The same organisation that was responsible for shutting down the biggest dark web drug marketplace, Silk Road, fell victim to one of the oldest tricks in the book, plain social engineering, and ended up sending $55,000 to a scammer's address.
The way this scam was set up and executed is quite fascinating, and it goes to show that plain old social engineering is one of the most insidious and commonly overlooked attack vectors. The only thing more fascinating than the execution of the attack is the scammer's audacity in deliberately going after the DEA.
Back in May the DEA seized just over $500,000 in USDT (Tether) from two Binance accounts it suspected were being used to funnel the proceeds of illegal narcotics sales, according to a search warrant. The funds were placed in DEA-controlled accounts, stored in a Trezor hardware wallet and kept in a secure facility.
The scammer had been watching the activity unfold on-chain, and noticed that the DEA sent a small $45.36 test transaction to the U.S. Marshals Service as part of its forfeiture process. The scammer took note of the U.S. Marshals wallet address and generated an address of their own ending in the same 4 characters as the address the DEA had just sent the test transaction to.
Half of the work was done at this point. Now for the social engineering part. To set up the scam, the attacker airdropped a token to the DEA's wallet address, which made the scammer's newly created address appear in the DEA wallet's transaction history as an incoming transfer. This is known as address poisoning, and while it is normally fairly easy to spot, matching the last 4 characters of the real recipient's address was enough to trick the DEA agent responsible for the transfer.
Normally, after sending a test transaction, it is convenient to go to your transaction history and copy the recipient address directly from that entry, which is most likely what happened here. The DEA intern (might as well blame the intern at this point) copied the scammer's airdropped address instead of the Marshals address and proceeded to send $55,000 to the wrong destination.
Once the Marshals and the DEA realised what had happened, they contacted Tether to have the funds frozen, but the scammer had already moved them.
Collaborating with the FBI, the DEA established that the funds were converted to Ether and Bitcoin and then transferred to a new wallet. As stated in the warrant, even though investigators had not managed to identify the individual using that wallet, they did observe two accounts on the cryptocurrency exchange Binance that were paying the scammer's gas fees. The Binance accounts were linked to two separate Gmail addresses, so the trail had not gone cold: the FBI expects to obtain identifying information on the attacker from Google.
The FBI investigation also revealed that the scammer had been moving significant amounts of crypto through their account in recent months and had received over $425,000 since June. Over $300,000 of that amount has since been moved to 7 different wallets.
Naturally, the DEA refused to comment on the incident as they had to eat their humble pie in silence.
Address poisoning attacks are relatively common, but this one was more effective than most because the scammer matched the last 4 characters of the Marshals wallet address, so the poisoned entry looked like a legitimate, previously used address in the DEA's transaction history. The last 4 hex characters give only 16^4 = 65,536 possibilities, so generating a matching address takes seconds on a laptop.
To avoid falling victim to such an attack, always verify the entire address against a source you obtained out of band (not the transaction history, which an attacker can pollute at will), treat any entry that only ever received funds from you as untrusted, and pay attention to your wallet's warning that you have "never sent funds to this address".
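The following is an added example, not code from the original post, showing both halves of the story: how cheap it is to find an address whose last 4 hex characters match a target, and a recipient check that refuses a suffix-only match and flags addresses the wallet has only received from. Real EVM address derivation (keccak-256 of a secp256k1 public key) is not implemented here; candidate addresses are simulated with random 20-byte values, which has the same search cost. The Marshals and scammer addresses, the transaction history and the function names are all constructed for the example.

```python
"""Address poisoning: cost of a 4-character suffix collision, and a
recipient check that is not fooled by it.

Address derivation is SIMULATED with random 20-byte strings. A real EVM
address is keccak-256(pubkey)[-20:], but the search loop and its expected
cost are identical; only the source of randomness differs.
"""
import secrets

# Constructed sample data (not real addresses).
MARSHALS_ADDR = "0x" + "11" * 18 + "a1b2"   # legitimate recipient
POISON_ADDR = "0x" + "ee" * 18 + "a1b2"     # attacker's lookalike, same last 4

# Constructed wallet history: one outgoing test transaction to the real
# address, then the attacker's airdrop, which shows up as an incoming entry.
HISTORY = [
    ("out", MARSHALS_ADDR),
    ("in", POISON_ADDR),
]


def expected_trials(n_hex_chars: int) -> int:
    """Average number of random addresses needed to match n trailing hex chars."""
    return 16 ** n_hex_chars


def find_lookalike(target: str, n: int = 4, max_trials: int = 4_000_000):
    """Simulate the attacker's vanity search.

    Draws random addresses until the last n hex characters equal the
    target's. Returns (address, trials). With n=4 this needs ~65,536 draws.
    """
    suffix = target.lower()[-n:]
    for trials in range(1, max_trials + 1):
        candidate = "0x" + secrets.token_hex(20)  # stands in for key derivation
        if candidate.endswith(suffix):
            return candidate, trials
    return None, max_trials


def history_status(history, addr: str) -> str:
    """Mimic the wallet warning: has this wallet ever SENT to addr?

    An address that only appears as the sender of an airdrop is not a
    trusted counterparty, even if it looks familiar.
    """
    a = addr.lower()
    sent = any(d == "out" and h.lower() == a for d, h in history)
    received = any(d == "in" and h.lower() == a for d, h in history)
    if sent:
        return "known: previously sent to this address"
    if received:
        return "warning: never sent funds to this address (only received from it)"
    return "warning: unknown address"


def vet_recipient(history, copied: str, reference: str) -> tuple:
    """Decide whether a copied address may be paid.

    copied:    the address the operator pasted (e.g. from transaction history)
    reference: the intended address obtained out of band (e.g. from the
               Marshals' own paperwork, not from the wallet UI)
    Returns (status, reason) where status is "OK" or "REJECT".
    """
    c, r = copied.lower(), reference.lower()
    if c != r:
        if c[-4:] == r[-4:]:
            return ("REJECT", "suffix matches but full address differs: likely address poisoning")
        return ("REJECT", "address does not match reference")
    status = history_status(history, copied)
    if status.startswith("warning"):
        return ("REJECT", status)
    return ("OK", status)


if __name__ == "__main__":
    addr, trials = find_lookalike(MARSHALS_ADDR)
    print(f"lookalike {addr} found after {trials} trials "
          f"(expected about {expected_trials(4)})")
    print(vet_recipient(HISTORY, POISON_ADDR, MARSHALS_ADDR))
    print(vet_recipient(HISTORY, MARSHALS_ADDR, MARSHALS_ADDR))
```

The important design choice is that `vet_recipient` compares against a reference that does not come from the wallet's transaction list: the history is the thing the attacker controls by airdropping, so it can only ever downgrade trust (the "never sent to" warning), never establish it. Running the search shows that a 4-character match costs on the order of tens of thousands of draws, which is why matching only the tail of an address proves nothing.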
Stay safe out there, and I hope you're taking better care of your crypto than the DEA.