Loyalist: $4m stolen from over 400 victims

February 16th, 2023

Background

Since early 2022 Loyalist / Lukas / Shibango has stolen an estimated $4m+ worth of crypto and NFTs through running phishing scams on Twitter and by collaborating with other known phishing scammers.

July 2022

On July 25 2022 multiple people fell victim to an ENS domain phishing site prompting people to grant approvals to 0xe55 and lose 10 NFTs. This address had been freshly funded by 0x908 earlier that day. Prior to then 0x908 had deposited 100,000 DAI into Tornado Cash.

Stolen funds from 0xe55 were then swept to 0xc997. Connected to 0xe55 are numerous addresses who have fallen to victim to similar phishings scams.

Blue = documented victim | Purple = main phishing address

Twitter user rugnft had BAYC 3273, BAKC, and Otherdeed stolen on July 30 2022 ending up in 0xc997 and 0x85d, two addresses seemingly controlled by Loyalist. Later that day 100 ETH was deposited into Tornado Cash by 0xc997.

August 2022

On Aug 1 2022 0xc997 funded a new address 0xa30 before then funding 0x572a on Aug 10 2022. From 0x572a 526 NFTs were stolen from various phishing scams.

EX 1: Twitter user buchetto phished for Meebit 8661 by 0x572a on Aug 13

EX 2: Twitter user StockDisick phished for 17 NFTs on Aug 15 by 0x572a

EX 3: Twitter user AJslays phished for 9 NFTs on Aug 15 by 0x572a

EX 4: Twitter user Jasoncooperpix phished for 5 NFTs on Aug 21

Discord

In August 2022 Loyalist became active in the Doodles Discord server with the username Shibango#8161 (ID: 819713798419251280)

Inside the server Loyalist revealed his Twitter account “Loyalist” along with the matching ENS address “loyalist.eth”

Doodle 6755 matched what was posted to Discord and his OpenSea profile.

Visiting loyalist.eth revealed the address was primarily funded by multiple large Tornado Cash withdrawals.

From earlier in this article it was revealed 0x908 had made a 100,000 DAI deposit into Tornado on July 18 2022 as well as a 100 ETH deposit on July 30 2022.

loyalist.eth coincidentally received 100,000 DAI from Tornado on July 20 2022. The 100,000 DAI pool typically doesn’t see much activity and has a small anonymity set.

Four hours after depositing on July 30, loyalist.eth then receives 100 ETH from Tornado.

Although this is promising it’s not yet conclusive so let’s continue digging.

September 2022

On Aug 13 0x572a funded a new address 0xaa18 which went on to steal 446 NFTs from various phishing scams.

EX 1: Twitter user Tutushik5 was phished for 10 NFTs on Sep 4 by 0xaa18

EX 2: Twitter user jfitz69420 was phished for 4 NFTs on Sep 4 by 0xaa18

EX 3: Twitter user Frank_theTnk was phished for 1 X MAYC and 3 X Otherdeed NFTs on Sep 5 by 0xaa18 after falling for a Otherside impersonator on Twitter that posted links to a phishing site.

EX 4: Twitter user CryptoKlopp was phished for 3 X Otherdeed NFTs on Sep 5 from the same Otherside phishing scam by 0xaa18.

EX 5: Twitter user ametaversea was phished for 5 NFTs on Sep 15 by 0xaa18

0xaa18 consolidated the stolen funds to 0xaf5c and made 2 X 100 ETH and 1 X 10 ETH deposits into Tornado beginning September 12 at 10:29 am UTC.

Sep 12 at 8:07 pm UTC: 100 ETH was withdrawn from Tornado
Sep 12 at 8:08 pm UTC: 10 ETH was withdrawn from Tornado
Sep 13 at 2:09 pm UTC: 100 ETH was withdrawn from Tornado

All three withdrawals were eventually moved to addresses tied directly to Loyalist once again.

October 2022

On Sep 15 0xaa18 funded 0x41cc before then funding 0x465 on Oct 10. From 0x465, 480 NFTs were stolen from various phishing scams. During this month Loyalist started actively using Monkey Drainer to steal NFTs.

EX 1: Twitter user greenmamba_eth was phished for 19 NFTs on Oct 10 by 0x465.

EX 2: Twitter user ursthiru was phished for MAYC, 2 X Meebits, Cool Cats, and 16 other NFTs on Oct 22 by a fake Blur Twitter account.

EX 3: Twitter user Blainetrain83 was phished for 17 NFTs on Oct 22 from the same fake Blur Twitter account by 0x465.

On Oct 22 funds were consolidated to 0x8fed before depositing 2 X 100 ETH to Tornado on Nov 3 2022 at 6:17 am UTC.

Nov 4 at 3:13 am UTC: 100 ETH was withdrawn from Tornado
Nov 4 at 3:15 am UTC: 100 ETH was withdrawn from Tornado

Once again the funds consolidate to to a loyalist address.

We now have seven instances of Tornado deposits and withdrawals tied directly to loyalist matching 1:1.

November 2022

On Nov 4 2022, 7 X CryptoPunks were phished using Monkey Drainer. Loyalist used 0x8fed to initially fund the main address tied to the phishing scam. It remains unclear what exact role he played in the attack.

Who is Loyalist

In the Doodles Discord server and on Twitter Loyalist reveals he is from Eastern Europe and even posts pictures of the country.

A reverse image search of the photo that Loyalist shared shows this is Kaunas, Lithuania.

Loyalist proceeds to show real estate listings on Discord from Lithuania.

The real estate website in the photo has a Lithuania domain.

In January 2023 it was revealed that 200 million Twitter users had their email addresses and other information leaked online as a result of an API issue from Q4 2021.

Searching the database revealed Loyalist’s personal email account along with the name of Lukas B. This info was also cross-referenced with other publicly available information.

Email | Name | Screenname | Followers | Created At
Email redacted | Loyalist.eth | loyalist | 175 | 2014-12-17

The email and other personal information has been redacted for privacy reasons but veracity has been confirmed and will be shared with victims and projects so legal action can be taken.

Conclusion

Currently the address loyalist.eth has been inactive since Oct 2022 but $1m DAI is currently held in his alt address 0xa13 which has made transfers in the past two weeks. His primary exchange account has seen $2.9m in total deposits on Ethereum. Based on these number it’s fair to estimate at least $4m has been stolen by Loyalist as a result of running phishing scams and any other illicit activity.

In total 1741 NFTs were found to have been stolen by Loyalist and 416 unique victims have been observed. Here are two graphs visualizing the number of thefts by collections and unique NFT phishing victim accounts per day.

This first graph by bax1337 shows the number of NFTs phished by collection. Collections with a floor price below 0.1 ETH as of 2-14-23 were omitted.

Loyalist’s activity was analyzed over a period of 7 months. This second graph by bax1337 shows the number of unique victims phished on each day he was active.

If you believe you were possibly a victim of Loyalist please search your address here.

Hopefully in the near future we will see legal action taken against Loyalist (Lukas) for everyone he has harmed. The recent announcement of a seizure by the US FBI from another phishing scammer is promising and leads to me believe it will liekly be one of many to come.

If you find research like this interesting or perhaps if you were a victim of Loyalist yourself please consider donating to my wallet address. My work is entirely community funded with countless hours going into articles such as this one.

ENS:

zachxbt.eth

For EVM compatible coins:

0x9D727911B54C455B0071A7B682FcF4Bc444B5596

Gitcoin:

Subscribe to Investigations By ZachXBT

Receive the latest updates directly to your inbox.

Mint this entry as an NFT to add it to your collection.

Verification

This entry has been permanently stored onchain and signed by its creator.

Arweave Transaction

Lc4gOr_2-BK-M8X…_KsYsAYew985EQk

Author Address

0x3D502fA3C2Aac31…Bd38AB861211458

Content Digest

chj355oHn5PcRIc…-E6k37oE3w619HY