SlowMist has shared its latest 2024 Q3 MistTrack Stolen Funds Analysis.
SlowMist / MistTrack says it receives numerous requests every day from victims seeking help in tracking and recovering stolen or lost funds.
According to the update, these cases often involve significant funds, with some victims losing millions of dollars.
In this latest crypto and blockchain industry report, the team has provided a detailed analysis of the theft cases submitted during Q3 of 2024.
Their aim is to highlight common as well as “less known” attack methods and vectors, drawn from real, “anonymized” cases.
Their stated goal is to raise “awareness” and offer useful tips in order to help users better protect their assets and stay safe from “potential risks.”
In Q3 of 2024, MistTrack received a total of 313 theft reports, including 228 from domestic users and 85 from international users.
This represents a decrease compared to Q2 2024 (details can be found in SlowMist’s Q2 analysis).
As part of its community service, SlowMist provided a free evaluation for each case (note: the analysis only includes “cases submitted via our form, not those received through email or other channels”).
In Q3, MistTrack assisted 16 victims in freezing “approximately $34.39 million across 16 platforms.”
Main Causes of Theft:
Private Key Leaks
Private key leaks were the leading cause of asset theft in Q3. Based on their analysis, the leaks fell into several categories:
- Account Purchases Leading to Key Leaks: Victims who purchased accounts from untrustworthy sources (such as WPS memberships or overseas Apple IDs) often stored their private keys or recovery phrases in easily accessible places like notes or documents. The sellers then exploited these stored keys, gaining access to the victims’ assets.
Incident Description:
On July 2nd at 07:21 AM, the victim, an iPhone user who had “purchased a US-based ID to download software,” found that the ID password had been changed.
Unfortunately, “the wallet’s private key had been stored in the notes.”
Although the funds were still intact on July 1st, by midday on July 2nd, the victim discovered that the assets (denoted as “U”) had already been transferred out.
- Improper Key Storage: Storing private keys improperly was a frequent issue. Common mistakes include:
- Saving keys as photos in phone notes or cloud storage.
- Storing recovery phrases in email drafts or unencrypted files (such as .txt or .xlsx).
- Saving keys on cloud platforms or local devices without proper encryption.
- Taking screenshots of recovery phrases and storing them in photo galleries.
One case involved a victim whose funds were allegedly “stolen by a friend who had access to their private key.”
Overcome with guilt, the friend eventually returned the funds.
To prevent such incidents, users should store their private keys securely, such as “writing them on paper and keeping them in a safe physical location or using a hardware wallet.”
If electronic storage is necessary, files should be “encrypted and stored offline.”
- Downloading Fake Apps
Asset theft caused by fake wallet apps is “a well-known issue, but the threat extends beyond just fake wallet applications.”
- “Voluntary” Private Key Input
This type of theft occurs when victims, perhaps in “moments of lowered vigilance, unknowingly enter their private keys.”
The three common scenarios include:
- While binding a wallet to a bot, victims inadvertently “disclose their private keys to fake bots.”
- During participation in projects, scammers provide scripts and “trick users into providing funds, then use the private keys to steal the rewards and profits.”
- Victims asking for help on platforms like Discord or X are contacted by fake “official” support agents, who then guide them “to phishing links where they are asked to input their private keys.”
Reminder: Never disclose your private keys under any circumstances.
Always seek help through official customer support channels provided on the project’s official website, and “never trust third-party bots or customer service agents.”
Phishing
In Q3, phishing attacks were one of the most common reasons for asset theft.
Many victims reported falling for phishing links “posted in the comments under tweets from well-known projects.”
SlowMist’s security team conducted an analysis showing that around 80% of the first comments under “project tweets are from phishing accounts.”
There are also websites that sell X (formerly Twitter) accounts, some of which even offer accounts that closely resemble official “project accounts, making it difficult for users to distinguish real from fake.”
Phishing groups often use automated bots in order to “monitor high-profile project tweets.”
As soon as a project posts a tweet, the bot quickly posts a reply, “occupying the top comment to gain visibility.”
These fake accounts look highly similar to official project accounts, so when users click on the phishing link and “authorize the transaction or sign in, they may end up losing their assets.”
Additionally, a considerable number of theft cases stemmed from phishing websites appearing in search engine ads.
For instance, when users searched for Rabby Wallet on Google, the top two results were phishing ads.
In certain cases, these ads “deceptively” displayed Rabby Wallet’s official website address, but after multiple proxy changes, they redirected users to the phishing domain rebby[.]io, which “frequently changed to evade detection.”
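The Rabby / rebby[.]io case above is a typosquat: one letter away from the brand domain. The following script is an added example (not SlowMist or MistTrack code) showing how a defender can flag such lookalikes against a small allowlist of trusted wallet domains; the allowlist and the sample URLs are constructed, and only rebby[.]io is taken from the report.

```python
"""Flag lookalike wallet domains, as seen in the Rabby / rebby[.]io ad case.

Added example for this summary, not SlowMist or MistTrack code.  The allowlist
and the candidate URLs are constructed; only rebby[.]io comes from the report.
"""
from urllib.parse import urlsplit

# Constructed allowlist of trusted registrable domains (hypothetical set).
KNOWN_WALLET_DOMAINS = ("rabby.io", "metamask.io")
# Digits attackers substitute for visually similar letters (0->o, 1->l, 3->e, 5->s).
DIGIT_MAP = str.maketrans("0135", "oles")


def normalize(label: str) -> str:
    """Collapse common homoglyph tricks so 'rn' reads as 'm' and '0' as 'o'."""
    return label.lower().replace("rn", "m").translate(DIGIT_MAP)


def registrable_domain(url: str) -> str:
    """Reduce a URL or defanged indicator (rebby[.]io) to its last two labels."""
    text = url.strip().lower().replace("[.]", ".")
    host = urlsplit(text).hostname if "://" in text else text.split("/")[0]
    return ".".join((host or "").rstrip(".").split(".")[-2:])


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance; a small distance to a brand name suggests typosquatting."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url: str, known=KNOWN_WALLET_DOMAINS) -> str:
    """Return 'known', 'lookalike:<brand domain>' or 'unknown' for one URL."""
    dom = registrable_domain(url)
    if dom in known:
        return "known"
    cand = normalize(dom.rsplit(".", 1)[0])          # second-level label only
    for good in known:
        brand = good.rsplit(".", 1)[0]
        limit = 1 if len(brand) <= 6 else 2          # tolerance scales with length
        if brand in cand or levenshtein(cand, brand) <= limit:
            return f"lookalike:{good}"
    return "unknown"


def scan(urls, known=KNOWN_WALLET_DOMAINS) -> dict:
    """Classify every URL in a list (e.g. ad landing pages harvested from a search)."""
    return {u: classify(u, known) for u in urls}


if __name__ == "__main__":
    # Constructed sample of landing pages a user might click from search results.
    for url, verdict in scan(["https://rabby.io/download", "rebby[.]io", "https://rabby.com",
                              "rnetamask.io", "example.org"]).items():
        print(f"{verdict:22} {url}")
```

The wrong-TLD case (rabby.com) and the homoglyph case (rnetamask.io) are flagged by the same brand-label comparison, so a check like this catches more than the single rebby[.]io spelling from the report.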