August 13, 2022 (Updated August 14). While reviewing the transactions related to the Bitnity rug pull, we noted that there is one address (0x2382bdec2a7311da61383d1604141fd0de6ba1e3) that has significant funds exchanged to other token contracts.
We dug in and identified a massive serial rug pull scammer that has rugged over $1.59M across 28 known contracts so far, dated from July 30, 2022 (data were updated to include the additional scam contracts identified/rugged since the original analysis).
As originally predicted on 8/13, GEMDAO was rugged.
We identified this morning that BIKEN token at token address:
https://bscscan.com/address/0x89b0e3418a69469d8e7b1ae328e080403cdce93f
is being setup for a rug pull. Based on the rug puller historical average rug pull time from adding LP to exit, we expect this event to take place within 7 hrs (avg of 7.8 hrs with a StDev of 7.4 hrs) or so. We also predict that the first method, described below, will likely be the method of which the scammer will rug the token contract.
These rug pull events have been fully verified and logged in the web3rekt database.
Let take an example and break that down in more details. We will use the HashFree rug pull.
https://www.web3rekt.com/hacksandscams/hashfree-1023
From the token contract, we can observe that the deployer minted 10,000,000,000 for itself.
Furthermore, by examine the token contract filtered by the deployer, we can observe additional transactions performed by the deployer:
By reviewing the details of the Add Liquidity method, we observed that 6,000,000,000 tokens were added to the LP for the pairs along with 210 wBNB from the scammer.
The scammer then swapped 960,000,000,000 HashFree tokens for 350 wBNB and sent that to address 0xb4e31c7741FA60B0b7F129C700444Cf93089Be05. How is this possible when the scammer from prior transaction has much less than that in the number of HashFree tokens?
Well, as they say, the devil is in the details. From the transactions related to address 0xb4e31c7741FA60B0b7F129C700444Cf93089Be05, we noted that prior to the swapped transaction into this address, there was another transfer method.
By examining this highlighted transaction we realized the following:
It appears that the scammer may have rigged the contract so that the event for the tokens transferred was not broadcasted. However, we know that the transaction was completed successfully, and was not reverted as denoted by the Success indicator.
This observation is also noted by the blockchain solution as one of possible issues as noted from the BSCScan below.
So there you have it folks! We believe the lack of event notification was an intended action to obfuscate the token transfer.
As we go through several of the scam token contracts, we noted that this serial scammer has developed two patterns:
The use of obfuscation of token transfer similar to the one we have just discussed.
The use of a second mint performed by another EOA.
The second pattern follows very closely to the first pattern. Instead of obfuscating the token transfer, the scammer simply minted and transferred additional tokens using an oddly name method 'Mit' as shown in this transaction related to the Too Token. This may fool a person looking for 'mint' method.
Next, we traced the creator the earliest scam contract from this scammer -
https://www.web3rekt.com/hacksandscams/arcadia-token-1042
From this address we ended our trace with funds provided to this campaign funded from Tornado.Cash.
We conclude from our review of these token contracts and their transactions that they are all related to one scammer based on the following:
Similar tactics and transactional patterns
Intertwining of funds across multiple contracts
Usage of Tornado.Cash to obfuscate source of funds to setup and execute contracts.