Last February, unsuspecting users lost about $1.6 million to a fake cryptocurrency wallet that got through Apple’s rigorous app review process. The Magazine tracks clues on the blockchain to find out who’s behind the fake wallet.
A fraudulent app posing as DeBank’s Rabby Wallet remained on the App Store for four days and siphoned funds from several victims before Apple removed it.
“I never once thought it was a scam because I completely trusted the Apple App Store. After about 20-30 minutes, I opened my Rabby laptop wallet and saw that my balance was effectively zero,” a fake Rabby wallet victim told the Magazine.
One of the first victims to highlight the scam was X user Bthemouth, who claimed that his funds were transferred to the Rabby Drainer (RD) wallet “0x652…0371F.”
Blockchain analysis links the RD wallet to “0x44Bd…9E480”, initially labeled as “Konpyl” on NFT marketplace OpenSea. Although the account name has since changed, you can still see the original label on Arkham Intelligence, a blockchain data platform that tracks OpenSea accounts and more.
A private investigator, who the magazine confirmed was cooperating with authorities on the case, claims his investigation connects “Konpyl” to a larger web of at least 20 cases, of which the magazine has independently confirmed links to seven.
The common denominator among this mountain of scams is Konpyl addresses.
“He’s been doing this for about seven years (and) he’s going after users who have dedicated their lives to this, not the big protocols,” the investigator told the Magazine.
Investigators shared with the magazine images of know-your-customer (KYC) records purportedly submitted to numerous clearinghouses from addresses linked to the scam.
The documents seen by the Magazine are linked to “Konstantin Pylinskiy”, CEO of Moonward Capital, a Dubai-based investment firm, who uses the X and Telegram handle “@konpyl”. However, multiple fake KYC credentials and aliases were also used to open the accounts, so the Magazine does not suggest that Pylinskiy is Konpyl, only that his name is linked to the accounts.
Initially, Konpyl greeted Magazine on Telegram: “How can I help you?” However, when asked to clarify the link between Konstantin Pylinskiy, the Konpyl online persona, and the Rabby wallet scam, he stopped responding.
The Magazine attempted to contact Pylinskiy through alternative channels, but he did not respond.
Moonward Capital also did not respond to the Magazine’s request to comment for this story.
Magazine confirmed with U.S. government agencies that the ongoing investigation is linked to the Konpyl address.
Recent inbound transactions to the Konpyl wallet came from addresses labeled “Fake_Phishing” on Etherscan. Interactions with Konpyl are only outbound transactions.
Fake Rabby Wallet-Konpyl connection
“He had a drain bot on my account,” Bthemouth told the magazine, referring to an automated script designed to drain funds. “It’s still active months later.”
The Rabby Drainer attackers take several steps to cover their tracks, including dividing the proceeds of their crimes into multiple wallets, using DeFi services to obscure evidence, and blending into the crowd.
Fraudsters then often consolidate large amounts of funds into subsequent wallets and deposit them on centralized exchanges. Even after these obfuscation efforts, there is a connection between RD and Konpyl.
Bthemouth’s drained funds went into Rhino, a multichain bridge frequently used by the Rabby wallet fraudsters. The fraudster deposited tokens into Rhino and then withdrew them through another wallet.
Between February 15th and 18th, RD claimed more victims, with most of the proceeds made up of ERC-20 tokens. On February 19, these tokens were converted to 52 ETH (about $151,000 at the time) using DeFi services such as Uniswap and 1inch.
Later that day the funds were moved to wallet “0xCE6A…b2Ac5”, and approximately $173,000 of Ether was transferred to Rhino along with funds from Bthemouth and an additional 7 ETH.
On-chain detectives Tay and SomaXBT identified wallet “0x4E93…c71C2” as the recipient of the Rhino output. In three transactions, it received $173,388 in USDT, with the first batch arriving about 10 minutes after the initial deposit.
Blockchain records show that the same Rhino output wallet received nearly $100,000 from Konpyl in transactions over a six-month period from February to July.
These funds eventually find their way to OKX.
Scammers appear to use multiple exchanges and typically use more than one deposit address per exchange.
When analyzing wallets suspected of being involved in a hack, the first inbound transaction often leaves important clues about associated wallets. Sometimes it can even show who financed the gas costs for the wallet.
However, this is not a characteristic of Konpyl-related scams.
“(Konpyl) funds these accounts from the victims’ wallets,” says the private investigator.
“He will take money from other hacks to fund his hacker wallet, so you have no idea who he is.”
Rabby Wallet Drain Total Damage
At least 10 addresses have been identified according to public victim reports, including RD, where victims lost an estimated $152,257. This address caused more than $1 million in losses after users downloaded a fake Rabby wallet from the App Store in February.
The February incident isn’t the first time fake Rabby wallets have appeared on the App Store. Another iteration of the scam used at least two wallets linked to Konpyl to extract about $93,000 from victims in late 2023.
Magazine has confirmed that the old Rabby wallet scam is linked to Konpyl and that the funds trail points to the same Rhino output address used in Bthemouth’s case.
A private investigator told the magazine that $278,872 was taken from three other suspicious wallets suspected of being linked to the Rabby wallet scheme. However, this incident was not publicly reported by the victims.
The Magazine also knows of at least three wallets that were not part of the Rabby fake wallet scheme but had funds stolen using other tactics, such as phishing links shared on social media. These three wallets also show a connection to the Rabby wallet scammers and to Konpyl by using a common OKX deposit address and transferring funds to the Rhino output wallet.
A total of $93,261 was taken from victims, bringing the estimated losses related to the Rabby fake wallet incident to at least $1.6 million.
Other Scams Related to Fake Rabby Wallet
Blockchain records confirmed by the private investigator show that the 2024 Rabby wallet scam is not the first illicit activity with strong on-chain connections to Konpyl addresses.
For example, a victim report on Reddit states that the user’s funds were drained by the “0x0000…4e9Aba” wallet (known as LS1 in the Ledger Scam). A closer look at LS1 shows that it has a similar deposit strategy to the one used in the 2024 Rabby fake wallet scheme.
In 2020, LS1 moved funds to the cryptocurrency exchange Yobit using the deposit address “0x05a8…a21e6” (YB1).
LS1 frequently interacts with “0x1111…858eB” (LS2), exchanging more than $51,000 worth of cryptocurrency with each other in 14 transactions over the course of a year starting in April 2020.
It appears that both wallets use different deposit addresses on Yobit, as LS2 prefers “0x7e17…873cE” (YB2).
YB2 was regularly used to move funds from Konpyl to Yobit at the time. Konpyl sent over $41,000 of ETH in 23 transactions between September 2020 and February 2021.
YB1 and YB2 are further connected through “0xBd7D…A2DB7”. This wallet recorded a 2.4-ETH transaction to YB1 and used the second deposit address five times for $196,000 in ETH.
This wallet also has two direct transactions for 6 ETH from Konpyl.
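The first-inbound-funder check and the shared-deposit-address linkage described above, sketched as an added example (not the Magazine's or the investigators' tooling). All wallet labels and transfers are constructed, and the deposit addresses are assumed to be per-customer exchange deposit addresses, not shared hot wallets.

```python
from collections import defaultdict

# Constructed sample transfers: (unix_time, sender, receiver, eth). Labels are illustrative.
TRANSFERS = [
    (1000, "victim_1", "drainer_a", 2.0),    # drainer's first inbound comes from a victim
    (1010, "drainer_a", "deposit_x", 1.9),
    (1020, "victim_2", "drainer_b", 5.0),
    (1030, "drainer_b", "deposit_y", 4.8),
    (1040, "link_wallet", "deposit_x", 2.4), # one wallet paying into both deposit addresses
    (1050, "link_wallet", "deposit_y", 6.0),
    (1060, "hub_wallet", "deposit_y", 3.0),
    (1070, "bystander", "deposit_z", 1.0),   # unrelated depositor
]
DEPOSITS = {"deposit_x", "deposit_y", "deposit_z"}
KNOWN_VICTIMS = {"victim_1", "victim_2"}

def first_funder(transfers, wallet):
    """Sender of the earliest inbound transfer, and whether that sender is a reported victim."""
    inbound = sorted(t for t in transfers if t[2] == wallet)
    if not inbound:
        return None, False
    sender = inbound[0][1]
    # A victim as first funder means the usual "who paid the gas" clue is a dead end.
    return sender, sender in KNOWN_VICTIMS

def clusters_by_shared_deposit(transfers, deposits):
    """Group senders linked, directly or transitively, by common deposit addresses."""
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path compression
            x = parent[x]
        return x

    for _, sender, receiver, _ in transfers:
        if receiver in deposits:
            parent[find(sender)] = find(receiver)
    groups = defaultdict(set)
    for node in list(parent):
        if node not in deposits:
            groups[find(node)].add(node)
    return sorted(sorted(g) for g in groups.values())

if __name__ == "__main__":
    print(first_funder(TRANSFERS, "drainer_a"))
    print(clusters_by_shared_deposit(TRANSFERS, DEPOSITS))
```

A shared deposit address is a lead to be corroborated with other evidence, since the clustering is only as reliable as the assumption that each deposit address belongs to a single exchange account.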
Investigation into fake Rabby Wallet and other scams continues
“One of my goals is to get Apple to go after fraudsters on the App Store without panicking. We reported it to Apple several months ago but never heard back,” the investigator told the Magazine.
Rival tech giant Google set a precedent for responding to such fraud schemes earlier this year when it sued a group of cryptocurrency fraudsters for allegedly defrauding more than 100,000 people by uploading questionable apps to its marketplace, Google Play.
Bthemouth said he had given up on recovery efforts and had already done “everything” he could.
Initially, victims’ groups were formed, but now “everyone is living their own lives.”
“It’s a dead end,” says Bthemouth.
But there is still hope for the victims.
The investigation by law enforcement and private blockchain detectives is ongoing, and Konpyl and its associated wallets remain at the center of suspicion.
Yoon Yohan
Yohan Yoon is a multimedia journalist covering blockchain since 2017. He has contributed as an editor to Forkast, a cryptocurrency media outlet, and has covered Asian technology stories as an assistant reporter for Bloomberg BNA and Forbes. He spends his free time cooking and experimenting with new recipes.