The 20 MILLION Elon Giveaway Scam
How Konstantin Pylinskiy was part of one of the biggest Giveaway/Impersonation scams of all time.
On Feb 15th 2021, a Russian guy had his life savings drained in a scam. The total amount lost was about $4,200 USD. The event was a devastating, life-altering experience for him.
While the total value lost was relatively small, this was just the tip of the iceberg. However big or small, losing savings you spent years accumulating is never a good feeling.
The victim fell for an Elon Musk Giveaway scam.
Below are the details on how this 20 Million+ scam happened as well as Konstantin Pylinskiy’s role in the theft.
Wallets and Transactions in the Theft
Victim’s Wallets
D7VDWr4waVPNQkC452Yr4G7nwvKUwYf6yJ - Dogechain Theft txn - $1,882.52
DKLwuJYN135hozXH9keKC4tH2K9Lb57aGM - Dogechain Theft txn - $741.24
0x84afb532e03432994f675846570aee1e20244507 - Etherscan Theft txn - $1,582.26
Main Hacker Wallets
DEfc35egio6jTuVUyKCHVoRyWDwRQUZEy3
0xe35814738ED9e9c85D12901cAC5AEebe2F0897D0
How the Elon Musk Impersonation/Giveaway Scam Works
Thanks to the victim diligently documenting his journey, we have first-party information on how the scam worked.
Above is an example of an Elon Musk impersonation giveaway scam
An army of Twitter accounts impersonating Elon Musk posts one-time offers to double your DOGE, BTC, or ETH stacks. All you have to do is send X amount and you’ll receive 2X + a bonus! (One of those too-good-to-be-true scenarios.)
The image above is the exact scam the victim fell for at musk-club.com.
The victim sent two DOGE txns, one for about 27,000 DOGE and the other about 10,000 DOGE to DEfc35egio6jTuVUyKCHVoRyWDwRQUZEy3.
The above is the ETH scam the victim fell for, also at musk-club.com.
Hoping to get 1 ETH back, the victim sent .5 ETH to the scammer’s wallet of 0x84afb532e03432994f675846570aee1e20244507.
Connection to Konstantin Pylinskiy, konpyl
Like all of the hacks/scams attributed to “konpyl”, I came across this one researching other hacks.
The deposit address 0x6A29aEa8e7C62587730027EacDc4406b2de5Fc86 (Yobit) shares other interactions with hacker wallets associated with the victim who had 1000 ETH stolen from her Coinbase account.
The image above connects the theft wallet of the Elon Impersonation scam to a deposit address Konstantin appears to own.
Below is the path I took to find the connection:
0xe35814738ED9e9c85D12901cAC5AEebe2F0897D0 - Original theft wallet
- 0x80293f92AEE5E1dB39fe90D89ebBE101C8B68010 - 39.258 ETH sent here with this Etherscan txn - This wallet was also used to consolidate all the stolen victims’ funds
-- 0x208a525ae2c66d9629E44DCBB1e71243407A650f - 146 ETH sent here with this Etherscan txn
--- 0x1e9ada56BbE964Bd78B96E62E8C5b07E165A1d3C - 145.997 ETH sent here with this Etherscan txn.
---- 0x3be3DE64556c0883FFfdb3ab338AF352517306C1 (448K here) - 165 ETH sent here with this Etherscan txn
----- 0x45E9995f80F9C1a610C1a7681a8A26297f2561aa (Most recent incoming txn. No outgoing txns.) - 2.734 ETH incoming txn with this Etherscan txn.
------ 0x6A29aEa8e7C62587730027EacDc4406b2de5Fc86 - Yobit Deposit
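The hop-by-hop trace above can be automated. The following is an added example, not the author's tooling: a breadth-first forward trace over a transfer list that stops at labelled exchange deposit addresses, ignores dust, and flags any path that crosses a shared service (a bridge or exchange wallet), where funds from unrelated users mix and a link alone says little about ownership. All addresses, amounts and labels in it are constructed placeholders, not wallets from this post.

```python
from collections import deque

# Constructed sample data: (sender, receiver, ETH). Placeholder addresses,
# not wallets from the post.
TRANSFERS = [
    ("0xTHEFT", "0xCONSOLIDATE", 39.258),
    ("0xCONSOLIDATE", "0xHOP1", 146.0),
    ("0xHOP1", "0xHOP2", 145.997),
    ("0xHOP2", "0xDEPOSIT_A", 2.7),
    ("0xCONSOLIDATE", "0xBRIDGE", 100.0),
    ("0xBRIDGE", "0xDEPOSIT_B", 50.0),    # may be another user's funds
    ("0xHOP1", "0xDUST", 0.0001),
    ("0xDUST", "0xDEPOSIT_C", 0.0001),
]
# Hypothetical labels an analyst would pull from an explorer or label feed.
LABELS = {"0xDEPOSIT_A": "deposit", "0xDEPOSIT_B": "deposit",
          "0xDEPOSIT_C": "deposit", "0xBRIDGE": "service"}


def trace(start, transfers, labels, min_eth=0.01, max_hops=6):
    """Breadth-first forward trace from start to labelled deposit addresses."""
    graph = {}
    for src, dst, eth in transfers:
        if eth >= min_eth:  # dust transfers are not evidence of a fund flow
            graph.setdefault(src, []).append(dst)
    hits, seen = [], {(start, False)}
    queue = deque([([start], False)])
    while queue:
        path, via_service = queue.popleft()
        if len(path) - 1 >= max_hops:
            continue
        for dst in graph.get(path[-1], []):
            if (dst, via_service) in seen:
                continue
            seen.add((dst, via_service))
            if labels.get(dst) == "deposit":
                # Stop here: past this point funds sit in the exchange's pool.
                hits.append({"deposit": dst, "hops": len(path),
                             "path": path + [dst], "via_service": via_service})
                continue
            queue.append((path + [dst],
                          via_service or labels.get(dst) == "service"))
    return hits


def direct_hits(hits):
    """Keep only deposits reached without crossing a shared service."""
    return [h["deposit"] for h in hits if not h["via_service"]]
```

Calling trace("0xTHEFT", TRANSFERS, LABELS) reports two deposit addresses, and direct_hits() keeps only the one reached without passing through the bridge.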
Connection to Konstantin Pylinskiy, konpyl 2
In order to understand the connection here we need to start with Konstantin’s main wallet of 0x44BdB19dB1Cd29D546597AF7dc0549e7f6F9E480. The Opensea user name for this wallet was literally “konpyl”.
Arkham Analytics logs previous OpenSea usernames. The user name was changed recently from “konpyl” to “Pehuzlgo”.
The “konpyl” wallet sent 43 txns to 0x909189fC2a599aEfDF4a69D0be637200cfCe4371.
Additionally, there is activity at numerous shared deposit addresses, including:
0xf0a59E87f09024966493B912D8687336Bee2f4D9 - Binance
0x278FF1446Ffc66F861f46F6Ac83d9A90624C92D4 - Binance
Above is a look inside 0x909189fC2a599aEfDF4a69D0be637200cfCe4371. The top two highest-value txns are a Yobit Deposit Address and konpyl’s main wallet of 0x44BdB19dB1Cd29D546597AF7dc0549e7f6F9E480.
Now that we have established that 0x909189fC2a599aEfDF4a69D0be637200cfCe4371 = konpyl (Konstantin Pylinskiy), let’s look at the connection to the Elon Impersonation Scams.
0xe35814738ED9e9c85D12901cAC5AEebe2F0897D0 - Original theft wallet (Fake_Phishing6898 label on Etherscan)
- 0x80293f92AEE5E1dB39fe90D89ebBE101C8B68010 - 39.258 ETH sent here with this Etherscan txn - This wallet was also used to consolidate all the stolen victims’ funds
-- 0x8DB82c0134Fc611a3a44624306c0407dDCe06330 - 100 ETH sent here with this Etherscan txn
--- 0xa5822C422b701fa290E0bbeEf177466F2E49a892 - .477 ETH sent here with this Etherscan txn (9.515 ETH sent through Cointool; these end up in the 0x909189fC2a599aEfDF4a69D0be637200cfCe4371 wallet as well)
---- 0x4744dc92E1eCF460652d2749DE4769966f6a40D8 - .476 ETH sent here with this Etherscan txn
----- 0x909189fC2a599aEfDF4a69D0be637200cfCe4371 (All funds go here in a single outgoing transaction! Here’s the Etherscan txn)
Above is a look inside 0x4744dc92E1eCF460652d2749DE4769966f6a40D8. There’s only one outgoing txn and it goes to 0x909189fC2a599aEfDF4a69D0be637200cfCe4371.
The $20,000,000+ Scam
This one took A LOT of research to pin down and outline all of the wallets affected. Suffice it to say, I can confidently say the impersonation/giveaway scams netted the scammer or scammers over 20M in stolen ETH, BTC, and DOGE.
The MalwareHunter team outlined 48 verified Twitter accounts that participated in the scam. In many instances, verified Twitter users with hundreds of thousands of followers were hacked and taken over by the attackers.
Above are a couple of examples of the Twitter takeover of the account of “Sarah_K_Brooks” and the messaging used to lure victims.
$3,154,450 (960.588 ETH) Stolen on the ETH Network
The address of 0x80293f92AEE5E1dB39fe90D89ebBE101C8B68010 represents a singular wallet where the hacker moved all of the ETH from the Impersonation Scams.
Above is a look inside the incoming txns of 0x80293f92AEE5E1dB39fe90D89ebBE101C8B68010. This wallet was used to consolidate all the stolen victims’ funds from other wallets.
Every single wallet with inflows to 0x80293f92AEE5E1dB39fe90D89ebBE101C8B68010 is part of the Elon impersonation scams. The ones with labels I can attribute to certain scam websites or to victims. The unlabeled ones also appear to be part of the scam, though no one complained or mentioned them as such.
Michael Saylor and MicroStrategy make an appearance as the scammer diversified a bit from the Elon Musk/Tesla scam sites.
The outflows lead to numerous wallets owned by Konstantin Pylinskiy, konpyl.
$14,000,000+ Stolen on the BTC Network
I’m showing at least 14M in Bitcoin flowing through known hacker wallets connected to the Impersonation/Giveaway scams.
Above is a look inside bc1q2k0822fr77l5f045nvyktuae3n0dphp788g6xd. 8.285 BTC goes into this wallet from 1AtWngRL7VPsGJGXLyiGriqwBEbtuXEoEJ labeled Musk-club BTC Scammer.
I was only able to attribute about $528,020 (10.126 BTC) stolen from the musk-club.com scam from wallet - 1AtWngRL7VPsGJGXLyiGriqwBEbtuXEoEJ.
There are at least 48 verified scam websites identified, with musk-club.com representing a small portion of the stolen Bitcoin.
The victim mentioned at the beginning of the article that he sent the scammer ETH and DOGE, but did not send any BTC.
Above is the BTC wallet for the scam website musk-club.com/btc - 1AtWngRL7VPsGJGXLyiGriqwBEbtuXEoEJ. This is just one example of the 48+ Impersonation scams going on at the same time. The victim was scammed from the websites musk-club.com/eth and musk-club.com/doge.
Even though many of these impersonation scams were blacklisted and shut down days after launching, the damage was already done. Millions worth of crypto were stolen during these Giveaway Scams.
Interestingly, I’m showing many of the funds ending up at the Hydra Market. The Hydra Darknet Marketplace was shut down in April 2022.
The rest of the 13.5M+ in BTC
Where’s the rest of the stolen Bitcoin?
The Bleeping Computer article gives insight into the amount of BTC stolen in the Impersonation Scams in one week.
Following the flow of funds starting with 1E9GwoiRbzzEgQXk32J5ksr9FbcfGcJXuZ (listed in the image above), .775 BTC is sent to 34PVg8NwW6i4BJ5DyuzsPE2URcPxzV3oV8 then bc1qvgzqcxe69vm4mv2te2duj34htwppn02w0mccul. The timing is interesting as the hacker waited almost 2 and a half years before sending the funds out.
Note: Attribution can be a challenge, especially with wallets doing huge transactions. It’s possible bc1qvgzqcxe69vm4mv2te2duj34htwppn02w0mccul is an exchange, defi platform or decentralized financial institution of sorts. If that’s the case I’ll go back and update my numbers.
The above image is inside bc1qvgzqcxe69vm4mv2te2duj34htwppn02w0mccul. This wallet currently has about 15 BTC worth about 850K in it. Note the timestamps on the left. The scammer waited over 3 years to move funds out of this wallet from the original scam wallet of 1E9GwoiRbzzEgQXk32J5ksr9FbcfGcJXuZ, which made its only outgoing txn on 2/24/21 with this txn. There’s about $14 MILLION in outflows here!
I spot checked a few of the outgoing wallets and noticed anywhere from .5 - 3 BTC get peeled off at a time.
For example, looking at the txn for 2.39M to bc1q4rrq8xx9xcw0talhang9t0umcfpxjhq7zeqnf6, I noticed 2 BTC was peeled off to bc1qgp9tl4zu0cp9y5mjm7gfnyl7rhf8cpmef7ugxc. Below is an image.
All of the funds inside bc1qgp9tl4zu0cp9y5mjm7gfnyl7rhf8cpmef7ugxc go through the Avalanche Bitcoin Bridge. The total BTC is slightly over 26 BTC.
Above is a visual inside the wallet of bc1qgp9tl4zu0cp9y5mjm7gfnyl7rhf8cpmef7ugxc. About 26 BTC goes through the Avalanche Bitcoin Bridge between 3/19 - 3/22/24.
I took a random sample of the Bridge outputs and noticed they all lead to the same place. For example, this was the 2nd txn to the Avalanche Bitcoin Bridge from the image above.
An example of one of the transactions to the Avalanche Bitcoin Bridge.
I traced the output to 0xf67725080B77E4Ab0569Bd03d6bbA02f316cf08a. All of the funds get swapped to USDT and sent to 0x91884BeC6AC95c016c21711Db165A86b3178868E.
This is a win for the good guys as over 4.2 MILLION in USDT was frozen by Tether on 4/18/24!
You can see the event on Etherscan here.
The post is worth a revisit in the future. Maybe I’ll do a Part 2 once new information comes to light.
I didn’t even get to the DOGE portion of the scam. My prediction is anywhere from 1 - 3 MILLION was stolen in DOGE as well.
It’s hard to believe Konstantin Pylinskiy worked alone in these scams, though he may be the main benefactor. The scale at which Twitter accounts were hacked and scam websites were created leads me to believe there are a few other bad actors involved here.
Perhaps more information on deposit addresses at the exchange level could reveal additional players and their roles.
Nevertheless, Konstantin is 100% involved in one of the biggest scams targeting retail crypto users I’ve ever come across.