The Business & Technology Network
Helping Business Interpret and Use Technology
Mistaken Identity: How a Yuga Labs Researcher Was Wrongly Tied to a $1.1M Bored Ape Phishing Theft

DATE POSTED: May 13, 2025

One of the more troubling cases of mistaken identity in recent crypto history shows how a respected white-hat hacker and former Yuga Labs security researcher was detained at the airport in 2023 under suspicion of being behind a sophisticated phishing attack that resulted in the theft of over $1.1 million in Bored Ape NFTs.

This incident raises many questions about the precision of law enforcement’s forensic processes, especially in the context of increasingly available privacy tools and the growing use of decentralized identities.

Sam Curry—a researcher at Yuga Labs who had been working on analyzing phishing threats—became an unintended target because of poor IP-based attribution and a misunderstanding of the digital trail he had traced to the real attacker. Blockchain forensics now reveal far stronger evidence pointing toward another suspect still at large.

The Bored Ape Heist: A Social Engineering Playbook

The story begins in December 2022. A victim holding 14 highly prized Bored Ape Yacht Club (BAYC) NFTs was lured into a social engineering scam. Who set this scam into motion? A scammer who masqueraded as a fight producer, using repurposed, long-established verified X (formerly Twitter) accounts that carried a great deal of trust.

Using this made-up offer as bait, the scammer lured the victim to a phishing website. Once there, the victim was prompted to grant the scammer a malicious token approval. It worked. Within seconds, all 14 NFTs were stolen and sent to an address where they could be liquidated: `0x9335da37d37bc5d46850eaee48f8b9ccbe94d9a2`.

After that, the attacker moved fast, selling the NFTs and routing the proceeds through privacy-preserving tools. The transfers themselves stood out: four separate deposits of 100 ETH, five deposits of 100,000 DAI, and several smaller ETH deposits, all pushed through Tornado Cash to make the funds look as if they had no connection to the theft.

Nonetheless, because of the distinctive quantities and timing of both the deposits and the withdrawals, analysts were able to demix the Tornado Cash transactions with confidence, linking the inbound deposits to the outbound withdrawals. This was a substantial step forward in uncovering the true destination of the funds.
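A minimal version of that deposit/withdrawal matching heuristic, written here as an added Python example (not code from the article or from the analysts it describes) and run over constructed pool events with hypothetical addresses. It batches one address's deposits of a fixed denomination by timing, then looks for a withdrawal batch of the same pool, denomination and count shortly afterwards, which is the "distinctive quantities and timing" signal the analysts relied on.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample pool events (not real chain data): (pool, denomination, address, timestamp).
# Hypothetical addresses; the attacker here makes four 100 ETH deposits in quick succession.
DEPOSITS = [
    ("ETH", 100, "0xA_src", datetime(2022, 12, 18, 1, 0)),
    ("ETH", 100, "0xA_src", datetime(2022, 12, 18, 1, 6)),
    ("ETH", 100, "0xA_src", datetime(2022, 12, 18, 1, 9)),
    ("ETH", 100, "0xA_src", datetime(2022, 12, 18, 1, 15)),
    ("ETH", 100, "0xB_src", datetime(2022, 12, 18, 7, 0)),   # unrelated single deposit
]
WITHDRAWALS = [
    ("ETH", 100, "0xC_dst", datetime(2022, 12, 19, 3, 0)),
    ("ETH", 100, "0xC_dst", datetime(2022, 12, 19, 3, 12)),
    ("ETH", 100, "0xC_dst", datetime(2022, 12, 19, 3, 20)),
    ("ETH", 100, "0xC_dst", datetime(2022, 12, 19, 3, 33)),
    ("ETH", 100, "0xD_dst", datetime(2022, 12, 25, 9, 0)),   # too late and wrong count
]

def batches(events, gap=timedelta(minutes=30)):
    """Group one address's events in a pool into runs whose consecutive
    timestamps are no more than `gap` apart. Returns (pool, denom, addr, [ts...])."""
    by_key = defaultdict(list)
    for pool, denom, addr, ts in events:
        by_key[(pool, denom, addr)].append(ts)
    out = []
    for (pool, denom, addr), times in by_key.items():
        times.sort()
        run = [times[0]]
        for t in times[1:]:
            if t - run[-1] > gap:          # gap exceeded: close the current run
                out.append((pool, denom, addr, run))
                run = []
            run.append(t)
        out.append((pool, denom, addr, run))
    return out

def demix(deposits, withdrawals, lookahead=timedelta(days=3)):
    """Link a deposit batch to a withdrawal batch that has the same pool, denomination
    and count and starts after the last deposit but within `lookahead`."""
    links = []
    for pool, denom, src, dep in batches(deposits):
        for wpool, wdenom, dst, wtimes in batches(withdrawals):
            same_fingerprint = (wpool, wdenom, len(wtimes)) == (pool, denom, len(dep))
            if same_fingerprint and dep[-1] < wtimes[0] <= dep[-1] + lookahead:
                links.append((src, dst, len(dep)))
    return links
```

The heuristic is only as strong as the batch's distinctiveness: a lone fixed-denomination deposit matches many withdrawals, which is why the page's four-by-100 ETH and five-by-100,000 DAI runs were traceable while a single deposit would not be.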

A Researcher Detained, a Trail Misread

Jump to September 2023: well-known white-hat hacker Sam Curry, who had made security contributions at Yuga Labs, was detained by law enforcement at an airport. A grand jury subpoena in connection with the $1.1 million NFT theft was served on Curry, a development that surprised and shocked the security community.

The case against Curry, however, unraveled rapidly. Investigators had found Curry’s home IP address in OpenSea logs tied to the phishing website. What they had overlooked was that Curry had accessed the site as part of his own security analysis. The scammer, it turns out, had mistakenly left a private key in the site’s JavaScript, which Curry used during his investigation. The IP address match was purely circumstantial: a case of incomplete context leading to a wrongful implication.

In the end, the subpoena was rescinded, but harm had already been inflicted on Curry’s reputation and privacy. All the while, a far more substantive trail to the actual suspect sat in plain view on the blockchain.

Fugazi Gambler and the Trail to Gate.io and Remitano

After demixing the Tornado Cash transfers, analysts found the next stop was ready and waiting: a cryptocurrency exchange called Gate.io. The stolen funds were sent through a series of speed-swap services that almost instantly converted one cryptocurrency into another. Then, across 21 different addresses on the exchange, Gate.io received a total of more than $105 million in cryptocurrency, spread over nearly every asset available.

A couple of weeks before using Gate.io, the hackers had run the same coins through a similar series of swaps on a different service, again using a speed-swap service as the first stage. The timing was chosen to get the stolen funds into the right mix of assets for the next part of the plan.

Subsequently, all funds were consolidated at `0x4f9051a58b416eaa0216081d7030679f17e9b069` and divided into two sizable chunks. Part of the total was cashed out using the peer-to-peer platform Remitano. One of the wallets that received the funds was apparently connected to the ENS domain fugazigambler.eth, the X account @FugaziGambler, and the Telegram ID 5970895400, among other things.

The Telegram ID and ENS were connected by investigators correlating on-chain betting activity with messages in a Telegram group associated with a gambling project. These circumstantial links, unlike those used against Curry, are backed by on-chain behavior, social media identities, and transaction patterns.

Time to Refocus the Investigation

This case underscores the risks of misreading digital traces, particularly when it comes to something as serious as cybercrime. Blockchain may provide the clarity one needs to follow the breadcrumbs left behind, but it takes critical thinking, context, and an appreciation for technical detail to understand what’s really happening. Sam Curry got thrown under the bus in an attribution failure, while the real perpetrator appears to be an individual (or group) going by the name “Fugazi Gambler.”

Now, law enforcement should focus their efforts on subpoenaing the data tied to the Fugazi Gambler Telegram and X accounts, alongside a deeper analysis of the transaction history from Remitano. With the forensic trail still warm, there’s still hope for accountability, and perhaps a small measure of justice for the wrongly accused.

Disclosure: This is not trading or investment advice. Always do your research before buying any cryptocurrency or investing in any services.

The post Mistaken Identity: How a Yuga Labs Researcher Was Wrongly Tied to a $1.1M Bored Ape Phishing Theft appeared first on The Merkle News.