DiegoPapi6 TrustWallet Theft
DiegoPapi6 is a trucker from Arizona who was tricked into downloading malicious software onto his Android smartphone through a phishing link designed to look like a software upgrade being pushed by his provider, TMobile. The malware appears to have enabled the draining of the TrustWallet on his smartphone. All assets were quickly sold by the attacker. DiegoPapi6 continues to participate fully in the blockchain ecosystem, and has not pursued any further legal action or investigation to have the funds returned.
About DiegoPapi6
DiegoPapi6 is a Christian[1] trucker[2][3][4] from Mesa[5], Arizona[6][7][8], primarily operating in Texas[9][10]. He was 43 as of November 4th, 2021[11], and is happily married[12][13] with a son named Emillian[14] who was 19 between September 6th, 2021 and October 27th, 2021[5][14][15][16]. He has been a user of Reddit since August 11th, 2020[17], and had used primarily Facebook prior to that point[18].
He is a regular and enthusiastic investor in Shiba Inu[19][20][21][22][23] since June 2021[5][16][24], ZombieInu[25][26][27][28], VeThor[29][30], Ethereum[30][31], Bitcoin[30][31], BNB[31], Cardano[30], Dogecoin[32], CoinMerge[33], and BitRise[34][31]. He previously held an investment in Wink[35][36], Luna[31], BabyShibaInu[31], iBNB[31], and Locklet[34]. He does a high degree of research for every project he invests in[21][37]. According to his profile, he has been a crypto investor since 2016[17].
DiegoPapi6 used an Android smartphone on the TMobile network.
About TrustWallet
TrustWallet is a wallet available as a browser extension or mobile download for iOS or Android[38]. The wallet was originally released in November 2017[39]. TrustWallet was acquired by Binance on July 31, 2018[39].
The most trusted & secure crypto wallet
Buy, store, collect NFTs, exchange & earn crypto. Join 25 million+ people using Trust Wallet.
Wallets within TrustWallet are typically secured by a 12 word seed phrase[40].
Just like your bank account login or email credentials, your recovery phrase needs to be kept in a secure, hidden location. You need to write it on a piece of paper (or engrave it in metal) and ensure that the order of words is followed.
The Reality
Malicious links can often be sent to smartphones via text messages, and may be able to download malware onto a phone[41][42][43][44]. On Android, malicious applications can only be installed from outside the Play Store if install permissions have been explicitly set to "allow unknown app"[43]. Once installed, applications can either trick users into providing the desired permissions or exploit vulnerabilities to gain administrator level permissions and access sensitive data[44].
There is some speculation that phishing attacks are assisted through data that was acquired from privacy breaches on mobile carriers throughout 2018[42].
What Happened
According to private messages later received from DiegoPapi6, he received a text message which he believed at the time was an update from TMobile for his Android smartphone. The provided link prompted him to download and install malware on his smartphone, which was then able to harvest his TrustWallet credentials and drain his wallet account.
I believe it was a download via text that appeared to come from T-mobile that got me. Because all I remembered was accepting the download and then a few hours later my wallet was getting drained in real time. I was able to witness 2 sells
| Date | Event | Description |
|---|---|---|
| July 28th, 2021 10:20:26 AM MDT | Purchase of Locklet Token | DiegoPapi6 purchases 120,497.324468532005704917 Locklet tokens for 5.705739941367457907 WBNB[45]. |
| July 30th, 2021 4:55:17 AM MDT | First Attacker Transaction | The attacker performs their first transaction in their wallet, transferring in a small amount of BNB[46]. They also use Ethereum shortly thereafter[47][48]. |
| July 30th, 2021 5:03:02 AM MDT | Purchase Of BitRise Tokens | DiegoPapi6 pays 14.453749256986768434 BNB for 547,378,480,000 Bitrise tokens[49]. TBD fill in. TBD more transactions on thief's wallet[50]. TBD more transactions on DiegoPapi6's wallet[51]. |
| July 31st, 2021 1:09:57 PM MDT | BitRise Liquidation Transaction | The very first unauthorized transaction is found on the blockchain, which is liquidating BitRise tokens for 5.533666193138193418 BNB[52]. |
| July 31st, 2021 1:10:31 PM MDT | LockLet Liquidation Transaction | A second transaction liquidates DiegoPapi6's Locklet tokens for 3.429139695919401803 BNB[53]. |
| July 31st, 2021 1:12:55 PM MDT | Theft Transfer Transaction | A blockchain transaction transfers 9.249016167190047758 BNB from DiegoPapi6's wallet to the attacker's wallet[54]. |
| July 31st, 2021 2:03:53 PM MDT | Wrong Subreddit Thread | DiegoPapi6 originally posts about their situation in the wrong BitRise subreddit[55][31]. |
| July 31st, 2021 2:14:42 PM MDT | Original Reddit Post | DiegoPapi6 posts on Reddit about their situation[56]. They include the attacker's wallet address[50][57]. TBD more review. |
| July 31st, 2021 4:46:55 PM MDT | No Idea How They Got In | DiegoPapi6 reports having no idea how they got into his wallet, and that he's "blessed financially"[58]. |
| July 31st, 2021 7:56:45 PM MDT | Reports Clicking Suspicious Link | DiegoPapi6 reports that his Trust Wallet was drained "over 9 BNB" after he "clicked on a link that was supposed to show me how much BNB Bitrise had sent me". He reports when he "started asking questions they kicked [him] out/Banned from Telegram"[59][60]. |
| July 31st, 2021 9:28:29 PM MDT | Original Reddit Post | Unknown event to find. |
| July 31st, 2021 10:33:22 PM MDT | Wrong Subreddit Post Deleted | The post on the wrong subreddit is removed[61]. |
| August 2nd, 2021 2:00:32 PM MDT | Safepal Hardware Wallet | DiegoPapi6 posts about security measures he's taking including switching phones and purchasing a SafePal hardware wallet[62]. |
| August 8th, 2021 3:24:32 PM MDT | Attacker Moves To New Wallet | The attacker moves all of their Ethereum funds from the reported wallet address to a new wallet address[63][64]. |
| September 4th, 2021 7:40:21 AM MDT | Attacker Moves To New Wallet | The attacker moves all of their Ethereum funds from the new wallet address to another wallet address[64][65][66]. |
| September 18th, 2021 11:22:00 AM MDT | Attacker Moves To New Wallet | The attacker moves all of their Ethereum funds from the other wallet address to yet another wallet address[66][67][68]. |
| November 30th, 2021 9:33:02 PM MST | Shiba Hacking Response | DiegoPapi6 responds to another user who was hacked with support and recounting valuable lessons he's learned in the process of his own loss[69]. |
| December 14th, 2021 2:47:32 PM MST | anonymizeme Reddit Response | DiegoPapi6 posts additional details on a Reddit thread by anonymizeme multiple months later[70]. |
| February 1st, 2022 5:38:11 PM MST | Attacker Splits Funds To Multiple Wallets | The attacker starts to split those funds among multiple wallets further[68][71]. |
Total Amount Lost
DiegoPapi6 has described their losses as both "$6800"[72] and "$7700"[69][70]. He mentioned the stolen assets were sold for either 9 BNB[73] or 14 BNB[70]. It would appear based on blockchain data that 14 BNB is what he paid for the assets[49], while the thief[50] was able to sell them for 9.249 BNB[54]. He has confirmed by private message that there was only a single theft, and we were also able to locate and confirm his blockchain wallet[51] and the specific theft transactions[52].
The closing market price of BNB on July 31st, 2021 was $333.55 USD[74]. Taking his numbers at face value, this would make the value of 14 BNB at that time $4,669.70. That would be an extremely high degree of slippage when liquidating his assets, although it may make sense given a token with less liquidity.
TBD historic price of BitRise token[60]. TBD more on his wallet?[51]
Immediate Reactions
DiegoPapi6 posted on Reddit with some high level details of what happened[56].
"I really didn't want to post this here today but I have exhausted all avenues and can't seem to get anywhere. I have the address to where the [individual] who sold two of my Tokens for BNB and then sent them off to his or her wallet.
My question is.., Is there anything I can do at this point? Or should I just move on, dust myself off and try again?
Anyone with knowledge or advice on what I can do please go ahead and shoot it straight. I can handle it"
One of the responses believed that he had bought a scam coin:
"You didn't get hacked and trust wallet is safe. You bought a scam coin that was a smart contract. You should always be careful when you sign a smart contract because it's literally a contract."
Ultimate Outcome
DiegoPapi6 later posted about the situation on Reddit in response to anonymizeme's similar theft situation[70].
"Been there done that... I completely feel your pain. I had $7700 siphoned out of my old TW which would have translated to over $200,000 in today's price in $BRISE which was sold back in June for 14 BNB.
Good luck in getting your funds back. It will be near impossible but good luck."
DiegoPapi6 has taken the following measures to improve his security since the incident:
- He purchased a SafePal hardware wallet to store his tokens[62].
- He never clicks on any email/link, even from a company he does business with[69].
- He switched from using an Android phone to an iOS phone (which could arguably be more secure due to standard hardware)[62].
- He also does not connect his phone to wifi (which is of questionable significance)[69].
I know the feeling... I too lost $7700 in BNB about 3 months ago and it happened while I was connected to my wifi at home. I never connect my phone to Wi-Fi...EVER. Learned a very expensive but valuable lesson. I also never click on just any email/link. Even if it says it's from paypal or any company I do business with.
DiegoPapi6 no longer uses TMobile; however, that is unrelated to this situation.
DiegoPapi6 posted that he feels that scammers in the cryptocurrency space should be regulated[75].
Way too many scammers- That definitely need to be regulated
He has continued to invest in the space[76], investing in Centcex[76][77] and making large gains from Shiba Inu. As of September 2021, he reported being the proud owner of a 535i MSport Beemer[78]. From follow up discussions with DiegoPapi6 on Reddit, it would appear that DiegoPapi6 has lost track of many details of his wallet and is not pursuing any further investigation.
It's been a while and I don't remember where I put this information. But no worries, I've made 50x that amount since then
Total Amount Recovered
Based on the final comment from DiegoPapi6[70], there do not appear to have been any funds recovered in this case. This was also confirmed by private message.
Ongoing Developments
There are no remaining developments likely in this case.
General Prevention Policies
Store most funds offline, double check all transactions.
Individual Prevention Policies
No specific policies for individual prevention have yet been identified in this case.
For the full list of how to protect your funds as an individual, check our Prevention Policies for Individuals guide.
Platform Prevention Policies
Policies for platforms to take to prevent this situation have not yet been selected in this case.
For the full list of how to protect your funds as a financial service, check our Prevention Policies for Platforms guide.
Regulatory Prevention Policies
No specific regulatory policies have yet been identified in this case.
For the full list of regulatory policies that can prevent loss, check our Prevention Policies for Regulators guide.
References
- [1] DiegoPapi6 - "GOD (The Creator of Heaven & Earth) works on all those who believe and trust in HIM." - Reddit (Mar 9, 2023)
- [2] DiegoPapi6 - "for us truckers" - Reddit (Mar 9, 2023)
- [3] DiegoPapi6 - "I have trucker friends with 30 plus years experience and I have broker/dispatcher friends with 14 plus years experience" - Reddit (Mar 9, 2023)
- [4] DiegoPapi6 - "“We” truckers are the life line to this whole economy" - Reddit (Mar 9, 2023)
- [5] DiegoPapi6 - "I bought a little over a Billion back in early June" - Reddit (Mar 16, 2023)
- [6] DiegoPapi6 - "Proud of my State" - Reddit (Mar 14, 2023)
- [7] DiegoPapi6 - "Straight from the Desert" "State.... AZ" - Reddit (Mar 16, 2023)
- [8] DiegoPapi6 - "It's my home State: ARIZONA" - Reddit (Mar 16, 2023)
- [9] DiegoPapi6 - "I'm already here in Dallas" - Reddit (Mar 9, 2023)
- [10] DiegoPapi6 - "In Laredo but honestly I've never had it that bad" - Reddit (Mar 9, 2023)
- [11] DiegoPapi6 - "I'm 43 y.o. and I know how the majority of people are." - Reddit (Mar 15, 2023)
- [12] DiegoPapi6 - "I have been with my wife for over 20 years" - Reddit (Mar 15, 2023)
- [13] DiegoPapi6 - "She is definitely the best friend I needed in my life" - Reddit (Mar 15, 2023)
- [14] DiegoPapi6 - "19y.o. son's name. Emillian" - Reddit (Mar 16, 2023)
- [15] DiegoPapi6 - "I even got my 19y.o. to invest" - Reddit (Mar 15, 2023)
- [16] DiegoPapi6 - "my 19 y.o. invested his 1,800 dollars" - Reddit (Mar 16, 2023)
- [17] DiegoPapi6's Profile - Reddit (Mar 15, 2023)
- [18] DiegoPapi6 - "I haven't used FB since the start of 2020" - Reddit (Mar 16, 2023)
- [19] DiegoPapi6 - "I'm on this game, on the daily." - Reddit (Mar 9, 2023)
- [20] DiegoPapi6 - "Same" "I am 100% Shib staked!" - Reddit (Mar 14, 2023)
- [21] DiegoPapi6 - "I first started with the community." - Reddit (Mar 15, 2023)
- [22] DiegoPapi6 - "I'm so glad I bought a billion SHIB when it was still affordable to buy!!!" - Reddit (Mar 16, 2023)
- [23] DiegoPapi6 - "I already own a SHIBAInu duffle bag" - Reddit (Mar 16, 2023)
- [24] DiegoPapi6 - "My 1 billion cost me $6300 back in June" - Reddit (Mar 16, 2023)
- [25] DiegoPapi6 - "I appreciate my ZINU homies" - Reddit (Mar 9, 2023)
- [26] DiegoPapi6 - "Basically ZINU will go from having 1,000T to 1B tokens." - Reddit (Mar 9, 2023)
- [27] DiegoPapi6 - "I been following ZINU since launch but did not jump in till recently" - Reddit (Mar 9, 2023)
- [28] DiegoPapi6 - "I will hodl my tokens." - Reddit (Mar 9, 2023)
- [29] DiegoPapi6 - "I currently hold 25K VET" - Reddit (Mar 16, 2023)
- [30] DiegoPapi6 - "Especially ETH, BTC, ADA and VET when most of these coins" - Reddit (Mar 16, 2023)
- [31] Original Post By DiegoPapi6 In The Wrong Subreddit (Mar 22, 2023)
- [32] DiegoPapi6 - "I have dog" - Reddit (Mar 15, 2023)
- [33] DiegoPapi6 - "After studying both Lunar and CoinMerge I've decided to go with CM." - Reddit (Mar 16, 2023)
- [34] DiegoPapi6 - "Bitrise...since the 1st message I sent about 5 hours ago." - Reddit (Mar 15, 2023)
- [35] DiegoPapi6 - "I ended up investing in WINK" - Reddit (Mar 14, 2023)
- [36] DiegoPapi6 - "So glad I pulled out about a month ago" - Reddit (Mar 15, 2023)
- [37] DiegoPapi6 - "Basically I do my DD and Research." - Reddit (Mar 15, 2023)
- [38] Best Cryptocurrency Wallet | Ethereum Wallet | ERC20 Wallet | Trust Wallet (Mar 9, 2023)
- [39] Trust Wallet - Golden.com Wiki (Mar 9, 2023)
- [40] Could Someone Guess Your Recovery Seed Phrase? - TrustWallet (Mar 9, 2023)
- [41] T-Mobile customers warned of unblockable SMS phishing attacks - BleepingComputer (Mar 14, 2023)
- [42] Government issues warning against unblockable phishing attacks on T-Mobile customers - Phone Arena (Mar 14, 2023)
- [43] How to Tell if Your Phone Has Been Hacked - Techlicious (Mar 14, 2023)
- [44] Android malware tries to trick you. Here's how to spot it - CNet (Mar 14, 2023)
- [45] Transaction Purchasing 120,497.324468532005704917 Locklet for 5.705739941367457907 WBNB - BSCScan (Apr 27, 2023)
- [46] Attacker First Sets Up Their BNB Wallet - BSCScan (Apr 27, 2023)
- [47] Attacker's Wallet First Ethereum Transaction (Apr 27, 2023)
- [48] Another Wallet Likely Owned by the Attacker - Etherscan (Apr 27, 2023)
- [49] DiegoPapi6 Transaction paying 14.453749256986768434 WBNB for 547,378,480,000 Bitrise Tokens - BSCScan (Apr 27, 2023)
- [50] Attacker's Wallet Address - Etherscan (Mar 5, 2023)
- [51] DiegoPapi6's BNB Wallet Transactions - BSCScan (Mar 14, 2023)
- [52] First Unauthorized Theft Swap - BSCScan (Mar 14, 2023)
- [53] Liquidation Of DiegoPapi6's Locklet Tokens - BSCScan (Mar 14, 2023)
- [54] Stolen 9.249 BNB Funds Transferred - BSCScan (Mar 14, 2023)
- [55] DiegoPapi6's Post On The Wrong BitRise SubReddit - Reddit (Mar 4, 2023)
- [56] DiegoPapi6 - "MY TRUST WALLET WAS JUST HACKED AND COMPLETELY DRAINED OF ALL MY BITRISE AND LOCKLET TOKENS" - Reddit (Mar 5, 2023)
- [57] Thief's Wallet Address on Binance - BscScan (Mar 5, 2023)
- [58] DiegoPapi6 - "thankfully I am blessed financially and it really doesn't affect me in a negative way...but I honestly have no idea how they got into my [TrustWallet]" - Reddit (Apr 27, 2023)
- [59] DiegoPapi6 - "My Trust Wallet was drained over 9 BNB after I clicked on a link that was supposed to show me how much BNB Bitrise had sent me. This happened on their Telegram" - Reddit (Mar 4, 2023)
- [60] BitRise Token Historic Price - CoinMarketCap (Mar 5, 2023)
- [61] DiegoPapi6 - "I just deleted the post..." - Reddit (Mar 22, 2023)
- [62] DiegoPapi6 - "I have decided to get a SafePal for all my BEP20 coins." - Reddit (Mar 4, 2023)
- [63] Attacker Switches To A New Wallet - Etherscan (Apr 27, 2023)
- [64] Another Wallet Owned By The Attacker - Etherscan (Apr 27, 2023)
- [65] Transaction Shifting Funds Further - Etherscan (Apr 27, 2023)
- [66] Attacker's Wallet In September - Etherscan (Apr 27, 2023)
- [67] Transfer To A New Wallet - Etherscan (Apr 27, 2023)
- [68] Attacker's Wallet Until February 2022 - Etherscan (Apr 27, 2023)
- [69] DiegoPapi6 - "Learned a very expensive but valuable lesson." - Reddit (Mar 15, 2023)
- [70] DiegoPapi6's Response To anonymizeme's Theft Case - Reddit (Mar 5, 2023)
- [71] One Transaction Switching Funds To New Wallet - Etherscan (Apr 27, 2023)
- [72] DiegoPapi6 - "it was $6800 at time of investment" - Reddit (Mar 22, 2023)
- [73] DiegoPapi6 - "this person went in....sold my 2 biggest bags. BITRISE and LOCKLET....and then transferred over 9BNB to this wallet" - Reddit (Mar 22, 2023)
- [74] BNB Historic Price - CoinMarketCap (Mar 5, 2023)
- [75] DiegoPapi6 - "Way too many scammers- That definitely need to be regulated" - Reddit (Mar 4, 2023)
- [76] DiegoPapi6 - "I'm definitely one of those excited about the market right now because of my early buys into $BRISE and Now I also hold $CENX." - Reddit (Mar 4, 2023)
- [77] Centcex price today, CENX to USD live, marketcap and chart | CoinMarketCap (Mar 21, 2023)
- [78] DiegoPapi6 - "I'm a proud owner of 535i MSport Beemer" - Reddit (Mar 16, 2023)