safe-global / safe-user-allocation-reports

The proposed list of SAFE user allocations has been published on the Safe forum.
Creative Commons Zero v1.0 Universal

Sybil Attacker Report #444

Closed deshawelafi closed 2 years ago

deshawelafi commented 2 years ago

Related Safe Addresses

GROUP1


Reasoning

| from | create_safe_address | safe_address | transfer_ETH_Tx |
| --- | --- | --- | --- |
| - | 0xb9b93bf2db3678b010e71ef701d763aee144e93e | 0x05dfa0c431be5bac64f70f41c3a988cc1a25ab8e | - |
| 0xb9b93bf2db3678b010e71ef701d763aee144e93e | 0xe89b519abd57be6fe2c9cf1c3ce2488f5d810a44 | 0x940c482baa6f5c9b8f0bf292d16b1e4485ba5a40 | 0xfbb1647871d78a5fe962a56f15d1ff716be986933d8facc5d332024d519736ce |
| 0xb9b93bf2db3678b010e71ef701d763aee144e93e | 0xf196836b53e8f03e32f5186c7909acbb8b742615 | 0x44f7a0d7bb5f4865827846551274245c9add1763 | 0x4edf6eaac8be99b06ebad7c4be43f1417590cad4bbf73bdee695645d1eab7c0f |
| 0xb9b93bf2db3678b010e71ef701d763aee144e93e | 0x513b4fb84df4f8e05c05cdcbbb8d04c482ec0b4b | 0x7732180bf4aed2f633dee5ca866462ca4f9cf6d6 | 0x797fa06c56288a800ff27c4200a977e46893500e746bfacf7c7d76943e069764 |
| 0xb9b93bf2db3678b010e71ef701d763aee144e93e | 0xc34d931cc6290dae177a6fc645db444a132a442f | 0x73656c82b0e49c4f325c76d178e4a032e7e0b6b9 | 0xde918bacca67726cb77a8da5063e3a20e7a6ff5a101ef5d2395ea4b493ad192a |
| 0xb9b93bf2db3678b010e71ef701d763aee144e93e | 0xce436e5b28918df04ed04d14b06081797e31ed77 | 0xc9f630771683475d848e00ba78a32439e2a4260f | 0x64c9e197f7632bc66d6101fe9fc52fb7007f18797a45a03e1f0a58d519e646b9 |
| 0xb9b93bf2db3678b010e71ef701d763aee144e93e | 0xded77410241c3bcc3997c1f92ad622b9eacb2c6d | 0x2cf1c9f8ad0c7ce7e8778f112f775e4dc2a7e534 | 0xc356d2403aeb6fd4500844c0675ee7f3ae4feb10a2c7ef637b0677586ec36c1e |
| 0xb9b93bf2db3678b010e71ef701d763aee144e93e | 0x12734f36e365ed769b16b4157e26b9ee7180e8ca | 0x091363d7ebfa721df6c5adadc59314d466d75d56 | 0x1b8344988d18e4a1394734c61e54f817976749291a456f6204800d4cff91bf7c |
| 0xb9b93bf2db3678b010e71ef701d763aee144e93e | 0xaf72e36d1d16ae80b6811a99909cb92396d18777 | 0x86eb953124045621eff249cc05d111f12139318a | 0xe639775f54170c85648c850148aa2e96f2d8b21d776a52cd503eea25b2e5e8d8 |
| 0xb9b93bf2db3678b010e71ef701d763aee144e93e | 0x12cb4ca94136b6e8fb11636c55f47d0885f3dc64 | 0xd4613b0b7c9e6bd88867c931b8e538927016e028 | 0x241b2c0b036e1c14ffd5a492fab1c8b6f3f9ee807d60c45575ed1e4dacf06fe5 |

  1. This is a list about '0xb9b93bf2db3678b010e71ef701d763aee144e93e' sending MATIC to 9 other addresses on the POLYGON network. These tx record the first time a MATIC transaction is received at these 9 addresses.

  2. The number of MATICs received for the first time for all 9 addresses is 0.3 MATIC.

  3. Same time. The first address was received at Mar-22-2021 07:23:39 PM +UTC, the other eight addresses were received within three minutes (Mar-20-2021 11:15:08 AM +UTC) ~ (Mar-20-2021 11:18:08 AM +UTC)

  4. 0xb9b93bf2db3678b010e71ef701d763aee144e93e has only 486 transactions, so it won't be a CEX address.

  5. These addresses have a low balance on Polygon and hold the same tokens, for example: GHST/amUSDC/amDAI/amETH ......

  6. These addresses always get the same ERC-721 NFT - Galaxy OAT (OAT) at the same time, for example:
     https://polygonscan.com/address/0xf196836b53e8f03e32f5186c7909acbb8b742615#tokentxnsErc721
     https://polygonscan.com/address/0x12cb4ca94136b6e8fb11636c55f47d0885f3dc64#tokentxnsErc721
     https://polygonscan.com/address/0xce436e5b28918df04ed04d14b06081797e31ed77#tokentxnsErc721
     https://polygonscan.com/address/0x12734f36e365ed769b16b4157e26b9ee7180e8ca#tokentxnsErc721

  7. The ENS names of these addresses are always related to numbers, for example: sixpistols.eth, enset10.eth, ninenueve.eth, bboy3.eth

  8. These addresses have 40-60 transactions on the main Ethereum network.

  9. Most of the addresses have only 4 ERC-721 tokens, which are ENS/DNA/ZKNFT/ZRPG, and only 1 ERC-1155 NFT (ZAPPER).

  10. They call the same contract at the same time on the Ethereum network, for example: Arbitrum: Delayed Inbox - Sep-07-2022; Optimism: Teleportr Deposit - Sep-06-2022; Aztec: Connect - Jul-31-2022

Methodology

In the first step, I used the code to get the address where the safe was created. In the second step, I found out the address where the safe was created and the event of MATIC was received for the first time. In the third step, I counted the number of times an address sent MATIC to different subaddresses.

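```python
import requests

API_KEY = 'YOUR API KEY'  # PolygonScan API key
list1 = []  # addresses to look up (fill in before running)
addr = ''   # accumulates "index|from|to|hash," records

for i, address in enumerate(list1):
    api = ('https://api.polygonscan.com/api?module=account&action=txlist'
           '&address=%s&startblock=0&endblock=99999999&page=1&sort=desc'
           '&apikey=%s' % (address, API_KEY))
    r = requests.get(api, timeout=30)
    data = r.json()
    if data['status'] == "1":
        # sort=desc, so the last entry is the oldest transaction returned
        index_item = data['result'][-1]
        addr = addr + str(i) + '|' + index_item['from'] + '|' + index_item['to'] + '|' + index_item['hash'] + ','
    else:
        print(data)
```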

In the fourth part, I analyzed the events distributed exceptionally in the third step to determine if it was a Sybil Attacker.

Safe Address

0x4B605c1ac2Fd74b5d6B619940B6fF9fe1C4ca83a
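
The first-funder heuristic from the methodology above, as an added example that is not part of the original report or of the Safe project's tooling: it groups addresses by the sender and amount of their first non-zero inbound transfer and keeps groups funded inside one short time window. It generalises the report's manual count to a configurable window and group size; the function names, thresholds and sample records are assumptions, and the records are constructed in the shape of a `txlist` result with `from`, `to`, `value` and `timeStamp` fields.

```python
from collections import defaultdict

def first_inbound(txs, address):
    """Earliest transaction paying a non-zero value to `address`, or None."""
    inbound = [t for t in txs
               if t["to"].lower() == address.lower() and int(t["value"]) > 0]
    return min(inbound, key=lambda t: int(t["timeStamp"]), default=None)

def funder_clusters(first_txs, min_size=3, window_s=300):
    """Map (funder, value) -> recipients first funded in one burst of equal transfers."""
    groups = defaultdict(list)
    for t in first_txs:
        groups[(t["from"].lower(), int(t["value"]))].append(t)
    clusters = {}
    for key, group in groups.items():
        group.sort(key=lambda t: int(t["timeStamp"]))
        best, start = [], 0
        for end in range(len(group)):  # sliding window over funding times
            while int(group[end]["timeStamp"]) - int(group[start]["timeStamp"]) > window_s:
                start += 1
            if end - start + 1 > len(best):
                best = group[start:end + 1]
        if len(best) >= min_size:
            clusters[key] = sorted(t["to"].lower() for t in best)
    return clusters

def analyse(txs, addresses, **kw):
    """Find each address's first funding event, then cluster by funder."""
    firsts = [t for t in (first_inbound(txs, a) for a in addresses) if t]
    return funder_clusters(firsts, **kw)

def _tx(frm, to, wei, ts):
    return {"from": frm, "to": to, "value": str(wei), "timeStamp": str(ts)}

# Constructed sample data: placeholder addresses, made-up values and timestamps.
UNIT = 3 * 10**17  # 0.3 of an 18-decimal native token
SAMPLE = [
    _tx("0xother", "0xaaa2", 0, 500),          # zero-value tx, not a funding event
    _tx("0xFunder", "0xaaa1", UNIT, 1000),
    _tx("0xFunder", "0xaaa2", UNIT, 1060),
    _tx("0xFunder", "0xaaa3", UNIT, 1120),
    _tx("0xFunder", "0xaaa1", UNIT, 5000),     # later top-up, not the first funding
    _tx("0xFunder", "0xaaa4", UNIT, 90000),    # same funder, outside the burst
    _tx("0xcex", "0xbbb1", 5 * 10**18, 2000),  # busy sender, differing amounts
    _tx("0xcex", "0xbbb2", 7 * 10**18, 2500),
]
ADDRESSES = ["0xaaa1", "0xaaa2", "0xaaa3", "0xaaa4", "0xbbb1", "0xbbb2"]

if __name__ == "__main__":
    print(analyse(SAMPLE, ADDRESSES))
```

A shared first funder is one signal among several; the report pairs it with token holdings, NFT timing and contract-call timing before drawing a conclusion.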

tschubotz commented 2 years ago

This report is about Polygon, however the Safe allocations are only for mainnet, hence closing. cf. https://forum.gnosis-safe.io/t/new-proposal-reworked-safe-distribution-for-users/594

deshawelafi commented 2 years ago

> This report is about Polygon, however the Safe allocations are only for mainnet, hence closing. cf. https://forum.gnosis-safe.io/t/new-proposal-reworked-safe-distribution-for-users/594

I'm sorry I didn't express my point clearly.

This report is about Mainnet, because these safe addresses are created on the main Ethereum network, not Polygon's safe addresses.

But I analyzed the data both on Polygon and mainnet; points 1-6 are about Polygon and points 7-10 are about Ethereum mainnet.