Threat Actors Exploit Smart Contracts to Drain Over $900K from Crypto Wallets
SentinelLABS has exposed a sophisticated series of cryptocurrency scams in which threat actors distribute malicious smart contracts masquerading as automated trading bots, draining more than $900,000 USD from user wallets.
These scams leverage obfuscated Solidity code deployed on platforms like the Remix Solidity Compiler, targeting Ethereum-based ecosystems.
The campaigns, active since early 2024, employ aged YouTube accounts to disseminate instructional videos that guide victims through deploying the weaponized contracts.
These videos, often AI-generated with unnatural audio cadences and static visual elements, create a veneer of legitimacy by curating comment sections to suppress negative feedback and promote positive endorsements.
Cryptocurrency Scam Campaign
Actors manage these channels by posting unrelated content, such as cryptocurrency news playlists or pop culture compilations, to enhance account credibility and algorithmic ranking.
In one prominent case, a video by @Jazz_Braze amassed over 387,000 views and yielded the highest profits. It shows no evident AI artifacts, suggesting a blend of human and automated production methods to evade detection.
The distribution strategy involves linking to external sites hosting the malicious code, instructing users to fund the deployed contract with at least 0.5 ETH to cover gas fees and purported arbitrage operations.
Victims are lured with promises of passive income through Maximal Extractable Value (MEV) bots, which supposedly exploit price discrepancies across decentralized exchanges.
However, upon deployment and funding, the contract initializes functions like Start() or StartNative(), which deobfuscate the attacker’s Externally Owned Account (EOA) and route funds accordingly.
Even without explicit invocation, built-in failover mechanisms enable attackers to withdraw assets, ensuring high success rates.
Channels like @todd_tutorials and @SolidityTutorials exhibit AI hallmarks, including robotic narration and misaligned lip-sync, while curating overwhelmingly positive comments via YouTube’s moderation tools.

This manipulation, combined with unlisted videos shared via platforms like Telegram, amplifies reach and urgency, often framing the bots as limited-time free offerings.
Technical Analysis of Exploitation
At the core of these scams are Solidity smart contracts employing advanced obfuscation to conceal attacker-controlled EOAs, complicating static analysis and victim scrutiny.
Variations include XOR operations on 32-byte constants (e.g., DexRouter and factory) to derive addresses via expressions like address(uint160(uint256(a) ^ uint256(b))), string concatenation of address fragments, and conversion of large 256-bit decimals to uint160 types, effectively masking Ethereum addresses.
According to the report, a recurring EOA, 0x872528989c4D20349D0dB3Ca06751d83DC86D831, appears across multiple contracts using XOR, interfacing with declarations like DexInterface to compute router addresses and facilitate fund transfers.
Deployment sets dual owners: the victim’s wallet and the hidden attacker EOA, enabling seamless drainage post-funding.
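For reviewers triaging a "trading bot" contract before anyone funds it, the following added example (not code from SentinelLABS or the article) resolves two of the masking patterns described above, the XOR of two 32-byte constants and a large decimal cast to uint160, and checks the result against the EOAs in the IoC table. The sample contract, its constants, the regexes and the function names are constructed for illustration.

```python
import re

# Constructed sample, not the campaign's contract: constants and resulting
# addresses are placeholders built for this example.
SAMPLE = """
contract Bot {
    bytes32 DexRouter = 0x%s;
    bytes32 factory = 0x%s;
    function Start() public payable {
        address a = address(uint160(uint256(DexRouter) ^ uint256(factory)));
        address b = address(uint160(%d));
    }
}
""" % ("5a" * 12 + "b791f3dd350e684a" * 2 + "b791f3dd", "a5" * 32,
       int("deadbeef" * 5, 16))

# EOAs from the article's IoC table, lowercased for comparison.
KNOWN_EOAS = {a.lower() for a in (
    "0x872528989c4D20349D0dB3Ca06751d83DC86D831",
    "0x7359EA6AA3343b3238171e76F97e6aA3cDB8d696")}

# bytes32 <optional modifiers> NAME = 0x<64 hex digits>;
CONST = re.compile(r"bytes32\s+(?:\w+\s+)*?(\w+)\s*=\s*(0x[0-9a-fA-F]{64})\s*;")
# uint160(uint256(A) ^ uint256(B))
XOR = re.compile(r"uint160\(\s*uint256\((\w+)\)\s*\^\s*uint256\((\w+)\)\s*\)")
# uint160(<decimal literal of 20 or more digits>)
DEC = re.compile(r"uint160\(\s*(\d{20,})\s*\)")

def to_address(value):
    """Mimic address(uint160(x)): keep only the low 160 bits."""
    return "0x%040x" % (value & ((1 << 160) - 1))

def hidden_addresses(source):
    """Return (technique, expression, address, is_known_ioc) tuples."""
    consts = {name: int(val, 16) for name, val in CONST.findall(source)}
    hits = []
    for a, b in XOR.findall(source):
        if a in consts and b in consts:
            hits.append(("xor", f"{a} ^ {b}", to_address(consts[a] ^ consts[b])))
    for lit in DEC.findall(source):
        hits.append(("decimal", lit, to_address(int(lit))))
    return [h + (h[2] in KNOWN_EOAS,) for h in hits]

if __name__ == "__main__":
    for hit in hidden_addresses(SAMPLE):
        print(hit)
```

Any address recovered this way that is neither the deployer's wallet nor a documented router is a reason to stop before funding the contract; the string-concatenation variant is not handled here.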
Transaction analysis reveals varying efficacy: one EOA from @SolidityTutorials netted 4.19 ETH (~$15,000 USD), while @todd_tutorials yielded 7.59 ETH (~$28,000 USD).
The outlier, linked to @Jazz_Braze, amassed 244.9 ETH (~$902,000 USD), funneled to secondary addresses for laundering.
These operations underscore the risks in the Web3 space, where unverified code from social media can exploit blockchain immutability.
Crypto users must rigorously audit smart contracts, avoiding hasty deployments promoted via influencer content, as the proliferation of AI tools and purchasable aged accounts lowers barriers for adversaries.
These scams highlight the intersection of social engineering and technical deception in cryptocurrency, urging validation of inputs, outputs, and on-chain behaviors before engagement.
Indicators of Compromise
Type | Value | Note |
---|---|---|
Solidity SHA-1 | 2923cdf2caba3a92e0ea215d14343ce73e8f08a5 | JazzBraze contract |
Solidity SHA-1 | f0a34770f03428c8abc9e73df93263f10f8320b1 | SolidityTutorials contract |
URL | hxxps://codeshare[.]io/0bV94e | Jazz_Braze code host |
URL | hxxps://pastebin[.]com/raw/8Yar7QyU | ToddTutorials code host |
EOA | 0x872528989c4D20349D0dB3Ca06751d83DC86D831 | JazzBraze attacker address |
EOA | 0x7359EA6AA3343b3238171e76F97e6aA3cDB8d696 | SolidityTutorials attacker address |