
Beeple attack investigated: a crypto researcher named the people who stole money from the famous NFT artist's subscribers

Andrew Zhoao

News editor

Oct 6, 2022 at 07:20

Twitter user ZachXBT investigated a phishing attack on the followers of famous NFT artist Beeple (his real name is Mike Winkelmann). As a reminder, on May 22, the graphic designer’s account was compromised. Hackers posted a phishing link that allowed the scammers to obtain various expensive non-fungible tokens and cryptocurrencies worth 225 ETH (~$450 at the time of the theft). 

How did his account become compromised? 

As usual, almost nothing is known about the hackers except their addresses. Here they are:

  • 0xF305F6073CFa24f05FF15CA5b387DD91f871b983;
  • 0xcad7fc974F61A08ADEF110D1BA446fa5b5B5Bb27.

Here is what the post they put together to attract the audience's attention looked like. According to the post shown in the picture below, Beeple was giving away 200 totally unique pieces; as it turned out later, the graphic artist was not giving away anything for free.

Funds transferring

According to ZachXBT, the way Beeple lost access resembles the methods of Cam Redman (a SIM swapper), who has been accused of hacking several Twitter accounts recently. You can see more about this in the video below, but in the meantime, let's move on.


Where is the money? 

However, what matters is not how Beeple lost access to his account but that he recovered it only a few hours after the attack, which in the digital world is long enough. During that time, the scammers poured the stolen funds into Tornado Cash, a smart contract that accepts deposits of ETH and ERC-20 tokens in different quantities.

Here is how it happened:

  • On May 5th at 7:20 pm UTC, the attacker sent 3×10 ETH and 6×1 ETH (36 ETH) from 0xf30 to Tornado Cash. Less than 2 hours later, 0x664b withdrew 3×10 ETH and 6×1 ETH (36 ETH) from Tornado Cash and sent the 36 ETH to the FixedFloat exchange.
Funds transferring 2
  • At 4:17 pm UTC, the attacker sent 100 ETH, 6×10 ETH and 3×1 ETH (163 ETH) from 0xd15 to Tornado Cash. Just minutes later, 0x2fc withdrew 100 ETH, 6×10 ETH and 3×1 ETH (163 ETH) from Tornado Cash.

According to ZachXBT, address 0x2fc belongs to a scammer named Two1/Youssef. More details about how the author came to this conclusion are given here.

In early July, Two1 sent the ETH to a wealthy individual.eth before depositing it all into Tornado Cash. Consistent with previous behavior, Two1 left the ETH in Tornado Cash for only ~2 hours before withdrawing it all from Tornado to:

  • 0x2FA030d5a64FDA8e69048a2A6DB4C534889E3BA2

It was then moved to 0xe84, where 152/225 ETH from the Beeple hack currently sits: 0xE84D4E6451119f49F24f13cAf13FBda331C2245f. This address has since been flagged for phishing by the Etherscan team after ZachXBT's first Two1 thread was posted.

  • On May 23rd at 3:27 am UTC, the attacker began to send 2×10 ETH and 5×1 ETH (25 ETH) from 0x5c25 into Tornado. Just minutes after each deposit, the attacker once again withdrew 2×10 ETH and 5×1 ETH (25 ETH) from Tornado to 0x702: 0x702De97D9030B83ce04CD3BC5509CBeAd42Ec41d
Funds transferring 3

Looking closely, you’ll notice 6×1 ETH was withdrawn from Tornado in total from that address. 

Where does that extra 1 ETH come from? 

Also, it turns out that attackers hacked the Webaverse Discord and sent it to the same 0x702 wallet as the Beeple hack funds. 

  • The 25 ETH from the Beeple hack was then moved from 0x702 to 0xf20, where it currently sits: 0xf2000037a148ea53d3f9c24f3b8607c847b60091
Funds transferring 4

So far we have seen how Cam and Two1 were both involved in the hack, but according to ZachXBT, there is one more person. After the author's preview tweet, that person deactivated his account. You can find his deleted account by the @bandage nickname.

Moreover, after ZachXBT's preview tweet, Lockvert (Lock), a phishing scammer who is friends with Two1 & Shayan, messaged him on Twitter to ask for details about the thread.

Funds transferring 5

Summary

Cam sold Twitter panel access to Two1 and Shayan, enabling them to hack Beeple. After the attack, Two1 deposited the stolen funds into Tornado Cash but withdrew them almost immediately in similar amounts, making them easy to trace.
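The tracing heuristic behind the timeline and this summary, as an added example that is not part of the original article or ZachXBT's own tooling: two addresses are linked when one deposits a distinctive mix of pool sizes and another withdraws the same mix shortly afterwards. The minute offsets, the `0xnoise*` addresses, the 180-minute window and the three-note minimum are assumptions; the pool counts and short address labels are the article's.

```python
from collections import Counter, defaultdict

# Constructed sample events: (minute offset, pool size in ETH, address).
# Pool counts and short address labels follow the article; the minute offsets
# and the "0xnoise*" addresses are invented for illustration.
DEPOSITS = (
    [(i, 10, "0xf30") for i in range(3)]
    + [(5 + i, 1, "0xf30") for i in range(6)]
    + [(400, 100, "0xd15")]
    + [(401 + i, 10, "0xd15") for i in range(6)]
    + [(410 + i, 1, "0xd15") for i in range(3)]
)
WITHDRAWALS = (
    [(100 + i, 10, "0x664b") for i in range(3)]
    + [(105 + i, 1, "0x664b") for i in range(6)]
    + [(415, 100, "0x2fc")]
    + [(416 + i, 10, "0x2fc") for i in range(6)]
    + [(425 + i, 1, "0x2fc") for i in range(3)]
    + [(50, 10, "0xnoise1"), (420, 1, "0xnoise2"), (430, 100, "0xnoise3")]
)


def profile(events):
    """Map address -> (first minute, last minute, Counter of pool sizes)."""
    grouped = defaultdict(list)
    for minute, pool, addr in events:
        grouped[addr].append((minute, pool))
    return {
        addr: (min(m for m, _ in ev), max(m for m, _ in ev),
               Counter(p for _, p in ev))
        for addr, ev in grouped.items()
    }


def link_by_denomination(deposits, withdrawals, window=180, min_notes=3):
    """Return (depositor, recipient, total ETH) where the recipient withdrew
    exactly the depositor's mix of pool sizes within `window` minutes.
    A mix of fewer than `min_notes` notes is too common to be evidence."""
    links = []
    wd = profile(withdrawals)
    for d_addr, (d_first, _, d_mix) in profile(deposits).items():
        if sum(d_mix.values()) < min_notes:
            continue
        for w_addr, (w_first, w_last, w_mix) in wd.items():
            if w_mix == d_mix and d_first < w_first and w_last - d_first <= window:
                total = sum(pool * n for pool, n in d_mix.items())
                links.append((d_addr, w_addr, total))
    return links


if __name__ == "__main__":
    for src, dst, eth in link_by_denomination(DEPOSITS, WITHDRAWALS):
        print(f"{src} -> {dst}: {eth} ETH")
```

A match from this heuristic is a lead to corroborate with other evidence, not proof of common ownership; the single-note withdrawals in the sample show why a small mix is not distinctive enough on its own.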

So, according to ZachXBT’s investigation, Beeple’s funds sit here: 

  • 0xE84D4E6451119f49F24f13cAf13FBda331C2245f

25 ETH of the funds here:

  • 0xf2000037a148ea53d3f9c24f3b8607c847b60091

The rest of the funds were sent through FixedFloat and would likely need to be subpoenaed for additional info.

That’s all. If the criminals have not yet converted the funds into dollars, then at the current exchange rate, their account is at ~$309K. This is much less than four months ago, but still a significant amount. The money will probably never be returned to users, but Beeple created art specifically for ZachXBT to thank him for the investigation.  
