CertiK Logo
Products
Company
Back to all stories
Blogs
Exposing Wallet Drainer Scammers: Zentoh & Co.
1/27/2023
Exposing Wallet Drainer Scammers: Zentoh & Co.

Over the last couple of months we have seen a number of scammers utilizing a phishing kit popularly known as Monkey Drainer. This kit is sold by malicious vendors to prospective scammers who are looking to steal user funds. The Monkey Drainer kit and similar phishing tools utilize a technique known as “ice phishing” to trick users into giving the scammers unlimited power to spend their tokens. An ice phishing incident in November 2022 led to the discovery of the wallets used by two scammers involved in the Monkey Drainer scam: Zentoh and Kai.

Our investigation has determined with a high degree of confidence Zentoh and Kai were behind a fake Porsche NFT website. This site, which utilized the Monkey Drainer tool, was active for approximately two weeks through mid to late November 2022.

drainer1 Porsche Monkey Drainer site

The site is now unreachable; but it was promoted heavily across social media by various Twitter users and bots. It seems that @BrieflyCrypto shared this scam site with their followers. One victim with the Ethereum Name Service (ENS) handle “fuckall.eth” replied to a now-deleted tweet from @BrieflyCrypto that a site they had shared had requested permission to spend their WBTC. Despite the fact that the user said they had “rejected” the transaction, it appears that they nevertheless fell victim to the scam as shown in the image below.

drainer2

One victim of this particular scam wallet lost $4.3 million in a single transaction. This is one of the most devastating losses to an ice phishing exploit.

drainer3 Source: Etherscan

The $4.3 million is then quickly transferred to 0x6f7…26aa6 where it is swapped for DAI and then transferred to 0xc29…2cced. The victim then reaches out to the wallet holding the stolen funds with an on-chain message asking to return the $4 million.

Screenshot 2023-01-26 at 10.59.44 AM Source: Etherscan

The scammer returns the victim a message in Russian.

Screenshot 2023-01-26 at 11.00.19 AM Source: Etherscan

Running the message through Google translate, we receive the following output:

“I'm a little discouraged. Where did you get this usdc from? Who are you? And what's going on?”

The victim tries reaching out to the scammer again but doesn’t receive an answer.

Zentoh & Kai

Unexpectedly, the scammer receives another on-chain message from an individual who refers to themself as Zentoh. Not only that, they refer to the individual who is holding the stolen funds as Kai.

Screenshot 2023-01-26 at 11.01.24 AM Source: Etherscan

It appears as though one scammer has betrayed the other by transferring the stolen $4.3 million in crypto to a wallet that a scammer known as Zentoh does not control. In another on-chain message, Zentoh refers to the wallet that received the $4.3 million as “their wallet” suggesting that both scammers had control of the recipient Externally Owned Address (EOA).

drainer4 Source: Etherscan

Even though Kai messaged the victim who lost $4.3 million in Russian, it’s clear that Kai and Zentoh can communicate in English, particularly since Kai returns a message to their former scammer colleague from an additional wallet that they control.

Screenshot 2023-01-26 at 11.02.42 AM Source: Etherscan

It’s not often that we see drama played out between two scammers via on-chain messages. How did these two coordinate before these on-chain communications? The answer appears to be Telegram.

Screenshot 2023-01-26 at 11.03.47 AM Megawhale deal almost certainly referring to $4.3 million ice phishing incident. Source: Etherscan

A Look Into Zentoh

Since the scammer uses the name “Zentoh” and notes that Kai can communicate on Telegram, it’s highly likely that Zentoh is the user name of the scammer’s Telegram account. When we search for Zentoh, we find an exact match. The account has been identified to be running a Telegram group that sells phishing kits to scammers.

drainer5

In a post in the NFT/Crypto drainer channel, a video provides a tutorial on how the wallet drainers work. In the tutorial, wallet 0x4E0…13cD8 is listed.

drainer6 The bottom right desktop settings indicate the individual who took this video is likely located in France. The music in the video is also French rap.

drainer7 Wallet used in drainer demonstration. Source: Etherscan

When we analyze the wallet provided in the demonstration video, we discover a clear connection between it and the wallet used by Zentoh to communicate with Kai.

drainer8 Connection between drainer demonstration wallet and Zentoh. Source: Etherscan

Links To monkey-drainer.eth

There is a direct link between the wallet that Zentoh and Kai controlled and some of the most prominent Monkey Drainer scammer wallets. The two scammers have a direct link to some of the largest Monkey Drainer scam wallets. For example, Zentoh directly funds an EOA with the ENS mountedraf.eth which also formerly held ENS ZachXBT-fan.eth. The wallet that funded mountedraf.eth interacts with 0xD84…6Aaee which receives funds from a wallet holding the ENS federalagent .eth which in turn sent funds to monkey-drainer.eth.

drainer9

The monkey-drainer.eth and federalagent.eth wallets were analyzed by the on-chain sleuth ZachXBT in his initial thread on the Monkey Drainer scams.

A simplified flow can be viewed below:

drainer10

Links To TecOnSellix

Telegram user TecOnSellix has been identified on Twitter by security researcher @PhantomXSec as a seller of the Monkey Drainer phishing kit and is listed as a contact on the NFT/Crypto Drainers Telegram group. TecOnSellix and Zentoh may be the same person, and 0x32Moon could potentially be added to that list. TecOnSellix is listed as the owner of the Telegram channel Crypto Drainers, which Zentoh’s profile said they were the CEO of. When we search for “TecOnSellix” on GitHub we are presented with multiple accounts posting crypto drainer repositories. However, one account in particular stands out: Berrich36.

drainer11

We have identified a number of accounts attributed to GitHub user “Berrich36”. If the links between these accounts are legitimate and not misdirection, we believe we can link to the real world identity of Berrich36, who appears to be a French national residing in Russia.

Posted in one of the repositories by Berrich36 is a Telegram channel titled “NFT/Crypto Fuckers”. When we search for members of this channel, we see that Zentoh has joined the group. This is another Telegram channel where Monkey Drainer tools are being sold.

drainer12

The Telegram channel links to another group that advertises a website where scammers can buy wallet drainers.

drainer13

Monkey Drainer phishing scams remain an ongoing threat to the Web3 community. Users should read our detailed blog on ice phishing to understand the threat of approving permissions on malicious sites, and take the recommended steps to protect themselves.

A number of recent Discord incidents have been directly linked to the Monkey Drainer wallets. Attacks on Yaypegs, Cetus, Sui Name Service and Tsunami Finance Discord servers were related to the wallet 0x0000098a31…f4582 which is related to the Monkey Drainer scam wallets. On 21 January, 2023 CertiK alerted the community that wallets associated with Monkey Drainer phishing activity had deposited 520 ETH (~$859,000) into Tornado Cash.

The Monkey Drainer Telegram channel continues to advertise the success of their drainers.

drainer14

We have demonstrated that Zentoh is a key member in the distribution of wallet drainer tools. These phishing kits make it easy for malicious actors to steal assets from the Web3 community. Based on the on-chain messages between Zentoh and Kai, it is likely that Kai was relatively new to Monkey Drainer scam operations at the time they transferred the stolen $4.3 million to their own wallet. Investors should remain vigilant of potential phishing scams and follow @CertiKAlert on Twitter to keep up to date on Web3 security news. If you suspect that a URL or dApp is malicious, reach out to CertiK’s 24/7 incident response team. Our team of on-chain investigators can help determine whether a site is malicious or not.