Scammers Get Scammed, Crypto Worth Thousands Stolen
'Water Labbu' Drained at Least $316K From 9 Scammers
The best way to steal money is by piggybacking onto other thieves - that is the apparent motto of a cryptocurrency threat actor who drained hundreds of thousands of dollars' worth of digital assets destined for scammers.
Analysts from Trend Micro dub the thief "Water Labbu" and peg its takings so far at 316,728 USDT filched from nine scammers. USDT is a stablecoin whose value is pegged to the U.S. dollar.
Water Labbu targets fraudulent decentralized applications, or DApps, created by scammers who entice victims into investing in a cryptocurrency mining scheme. The websites of these fraudulent DApps, to which victims connect their digital wallets, are infested with malicious scripts that give Water Labbu access to the wallets. The threat actor does not appear to have added any new victims since August. The group, Trend Micro researchers tell Information Security Media Group, "appear to be preparing for next campaign."
This isn't the first instance of a threat actor infecting other threat actors, but it is "pretty rare" to see a thief piggybacking on another thief in this space, Trend Micro says. The group likely comprises Chinese-speaking individuals and has been active since at least 2019, the company says.
The similarity in the themes of the fraudulent DApp websites Water Labbu targets likely means the scammers use the same toolkits to run these platforms.
If the victim loads the script from a desktop running Windows, Water Labbu returns another script that shows a fake Flash update message asking the victim to download a malicious executable file. If the victim is using a mobile device, Water Labbu delivers a script that connects to the victim's wallet, provided the victim has already connected that wallet to the liquidity mining scam site.
Should the victim's wallet contain more than 0.005 ether (ETH) and more than 22,000 USDT, Water Labbu returns an additional script that displays a pop-up window asking for permission to complete transactions. Each time the victim approves the request, funds disappear from the connected wallet.
Water Labbu primarily uses two addresses to seek permissions and transfer the victims' cryptocurrency assets, Trend Micro says. It uses 0xd6ed30a5ecdeaca58f9abf8a0d76e193e1b7818a to receive token approvals from victims, drains the funds via 0xfece995f99549011a88bbb8980bbedd8fada5a35 and sends the money to 0x3e9f1d6e244d773360dce4ca88ab3c054f502d51. It then obfuscates the flow of funds by transferring the money onward to multiple other crypto wallets, swapping it for other tokens on the Uniswap decentralized exchange and depositing it in the U.S. Treasury Department-sanctioned mixer Tornado Cash.
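The approval-based drain described above lends itself to a simple defender-side check. The following is an added example, not code from the article or from Trend Micro's research: it decodes raw ERC-20 Approval event logs and flags allowances granted to the spender address named above or granted for an unlimited amount. The log entries and the owner, token and router addresses are constructed for the example; the topic hash is the standard ERC-20 Approval event signature.

```javascript
// Added example (not from the article or Trend Micro): triage raw ERC-20 Approval logs.
// keccak256("Approval(address,address,uint256)"): topic0 of every ERC-20 Approval event.
const APPROVAL_TOPIC =
  "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925";
// The address the article names as the receiver of victims' token approvals.
const KNOWN_DRAINER_SPENDERS = new Set([
  "0xd6ed30a5ecdeaca58f9abf8a0d76e193e1b7818a",
]);
// 2^256-1: the "unlimited" allowance that a draining pop-up typically asks for.
const MAX_UINT256 = (1n << 256n) - 1n;

// Indexed address topics are 32-byte words, left-padded; keep the low 20 bytes.
function topicToAddress(topic) {
  return "0x" + topic.slice(-40).toLowerCase();
}

// Findings for one log entry; an empty array means nothing suspicious.
function triageApprovalLog(log) {
  if (log.topics[0] !== APPROVAL_TOPIC) return [];
  const owner = topicToAddress(log.topics[1]);
  const spender = topicToAddress(log.topics[2]);
  const value = BigInt(log.data); // allowance granted, as a uint256
  const reasons = [];
  if (KNOWN_DRAINER_SPENDERS.has(spender)) reasons.push("spender-on-drainer-list");
  if (value === MAX_UINT256) reasons.push("unlimited-allowance");
  return reasons.map((reason) => ({ owner, spender, token: log.address, reason }));
}

function triageAll(logs) {
  return logs.flatMap(triageApprovalLog);
}

// Constructed sample logs; owner, token and router addresses are made up.
const PAD = "0x000000000000000000000000";
const TOKEN = "0xaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";
const SAMPLE_LOGS = [
  { // unlimited approval to the spender address named in the article
    address: TOKEN,
    topics: [APPROVAL_TOPIC, PAD + "1".repeat(40), PAD + "d6ed30a5ecdeaca58f9abf8a0d76e193e1b7818a"],
    data: "0x" + "f".repeat(64),
  },
  { // bounded approval (1e11 base units) to an unrelated router: benign
    address: TOKEN,
    topics: [APPROVAL_TOPIC, PAD + "1".repeat(40), PAD + "2".repeat(40)],
    data: "0x" + "0".repeat(54) + "174876e800",
  },
];

console.log(JSON.stringify(triageAll(SAMPLE_LOGS), null, 2));
```

Feeding the same function a wallet's real Approval history from a node or explorer API turns it into a quick allowance audit; a hit on either reason is grounds to revoke the allowance.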
The threat actor implements a mechanism that avoids loading its script multiple times from the same IP address within a short period of time, typically a matter of hours, Trend Micro says.
The fraudulent DApps Water Labbu uses to scam other threat actors, Trend Micro says, include coin-bingo.com, defi.cb-ef.com, defi.cb-ef.net, defi.cw-eth.net, defi.defi-usd.net, defi.eth-def.net, defi.hy-eth.net, defi.sbi-usd.cc, defi.usd-defi.org, defi.usdt-def.net, defi.usdt-def.org, defi.usdtdefi2.com, defi.yby-etoro.com, eth-bank.vip, eth-cpus20.org and eth-lobsang.net.
Update Oct. 5, 2022 18:37 UTC: Adds detail throughout from information supplied by Trend Micro.