Solidity source code.
- Behavioral detection: Monitoring new contract deployments for functions that request approvals for, or execute, `transfer` or `transferFrom` calls to external, previously unseen EOAs immediately after deployment or first interaction.
- YARA rules: Creating YARA rules based on the unique code structures or obfuscation constants discovered in the XOR methods.
## Mitigation Strategies
- **User Education:** Treat promotional content for trading tools or bots found on unverified social media (especially YouTube) with extreme suspicion.
- **Verification:** Never deploy a smart contract provided via external links in video descriptions without thorough, expert review.
- **Code Review:** Use expert analysis to check Solidity code for obfuscation techniques targeting EOA addresses before deployment.
- **Wallet Security:** Use dedicated wallets for high-value interactions and ensure multi-factor authentication or hardware wallet confirmation where possible.
## Related Tools/Techniques
- Social Engineering via Video Content (Leveraging aged YouTube accounts, potentially using AI-generated presenters).
- Solidity Compilation/Deployment via Remix IDE (The utilized platform for deploying malicious code).
- Cryptojacking/Worm Scams (General category of financially motivated blockchain attacks).