January 17th, 2022

Introduction

After the CityDAO Phishing Scam - January 10th 2022 I discussed the event with the CityDAO team and we dug into on-chain transactions. While we didn’t find any smoking guns, it was immediately clear that the attacker is not very concerned with covering their tracks.

Accounts from other attacks are clearly linked, and scam accounts continue to be re-used. Lyons.eth from CityDAO identified the address used in at least one related scam and believes others are also linkable. The paper trail was very surprising to see, and turns out to be a pretty interesting case study; one does not need to be an expert to see all of the connections.

I hope this is helpful for others who want to know about these details. I learned a lot about the different transaction types, token transfers, and approvals.

On-Chain Analysis


Experienced analysts would probably chuckle at my rudimentary approach of expanding the Breadcrumbs graph, reviewing related accounts and transactions, and trying to identify patterns that look questionable. Nevertheless, I was able to identify what happened and was surprised to see a few things stand out on the public ledger:

CityDAO Phishing SCAM Account

Address: 0xa6964e26b6e49510934164ceab2dd73fd397509f

Used to extract funds from victims of CityDAO Phishing Scam - January 10th 2022

CityDAO Phishing DRAIN Account

Address: 0x1129b2591a7dfdff453c3520fd22a4c98dcf463a

The CityDAO attackers sent a significant amount of funds to this account, which at the time of writing holds 72 ETH (up from 46 ETH after the CityDAO scam only one week ago). Someone suggested that this is likely to accumulate 100 ETH before being dumped to Tornado Cash. Multiple other accounts lead into this account, but this post only scratches the surface with a couple of them. Based on related activity I suspect all accounts which feed this account will prove to be of interest.

Origin Account

Address: 0x248bd50ca84291ee68fddb970bd126f738b64335

This has been identified by multiple sources as a significant account. I’ve labeled it the “Origin Account” because it is the first account to send money to the CityDAO Phishing SCAM account, but it is clearly so much more. The Origin Account sent unrelated funds after the scam completed, as well as directly to the CityDAO Phishing DRAIN account. This account received funds from the Jan 6 Redacted Phishing SCAM account, and other suspicious accounts (mentioned below). This address has also come up in discussions multiple times with the CityDAO team and others. Many have pointed to this account as being related to other scams.
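The approach described above (expand the graph around a known address, walk backwards through whoever funded it, and look for accounts that touch more than one cluster) can be reproduced without a graphing tool. The script below is an added example, not part of the original post or any CityDAO tooling: it uses the three labelled addresses from this write-up, but the transfer list, the victim and "0xjan6scam"/"0xunrelated"/"0xother_exit" placeholder addresses, and every amount are constructed for illustration and are not on-chain data. In practice the transfer list would come from an explorer export or an RPC node.

```python
from collections import defaultdict, deque

# Addresses labelled in the write-up above.
SCAM = "0xa6964e26b6e49510934164ceab2dd73fd397509f"    # CityDAO Phishing SCAM account
DRAIN = "0x1129b2591a7dfdff453c3520fd22a4c98dcf463a"   # CityDAO Phishing DRAIN account
ORIGIN = "0x248bd50ca84291ee68fddb970bd126f738b64335"  # "Origin Account"

# Constructed sample transfers: (from, to, amount in ETH). The placeholder
# addresses and all amounts are illustrative only, not real ledger data.
TRANSFERS = [
    ("0xvictim1", SCAM, 10.0),        # victims send to the scam account
    ("0xvictim2", SCAM, 5.0),
    (ORIGIN, SCAM, 0.1),              # origin funds the scam account first
    (SCAM, DRAIN, 14.0),              # scam proceeds moved to the drain
    (ORIGIN, DRAIN, 3.0),             # origin also sends directly to the drain
    ("0xjan6scam", ORIGIN, 20.0),     # an earlier scam account feeding origin
    (ORIGIN, "0xunrelated", 1.0),
    (DRAIN, "0xother_exit", 2.0),
]


def build_graph(transfers):
    """Index transfers by receiver and by sender so we can walk either way."""
    incoming = defaultdict(list)
    outgoing = defaultdict(list)
    for src, dst, amt in transfers:
        outgoing[src].append((dst, amt))
        incoming[dst].append((src, amt))
    return incoming, outgoing


def upstream(target, incoming, max_hops=3):
    """Breadth-first walk backwards from target.

    Returns {address: hops} for every account that feeds target within
    max_hops, i.e. the set the post calls "accounts which feed this account".
    """
    hops = {target: 0}
    queue = deque([target])
    while queue:
        cur = queue.popleft()
        if hops[cur] >= max_hops:
            continue
        for src, _ in incoming[cur]:
            if src not in hops:
                hops[src] = hops[cur] + 1
                queue.append(src)
    del hops[target]
    return hops


def net_inflow(addr, transfers):
    """Total received minus total sent, from the transfer list alone."""
    received = sum(a for s, d, a in transfers if d == addr)
    sent = sum(a for s, d, a in transfers if s == addr)
    return received - sent


def shared_counterparties(a, b, incoming, outgoing):
    """Addresses that transacted with both a and b: the linkability signal
    that makes re-used scam accounts easy to tie together."""
    def neighbours(x):
        return {p for p, _ in incoming[x]} | {p for p, _ in outgoing[x]}
    return (neighbours(a) & neighbours(b)) - {a, b}


if __name__ == "__main__":
    inc, out = build_graph(TRANSFERS)
    print("feeders of DRAIN:", upstream(DRAIN, inc))
    print("DRAIN net inflow:", net_inflow(DRAIN, TRANSFERS))
    print("shared between SCAM and DRAIN:", shared_counterparties(SCAM, DRAIN, inc, out))
```

Walking backwards from the drain account surfaces both the scam account and the origin account at one hop, and the origin account's own funders two hops out, which is exactly the kind of chain the write-up follows by hand. The shared-counterparty check is the cheap test for "is this the same operator": an address that appears around two supposedly separate scam clusters is worth a closer look.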