Blockchain & Cryptocurrency , Cryptocurrency Fraud , Fraud Management & Cybercrime

Scammers Get Scammed, Crypto Worth Thousands Stolen

'Water Labbu' Drained at Least $316K From 9 Scammers
Scammers Get Scammed, Crypto Worth Thousands Stolen

The best way to steal money is by piggybacking onto other thieves - that is the apparent motto of a cryptocurrency threat actor who drained hundreds of thousands of dollars' worth of digital assets destined for scammers.

See Also: OnDemand | NSM-8 Deadline July 2022:Keys for Quantum-Resistant Algorithms Implementation

Analysts from Trend Micro dub the thief robber "Water Labbu" and peg its takings as 316,728 USDT filched from nine scammers so far. USDT is a stablecoin whose value is pegged to the U.S. dollar.

Water Labbu targets fraudulent decentralized applications created by scammers who entice victims into investing in a cryptocurrency mining scheme. Websites of the fraudulent decentralized application, to which victims connect their digital wallets, are infested with malicious scripts that allow Water Labbu access to the wallets. The threat actor does not appear to have added any new victims since August. The group, Trend Micro researches tell Information Security Media Group, "appear to be preparing for next campaign."

This isn't the first instance of a threat actors infecting other threat actors, but it is "pretty rare" to see an example of a thief piggybacking on another thief in this space, Trend Micro says. The group likely comprises Chinese-speaking individuals and has been active since at least 2019, the company says.

At least 45 fraudulent, cryptocurrency-related DApp websites promising risk-free income through liquidity mining contain Water Labbu code, Trend Micro says. The threat actor injects malicious JavaScript that, in turn, loads another script that delivers different content based on the victim's IP address and browser type.

The similarity in the themes of the fraudulent DApp websites Water Labbu targets likely means the scammers use the same toolkits to run these platforms.

If the victim loads the script from a desktop running Windows, Water Labbu returns another script showing a fake Flash update message asking the victim to download a malicious executable file. If the victim is using a mobile device, Water Labbu delivers a script that connects to the victim's wallet, provided that the victim has already connected their wallet to the liquidity marketing scam site.

Should the victim wallet contains more than .005 Ethereum cryptocurrency and more than 22,000 USDT tokens, Water Labbu returns an additional script that displays a pop-up window asking for permission to complete transactions. Any time the victim approves the request, money disappears from the connected wallet.

Water Labbu primarily uses two addresses to seek permissions and transfer the victims' cryptocurrency assets, Trend Micro says. It uses 0xd6ed30a5ecdeaca58f9abf8a0d76e193e1b7818a to receive token approvals from victims, drains the funds via 0xfece995f99549011a88bbb8980bbedd8fada5a35 and sends the money to 0x3e9f1d6e244d773360dce4ca88ab3c054f502d51. It then obfuscates the flow of funds by further transferring the money to multiple other crypto wallets, swapping them for other tokens on the Uniswap cryptocurrency exchange and depositing them in the Department of Treasury-sanctioned mixer Tornado Cash.

The threat actor implements a mechanism to avoid loading a script multiple times from the same IP address over a short period of time - mostly hours, Trend Micro says.

The fraudulent DApps Water Labbu uses to scam other threat actors, they say, include,,,,,,,,,,,,,, and

Update Oct. 5, 2022 18:37 UTC: Adds detail throughout from information supplied by Trend Micro.

About the Author

Rashmi Ramesh

Rashmi Ramesh

Assistant Editor, Global News Desk, ISMG

Ramesh has seven years of experience writing and editing stories on finance, enterprise and consumer technology, and diversity and inclusion. She has previously worked at formerly News Corp-owned TechCircle, business daily The Economic Times and The New Indian Express.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.