
Zero Transfer Phishing Investigation - Part 2 - Phishing Campaigns

Tl;dr: Building a better and more secure crypto ecosystem means building a better, more equitable future for us all. The Unit 0x team was formed to make life hard for threat actors and to build trust in crypto by being at the forefront of zero-day blockchain threats including smart contract exploits, phishing tactics, and other bad actor techniques. Our purpose is to proactively discover, assess, and mitigate these threats before they happen and impact the ecosystem. In this three-part blog series we will discuss one such threat plaguing crypto wallets around the world: zero transfer phishing, also known as poison transactions. In Part 1, we will deep dive into the attack vector used by the phishing campaigns and explore mitigations. In Part 2, we will explore various campaigns on the Ethereum blockchain and share detailed indicators. Last but not least, we will uncover the threat actors behind one of the campaigns in Part 3.

By Heidi Wilder, Peter Kacherginsky

Engineering, February 15, 2023

Continuing our discussion of the zero transfer phishing attack in Part 1 of the series, we will now explore the actual techniques used by live phishing campaigns, their profitability, and what makes each of their approaches unique. We found that in-depth analysis of phishing smart contracts as well as on-chain asset tracking was the best way to identify individual actors. Let’s look at the phishing contracts first.

Phishing Contracts

Attackers often batch together multiple spoofed transfers to save on gas. Below is a sample helper contract used by attackers:


Image 1: Sample zero transfer transaction batching contract

The above can be used to quickly target multiple addresses with spoofed zero transfers as simulated in the local environment below:

Image 2: Foundry emulation of spoofed zero transfers

Based on our on-chain analysis we have observed 39 unique phishing contracts targeting Ethereum users. By analyzing these contracts we were able to cluster them into 16 distinct campaigns based on the following unique attributes:

  • Decompiled functionality of helper contracts used to batch transactions.

  • Unique function 4byte signatures used in helper contracts.

  • Unique error message used in helper contracts.

  • Destination spoofed addresses.

  • Source of funds used to deploy helper contracts.

  • Addresses used to aggregate stolen assets.
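As an added illustration (not code from this post or from Coinbase), the sketch below pulls batched zero-value transfers out of transaction receipts and buckets them by the 4byte of the helper call, using the selectors this post reports for Campaigns #1 to #3. The receipt layout, helper names and all sample addresses are constructed placeholders.

```python
# keccak256("Transfer(address,address,uint256)"): the standard ERC-20 event topic.
TRANSFER_TOPIC = "0xddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef"

# Helper-contract 4bytes this post reports for the top three campaigns.
KNOWN_4BYTES = {
    "0xd48e983d": "Campaign #1", "0x45e2e8b7": "Campaign #1", "0x44bc90af": "Campaign #1",
    "0xcac40eb0": "Campaign #2", "0xfeac8cc7": "Campaign #2",
    "0x39670f1c": "Campaign #3", "0xbcdff8b0": "Campaign #3",
}

def topic_to_address(topic):
    """Indexed addresses are left-padded to 32 bytes; keep the low 20 bytes."""
    return "0x" + topic[-40:].lower()

def spoofed_zero_transfers(tx):
    """Return (victim, spoof, token) for every zero-value ERC-20 Transfer in the
    receipt whose `from` is not the account that signed the transaction."""
    signer, hits = tx["from"].lower(), []
    for log in tx["logs"]:
        topics = log["topics"]
        if len(topics) != 3 or topics[0].lower() != TRANSFER_TOPIC:
            continue  # other events; an ERC-721 Transfer carries 4 topics
        if len(log["data"]) != 66:
            continue  # amount is not a single uint256 word
        victim = topic_to_address(topics[1])
        if int(log["data"], 16) == 0 and victim != signer:
            hits.append((victim, topic_to_address(topics[2]), log["address"].lower()))
    return hits

def summarize(txs, min_batch=2):
    """Bucket transactions that batch >= min_batch spoofed zero transfers by the
    4byte of the call that produced them."""
    report = {}
    for tx in txs:
        hits = spoofed_zero_transfers(tx)
        if len(hits) < min_batch:
            continue
        selector = tx["input"][:10].lower()
        entry = report.setdefault(selector, {
            "label": KNOWN_4BYTES.get(selector, "unattributed"),
            "txs": 0, "victims": set(), "spoofs": set()})
        entry["txs"] += 1
        entry["victims"].update(v for v, _, _ in hits)
        entry["spoofs"].update(s for _, s, _ in hits)
    return report

# ---- Constructed sample data (placeholder addresses, not real indicators) ----
def _addr(byte):
    return "0x" + byte * 20

def _log(token, frm, to, value):
    pad = lambda a: "0x" + a[2:].rjust(64, "0")
    return {"address": token, "topics": [TRANSFER_TOPIC, pad(frm), pad(to)],
            "data": "0x" + format(value, "064x")}

TOKEN, SENDER, HELPER = _addr("11"), _addr("ee"), _addr("cc")
V1, V2, V3 = _addr("a1"), _addr("a2"), _addr("a3")
S1, S2, S3 = _addr("b1"), _addr("b2"), _addr("b3")
SAMPLE_TXS = [
    # batch call to a helper contract with a 4byte listed in this post
    {"from": SENDER, "to": HELPER, "input": "0xd48e983d" + "00" * 32,
     "logs": [_log(TOKEN, V1, S1, 0), _log(TOKEN, V2, S2, 0)]},
    # ordinary transfer signed by the token holder: non-zero value, ignored
    {"from": V1, "to": TOKEN, "input": "0xa9059cbb" + "00" * 64,
     "logs": [_log(TOKEN, V1, V3, 1000)]},
    # holder sends a zero-value transfer themselves: `from` is the signer, ignored
    {"from": V1, "to": TOKEN, "input": "0xa9059cbb" + "00" * 64,
     "logs": [_log(TOKEN, V1, V3, 0)]},
    # same batching pattern behind a 4byte that is not listed in this post
    {"from": SENDER, "to": HELPER, "input": "0x12345678" + "00" * 32,
     "logs": [_log(TOKEN, V1, S1, 0), _log(TOKEN, V3, S3, 0)]},
]

if __name__ == "__main__":
    for sel, e in summarize(SAMPLE_TXS).items():
        print(sel, e["label"], e["txs"], len(e["victims"]), len(e["spoofs"]))
```

An unlisted 4byte that shows the same batching pattern is reported as "unattributed" rather than dropped, so renamed helper functions still surface for review.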

Below are the Top 3 most profitable campaigns:


Table 1: Top 3 zero transfer phishing campaigns.

See Appendix A for a complete list of all 16 campaigns.

Campaign types & evolution

As of January 12, 2023 we found that only 9 of the 16 campaigns were profitable. These campaigns together have raised over $14m in proceeds since November 27, 2022.

Below you can see a graphic that breaks down each of these campaigns' earnings over time.


Image 3: Campaign profits over time

Campaigns #2 and #3 have raised less than Campaign #1, but have raised funds more consistently. Campaign #1, which initially raised very little in comparison, netted about $3.8m in one transaction alone in January. This shows that these campaigns do not necessarily succeed through their breadth but through their targeting of specific unsuspecting victims.

Further breaking down the funds raised by these campaigns by specific tokens, we immediately find that most proceeds are by far raised in USDT, followed by USDC and DAI. We suspect that victims are more likely to fall for sending stablecoins than other tokens because stablecoins are more widely used for payments to others and more widely used in general.


Image 4: Tokens stolen over time

Breaking down the top three campaigns, we find that certain campaigns have been more active over time compared to others.

Assessing unique attack transaction count over time, we see that Campaigns #2 and #3 initially sent the bulk of transactions daily. Around January 6, 2023 Campaign #1 began to take off in terms of unique daily transaction count. We suspect this is due to Campaign #1 suddenly being successful in netting that $3.8m from one victim on January 5, 2023.


Image 5: Campaign transactions over time

However, when analyzing these campaigns by their unique daily victims over time, we see that Campaign #1 began sending batch transactions to several thousand victims daily back in mid-December. Of all the campaigns, Campaign #3 has been the most consistent in terms of transaction count and victim count (although smaller than Campaign #1).


Image 6: Campaign victims over time

The following section will dive into the exact tactics, techniques, and procedures used by the top 3 campaigns above.

Top 3 most successful campaigns

Campaign #1 

Campaign #1 started their activity on the Ethereum blockchain on December 6, 2022 when they deployed a series of phishing contracts from 0x068b…48a7. None of these contracts were used for phishing; the attacker used them to debug the contract in production. These contracts did not properly handle USDT transactions since the token contract's transfer function does not have a return value.

On December 6, 2022 22:04 0x068b…48a7 deployed a stable version of the phishing contract 0xc46c…f907 which they proceeded to actively use to send spoofed transfers.

On January 9, 2023 the attacker deployed the next iteration of phishing contracts 0x6194…f13c and 0x95aa…e775 which removed a smart contract function set() used for debugging.

Starting on January 10, 2023 the attacker started deploying updated phishing contracts such as 0xdfad…fd0d with a modified 4byte 0x45e2e8b7 (previously 0xd48e983d). Further optimizations were introduced on February 1, 2023 when the attackers removed the symbol() method; the resulting contracts are identified by the 4byte 0x44bc90af.

It should also be noted that this campaign was liberal in going after not only EOAs, but also well-known and active contracts.

We can see below that this new contract format that the attackers deployed on January 10 wasn’t useful enough to fully pivot to because the attackers still continue to use the contract that they first deployed in December.


Image 7: Campaign #1 - Unique transactions and 4bytes

Analyzing the 4bytes by their success rate for Campaign 1, we see that 0xd48e983d is by far the most successful one:


Image 8: Campaign #1 - Funds raised

As of February 12, 2023, Campaign #1 earned over $8.8m. 288 unique victims were hit successfully, leading to 309 unique transactions to spoofed addresses, indicating that some victims fell for the attack multiple times.

Interestingly, the graph above shows that the attacker primarily earned the bulk of their proceeds on January 5, 2023 through one victim alone who sent $3.8m to a spoofed address.

Although this campaign has thus far been the highest earning of those on Ethereum, this shows that just having one victim is all that a campaign needs.

Where did the money go?

This particular campaign does the following in terms of cashing out: a) topping up new addresses which initiate transactions with spoof contracts or b) cashing out through Tornado Cash. Strangely, before doing any of this, the attackers consolidate funds at 0x437643b8ce08153fab758d32cb9d83122c7b5c54 and then proceed with either a) or b). We suspect this is how Campaign #1 is staying organized in terms of accounting.


Image 9: Campaign #1 - Moving stolen funds

Campaign #1 was primarily funded by FixedFloat and Tornado Cash.

Campaign #2

The actor behind the class of phishing contracts using 4bytes 0xcac40eb0 and 0xfeac8cc7 started their activity on the Ethereum blockchain on November 29, 2022 when they deployed a series of test phishing contracts at addresses 0x130d…b666 and 0xee19…5253 respectively.

Just like Campaign #1, the two test contracts were faulty due to improperly handling USDT token transfers. The bad actor corrected the issue and deployed 0x9c78…b516 the following day on November 30, 2022 which they used to actively send spoofed transactions. Smart contracts deployed by this actor are unique in their use of access controls and token identifiers in each transaction as opposed to sending the full token address. The latter was implemented using registerNewToken() method which stores the address in a map. This approach yields gas savings in each transaction. 

Unlike Campaign #1 that’s still using two different contract types, Campaign #2 seems to have rapidly shifted from using one specific 4byte code to another on December 21, 2022 and never looked back.


Image 10: Campaign #2 - Unique transactions and 4bytes

Breaking down Campaign #2 funds raised over time, we see that its most successful 4byte is 0xcac40eb0, the first 4byte code it used for the campaign. Strangely though, this isn’t the 4byte they’ve been employing in recent weeks.


Image 11: Campaign #2 - Funds raised

Where did the money go?

Campaign #2 uses a very different, more expensive method of moving funds along. When a spoofed address in Campaign #2 receives funds, it sends funds along to another spoofed address, which usually has received funds from another victim. This process continues like a chain, until the attackers send their proceeds along to SideShift or TransitSwap, or swap them through Metamask Router for ETH and use those funds as gas to transfer other proceeds along. Besides gas coming from some victim proceeds, gas was also received from Fixed Float and Binance.


Image 12: Campaign #2 - Moving stolen funds

The funds going to TransitSwap primarily go to Tron and to various exchangers.

Campaign #2 was primarily funded by FixedFloat and SwftSwap and later by victim funds.

Campaign #3

At first glance, Campaign #3 appears to be the most diverse campaign with at least 17 phishing contract variants. However, further analysis revealed that the actors behind the campaign tend to perform only minor source code modifications. For example, contracts 0x0C353D…6041C0 and 0x0f1290…f1808c use different batch transfer methods identified with their 4bytes 0x39670f1c and 0xbcdff8b0 respectively. Further analysis of decompiled contracts revealed that the two contracts are functionally identical:


Table 2: Batch transfer methods used in phishing contracts

The campaign uses two contract variants. Variant A allows attackers to submit arrays of token, victim, and spoof addresses. Variant B allows attackers to only submit arrays of victims and spoof addresses with a token address hard-coded in the contract.

The first Variant A contract 0x5fcb9b…4f4322 was deployed on November 27, 2022. Unlike previously mentioned campaigns, Campaign #3 did not deploy any test contracts, indicating an off-chain testing environment.

The first Variant B contract 0x0c353d…6041c0 was deployed on January 10, 2023 with a simple modification of a hard-coded token address. Variant B was likely introduced to save the attackers gas by avoiding duplicate token address parameters.

Campaign #3 is unique due to a large number of contracts with only minor modifications to source code and function names.


Image 13: Campaign #3 - Unique transactions and 4bytes

While some may initially suspect that these are likely a diverse group of campaigns amalgamated into one, their overlapping usage of unique 4bytes and unique spoof addresses used on victims suggests that they are a part of the same organization.
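The attribute-based linking described here, and in the clustering criteria listed earlier in the post, can be sketched as a union-find over shared attribute values; this is an added example, not Unit 0x's tooling. Contract labels, spoof and aggregation values are constructed, and the `ignore` set is an assumption: service-level funding sources such as FixedFloat, which the post reports for several campaigns, are too common to link on.

```python
from collections import defaultdict

LINK_KINDS = ("selectors", "spoofs", "aggregators", "funders")

def cluster_contracts(observations, ignore=frozenset()):
    """Union-find: two helper contracts land in one cluster when they share any
    attribute value that is not in `ignore`."""
    parent = {o["contract"]: o["contract"] for o in observations}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving keeps lookups short
            x = parent[x]
        return x

    first_seen = {}  # (kind, value) -> first contract observed with that value
    for o in observations:
        for kind in LINK_KINDS:
            for value in o.get(kind, ()):
                if value in ignore:
                    continue
                owner = first_seen.setdefault((kind, value), o["contract"])
                parent[find(o["contract"])] = find(owner)

    clusters = defaultdict(list)
    for contract in parent:
        clusters[find(contract)].append(contract)
    return sorted(sorted(members) for members in clusters.values())

# Constructed observations. The 4bytes and service names appear in this post;
# the contract labels, spoof-* and agg-* values are placeholders.
OBSERVATIONS = [
    {"contract": "helper-A", "selectors": {"0x39670f1c"},
     "spoofs": {"spoof-1", "spoof-2"}, "funders": {"FixedFloat"}},
    {"contract": "helper-B", "selectors": {"0xbcdff8b0"},
     "spoofs": {"spoof-2", "spoof-3"}, "funders": {"SwftSwap"}},
    {"contract": "helper-C", "selectors": {"0xd48e983d"}, "spoofs": {"spoof-7"},
     "aggregators": {"agg-1"}, "funders": {"FixedFloat"}},
    {"contract": "helper-D", "selectors": {"0x45e2e8b7"}, "spoofs": {"spoof-8"},
     "aggregators": {"agg-1"}, "funders": {"Tornado Cash"}},
]
SHARED_SERVICES = frozenset({"FixedFloat", "SwftSwap", "Tornado Cash"})

if __name__ == "__main__":
    # Different 4bytes, but a shared spoof or aggregation address links the pairs.
    print(cluster_contracts(OBSERVATIONS, ignore=SHARED_SERVICES))
    # Linking on the funding service as well collapses everything into one cluster.
    print(cluster_contracts(OBSERVATIONS))
```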


Image 14: Campaign #3 - Funds raised

Further analyzing the ten most successful 4byte combinations, we find that a variety of combinations were successful over time. However, it does not appear that the attackers were using success of funds raised as a means to further predict the success of new contracts deployed.

Campaign #3 is by far the most diverse campaign in terms of different byte codes. We suspect this is likely an operation by a team. As one of the earliest campaigns it evolved significantly over time. This can also be seen by the funds they’ve raised over time in the graph above.

Unlike the above campaigns, Campaign #3 seems to have raised funds more consistently over time from more victims, although it has often netted fewer big fish than the other two campaigns discussed above. As of February 13, 2023, this campaign received 221 unique transactions from 200 unique victims. In total, this campaign has raised $5.4m.

Where did the money go?

Campaign #3 uses a mix of tactics employed by Campaigns #1 and #2. Similar to Campaign #2, when a spoof address receives funds, it sends those along to another spoof address that received funds from another victim, and so on. This process continues until one of two things happens: funds are cashed out through Huobi, FixedFloat, Tornado, or TransitSwap, or they’re consolidated in order to top up deployer addresses in order to create new spoof contracts.

Funds flowing to TransitSwap are bridged over to Tron, where they’re cashed out at Huobi. 


Image 15: Campaign #3 - Moving stolen funds

This campaign is funded primarily by Fixed Float and SwftSwap, as well as funds by victims.

Appendix A: Phishing Contract Variants

Screenshot 2023-02-15 at 4.05.05 PM

Appendix B: Indicators

Campaign #1 Indicators

Contracts:


Deployment Addresses:


Campaign #2 Indicators

Contracts:

Ethereum:

BSC:

Polygon:

Deployment Addresses:

Ethereum:

BSC:

Polygon:

Campaign #3 Indicators

Contracts:

version 1 - 3 arrays (tokens, victims, spoofs)

version 2 - 2 arrays (victims, spoofs), hard-coded token

Deployment Addresses:

Appendix C: Phishing Contract Source Code

Campaign #1: Decompiled batch transfer function

Screenshot 2023-02-15 at 4.15.37 PM

Campaign #2: Decompiled batch transfer function

Screenshot 2023-02-15 at 4.16.20 PM

Campaign #3: Decompiled batch transfer function

Screenshot 2023-02-15 at 4.17.23 PM

Sample contract with published source code: https://etherscan.io/address/0x6dc6b1ea66bf3634aa8901d210a2eb9fc6e9bdde#code

Screenshot 2023-02-15 at 4.18.11 PM
