🕵️♂️ It really feels great to help people during dark times
Today we helped @NiwinEth, a proud owner of @cryptopunks #8832! Their wallet was compromised, which saw the theft of the Punk among other assets!
😱 This is how it started ⬇️
Then @lorepunk got in touch on Niwin's behalf and we didn't hesitate!
1️⃣ The first priority is always to secure any remaining assets.
2️⃣ Then we set about doing what we do best - Tracing
3️⃣ We also need to try to understand the cause!
4️⃣ Next, we watch and wait. This is where the break came from. The Punk was sold for 40 ETH and that was deposited to @okx
5️⃣ Now it's all about timing and luck. Luckily on this occasion, we caught it in time.
6️⃣ OKX didn't hesitate either - they were successful in freezing the proceeds.
7️⃣ Now it's all about law enforcement - They NEED to get involved. @NiwinEth is working hard to achieve this!
Here is how it is now! Still work to do but Niwin now has a much higher chance of success.
Best of luck @NiwinEth 💙
A part of the funds went out to MEXC, the other part is being accumulated and commingled. You can get in touch with them but I doubt they will do anything beyond a temp freeze. Your real challenge is getting law enforcement involved.
Given the value, I don't think you'll get the traction you deserve! Regardless, here is the chart: https://t.co/M8vXYDGAUI
Don't trust "recovery specialists".
🚀 We did it — 500 YT subscribers!
A huge thank you to everyone who has supported Intelligence on-Chain and helped us grow our community of crypto investigators, analysts, OSINT practitioners, and blockchain enthusiasts.
To celebrate, we've released a new video where we:
✅ Announce the winner of our FREE Blockchain & OSINT Investigations Class
✅ Share what's next for Intelligence on-Chain
✅ Thank the community for helping us reach this milestone
🎉 Congratulations to the winner!
The video link will be posted in the comments below.
Here's to the next 500. 🍻
A lesson for those running @safe multisigs.
1️⃣ Always update signers immediately
2️⃣ Decrease risk with 3/5 or 4/5 as a bare minimum
Sorry to see this but it could have been prevented - hence sharing
Urgent: the SAFE multisig of the @commonshub_bxl has been drained an hour ago by this address: https://t.co/xEYvgL8veO
We lost €110k, all the savings of the community :-(
Already reached out to @monerium who has been very reactive.
Anyone at @gnosischain that could help us?
How to Start a Crypto Investigation
In this video, we walk through the early stages of a crypto investigation and show you how investigators trace digital footprints across wallets, domains, phone numbers, and blockchain activity.
I'm sorry to say, but this guy appears to be an amateur. The build of this website is literally terrible.
The phone number is linked to a Mr. Vishal Gadiya from Delhi in India. The Whoxy is from the same region... Wouldn't take much effort from law enforcement to find this guy...
The only question is the value and your jurisdiction and whether or not LE will support you. I doubt it unfortunately
I traced that wallet, and it has not just scammed me but an INSANE amount of people. @zachxbt I think you should take a look please.
Here are the findings:
# Crypto Scam Incident Report
## Case Summary
- Victim wallet: `0x6A5838fB890A8C8b67d2c230A45FA6e24aC9c12D`
- Chain: BNB Smart Chain / BSC (chain ID `56`)
- Scam domain: `https://t.co/Mp0ZfVz8Ys`
- Token stolen: Binance-Peg BSC-USD / USDT on BSC (`0x55d398326f99059fF775485246999027B3197955`)
- Amount stolen: `5622.000000000001` BSC-USD
- Scam type: approval drainer / allowance abuse
- Date of theft: `May 20, 2026`
## Executive Summary
The victim connected wallet `0x6A5838fB890A8C8b67d2c230A45FA6e24aC9c12D` to the scam website `https://t.co/Mp0ZfVz8Ys` and signed an approval transaction that granted a malicious contract authority to spend BSC-USD from the wallet.
The approval transaction was:
- Approval tx: [0xcb0d8d1013cd2652f62a364e5a4b1c5857c5bb677c6f8508b0912543b2906e5e](https://t.co/gTwDo3O0eZ)
The spender was the malicious contract:
- Scam contract: [0xb6bF8D6f63689D3f1054cE1636b91010df44FC1F](https://t.co/SFdhxs2GKE)
About 21 seconds later, the contract owner executed a drain transaction against the victim wallet:
- Drain tx: [0x5eca2df3d5fe2de6a97b86d3dad43aaff4905e2f989dc461a9781795f8a1ea15](https://t.co/1uy2lvmp0L)
That transaction pulled `5622` BSC-USD from the victim wallet and split it between two scam-controlled addresses:
- Owner wallet: [0xfAe711ea96a91022cF674A3e4fF8D31b6A6A2b3a](https://t.co/OtFlE7fyTy)
- Sub-admin wallet: [0xb4fc46eb14ca4cb1eb8e37036c2a8759759dc599](https://t.co/cAczupbjc1)
The main branch of funds was then forwarded through multiple relay wallets and, at the time of tracing, ended at:
- Current main holder: [0x1d2d01fcaf5d8aecfdce26015b093073b831a63d](https://t.co/pSecI61LW7)
The side branch remained at:
- Current side holder: [0xb4fc46eb14ca4cb1eb8e37036c2a8759759dc599](https://t.co/cAczupbjc1)
At the time of checking, the approval from the victim wallet to the scam contract was still active with a very large remaining allowance.
## Key Entities
- Victim wallet: [0x6A5838fB890A8C8b67d2c230A45FA6e24aC9c12D](https://t.co/cNKLTwTByx)
- Scam contract: [0xb6bF8D6f63689D3f1054cE1636b91010df44FC1F](https://t.co/SFdhxs2GKE)
- Scam contract owner: [0xfAe711ea96a91022cF674A3e4fF8D31b6A6A2b3a](https://t.co/OtFlE7fyTy)
- Scam contract sub-admin: [0xb4fc46eb14ca4cb1eb8e37036c2a8759759dc599](https://t.co/cAczupbjc1)
- Stolen token: [0x55d398326f99059fF775485246999027B3197955](https://t.co/FnBpWxjKnS)
- Intermediate relay 1: [0x27e707Bf75D602B22602fC23ebd53f8276ed8950](https://t.co/2NHqHsE1zw)
- Intermediate relay 2: [0x4E86d3e210067F41F7CeCE69fF3dd5e7A8821a41](https://t.co/GNlTXKuL8p)
- Current main holding wallet: [0x1d2d01fcaf5d8aecfdce26015b093073b831a63d](https://t.co/pSecI61LW7)
## Timeline
All times below are UTC.
1. `2026-05-20 10:41:46 UTC`
Approval created by victim wallet:
[0xcb0d8d1013cd2652f62a364e5a4b1c5857c5bb677c6f8508b0912543b2906e5e](https://t.co/gTwDo3O0eZ)
Block: `99374939`
2. `2026-05-20 10:42:07 UTC`
Scam contract owner called `spendAllowance(...)` and drained the victim:
[0x5eca2df3d5fe2de6a97b86d3dad43aaff4905e2f989dc461a9781795f8a1ea15](https://t.co/1uy2lvmp0L)
Block: `99374984`
3. `2026-05-20 10:42:36 UTC`
Owner wallet forwarded the main share:
[0xc5fab7d5f734a6557c8d4d5338e48c736f7541a17bea5d436469ffb762702361](https://t.co/BX586i5O45)
From [0xfAe711ea96a91022cF674A3e4fF8D31b6A6A2b3a](https://t.co/OtFlE7fyTy)
To [0x27e707Bf75D602B22602fC23ebd53f8276ed8950](https://t.co/2NHqHsE1zw)
Block: `99375049`
4. `2026-05-20 10:43:49 UTC`
Relay wallet forwarded funds onward:
[0x4f87d02f6f9434d6ec6168bb1c3befecb31c603bf53d56e54d4787690df17b76](https://t.co/umvsUxdeYP)
From [0x27e707Bf75D602B22602fC23ebd53f8276ed8950](https://t.co/2NHqHsE1zw)
To [0x4E86d3e210067F41F7CeCE69fF3dd5e7A8821a41](https://t.co/GNlTXKuL8p)
Block: `99375211`
5. `2026-05-20 10:48:15 UTC`
Second relay wallet forwarded the main balance again:
[0x16b39b8ed1b06e2b53ee0b754e33489bf31f0d089af4564867fce6cf1afacf97](https://t.co/xL1A5dqa3T)
From [0x4E86d3e210067F41F7CeCE69fF3dd5e7A8821a41](https://t.co/GNlTXKuL8p)
To [0x1d2d01fcaf5d8aecfdce26015b093073b831a63d](https://t.co/pSecI61LW7)
Block: `99375802`
## Amount Breakdown
Drain transaction:
- From victim to scam contract: `5622.0` BSC-USD
Split performed by scam contract:
- To owner wallet `0xfAe711ea...`: `5205.972` BSC-USD
- To sub-admin wallet `0xb4fc46eb...`: `416.028` BSC-USD
Observed subsequent main-branch transfers:
- Owner to relay 1: `5207.824` BSC-USD
- Relay 1 to relay 2: `5263.719674741861` BSC-USD
- Relay 2 to current main holder: `5263.719685741861` BSC-USD
Observed current balances at time of tracing:
- Main holder `0x1d2d01fc...`: about `5263.71968574` BSC-USD
- Side holder `0xb4fc46eb...`: about `416.176` BSC-USD
## Contract Behavior
The malicious contract is verified on BscScan and exposes:
- `owner()`
- `subAdmin()`
- `spendAllowance(address tokenAddress, address from, uint256 amount)`
- `updateSubAdmin(address _subAdmin)`
The contract logic:
1. Checks the victim's allowance.
2. Calls `transferFrom(victim, contract, amount)`.
3. Splits the stolen funds between `owner` and `subAdmin`.
The verified source indicates the split formula:
- Owner share: `92.6%`
- Sub-admin share: `7.4%`
This is consistent with the observed drain of `5622` BSC-USD:
- Owner share observed: `5205.972`
- Sub-admin share observed: `416.028`
## Prior Use of Same Scam Infrastructure
The same owner wallet had already used the same scam contract against another wallet minutes before the victim's loss:
- Prior drain tx: [0xc4a373d03db2e6fc137302e7f943ec5bb7875db93bdb183bbf1d950c3de95db0](https://t.co/Ewe45S7puy)
- Time: `2026-05-20 10:37:22 UTC`
- Victim in that earlier drain: [0x27e707Bf75D602B22602fC23ebd53f8276ed8950](https://t.co/2NHqHsE1zw)
- Amount drained there: `2.0` BSC-USD
This is notable because the same wallet `0x27e707...` later appeared as an intermediate holder in the victim's own fund flow. That strongly suggests repeat use of the same operator infrastructure.
## Current Risk Status
At the time of tracing, the approval from the victim wallet to the scam contract remained active with a very large remaining allowance.
That means:
- If the victim wallet receives more BSC-USD in the future, the same scam contract may be able to drain it again.
- The approval should be revoked immediately.
Recommended revoke link:
- [BscScan Token Approval Checker for victim wallet](https://t.co/OwwBrv2zPb)
## Address Flow Diagram
```mermaid
graph LR
    V["Victim Wallet<br/>0x6A5838...c9c12D"] -->|"Approval tx<br/>0xcb0d8d...906e5e"| C["Scam Contract<br/>0xb6bF8D...44FC1F"]
    C -->|"Drain tx<br/>0x5eca2d...a1ea15<br/>5622 BSC-USD"| O["Owner<br/>0xfAe711...A2b3a"]
    C -->|"416.028 BSC-USD"| S["Sub-admin<br/>0xb4fc46...dc599"]
    O -->|"0xc5fab7...02361<br/>5207.824"| R1["Relay 1<br/>0x27e707...d8950"]
    R1 -->|"0x4f87d0...17b76<br/>5263.719674741861"| R2["Relay 2<br/>0x4E86d3...21a41"]
    R2 -->|"0x16b39b...acf97<br/>5263.719685741861"| H["Current Main Holder<br/>0x1d2d01...1a63d"]
```
## Evidence Links
- Victim wallet: [0x6A5838fB890A8C8b67d2c230A45FA6e24aC9c12D](https://t.co/cNKLTwTByx)
- Approval tx: [0xcb0d8d1013cd2652f62a364e5a4b1c5857c5bb677c6f8508b0912543b2906e5e](https://t.co/gTwDo3O0eZ)
- Scam contract: [0xb6bF8D6f63689D3f1054cE1636b91010df44FC1F](https://t.co/SFdhxs2GKE)
- Contract creation tx: [0xb389c8d6f9bafea9dee56f91b3b6c7aa924bb86bbd266bfa4a00cc3a775a9cdb](https://t.co/Hl6mYz8Ymm)
- Drain tx: [0x5eca2df3d5fe2de6a97b86d3dad43aaff4905e2f989dc461a9781795f8a1ea15](https://t.co/1uy2lvmp0L)
- Owner wallet: [0xfAe711ea96a91022cF674A3e4fF8D31b6A6A2b3a](https://t.co/OtFlE7fyTy)
- Sub-admin wallet: [0xb4fc46eb14ca4cb1eb8e37036c2a8759759dc599](https://t.co/cAczupbjc1)
- Relay 1: [0x27e707Bf75D602B22602fC23ebd53f8276ed8950](https://t.co/2NHqHsE1zw)
- Relay 2: [0x4E86d3e210067F41F7CeCE69fF3dd5e7A8821a41](https://t.co/GNlTXKuL8p)
- Current main holder: [0x1d2d01fcaf5d8aecfdce26015b093073b831a63d](https://t.co/pSecI61LW7)
- Prior related drain by same owner: [0xc4a373d03db2e6fc137302e7f943ec5bb7875db93bdb183bbf1d950c3de95db0](https://t.co/Ewe45S7puy)
Please flag this address.
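An added reconciliation example (not part of the original report): it applies the reported 92.6% / 7.4% split to both drains listed in the report and compares what each wallet sent onward with the traced inflow. All amounts are copied from the report; that the earlier 2.0 BSC-USD drain was split by the same formula is an assumption.

```python
from decimal import Decimal as D

OWNER_PCT = D("92.6")  # owner share per the report; sub-admin gets the rest (7.4%)

# Amounts in BSC-USD, copied from the report above.
DRAINS = [D("2.0"), D("5622")]  # prior drain (10:37:22), victim drain (10:42:07)
HOPS = [
    ("owner -> relay 1", D("5207.824")),
    ("relay 1 -> relay 2", D("5263.719674741861")),
    ("relay 2 -> main holder", D("5263.719685741861")),
]
SIDE_HOLDER_BALANCE = D("416.176")


def split(amount):
    """Return (owner_share, sub_admin_share) for one drained amount."""
    owner = amount * OWNER_PCT / 100
    return owner, amount - owner


def reconcile(drains=DRAINS, hops=HOPS, side_balance=SIDE_HOLDER_BALANCE):
    """Compare what the split predicts with what each wallet sent onward."""
    # Assumption: every drain through the contract used the same split.
    owner_in = sum((split(a)[0] for a in drains), D(0))
    sub_in = sum((split(a)[1] for a in drains), D(0))
    traced, untraced = owner_in, {}
    for label, sent in hops:
        # A positive difference means funds from outside the traced flow
        # were commingled before this hop; a negative one means funds left.
        untraced[label] = sent - traced
        traced = sent
    return {"owner_in": owner_in, "sub_admin_in": sub_in,
            "side_gap": side_balance - sub_in, "untraced": untraced}


if __name__ == "__main__":
    result = reconcile()
    print("owner received from both drains:", result["owner_in"])
    print("sub-admin received from both drains:", result["sub_admin_in"])
    print("side holder balance minus predicted:", result["side_gap"])
    for label, extra in result["untraced"].items():
        print(f"{label}: {extra} BSC-USD not explained by the traced inflow")
```

With the report's figures, the owner's forward to relay 1 and the side holder's balance both reconcile exactly once the earlier 2.0 BSC-USD drain is included, while relay 1 sent on about 55.9 BSC-USD more than it received from the owner, which is where other funds joined the flow.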
@crypto_bitlord7 @TrojanOnSolana Yes very common attack vector! So they didn't get you? You're lucky.
I sometimes see this on YT videos too - for some automated trading bot or something
Putting this out there!
[email protected] has a PayPal account and when you go to send a payment to it, this is what you see:
Is Andrew Burns Satoshi Nakamoto?
🧵 How one trader drained $100M from DeFi… without hacking anything
1/
In 2022, Mango Markets lost $100M+.
No exploit.
No bug.
No stolen keys.
Just… a better understanding of the rules than everyone else.
Oracle attacks and price manipulation!
We've just released a new blog post along with @rugpullfinder's thread on the Mango Market price manipulation exploit by Avi Eisenberg!
Check out the articles below 👇