Date:: March 29th, 2024
Amount Stolen:: $1,114,813
Amount Frozen:: $942,462.85 (Tether) + ~$50,000 (FixedFloat)
Tags:: 💼 IT Workers
Mar 29 Victim Count: 456
Apr 2 Victim Count: 933++
Total Victim Count: 1334++
On March 29th, 2024, users began reporting on Twitter/X that their Solana wallets had been drained. It was initially suspected that the Telegram bot "BONKBOT" was the culprit, as many of the affected users were active BONKBOT users.
Upon further investigation, it was determined that all of the compromised BONKBOT users had previously exported their BONKBOT-generated keys and imported them into SOLAREUM, a similar Telegram bot.
Solareum speculated that the exploits may have been linked to compromised Telegram bot tokens, which could have allowed the attackers to obtain private keys from message history.
The Solareum team has been less forthcoming with information and initially denied having been exploited. Eventually they conceded, "There maybe a chance we got exploited." They have not been helpful in the investigation.
Solareum later wrote that they would be closing the project, and deleted their website. This drew some criticism from users who accused them of doing nothing to investigate the hack, or even being responsible themselves. The project wrote on Twitter, "We at #SOLAREUM team can clarify that we DO NOT steal money." Ah, well, in that case....
As such, the investigation is led by a collection of BONKBOT team members, private investigators (e.g. Plumferno of OpenSea/Blowfish), and victims. These investigators collected victim reports and victim addresses, and from those identified the addresses that received the stolen funds.
Collectively, they identified addresses that received an estimated 4,927.34 SOL (~$926k USD) stolen from 446 distinct victim addresses. All victims were drained at the same time, and the thefts and the subsequent laundering follow the same pattern.
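One way to surface the pattern described above (many distinct victims drained into a handful of collector addresses within the same narrow time window), as an added example that is not part of the original investigation's tooling: group transfers by slot window and flag destinations that collected from several distinct sources. The addresses, slots and amounts below are constructed for illustration.

```python
# Added example: cluster on-chain transfers to spot synchronized wallet drains.
# Addresses, slots and amounts are constructed; nothing here is from the real case.
from collections import defaultdict
from dataclasses import dataclass

LAMPORTS_PER_SOL = 1_000_000_000


@dataclass(frozen=True)
class Transfer:
    slot: int       # Solana slot in which the transfer landed
    src: str        # sending (victim) address
    dst: str        # receiving address
    lamports: int   # amount moved, in lamports


def cluster_drains(transfers, window_slots=150, min_victims=3):
    """Bucket transfers into windows of `window_slots` slots and return, for
    every (window_start, destination) that collected from at least
    `min_victims` distinct sources, the tuple (victim_count, total_sol)."""
    sources = defaultdict(lambda: defaultdict(set))   # window -> dst -> {src}
    totals = defaultdict(int)                         # (window, dst) -> lamports
    for t in transfers:
        window = (t.slot // window_slots) * window_slots
        sources[window][t.dst].add(t.src)
        totals[(window, t.dst)] += t.lamports
    flagged = {}
    for window, by_dst in sources.items():
        for dst, srcs in by_dst.items():
            if len(srcs) >= min_victims:
                flagged[(window, dst)] = (len(srcs), totals[(window, dst)] / LAMPORTS_PER_SOL)
    return flagged


# Constructed sample: five victims emptied into "Collector1" within ~20 slots,
# one lone transfer to "Collector2" in the same window, and an ordinary
# payment to "Shop" much later. Only Collector1 should be flagged.
SAMPLE = [
    Transfer(256_000_010, "VictimA", "Collector1", 2_500_000_000),
    Transfer(256_000_012, "VictimB", "Collector1", 900_000_000),
    Transfer(256_000_015, "VictimC", "Collector1", 12_250_000_000),
    Transfer(256_000_020, "VictimD", "Collector1", 50_000_000),
    Transfer(256_000_031, "VictimE", "Collector1", 7_300_000_000),
    Transfer(256_000_018, "VictimF", "Collector2", 1_000_000_000),
    Transfer(256_050_000, "VictimA", "Shop", 300_000_000),
]

if __name__ == "__main__":
    for (window, dst), (victims, sol) in cluster_drains(SAMPLE).items():
        print(f"window {window}: {dst} received {sol} SOL from {victims} victims")
```

Running this against real transfer data (e.g. exported from an explorer) gives a first cut of collector addresses to hand to exchanges for freezing requests; lowering `min_victims` widens the net at the cost of ordinary payments showing up.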
US Forfeiture - Solareum - US v 942,462.845 USDT
The FBI attributed the U.S. Company 1 theft to North Korean IT workers based on, among other things, distinctive tactics, techniques, and procedures observed in this heist and other virtual currency heists linked to North Korea IT workers. For example, the FBI has observed North Korea actors using Internet Protocol (IP) addresses hosted by the Russian telecommunications company TransTeleCom (TTK) service in other North Korea IT worker investigations. According to open-source information, the North Korean government began leasing internet access from TTK in or about October 2017; TTK is assigned autonomous system (AS) 20485. In the other IT worker investigations, TTK IP addresses associated with AS 20485 have been observed logging into command-and-control servers, logging into operational accounts, and conducting spear phishing attacks. In this case, as described in greater detail below, a TTK IP address assigned to AS 20485 initiated the transfer of stolen funds from users of the U.S. Company 1 to threat-actor-controlled wallets.
- Transactions from SOL -> USDT-ETH:
  - March 31st IP: 83.234.227.29 (Russia, TTK)
  - March 29th IP: 107.175.60.14
  - Accept-Language: en-US,en;q=0.9
  - Language: English
  - User agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
  - Timezone: Asia/Tokyo
  - User email: takanmolotov@gmail.com
  - User email: petersmith.0322@gmail.com
- https://twitter.com/SolareumProject/status/1773745573234983021
- https://twitter.com/bonkbot_io/status/1773655415760588997
- https://docs.google.com/spreadsheets/d/16edS0MLAbLR5ZpiX7ds3bmWJWcFjUsKimN3O3jmGlZM/edit?usp=sharing
- https://twitter.com/SolareumProject/status/1773751219149824274
- https://twitter.com/Plumferno/status/1773736811090629114
- https://flipsidecrypto.xyz/crypto_edgar/solareum-exploit-MX-y0T