A scammer or group of scammers has used a phishing copy of the crypto exchange HitBTC’s website to steal some $15 million worth of crypto.
According to a Twitter thread from crypto compliance firm MistTrack, the phishing website that was used looked almost identical to HitBTC’s real website, except for a minor difference in the URL, which was hitbt2c[.]lol instead of hitbtc[.]com.
The stolen assets include Bitcoin (BTC), Ether (ETH), Tether (USDT), and other cryptocurrencies, MistTrack said in the Twitter thread, where it also outlined how the entire scam website worked.
Once users click “Approve” on their browser-based wallets like MetaMask while on the phishing website, the hackers can potentially get free access to all of the users’ holdings, MistTrack warned.
Attacker addresses
In the Twitter thread, MistTrack also identified four crypto addresses that it said belonged to the scammers, with one of them being a Bitcoin address, two being Ethereum addresses, and one a Tron address.
- Bitcoin: 3BvQyAZwBXxk7rEStd6burfQgQ5AD2FFsq
- Tron (USDT): TCV1cN2iRG1F1NHwr3GnujhNkEbBoXdZs8
- Ethereum: 0xB59299A0F15a282Bfc671BC0c2231184292C01b1
- Ethereum: 0xdc961cF2F71dd0ab4f83eA294dBfEF1970ae15c6
At the time of writing, the Bitcoin address did not contain any funds, but since its creation in July 2022 it has transacted more than 400 times and received over 52 BTC, worth some $1.4 million at today’s price.
The Tron address contained 242 USDT received in a single transaction, while the first Ethereum address contained a few thousand dollars of stablecoins after having transacted for millions of dollars with many different ERC-20 tokens since its creation in June 2022.
The last Ethereum address listed by MistTrack has so far not recorded any activity.
The large number of transactions to and from some of the wallets suggests that they have been used extensively for illicit purposes for close to a year now.
In total, approximately $15 million has been received by the wallets.
Several phishing sites active
In addition to warning about the ongoing HitBTC phishing attack, MistTrack also said that many other phishing websites appear to be active and under the control of the same hackers.
According to a screenshot shared by the firm with a list of websites that used a filename identical to one used by the hackers, a large number of phishing sites have been active for up to three months.
The operation “seems to be a big sha zhu pan,” the firm wrote, using the Chinese term for a so-called “pig butchering” scam, a type of scam where victims are tricked and manipulated over a long period of time.
Phishing scams are among the most common types of scams in crypto, and have been a serious issue in particular for exchanges that are having their websites copied and used in the attacks.
The best way to avoid becoming a victim of a phishing attack is to always carefully check the URL in the browser’s address field, and make sure it matches exactly what the URL of the real website should be before logging in or depositing any funds on a platform.
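The URL check described above can also be automated, for example in a browser extension or a mail gateway. The following is an added example, not code from MistTrack or HitBTC: the function names are hypothetical, and it assumes trusted domains use a single-label TLD and that subdomains of a trusted domain are also trusted.

```javascript
// Added example: classify a URL's host against an allowlist of trusted domains.
// Assumption: single-label TLDs only (no public-suffix list is consulted).
const TRUSTED = ["hitbtc.com"]; // the legitimate domain named in the article

// Indicators in reports are often defanged ("[.]"); restore dots before parsing.
const refang = (s) => s.split("[.]").join(".");

// Levenshtein edit distance between two short strings.
function editDistance(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost);
    }
    prev = cur;
  }
  return prev[b.length];
}

// Returns "trusted", "lookalike" or "unknown" for a URL string.
function classifyUrl(input, trusted = TRUSTED) {
  let host;
  try {
    // The parser separates userinfo from the host, so a trusted name placed
    // before "@" does not count as the hostname.
    host = new URL(refang(input)).hostname.toLowerCase();
  } catch {
    return "unknown"; // not a parseable absolute URL
  }
  for (const domain of trusted) {
    if (host === domain || host.endsWith("." + domain)) return "trusted";
  }
  const labels = host.split(".");
  const brand = labels.length >= 2 ? labels[labels.length - 2] : host;
  for (const domain of trusted) {
    const trustedBrand = domain.split(".")[0];
    // Trusted name embedded in a different domain (e.g. as a subdomain label).
    if (host.includes(trustedBrand)) return "lookalike";
    // One or two character edits away from the trusted name, on any TLD.
    if (editDistance(brand, trustedBrand) <= 2) return "lookalike";
  }
  return "unknown";
}
```

Anything classified as "lookalike" is a candidate for blocking or a user warning; "unknown" only means the host is unrelated to the allowlist, not that it is safe.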
HitBTC has so far not published any comment regarding the ongoing phishing attack.