Open 314159265359879 opened 1 year ago
SP30F77CBR0DSZAET7A5WYMGDHRNDQYDHCPK5SWMC
WonSTX scammer
from SP30F77CBR0DSZAET7A5WYMGDHRNDQYDHCPK5SWMC off-ramped to this likely exchange address SP22GF51PH2HRMWME1HJMDB54VFY5YMZXCMXKZ26V With this memo: jSJasoaKNXvG2ta https://explorer.hiro.so/txid/0xdfe12827821dcaae43955ec8789b08dd6e35abe21a4f949658e0a025bcdbcc6a?chain=mainnet
Very much in support of this, great initiative @314159265359879
This will be helpful for users. I'm 100% aligned with the proposal.
Date: June 15th 2023
A: SP20ATZMT9K27BE5VSSMHKAFZQGMV8AV8YFMY4DAD To: Exchange Kucoin - SPX8T06E8FJQ33CX8YVR9CC6D9DSTF6JE0Y8R7DS Memo: 1910082500 (the scammers' account on Kucoin)
B: Fake iOS app
C: https://explorer.hiro.so/txid/0x8b8ce176bf3f495e852ad88e01346b7df7d218c0a5e8c43641edbc232b71372e?chain=mainnet
Date: July 13th 2023
A: SP2KW0M6MBSSAV1BFDKH56VFNZK73Z36C0N369K9M
B: wonstx scam
C: https://explorer.hiro.so/txid/0x6829fa018ff0642fbc90255a8d3901e38f7f763c89c8fad629a2cbec01efaa63?chain=mainnet
likely similar cases, other incoming transactions on the scammers' address: https://explorer.hiro.so/txid/0x5c562632474759b6454a31f26edaaae5661bdc261722acb7dd6df28435d4d6bf?chain=mainnet https://explorer.hiro.so/txid/0x9913dba3951dddc7c3a02d7bd84a0b258195374f5c2cadebc57b026b667c89d4?chain=mainnet
June 15th
A: SP20ATZMT9K27BE5VSSMHKAFZQGMV8AV8YFMY4DAD To: Exchange Kucoin - SPX8T06E8FJQ33CX8YVR9CC6D9DSTF6JE0Y8R7DS Memo: 1910082500 (the scammers' account on Kucoin)
B: Fake iOS app
C: https://explorer.hiro.so/txid/0x010ba51215b02f062be3d80fa3355bda5dd2c34cee6f1557c4f1e28e3bfa9738?chain=mainnet
June 17, 2023
A. Scammers addresses:
SP6RBV6HPPVJQ319AGK5Z7YA23YSNNZGX5QDTESG https://explorer.hiro.so/address/SP6RBV6HPPVJQ319AGK5Z7YA23YSNNZGX5QDTESG?chain=mainnet
SP1S7XGG3Z9K2163E6F63RYMQC5KXPKEGBFM9EHNY https://explorer.hiro.so/address/SP1S7XGG3Z9K2163E6F63RYMQC5KXPKEGBFM9EHNY?chain=mainnet
B. Fake iOS/Android app
C. In this final transaction, 11,658 STX were sent to Kucoin Exchange: https://explorer.hiro.so/txid/0x26d027e73889a1efa1bd60233beb87a089a660861bdc5291de99869288a802df?chain=mainnet
Sent to: Exchange Kucoin - SPX8T06E8FJQ33CX8YVR9CC6D9DSTF6JE0Y8R7DS https://explorer.hiro.so/address/SPX8T06E8FJQ33CX8YVR9CC6D9DSTF6JE0Y8R7DS?chain=mainnet Using Kucoin Exchange Memo: 1913375219
October 6, 2023
A. SP2T8R1SSNJ9YQNPG7T1HBB7VF5FXJJP0KVN3JNRT https://explorer.hiro.so/address/SP2T8R1SSNJ9YQNPG7T1HBB7VF5FXJJP0KVN3JNRT?chain=mainnet
B. Unknown phishing scam
Scammer sent funds to Simpleswap.io: SP22GF51PH2HRMWME1HJMDB54VFY5YMZXCMXKZ26V using this memo: CWf47qnFVud48mL https://explorer.hiro.so/txid/0x5bad49b0bff83e1bf41a7b2a26da157277288d133a94834b5e3c791d9f1165a3?chain=mainnet
The thief's account has swapped or transferred funds to other accounts:
10,210.371718 STX from SP2T8R1SSNJ9YQNPG7T1HBB7VF5FXJJP0KVN3JNRT to SP3ZDEKW41WWVS3MF50TN33PW99YN9XF6N63BRANK https://explorer.hiro.so/txid/0x177a9802e531434c5d82f07f04b4344c675000c69d9adf5661ebcb2b619b18c3?chain=mainnet SP3ZDEKW41WWVS3MF50TN33PW99YN9XF6N63BRANK swapped STX (10k) to xBTC https://explorer.hiro.so/txid/0x831af9d38174b3222f5597430ff9a6e31089e9e052b4a0ed7cb41879d61073ec?chain=mainnet
SP2T8R1SSNJ9YQNPG7T1HBB7VF5FXJJP0KVN3JNRT swapped STX (10k) to xBTC https://explorer.hiro.so/txid/0x6d682afc91ea2c82b5706a88a720e8df7e33dab1c98f31b7cac8cb481be73668?chain=mainnet
20,500 STX from SP2T8R1SSNJ9YQNPG7T1HBB7VF5FXJJP0KVN3JNRT to SP3JED59RPM3QNRPC17KATCTNCC8PPHGG5C2RF22N https://explorer.hiro.so/txid/0x3ab18ca02b854f291264a76b83471df6d0f2339b098ad7cdacefdb8119fbfc6a?chain=mainnet 20,499.50 STX from SP3JED59RPM3QNRPC17KATCTNCC8PPHGG5C2RF22N to SP22GF51PH2HRMWME1HJMDB54VFY5YMZXCMXKZ26V (received by likely exchange, used this memo: sZSVJdpT5iFwXLT ) https://explorer.hiro.so/txid/0x971edb07e0e968d5cedefa94f2bd7b86c3800229dcc283e49843e055ead252f4?chain=mainnet
21000 STX from SP2T8R1SSNJ9YQNPG7T1HBB7VF5FXJJP0KVN3JNRT to SP9HWJAZTKXWNPM39N7P1FXVPMMJMCPCW5KM25B7 https://explorer.hiro.so/txid/0x4d3d8ef8ac7b0521c3791fb4a96a8595e21e6284313e01602ee2cf14266b8f79?chain=mainnet 20,999.50 STX from SP9HWJAZTKXWNPM39N7P1FXVPMMJMCPCW5KM25B7 to SP22GF51PH2HRMWME1HJMDB54VFY5YMZXCMXKZ26V (received by likely exchange, used this memo: BdsndVXdWV74sAd ) https://explorer.hiro.so/txid/0xe5318def7bc3b2a2a3b5ce6426378153c37a609112a6f4277047ce147573f490?chain=mainnet
21,500 STX from SP2T8R1SSNJ9YQNPG7T1HBB7VF5FXJJP0KVN3JNRT to SP3Y8G53WQ7QHTAVY4809GKM8K5D5RQNZB258SJBW https://explorer.hiro.so/txid/0xed81c83b4480ff56649d157f12a1e30e8576dc038ecd3a2aecafb2d0642ba1dd?chain=mainnet
21,200 STX from SP2T8R1SSNJ9YQNPG7T1HBB7VF5FXJJP0KVN3JNRT to SP2VFNF4KWECVEVBD910S1DDVTXTTFK6Y4VBKQ2NY https://explorer.hiro.so/txid/0x05947d51f9690be02a973bb8aeb451eab4161f30a483e1445eec9dc098a980ef?chain=mainnet
26,511.639477 STX from SP2T8R1SSNJ9YQNPG7T1HBB7VF5FXJJP0KVN3JNRT to SPV8W17TNHHQPY3BRAG79TSEWWECV1D949ADKEEN https://explorer.hiro.so/txid/0x38e0d34ea39131c6f4b27c7064fcf2d12871be3e4b3dd76a872c38ae4c177fc3?chain=mainnet
last checked 08.00h GMT / 10.00h CET / 04.00h EDT
Accounts with stolen funds related to this theft (likely owned by the thief): SP2T8R1SSNJ9YQNPG7T1HBB7VF5FXJJP0KVN3JNRT SP3ZDEKW41WWVS3MF50TN33PW99YN9XF6N63BRANK SP3JED59RPM3QNRPC17KATCTNCC8PPHGG5C2RF22N SP9HWJAZTKXWNPM39N7P1FXVPMMJMCPCW5KM25B7 SP3Y8G53WQ7QHTAVY4809GKM8K5D5RQNZB258SJBW SP2VFNF4KWECVEVBD910S1DDVTXTTFK6Y4VBKQ2NY SPV8W17TNHHQPY3BRAG79TSEWWECV1D949ADKEEN
Used Simpleswap.io bridge with these memos: CWf47qnFVud48mL, sZSVJdpT5iFwXLT, BdsndVXdWV74sAd SP22GF51PH2HRMWME1HJMDB54VFY5YMZXCMXKZ26V
Update October 18th 2023
SP2T8R1SSNJ9YQNPG7T1HBB7VF5FXJJP0KVN3JNRT swapped xBTC to STX https://explorer.hiro.so/txid/0xd0c9b8fa3bc31b138e89cc52f5894d86604be4d3d9d26f4cb26d58674dc10ec9?chain=mainnet Then sent 9325 STX to simpleswap.io address: SP22GF51PH2HRMWME1HJMDB54VFY5YMZXCMXKZ26V with memo 57aZcFc1acTP27P https://explorer.hiro.so/txid/0x03ff40e5b2e3e3f8a4f8eacddccac34eb5b1183b118760ceb444f7b556ab58ac?chain=mainnet
SP3ZDEKW41WWVS3MF50TN33PW99YN9XF6N63BRANK swapped xBTC to STX https://explorer.hiro.so/txid/0x6fdd33f3334d2c5269957865417d5aa99ef55a38486ea99858f6de6ff72105e9?chain=mainnet 9900 STX to simpleswap.io address SP22GF51PH2HRMWME1HJMDB54VFY5YMZXCMXKZ26V with memo bu8wjpBCyx68WRu https://explorer.hiro.so/txid/0xaed3a982fe4e5399911a2d3ceb3a6e423012bb19bff3f841ebf0afbbd7389ef3?chain=mainnet
SP3Y8G53WQ7QHTAVY4809GKM8K5D5RQNZB258SJBW 21499.50 STX sent to simpleswap.io address SP22GF51PH2HRMWME1HJMDB54VFY5YMZXCMXKZ26V with memo HhUd5sLHoYBLQzU https://explorer.hiro.so/txid/0xf01d7f02a0b9e845158dd67be890de5379b584f6f175e185d587f62c001b628f?chain=mainnet
SP2VFNF4KWECVEVBD910S1DDVTXTTFK6Y4VBKQ2NY 21199.50 STX sent to simpleswap.io address SP22GF51PH2HRMWME1HJMDB54VFY5YMZXCMXKZ26V with memo CusRSXfTssVJCQu https://explorer.hiro.so/txid/0x5cd30fc57799d75e2895d7bea4814ca76c84e2411ef25d07ccda96d20d9796b7?chain=mainnet
SPV8W17TNHHQPY3BRAG79TSEWWECV1D949ADKEEN 26511 STX sent to simpleswap.io address SP22GF51PH2HRMWME1HJMDB54VFY5YMZXCMXKZ26V with memo ZTiQXpoRfbssKtC https://explorer.hiro.so/txid/0x831c6b2e213a4bcd7806c56414b8ceb04306c99d4735d4e4bf583cb8cb7df70d?chain=mainnet
Simpleswap.io memos used: 57aZcFc1acTP27P, bu8wjpBCyx68WRu, HhUd5sLHoYBLQzU, CusRSXfTssVJCQu, ZTiQXpoRfbssKtC
A: SP2KW0M6MBSSAV1BFDKH56VFNZK73Z36C0N369K9M --> SPNP4WKB4WHDSEM72CX9RT4ZAXRA9DY35XR93Z3Q --> SP1SFPCMWKJ3MBBEQ6JKF3FKA17W65AHRG2NJG2A1 --> (likely the offramp to exchange: SP3AP6DRSQ6P4FETB5M33D082Q2ABGJW60MT6103Q)
B: wonstx scam
C: https://explorer.hiro.so/txid/0xa2efd1884e897c29ea4e0e170606e05cac93d18be613b94ce606647b3fdbade2?chain=mainnet
Like similar cases reported here earlier: https://github.com/leather-wallet/extension/issues/3931#issuecomment-1637156448
October 30th 2023
A. SPTKWPQKKNF2SKXZHX98SJ0PVP1AS2ZVXXE5BH06 and SP37FW4WK2CZ0E9ESMHYJ2XS6D5T2EY5Y4GTTHVDY
B.
C. First transaction by thief, 9:36:26 PM 10/30/2023 (CET): https://explorer.hiro.so/txid/0x71c0d3a154f98e4e7a32224a33183c2392f56eb6807e1781484a765384b83cbf?chain=mainnet
And all transactions by thief up to 11:20:26 AM 10/31/2023 (CET): https://explorer.hiro.so/txid/0xb481fdf9a99cd3681783d3d5f8e21f41e40f2955f72331547805f83036da6336?chain=mainnet
SPTKWPQKKNF2SKXZHX98SJ0PVP1AS2ZVXXE5BH06 had about 53k STX yesterday; the address holds 337 STX now. It used this bridge contract yesterday: https://explorer.hiro.so/txid/0x5c01d7551ee54d70de83588a24a8eea3b79fb7cb4b7915a243312abddea55608?chain=mainnet https://explorer.hiro.so/txid/0x0060e0478fabe39f584e69abd184f4de637ec50beb5a0627cf7595a486f9e2d0?chain=mainnet
SP37FW4WK2CZ0E9ESMHYJ2XS6D5T2EY5Y4GTTHVDY had 1.6k STX yesterday; the address holds 26 STX now. It used this bridge contract yesterday: https://explorer.hiro.so/txid/0xf4c28e7738d284d40da14eaf6752f9f187dce9676668b4805748566b5821dbcf?chain=mainnet
A. SP3CF28QZ3EQ9T8SD7MTBXAGK4MZXQB672NDRR0XB
B. input Secret key via a phishing website
C. https://explorer.hiro.so/txid/0x96712af57853365e5e85c3422d26a32dd41f809ac0a22110e0f89600fcaeb09e?chain=mainnet
A. Stacks Address(es) (of hacker/scammer), SPSXHDCRH4XKW5PYQY29RW5VYD5V40MCN1PQFWYC
B. Very short description of hack/scam (max three words), Compromised Secret Key, how is not yet determined
C. Involved transaction(s) id or explorer links. https://explorer.hiro.so/txid/0x1d2e2bc52373a3e4c4d3f63218246b3847e143e168fb471c007047184c3c6e8f?chain=mainnet https://explorer.hiro.so/txid/0x3d41ee56ef61a78f7f5b7fe515f66cc674d5514355f59014be1c34590175bf88?chain=mainnet https://explorer.hiro.so/txid/0x27eb4e8d139d286f8ebbe8ee407b3cf28224d9b26a7e896aeb760333318cb892?chain=mainnet
The scammer used this bridge transaction https://explorer.hiro.so/txid/0x703fff7423a9218a9182cea47d4adf8bb6e0c23d6a60e510c6dd5e70c7359760?chain=mainnet
A. Stacks address of the scammer/hacker SP1MECCFNV7BM2DRSSPE1G408EMTWGPNCZ4NN6RXH
B. Short description Used fake Leather/Hiro wallet app on App store to phish user's Secret Key
A. SP229ZRR5W3FGCNBHCW71QA30XJ4K7D6J6MRXD6SC To: Exchange - SPX8T06E8FJQ33CX8YVR9CC6D9DSTF6JE0Y8R7DS Memo: 2081669650
B. Fake iOS app (Used fake Leather wallet app on App store)
C. https://explorer.hiro.so/address/SP229ZRR5W3FGCNBHCW71QA30XJ4K7D6J6MRXD6SC?chain=mainnet
A. SP2MGA2YR7FHXR6YDXN1KJM74RYWNBFYZGQ8JV9WK and --> SP8EN907FP4WKMM27B5EPG2HFMHV3BT14FPD8HZA (and many others) To: Exchange - SPX8T06E8FJQ33CX8YVR9CC6D9DSTF6JE0Y8R7DS (Kucoin) Memo: 2081843542, 2081843542 2081843542 2081860014
B. Fake iOS app (Used fake Leather wallet app on App store)
C. Theft transaction from user who reported this: https://explorer.hiro.so/txid/0x682dd9d885e3a8f110fbca41147257bae9261109b6325b55d1e8eb5051a68025?chain=mainnet Subsequent transaction https://explorer.hiro.so/txid/0x136db2131441327560f31ac9d8e1ec2fd4b415c24ff8b6f19f624f08f50822c9?chain=mainnet from which it was sent to exchange (transactions listed above with memos)
April 16, 2024
A. Scammers Addresses: SP25MMGERHCRRBBQ0GHHFK1JVAHX7RSQMVJ9Q3BS6 and ---> bc1pzy5gz33a2cf8jmeaex829zuu3dx5xnhpupzm0wua7wzn6gtukhxs5crr5e
B. Unauthorized transfer/Compromised Secret Key.
C. Involved Transactions: Stacks tx: https://explorer.hiro.so/txid/0x4bce34568d6dd3fd40ba32666e22f790a98616c106d2b2a3cda0d8a5eb770955?chain=mainnet BTC tx: https://mempool.space/tx/091b843f9ab02074e2d7749771ca4c5a49dcf63dd7aa28fa6bc22862c60e1dfe
July 1st 2024
A. Scammer addresses SP2AKYDTTKYD3F3NH57ZHNTJD0Z1QSJMG6NYT5KJG ---> SP36WZV3YE1YHYSTBR8BJGMF8VTSN3J9F8XPS3E6N
B. scam token lured user to scam dapp to use function call "claim" that is created with post-conditions in "allow mode".
C. Related "claim" transaction that drained the wallet https://explorer.hiro.so/txid/0x3826c9ce79607ccf9a45d134bad31ec4fcc8119c7f3d3bda15e3d6ffa54869ec?utm_source=leather-wallet&chain=mainnet thief transferred funds subsequently https://explorer.hiro.so/txid/0x6538cf8db95de80131153ea17bc57caa818729b697e35e8f4f2805a1b56d4613?chain=mainnet
This topic is to collect addresses from known hackers/phishers/abusers.
For users who have fallen victim to a hack, phishing scam or otherwise you can report here and additionally are advised to report to local Police. If your issues are related specifically to bitcoin addresses report here (too):
Add the following details: A. Stacks Address(es) (of hacker/scammer), B. Very short description of hack/scam (max three words), C. Involved transaction(s) id or explorer links.