Investigating the Azuki Fake Land Drop Scam

https://www.linkedin.com/pulse/investigating-azuki-fake-land-drop-scam-tara-annison

Last June I wrote a report titled “The Future of Financial Crime in the Metaverse” (https://www.elliptic.co/resources/crime-in-the-metaverse), where I outlined the key components of a virtual world and delved into the financial crimes currently playing out. I also predicted some future criminal typologies which could start to emerge as more criminals pivot their tactics and attention to the metaverse space.

One typology I predicted was Fake Land Expansions/Drops, and at the end of January an example of this new typology saw over $750,000 worth of crypto assets stolen.

What is a Fake Land Expansion/Drop?

The majority of metaverses have a limited land supply in order to help hold land value and create a more exclusive community/ownership model. For Decentraland, this is 90,601 plots of land, with some reserved for community-owned spaces; The Sandbox has 166,464 pieces of land; and Yuga Labs’ Otherside metaverse has 100,000 Otherdeeds land parcels.

However, as some of the main metaverses fill up and secondary land sales become more expensive due to scarcity, we may see nefarious actors look to launch fake land expansions of new areas in these principal worlds or efforts to try to deceive users into buying fake versions of prominent metaverse land launches.


The Azuki Fake Metaverse Drop

The gold-ticked Azuki Twitter account was taken over on February 24th and posted a “surprise land mint”. This looked to build off the hype from the project’s January announcement of their new metaverse, Hilumia. However, the link in the tweet sent users to a fake Hilumia launch website which, when interacted with, requested that they sign a transaction in order to mint the free land. If you’ve been in crypto for any length of time, there are a few red flags here already:

🚩 A surprise announcement on Twitter that is not corroborated on any other project channel (e.g. Telegram, Discord, Lens, mod Twitter accounts) could signal something is amiss, especially as there’s a heap of examples from the recent past of project Twitter accounts and even their gated Discord servers being compromised. Don’t let FOMO get the better of you!

🚩 Always check the domain name of any project links and ensure they’re the official ones. The scammer was sending users to akuzi.ws, but the official project website is akuzi.com.

🚩 Very few things in life, or crypto, are free. A land drop which is free for anyone certainly bucks the trend of the majority of metaverse projects to date. Often land will be given to certain token holders first or for free, but a metaverse that offers free land for everyone is leaving some $$$ on the table, and with the crypto winter still in full swing this should have been a warning sign for would-be minters.

The transaction that users were being prompted to sign was a drainer attack – so anyone who signed saw the crypto assets in their account sent to the attacker!
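The drainer prompt above works only if the victim signs something that hands control of their assets to an attacker-controlled address. As an added example (not from the original article), the Python below decodes the calldata a dApp asks a wallet to submit and flags the patterns that matter: unlimited ERC-20 `approve`, ERC-721/1155 `setApprovalForAll`, and direct transfers. The function selectors are the standard ones; the attacker address and sample calldata are constructed for the demo, and the trusted-spender set is a placeholder the reader would fill with a project's real contract addresses.

```python
MAX_UINT256 = (1 << 256) - 1

# Standard 4-byte selectors (first 4 bytes of keccak256 of the signature)
SELECTORS = {
    "095ea7b3": "approve(address,uint256)",          # ERC-20 / ERC-721
    "a22cb465": "setApprovalForAll(address,bool)",   # ERC-721 / ERC-1155
    "a9059cbb": "transfer(address,uint256)",
    "23b872dd": "transferFrom(address,address,uint256)",
}

def decode_call(calldata_hex):
    """Split calldata into (function signature or None, list of 32-byte words as ints)."""
    data = bytes.fromhex(calldata_hex.removeprefix("0x"))
    sig = SELECTORS.get(data[:4].hex())
    words = [int.from_bytes(data[i:i + 32], "big") for i in range(4, len(data), 32)]
    return sig, words

def assess(calldata_hex, trusted_spenders):
    """Return human-readable warnings for a transaction request; empty list means nothing flagged."""
    sig, args = decode_call(calldata_hex)
    if sig is None:
        return ["unknown function selector; inspect manually before signing"]
    name = sig.split("(")[0]
    warnings = []
    if name in ("approve", "setApprovalForAll"):
        spender = f"0x{args[0]:040x}"            # address is right-aligned in a 32-byte word
        if spender not in trusted_spenders:
            warnings.append(f"{name} grants an untrusted address {spender}")
        if name == "approve" and args[1] == MAX_UINT256:
            warnings.append("unlimited token allowance (max uint256)")
        if name == "setApprovalForAll" and args[1] == 1:
            warnings.append("operator approval over ALL tokens in this collection")
    elif name in ("transfer", "transferFrom"):
        warnings.append(f"{name} moves assets out of the wallet in this call")
    return warnings

def encode_call(selector_hex, *args):
    """Constructed helper: ABI-encode static args as 32-byte words (demo only)."""
    return "0x" + selector_hex + "".join(f"{a:064x}" for a in args)

# Constructed sample: a "free mint" page asking for setApprovalForAll(attacker, true)
ATTACKER = int("bad" + "0" * 34 + "bad", 16)    # placeholder address, not a real one
SAMPLE_APPROVE_ALL = encode_call("a22cb465", ATTACKER, 1)
SAMPLE_UNLIMITED = encode_call("095ea7b3", ATTACKER, MAX_UINT256)

if __name__ == "__main__":
    for sample in (SAMPLE_APPROVE_ALL, SAMPLE_UNLIMITED):
        for warning in assess(sample, trusted_spenders=set()):
            print("WARNING:", warning)
```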

What Was Stolen?

Within ~2 hours of the scam tweet being posted, 0.2 WETH, 751,321.805231 USDC and 24,044,724.17807868 STARL tokens had been pilfered by the attacker. That’s $751,539.57 in scam revenue in just 2 hours!

However, that wasn’t all: the attacker was also draining NFTs from the compromised accounts. In total 18 NFTs, including 5 Pixelmon, were stolen.


So what happened to these assets?

Following the Fungible Money

The account still has (as of 13/02/23) a balance of $36.12 in ETH and has not yet moved the WETH or STARL. Looking at the accounts the STARL and WETH originated from, both appear to be victim accounts: they have a host of activity stretching back a significant amount of time, no obvious pre-attack links to the attacker, and activity consistent with DeFi users. The USDC sending account has very notable activity, with in/outflows of c.$44m, but has only been active since October 2022. There is various NFT trading activity and lots of ERC20 activity, possibly indicating that this is either a highly capitalised individual or a market-making entity who was looping to ape into the land buying opportunity.

The USDC was moved on by the attacker in one transaction to another account, A, which has a total incoming value of $1,501,876.73. This value is driven by another substantial inflow of $745,184.69 from Uniswap – indicating that the hacker is likely linked to another notable scam. 

The $1.5m of USDC is then split up into various paths with almost $500,000 being sent to Tornado Cash and over $750,000 ending up in Uniswap. There are also other obfuscating attempts with several paths leading to coin swap services, crypto exchanges and gambling services. 

What’s perhaps a minor detail within the broader picture here, but worth noting nonetheless, is that since the attacker has sent funds through Tornado Cash, they are guilty not only of the theft of digital assets but also of a sanctions violation, since Tornado Cash is now designated by OFAC as sanctioned code.

The quick movement into Uniswap is likely also explained by the risk to the attacker of Circle, the issuer of USDC, blacklisting their account due to the nexus with illicit activity. There are plenty of examples of Tether and Circle blacklisting (essentially freezing) accounts linked to thefts and attacks, and so, in order to avoid this, the attacker seems to have very quickly moved their funds into Uniswap, where they become mingled with legitimate USDC and therefore are non-confiscatable.

Another hacker linked account, B, is highly connected with the accounts used to move funds through to Uniswap and Tornado Cash and has seen $158k of cryptoassets flow through.

When looking at the top 3 direct counterparties for this account:

  • $96k is sent into a consolidation account, with a total inflow of $131k, and so far no outflow
  • $5.8k is sent via an intermediary account to Stake Casino
  • $9.8k is sent to Uniswap

However when the other small outflows are mapped, we can see that ~$11k of funds eventually end up with Stake Casino, and there are a few hundred dollars sent to other casinos. 
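The tracing in this section and the one before it (the $1.5m at account A, of which only half is the victims' USDC, split between Tornado Cash, Uniswap and account B) is what an investigator does by hand with a graph tool. As an added illustration, not part of the original investigation, the Python below implements the proportional (“haircut”) tracing rule: each outgoing transfer carries the sender's current tainted/total balance ratio. The transfer list is constructed with round numbers in the shape of the flows described above, not real on-chain data, and the `other_scam` node stands in for the second inflow the article attributes to Uniswap.

```python
from collections import defaultdict

# Constructed, chronologically ordered transfers (from, to, USD value); not real on-chain data
TRANSFERS = [
    ("victim",       "drainer",       750_000),
    ("other_scam",   "account_A",     750_000),   # second inflow of unrelated origin
    ("drainer",      "account_A",     750_000),
    ("account_A",    "hop_1",         500_000),
    ("hop_1",        "tornado_cash",  500_000),
    ("account_A",    "hop_2",         750_000),
    ("hop_2",        "uniswap",       750_000),
    ("account_A",    "account_B",     158_000),
    ("account_B",    "consolidation",  96_000),
    ("account_B",    "intermediary",    5_800),
    ("intermediary", "stake_casino",    5_800),
    ("account_B",    "uniswap",         9_800),
]
SERVICES = {"tornado_cash", "uniswap", "stake_casino"}

def haircut_trace(transfers, origins, services):
    """Proportional taint tracing.

    origins maps exogenous source accounts to the taint fraction of what they
    send (1.0 = stolen, 0.0 = treated as clean for this trace). Returns
    (tainted USD that reached each service, tainted USD parked at other accounts).
    """
    tainted, clean = defaultdict(float), defaultdict(float)
    for src, dst, amt in transfers:
        if src in origins:                         # origin: no balance to debit
            t = amt * origins[src]
        else:
            total = tainted[src] + clean[src]
            if amt > total + 1e-9:
                raise ValueError(f"{src} sends {amt} but only holds {total}")
            t = amt * (tainted[src] / total) if total else 0.0
            tainted[src] -= t                      # haircut: debit both buckets pro rata
            clean[src] -= amt - t
        tainted[dst] += t
        clean[dst] += amt - t
    reached = {s: round(tainted[s], 2) for s in services if tainted[s] > 0.005}
    parked = {a: round(v, 2) for a, v in tainted.items()
              if a not in services and v > 0.005}
    return reached, parked

if __name__ == "__main__":
    reached, parked = haircut_trace(TRANSFERS, {"victim": 1.0, "other_scam": 0.0}, SERVICES)
    print("stolen value reaching services:", reached)
    print("stolen value still parked:", parked)
```

Re-running with `{"victim": 1.0, "other_scam": 1.0}` shows the attribution if the second inflow is later confirmed as scam proceeds too.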

Interestingly, there appear to be some direct transfers from a hacker-linked account to The Sandbox Instagram hacker who, back in Sept 2022, managed to compromise the official The Sandbox Instagram page to promote a fake raffle: https://twitter.com/zachxbt/status/1567712868275027968

Could this be the same attacker?! There are certainly a few markers which point to this being either a practice run for them or potentially it’s an indication of their MO. Could this therefore be linked to the $745k coming from Uniswap which looks to be from another scam?

However, that’s just the fungibles; the attacker also stole over $30,000 worth of NFTs, so let’s explore what’s been done with them so far.

Following the Non-Fungible Money

14 of the 18 NFTs were quickly moved to account A, and then the attacker looked to liquidate them as fast as possible through the NFT marketplace X2Y2, which aptly carried the tag line “Best place to liquify your illiquidity”.

Through this decentralised marketplace the attacker managed to sell 12 of these NFTs for a combined value of $4,747.86: not a bad profit, but hardly in the realms of the mega bucks. The Beanz NFT was moved to SudoSwap, where it remains for sale, and the We Are All Going To Die NFT was moved to another account which connects to the broader attacker activity, indicating that it’s been parked there for now.


Following previous NFT thefts we’ve seen marketplaces look to quickly blacklist them, and explorers like Etherscan move to label them as stolen/linked to illicit activity. As such, attackers often need to liquidate NFTs quickly and at below market value in order to convert these goods into fungible and more easily fiat off-ramped assets. In this case the attacker has sought to convert the NFTs into WETH/ETH, presumably to then deposit into an exchange with low or no KYC and withdraw as USD. This highlights the interconnectedness between crypto and fiat, and shows that cash (and specifically USD) is still king when it comes to criminal activity.

Therefore, from investigating the Azuki fake land drop we can see that the attacker has netted around $750k in USDC, which they look to have laundered through Tornado Cash and mixed through Uniswap (alongside the potential profits of another scheme), and then liquidated their pilfered NFTs for ~$5,000. In total it’s a sizable return for a few hours of activity.