Bitget App
Trade smarter
Buy cryptoMarketsTradeFuturesCopyBotsEarn
ZachXBT's latest investigation: How professional players of "Fortnite" used meme scams to steal 3 million dollars?

ZachXBT's latest investigation: How professional players of "Fortnite" used meme scams to steal 3 million dollars?

ChaincatcherChaincatcher2024/11/29 14:44
By:ZachXBT

Hacker Serpent controlled 9 accounts including McDonald's and Kabosu on X and Instagram, launched a meme coin scam, stole approximately 3.5 million dollars, and used it for casino gambling.

Author: zachxbt, On-chain Detective
Original Translation: zhouzhou, BlockBeats

Editor’s Note: This article analyzes how the hacker Serpent took control of 9 accounts, including McDonald's, Kabosu, and others on X and Instagram, launched a meme coin scam, stole approximately $3.5 million, and used it for gambling in casinos. Serpent was a former professional player of "Fortnite" who was released for cheating. In 2022, the NFT project DAPE he co-founded experienced a rug pull, and the ERROR project launched in 2024 also faced a rug pull, ultimately leading to his ban from X.

The following is the original content (reorganized for better readability):

Over the past few months, I have been tracking a series of related leak incidents involving McDonald's, Usher, the owner of Kabosu, Andy Ayrey, Wiz Khalifa, SPX 6900, etc., which resulted in approximately $3.5 million being stolen through the release of the Pump Funmeme coin.

ZachXBT's latest investigation: How professional players of

On August 21, 2024, McDonald's Instagram account was hacked, and a post promoting the bundled meme coin GRIMACE was published, after which the hacker began to spoof. From this pump and dump, over $690,000 was funneled into two wallets.

4RiNhTwBxYWgb4MSCtt9vXgVk2yuPhoQR3DR9pMVPU1W

2vjnmxwTYNJvTmFhtqxZkPiuCHkaKZK5rcxTLuoC2dPB

ZachXBT's latest investigation: How professional players of

On September 3, 2024, the McDonald's attacker transferred 101.5 SOL to two addresses after the X account of actor Dean Norris was hacked, and these two addresses deployed and targeted SCHRADER.

ZachXBT's latest investigation: How professional players of

4s9Uz9pTBXcEaEtcjs8eg98r2TVte3rq3JUm3rVTFMudfewGbNKmqNyYs9bSAMDUaTbTcuA1v39sWr7GRqkDJ6EM

1gxo1pjTqjbee7rHW4cGvuNffX1qP4F8fP17g6SSC5EYbQrnktDrKSFB1uh4ju7PxQjprWFin37WUsAe225b9c6

ZachXBT's latest investigation: How professional players of

On September 6, 2024, the funds obtained from the McDonald's APT (Account Takeover) were transferred to a casino deposit address.

CuNzegC9DE4CxCMn31ZcYLvtDaYsLD9RX8eRvmtZQrnB

By conducting a time analysis, follow-up withdrawals shortly after the deposits can be identified.

B2fwZt5nTbdrnJ2CPsgrYMPuB4UnhN82EAM34dXDARLh

ZachXBT's latest investigation: How professional players of

On September 12, 2024, B2fw transferred 110 SOL to two addresses that participated in the meme coin rush promoted during the Usher leak incident.

4FUrwoHz1fuUf4eR6YEAYSG9d9rN5fzbowMXtbjwJAhTDtHXjpnTb1sz6aeF6T79JaiMFyT2xX2EuTxqT5UhFfKD

427zpHF1WWgYgKxcSiUzwXLg2UqsF6xq7K13PU3mh6Wr99mipiVA6GcDTwi7EY93RJeRuEUDZAK9BnoMeki7sU6C

ZachXBT's latest investigation: How professional players of

Subsequently, B2fw transferred 4868 SOL to the casino deposit address ECb5v, which is also directly related to other APT (Account Takeover) incidents, including the leaks of Andy Ayrey and Enoshima Aquarium.

Ecb5vsomUG3MEnLCgiFvkdnnqpggTEXtN17z62iDPuU3

ZachXBT's latest investigation: How professional players of

On October 15, 2024, the X account of Enoshima Aquarium was hacked and promoted a bundled meme coin. On that day, 84 SOL obtained from the scam were transferred to ECb5v.

5PDjh74JTLMPW4dXr6fKm3Yue2j3vhbxLSK5dPbQ3oEGK4axE7fua1ngBMas4xpRY6dBr92Ccps7b1WwcLdnxXWL

ZachXBT's latest investigation: How professional players of

On October 29, 2024, the X account of Andy Ayrey (founder of Truth Terminal) was hacked for several days and promoted 6 meme coin scams. 3GVUs was one of the addresses involved in the token rush.

3GVUs2gNr161ohqnVXjUeoNQmf3cELxKSiPrxyQu6pjd

On October 30, 2024, 3GVUs transferred 169 SOL to Ecb5vs.

67nwsLLE3aGua4VeH8p6qHc3SL3rpxi9omMxRnfpeyZVsBpZawnUHo4Pt4tdT5Vxny2uRNRDH3vSZ1fzvKkNCML4

ZachXBT's latest investigation: How professional players of

Of the $2.178 million obtained from the Andy Ayrey ATO, $750,000 was deposited into the casino deposit address Apc3e.

Apc3eA9ScQksuZvfURQswZwVkusEYRaqeKEv4eXXbRZm

The 0.1 SOL from the Kabosu ATO funded an address that participated in the Andy Ayrey ATO.

ZachXBT's latest investigation: How professional players of

On October 17, 2024, the Instagram account of Kabosu's owner was hacked and promoted a meme coin scam.

On that day, 191 SOL obtained from the scam were transferred to the casino deposit address:

6kwZ7tz8Xs7jaVqVJXZSRrZ2FtS2PPChEVuLXKrmMgCm

ZachXBT's latest investigation: How professional players of

The APT incidents of Kabosu and Andy Ayrey are directly related to the APT incident of Wiz Khalifa.

On November 3, 2023, the attacker posted a wallet address on Wiz Khalifa's account. 29 SOL were transferred to 6kwZ7, just like what happened in the Kabosu ATO.

NFCs23ddXQc9Zff2VJotEn2zaSAh4tvw6U6kb7fdXovZ8YPQgJMGQkXmtWiTutqnoBf6wR2khaKvFpyEKNhHfjJ

ZachXBT's latest investigation: How professional players of

The funds from the WIZ deployer came from the Andy Ayrey ATO. Other addresses involved in the token rush transferred all profits obtained through instant exchanges to the casino deposit address 0x83ee.

0x83ee6b53a0ae76b71bed0c32721a451776dbdb3a

ZachXBT's latest investigation: How professional players of

On October 16, 2024, 0x83ee received 0.54 ETH from the deployer of the scam, while SPX 6900 was hacked on October 11, 2024.

On Solana, another scam promoted by the hacked SPX 6900 account was funded by the Ken Carson attacker.

ZachXBT's latest investigation: How professional players of

To further demonstrate the connections between the Kabosu owner, SPX 6900, Ken Carson, and Enoshima ATO, each meme coin deployer provided funding to the previous deployer address through instant exchange funds, attempting to obscure the source of the funds.

ZachXBT's latest investigation: How professional players of

Investigate how the threat actor Serpent transitioned from a professional Fortnite player to helping steal $3.5M through meme coin scams initiated by leaks from over 9 accounts on X and IG, and used the proceeds for online casino gambling.

ZachXBT's latest investigation: How professional players of

Serpent (SerpentAU) is a former professional Fortnite player from Australia who was released by the esports organization "Overtime" in June 2020 after being found guilty of cheating. He then co-founded the NFT project DAPE in March 2022, which later rug pulled.

ZachXBT's latest investigation: How professional players of

In March 2024, Serpent launched another project called ERROR, but the project rug pulled, leading to his ban from the X platform.

Deployer address:

0x8233873ee35547097ccb9098adbab955d7120ee8

ZachXBT's latest investigation: How professional players of

On October 23, 2024, the ERROR deployer transferred a total of 29 ETH to two instant exchanges.

By conducting a time analysis, it can be seen that these funds were received in Solana and transferred to the same casino deposit address.

Ecb5vsomUG3MEnLCgiFvkdnnqpggTEXtN17z62iDPuU3

ZachXBT's latest investigation: How professional players of

Multiple ATOs (Aggressive Trading Activities) directly connected to the deposit address Ecb5vs include: McDonald's, Usher, Andy Ayrey, Dean Norris, and Enoshima Aquarium. (For detailed tracking content, please refer to the beginning section)

ZachXBT's latest investigation: How professional players of

Serpent gambles millions of dollars monthly on Roobet, Stake, BC Game, and Shuffle, and often shares his screen with friends on Discord.

I obtained recordings of him gambling, which inadvertently leaked multiple deposit and withdrawal addresses.

Discord ID: 1269557350486904945

ZachXBT's latest investigation: How professional players of

In a screen share on November 1, 2024, Serpent shared a $100K deposit and a $200K withdrawal, transferring to the following address.

When mapping the transaction graph, it was found that this address had a high exposure to addresses related to McDonald's, Andy Ayrey, and Usher ATO.

0xb8c9c8a5756a7992df65f949b7c1423eeb435aa5

ZachXBT's latest investigation: How professional players of

In the Andy Ayrey security breach incident, another threat actor participated in seizing these scam projects, using the alias "Dex" (from Massachusetts, USA).

He started to panic after I mentioned him in my Telegram channel last week and concocted a story about being extorted, claiming he lost $700K. ZachXBT's latest investigation: How professional players of

Currently, the funds related to these security breaches are stored at the following addresses:

0xeb60a5242c1c97eb54195ec83de43bb26813c0d1

0x2355ac2929bb7051814de3c48670fccbb515d8be

4jjWZ8RaXZBqntnhu2JFidXEQWXgfKRbJQZdTHrdaqbv

Today, after the first part of my investigation was published, Serpent began deleting all his posts on his new X account. I suspect there are still some related ATOs (Aggressive Trading Activities) that I have not been able to track directly on-chain. Regarding one of the account takeover incidents, I have shared a detailed investigation report with a victim I am collaborating with.

ZachXBT's latest investigation: How professional players of

0

Disclaimer: The content of this article solely reflects the author's opinion and does not represent the platform in any capacity. This article is not intended to serve as a reference for making investment decisions.

PoolX: Locked for new tokens.
APR up to 10%. Always on, always get airdrop.
Lock now!

You may also like

ILV breaks through $50

Cointime2024/12/18 07:11

AAVE breaks above $370

Cointime2024/12/18 07:11

PENGUUSDT now launched for futures trading and trading bots

Bitget has launched PENGUUSDT for futures trading with a maximum leverage of 75, along with support for futures trading bots, on December 18, 2024 (UTC+8). Welcome to try futures trading via our official website (www.bitget.com) or Bitget APP. PENGUUSDT-M perpetual futures: Parameters Details Listi

Bitget Announcement2024/12/18 07:00