2.1M in SHIBA INU was stolen between 10/6/21 - 10/14/21.
During the 8-day hacking spree, numerous victims were drained of SHIB on their Coinbase, Binance, Kraken, Crypto.com and Voyager exchange accounts.
The total score from all the hacks was over $2.1M, not a bad payday!
How was the scam executed?
How was the theft pinned on Konstantin?
Where are the funds now?
Read below for a detailed analysis of this unsolved hack…until now! Konstantin Pylinskiy appears to be the main player behind this hack.
Following the Funds
Here’s the main wallet to follow
0x68aCE763C2c37f6Dd3339ABD95E387C8216E70aE
This wallet collected all the stolen SHIB funds before sending them on to other intermediary wallets. All of the incoming transactions take place between 10/7/21 - 10/14/21.
The above image is inside the wallet of 0x68aCE763C2c37f6Dd3339ABD95E387C8216E70aE. All of the stolen SHIB was consolidated here.
The wallets that stole the SHIB from victims sent it to the 70ae wallet above. Reference the image above for a visual look.
Once all the SHIB was collected, the stolen funds were sent to the following wallets:
0xb3Df9E7Bdaf06172864ad50057A0Cc3fB34b19b6
-0x0B5f884471A481E9a8b8183F5b52318a91E92fBd
There’s still slightly over $1M in SHIB in 0x0B5f884471A481E9a8b8183F5b52318a91E92fBd at the time of writing.
The hacker laundered only about 500K of the funds so far. Most of the stolen SHIB is still sitting in the 2fBd wallet.
It’s only a matter of time before the rest of the funds get laundered through deposit addresses.
Victim’s Report
Below are a few victims that spoke out.
How the hacker ALMOST got away with 2.1M?
By targeting users posting about SHIBA INU of course!
One method of attack was monitoring Twitter users who used the hashtags #SHIB, #LEASH or #SHIBASWAP. Many of these super fans were huge bag holders of SHIB. Users would then get invited to a Telegram group where the scammers would impersonate official accounts.
A promise of an airdrop or social engineering techniques like fake Coinbase exchange login pages could be used to gain access to the victim’s SHIBA INU.
The Shiba Inu team posted a video on 11/20/21 warning users of scammers targeting SHIB holders. Above is a screenshot from the video.
Shortly after the attack that started on 10/6/21, the real SHIBA INU team came out with a video warning users about scammers. Cointelegraph also mentioned the scam alert to SHIB investors around the same time.
Connection to Konstantin Pylinskiy
This hack featured numerous jumps and bridges to obscure the trail. Similar to the other hacks and scams posted, I was researching a different theft connected to Konstantin when I came across this one.
All of my posts will eventually be connected together in one beautiful, long story. Until then, I’ll go back and update this post to cover the additional scams/hacks connected in the future.
The above shows the outflows of the hacker wallet 0x68aCE763C2c37f6Dd3339ABD95E387C8216E70aE. The SHIB gets consolidated into 0xb3Df9E7Bdaf06172864ad50057A0Cc3fB34b19b6, labeled 2M SHIB and HEX Hacker, while the ETH goes into 0x1e9ada56BbE964Bd78B96E62E8C5b07E165A1d3C, labeled Scam: muske.net 1 1 1, with this Etherscan txn.
Here’s the direct connection starting with the initial theft address of 0x68aCE763C2c37f6Dd3339ABD95E387C8216E70aE:
0x68aCE763C2c37f6Dd3339ABD95E387C8216E70aE - Theft wallet
*0x1e9ada56BbE964Bd78B96E62E8C5b07E165A1d3C - Intermediary, connected to another scam, Elon Musk impersonation
**0xAED8d30C74AC4306b64ae78876F25985Da03061a - Intermediary 2
***0x6A29aEa8e7C62587730027EacDc4406b2de5Fc86 - Yobit Deposit Address
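The hop chain listed above, as an added example (not code from the original post): a breadth-first trace from a theft wallet to the first labelled exchange deposit address, followed by a lookup of other wallets paying into that same deposit address. All wallet names and transfers are constructed placeholders, and the deposit label set is a hypothetical analyst-maintained list.

```python
from collections import defaultdict, deque
# Constructed sample transfers (sender, receiver, asset); placeholder names, not chain data.
TRANSFERS = [
    ("collector_1", "theft_wallet", "SHIB"),
    ("collector_2", "theft_wallet", "SHIB"),
    ("theft_wallet", "holding_wallet", "SHIB"),
    ("theft_wallet", "intermediary_1", "ETH"),
    ("intermediary_1", "intermediary_2", "ETH"),
    ("intermediary_2", "exchange_deposit", "ETH"),
    ("other_scam_wallet", "exchange_deposit", "ETH"),
]
# Hypothetical analyst-maintained labels for known exchange deposit addresses.
DEPOSIT_LABELS = {"exchange_deposit": "Exchange deposit address"}

def build_graph(transfers):
    """Index transfers as forward (out) and reverse (in) adjacency sets."""
    out_edges, in_edges = defaultdict(set), defaultdict(set)
    for src, dst, _asset in transfers:
        out_edges[src].add(dst)
        in_edges[dst].add(src)
    return out_edges, in_edges

def trace_to_deposit(start, out_edges, deposits, max_hops=6):
    """Breadth-first search forward from start; shortest path to a labelled deposit."""
    queue, seen = deque([[start]]), {start}
    while queue:
        path = queue.popleft()
        if path[-1] in deposits and len(path) > 1:
            return path
        if len(path) - 1 >= max_hops:
            continue  # hop budget spent; stop extending this branch
        for nxt in sorted(out_edges.get(path[-1], ())):
            if nxt not in seen:  # also protects against cycles
                seen.add(nxt)
                queue.append(path + [nxt])
    return None

def shared_depositors(deposit, in_edges, exclude):
    """Other wallets paying into the same deposit address (possible common control)."""
    return sorted(in_edges.get(deposit, set()) - set(exclude))

def format_hops(path):
    """Render a path in the page's notation: one '*' per hop from the start."""
    return ["*" * depth + addr for depth, addr in enumerate(path)]

if __name__ == "__main__":
    out_e, in_e = build_graph(TRANSFERS)
    path = trace_to_deposit("theft_wallet", out_e, DEPOSIT_LABELS)
    print(format_hops(path), shared_depositors(path[-1], in_e, exclude=path))
```

A shared deposit address is a heuristic link, so the second result is a lead to corroborate against other on-chain activity rather than a conclusion on its own.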
I’ll eventually cover the Musk impersonation scam, but the focus here is the Yobit Deposit Address of 0x6A29aEa8e7C62587730027EacDc4406b2de5Fc86.
Above is a visual view of the deposits into the Yobit Deposit Address of 0x6A29aEa8e7C62587730027EacDc4406b2de5Fc86. There are direct connections to 0x148045a8f50A260f2D106771108b81A02B36A889, a theft address in the Coinbase 1000 ETH Scam, and 0xBd7D80D065508dd8509DE550203211d6C28A2DB7, a wallet directly connected to Konstantin Pylinskiy aka konpyl through numerous shared interactions and deposit address activity.
There are other hacks and scams I haven’t covered yet, as well as a few which I have yet to uncover.
Funds from this hack continue to be laundered through deposit addresses, as recently as Aug 3 2024 at the time of this writing.