Over the past year we’ve seen scammers become more creative with new methods to phish people in Web 3. In this investigation we’ll break down how two phishing scammers from France defrauded people out of NFTs worth millions of dollars, and the trail of breadcrumbs that left them exposed.
On December 13 2021, Twitter user Dilly Dilly was phished for Bored Ape Yacht Club (BAYC) #237 after clicking on a link shared by a verified member of the BAYC Discord and approving a transaction on a website that he was led to believe would produce an animated version of his BAYC. Unfortunately, Dilly Dilly fell victim to a phishing scam: once he approved the transaction, his BAYC was moved out of his wallet and into the hands of a scammer.
Tweet made by Dilly Dilly
The scammer proceeded to sell the BAYC on OpenSea for 47 ETH ($178k) that same day.
The same scammer also phished 2 MAYC and 1 Doodles from three additional victims.
On December 15 2021, the scammer made seven 10 ETH deposits and three 1 ETH deposits into Tornado from 0x935e5aa5b49bbab19350399b470a02260f6c935b.
On January 2nd 2022, Twitter user Tumolo was phished for BAYC #6166 after messaging the same scammer on Twitter and approving a transaction on a similarly fraudulent BAYC animator website.
The scammer made several other attempts to defraud multiple BAYC owners on Twitter using the same phishing website scam. Here are a few of the DMs people received.
Once Tumolo’s BAYC was transferred to the scammer, they immediately sold it for 74.5 WETH ($180k).
The scammer then proceeded to make seven 10 ETH deposits into Tornado Cash that same day.
Just between these five victims we’ve reached a total loss of $1.7m. While our breakdown identifies that the victims all fell prey to a similar phishing scam, we haven’t yet proven where the funds went or who was potentially behind it.
While the scammer did make an attempt to hide their breadcrumb trail by depositing the stolen funds into Tornado Cash, they were not careful about covering their tracks when it came to withdrawing the funds from Tornado, so let’s break it down:
Victim 1 — Dilly Dilly was scammed on December 13 2021 with seven 10 ETH deposits and three 1 ETH deposits made that same day into Tornado. On December 13 2021, seven 10 ETH withdrawals and three 1 ETH withdrawals were made from Tornado to mathys.eth.
Victim 2 — El Mono was scammed on January 5th 2022, and six 10 ETH deposits were made that same day into Tornado. On January 6 2022 six 10 ETH withdrawals were made from Tornado to mathys.eth.
Victim 3 — Tumolo was scammed on January 22 2022, and seven 10 ETH deposits were made that same day into Tornado. On January 24 2022, seven 10 ETH withdrawals were made from Tornado to mathys.eth.
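The matching used above (same count of same-denomination notes going in and coming out within a few days) can be written down as a small heuristic. This is an added example, not code from the original investigation; the events, wallet labels and the `gap`, `window` and `min_size` thresholds are constructed assumptions, not on-chain data.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

def ev(day, hour, addr, eth, n):
    """n same-denomination events for addr, one minute apart (constructed data)."""
    t0 = datetime(2022, 1, day, hour)
    return [(t0 + timedelta(minutes=i), addr, eth) for i in range(n)]

# Constructed sample; addresses are placeholder labels, not real wallets.
DEPOSITS = (ev(5, 10, "scam_wallet_A", 10, 6) + ev(22, 9, "scam_wallet_B", 10, 7)
            + ev(22, 11, "unrelated_user", 10, 1))
WITHDRAWALS = (ev(6, 14, "recipient_X", 10, 6) + ev(24, 8, "recipient_X", 10, 7)
               + ev(23, 3, "recipient_Y", 10, 1) + ev(23, 5, "recipient_Z", 1, 2))

def bursts(events, gap=timedelta(hours=12)):
    """Split each address's events into bursts separated by more than `gap`."""
    by_addr = defaultdict(list)
    for t, addr, eth in sorted(events):
        by_addr[addr].append((t, eth))
    out = []
    for addr, items in by_addr.items():
        cur = [items[0]]
        for item in items[1:]:
            if item[0] - cur[-1][0] > gap:
                out.append((addr, cur))
                cur = []
            cur.append(item)
        out.append((addr, cur))
    return out

def link_bursts(deposits, withdrawals, window=timedelta(days=3), min_size=3):
    """Pair deposit bursts with later withdrawal bursts of identical denomination mix."""
    links = []
    for d_addr, d in bursts(deposits):
        d_mix = Counter(eth for _, eth in d)
        if sum(d_mix.values()) < min_size:
            continue  # one lone note matches too many withdrawals to mean anything
        for w_addr, w in bursts(withdrawals):
            delay = w[0][0] - d[-1][0]  # first withdrawal minus last deposit
            if Counter(eth for _, eth in w) == d_mix and timedelta(0) <= delay <= window:
                links.append((d_addr, w_addr, dict(d_mix), delay))
    return links

if __name__ == "__main__":
    for link in link_bursts(DEPOSITS, WITHDRAWALS):
        print(link)
```

A match from this heuristic is a lead, not proof: it gains weight only when several independent bursts resolve to the same recipient, as they do here.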
mathys.eth then sent the funds ($1.09m) to Kraken, Bitpanda, and SideShift.
After one of the first victims got scammed, we reached out to ‘exyt’ on Instagram and were able to uncover they were likely French.
In March 2022 after BlackAppleArt was phished, we checked the source code for the BAYC animator phishing website and found the handle “mtscam”, which led us to Telegram user mtscam and this profile picture.
This ultimately led me to the Twitter account ‘mtsgtb’ and Instagram account ‘wef’ ‘mthsl’
Screenshot taken in May 2022
Notice the gold ring and necklace match those seen in the Telegram profile picture. Even more damning, we uncovered multiple Tweets made by Mathys, in which he broadcasts selling crypto for cash in Paris, presumably with the stolen funds.
Paying with XMR for hotel
Mathys flexing 100 ETH from Tornado pt 1
Mathys flexing 100 ETH from Tornado pt 2
Mathys clearly hasn’t acted alone, so who else is involved? We took a look at a friend of Mathys named Camille (Cam), who posts as ‘rxtkv’ on Twitter.
Here’s a photo of Mathys and Camille together that was posted to Twitter (it has since been deleted).
The address that owns the NFTs Cam boasted about on Twitter just so happens to have been funded by the same address that was used for multiple phishing scams. Cam’s address also sent 12 ETH to the same address used to scam BlackAppleArt and Jason Stone.
The ‘mtscam’ Telegram username starts to make sense as a combination of the two names, Mathys and Camille.
On Twitter, Mathys and Camille reply to each other frequently, although both often delete their tweets.
While this covers just a few examples of stolen BAYC NFTs, there are others who have had their NFTs stolen by these same two individuals. If we revisit the Kraken deposit address, directly linked to it are four more addresses with 497 ETH+ ($851k) worth of crypto assets sitting in them. I suspect these funds are the result of phishing sites created for Azuki, Sudoswap, and Doodles.
More phishing scams linked to the Kraken account deposit
So far, I’ve uncovered $2.5m+ worth of NFTs that have been scammed by both Mathys and Camille. Undoubtedly there is more to uncover, but there is only so much that can be tracked through Tornado Cash. Hopefully in the near future we will see some form of legal action taken against Mathys and Camille for the financial harm they have perpetrated on so many people.