Do not attempt to do what I have done here as there may be malicious software and other methods they can use to hack you! Do not click on any links as I have done, this was done in a controlled manner and environment, with a secure browser with no links to either Sandbox or any open wallets. Plus 20+ years of experience. I have removed URLs and other details, and details on how I traced it back, the comms app used, and how far I traced it. This is to stop anyone clicking on the links, attempting to duplicate this scam, and so I don't tip off the scammers, or show them how to improve on this and protect themselves better!
Result: I reported this to the owner of the Short URL and to Twitter. The Short URL company blocked this within 2 hours of my report which is a great result!
Update: Two Days After Raising This With Multiple Contact Points - The Web Site Is Offline. Great Result!
Ticket With Sandbox Closed Without Comment: Not So Good Result!
The commonality (which I will not mention) between the "Official Links" from Sandbox and this infrastructure and setup... disappointing.
It is hardly going to stop them, they can likely spin up a new one in minutes.
Update 16/09/2022
Summary
I submit a legit (hopefully) Sandbox competition entry on Twitter.
Shortly after, I get fake Twitter phishing responses and a notification from what appears (for all of a quarter of a second) to be the legit Sandbox, but it looked genuine enough.
Method (without providing too much detail)
Tweet -> Short URL -> Fake Development Website (Bad Clone of Real Site) -> Form Requesting Crypto Seed Phrase -> Form Using Scripted API Sending Seed Phrase (they would have got some interesting phrases from me) -> [REMOVED] -> Channel in Comms app.
I have identified the [REMOVED] and the channel being used. If I were to put in proper logging and monitoring, use some proper tools, and go through the code, I could likely investigate further. With assistance from the comms app, I could trace back even further. But the point here was to provide an example for educating users on scams, not to try to identify the perpetrators.
If anyone has been scammed by this and wants to take it further I can provide law enforcement details of the method and code used, the comms app, the [REMOVED] and the channel.
If anyone has lost money or been scammed by something similar, I am happy to help investigate for a small fee, or a small % of recovered funds (for funding the site, and towards educating children on security/privacy). Or I might even just do it from the goodness of my heart. Free if any children have been targeted. Also if you are really keen and with a small investment you will not get back (and neither will I benefit from it) we can do a bit more perhaps.
Getting anyone to take you seriously, or authorities to investigate, is near impossible, but with the information I can potentially provide (assuming the scam is still up and running) I can at least maybe give you something to work with.
The focus is on education right now but this was a useful case study. One of thousands...
A proper tutorial and more info is being worked on, and info on how to "more" securely install and verify software can be found elsewhere on the site.
The initial tweet is me entering the Sandbox competition.
After submitting the entry and tweet, I immediately get notifications which look legit for all of a quarter of a second... I'm getting slow.
I have won 50 SAND, yay to me!
I am so excited about my winnings that I click on the link from my browser which is connected to my wallet, try to claim my winnings, and enter my pass phrase. I then find my wallet emptied minutes later.
No not really, I'm not that stupid.
Most people are sensible enough they would already have walked away, but there are more clever things than this out there.
Also, you may click the initial link... but then you have doubts. This gives you a few ideas on how to check whether it's legit or not.
So I thought I'd take this a bit further and have a look.
Using a secure browser and environment not linked to my wallet I click the link (DO NOT DO THIS) which is a short URL (I have reported this URL and it has now been blocked).
Immediately I look at the certificate and the URL it links to.
It starts with wwv instead of www.
It is not the official Sandbox site.
It is a valid cert, but it's from a development company (who are legit), and it's obviously not what we are looking for here.
It is possible this is the sandbox devs, and they have mistakenly sent us a link to their dev site, but I seriously doubt that, and even if so, you wouldn't connect your wallet to it!
It just looks dodgy.
I then click on the link (DO NOT DO THIS), and at first glance it looks reasonably legit.
But they did a pretty poor job.
Dozens of things immediately jump out as wrong, or just badly implemented.
It is an old copy of the website.
The URL is wrong.
The certificate is wrong.
When you try to click on any link it asks you to connect your wallet, which is not needed for general browsing, and does not happen on the real website.
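The checks above (short URL hiding the destination, a near-miss hostname, a certificate that is valid but for someone else's domain) can be done by hand in the browser, but here they are as a small pre-click triage script. This is an added example, not code from the original post or from Sandbox; the official hostname, the shortener list and every hostname and certificate name in the sample are assumptions or constructed for illustration. Resolve a short URL with a HEAD request from a throwaway environment, never from a browser with a wallet attached.

```python
# Added example (not from the original post): the manual link checks the
# post describes, as a script. EXPECTED_HOST is an assumption; all sample
# hostnames and certificate names below are constructed.
from difflib import SequenceMatcher
from urllib.parse import urlparse

EXPECTED_HOST = "www.sandbox.game"  # assumption: put the official hostname here
# Constructed list of URL shorteners; a shortener hides the real destination.
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "is.gd", "cutt.ly"}


def registrable_domain(host):
    """Crude eTLD+1 (last two labels). Fine for .game/.com, wrong for co.uk."""
    return ".".join(host.lower().strip(".").split(".")[-2:])


def san_matches(host, san_names):
    """True if a certificate's subjectAltName entries cover host.
    A leading wildcard matches exactly one label, the way browsers do."""
    host = host.lower()
    for name in (n.lower() for n in san_names):
        if name == host:
            return True
        if name.startswith("*.") and "." in host and host.split(".", 1)[1] == name[2:]:
            return True
    return False


def lookalike_labels(host, expected=EXPECTED_HOST, threshold=0.6):
    """DNS labels that are close to, but not equal to, the expected site's
    labels, e.g. ('wwv', 'www'). Catches the typosquat the post spotted."""
    pairs = []
    for a in host.lower().split("."):
        for b in expected.lower().split("."):
            if a != b and SequenceMatcher(None, a, b).ratio() >= threshold:
                pairs.append((a, b))
    return pairs


def check_link(url, resolved_url=None, san_names=()):
    """Return the red flags for a link, in the order a reader would check them.

    resolved_url: where the short URL lands (resolve it from a throwaway
    environment). san_names: the names on the certificate the final site
    presented; pass the real SAN list from the certificate you inspected.
    """
    flags = []
    first_host = (urlparse(url).hostname or "").lower()
    if first_host in SHORTENERS:
        flags.append(f"short URL on {first_host}: destination hidden")
        if resolved_url is None:
            flags.append("destination not resolved, cannot judge the target")
            return flags
    final = urlparse(resolved_url or url)
    host = (final.hostname or "").lower()
    if final.scheme != "https":
        flags.append(f"not https: {final.scheme!r}")
    for a, b in lookalike_labels(host):
        flags.append(f"label {a!r} is a near miss for {b!r}")
    if registrable_domain(host) != registrable_domain(EXPECTED_HOST):
        flags.append(f"domain {registrable_domain(host)} is not {registrable_domain(EXPECTED_HOST)}")
    if san_names:
        if not san_matches(host, san_names):
            flags.append(f"certificate names {list(san_names)} do not cover {host}")
        elif registrable_domain(host) != registrable_domain(EXPECTED_HOST):
            # The padlock is green, but the cert belongs to someone else's domain.
            flags.append("certificate is valid, but for a domain that is not the expected site's")
    return flags


if __name__ == "__main__":
    # Constructed sample modelled on the post: tweet -> shortener -> "wwv" clone
    # served under a development company's (valid) wildcard certificate.
    for flag in check_link("https://bit.ly/xyz123",
                           "https://wwv.sandbox-game.example/claim",
                           ["*.sandbox-game.example"]):
        print("!", flag)
```

A clean result (no flags) only means the link points at the expected host with a matching certificate; it says nothing about whether the page then asks for a seed phrase, which no legitimate site does.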
OK, so let's submit a fake recovery phrase. In fact, let's submit a load of them, 100 times :-) If I'd lost any funds to them, I'd maybe do something a bit more clever (and malicious), script it, and spam them to hell. But this is not what we are here to do.
I won't elaborate, show details, or explain further, as knowledge can be misused, or used to make their setup better. I have traced them back as far as I can, but I have better things to work on right now, and enough to make my point.
Reported to Twitter and to the short URL supplier, and blocked. Twitter were less than impressive, but see below for the short URL supplier...
Blocked! Great result! Everyone currently targeted by this scam will now be safe if they do click on it. Hardly going to stop them, but a minor win and a great result.