Zero Transfer Phishing Investigation - Part 3 - Hashlinked

Tl;dr: Building a better and more secure crypto ecosystem means building a better, more equitable future for us all. The Unit 0x team was formed to make life hard for threat actors and to build trust in crypto by being at the forefront of zero-day blockchain threats, including smart contract exploits, phishing tactics, and other bad actor techniques. Our purpose is to proactively discover, assess, and mitigate these threats before they happen and impact the ecosystem. In this three-part blog series we discuss one such threat plaguing crypto wallets around the world, called zero transfer phishing, also known as poison transactions. In Part 1, we deep dive into the attack vector used by the phishing campaigns and explore mitigations. In Part 2 we explore various campaigns on the Ethereum blockchain and share detailed indicators. Last but not least, we uncover the threat actors behind one of the campaigns in Part 3.

By Heidi Wilder, Peter Kacherginsky

Engineering, February 16, 2023, 15 min read time

In this last part of the series, we will explore one of the threat actors that we were able to link to an NFT project using a unique smart contract 4byte clustering approach discussed in Part 2 as well as other on-chain indicators. Check out Part 1 and Part 2 of the series for more information on the zero transfer attack and various phishing campaigns exploiting it.

Test Deployment

While enumerating phishing smart contracts belonging to Campaign #2, we were able to identify a series of test deployments that all shared a unique 4byte value 0xcac40eb0 such as 0x130d45…42b666. This contract did not have any phishing transactions but matched based on decompiled code and other characteristics described in Part 2. For example, just like other contracts in the campaign, it used a token ID mechanism to save on gas.

The phishing contract 0x130d45…42b666 was deployed on November 29, 2022 by 0x363557…89475c which in turn was funded by a nexus of addresses likely belonging to a single group:

The diagram below shows the relationship between the three funding addresses as well as known exchange cash out points.

Image 1: Addresses funding a test phishing contract.

The 0xdadb65…6fc5ae address has been active since January 19, 2022 when it was first funded from Binance.

In the next few sections we will show definitive proof that both the phishing contract and addresses used to deploy it are directly related to Hashlink and Tico World NFT projects. We will also discuss social media and other indicators pointing to identities of the operators behind these projects.

Hashlink Transactions

The ENS domain fgram.eth (0xd772c0…bcea53) sent and received funds from an address 0x363557…89475c that the attackers initially used to deploy a broken campaign contract 0x130d45…42b666 (tx).

Image 2: fgram.eth interacting with the top up address.

Analyzing the 0x363557…89475c address on the Ropsten testnet, we see that it and another address, 0x1ac9a9…4f831c, interacted with a token called HashLINKV10 deployed on June 4th, 2022. 0x1ac9a9…4f831c was the deployer of that contract.

Image 3: Hashlink deployer and administrator addresses.

Similarly, 0x1ac9a9…4f831c deployed a HashLinkV10 contract on BSC Testnet. On June 4th, 2022, 0x1ac9a9…4f831c set 0x363557…89475c as an operator for the HashLINKV10 BSC contract, further solidifying the link between Phishing Campaign #2 and the Hashlink project:

Image 4: Hashlink operator transaction. Source: Bscscan.

Image 5: BSC Testnet hashlink contract and deployer.

On June 9th, 2022, a production Hashlink contract was deployed on the BNB Chain at 0xcc1d1d…2f8d7c.

Hashlink Contracts

The Hashlink source code includes a number of Chinese comments indicating developer origin:

Image 6: Hashlink 0x81401f and 0xcc1d1d smart contract source

Interestingly, the phishing contract 0x130d45…42b666 includes a number of unique functions taken directly from the Hashlink contract 0x81401f…1adacc. For example, the following decompiled snippet in the phishing contract corresponds to a unique enrollOperatorAddress function in the Hashlink contract:

Table 1: Decompiled phishing contract and hashlink source snippets. Source: Dedaub

Other unique borrowed functions include disableOperatorAddress, enrollOperatorAddress, getOperatorEnable, getTime, getUnlockTime, and others. These functions are not necessary for the operation of the phishing contracts, but were still included as artifacts of the source Hashlink contract. Furthermore, the function 0xcac40eb0 in the phishing contract used to mass send zero transfers appears to be derived from the enrollInviters function in the Hashlink contract:

Image 7: Hashlink enrollInviters function snippet.

Just like enrollInviters in the Hashlink contract, the phishing contract in Campaign #2 uses arrays of addresses and address identifiers to perform batched transactions.
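The selector-based clustering that links the 0xcac40eb0 test deployment (under Test Deployment above) to the Campaign #2 contracts can be reproduced offline from bytecode alone. The following is an added example, not code from the post or from the Hashlink project; the dispatcher bytecode, the contract labels and the list of public selectors to ignore are all constructed for illustration.

```python
# Added example: cluster EVM contracts by the function selectors found in their
# dispatcher, the "4byte" approach this series uses to tie the test deployment
# to Campaign #2. All bytecode below is constructed, not the real campaign code.
from collections import defaultdict

PUSH1, PUSH4, PUSH32 = 0x60, 0x63, 0x7F   # PUSH1..PUSH32 carry 1..32 immediate bytes
EQ, LT, GT = 0x14, 0x10, 0x11              # comparisons used by Solidity dispatchers
DUP1, DUP16 = 0x80, 0x8F

def dispatcher_selectors(bytecode: bytes) -> set:
    """Return 4-byte selectors compared in the dispatcher (PUSH4 sel [DUPn] EQ/LT/GT).
    Walks the opcode stream so PUSH immediates are never misread as opcodes."""
    selectors, i, n = set(), 0, len(bytecode)
    while i < n:
        op = bytecode[i]
        if PUSH1 <= op <= PUSH32:
            width = op - PUSH1 + 1
            imm = bytecode[i + 1:i + 1 + width]
            j = i + 1 + width
            if op == PUSH4 and len(imm) == 4:
                if j < n and DUP1 <= bytecode[j] <= DUP16:
                    j += 1
                if j < n and bytecode[j] in (EQ, LT, GT):
                    selectors.add("0x" + imm.hex())
            i += 1 + width
        else:
            i += 1
    return selectors

def make_dispatcher(*selectors: str) -> bytes:
    """Constructed dispatcher: PUSH1 0 CALLDATALOAD PUSH1 0xe0 SHR, then per selector
    DUP1 PUSH4 sel EQ PUSH2 dest JUMPI (dest is a dummy 0x0040)."""
    code = bytearray(b"\x60\x00\x35\x60\xe0\x1c")
    for sel in selectors:
        code += b"\x80\x63" + bytes.fromhex(sel[2:]) + b"\x14\x61\x00\x40\x57"
    return bytes(code)

# Public ERC-20 / Ownable selectors appear in most tokens and carry no attribution signal;
# in practice derive this set from selector prevalence across a large reference corpus.
COMMON_SELECTORS = {"0xa9059cbb", "0x70a08231", "0x18160ddd", "0x8da5cb5b", "0xf2fde38b"}

SAMPLE_CONTRACTS = {  # constructed stand-ins, not real deployments
    "test deployment": make_dispatcher("0xcac40eb0", "0x8da5cb5b", "0xf2fde38b"),
    "campaign contract": make_dispatcher("0xcac40eb0", "0xa9059cbb", "0x8da5cb5b"),
    "unrelated ERC-20": make_dispatcher("0xa9059cbb", "0x70a08231", "0x8da5cb5b"),
}

def cluster_by_rare_selector(contracts: dict) -> dict:
    """Map each non-public selector shared by two or more contracts to those contracts."""
    by_selector = defaultdict(set)
    for name, code in contracts.items():
        for sel in dispatcher_selectors(code) - COMMON_SELECTORS:
            by_selector[sel].add(name)
    return {sel: names for sel, names in by_selector.items() if len(names) > 1}
```

Feeding real runtime bytecode (from an archive node or a block explorer API) into dispatcher_selectors and clustering over a corpus is what surfaces sibling deployments that share no transactions but share a rare selector such as 0xcac40eb0.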

Hashlink Website

The Hashlink website https://hashlink[.]space is currently down. An archived copy of the website is available on Archive.org as well as the project's documentation page. Hashlink advertises itself as a “hyper-deflationary token”:

Image 8: Hashlink project website. Source: http://docs[.]hashlink[.]space

Based on the DNS history, hashlink[.]space was previously hosted on Hostinger and later on Alibaba cloud in Singapore.

Image 9: Hashlink[.] domain historical data. Source: SecurityTrails

Although the HashLink website is down now, its Twitter account is still active and advertises a collaboration with Tico World, which also appears to be funding Hashlink:

Image 10: Hashlink Twitter

Tico World is another NFT/Metaverse/GameFi project very similar to Hashlink. Kentth also appears to be a moderator of its Telegram channel. Only the project’s Twitter account is currently live:

Image 11: Tico World Twitter

Another related project is Magic of Universe which is managed by multiple Hashlink members on Telegram:

Image 12: Magic of Universe (MoU) Twitter

All three projects operate on the BNB Chain.

Hashlink Operators

The Hashlink website notes that developers are anonymous:

Image 12: Hashlink team notice

However, an archived copy of the website lists four anonymous operators, Kenth, Sevenus, Howie, and Maine, together with their roles in the project:

Image 13: Hashlink team profiles. Source: http://docs[.]hashlink[.]space

Image 14: Hashlink team organizational chart. Source: http://docs[.]hashlink[.]space

An archived project whitepaper is sparse, but does refer to three developers under completely different names (link):

Image 15: Hashlink whitepaper.

PDF document properties for the whitepaper above reveal the original author “haoyi” which may correspond to “Howie”:

Image 16: Hashlink whitepaper PDF properties.

As previously mentioned, fgram.eth (0xd772c0…bcea53) and 0x363557…89475c both sent funds to and received funds from another address, 0xdadb65…6fc5ae. This address, in turn, sent funds to kentth.eth (0xb221d7…d1bddd). Analyzing the other ENS domains kentth.eth holds, we see that it also holds ticoworld.eth, the domain of the same project that HashLink partnered with.

Image 17: ENS domains owned by 0xb221d7…d1bddd

Social Media

Hashlink operators Kentth, Sevenus, Howie, and Maine have a strong presence on Discord, Telegram, and other social media platforms. The Hashlink Discord channel is primarily managed by Chenn (aka C Maine) and “! Howie - Will Not DM First” (aka Howie).

We also find fgram.eth, who has used multiple NFTs as their profile picture, including a Wealthy Ape owned by 0xdadb65…6fc5ae and a Rare Bunni.

Image 18: fgram.eth Instagram

The RariBunni displayed as their profile picture is owned by mag75 on OpenSea. Further analyzing the Hashlink profile picture used by fgram.eth on Telegram, we find that it belongs to the Hashlink team member Sevenus, according to the Hashlink docs. The diagram below outlines the connection between fgram and other team members:

Image 19: Hashlink social media and on-chain diagram

Conclusion

The investigation above into the zero token transfer phishing Campaign #2 shows that on-chain sleuthing, coupled with contract and open source analysis, is a powerful approach to identifying bad actors.

In this final part of the series, we identified a test contract used in a phishing campaign and were able to definitively link it to the Hashlink and Tico World projects.

We hope that the information and techniques discussed in this blog series will inspire a new generation of on-chain and open source investigators to help restore trust in the ecosystem and bring bad actors to justice.

Appendix A: Indicators

Hash Link Indicators

Kenth

Aka “Kent Cheong”

Telegram: @kentthC

Ethereum: 0xb221d78b3bc4b80a28b586826c15badeadd1bddd

Ethereum: kentth.eth

Ethereum: ticoworld.eth

Sevenus

Ethereum: 0xdadb65dfca2207852f341d97d0e625e0a16fc5ae

Ethereum: fgram.eth

Howie

Aka “haoyi”

Aka “estaci”

Discord: ! Howie - Will Not DM First#8358

Telegram: @howiektico

Telegram: @howiekk Estaci -Will Not DM

Maine

Aka “Ching Maine”

Aka “C Maine”

Telegram: @Maine_Tico