Scammers get scammed, thousands worth of crypto stolen
Blockchain and cryptocurrency, cryptocurrency fraud, fraud management and cybercrime
Vann Labbu drained at least $316K from Nine Scamers
Rashmi Ramesh (rashmiramesh_) •
4 October 2022
The best way to steal money is by piggybacking on other thieves, is the apparent motto of a cryptocurrency threat actor who drained hundreds of thousands of dollars worth of digital assets destined for fraudsters.
See also: Now OnDemand | C-Suite Round-up: Connecting the dots between OT and identity
Analysts from Trend Micro call the thief “Water Labbu” and peg the earnings at 316,728 USDT from nine fraudsters so far. USDT is a stable coin whose value is pegged to the US dollar.
Water Labbu targets fraudulent decentralized applications that are collected by scammers who lure victims into investing in a cryptocurrency mining scheme. The websites of the fraudulent decentralized application, to which victims connect their digital wallets, are infected with malicious scripts that allow Water Labbu access to the wallets.
At least 45 fake cryptocurrency-related DApp websites that promise risk-free income through liquidity mining contain Water Labbu code, Trend Micro says. The threat actor injects malicious JavaScript which in turn loads another script that delivers different content based on the victim’s IP address and browser type.
If the victim loads the script from a desktop running Windows, Water Labbu returns another script that displays a fake Flash update message asking the victim to download a malicious executable. If the victim uses a mobile device, Water Labbu delivers a script that connects to the victim’s wallet, assuming the victim has already connected the wallet to the liquidity marketing scam site.
Should the victim’s wallet contain more than 0.005 Ethereum cryptocurrency and more than 22,000 USDT tokens, Water Labbu returns an additional script that displays a popup asking for permission to complete transactions. Every time the victim approves the request, money disappears from the connected wallet.
Water Labbu primarily uses two addresses to seek permissions and transfer victims’ cryptocurrency assets, Trend Micro says. It uses 0xD6Ed30a5ecdeaca58f9abf8a0d76e193e1b7818a to receive token approvals from victims, draining the funds via 0xfece995Fada5011a8bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbedd. It then obfuscates the money flow by transferring the money to several other crypto wallets, exchanging it for other tokens on the Uniswap cryptocurrency exchange, and depositing it into the Department of Treasury-sanctioned mixer Tornado Cash.
The threat actor implements a mechanism to avoid loading a script multiple times from the same IP address over a short period of time, mostly hours, Trend Micro says.
![Analyzing Bitcoins [BTC] unprecedented rally and market reaction](https://www.cryptoproductivity.org/wp-content/uploads/2023/03/AMBCrypto_A_group_of_traders_and_investors_huddled_around_a_scr_fe125ed2-7b45-4c8d-b143-ad8cd263ce9f-1000x600-120x120.png "Analyzing Bitcoins [BTC] unprecedented rally and market reaction")
