kenny 🎩
@kenny
Can any onchain sleuths help out rookiest? His wallet was drained and all funds sent to the address in the screenshot below. His wallet is: https://basescan.org/address/0x9b11c256cf485C0120e03caC843386Dcc8979E9b
5 replies
4 recasts
12 reactions

Ryan J. Shaw
@rjs
It looks like a native transfer? That requires a private key or remote access, unless I'm misreading it. Also interesting:
1. Attack happened shortly after DEGEN was sold for ETH.
2. Attacker sent the victim some ETH 100 blocks before the attack and BEFORE the DEGEN -> ETH swap.
(2) usually indicates an address history poisoning attack, but the preceding transaction was 21 hours before, so that doesn't make sense. It could be the attacker had access to the private key or remote access to the machine, but is an automated process that only supports ETH and not DEGEN, so it only struck when ETH was in the wallet, hence (1)? Still doesn't explain (2). Would love to know what happened here.
5 replies
0 recast
2 reactions

Ryan J. Shaw
@rjs
Did the victim sell the ETH and then try to immediately send it out to a different wallet but used their history (i.e. address poisoning attack)? I'm still not sure how the attacker anticipated all of this even if that's the case... Doesn't seem like it could be MEV because it's a 44 block lead, that's 88 seconds on Base...
0 reply
0 recast
0 reaction

ChristianØ
@christian
My gut feel was address poisoning, but in this case the previous amount (as you mentioned) was 21 hours prior to the other tx (which was an NFT Mint tx not a Send Token tx). AND, I used our software to double check anyway. But no, our software would have indicated "Address Poisoning". This was a native transfer, almost certainly due to remote access. Had to have been a file or something downloaded by the user.
3 replies
0 recast
4 reactions
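Ryan's and Christian's posts apply the same rule of thumb: address poisoning needs a dust transfer from a look-alike address shortly after a genuine send, otherwise a native transfer signed by the victim points to a compromised key or device. The following Python is an added example, not part of the thread or of Christian's software; it encodes that rule over constructed transaction records with placeholder addresses, and the 2 s Base block time and the 6 h look-back window are assumptions.

```python
from dataclasses import dataclass

BASE_BLOCK_SECONDS = 2  # assumption: Base mints a block about every 2 s (44 blocks ~ 88 s in the thread)
POISON_WINDOW_BLOCKS = 6 * 3600 // BASE_BLOCK_SECONDS  # assumption: sends older than 6 h are rarely copied from history


@dataclass
class Tx:
    block: int
    sender: str
    recipient: str
    kind: str  # "send" (native or token transfer) or "mint"


def looks_alike(a: str, b: str, n: int = 4) -> bool:
    """Hypothetical look-alike test: same first and last n hex chars, but a different address."""
    a, b = a.lower(), b.lower()
    return a != b and a[:2 + n] == b[:2 + n] and a[-n:] == b[-n:]


def classify_drain(history: list, victim: str, drain: Tx) -> str:
    """Label a victim-signed outbound drain as 'address_poisoning' or 'key_or_device_compromise'."""
    victim = victim.lower()
    # 1. Poisoning setup: the drain destination must have sent the victim dust before the drain.
    dust = [t for t in history if t.sender.lower() == drain.recipient.lower()
            and t.recipient.lower() == victim and t.block < drain.block]
    if not dust:
        return "key_or_device_compromise"
    dust_block = max(t.block for t in dust)
    # 2. The victim must have a genuine *send* (a mint does not count) to a look-alike
    #    address shortly before the dust; otherwise there was nothing to poison.
    prior_sends = [t for t in history if t.sender.lower() == victim and t.kind == "send"
                   and dust_block - POISON_WINDOW_BLOCKS <= t.block < dust_block]
    if any(looks_alike(t.recipient, drain.recipient) for t in prior_sends):
        return "address_poisoning"
    return "key_or_device_compromise"


# Constructed placeholder addresses (not the real ones from the thread).
VICTIM = "0x" + "5" * 40
ATTACKER = "0x" + "7" * 40
LEGIT = "0xabcd" + "1" * 32 + "ef01"
LOOKALIKE = "0xabcd" + "9" * 32 + "ef01"
DRAIN_BLOCK = 20_000_000

# Pattern from the thread: NFT mint ~21 h earlier (21 h / 2 s = 37 800 blocks), attacker dust 100 blocks before.
THREAD_HISTORY = [Tx(DRAIN_BLOCK - 37_800, VICTIM, "0x" + "c" * 40, "mint"),
                  Tx(DRAIN_BLOCK - 100, ATTACKER, VICTIM, "send")]
THREAD_DRAIN = Tx(DRAIN_BLOCK, VICTIM, ATTACKER, "send")

# Constructed textbook poisoning: real send, then dust from a look-alike, then the mistaken copy-paste.
POISON_HISTORY = [Tx(DRAIN_BLOCK - 300, VICTIM, LEGIT, "send"),
                  Tx(DRAIN_BLOCK - 100, LOOKALIKE, VICTIM, "send")]
POISON_DRAIN = Tx(DRAIN_BLOCK, VICTIM, LOOKALIKE, "send")
```

The thread's pattern classifies as a key or device compromise because the only earlier victim activity is a mint, 21 hours before the dust.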

RJ (replyor)
@shulzzz
4000 $degen remainder of bounty @bountycaster - fyi
1 reply
0 recast
1 reaction

kenny 🎩
@kenny
Thank you for the great analysis! 5000 $DEGEN @rookiest ^
1 reply
0 recast
1 reaction

RJ (replyor)
@shulzzz
Looks like this was it, based on the OP's confirmation later that he installed something malicious. I'll send the rest tomorrow, then some to @rookiest the day after bc fk scammers =/
1 reply
0 recast
1 reaction