BEOSIN has always been concerned about the security of NFTs and aims to provide relevant solutions. Immediately after the theft of Jay Chou's NFT, BEOSIN used Beosin-Trace to carry out on-chain tracking analysis of the stolen NFT. The timeline of the incident and the related address analysis are as follows.
Timeline and path analysis of Jay’s stolen NFT
- 2022-04-01 3:07:29
The phishing attacker transferred BAYC #3738 NFT from Jay's wallet address beginning with 0x71dE2148051A7544A082178B3e6A6DD1E0fE97a1 to the attacker's own wallet beginning with 0xe34F004BDef6F069b92dc299587D6c8A731072Da.
- 2022-04-01 3:44:49
The attacker sold BAYC #3738 NFT to Buyer 1 via LooksRare for 130 WETH. After the transaction fee was deducted, the 124.15 WETH in proceeds was transferred to the attacker's own wallet starting with 0xe34F004BDef6F069b92dc299587D6c8A731072Da.
- 2022-04-01 3:52:57
Buyer 1 sold BAYC #3738 NFT to Buyer 2 via LooksRare for 155 WETH, and the 148.025 WETH in proceeds (after the transaction fee was deducted) was transferred to Buyer 1's wallet starting with 0xf794a0880f0ae7854B6e894C965C907Ed05a5c3b.
- 2022-04-01 3:58:28
The phishing attacker started laundering the money. The attacker transferred the proceeds from the sale of BAYC #3738 NFT, together with the additional proceeds from the sale of 1 MAYC and 2 Doodles held by Jay, totaling 169.6 ETH, to another address under the attacker's control starting with 0x6E85C36e75dc03A80F2fA393055935C7f3185b15, and then transferred 168 ETH to the mixer platform Tornado.Cash. Currently 1 ETH has been transferred to address 0x47CE0C6eD5B0Ce3d3A51fdb1C52DC66a7c3c2936; 10 ETH have been transferred to address 0x910Cbd523D972eb0a6f4cAe4618aD62622b39DbF; 100 ETH have been transferred to address 0xA160cdAB225685dA1d56aa342Ad8841c3b53f291.
- As of 2022-04-02 14:23:00
BAYC #3738 NFT is still in Buyer 2's wallet starting with 0x5122c3b4de32D93Efae914382c08d02Fb8348353.
We will use Beosin-Trace to continuously monitor the progress of the incident, and will be the first to share with you if there are any new movements.
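The fund flow in the timeline above can be replayed as a small forward trace. This is an added example, not Beosin-Trace output or code from the original post; the ledger is constructed from the timeline's figures, marketplace settlement is simplified to a direct buyer-to-seller payment, and treating the recipients of the 1, 10 and 100 ETH transfers as mixer sinks is an assumption.

```python
from decimal import Decimal

# Addresses exactly as printed in the timeline above.
JAY = "0x71dE2148051A7544A082178B3e6A6DD1E0fE97a1"
ATTACKER = "0xe34F004BDef6F069b92dc299587D6c8A731072Da"
RELAY = "0x6E85C36e75dc03A80F2fA393055935C7f3185b15"
BUYER1 = "0xf794a0880f0ae7854B6e894C965C907Ed05a5c3b"
BUYER2 = "0x5122c3b4de32D93Efae914382c08d02Fb8348353"
# Assumption: the recipients of the 1/10/100 ETH transfers are treated as
# mixer deposit sinks, the points where address-level tracing stops.
POOL_1 = "0x47CE0C6eD5B0Ce3d3A51fdb1C52DC66a7c3c2936"
POOL_10 = "0x910Cbd523D972eb0a6f4cAe4618aD62622b39DbF"
POOL_100 = "0xA160cdAB225685dA1d56aa342Ad8841c3b53f291"
SINKS = {POOL_1, POOL_10, POOL_100}
NFT = "BAYC#3738"

# Constructed ledger in chronological order: (sender, receiver, asset, amount).
# Marketplace settlement is simplified to a direct buyer -> seller payment.
LEDGER = [
    (JAY, ATTACKER, NFT, Decimal(1)),
    (ATTACKER, BUYER1, NFT, Decimal(1)),
    (BUYER1, ATTACKER, "WETH", Decimal("124.15")),
    (BUYER1, BUYER2, NFT, Decimal(1)),
    (BUYER2, BUYER1, "WETH", Decimal("148.025")),
    (ATTACKER, RELAY, "ETH", Decimal("169.6")),
    (RELAY, POOL_1, "ETH", Decimal(1)),
    (RELAY, POOL_10, "ETH", Decimal(10)),
    (RELAY, POOL_100, "ETH", Decimal(100)),
]

def nft_path(ledger, token, owner):
    """Follow one token hop by hop; the last element is the current holder."""
    path = [owner]
    for src, dst, asset, _ in ledger:
        if asset == token and src == path[-1]:
            path.append(dst)
    return path

def trace_funds(ledger, start, sinks):
    """Forward trace of ETH/WETH leaving `start`; stops at sink addresses."""
    tainted, hops, deposits = {start}, [], {}
    for src, dst, asset, amount in ledger:  # chronological, so one pass is enough
        if asset not in ("ETH", "WETH") or src not in tainted:
            continue
        if dst in sinks:
            deposits[dst] = deposits.get(dst, Decimal(0)) + amount
        elif dst not in tainted:
            tainted.add(dst)
            hops.append(dst)
    return hops, deposits
```

Keeping the NFT trail and the proceeds trail separate prevents the buyers, who only received the token, from being marked as recipients of the stolen funds.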
Tracing and analyzing the IP address of the phishing website
- Phishing website URL: https://mutantshiba.army/. The site is currently inaccessible.
- IP addresses returned for the domain name: 220.127.116.11, 18.104.22.168. Both belong to Cloudflare, so the real IP cannot be found for now.
- Some of the WHOIS information for the site:
Created at 2022-03-19 05:48:33
Expired at 2023-03-19 05:48:33
Updated at 2022-03-24 05:49:04
Registrant belongs to the organization Anonymize, Inc.
Domain name service provider: Epik, Inc
Domain name servers: vivienne.ns.cloudflare.com, sterling.ns.cloudflare.com
Our tracing and analysis found that the domain name is inaccessible, the only IP addresses we can find are CDN IPs, and the real IP address cannot be found. No more information can be found through search engines. Currently the providers that support the registration of the domain name are: iisp.com, Dynadot, 1198.cn, wvidc.com, GoDaddy, etc.
Our recommendations for Jay Chou
To track down the real identity of the hacker, one can apply to investigate the KYC and credit card payment information held by the domain service provider, but this is not easy and may require the assistance and support of relevant judicial procedures. In the end, we certainly hope that Jay's stolen NFT can be recovered.