X2Y2 Phishing Scam, Around $200K Stolen


Key Takeaways

  • Hackers have used Google advertisements to make the scam URL precisely the same as the actual website and have stolen around 100 ETH, i.e., 200K USD.

Here is an example of a scam URL that hackers use.


After clicking on the Google Ad, users are redirected to one of these phishing sites. Below is a screenshot of multiple phishing links.

When users visit this site, it immediately asks them to connect their MetaMask wallet. Below is a screenshot of the MetaMask pop-up.

Twitter user Serpent found that there were multiple phishing contracts, but they all led to one wallet. Below is the screenshot by Serpent.

After searching the wallet address, Serpent found one Twitter post, which is now deleted. Below is a screenshot of that Twitter post.

This address belongs to the NFT project called “Px Skull”. Below is the screenshot of its Instagram profile.

All these phishing sites are hosted on a Ukraine hosting service. Below is a screenshot of the hosting.

During his investigation, Serpent joined the Telegram group and contacted the owner, Predator. He asked to know more about the project and offered to donate to their cause. Predator replied, “No thanks, I don’t need any donations. I have paid for everything,” and then left the chat. Below is the screenshot of the Telegram chat.

After that, Serpent directly confronted Predator about the scam. As a result, Predator deleted the Telegram group and blocked Serpent on all his social media. Below is the screenshot of the blocked Instagram account.

At this point, there was no way to go, but Serpent went to PxSkull’s first-ever post on Instagram and found that a private account by the name of tuzemecc was the first like on every PxSkull post. Below is the screenshot of tuzemecc’s first like.

Serpent also found that the first-ever domain hosted on the same IP address as the phishing websites led to a website development service. Below is a screenshot of the web development service on the same IP address.

After that, Serpent requested to follow tuzemecc’s private Instagram account. As a result, that account has also been deleted. Below is the screenshot of the deleted Instagram account.

Also, as of now, all the phishing websites are taken down.

We want to advise our readers that many scammers are out there in full force. Users should always be highly suspicious when connecting their wallet to a website, and they should never type their seed phrase. Users should always make sure that they are on the correct URL, and they should never confirm random transactions. They can also use a cold wallet for better security.

Here are some other phishing link scams you should know about:
  1. LooksRare NFT Phishing Scam
  2. OpenSea Phishing Link Scam
  3. MetaMask Phishing Scam
  4. Moonbirds NFT Phishing Scam
Yash Kamal Chaturvedi

Btech Computer Science, Maharshi Dayanand University, Rohtak (2023)
